How Secure Is Your Build Server? A Story of Packages and Trust



We have learned that we need to trust others, but as our parents used to say – don't trust strangers. So we secure our production server more than ever. Yet, in the middle sits this no-man's land: “the build server”, the CI server. We think it's time to take a closer look at some of the good practices around securing builds & artifacts to improve our day-to-day level of trust. Development has changed over the years, from doing everything yourself to a 3rd-party package for every function. Operations has changed too: running your own servers is now considered an exception. To the cloud! With Mark Sherman's statement “Development is now assembly” in mind, the talk will focus more on the package/artifact/repository aspect and less on the application security inside the code itself or at the OS/machine level.
This talk will go into detail on:

- How to verify trust of your dependencies: from metadata, binaries, and repositories
- How to provide trust to others that build upon your software
- How this ties into the concept of “reproducible builds”
- How a practical “Software Bill of Materials” looks
- How the concepts of “The Update Framework” (TUF) relate
- How you can implement secure packaging policies

It will explain these topics using practical code examples from the Node.js and Docker ecosystems.
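As an added example (not code from the talk or from Patrick Debois), here is the lock-file check behind “verify trust of your dependencies: from metadata, binaries” in the Node.js ecosystem: a package-lock.json entry pins each tarball with a Subresource Integrity (SRI) string, and the downloaded bytes are trusted only if they match the strongest hash listed. The package name, URL and tarball bytes below are constructed for the demonstration.

```python
import base64
import binascii
import hashlib
import hmac

# Algorithms accepted in an SRI string, strongest first. sha1 is left out on
# purpose: a legacy weak hash counts as "no usable integrity", not as a pass.
STRONG_ALGOS = ("sha512", "sha384", "sha256")


def sri(algo, data):
    """Build one SRI token the way a lock file writes it: '<algo>-<base64 digest>'."""
    return algo + "-" + base64.b64encode(hashlib.new(algo, data).digest()).decode()


# Constructed sample: a fake tarball and the lock-file metadata that would
# describe it (hypothetical package name and registry URL).
FAKE_TARBALL = b"fake-tarball-bytes-for-left-pad@1.3.0"
LOCK_ENTRY = {
    "version": "1.3.0",
    "resolved": "https://registry.example.invalid/left-pad/-/left-pad-1.3.0.tgz",
    "integrity": sri("sha512", FAKE_TARBALL),
}


def parse_sri(integrity):
    """Split 'algo-base64 algo-base64 ...' into [(algo, digest_bytes)], keeping strong algorithms only."""
    entries = []
    for token in integrity.split():
        algo, _, b64 = token.partition("-")
        b64 = b64.split("?", 1)[0]  # SRI allows '?option' suffixes; they are not part of the digest
        if algo not in STRONG_ALGOS or not b64:
            continue
        try:
            entries.append((algo, base64.b64decode(b64, validate=True)))
        except binascii.Error:
            continue  # malformed digest: treat as absent rather than guessing
    return entries


def verify_tarball(data, lock_entry):
    """Return True only if data matches the strongest SRI hash in the lock entry."""
    entries = parse_sri(lock_entry.get("integrity", ""))
    if not entries:
        return False  # unpinned or weakly pinned: no basis for trust
    # Pick the strongest algorithm present; a weaker co-listed hash is ignored.
    algo, expected = min(entries, key=lambda e: STRONG_ALGOS.index(e[0]))
    actual = hashlib.new(algo, data).digest()
    return hmac.compare_digest(actual, expected)
```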
All this will be presented from the different viewpoints of “dev”, “sec” and “ops”. Let's take ownership of our trust; we are already responsible when things go wrong anyway.

EVENT / SPEAKER:
FOSDEM 2020 / Patrick Debois

PUBLICATION PERMISSIONS / ATTRIBUTION CREDITS:
Original video was published with the Creative Commons Attribution license (reuse allowed). Original video source: https://www.youtube.com/watch?v=QYe94_gvMfk
