| Track | DevSecOps |
|---|---|
| When | Thu PM-2, PM-3 |
| Where | Maulden |
| Organizers | (one of participants) |
| Participants | Andra Lezza, Chris Allen, Daniel Kefer, Dominik de Smit, Emma Fang, Foteini Karantoni, Francisco Novo, Jay Mbolda Yamdjeu, Jean-Jacques MOIROUX, Lauren Chiesa, Martin Rock-Evans, Mustafa Kasmani, Rafael Jimenez, Sean Siford, Sean Turner, Sven Schleier, Tom Ling, Tony Richards, Yan Kravchenko |
| Remote Participants | André Rainho |
Why
This Working Session will consider securing the CI pipeline, a key element of DevOps.
Automated CI builds, testing, and deployments have many advantages when done correctly, but they also widen the attack surface. Third-party libraries pulled into your build may be served from compromised servers, and even signing your packages or artifacts automatically could result in you delivering compromised software to others, since a signature only attests to what the pipeline was given, not to whether that input was trustworthy.
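One of the concrete defenses the session is concerned with is checking third-party build inputs against digests pinned in the repository before the pipeline consumes them, and only letting the signing step run once every input has passed. The following is an added example written for this page, not code from the OWASP Summit or any of the listed providers; the pin-file layout (the `digest  filename` form that `sha256sum` emits), the artifact names and their contents are all constructed for illustration.

```python
"""Verify third-party build inputs against pinned SHA-256 digests before a
CI job uses or signs them. Added example for this page; the pin-file format
and every artifact below are constructed sample data, not real packages."""
import hashlib
import hmac
from typing import Dict

# Constructed "trusted" contents standing in for downloads from a third-party server.
TRUSTED_LIB = b"trusted contents of example-lib 1.2.3"
TRUSTED_TOOL = b"trusted contents of build-tool 0.9"

# Constructed pin file in the same "digest  filename" layout that sha256sum prints.
# In a real pipeline this file lives in the repository and is reviewed like code.
PIN_FILE = """\
# third-party inputs this build is allowed to consume (constructed sample)
%s  example-lib-1.2.3.tar.gz
%s  build-tool-0.9.whl
""" % (hashlib.sha256(TRUSTED_LIB).hexdigest(),
       hashlib.sha256(TRUSTED_TOOL).hexdigest())


def parse_pins(text: str) -> Dict[str, str]:
    """Parse 'digest  filename' lines into {filename: digest}.

    Blank lines and '#' comments are skipped; a malformed or duplicated
    entry is an error, because a silently ignored pin is an unpinned input."""
    pins: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed pin on line {lineno}: {raw!r}")
        digest, name = parts[0].lower(), parts[1].strip()
        if name in pins:
            raise ValueError(f"duplicate pin for {name} on line {lineno}")
        pins[name] = digest
    return pins


def verify_artifact(name: str, data: bytes, pins: Dict[str, str]) -> bool:
    """True only if the artifact is pinned and its digest matches the pin."""
    expected = pins.get(name)
    if expected is None:
        return False  # unpinned input: refuse rather than trust the server
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


def release_gate(fetched: Dict[str, bytes], pins: Dict[str, str]) -> Dict[str, object]:
    """Decide whether the pipeline may proceed to the signing step.

    Signing is allowed only when every pinned input was fetched and verified,
    so a tampered download cannot be laundered into a validly signed release."""
    failed = sorted(n for n, d in fetched.items() if not verify_artifact(n, d, pins))
    missing = sorted(set(pins) - set(fetched))
    return {"sign": not failed and not missing, "failed": failed, "missing": missing}


if __name__ == "__main__":
    pins = parse_pins(PIN_FILE)
    good = {"example-lib-1.2.3.tar.gz": TRUSTED_LIB, "build-tool-0.9.whl": TRUSTED_TOOL}
    tampered = dict(good)
    tampered["example-lib-1.2.3.tar.gz"] = b"backdoored"  # constructed tampered download
    print("clean build:   ", release_gate(good, pins))
    print("tampered build:", release_gate(tampered, pins))
```

The gate deliberately treats an unpinned or missing input the same as a digest mismatch: the signing step should fail closed, and the job log should show which input failed so the mismatch can be investigated rather than retried.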
What
- Identify best practices for DevOps teams and developers
- Agree on what to include in a cheat sheet for developers who use third-party services
- Agree on recommendations for third-party service providers (for example, providing warning messages about possible insecurities)
Outcomes
This Working Session will publish:
- A set of practices for DevOps teams and developers
- A cheat sheet for developers who use third-party services
- Recommendations for third-party service providers
Who
- DevSecOps
- Third-party service providers: Travis, SNYK, Codiscope, Gitlab, Node Security, …
- Security professionals
- Developers
References
- How to Secure a Continuous Integration Process
- DEF CON 22 - Kyle Kelley and Greg Anderson - Is This Your Pipe? Hijacking the Build Pipeline
- Devops Pro Europe 2019 - Jeroen Willemsen - Securing your CI/CD Pipeline
Previous Summit Working Session
https://owaspsummit.org/Working-Sessions/DevSecOps/Securing-the-CI-Pipeline.html