Securing Application Deployments in
Multi-tenant CI/CD Environments
O’Reilly Security Conference NY 2016
HELLO!
I am Binu Ramakrishnan
Principal Security Engineer
at Yahoo
You can find me at:
@securitysauce
github.com/prbinu
Overview
▹ A brief introduction to CI/CD platform
▹ Challenges with multi-tenant CI/CD environments
▹ Threat modeling
▹ Security patterns and best practices
CI/CD
A CI/CD pipeline is a chain of jobs that together achieve continuous delivery and deployment of applications to production.
CI/CD Deployments
Single-tenant | Multi-tenant
Single-tenant
▹ Dedicated build environments
▹ Distributed
▹ Tenant and provider are the same
▹ Limited security impact: a compromise is contained within the single tenant that owns the environment
Multi-tenant
▹ Shared build environments
▹ Driven by economies of scale
▹ Focused on operational efficiency
▹ Allows the enterprise to centrally enforce development standards and compliance controls
▹ Gateway to enterprise networks
Multi-tenant CI/CD - Security Risks
▹ The platform is an attractive target for attackers because:
▸ It consolidates a large number of long-lived keys in one place
▸ It acts as a corridor that directly connects to a large number of machines, bypassing firewalls
▹ A successful attack can have a significant impact on an enterprise:
▸ Exposure of users' personal information, application credentials, TLS private keys, etc.
Denial of Service (DoS) Attacks
“Enterprises relying on SaaS apps had no choice but to sit and wait and hope their providers got back online as soon as possible.” *
* http://bit.ly/2exRpWm
CI/CD in a Nutshell
Enterprise CI/CD
Threat Modeling
Actors
▹ CI/CD Admin: exclusive access to the CI/CD platform.
▹ User/Developer: a person who uses the platform and runs their build pipelines.
▹ CI/CD Platform Developer: limited admin access to the platform.
Trust Boundaries
▹ Application - web interface, REST APIs
▹ Host - isolation between the host OS and the build job
▹ Network - segment build machines from other machines and from the Internet
Attack Surface
Entry Points
▹ Build web interface
▹ Commit handlers
▹ Internal endpoints
▸ Build slave endpoint (to launch builds; SSH)
Exit Points
▹ Deployable artifacts
▹ Build notifications - e.g. emails, IRC and Hipchat messages
▹ Build console logs
Threats
Common Threats
▹ User account compromise & insider threats
▸ User and platform admins
▹ Network Intrusion
▸ CI/CD internal and external endpoints
Local Storage of Non-ephemeral Keys
▹ Long-lived keys are stored locally to allow build jobs to access
protected services.
▹ OAuth tokens, shared secrets, SSH private keys, etc.
Weak Security Controls
Build jobs require access to services as part of their execution (e.g. the artifact store). The protection mechanisms used by those services are less effective in the following cases:
▸ IP whitelist based protection: every job on a build slave shares that slave's source address
▸ Shared secrets: shared by (and accessible to) all build jobs
Both controls are susceptible to spoofing in multi-tenant environments, because one tenant's job can present the same source IP or the same secret as another tenant's.
Build Slave Compromise
Large attack surface, spread across multiple networks (iPhone, Android, server application builds, etc.)
How?
▹ A network-level compromise exploiting a vulnerability on a build slave
▹ A job breaking out of its build container
Impact
▹ Sniff the network, spoof identity, and read locally stored credentials
▹ Gain access to unauthorized machines and steal sensitive data
Building External Code
An attacker can take this path into the internal network, either by adding backdoors to the open source software being built or by exploiting known vulnerabilities in it.
Security Patterns for
Risk Reduction
Ephemeral Keys
Examples: JWT, OAuth tokens, SSH certificates issued by an SSH CA, short-lived AWS access keys, etc.
▹ Automated deployments require delegation
▹ Token delegation: a controlled replay of tokens
▹ Ephemeral keys go well with the token delegation model
Capability Delegation & Stateless Auth
By passing capabilities (in the form of tokens) along with build events, we eliminate the need to store long-lived keys in the CI/CD platform.
▹ Separate the auth components from the core build platform
▹ The Auth service intercepts and authenticates build events, and issues job tokens to the downstream build platform
▹ Stateless: the build platform no longer stores job-specific long-lived keys
▹ Distributed: a per-tenant Auth service for cloud based environments, hosted inside the tenant's network
▹ No consolidation of keys in one place
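The token flow the Ephemeral Keys and Capability Delegation slides describe, as an added example that is not code from the talk or from any Yahoo system: the Auth service turns an authenticated build event into a short-lived token scoped to one job, one repo/commit and one consumer, and the consumer (here an artifact store) checks signature, expiry, audience and scope without holding any per-job secret. It also replaces the shared secret criticised under Weak Security Controls, since a token bound to one job cannot be replayed by another tenant's job or after its expiry. The HS256 JWT layout, the signing key, the claim names and the `artifact-store` audience are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Signing key held only by the Auth service. Assumption for this example:
# in production it lives in a KMS/HSM and is never present on build slaves.
AUTH_SERVICE_KEY = b"example-auth-service-signing-key"
ARTIFACT_STORE = "artifact-store"   # assumed audience name of the downstream service


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_job_token(build_event, ttl_seconds=600, now=None):
    """Auth service side: turn an authenticated build event into a short-lived
    capability bound to one job, one repo/commit and one audience (HS256 JWT)."""
    now = time.time() if now is None else now
    claims = {
        "iss": "ci-auth-service",
        "aud": build_event["aud"],
        "sub": "job:" + build_event["job_id"],
        "repo": build_event["repo"],
        "commit": build_event["commit"],
        "scope": build_event["scope"],       # e.g. ["artifact:push"]
        "iat": int(now),
        "exp": int(now) + ttl_seconds,       # the token dies with the job
    }
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(AUTH_SERVICE_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_job_token(token, audience, required_scope, now=None):
    """Downstream service side: check signature, alg, expiry, audience and scope.
    Returns the claims, or raises ValueError naming the first failed check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    expected = hmac.new(AUTH_SERVICE_KEY, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(b64url_decode(p))
    if claims["exp"] <= now:
        raise ValueError("token expired")
    if claims["aud"] != audience:
        raise ValueError("wrong audience")
    if required_scope not in claims["scope"]:
        raise ValueError("scope not granted")
    return claims


def can_push(token, repo, now=None):
    """Artifact store policy: a push is allowed only with a valid token whose
    repo claim matches the target. No IP whitelist, no shared secret."""
    try:
        claims = verify_job_token(token, ARTIFACT_STORE, "artifact:push", now=now)
    except ValueError:
        return False
    return claims["repo"] == repo


def demo():
    """Constructed build event for tenant A (not real data); shows what a
    stolen or forged token can and cannot do. Returns each check's outcome."""
    now = 1_000_000
    event = {"job_id": "1234", "repo": "tenant-a/web", "commit": "0abc1234",
             "aud": ARTIFACT_STORE, "scope": ["artifact:push"]}
    token = issue_job_token(event, ttl_seconds=600, now=now)
    # Tenant B rewrites the repo claim but cannot re-sign: signature check fails.
    h, p, s = token.split(".")
    claims = json.loads(b64url_decode(p))
    claims["repo"] = "tenant-b/api"
    forged = h + "." + b64url_encode(json.dumps(claims).encode()) + "." + s
    return {
        "own_repo": can_push(token, "tenant-a/web", now=now + 100),       # True
        "other_repo": can_push(token, "tenant-b/api", now=now + 100),     # False: repo-bound
        "after_expiry": can_push(token, "tenant-a/web", now=now + 600),   # False: expired
        "forged_claims": can_push(forged, "tenant-b/api", now=now + 100), # False: bad signature
    }


if __name__ == "__main__":
    print(demo())
```

The consumer holds only the verification key (with HS256 the same symmetric key; in practice an asymmetric algorithm lets the consumer hold just the public key), and nothing the build slave can read is valid for longer than one job's lifetime.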
Audit Trails
▹ Immutable and append-only
▹ Traceability: logs should capture build pipeline events end to end, from commit to final deploy.
▹ Trail attributes: who, how, when, sequence of events, start and end state.
▹ Audit trails produced by the Auth service can provide a verifiable chain of trust from commit to deploy.
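An added illustration of the audit trail properties listed above (append-only, traceable end to end, with who, how, when, sequence and before/after state on every record). This is not code from the talk; the record fields and the hash-chain construction are assumptions. Each record commits to the hash of the previous one, so `verify_chain` detects any later edit, deletion, reordering or replay of an earlier event, and `trace_job` reads the commit-to-deploy chain for one job back out of the trail.

```python
import hashlib
import json

GENESIS_HASH = "0" * 64   # link value of the first record


def record_digest(record):
    """SHA-256 over every field except the record's own hash, in canonical form."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only, hash-chained trail of pipeline events. Each record carries
    who (actor), how (action), when (ts), the sequence number, the state before
    and after, and the hash of the previous record."""

    def __init__(self):
        self._records = []

    def append(self, actor, action, job_id, before, after, ts):
        prev = self._records[-1]["hash"] if self._records else GENESIS_HASH
        record = {"seq": len(self._records), "ts": ts, "actor": actor,
                  "action": action, "job": job_id, "before": before,
                  "after": after, "prev": prev}
        record["hash"] = record_digest(record)
        self._records.append(record)
        return record["hash"]

    def records(self):
        # Copies only: readers get the trail, never a handle to mutate it.
        return [dict(r) for r in self._records]


def verify_chain(records):
    """Recompute every digest and link. Returns (True, None) for an intact
    chain, or (False, seq) for the first record that was edited, removed,
    reordered or replayed."""
    prev = GENESIS_HASH
    for i, r in enumerate(records):
        if r["seq"] != i or r["prev"] != prev or record_digest(r) != r["hash"]:
            return False, i
        prev = r["hash"]
    return True, None


def trace_job(records, job_id):
    """Who did what to a job, in order: the commit-to-deploy chain of trust."""
    return [(r["actor"], r["action"], r["after"]) for r in records if r["job"] == job_id]


def sample_trail():
    """Constructed events for one job, from commit to deploy (not real data)."""
    t = AuditTrail()
    t.append("alice", "commit", "job-42", None, "commit:0abc1234", ts=1700000000)
    t.append("ci-platform", "build", "job-42", "commit:0abc1234", "artifact:sha256:deadbeef", ts=1700000060)
    t.append("ci-platform", "test", "job-42", "artifact:sha256:deadbeef", "tests:passed", ts=1700000300)
    t.append("deploy-bot", "deploy", "job-42", "tests:passed", "prod:web-v17", ts=1700000400)
    return t


if __name__ == "__main__":
    trail = sample_trail()
    print(verify_chain(trail.records()))   # (True, None)
    tampered = trail.records()
    tampered[1]["actor"] = "mallory"       # rewrite history after the fact
    print(verify_chain(tampered))          # (False, 1)
```

A hash chain alone only proves that the copy you hold is self-consistent; to make it tamper-evident against an admin who can rewrite the whole file, periodically sign or publish the latest hash somewhere the trail's writer cannot alter.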
Container & ToolChain Hardening
Network Segmentation
Colocating the CI/CD platform with other corporate machines allows malicious build jobs to raid your internal network. Zone the CI/CD platform off from other corporate systems.
Minimal Builds
▹ Do not expose PII or other sensitive information to build machines.
▹ Run complex tests outside the build, in a separate environment you control.
Few more...
SSH: Use Restricted Shells
Headless SSH access used for automated deployment should land in a restricted shell (a forced command that accepts only the deployment operations), not a general login shell.
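An added example of a restricted shell for a headless deployment key, not code from the talk. It is the forced command that an `authorized_keys` entry pins the key to: the wrapper reads `SSH_ORIGINAL_COMMAND`, accepts only an allow-listed verb with one well-formed argument, and execs a fixed tool rather than a shell, so a stolen deployment key yields those operations and nothing else. The verbs, the argument formats, and the `/usr/local/bin/deploy-tool` and `/usr/local/libexec/ci-shell` paths are assumptions.

```python
import os
import re
import shlex
import sys

# Hypothetical allowlist for a deployment key: one verb, one argument, each
# argument constrained by a regex. Nothing else reaches the host.
ALLOWED = {
    "deploy":   re.compile(r"[a-z0-9-]{1,40}@[0-9a-f]{64}"),  # service@artifact-sha256
    "rollback": re.compile(r"[a-z0-9-]{1,40}"),               # service
    "status":   re.compile(r"[a-z0-9-]{1,40}"),               # service
}
DEPLOY_TOOL = "/usr/local/bin/deploy-tool"        # assumed path of the real tool
WRAPPER = "/usr/local/libexec/ci-shell"           # assumed install path of this script


def authorize(original_command):
    """Map SSH_ORIGINAL_COMMAND to a fixed argv, or None to refuse.
    The string is never handed to a shell: shlex tokenises it, exactly two
    tokens are required, and the argument must fully match its pattern."""
    if not original_command:
        return None                     # interactive login requested: refuse
    try:
        argv = shlex.split(original_command)
    except ValueError:                  # unbalanced quotes etc.
        return None
    if len(argv) != 2:                  # "deploy x; rm -rf /" splits into 5 tokens
        return None
    verb, arg = argv
    pattern = ALLOWED.get(verb)
    if pattern is None or not pattern.fullmatch(arg):
        return None
    return [DEPLOY_TOOL, verb, arg]


def authorized_keys_line(pubkey):
    """authorized_keys entry that pins the key to this wrapper and disables
    PTYs, forwarding and ~/.ssh/rc, so the wrapper is the only code path."""
    options = ",".join([
        'command="%s"' % WRAPPER,
        "no-pty", "no-port-forwarding", "no-agent-forwarding",
        "no-X11-forwarding", "no-user-rc",
    ])
    return options + " " + pubkey


def main():
    argv = authorize(os.environ.get("SSH_ORIGINAL_COMMAND", ""))
    if argv is None:
        sys.stderr.write("ci-shell: command not permitted\n")
        sys.exit(126)
    os.execv(argv[0], argv)             # replaces the wrapper; no shell in between


if __name__ == "__main__":
    main()
```

On OpenSSH 7.2 and later the single `restrict` option covers the individual `no-*` options used here. Log the refused commands: a deployment key that suddenly asks for a PTY or a second verb is an early signal that the key has left the pipeline.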
Roll Keys Periodically
Establish a process to roll trust anchor keys, and actually run it on a schedule.
Restrict Job Console Logs
Restrict build job console logs to authorized users only; console logs are an exit point for sensitive data.
Enable 2FA
Admins must follow good security hygiene and use 2FA to access the platform application and hosts.
Prune Admin Access List
Keep the admin list small for build systems and Git repo access.
Vulnerability Patch Mgmt
Maintain an inventory of all packages in use and have a mechanism to patch the system in response to a disclosure.
Acknowledgements
▹ Christopher Harrell
▹ St John Johnson
▹ Mike Shema
▹ Jeremiah Wuenschel
Let’s recap major concepts
Ephemeral Keys
Replace long-lived keys with time-bound, scoped tokens. Service providers should start supporting tokens for auth & authz.
Capability Delegation
Delegate job capabilities with build events, and eliminate the need to store long-lived keys in the CI/CD platform.
Audit Trails
A verifiable chain of trust based on traceable audit logs is a foundational requirement for CI/CD.
Minimal Builds
Avoid pulling PII or other production-sensitive data into build environments. Keep builds to a minimum.
Network Segmentation
Network-level isolation of CI/CD machines.
Build ToolChain Hardening
Build tools and Docker containers must be adequately hardened.
THANKS!
Any questions?
You can find me at:
@securitysauce
github.com/prbinu
CREDITS
Special thanks to all the people who made and
released these awesome resources for free:
▹ Presentation template by SlidesCarnival
▹ Photographs by Death to the Stock Photo
(license)

 

Kürzlich hochgeladen (20)

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 

Secure App Deployments in Multi-tenant CI/CD

15. Attack Surface
Entry Points
▹ Build web interface
▹ Commit handlers
▹ Internal endpoints
▸ Build slave endpoint (to launch builds; SSH)
Exit Points
▹ Deployable artifacts
▹ Build notifications - e.g. emails, IRC and Hipchat messages
▹ Build console logs

17. Common Threats
▹ User account compromise & insider threats
▸ Users and platform admins
▹ Network intrusion
▸ CI/CD internal and external endpoints

18. Local Storage of Non-ephemeral Keys
▹ Long-lived keys are stored locally so that build jobs can access protected services.
▹ OAuth tokens, shared secrets, SSH private keys etc.

19. Weak Security Controls
Build jobs require access to services as part of their execution (e.g. the artifact store). The protection mechanisms used by those services are less effective in the following cases:
▸ IP whitelist based protection
▸ Shared secrets: shared (and accessible) by all build jobs
Both controls are susceptible to spoofing in multi-tenant environments, because every tenant's job runs from the same whitelisted hosts and can read the same shared secret.

20. Build Slave Compromise
Large attack surface, spread across multiple networks (iPhone, Android, server app etc.)
How?
▹ A network level compromise, exploiting a vulnerability on a build slave
▹ Jobs break out of the build container
Impact
▹ Listen to the network, spoof identity and access locally stored credentials
▹ Gain access to unauthorized machines and steal sensitive data

21. Building External Code
An attacker can take this path to get into the internal network, either by adding backdoors or by exploiting known vulnerabilities in open source software.

23. Ephemeral Keys
https://www.flickr.com/photos/articnomad/241620406
JWT, OAuth, SSH-CA, AWS access keys etc.
▹ Automated deployments require delegation
▹ Token delegation: a controlled replay of tokens
▹ Ephemeral keys go well with the token delegation model

24. Capability Delegation & Stateless Auth
https://www.flickr.com/photos/18946008@N06/14551311971/
By passing capabilities (in the form of tokens) along with build events, we eliminate the need to store long-lived keys in the CI/CD platform.

25.
▹ Separate out the auth components from the core build platform
▹ The Auth service intercepts and authenticates build events, and issues job tokens to the downstream build platform
▹ Stateless: the build platform no longer stores job-specific long-lived keys
▹ Distributed: a per-tenant Auth service for cloud based environments, hosted inside the tenant's network
▹ No consolidation of keys in one place
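The Auth-service pattern of slides 23 to 25, as an added example that is not part of the deck: the service turns an authenticated build event into a short-lived HS256 JWT carrying only the capabilities that one job needs, and the downstream service (an assumed artifact store) checks signature, audience, expiry and capability before acting. The signing key, issuer, audience and capability names are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key; a real Auth service would keep it in an HSM or KMS.
SIGNING_KEY = b"demo-auth-service-key-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_job_token(key, build_event, capabilities, ttl, now=None):
    """Auth service side: turn an authenticated build event into a short-lived,
    scoped HS256 JWT. Only this job's capabilities are delegated, and the token
    dies after ttl seconds, so no long-lived key lands on the build platform."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": "ci-auth-service",
        "sub": f"{build_event['repo']}@{build_event['commit']}",
        "aud": "artifact-store",        # the one service allowed to accept it
        "cap": sorted(capabilities),    # delegated capabilities, e.g. artifact:push
        "iat": now,
        "exp": now + ttl,
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_job_token(key, token, audience, capability, now=None):
    """Downstream service side: accept the token only if signature, audience,
    expiry and the requested capability all check out; raises ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":   # reject alg=none and friends
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    if claims.get("aud") != audience:
        raise ValueError("token not issued for this service")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    if capability not in claims.get("cap", []):
        raise ValueError(f"capability {capability} was not delegated")
    return claims
```

A replayed token fails on `exp` once its window closes, and a token delegated for `artifact:push` cannot be bent to a capability the Auth service never granted.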
26. Audit Trails
▹ Immutable and append-only
▹ Traceability: logs should capture build pipeline events end to end, from commit to final deploy.
▹ Trail traits: who, how, when, sequence of events, start and end state.
▹ Audit trails produced by the Auth service can provide a verifiable chain of trust from commit to deploy.
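An append-only, hash-chained trail with the traits the slide lists (who, how, when, sequence, state), as an added example that is not part of the deck: every entry commits to its predecessor's hash, so editing, dropping or reordering an earlier event breaks the chain and is detected on verification. The events and actor names are constructed sample data.

```python
import hashlib, json

GENESIS = "0" * 64   # stands in for the hash of the first entry's (non-existent) predecessor

def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_event(trail: list, event: dict) -> dict:
    """Append one event, linking it to the previous entry by hash.

    Each entry carries who/how/when/what plus its sequence number and the hash of
    its predecessor, so altering any earlier entry invalidates every later link."""
    prev = trail[-1]["hash"] if trail else GENESIS
    body = {"seq": len(trail), "prev": prev, **event}
    trail.append({**body, "hash": _digest(body)})
    return trail[-1]

def verify_trail(trail: list) -> bool:
    """Recompute every link; False if the chain was edited, truncated or reordered."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("seq") != i or body.get("prev") != prev or _digest(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True

def trace_commit(trail: list, commit: str) -> list:
    """Traceability: the end-to-end sequence of stages recorded for one commit."""
    return [e["what"] for e in trail if e.get("commit") == commit]

def build_sample_trail() -> list:
    """One pipeline run, commit -> build -> deploy (constructed sample events)."""
    trail = []
    append_event(trail, {"who": "alice", "how": "git push", "when": 1000,
                         "what": "commit", "commit": "abc123", "state": "pending"})
    append_event(trail, {"who": "ci-auth-service", "how": "job token issued", "when": 1001,
                         "what": "build", "commit": "abc123", "state": "building"})
    append_event(trail, {"who": "deploy-bot", "how": "artifact:push", "when": 1050,
                         "what": "deploy", "commit": "abc123", "state": "deployed"})
    return trail
```

In production the chain head would be anchored somewhere the build platform cannot write (a separate log service or a signed checkpoint), since a writer who can rewrite the whole file can recompute every hash.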
28. Network Segmentation
Colocating the CI/CD platform with other corporate machines allows malicious build jobs to raid your internal network. The recommendation is to zone the CI/CD platform off from other corporate systems.

29. Minimal Builds
▹ Do not expose PII or other sensitive info to build machines.
▹ Do complex tests outside of the build, in a separate environment you control.

30. A few more...
▹ SSH: use restricted shells - Headless SSH access for automated deployment should use a restricted shell.
▹ Roll keys periodically - Establish a process to roll trust anchor keys, and actually run it on a schedule.
▹ Restrict job console logs - Restrict build job console logs to authorized users only.
▹ Enable 2FA - Admins must follow good security hygiene and use 2FA to access the platform application and hosts.
▹ Prune the admin access list - Keep the admin list small for build systems and Git repo access.
▹ Vulnerability patch management - Maintain an inventory of all packages in use and have a mechanism to patch the system in response to a disclosure.

31. Acknowledgements
▹ Christopher Harrell
▹ St John Johnson
▹ Mike Shema
▹ Jeremiah Wuenschel

32. Let's recap the major concepts
▹ Ephemeral keys - Replace long-lived keys with time-bound, scoped tokens. Service providers should start supporting tokens for authentication and authorization.
▹ Capability delegation - Delegate job capabilities along with build events, and eliminate the need to store long-lived keys in the CI/CD platform.
▹ Audit trails - A verifiable chain of trust based on traceable audit logs is a foundational requirement for CI/CD.
▹ Minimal builds - Avoid pulling PII or other production-sensitive data into build environments. Keep the builds to a minimum.
▹ Network segmentation - Network level isolation of CI/CD machines.
▹ Build toolchain hardening - Build tools and Docker containers must be adequately hardened.

33. THANKS! Any questions?
You can find me at: @securitysauce github.com/prbinu

34. CREDITS
Special thanks to all the people who made and released these awesome resources for free:
▹ Presentation template by SlidesCarnival
▹ Photographs by Death to the Stock Photo (license)