The presentation discusses the importance of securing developer laptops in order to secure the entire CI/CD pipeline. It highlights the vulnerabilities and security gaps in the traditional pipeline and emphasizes the need for correlating data across the pipeline. The presentation also provides solutions for securing developer laptops and enabling developers through good security practices.
- The traditional CI/CD pipeline has data silos and security gaps that create vulnerabilities for attackers to exploit.
- Correlating data across the pipeline is crucial for securing the entire pipeline.
- Developer laptops are a high-value asset and often an entry point for attackers.
- Auditing for vulnerable software packages and malicious Chrome extensions, dynamic trust scores for zero-trust access, and detecting and protecting against malicious behavior are some of the solutions for securing developer laptops.
- Good security practices can enable developers to work from untrusted or lightly secured home networks around the world.
- Security should enable development teams and break down roadblocks.
The presentation mentions a rise in attackers targeting developer laptops due to their high value. Attackers can enumerate the environment, steal SSH keys and AWS credentials, and gain access to critical resources and infrastructure. The presentation also shares a fun example of attackers cloning real Chrome extensions and publishing them on the store to entice and spear-phish specific developers into downloading them onto their laptops.
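One way to audit a laptop for the cloned-extension case described above, as an added example that is not from the presentation: it walks a Chrome profile's `Extensions/<id>/<version>/manifest.json` files and flags any extension that carries an approved name under an unapproved ID. The allowlist, the finding labels and the sample extension "Dev Helper" are assumptions made for the illustration.

```python
import json
from contextlib import suppress
from pathlib import Path

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def load(path):
    return json.loads(path.read_text(encoding="utf-8-sig"))

def display_name(version_dir, manifest):
    """Resolve the name, following a __MSG_key__ placeholder into _locales."""
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        locale = manifest.get("default_locale", "en")
        with suppress(OSError, ValueError, AttributeError):  # else keep placeholder
            msgs = load(version_dir / "_locales" / locale / "messages.json")
            by_key = {k.lower(): v.get("message", name) for k, v in msgs.items()}
            name = by_key.get(name[6:-2].lower(), name)
    return name

def audit_extensions(profile_dir, approved):
    """approved: {extension_id: name}. Returns [(ext_id, name, [findings])]."""
    report, approved_names = [], {n.casefold() for n in approved.values()}
    for mf in sorted(Path(profile_dir).glob("Extensions/*/*/manifest.json")):
        ext_id, findings = mf.parts[-3], []
        try:
            manifest = load(mf)
            name = display_name(mf.parent, manifest)
            hosts = manifest.get("permissions", []) + manifest.get("host_permissions", [])
        except (OSError, ValueError, AttributeError, TypeError):
            report.append((ext_id, "?", ["unreadable_manifest"]))
            continue
        if ext_id not in approved:  # approved name under another ID = likely clone
            cloned = name.casefold() in approved_names
            findings.append("lookalike_of_approved" if cloned else "unapproved")
        if BROAD_HOSTS & {h for h in hosts if isinstance(h, str)}:
            findings.append("broad_host_access")
        report.append((ext_id, name, findings))
    return report

def build_sample_profile(root):  # constructed sample: approved extension + its clone
    clone = {"name": "__MSG_appName__", "default_locale": "en", "host_permissions": ["<all_urls>"]}
    files = {("a" * 32, "manifest.json"): {"name": "Dev Helper", "permissions": ["storage"]},
             ("b" * 32, "manifest.json"): clone,
             ("b" * 32, "_locales/en/messages.json"): {"appname": {"message": "Dev Helper"}}}
    for (ext_id, rel), body in files.items():
        path = Path(root, "Extensions", ext_id, "1.0_0", rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(body), encoding="utf-8")
```

Extensions loaded unpacked from elsewhere on disk do not live under this directory, so the walk covers installed extensions only.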
Your developer’s laptop is only one hop away from cloud infrastructure and crown-jewel data and services. When it comes to securing cloud applications, security teams need to consider how they can secure the arc of application development. It often begins when a developer signs into an identity provider using their laptop, then pulls open-source code from a Git repository. Developers use Chrome extensions for development tasks, then push code through their build, test, and deploy processes using automation servers, Kubernetes, and public cloud services like AWS. At each stage, there are multiple points an attacker can target.
This session will cover the requirements for visibility into the entire development supply chain, from laptop to cloud, including:
- Why developer laptops are often an entry point for attackers—now more than ever
- How to gather real-time "device integrity" or security hygiene checks for zero-trust access
- How to audit for malicious Chrome extensions or vulnerable software packages
- How to tie together identity and GitHub activity on the laptop with CI/CD actions