Milecia McGregor

Securing Your Web Application Pipeline From Intruders

Is your CI/CD pipeline an open door for intruders? Learn to automate security at every stage and transform your pipeline into a fortress.

Securing Your Web Application Pipeline From Intruders
#1about 4 minutes

Establishing foundational CI/CD best practices

Following key principles like small build sizes, environment parity, and local testing creates a reliable foundation before adding security layers.

#2about 5 minutes

Why developers often overlook CI/CD security

Developers often neglect pipeline security due to time constraints, conflicting priorities, and general unfamiliarity with CI/CD configuration languages like YAML.

#3about 5 minutes

Understanding common intruder attack vectors

Intruders exploit vulnerabilities by using open-source tools, finding misconfigurations, scanning for open ports, and leveraging known package security flaws.

#4about 3 minutes

Integrating automated security tools in the build phase

Use Static Application Security Testing (SAST) tools like OWASP Dependency-Check and Snyk to scan for package vulnerabilities early in the build process.

#5about 5 minutes

Applying security tools in test and delivery phases

Leverage DAST tools like OWASP ZAP in the test phase and compliance tools like Chef InSpec in the delivery phase to catch dynamic vulnerabilities.

#6about 2 minutes

Securing applications in the production environment

Utilize bug bounty programs like HackerOne and Bugcrowd for continuous security testing in production, but use automated tools with caution to avoid impacting performance.

#7about 7 minutes

Essential manual security practices for your pipeline

Implement crucial security habits such as managing user permissions, closing unused ports, encrypting all data, and regularly checking against the OWASP Top 10.

#8about 7 minutes

Code examples for integrating security scans

See practical examples of how to add a Snyk security scan step into the configuration files for CircleCI, Conductor, and Travis CI.

#9about 3 minutes

Key takeaways for securing your application pipeline

Prioritize keeping secrets out of version control, routinely audit CI/CD configurations, patch known vulnerabilities promptly, and explore attacker tools to improve your defenses.

Related jobs
Jobs that call for the skills explored in this talk.

Featured Partners

Related Videos

See all videos
Enabling automated 1-click customer deployments with built-in quality and security44:40

Enabling automated 1-click customer deployments with built-in quality and security

Christoph Ruggenthaler

DevSecOps: Security in DevOps33:20

DevSecOps: Security in DevOps

Aarno Aukia

You can’t hack what you can’t see29:34

You can’t hack what you can’t see

Reto Kaeser

Walking into the era of Supply Chain Risks37:36

Walking into the era of Supply Chain Risks

Vandana Verma

Climate vs. Weather: How Do We Sustainably Make Software More Secure?51:41

Climate vs. Weather: How Do We Sustainably Make Software More Secure?

Panel Discussion

Maturity assessment for technicians or how I learned to love OWASP SAMM1:41:05

Maturity assessment for technicians or how I learned to love OWASP SAMM

Mathias Tausig

Real-World Security for Busy Developers29:50

Real-World Security for Busy Developers

Kevin Lewis

Stop Committing Your Secrets - GIt Hooks To The Rescue!56:06

Stop Committing Your Secrets - GIt Hooks To The Rescue!

Dwayne McDaniel

From learning to earning

Jobs that call for the skills explored in this talk.

Fullstack Engineer (Secure)

Sysdig
Municipality of Madrid, Spain

Intermediate
React
Unit Testing
Microservices
Software Architecture