The presentation discusses a modular approach to integrating security tools into the DevOps process: independent scripts that can be run individually or together to analyze the data they collect. The focus is on keeping the security tooling as lightweight as possible and fitting it into the existing process rather than bolting a new process on.
- The solution is modular enough to fit each organization's own requirements
- Expanding the set of target technologies and the analysis process is planned future work
The speaker gives the example of their own organization, which develops at a pace that makes it practically impossible to introduce a separate new security process and keep up with it. The solution is to integrate security tools into the DevOps process itself and make them modular enough to fit each organization's requirements.
In this talk I will be presenting how an organization can approach the visibility, and thus the security, of its CI/CD pipeline, along with some common attack areas like access controls, credential hygiene, misconfiguration, etc. and their possible solutions. Also, I will introduce two new open source projects:

First, CICDGuard - a graph-based CI/CD pipeline visualizer and security analyzer, which:
1. Represents the entire CI/CD pipeline in graph form, providing intuitive visibility and solving the awareness problem
2. Identifies common security flaws across supported technologies and provides industry best practices and guidelines for the identified flaws
3. Technologies supported as of now:
- GitHub
- GitHub Actions
- Jenkins
- Spinnaker

Second, ActionGOAT - a deliberately "damn vulnerable" GitHub Action for learning purposes
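As an added illustration (editor's code, not CICDGuard's or ActionGOAT's), here is a small Python checker for the GitHub Actions technology the abstract lists. It builds the workflow -> job -> step -> action edge list that a graph view would draw, and flags four of the common flaws the talk names under access controls, credential hygiene and misconfiguration: an overly broad GITHUB_TOKEN, actions pinned to mutable refs, a pull_request_target workflow that checks out the fork's code (a so-called "pwn request"), and attacker-controlled github context interpolated into a run script. The two workflow dicts, the example-org/lint-action name and the list of untrusted context fields are constructed for the example; the dicts mirror what PyYAML's safe_load would return, including the YAML 1.1 quirk of loading an unquoted `on` key as the boolean True.

```python
"""Illustrative checks for common GitHub Actions workflow flaws (added example,
not CICDGuard code). Input dicts mirror PyYAML's yaml.safe_load() output."""
import re
from dataclasses import dataclass

# Constructed sample. YAML 1.1 gotcha: an unquoted `on:` key loads as the
# boolean True, so triggers() accepts either key. Every flaw here is deliberate.
VULNERABLE_WORKFLOW = {
    "name": "ci",
    True: {"pull_request_target": {"types": ["opened", "synchronize"]}},
    "permissions": "write-all",
    "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4",
         "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"uses": "example-org/lint-action@main"},  # hypothetical action name
        {"run": 'echo "PR: ${{ github.event.pull_request.title }}"'},
        {"uses": "actions/setup-node@1234567890abcdef1234567890abcdef12345678"},
    ]}},
}
# Hardened form of the same workflow: pull_request trigger, least-privilege
# token, SHA-pinned actions, untrusted input passed via env, not the script.
HARDENED_WORKFLOW = {
    "name": "ci",
    True: {"pull_request": {"types": ["opened", "synchronize"]}},
    "permissions": {"contents": "read"},
    "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@1234567890abcdef1234567890abcdef12345678"},
        {"run": 'echo "PR: $PR_TITLE"',
         "env": {"PR_TITLE": "${{ github.event.pull_request.title }}"}},
    ]}},
}

SHA_REF = re.compile(r"^[0-9a-f]{40}$")
# github-context fields an outside contributor controls (assumed, non-exhaustive)
UNTRUSTED_EXPR = re.compile(
    r"\$\{\{\s*github\.(event\.(pull_request\.(title|body|head\.(ref|label))"
    r"|issue\.(title|body)|comment\.body|head_commit\.message)|head_ref)\s*\}\}"
)

@dataclass(frozen=True)
class Finding:
    rule: str
    where: str
    detail: str

def triggers(wf):
    """Event names the workflow runs on, whatever shape the `on` block has."""
    on = wf.get("on", wf.get(True, {}))
    if isinstance(on, str):
        return {on}
    return set(on) if isinstance(on, (list, dict)) else set()

def iter_steps(wf):
    for job_id, job in wf.get("jobs", {}).items():
        for idx, step in enumerate(job.get("steps", [])):
            yield f"jobs.{job_id}.steps[{idx}]", step

def pipeline_graph(wf):
    """Edges of the workflow -> job -> step -> action graph: the visibility view."""
    edges = []
    for job_id, job in wf.get("jobs", {}).items():
        edges.append((("workflow", wf.get("name", "")), ("job", job_id)))
        for idx, step in enumerate(job.get("steps", [])):
            step_node = ("step", f"{job_id}[{idx}]")
            edges.append((("job", job_id), step_node))
            if "uses" in step:
                edges.append((step_node, ("action", step["uses"])))
    return edges

def check_workflow(wf):
    """Run the four checks and return findings in document order."""
    findings = []
    if wf.get("permissions") == "write-all":
        findings.append(Finding("broad-token-permissions", "permissions",
                                "GITHUB_TOKEN granted write-all; declare per-job least privilege"))
    elif "permissions" not in wf:
        findings.append(Finding("undeclared-permissions", "permissions",
                                "no permissions block; token scope falls back to the repo default"))
    privileged_pr = "pull_request_target" in triggers(wf)
    for where, step in iter_steps(wf):
        uses = step.get("uses", "")
        if uses and not uses.startswith(("./", "docker://")):
            if not SHA_REF.match(uses.partition("@")[2]):
                findings.append(Finding("unpinned-action", where,
                                        f"{uses} uses a mutable ref instead of a commit SHA"))
            checkout_ref = str(step.get("with", {}).get("ref", ""))
            if privileged_pr and uses.startswith("actions/checkout@") and "pull_request.head" in checkout_ref:
                findings.append(Finding("pwn-request", where,
                                        "pull_request_target checks out the PR head: fork code runs with a write token and secrets"))
        if UNTRUSTED_EXPR.search(step.get("run", "")):
            findings.append(Finding("expression-injection", where,
                                    "attacker-controlled github context interpolated into a shell script; pass it via env"))
    return findings

if __name__ == "__main__":
    for f in check_workflow(VULNERABLE_WORKFLOW):
        print(f"[{f.rule}] {f.where}: {f.detail}")
    print("hardened workflow findings:", check_workflow(HARDENED_WORKFLOW))
```

Against the constructed vulnerable workflow the checker reports five findings (the SHA-pinned setup-node step is clean) and none against the hardened one. A real analyzer would read the files with yaml.safe_load, walk every workflow in .github/workflows, and treat a missing permissions block as a finding whose severity depends on the repository's default token setting, which this example cannot see.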