Milecia McGregor
Securing Your Web Application Pipeline From Intruders
#1about 4 minutes
Establishing foundational CI/CD best practices
Following key principles like small build sizes, environment parity, and local testing creates a reliable foundation before adding security layers.
#2about 5 minutes
Why developers often overlook CI/CD security
Developers often neglect pipeline security due to time constraints, conflicting priorities, and general unfamiliarity with CI/CD configuration languages like YAML.
#3about 5 minutes
Understanding common intruder attack vectors
Intruders exploit vulnerabilities by using open-source tools, finding misconfigurations, scanning for open ports, and leveraging known package security flaws.
#4about 3 minutes
Integrating automated security tools in the build phase
Use Static Application Security Testing (SAST) tools like OWASP Dependency-Check and Snyk to scan for package vulnerabilities early in the build process.
#5about 5 minutes
Applying security tools in test and delivery phases
Leverage DAST tools like OWASP ZAP in the test phase and compliance tools like Chef InSpec in the delivery phase to catch dynamic vulnerabilities.
#6about 2 minutes
Securing applications in the production environment
Utilize bug bounty programs like HackerOne and Bugcrowd for continuous security testing in production, but use automated tools with caution to avoid impacting performance.
#7about 7 minutes
Essential manual security practices for your pipeline
Implement crucial security habits such as managing user permissions, closing unused ports, encrypting all data, and regularly checking against the OWASP Top 10.
#8about 7 minutes
Code examples for integrating security scans
See practical examples of how to add a Snyk security scan step into the configuration files for CircleCI, Conductor, and Travis CI.
#9about 3 minutes
Key takeaways for securing your application pipeline
Prioritize keeping secrets out of version control, routinely audit CI/CD configurations, patch known vulnerabilities promptly, and explore attacker tools to improve your defenses.
Related jobs
Jobs that call for the skills explored in this talk.
Matching moments
11:13 MIN
Hardening the CI/CD pipeline with automated security tools
You can’t hack what you can’t see
05:33 MIN
Integrating security earlier in the development lifecycle
Vulnerable VS Code extensions are now at your front door
00:28 MIN
Why developers make basic cybersecurity mistakes
Don't Be A Naive Developer: How To Avoid Basic Cybersecurity Mistakes
02:55 MIN
Shifting security left to prevent incidents before deployment
OPA for the cloud natives
24:08 MIN
Key takeaways and tools for preventing path traversal
Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks
11:05 MIN
Automating security checks in the CI/CD pipeline
DevSecOps: Security in DevOps
27:19 MIN
Key takeaways on IDE and developer tool security
You click, you lose: a practical look at VSCode's security
13:32 MIN
Automating security tooling within the SDLC
Organizational Change Through The Power Of Why - DevSecOps Enablement
Featured Partners
Related Videos
44:40Enabling automated 1-click customer deployments with built-in quality and security
Christoph Ruggenthaler
29:50Real-World Security for Busy Developers
Kevin Lewis
24:09Plants vs. Thieves: Automated Tests in the World of Web Security
Ramona Schwering
45:08DevSecOps: Injecting Security into Mobile CI/CD Pipelines
Moataz Nabil
37:36Walking into the era of Supply Chain Risks
Vandana Verma
24:01What The Hack is Web App Sec?
Jackie
22:18Why Security-First Development Helps You Ship Better Software Faster
Michael Wildpaner
24:47Supply Chain Security and the Real World: Lessons From Incidents
Adrian Mouat
From learning to earning
Jobs that call for the skills explored in this talk.
DevOps Engineer – Kubernetes & Cloud (m/w/d)
epostbox epb GmbH
Berlin, Germany
Intermediate
Senior
DevOps
Kubernetes
Cloud (AWS/Google/Azure)
Operational Security Engineer - Windows & Azure Cloud
Rocken AG
Azure
Powershell
Windows Server
Network Security