---
title : Securing the CI Pipeline
type : working-session
track : DevSecOps
topics : ["CI Pipeline"]
technology :
categories : # GDPR, Juice Shop, etc.
featured : yes # review with summit team "yes"
when_day : Thu
when_time : PM-2,PM-3
room_layout : #
room_id : room-5
session_slack: https://os-summit.slack.com/messages/CAUNFBMAL
status : review-content # draft, review-content, done
organizers :
  - Imran Mohammed A
  - Francois Raynaud
description : Secure the CI/CD pipeline
participants :
  - Arne Zismer
  - Franziska Buehler
---

Why

This Working Session will consider how to secure the CI pipeline, a key element of DevOps.

CI builds, testing, and deployments have many advantages when done correctly. However, third-party libraries used in your build may be hosted on compromised servers. Even signing your packages or artifacts automatically could result in you delivering compromised software to others.

What

  • Identify best practice for DevOps and Developers

  • Agree what to include in a cheat sheet for developers who use third party services

  • Agree recommendations for 3rd party service providers (for example, provide warning messages of possible insecurities)

Outcomes

This Working Session will publish:

  • A set of practices for DevOps and Developers

  • Cheat sheet for developers who use third party services

  • Recommendations for 3rd party service providers

Who

  • DevSecOps

  • 3rd party service providers: Travis, Snyk, Codiscope, GitLab, Node Security, ...

  • Security professionals

  • Developers

References

Previous Summit Working Session

https://owaspsummit.org/Working-Sessions/DevSecOps/Securing-the-CI-Pipeline.html