Following key principles like small build sizes, environment parity, and local testing creates a reliable foundation before adding security layers.
Developers often neglect pipeline security due to time constraints, conflicting priorities, and general unfamiliarity with CI/CD configuration languages like YAML.
Intruders exploit vulnerabilities by using open-source tools, finding misconfigurations, scanning for open ports, and leveraging known package security flaws.
Use Static Application Security Testing (SAST) tools like OWASP Dependency-Check and Snyk to scan for package vulnerabilities early in the build process.
Leverage DAST tools like OWASP ZAP in the test phase and compliance tools like Chef InSpec in the delivery phase to catch dynamic vulnerabilities.
Utilize bug bounty programs like HackerOne and Bugcrowd for continuous security testing in production, but use automated tools with caution to avoid impacting performance.
Implement crucial security habits such as managing user permissions, closing unused ports, encrypting all data, and regularly checking against the OWASP Top 10.
See practical examples of how to add a Snyk security scan step into the configuration files for CircleCI, Conductor, and Travis CI.
Prioritize keeping secrets out of version control, routinely audit CI/CD configurations, patch known vulnerabilities promptly, and explore attacker tools to improve your defenses.
44:40Christoph Ruggenthaler
33:20Aarno Aukia
29:34Reto Kaeser
37:36Vandana Verma
51:41Panel Discussion
29:50Kevin Lewis
56:06Dwayne McDaniel
24:09Ramona Schwering
Jobs that call for the skills explored in this talk.
Trility Consulting
Caci Inc
Linthicum Heights, United States of America
GitLab
The Cybersecurity
Punk Security Ltd.
CGI Group Inc.
Gloucester, United Kingdom
