Is Your Approach to Pipeline Security Flawed? Rethinking CI/CD Security
2024-12-14, Track 2

With CI/CD pipelines driving modern DevSecOps, ensuring they don't become attack vectors is a shared concern across organisations. This talk introduces a new perspective focused on provable CI/CD security, while steering away from securing pipelines directly. Maintain compliance, ensure visibility, and prevent potential threats from compromising critical systems by focusing on what really matters.
With DevSecOps becoming the standard, CI/CD pipelines have become the backbone of software development and deployment, running thousands of times a day. Each pipeline executes critical tasks such as building, testing, and deploying code, often leveraging automation and guardrails to ensure quality and security. Tools that integrate into pipelines promise to help.

But what exactly is a pipeline? What systems and resources does it interact with? And most importantly, how can we ensure that no pipeline becomes a pivot point for an attacker to compromise our most valuable systems? Can we be confident that pipelines are running what we expect and providing the data that other processes need?

These questions point to a (perhaps overlooked) concept: Protected Resources. In this talk, we will explore how shifting to a new mindset could enhance visibility into pipelines, ensure adherence to security protocols, and prevent pipelines from becoming attack vectors. We'll delve into practical strategies to gain observability, improve compliance, and better secure your CI/CD system in the age of DevSecOps.