Rosemary Wang (she/her)
Developer Advocate at HashiCorp
@joatmon08
joatmon08.github.io
4
Slide 5
Slide 5 text
How to secure betterβ¦
5
Slide 6
Slide 6 text
How to secure betterβ¦
and remediate faster.
6
Slide 7
Slide 7 text
Securing CI/CD Pipelines
An Overview
β Access Control
β Secrets
β Runners
β Dependencies
β Configuration
7
Slide 8
Slide 8 text
Access Control π₯
8
Slide 9
Slide 9 text
limit serviceβs access rights to minimum required
least privilege
9
Slide 10
Slide 10 text
Pipelines need access.
Code Repository
accessesβ¦
Build infrastructure. Infrastructure Provider
Checkout code.
Deploy application.
Application Platform /
Release Repository
Test for security. Security Tool
Check code quality. Quality Assurance Tool
Run integration tests. Store for User Data
10
Slide 11
Slide 11 text
Choose your access.
Code Repository
Checkout code. Read repositories.
11
Slide 12
Slide 12 text
Choose your access.
Code Repository
Build infrastructure. Infrastructure Provider
Checkout code. Read repositories.
Write speci
fi
c services.
12
Slide 13
Slide 13 text
Choose your access.
Code Repository
Build infrastructure. Infrastructure Provider
Checkout code.
Deploy application.
Application Platform /
Release Repository
Read repositories.
Write speci
fi
c services.
Write speci
fi
c nodes or
namespaces.
13
Slide 14
Slide 14 text
Choose your access.
Code Repository
Build infrastructure. Infrastructure Provider
Checkout code.
Deploy application.
Application Platform /
Release Repository
Test for security. Security Tool
Read repositories.
Write speci
fi
c services.
Write speci
fi
c nodes or
namespaces.
Read test results.
14
Slide 15
Slide 15 text
Choose your access.
Code Repository
Build infrastructure. Infrastructure Provider
Checkout code.
Deploy application.
Application Platform /
Release Repository
Test for security. Security Tool
Check code quality. Quality Assurance Tool
Read repositories.
Write speci
fi
c services.
Write speci
fi
c nodes or
namespaces.
Read test results.
Read test results.
15
Slide 16
Slide 16 text
Choose your access.
Code Repository
Build infrastructure. Infrastructure Provider
Checkout code.
Deploy application.
Application Platform /
Release Repository
Test for security. Security Tool
Check code quality. Quality Assurance Tool
Read repositories.
Write speci
fi
c services.
Write speci
fi
c nodes or
namespaces.
Read test results.
Read test results.
Run integration tests. Store for User Data Read table in testing
environment.
16
Slide 17
Slide 17 text
The challenge of least privilege
Solutions
β Limit access from pipeline early in development
β Limit write access to repositories early in development
17
Slide 18
Slide 18 text
The challenge of least privilege
Solutions
β Limit access from pipeline early in development
β Limit write access to repositories early in development
β Offer self-service to refine access
β Offer templates of secure policies
18
Slide 19
Slide 19 text
The challenge of least privilege
Solutions
β Limit access from pipeline early in development
β Limit write access to repositories early in development
β Offer self-service to refine access
β Offer templates of secure policies
β Review access on a regular cadence
β Audit pipeline runs
19
Slide 20
Slide 20 text
Secrets π
20
Slide 21
Slide 21 text
sensitive information linked to access to a system or service
secrets
21
Slide 22
Slide 22 text
vault_database_secret_backend_connection.post
gres will be created
β’ resource
"vault_database_secret_backend_connection"
"postgres" {β¨
β¦ postgresql {
βͺ connection_url = "postgres://
hcpvault:ZWtW62okZyJh@terraform-2020113
0215226595400000001.cho1mmdxhp1z.us-
west-2.rds.amazonaws.com:5432/prod"
PIPELINE LOGS
[UNIT TEST]
TERRAFORM
FMT
[BUILD]
TERRAFORM
INIT
[DEPLOY]
TERRAFORM
PLAN
[RELEASE]
TERRAFORM
APPLY
[TEST]
22
Slide 23
Slide 23 text
vault_database_secret_backend_connection.post
gres will be created
β’ resource
"vault_database_secret_backend_connection"
"postgres" {β¨
β¦ postgresql {
βͺ connection_url = "postgres://
hcpvault:ZWtW62okZyJh@terraform-2020113
0215226595400000001.cho1mmdxhp1z.us-
west-2.rds.amazonaws.com:5432/prod"
PIPELINE LOGS
[UNIT TEST]
TERRAFORM
FMT
[BUILD]
TERRAFORM
INIT
[DEPLOY]
TERRAFORM
PLAN
[RELEASE]
TERRAFORM
APPLY
[TEST]
23
π±
Slide 24
Slide 24 text
Plan R
Remediate the secret
β’ Regret
β’ Revoke
β’ Rotate
β’ Reference
β’ Replace
β’ Re-run
24
Slide 25
Slide 25 text
Plan R
Remediate the secret
β’ Regret
β’ Revoke
β’ Rotate
β’ Reference
β’ Replace
β’ Re-run
25
100 pipelines laterβ¦ π
Slide 26
Slide 26 text
Pipelines use secrets.
