Securing the CI Pipeline

Track: DevSecOps
When: Thu PM-2, PM-3
Where: Maulden
Organizers: Imran Mohammed A, Francois Raynaud
Participants: Arne Zismer, Franziska Buehler, Abhinav Sejpal, Alina Radu, Clara Anel Mansilla, Claudio Camerino, Dominik de Smit, Gabor Pek, Imran Chaudhari, Luis Saiz, Mario Platt, Matt Pendlebury, Peter Turczak, Sotiraki Sima, Sven Schleier
Remote Participants: Aaron Lane, Abdullah Garcia, Abhi Raj, Andrew Martin, Barbara Schachner, Domenico Malorni, Ernesto Bethencourt, Guy Jarvis, Harmeet Singh, Lubo Vikev, Madhu Akula, Mohanish Mahajan, Mustaqiim Muhar, Paul Cutting, Sergio Issi, Sophie Tonnoir, Sugumaran Uppili, Vandana Verma, Vinod Anandan

Why

This Working Session will consider how to secure the CI pipeline, a key element of DevOps.

CI builds, testing, and deployments have many advantages when done correctly, but the pipeline also concentrates trust. Third-party libraries pulled into a build may be fetched from compromised servers, and a pipeline that automatically signs its packages or artifacts will sign whatever it was given: the signature attests that the artifact came from your pipeline, not that its inputs were clean, so you could end up delivering compromised software to others under your own signature.
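The check that the paragraph above calls for, as an added example in Python (it is not code from the session page or from any of the listed providers): the expected SHA-256 of each third-party artifact is recorded once at review time and committed with the build, and the build-time fetch refuses to proceed, and therefore never reaches the signing step, if the bytes served do not match. The artifact name, the pin table, and the two server stand-ins are constructed for illustration.

```python
"""Hash-pinned dependency fetch for a CI step (added example, not from the session page).

A CI job that trusts whatever a download server returns will build, and sign,
whatever a compromised server hands it. Pinning the expected SHA-256 in the
repository turns a compromised-mirror incident into a failed build.
"""
import hashlib
import hmac
from typing import Callable, Dict


class UnpinnedArtifact(Exception):
    """Raised when an artifact has no pinned hash or does not match it."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pin_artifact(name: str, data: bytes, pins: Dict[str, str]) -> str:
    """Review-time step: record the digest of a dependency a human has vetted.
    The pin table is committed next to the build script and reviewed like code."""
    digest = sha256_hex(data)
    pins[name] = digest
    return digest


def fetch_and_verify(name: str, fetch: Callable[[str], bytes], pins: Dict[str, str]) -> bytes:
    """Build-time step: download the artifact, then refuse to use it unless its
    digest matches the pin. Later steps (tests, packaging, signing) only ever
    see bytes that passed this check."""
    if name not in pins:
        raise UnpinnedArtifact(f"{name}: no pinned hash, refusing to build")
    data = fetch(name)
    actual = sha256_hex(data)
    # Constant-time comparison; not strictly needed for a public digest, but cheap.
    if not hmac.compare_digest(actual, pins[name]):
        raise UnpinnedArtifact(f"{name}: expected {pins[name]}, got {actual}")
    return data


# Constructed stand-ins for the real artifact bytes and for the two servers
# (assumption: a real job would fetch over HTTPS from the provider's URL).
ARTIFACT = "example-lib-1.2.3.tar.gz"
GOOD_BYTES = b"abc"                    # what the vetted release contains
TAMPERED_BYTES = b"abc" + b"\x00evil"  # what a compromised mirror serves


def honest_server(name: str) -> bytes:
    return GOOD_BYTES


def compromised_server(name: str) -> bytes:
    return TAMPERED_BYTES


def build_with(fetch: Callable[[str], bytes]) -> str:
    """Run the pinned fetch against a server; return 'built' or 'rejected'.
    The pin is recorded from the vetted bytes, never from the download."""
    pins: Dict[str, str] = {}
    pin_artifact(ARTIFACT, GOOD_BYTES, pins)
    try:
        fetch_and_verify(ARTIFACT, fetch, pins)
    except UnpinnedArtifact:
        return "rejected"
    return "built"


if __name__ == "__main__":
    print("honest server:     ", build_with(honest_server))       # built
    print("compromised server:", build_with(compromised_server))  # rejected
```

The important property is the order of operations: the pin comes from bytes someone reviewed, the build compares the download against that pin, and signing (not shown) runs only on bytes that passed. Recording the pin from the download itself would only re-sign whatever the server chose to serve.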

What

  • Identify best practices for DevOps teams and developers
  • Agree what to include in a cheat sheet for developers who use third party services
  • Agree recommendations for 3rd party service providers (for example, provide warning messages of possible insecurities)

Outcomes

This Working Session will publish:

  • A set of practices for DevOps and Developers
  • Cheat sheet for developers who use third party services
  • Recommendations for 3rd party service providers

Who

  • DevSecOps
  • 3rd party service providers: Travis, SNYK, Codiscope, Gitlab, Node Security, ….
  • Security professionals
  • Developers

References

Previous Summit Working Session

https://owaspsummit.org/Working-Sessions/DevSecOps/Securing-the-CI-Pipeline.html

Register as participant

To register as a participant, add Securing the CI Pipeline to either:

  1. the sessions metadata field on your participant page (find your participant page and look for the edit link), or
  2. the participants metadata field on this session's page in git.
