Securing the CI Pipeline

Track: DevSecOps
When: Thu PM-2,PM-3
Organizers: Imran Mohammed A, Francois Raynaud
Participants: Arne Zismer, Franziska Buehler, Andra Lezza, Claudio Camerino, Dominik de Smit, Francisco Novo, Mario Platt, Martin Rock-Evans

Why

This Working Session will consider how to secure the CI pipeline, a key element of DevOps.

CI builds, testing, and deployments have many advantages when done correctly. However, libraries from 3rd parties that you use in your build can be hosted on compromised servers. Even signing your packages or artifacts automatically could result in you delivering compromised software to others.

What

  • Identify best practice for DevOps and Developers
  • Agree what to include in a cheat sheet for developers who use third party services
  • Agree recommendations for 3rd party service providers (for example, provide warning messages of possible insecurities)

Outcomes

This Working Session will publish:

  • A set of practices for DevOps and Developers
  • Cheat sheet for developers who use third party services
  • Recommendations for 3rd party service providers

Who

  • DevSecOps
  • 3rd party service providers: Travis, Snyk, Codiscope, GitLab, Node Security, …
  • Security professionals
  • Developers

References

Previous Summit Working Session

https://owaspsummit.org/Working-Sessions/DevSecOps/Securing-the-CI-Pipeline.html
