Milecia McGregor
Securing Your Web Application Pipeline From Intruders
#1about 4 minutes
Establishing foundational CI/CD best practices
Following key principles like small build sizes, environment parity, and local testing creates a reliable foundation before adding security layers.
#2about 5 minutes
Why developers often overlook CI/CD security
Developers often neglect pipeline security due to time constraints, conflicting priorities, and general unfamiliarity with CI/CD configuration languages like YAML.
#3about 5 minutes
Understanding common intruder attack vectors
Intruders exploit vulnerabilities by using open-source tools, finding misconfigurations, scanning for open ports, and leveraging known package security flaws.
#4about 3 minutes
Integrating automated security tools in the build phase
Use Static Application Security Testing (SAST) tools like OWASP Dependency-Check and Snyk to scan for package vulnerabilities early in the build process.
#5about 5 minutes
Applying security tools in test and delivery phases
Leverage DAST tools like OWASP ZAP in the test phase and compliance tools like Chef InSpec in the delivery phase to catch dynamic vulnerabilities.
#6about 2 minutes
Securing applications in the production environment
Utilize bug bounty programs like HackerOne and Bugcrowd for continuous security testing in production, but use automated tools with caution to avoid impacting performance.
#7about 7 minutes
Essential manual security practices for your pipeline
Implement crucial security habits such as managing user permissions, closing unused ports, encrypting all data, and regularly checking against the OWASP Top 10.
#8about 7 minutes
Code examples for integrating security scans
See practical examples of how to add a Snyk security scan step into the configuration files for CircleCI, Conductor, and Travis CI.
#9about 3 minutes
Key takeaways for securing your application pipeline
Prioritize keeping secrets out of version control, routinely audit CI/CD configurations, patch known vulnerabilities promptly, and explore attacker tools to improve your defenses.
Related jobs
Jobs that call for the skills explored in this talk.
Matching moments
11:13 MIN
Hardening the CI/CD pipeline with automated security tools
You can’t hack what you can’t see
05:33 MIN
Integrating security earlier in the development lifecycle
Vulnerable VS Code extensions are now at your front door
19:44 MIN
Integrating security tests into your development pipeline
Plants vs. Thieves: Automated Tests in the World of Web Security
00:28 MIN
Why developers make basic cybersecurity mistakes
Don't Be A Naive Developer: How To Avoid Basic Cybersecurity Mistakes
19:36 MIN
Integrating security tests into your CI/CD pipeline
Plants vs. Thieves: Automated Tests in the World of Web Security
02:55 MIN
Shifting security left to prevent incidents before deployment
OPA for the cloud natives
24:08 MIN
Key takeaways and tools for preventing path traversal
Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks
11:05 MIN
Automating security checks in the CI/CD pipeline
DevSecOps: Security in DevOps
Featured Partners
Related Videos
44:40Enabling automated 1-click customer deployments with built-in quality and security
Christoph Ruggenthaler
33:20DevSecOps: Security in DevOps
Aarno Aukia
29:34You can’t hack what you can’t see
Reto Kaeser
37:36Walking into the era of Supply Chain Risks
Vandana Verma
51:41Climate vs. Weather: How Do We Sustainably Make Software More Secure?
Panel Discussion
1:41:05Maturity assessment for technicians or how I learned to love OWASP SAMM
Mathias Tausig
29:50Real-World Security for Busy Developers
Kevin Lewis
56:06Stop Committing Your Secrets - GIt Hooks To The Rescue!
Dwayne McDaniel
From learning to earning
Jobs that call for the skills explored in this talk.
Application Security Engineer
BrainRocket
Municipality of Madrid, Spain
Python
Gitlab
Docker
Jenkins
Terraform
+6
Full Stack Software Engineer (Attack Surface Management)
Sysdig
Remote
Intermediate
REST
MySQL
Neo4j
PostgreSQL
+4