Milecia McGregor

Securing Your Web Application Pipeline From Intruders

Is your CI/CD pipeline an open door for intruders? Learn to automate security at every stage and transform your pipeline into a fortress.

Securing Your Web Application Pipeline From Intruders
#1about 4 minutes

Establishing foundational CI/CD best practices

Following key principles like small build sizes, environment parity, and local testing creates a reliable foundation before adding security layers.

#2about 5 minutes

Why developers often overlook CI/CD security

Developers often neglect pipeline security due to time constraints, conflicting priorities, and general unfamiliarity with CI/CD configuration languages like YAML.

#3about 5 minutes

Understanding common intruder attack vectors

Intruders exploit vulnerabilities by using open-source tools, finding misconfigurations, scanning for open ports, and leveraging known package security flaws.

#4about 3 minutes

Integrating automated security tools in the build phase

Use Static Application Security Testing (SAST) tools like OWASP Dependency-Check and Snyk to scan for package vulnerabilities early in the build process.

#5about 5 minutes

Applying security tools in test and delivery phases

Leverage DAST tools like OWASP ZAP in the test phase and compliance tools like Chef InSpec in the delivery phase to catch dynamic vulnerabilities.

#6about 2 minutes

Securing applications in the production environment

Utilize bug bounty programs like HackerOne and Bugcrowd for continuous security testing in production, but use automated tools with caution to avoid impacting performance.

#7about 7 minutes

Essential manual security practices for your pipeline

Implement crucial security habits such as managing user permissions, closing unused ports, encrypting all data, and regularly checking against the OWASP Top 10.

#8about 7 minutes

Code examples for integrating security scans

See practical examples of how to add a Snyk security scan step into the configuration files for CircleCI, Conductor, and Travis CI.

#9about 3 minutes

Key takeaways for securing your application pipeline

Prioritize keeping secrets out of version control, routinely audit CI/CD configurations, patch known vulnerabilities promptly, and explore attacker tools to improve your defenses.

Related jobs
Jobs that call for the skills explored in this talk.

Matching moments

Hardening the CI/CD pipeline with automated security tools
11:13 MIN

Hardening the CI/CD pipeline with automated security tools

You can’t hack what you can’t see

Integrating security earlier in the development lifecycle
05:33 MIN

Integrating security earlier in the development lifecycle

Vulnerable VS Code extensions are now at your front door

Shifting security left to prevent incidents before deployment
02:55 MIN

Shifting security left to prevent incidents before deployment

OPA for the cloud natives

Key takeaways and tools for preventing path traversal
24:08 MIN

Key takeaways and tools for preventing path traversal

Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks

Automating security checks in the CI/CD pipeline
11:05 MIN

Automating security checks in the CI/CD pipeline

DevSecOps: Security in DevOps

Key takeaways on IDE and developer tool security
27:19 MIN

Key takeaways on IDE and developer tool security

You click, you lose: a practical look at VSCode's security

Automating security tooling within the SDLC
13:32 MIN

Automating security tooling within the SDLC

Organizational Change Through The Power Of Why - DevSecOps Enablement

Choosing the right security testing methods for your pipeline
13:35 MIN

Choosing the right security testing methods for your pipeline

DevSecOps: Injecting Security into Mobile CI/CD Pipelines

Featured Partners

Related Videos

See all videos
Enabling automated 1-click customer deployments with built-in quality and security44:40

Enabling automated 1-click customer deployments with built-in quality and security

Christoph Ruggenthaler

Real-World Security for Busy Developers29:50

Real-World Security for Busy Developers

Kevin Lewis

Plants vs. Thieves: Automated Tests in the World of Web Security24:09

Plants vs. Thieves: Automated Tests in the World of Web Security

Ramona Schwering

DevSecOps: Injecting Security into Mobile CI/CD Pipelines45:08

DevSecOps: Injecting Security into Mobile CI/CD Pipelines

Moataz Nabil

Walking into the era of Supply Chain Risks37:36

Walking into the era of Supply Chain Risks

Vandana Verma

What The Hack is Web App Sec?24:01

What The Hack is Web App Sec?

Jackie

Why Security-First Development Helps You Ship Better Software Faster22:18

Why Security-First Development Helps You Ship Better Software Faster

Michael Wildpaner

Supply Chain Security and the Real World: Lessons From Incidents24:47

Supply Chain Security and the Real World: Lessons From Incidents

Adrian Mouat

From learning to earning

Jobs that call for the skills explored in this talk.