
Your code might be secure, but what about your pipeline? Challenges of securing build/deployment environment.

2021-09-24

Authors: Marcin Szydłowski


Abstract

Traditionally, Change Management is a very well-defined process. You can find hundreds of articles on the Internet explaining how each change should be properly requested, developed, tested and approved before being moved to the production environment. Obviously, each of these steps requires documentation and formal approval (sign-off) from the appropriate person. This process gave security engineers several chances to ensure that changes do not introduce any new vulnerabilities and that the infrastructure to which the application is deployed is hardened and patched.

Security around the Change Management process gets a little bit more complicated for agile software development and DevOps methodologies, where tens of small changes are introduced every day. Each of these small changes is automatically tested from various perspectives and, if everything goes as expected, it gets deployed to the environment of your choice without human intervention.

Without any manual review in place, change management and security controls rely heavily on the fact that:

- humans cannot access sensitive environments in an uncontrolled manner
- the application's and infrastructure's code is independently reviewed to avoid unauthorized changes and detect flaws
- pre-approved and verified artifacts are used while building applications to decrease the risk of insecure dependencies or malicious artifacts
- automated tests are performed by the pipeline to detect defects or security issues

It goes without saying that the ability to circumvent any of the above-mentioned controls may introduce unauthorized changes and security issues to the application.

This presentation will describe an often-ignored area of application security: the security of the development environment. The presenter will share some common misconfigurations of the build/deployment environment which can have a significant negative impact on source code integrity and, as an ultimate result, on the security of the application itself.

Materials: