Thank you for joining us at our 20th Anniversary Event! All sessions were recorded and will be posted in the coming weeks on the OWASP YouTube channel.

We have been working hard to secure the world through challenges and discovery. And now, it’s time to celebrate! Many of you have played a crucial role in the Foundation’s enduring history, and we encourage you to participate in the celebration coming this September! Our theme, Securing the Next 20 Years, is encouraging and exciting as we look ahead to the next 20 years!

Join us for FREE at this live 24-hour global event as we honor the past, celebrate the present, and embrace the future of OWASP and cybersecurity. Hear from world-renowned keynotes and special speakers, and network with your peers. It is FREE to attend; however, registration IS required to gain access to the session links.

Friday, September 24 • 10:30am - 11:00am
Your code might be secure, but what about your pipeline? Challenges of securing build/deployment environment.


Abstract:
Traditionally, Change Management is a very well-defined process. You can find hundreds of articles on the Internet explaining how each change should be properly requested, developed, tested and approved before being moved to the production environment.

Obviously, each of these steps requires documentation and formal approval (sign-off) from the appropriate person. This process gave security engineers several opportunities to ensure that changes do not introduce any new vulnerabilities and that the infrastructure to which the application is deployed is hardened and patched.

Security around the Change Management process gets a little more complicated for agile software development and DevOps methodologies, where tens of small changes are introduced every day. Each of these small changes is automatically tested from various perspectives and, if everything goes as expected, it is deployed to the environment of your choice without human intervention.

Without any manual review in place, change management and security controls rely heavily on the fact that:

- humans cannot access sensitive environments in an uncontrolled manner
- application and infrastructure code is independently reviewed to avoid unauthorized changes and detect flaws
- pre-approved and verified artifacts are used while building applications to decrease the risk of insecure dependencies or malicious artifacts
- automated tests are performed by the pipeline to detect defects or security issues

It goes without saying that the ability to circumvent any of the above-mentioned controls may introduce unauthorized changes and security issues into the application.

This presentation will describe an often-ignored area of application security: the security of the development environment. The presenter will share some common misconfigurations of the build/deployment environment that can have a significant negative impact on source code integrity and, as an ultimate result, on the security of the application itself.

Speakers

Marcin Szydłowski

InfoSec Manager, PMI
Cyber Security enthusiast familiar with application security from both offensive and defensive perspectives. As currently responsible for the secure implementation of information systems in a global company, Marcin is able to share his experiences on secure system development in an environment...


Friday September 24, 2021 10:30am - 11:00am EDT
On-Line