| Track | DevSecOps |
|---|---|
| When | Thu PM-2, PM-3 |
| Where | Maulden |
| Organizers | Imran Mohammed A, Francois Raynaud |
| Participants | Arne Zismer, Franziska Buehler, Abhinav Sejpal, Alina Radu, Clara Anel Mansilla, Claudio Camerino, Dominik de Smit, Gabor Pek, Imran Chaudhari, Luis Saiz, Mario Platt, Matt Pendlebury, Peter Turczak, Sotiraki Sima, Sven Schleier |
| Remote Participants | Aaron Lane, Abdullah Garcia, Abhi Raj, Andrew Martin, Barbara Schachner, Domenico Malorni, Ernesto Bethencourt, Guy Jarvis, Harmeet Singh, Lubo Vikev, Madhu Akula, Mohanish Mahajan, Mustaqiim Muhar, Paul Cutting, Sergio Issi, Sophie Tonnoir, Sugumaran Uppili, Vandana Verma, Vinod Anandan |
Why
This Working Session will consider how to secure the CI pipeline, a key element of DevOps.
Automated CI builds, testing, and deployments have many advantages when done correctly. However, third-party libraries pulled into your build may be served from compromised servers, and even signing your packages or artifacts automatically could result in you delivering compromised software to others.
What
- Identify best practice for DevOps and Developers
- Agree what to include in a cheat sheet for developers who use third party services
- Agree recommendations for 3rd party service providers (for example, provide warning messages of possible insecurities)
Outcomes
This Working Session will publish:
- A set of practices for DevOps and Developers
- Cheat sheet for developers who use third party services
- Recommendations for 3rd party service providers
Who
- DevSecOps
- 3rd party service providers: Travis, SNYK, Codiscope, Gitlab, Node Security, ….
- Security professionals
- Developers
References
- How to Secure a Continuous Integration Process
- DEF CON 22 - Kyle Kelley and Greg Anderson - Is This Your Pipe? Hijacking the Build Pipeline
Previous Summit Working Session
https://owaspsummit.org/Working-Sessions/DevSecOps/Securing-the-CI-Pipeline.html