Загрузка...

Securing CI/CD: Complexity & Inspiration from Runtime Security - Abhimanyu Dhamija, KoalaLab

Securing CI/CD: Complexity & Inspiration from Runtime Security - Abhimanyu Dhamija, KoalaLab

Growth of software supply chain attacks has propelled a deeper look into security of CI/CD. Build environments are prone to secrets/sensitive data exfiltration attacks. Covering here, the learnings around building BOLT(https://github.com/koalalab-inc/bolt), an Open-source tool which secure CI runtime(For GitHub Actions). Taking inspiration from Runtime security, enabling a firewall on buildtime/CI runtime(Egress-filter as CI is a traffic source) should be good start. Complexity 1: IP-based rules won't work. A lot of internet traffic is behind CDNs/WAFs, so egress-filter will require domain-name based filtering. Complexity 2: CI runtime has outbound traffic to multi-tenant systems like github/dockerhub/jfrog etc. This demands deep SSL based inspection capabilities in egress control. Solution: TLS interception+eBPF Linux kernel supports eBPF which provides a way to tap into SSL traffic without the need to decrypt traffic. Such a solution does not add any overhead for developers and is efficient. Covering implementation complexity of eBPF probing for various different kind of SSL libraries to make the solution comprehensive for all kinds of CI pipelines.

Видео Securing CI/CD: Complexity & Inspiration from Runtime Security - Abhimanyu Dhamija, KoalaLab канала OpenSSF
Страницу в закладки Мои закладки
Все заметки Новая заметка Страницу в заметки

На информационно-развлекательном портале SALDA.WS применяются cookie-файлы. Нажимая кнопку Принять, вы подтверждаете свое согласие на их использование.

Об использовании CookiesПринять