Securing your CI/CD pipeline from code to deployment

[Saim-Safdar]

The first steps for securing your team’s CI/CD pipeline include locking down configuration managers, systems that host repositories, and the build servers. The pipeline should be monitored from end to end with watertight access control across the entire toolchain. In this CDF workshop, a guided tour of how to scan-build script for vulnerabilities, and steps needed to be taken into consideration for regularly monitoring source code for vulnerabilities prior to the app deployed to production.

By following along with this workshop you will be familiarized with best practices for securing your CI/CD pipeline including the following:

• Remove hard-coded secrets from CI/CD config files.
• Have rigorous security parameters, such as one-time passwords, for secrets regarding more sensitive tools and systems.
• Distribute secrets among CI/CD config files to reduce the potential attack target of each file.
• Use password managers, and rotate passwords after each use.
• Know who has access to what. Whether it’s role-based, time-based, or task-based, there should be a clear repository of access management. Another option to consider is segmenting secrets based on levels of access.
• Ensure secrets are not inadvertently passed on during builds for pull requests via your CI/CD pipelines.
• Deploy the practice of least privilege. Give access only to requisite secrets. Besides employee access, the least privilege also applies to applications, systems, or connected devices that require privileges or permissions to perform tasks. You should regularly audit levels of access to maintain the level of least privilege

[Saim-Safdar]

@sbtaylor15 happy to share his knowledge on this topic as he already presented a similar talk on this Adding Open Source Security Tooling to your DevOps Pipeline

[TracyRagan]

Steve's final abstract: The first step in protecting your software supply chain should include adding security actions to your CI/CD pipeline, from scanning your repos to locking down your builds. The pipeline should be evolved to include available open-source tools that can shift your DevOps pipeline to a DevSecOps pipeline.  In this CDF workshop, Steve Taylor will cover 5 phases of the DevOps process that must be reinforced to improve your supply chain security. In this workshop, you will learn about new open-source security tooling that you can immediately add to your pipeline to implement good security practices, including: Learn what phases of the pipeline need security actions.

• Learn how to implement the OpenSSF Security Scorecard.
• Learn where signing and SBOM generation should be added.
• Understand SLSA and how the Prysia decentralized package network can help you achieve SLSA compliance.
• Learn about Ortelius as an evidence store to consolidate security logs and build an organizational-level security profile.
• Learn how CDEvents will simplify adding new tooling to your pipeline to maintain a secure software supply chain. 

Securing your organization from cyber hacks is not just the job of production teams. It is time for development teams to play their part. Building security into your CD Pipelines is the first step. This workshop will help you get there. 

[TracyRagan]

This is scheduled for June 22nd.