Presentation: Keep Calm and Secure Your CI/CD Pipeline
This presentation is now available to view on InfoQ.com
What You’ll Learn
- Hear about some DevSecOps challenges Pride in London had with open source software.
- Find out what some of the security challenges web developers have to deal with are, and how to fix them.
Abstract
Shifting left significantly reduces costs and diminishes release delays. Continuous security validation should be added at each step from development through production to help ensure the application is always secure. We can then switch the conversation with the security team from approving each release to approving the CI/CD process and having the ability to monitor and audit the process at any time.
In this session, we’ll be focusing on work done with Pride in London (a project using Gatsby2, Contentful and Netlify) and showing you how to create a secure continuous integration/continuous deployment pipeline. You’ll learn how GitHub Marketplace helped the team automate and improve its workflow with different tools for accessibility, code coverage, code review, code quality, security and other functions (such as alerting with Slack). You’ll also find out what OWASP is and how to improve the workflow for your own open source projects using GitHub Marketplace applications.
What is the work that you are doing today?
In my day job, I'm the lead security engineer at Photobox. I'm in charge of application security, cloud security and network security within my team. And for Pride in London, I'm the tech lead and the security manager. I take care of the website and the application, manage a team of fifteen developers and implement features that the other teams in the organisation are requesting. This is all volunteer-based work on an open source project.
How do you deal with stress and development when building security features?
It depends on the features. If it's a new feature, we could set up threat modelling sessions where we would sit down with the developers, the architect and the product owner, go through those new features and see what can go wrong and how we can remediate or fix any issues that are flagged during those sessions. Also, we attend their developer guilds and try to give more context and tell a story behind the vulnerabilities, because we think that presenting the OWASP Top 10 most common vulnerabilities is great, but also giving more context on how it impacts different companies, by giving real-life examples, makes more sense for the developers because they might not be used to the security jargon.
To give an example, let's say two or three years ago there was this event-stream npm package incident. There was a little bit of social engineering involved because it was open source and the attacker managed to push malicious code within the repository. The result was that more than 8 million applications were running malicious code. There are many other examples around websites embedding crypto-mining software and malicious scripts, and this could be prevented by implementing a content security policy or adding a subresource integrity checksum, for example.
Such cases help developers because they understand that if they don't check their third-party packages, or if they don't implement a content security policy, this could happen in their company.
To summarize, I would say don't use specific security jargon when you talk to developers and product teams, but try to tell a story and give context.
What are the goals for your talk and what are the takeaways?
The talk will cover a quick introduction around what cybersecurity is and why it is important. I will give a couple of examples, like the one that I mentioned with the event-stream package. What could be the impact of ransomware? Then I will focus on web application security.
My case study is around Pride in London, which is an open source project. We’ve leveraged the power of the GitHub marketplace applications we could find there because it's open source. We've implemented a lot of those tools and platforms that are available on the marketplace around code coverage, testing, compliance, security, scanning for tokens and credentials, and flagging any vulnerabilities.
We'll go through the challenges that we faced when using some of the tools, around false positives, how we tried to tune those tools, how we decommissioned some of these tools, how we're monitoring our third-party packages, and the CI/CD pipeline that we currently have with Pride in London with all the tools that we've implemented from the GitHub marketplace. Obviously, it's not a bulletproof solution, but it will help open source maintainers have some guidelines or starting points to use those tools and make their open source projects more secure.
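Two of the pipeline checks the answers above describe, monitoring third-party packages and scanning for committed tokens and credentials, as an added example that is not part of the interview and not the tooling the Pride in London project actually uses from the GitHub Marketplace. It is a Node script of the kind a CI job could run before a build is trusted: it audits a parsed `package-lock.json` for dependencies that are not pinned to an integrity-checked registry tarball, and scans committed text for credential-shaped strings. The registry URL, the token patterns, the lockfile and the file contents are constructed for the example; the placeholder token is a run of `A` characters, not a real credential.

```javascript
// Added example (not from the talk or the Pride in London project): two
// checks a CI job can run before a build is trusted. Registry URL, token
// patterns and all sample inputs are constructed for the example.

const ALLOWED_REGISTRY = "https://registry.npmjs.org/";

// Audit a parsed package-lock.json (lockfileVersion 2 or 3 "packages" map):
// every third-party package must resolve to the registry and carry an
// integrity hash, otherwise a later install could fetch different bytes.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.link) continue; // root project and workspace links
    const name = path.replace(/^.*node_modules\//, "");
    if (!entry.resolved || !entry.resolved.startsWith(ALLOWED_REGISTRY)) {
      findings.push({ kind: "unpinned-source", name, detail: entry.resolved || "(none)" });
    }
    if (!entry.integrity) {
      findings.push({ kind: "missing-integrity", name, detail: entry.version || "?" });
    }
  }
  return findings;
}

// Credential-shaped patterns (constructed list; extend per the providers you use).
const SECRET_PATTERNS = [
  { kind: "github-pat", re: /\bghp_[A-Za-z0-9]{36}\b/ },
  { kind: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { kind: "private-key", re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
];

// Scan a map of file path -> file text and report each line that matches.
function scanForSecrets(files) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    text.split("\n").forEach((line, i) => {
      for (const { kind, re } of SECRET_PATTERNS) {
        if (re.test(line)) findings.push({ kind, file, line: i + 1 });
      }
    });
  }
  return findings;
}

// Combined gate: the build is trusted only when both checks are clean.
function ciGate(lock, files) {
  const findings = [...auditLockfile(lock), ...scanForSecrets(files)];
  return { ok: findings.length === 0, findings };
}

// Constructed sample lockfile: one well-pinned package, one pulled from a git URL.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-site", version: "1.0.0" },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-EXAMPLEPLACEHOLDER", // constructed, not a real hash
    },
    "node_modules/suspicious-dep": {
      version: "0.0.1",
      resolved: "git+https://example.invalid/someone/suspicious-dep.git",
    },
  },
};

// Constructed sample files: one contains a placeholder token-shaped string.
const sampleFiles = {
  "src/config.js": 'const token = "ghp_' + "A".repeat(36) + '"; // constructed placeholder\n',
  "README.md": "# Sample project\nNo secrets here.\n",
};

console.log(JSON.stringify(ciGate(sampleLock, sampleFiles), null, 2));
```

On the sample input the gate reports three findings: the git-sourced dependency is flagged twice (no registry source, no integrity hash) and the placeholder token is flagged once at line 1 of `src/config.js`. A CI job would fail the build on a non-empty findings list; tuning the patterns and allow-listing known false positives is exactly the work the answer above describes.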