Securing our applications and data has never been more topical. We've recently seen many high profile data breaches, numerous critical vulnerabilities and frantic teams left scrambling to mitigate the damage to their users and ultimately their company's brand. Our automated software delivery pipelines mean we can ship our code fast and without friction, but with multitudes of micro-services to manage, and their countless dependencies, the attack surfaces are increasingly vast and difficult to manage.
This talk covers some of the approaches you can use to identify and mitigate security risk and maximise your team's ability to respond! By 'shifting security left' and leaning on automation you'll reduce your chances of becoming a media headline and be well on the way to being able to react swiftly when the next big CVE happens.
10. Supply Chain Levels for Software Artefacts
(SLSA)
A framework designed to help
organisations improve the integrity of
their software supply chains.
13. The Secure Software Development Framework
(SSDF) is a set of fundamental, sound, and
secure software development practices based
on established secure software development
practice documents from organizations such as
BSA, OWASP, and SAFECode. Few software
development life cycle (SDLC) models explicitly
address software security in detail, so practices
like those in the SSDF need to be added to and
integrated with each SDLC implementation.
14. The SSDF outlines solid practices for
embedding secure software
development practices in the delivery
lifecycle, that don’t just identify
threats but actually address them.
Source: https://csrc.nist.gov/Projects/ssdf
15.
16.
17. 33% of respondents described their
security strategy as having a mix of
prevention and detection.
Source: Left and Right of Boom in Cybersecurity ,Elastic, 2022
82% said they plan to implement, are
implementing or have implemented.
18. 33% of respondents described their
security strategy as having a mix of
prevention and detection.
Source: Left and Right of Boom in Cybersecurity ,Elastic, 2022
82% said they plan to implement, are
implementing or have implemented.
19. The road to hell is paved
with good intentions.
20. “would pursue laws to establish
liability for software companies
that sell technology that lacks
cybersecurity protections”
The Biden-Harris National Cybersecurity Strategy
32. Poisoned Pipeline Execution (PPE)
• Have isolated pipeline environments and contexts
• Sensitive and Non-Sensitive contexts
• Use branch protection rules in GitHub/GitLab/BitBucket
etc.
33. Upload Pipeline Build Docker Image
Linting Security Scans RSpec
Jest Code Coverage Bundle Analysis
Branch Build
Non-sensitive context
- no access to secrets
- no pipeline to prod
34. Upload Pipeline Build Docker Image
Linting Security Scans RSpec
Jest Code Coverage Bundle Analysis
Branch Build
Non-sensitive context
- no access to secrets
- no pipeline to prod
Sensitive context
- access to secrets
- additional permissions
Upload Pipeline Build Docker Image
Linting Security Scans RSpec
Jest Code Coverage Bundle Analysis
Main Build
Prepare for Deploy Deploy to Prod
43. • Restrict the scope of a pipeline's access & permissions
• Apply granular access controls:
• job-tokens
• OIDC
• Use these things with a dedicated Secrets Manager:
• Hashicorp Vault (Buildkite plugin)
• AWS Secure Secrets Manager (Buildkite plugin)
• Have ingress/egress filters to the internet:
• Tailscale
• Cloudflare etc.
• Always terminate agents and wipe VMs/Machines!
Insufficient PBAC (Pipeline-Based Access Controls)
44. SECURITY RISKS
SECURITY RISKS
1 — Insufficient Flow Control Mechanisms
2— Inadequate Identity and Access Management
3— Dependency Chain Abuse
4— Poisoned Pipeline Execution (PPE)
5 — Insufficient PBAC (Pipeline-Based Access Controls)
7 — Insecure System Configuration
8— Ungoverned Usage of 3rd Party Services
9 — Improper Artifact Integrity Validation
10 — Insufficient Logging and Visibility
Insufficient Credential Hygiene
45. • Limit the blast radius of potential breaches.
• Reduce risk of Poisoned Pipeline Execution (PPE):
• Limit what code is executed in certain contexts
• Have sensitive/non-sensitive build contexts
• Have strong Pipeline-Based Access Controls (PBAC):
• Limit scope of what builds/pipelines have access to
• Use ephemeral/tightly scoped access tokens
• Have sufficient Identity and Access Management:
• Stick to the principle of least privilege
• Be able to revoke access swiftly
Insufficient Credential Hygiene
52. Insufficient Flow Control Mechanisms
LGTM
• Unreviewed code can’t trigger deployment pipelines
• Code reviews & approvals should be part of the merge
process.
• Configure this process in your Source Control Manager:
• 2 human approvals prior to a PR being merged
• For teams with additional compliance regulations
consider using a `block step` in your pipeline.
56. Dependency Chain Abuse
• Get visibility into CVEs and act on them, use tools like:
• GitHub Dependabot
• Identifies & notifies users about vulnerable dependencies
• Can open PRs to keep dependencies updated
• Snyk
• Integrates with most CI/CD providers
• Does all aspects of security scanning
• Code/application/container scanning
• Asset Discovery and tagging (so you can pin versions)
• Avoid latest versions
• Verify the checksum
57. Software Bill of Materials
An immutable list of what’s in an application:
• Open source libraries (languages, imports/dependencies)
• Plugins, extensions, add-ons used
• Application code (versioned)
• Information about versions, licensing status and patch status of
these components
An SBOM for a SaaS application can include info like:
• APIs
• 3rd party services required to run the SaaS application.
63. Dependency Chain Abuse
• Get visibility into packages + CVEs with tools and act on them
• GitHub Dependabot
• Snyk
• Avoid latest versions
• Verify the checksum
• Practice Continous Compliance (Put a CC in CI/CD)
• Generate SBOMs for your applications
• Cloudsmith, JFrog, ReversingLabs, Sonatype
• Create action oriented workflows around SBOMs
72. OWASP Top 10 CI/CD Security risks
2022 State of DevOps Report
Supply Chain Levels for Software Artifacts (SLSA)
Secure Software Development Framework (SSDF)
US National Cybersecurity Strategy (March 2023)
Auth0's Open ID Connect Handbook
Software Bill of Materials (SBOM)
Automating Governance Risk and Compliance
Creating Actionable SBOMs with Cloudsmith & Buildkite
Resources