Secure CI/CD Training

CI/CD practices have become common nowadays, so it is important to ensure that our applications integrate and are deployed safely. If these processes are overlooked, the entire code base can be tampered with or compromised or, worse, the weakness can lead to further breaches and information disclosure.

This workshop covers transferable concepts, regardless of which systems are in place for the continuous integration and continuous delivery parts. We will, however, start from scratch: defining and understanding the process, best practices, and the considerations to take into account when designing a CI/CD process.

Using a dummy project, we will walk through containerizing the application, how to do it correctly, and how to set up and install the entire toolset needed to secure a CI/CD process.

Target Audience

Software Engineers, DevOps Engineers, Security Engineers and Security Managers/Leaders.

Training Program

Part 1

  • CI/CD Overview
    • In this section, we will cover what CI is, what CD is, and what happens in each phase, as well as why it matters enough that we need to secure it.
    • CI/CD Threat Modelling (identify potential threats in each stage)
  • CI/CD Best Practices
    • In this section, we will cover engineering best practices for proper CI/CD processes, such as unit, integration and end-to-end tests, application containerization, automated security testing (SAST, DAST, SCA, etc.), dev environments and more.
    • Access Control and secure configurations overall

Part 2

  • Secure coding - proper secret handling, security quality gates at CI phases;
  • Secure application containerization (stripped images, removing unused packages, rootless containers);
  • Base image hardening - progressive and signed builds;
  • Securing the CI/CD System (Overall recommendations, GitHub Actions, GitLab Pipelines best practices, and transferable ideas);
  • Q&A

What You Will Learn

  • Latest engineering trends and practices in packaging and distributing software;
  • Best practices to secure your GitHub Actions and GitLab Pipelines;
  • How to approach and include automated security testing in your pipelines;
  • How to use incremental builds to deploy applications;
  • Common mistakes to avoid when building a standardised CI/CD process, so as to prevent information disclosure, exposure of sensitive data and/or code base compromise.

What are you waiting for? Get in touch to schedule your training session.

Location

In person / Online

Next session

TBD

Duration

4 Hours

Group Size

Individual / Up to 10 persons

Price

275€ (plus VAT if applicable)


Instructor

Gustavo Silva

With close to 5 years of experience working as a software developer at industry-leading companies, Gustavo has been focusing on application security, as well as security research and penetration testing. A long-term open source contributor and advocate, he is one of the maintainers of Surface Security and shhbt (a security intelligence and automation platform, and security scanners, respectively).