Securing your
delivery pipelines
with a slight shift
to the left
I’m OK at Computers.
Can you imagine…
We should do better.
We can do better.
Supply Chain Levels for Software Artefacts
(SLSA)
A framework designed to help
organisations improve the integrity of
their software supply chains.
Developer Burnout
Recommendations
Performance
The Secure Software Development Framework
(SSDF) is a set of fundamental, sound, and
secure software development practices based
on established secure software development
practice documents from organizations such as
BSA, OWASP, and SAFECode. Few software
development life cycle (SDLC) models explicitly
address software security in detail, so practices
like those in the SSDF need to be added to and
integrated with each SDLC implementation.
The SSDF outlines solid practices for
embedding secure software
development practices in the delivery
lifecycle, that don’t just identify
threats but actually address them.
Source: https://csrc.nist.gov/Projects/ssdf
33% of respondents described their
security strategy as having a mix of
prevention and detection.
Source: Left and Right of Boom in Cybersecurity, Elastic, 2022
82% said they plan to implement, are
implementing or have implemented.
The road to hell is paved
with good intentions.
“would pursue laws to establish
liability for software companies
that sell technology that lacks
cybersecurity protections”
The Biden-Harris National Cybersecurity Strategy
Security is our Responsibility
CI CD
Git
Top 10 CI/CD Security Risks
The Open Worldwide Application Security Project (OWASP)
1 — Insufficient Flow Control Mechanisms
2 — Inadequate Identity and Access Management
3 — Dependency Chain Abuse
4 — Poisoned Pipeline Execution (PPE)
5 — Insufficient PBAC (Pipeline-Based Access Controls)
6 — Insufficient Credential Hygiene
7 — Insecure System Configuration
8 — Ungoverned Usage of 3rd Party Services
9 — Improper Artifact Integrity Validation
10 — Insufficient Logging and Visibility
Our goal is to limit the blast radius.
Is executing build scripts within
all build contexts okay?
Executing scripts within
all build contexts is not ok.
How about running
`terraform plan`
in all build contexts?
Executing arbitrary code
in all build contexts is not ok.
Poisoned Pipeline Execution (PPE)
• Have isolated pipeline environments and contexts
• Sensitive and Non-Sensitive contexts
• Use branch protection rules in GitHub/GitLab/BitBucket etc.
Branch Build: non-sensitive context
- no access to secrets
- no pipeline to prod
- steps: Upload Pipeline, Build Docker Image, Linting, Security Scans, RSpec, Jest, Code Coverage, Bundle Analysis
Main Build: sensitive context
- access to secrets
- additional permissions
- steps: Upload Pipeline, Build Docker Image, Linting, Security Scans, RSpec, Jest, Code Coverage, Bundle Analysis, Prepare for Deploy, Deploy to Prod
Insufficient PBAC (Pipeline-Based Access Controls)
• Restrict the scope of a pipeline's access & permissions
• Use granular access controls
Diagram: Agent, Job, ECS deploy role, ECS Service, Agent API (Pipelines), OIDC provider
OIDC token
Header
Payload
Signature
• Restrict the scope of a pipeline's access & permissions
• Apply granular access controls:
  • job-tokens
  • OIDC
• Use these things with a dedicated Secrets Manager:
  • HashiCorp Vault (Buildkite plugin)
  • AWS Secure Secrets Manager (Buildkite plugin)
• Have ingress/egress filters to the internet:
  • Tailscale
  • Cloudflare etc.
• Always terminate agents and wipe VMs/Machines!
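The OIDC token slides split a token into header, payload and signature; the side that hands out the ECS deploy role then has to decide from the claims whether this job may have it. The following is an added example, not code from the talk: it splits a compact token and applies an exact-match claim policy so that only main-branch builds of one pipeline get the role. The issuer, audience, `sub` layout and role name are assumptions, the sample tokens are constructed, and signature verification against the issuer's published keys is assumed to happen before `authorize` is trusted.

```python
import base64
import json

# Assumed values for illustration; none of them come from the talk.
TRUSTED_ISSUER = "https://ci.example.com"
EXPECTED_AUDIENCE = "sts.example.com"
# Hypothetical subject layout: organization:<org>:pipeline:<slug>:ref:<git ref>
# Exact-match subjects only: a wildcard here would widen the blast radius.
ROLE_SUBJECTS = {
    "ecs-deploy-role": {"organization:acme:pipeline:web-app:ref:refs/heads/main"},
}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding, so restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def split_token(token: str):
    """Split a compact JWT into decoded header, payload and raw signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims, b64url_decode(parts[2])


def authorize(header: dict, claims: dict, role: str, now: int):
    """Decide whether a signature-verified token may assume `role`."""
    if header.get("alg") != "RS256":
        return False, "unexpected signing algorithm"
    if claims.get("iss") != TRUSTED_ISSUER:
        return False, "untrusted issuer"
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience"
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return False, "token expired"
    sub = claims.get("sub")
    if not isinstance(sub, str) or sub not in ROLE_SUBJECTS.get(role, set()):
        return False, "subject not allowed for role"
    return True, "ok"


def make_sample_token(ref: str, exp: int) -> str:
    """Build a constructed token; the signature is a placeholder, not valid."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-key"}
    claims = {
        "iss": TRUSTED_ISSUER,
        "aud": EXPECTED_AUDIENCE,
        "sub": f"organization:acme:pipeline:web-app:ref:{ref}",
        "exp": exp,
    }
    segments = [json.dumps(header).encode(), json.dumps(claims).encode(), b"placeholder"]
    return ".".join(b64url_encode(s) for s in segments)


def decide(token: str, role: str, now: int):
    header, claims, _signature = split_token(token)
    # A real verifier checks the signature against the issuer's keys here.
    return authorize(header, claims, role, now)


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    for ref in ("refs/heads/main", "refs/heads/feature-x"):
        token = make_sample_token(ref, now + 300)
        print(ref, decide(token, "ecs-deploy-role", now))
```
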
Insufficient Credential Hygiene
• Limit the blast radius of potential breaches.
• Reduce risk of Poisoned Pipeline Execution (PPE):
  • Limit what code is executed in certain contexts
  • Have sensitive/non-sensitive build contexts
• Have strong Pipeline-Based Access Controls (PBAC):
  • Limit scope of what builds/pipelines have access to
  • Use ephemeral/tightly scoped access tokens
• Have sufficient Identity and Access Management:
  • Stick to the principle of least privilege
  • Be able to revoke access swiftly
Let machines do the work!
• Use a dedicated secret manager:
  • HashiCorp Vault, AWS Secure Secrets Manager etc.
• Automatically scan for leaked keys and credentials:
  • GitGuardian, GitHub’s configurable Secret Scanning etc.
Alerts are only useful if
they’re seen and acted on.
Insufficient Flow Control Mechanisms
CI/CD exists because we accept mistakes are part of software delivery.
LGTM
• Unreviewed code can’t trigger deployment pipelines
• Code reviews & approvals should be part of the merge process.
• Configure this process in your Source Control Manager:
  • 2 human approvals prior to a PR being merged
• For teams with additional compliance regulations consider using a `block step` in your pipeline.
Dependency Chain Abuse
Open Source
NPM, Yarn, PyPI, RubyGems, all the things…
• Get visibility into CVEs and act on them, use tools like:
  • GitHub Dependabot
    • Identifies & notifies users about vulnerable dependencies
    • Can open PRs to keep dependencies updated
  • Snyk
    • Integrates with most CI/CD providers
    • Does all aspects of security scanning
    • Code/application/container scanning
• Asset Discovery and tagging (so you can pin versions)
• Avoid latest versions
• Verify the checksum
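"Avoid latest versions" and "Verify the checksum" can be enforced as a build gate. The following is an added example, not code from the talk: it audits a lock manifest for floating versions and compares each downloaded artifact's SHA-256 with the recorded value. The manifest layout, package names and artifact bytes are constructed, and "pinned" is simplified here to an exact numeric release.

```python
import hashlib
import hmac
import re

# Simplification for this example: pinned means an exact numeric release.
EXACT_VERSION = re.compile(r"\d+(\.\d+)*")

# Constructed artifact contents standing in for downloaded packages.
GOOD_TARBALL = b"constructed contents of web-utils 2.4.1"
TAMPERED_TARBALL = b"constructed contents of web-utils 2.4.1 plus extra code"

# Constructed lock data: name -> requested version and expected SHA-256.
LOCK = {
    "web-utils": {
        "version": "2.4.1",
        "sha256": hashlib.sha256(GOOD_TARBALL).hexdigest(),
    },
    "log-helper": {"version": "latest", "sha256": None},
    "img-tools": {"version": "^1.2.0", "sha256": None},
}


def is_pinned(version: str) -> bool:
    """Reject tags and ranges such as 'latest', '*', '^1.2.0' or '>=2'."""
    return EXACT_VERSION.fullmatch(version) is not None


def checksum_matches(data: bytes, expected_hex) -> bool:
    """Compare the artifact's SHA-256 with the recorded one."""
    if not expected_hex:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def audit(lock: dict, downloads: dict) -> list:
    """Return (package, finding) pairs; an empty list means the gate passes."""
    findings = []
    for name in sorted(lock):
        entry = lock[name]
        if not is_pinned(entry["version"]):
            findings.append((name, "floating version " + entry["version"]))
            continue
        if not entry.get("sha256"):
            findings.append((name, "no checksum recorded"))
        elif name not in downloads:
            findings.append((name, "artifact missing"))
        elif not checksum_matches(downloads[name], entry["sha256"]):
            findings.append((name, "checksum mismatch"))
    return findings


if __name__ == "__main__":
    for label, blob in (("good", GOOD_TARBALL), ("tampered", TAMPERED_TARBALL)):
        print(label, audit(LOCK, {"web-utils": blob}))
```
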
Software Bill of Materials
An immutable list of what’s in an application:
• Open source libraries (languages, imports/dependencies)
• Plugins, extensions, add-ons used
• Application code (versioned)
• Information about versions, licensing status and patch status of these components
An SBOM for a SaaS application can include info like:
• APIs
• 3rd party services required to run the SaaS application.
SBOM > F-BOMB
CI/CD
CI/CC/CD
Create actionable SBOMs
Dependency Chain Abuse
• Get visibility into packages + CVEs with tools and act on them
  • GitHub Dependabot
  • Snyk
• Avoid latest versions
• Verify the checksum
• Practice Continuous Compliance (Put a CC in CI/CD)
• Generate SBOMs for your applications
  • Cloudsmith, JFrog, ReversingLabs, Sonatype
• Create action oriented workflows around SBOMs
Aim to
limit the blast radius
Establish
Strict Boundaries
Lean on tooling & automation
Work together to create and
adapt the human processes.
GAME OVER
Resources
OWASP Top 10 CI/CD Security Risks
2022 State of DevOps Report
Supply Chain Levels for Software Artifacts (SLSA)
Secure Software Development Framework (SSDF)
US National Cybersecurity Strategy (March 2023)
Auth0's OpenID Connect Handbook
Software Bill of Materials (SBOM)
Automating Governance Risk and Compliance
Creating Actionable SBOMs with Cloudsmith & Buildkite
@MelissaKaulfuss
Securing delivery pipelines with isolated contexts and granular access controls
