Securing the CI Pipeline
This Working Session will consider how to secure the CI pipeline, a key element of DevOps.
CI builds, testing and deployments have many advantages when done correctly, but they also introduce risk: third-party libraries pulled into your build may be served from compromised servers, and even signing your packages or artifacts automatically could result in you delivering compromised software to others.
- Identify best practice for DevOps and Developers
- Agree what to include in a cheat sheet for developers who use third party services
- Agree recommendations for 3rd party service providers (for example, provide warning messages of possible insecurities)
This Working Session will publish:
- A set of practices for DevOps and Developers
- Cheat sheet for developers who use third party services
- Recommendations for 3rd party service providers
- DevSecOps (or SecDevOps) practitioners, depending on which side of the DevSecOps vs SecDevOps naming debate you take.
- 3rd party service providers: Travis, SNYK, Codiscope, Gitlab, Node Security, ...
- Security professionals
- How to Secure a Continuous Integration Process
- DEF CON 22 - Kyle Kelley and Greg Anderson - Is This Your Pipe? Hijacking the Build Pipeline
Here are the current 'work in progress' materials for this session (please add as much information as possible before the sessions).
Related Working Session(s)
- Best practices in using SAST, DAST, IAST and RASP Tools
- Docker Security
- Integrating Security Tools in the SDL
- Scaling Static Analysis Reviews and Deployments