Securing the CI Pipeline

Track: DevSecOps
When: Thu PM-2, PM-3
Where: Maulden
Organizers: (one of participants)
Participants: Andra Lezza, Chris Allen, Daniel Kefer, Dominik de Smit, Emma Fang, Foteini Karantoni, Francisco Novo, Jay Mbolda Yamdjeu, Jean-Jacques MOIROUX, Lauren Chiesa, Martin Rock-Evans, Mustafa Kasmani, Rafael Jimenez, Sean Siford, Sean Turner, Sven Schleier, Tom Ling, Tony Richards, Yan Kravchenko
Remote Participants: André Rainho

Why

This Working Session will consider securing the CI pipeline, a key element of DevOps.

CI builds, testing, and deployments have many advantages when done correctly. However, the third-party libraries pulled into your build may be served from compromised servers, and even automatically signing your packages or artifacts could result in you delivering compromised software to others.

What

  • Identify best practice for DevOps and Developers
  • Agree what to include in a cheat sheet for developers who use third party services
  • Agree recommendations for 3rd party service providers (for example, provide warning messages of possible insecurities)

Outcomes

This Working Session will publish:

  • A set of practices for DevOps and Developers
  • Cheat sheet for developers who use third party services
  • Recommendations for 3rd party service providers

Who

  • DevSecOps
  • 3rd party service providers: Travis, SNYK, Codiscope, Gitlab, Node Security, ….
  • Security professionals
  • Developers

References

Previous Summit Working Session

https://owaspsummit.org/Working-Sessions/DevSecOps/Securing-the-CI-Pipeline.html