26
Certi
fi
cates
Access Usernames & Passwords
Testing User Data
Tokens
SSH Keys
Encryption Keys
Slide 27
Slide 27 text
Pipelines create secrets.
27
Con
fi
guration Usernames & Passwords
SSH Keys
Tokens
Slide 28
Slide 28 text
The challenge of secrets
Solutions
β Mask or omit in pipeline output
β Use a secrets manager
28
Slide 29
Slide 29 text
The challenge of secrets
Solutions
β Mask or omit in pipeline output
β Use a secrets manager
β Issue new credentials per pipeline run
β Audit secrets usage
29
Slide 30
Slide 30 text
Runners π
30
Slide 31
Slide 31 text
resources that run pipeline stages or tasks
runners
31
33
Container
π€
1. Someone accesses CI/CD runner (e.g., SSH).
Virtual
Machine
$ mount /dev/ /mnt
$ chroot /mnt
2. Container can access host
fi
lesystem.
3. Access code or
fi
les for other jobs.
Other Jobs
on Virtual
Machine
Slide 34
Slide 34 text
34
Infrastructure Provider
Runner Managed Service
Engineer
Must be
authorized
user.
Must be
authorized
account.
Secrets Manager
Slide 35
Slide 35 text
35
Infrastructure Provider
Runner Managed Service
Engineer
Must be
authorized
user.
Must be
authorized
account.
Secrets Manager
Allow IP
address over
VPN.
Allow IP
addresses for CI
framework.
Slide 36
Slide 36 text
The challenge of securing runners
Solutions
β Use trusted / verified images
β Scan for OS vulnerabilities
36
Slide 37
Slide 37 text
The challenge of securing runners
Solutions
β Use trusted / verified images
β Scan for OS vulnerabilities
β Define network policy
β Run as a non-root
37
Slide 38
Slide 38 text
The challenge of securing runners
Solutions
β Use trusted / verified images
β Scan for OS vulnerabilities
β Define network policy
β Run as a non-root
β Use ephemeral secrets
β Audit remote access to runner
38
Slide 39
Slide 39 text
Dependencies π
39
Slide 40
Slide 40 text
third-party code used for pipeline stages or tasks
dependencies
40
Slide 41
Slide 41 text
41
name: release
jobs:
goreleaser:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@v2
with:
go-version: 1.14
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v2
with:
version: latest
args: release --rm-dist
Downloaded from trusted source?
Veri
fi
ed code?
Correct plugin?
Slide 42
Slide 42 text
42
public class UnverifiedPlugin {
protected static void getFiles(AbstractBuild b,
FilePath workspace) {
// code to replace project files or metadata
// code to gather information
// code to siphon credentials
}
}
Slide 43
Slide 43 text
The challenge of securing dependencies
Solutions
β Scan for vulnerabilities
β Verify checksums and signatures
43
Slide 44
Slide 44 text
The challenge of securing dependencies
Solutions
β Scan for vulnerabilities
β Verify checksums and signatures
β Use verified registry
β Pin versions
44
Slide 45
Slide 45 text
Configuration π
45
Slide 46
Slide 46 text
de
fi
ne delivery pipelines through source code
pipeline as
code
46
The challenge of securing configuration
Solutions
β Apply immutability to pipeline configuration
β Offer pipeline templates with secure defaults
48
Slide 49
Slide 49 text
The challenge of securing configuration
Solutions
β Apply immutability to pipeline configuration
β Offer pipeline templates with secure defaults
β Test pipelines as code
β Secure dependencies that allow arbitrary code / command
49
Slide 50
Slide 50 text
The challenge of securing configuration
Solutions
β Apply immutability to pipeline configuration
β Offer pipeline templates with secure defaults
β Test pipelines as code
β Secure dependencies that allow arbitrary code / command
β Audit changes to pipeline configuration
50
Slide 51
Slide 51 text
Securing CI/CD Pipelines
In Summary
β Access Control
β Secrets
β Runners
β Dependencies
β Configuration
51
Slide 52
Slide 52 text
Securing CI/CD Pipelines
In Summary
β Access Control
β Secrets
β Runners
β Dependencies
β Configuration
52
Favor immutability.