Is Your Approach To Pipeline Security Flawed? Rethinking CI/CD Security - Patricia R

With DevSecOps becoming the standard, CI/CD pipelines have become the backbone of software development and deployment, running thousands of times a day. Each pipeline executes critical tasks such as building, testing, and deploying code - often leveraging automation and guardrails to ensure quality and security. Tools that integrate in pipelines promise to help. But what exactly is a pipeline? What systems and resources does it interact with? And most importantly, how can we ensure that no pipeline becomes a pivot point for an attacker to compromise our most valuable systems? Can we be confident pipelines are running what we expect and providing the necessary data for other processes? These questions point to a (perhaps overlooked) concept: Protected Resources. In this talk, we will explore how shifting to a new mindset could enhance visibility into pipelines, ensure adherence to security protocols, and prevent pipelines from becoming attack vectors. We'll delve into practical strategies to gain observability, improve compliance, and better secure your CI/CD system in the age of DevSecOps.