The importance of securing developer laptops in the CI/CD pipeline to prevent security gaps and correlate data across the pipeline.
- Developer laptops are a high-value asset and a potential entry point for attackers to access cloud infrastructure and data.
- Real-time device integrity checks are necessary for zero-trust access.
- Auditing for vulnerable software packages and malicious Chrome extensions is crucial.
- Tying together identity and GitHub activity on the laptop with CI/CD actions can help detect and protect against malicious behavior.
- Correlating data across the CI/CD pipeline is essential to prevent security gaps and enable effective security measures.
Attackers have been targeting developer laptops, which can be used to enumerate an environment, steal SSH keys and AWS credentials, and access critical resources and infrastructure. Attackers have also enticed developers into installing malicious Chrome extensions on their laptops. Real-time device integrity checks and auditing for vulnerable software packages and malicious Chrome extensions are necessary to prevent attacks. Tying together identity and GitHub activity on the laptop with CI/CD actions can help detect and protect against malicious behavior, such as software supply chain attacks. Correlating data across the CI/CD pipeline is essential to prevent security gaps and enable effective security measures.
Your developer’s laptop is only one hop away from cloud infrastructure and crown-jewel data and services. When it comes to securing cloud applications, security teams need to consider how they can secure the arc of application development. It often begins when a developer signs into an identity provider using their laptop, then pulls open-source code from a Git repository. Developers use Chrome extensions for development tasks, then push code through their build, test, and deploy processes using automation servers, Kubernetes, and public cloud services like AWS. At each stage, there are multiple points an attacker can target. This 5-minute lightning session will cover the requirements for visibility into the entire development supply chain, from laptop to cloud, including:
- Why developer laptops are often an entry point for attackers, now more than ever
- How to gather real-time "device integrity" or security hygiene checks for zero-trust access
- How to audit for malicious Chrome extensions or vulnerable software packages
- How to tie together identity and GitHub activity on the laptop with CI/CD actions
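One way to approach the Chrome extension audit mentioned above, as an added example that is not from the session itself: it walks a Chrome profile's `Extensions/<id>/<version>/manifest.json` layout and reports extensions that are off an allowlist or request broad permissions. The `RISKY` set, the allowlist, and the sample extensions are assumptions constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Assumed policy for this example: permissions treated as high risk on a developer laptop.
RISKY = {"<all_urls>", "http://*/*", "https://*/*", "cookies", "webRequest", "debugger", "nativeMessaging", "proxy"}


def audit_extensions(ext_root, allowlist):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and return findings."""
    findings = []
    for manifest_path in sorted(Path(ext_root).glob("*/*/manifest.json")):
        ext_id = manifest_path.parts[-3]
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            findings.append({"id": ext_id, "name": None, "reasons": ["unreadable manifest"]})
            continue
        requested = set()
        for key in ("permissions", "optional_permissions", "host_permissions"):
            requested.update(p for p in manifest.get(key, []) if isinstance(p, str))
        broad = {p for p in requested if p in RISKY or p.startswith("*://*/")}
        reasons = []
        if ext_id not in allowlist:
            reasons.append("not on allowlist")
        if broad:
            reasons.append("broad permissions: " + ", ".join(sorted(broad)))
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name"), "reasons": reasons})
    return findings


def build_sample_profile():
    """Create a constructed Extensions directory with two made-up extensions."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "a" * 32: {"name": "Approved Linter", "permissions": ["storage"]},
        "b" * 32: {"name": "Free Dev Helper", "permissions": ["cookies"], "host_permissions": ["<all_urls>"]},
    }
    for ext_id, manifest in samples.items():
        version_dir = root / ext_id / "1.0.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    for finding in audit_extensions(build_sample_profile(), allowlist={"a" * 32}):
        print(finding)
```

On a real laptop, `ext_root` would point at the Extensions directory of each Chrome profile, and the findings would be shipped to wherever identity and CI/CD events are correlated.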