Thinking about Jenkins Security
Concepts and Practices for Security
DevSecOps and Security · Jenkins Admin
Wadeck Follonier, Mark Waite, Meg McRoberts
© 2019 All Rights Reserved. 3
Security Principles
• Know the system
• Least Privilege
  ▸ Grant only required privileges
  ▸ Open only required ports
• Defense in Depth
• Update your Software
  ▸ Latest LTS
  ▸ Latest Weekly
Is Jenkins Safe?
Charles Dyer, image of San Francisco safe, https://flic.kr/p/hMBVYi
Is Jenkins Safe? Answer: Part 1
• Jenkins is
  ▸ Distributed code execution service
  ▸ Remote code execution service
• Security is always a concern
  ▸ Risk from connected components: services can be intrusion points
  ▸ Risk from executed jobs: a Pipeline can run malicious code
Is Jenkins Safe? Answer: Part 2
• Many prevention facilities
• Good practices are good defense
• Jenkins security framework
• Courses dive deeper
What is Security?
Managing threats
• Unwarranted access
• Data theft
• Data damage
• Misuse of resources
Secure Your Information
Protecting Your Intellectual Property
• Your organization has information that is used to create value
• Information has value. Assure its
  ▸ Confidentiality
  ▸ Integrity
  ▸ Availability
• Security practices protect your information
Don’t Run Malicious Code
• Jenkins is distributed execution
  ▸ Network connections as entry points
• Bad actors want your resources
  ▸ Cryptocurrency miners
  ▸ Distributed denial of service attacks
  ▸ Bot networks
• Bad actors want to attack you
  ▸ Malware attacks on your builds
  ▸ Malware attacks on your products
What Needs to Be Secured?
• Access to Jenkins master and agents
• Communications between master & agents
• Artifacts
• Pipeline job definitions
• Source code
Jenkins Pipeline Execution
• Pipeline logic runs on master
• Malicious pipeline on misconfigured Jenkins can:
  ▸ Reconfigure Jenkins
  ▸ Delete files
  ▸ Launch attacks
  ▸ Steal data
• Pipeline calls steps on master & agents
• Attacker could:
  ▸ Run malicious code in build
  ▸ Inject malicious code into build artifacts
Don’t Build on Master!
• Do not build on Jenkins Master
  ▸ Zero executors on the master
• When a master job is mandatory
  ▸ Configure a master executor
  ▸ Run the job
  ▸ Remove the master executor
• Jobs on master have access to the master file system and configuration
  ▸ Run as the ‘Jenkins’ user
  ▸ Read and write configuration files
Static and Ephemeral Agents
Static Agents
• Advantages
  ▸ Easy to provision
  ▸ Persist indefinitely
  ▸ Easy to configure
  ▸ Predictable costs and allocation
• Disadvantages
  ▸ Persist “indefinitely”
  ▸ Costs when idling
  ▸ Harder to scale
Ephemeral Agents
• Advantages
  ▸ Single-use
  ▸ Elastic allocation
  ▸ No cost when idle
  ▸ Easier to scale
• Disadvantages
  ▸ Initial configuration is harder
  ▸ Debugging more difficult
Defense in Depth
Physical examples
• Company firewalls
• Network separation
• VPN access
• Reverse proxies
• DMZ
Defense in Depth
Application / Jenkins examples
• Credentials encryption
• Password hashing
• Sandboxing
• Authorization
Global Security Settings
• Jenkins default is secure
  ▸ Closes common intrusion paths
• Don’t disable the defaults
  ▸ CSRF protection
  ▸ Markup formatting
  ▸ Content security policy
Key Security Concepts
• Authentication
  ▸ Who can access the system
• Authorization
  ▸ What can the authenticated user do
Authentication
• Active Directory
• LDAP
• Jenkins’ own user database
• OAuth
• SAML
• Kerberos
• None
Authorization
• Matrix-based security
• Project-based matrix security
• Role-based strategy
• Logged-in users can do anything
• Anyone can do anything
Least Privilege
• Addition beats subtraction: start with no permissions and grant only what a user or job needs, rather than starting with everything and taking permissions away
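As an added example (not part of the original slides), the following Python script audits a Jenkins controller's config.xml against the points on the “Don’t Build on Master!”, “Global Security Settings”, “Authentication” and “Authorization” slides. It assumes the element and class names Jenkins writes to $JENKINS_HOME/config.xml; the two sample documents are constructed for this example.

```python
"""Audit a Jenkins controller's config.xml for the settings this deck recommends.

Added example, not from the original slides.  The element and class names are the
ones Jenkins stores in $JENKINS_HOME/config.xml; both sample documents below are
constructed for this example.
"""
import xml.etree.ElementTree as ET

# Authorization strategies from the "Authorization" slide that grant everything.
PERMISSIVE_AUTHZ = {
    "hudson.security.AuthorizationStrategy$Unsecured": "Anyone can do anything",
    "hudson.security.FullControlOnceLoggedInAuthorizationStrategy":
        "Logged-in users can do anything",
}
NO_AUTHN_REALM = "hudson.security.SecurityRealm$None"        # "None" on the Authentication slide
RAW_HTML_FORMATTER = "hudson.markup.RawHtmlMarkupFormatter"  # antisamy-markup-formatter plugin
EVERYONE_SIDS = ("anonymous", "authenticated")               # built-in group sids


def audit_config(xml_text):
    """Return one finding per violated recommendation; an empty list means all checks pass."""
    root = ET.fromstring(xml_text)
    findings = []

    # "Don't Build on Master!": the master should have zero executors.
    executors = int(root.findtext("numExecutors", default="0") or "0")
    if executors > 0:
        findings.append(f"master has {executors} executor(s); set numExecutors to 0")

    # "Global Security Settings": keep the secure defaults enabled.
    if root.findtext("useSecurity", default="false").strip().lower() != "true":
        findings.append("useSecurity is false: authentication and authorization are off")
    if root.find("crumbIssuer") is None:
        findings.append("no crumbIssuer: CSRF protection is disabled")
    formatter = root.find("markupFormatter")
    if formatter is not None and formatter.get("class") == RAW_HTML_FORMATTER:
        findings.append("markupFormatter allows raw HTML in user-supplied descriptions")

    # "Authentication": a realm of None leaves every request anonymous.
    realm = root.find("securityRealm")
    if realm is None or realm.get("class") == NO_AUTHN_REALM:
        findings.append("securityRealm is None: nobody has to authenticate")

    # "Authorization" / "Least Privilege": reject the two all-or-nothing strategies and,
    # for matrix strategies, an Administer grant to a group that means everyone.
    authz = root.find("authorizationStrategy")
    cls = authz.get("class") if authz is not None else None
    if cls is None or cls in PERMISSIVE_AUTHZ:
        label = PERMISSIVE_AUTHZ.get(cls, "missing")
        findings.append(f"authorizationStrategy '{label}' is not least privilege")
    elif cls.endswith("MatrixAuthorizationStrategy"):
        for entry in authz.findall("permission"):
            permission, _, sid = (entry.text or "").partition(":")
            if permission.endswith(".Administer") and sid in EVERYONE_SIDS:
                findings.append(f"Administer is granted to '{sid}': everyone is an administrator")

    return findings


# Constructed sample: security left at the permissive settings the deck warns against.
WEAK_CONFIG = """<hudson>
  <numExecutors>2</numExecutors>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy"/>
  <securityRealm class="hudson.security.SecurityRealm$None"/>
  <markupFormatter class="hudson.markup.RawHtmlMarkupFormatter"/>
</hudson>
"""

# Constructed sample: the same controller after applying the slides' recommendations.
HARDENED_CONFIG = """<hudson>
  <numExecutors>0</numExecutors>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:alice</permission>
    <permission>hudson.model.Hudson.Read:authenticated</permission>
    <permission>hudson.model.Item.Build:authenticated</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
  <markupFormatter class="hudson.markup.EscapedMarkupFormatter"/>
  <crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer">
    <excludeClientIPFromCrumb>false</excludeClientIPFromCrumb>
  </crumbIssuer>
</hudson>
"""

if __name__ == "__main__":
    for name, config in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_config(config)
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

Feed `audit_config` the contents of `$JENKINS_HOME/config.xml`; the Content Security Policy is set as a JVM system property rather than stored in that file, so it needs a separate check.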
Jenkins Credentials
Trusted Access to Resources
• Usernames and passwords
• Private keys
• OAuth tokens
• Secret text
• Certificates
Use Jenkins Credentials – Don’t Embed Plaintext
• No passwords in source
• No private keys in source
• No authentication tokens in source
Jenkins Credentials - Examples
• Master to agent ssh authentication
• Source code ssh or https access
• Artifact storage
• Databases
• Deployment environments
Why Jenkins Credentials?
Stored securely, available in context
• Credentials as Jenkins resources
  ▸ Protected by Jenkins authorization matrix (create, read, update, and delete permissions)
• Stored where they are used
  ▸ Store credentials in the folder containing the jobs that use the credentials
  ▸ Not available to jobs outside the folder
Best Practices
Do these things
• Update the operating system
• Update Jenkins
• Update plugins
• Monitor security advisories
  ▸ Mailing list: subscribe to jenkinsci-advisories
  ▸ Review advisories: https://jenkins.io/security/advisories
• Resolve administrative monitors
Best Practices
Do these things
• Apply Updates
Continuous Delivery Products and Services
• Jenkins: DevOps Excellence
• CloudBees Jenkins Distribution
• CloudBees Jenkins X Distribution
• Core: Unified Software Delivery & Governance
• DevOptics: Software Delivery Visibility & Insights
• CodeShip: CI/CD as a Service
• Flow: Adaptive Release Orchestration
• Rollout: Feature Flag Management
• Support: 24x7 Technical Support, Assisted Updates
• Accelerator: Training, Customer Success Managers, DevOps Consultants
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Dele Amefo
 
Download Wondershare Filmora Crack [2025] With Latest
Download Wondershare Filmora Crack [2025] With LatestDownload Wondershare Filmora Crack [2025] With Latest
Download Wondershare Filmora Crack [2025] With Latest
tahirabibi60507
 
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
Egor Kaleynik
 
Exploring Wayland: A Modern Display Server for the Future
Exploring Wayland: A Modern Display Server for the FutureExploring Wayland: A Modern Display Server for the Future
Exploring Wayland: A Modern Display Server for the Future
ICS
 
Pixologic ZBrush Crack Plus Activation Key [Latest 2025] New Version
Pixologic ZBrush Crack Plus Activation Key [Latest 2025] New VersionPixologic ZBrush Crack Plus Activation Key [Latest 2025] New Version
Pixologic ZBrush Crack Plus Activation Key [Latest 2025] New Version
saimabibi60507
 

Thinking about Jenkins Security

11. Jenkins Pipeline Execution
• Pipeline logic runs on master
• Malicious pipeline on misconfigured Jenkins can:
  ▸ Reconfigure Jenkins
  ▸ Delete files
  ▸ Launch attacks
  ▸ Steal data
• Pipeline calls steps on master & agents
• Attacker could:
  ▸ Run malicious code in build
  ▸ Inject malicious code into build artifacts

12. Don’t Build on Master!
• Do not build on Jenkins Master
  • Zero executors on the master
• When master job is mandatory
  • Configure a master executor
  • Run the job
  • Remove the master executor
• Jobs on master have access to the master file system and configuration
  • Run as the ‘Jenkins’ user
  • Read and write configuration files

13. Static and Ephemeral Agents
Static Agents
• Advantages
  • Easy to provision
  • Persist indefinitely
  • Easy to configure
  • Predictable costs and allocation
• Disadvantages
  • Persist “indefinitely”
  • Costs when idling
  • Harder to scale
Ephemeral Agents
• Advantages
  • Single-use
  • Elastic allocation
  • No cost when idle
  • Easier to scale
• Disadvantages
  • Initial configuration is harder
  • Debugging more difficult

14. Defense in Depth: Physical examples
• Company firewalls
• Network separation
• VPN access
• Reverse proxies
• DMZ

15. Defense in Depth: Application / Jenkins examples
• Credentials encryption
• Password hashing
• Sandboxing
• Authorization

16. Global Security Settings
• Jenkins default is secure
  • Closes common intrusion paths
• Don’t disable the defaults
  • CSRF protection
  • Markup formatting
  • Content security policy

17. Key Security Concepts
• Authentication
  • Who can access the system
• Authorization
  • What can the authenticated user do

18. Authentication
• Active Directory
• LDAP
• Jenkins’ own user database
• OAuth
• SAML
• Kerberos
• None
21. Authorization
• Matrix-based security
• Project-based matrix security
• Role-based strategy
• Logged-in users can do anything
• Anyone can do anything
24. Least Privilege
• Addition beats subtraction

25. Jenkins Credentials: Trusted Access to Resources
• Usernames and passwords
• Private keys
• OAuth tokens
• Secret text
• Certificates

26. Use Jenkins Credentials – Don’t Embed Plaintext
• No passwords in source
• No private keys in source
• No authentication tokens in source

27. Jenkins Credentials - Examples
• Master to agent ssh authentication
• Source code ssh or https access
• Artifact storage
• Databases
• Deployment environments

28. Why Jenkins Credentials? Stored securely, available in context
• Credentials as Jenkins resources
• Protected by Jenkins authorization matrix
  ▸ Create, read, update, and delete permissions
• Stored where they are used
  ▸ Store credentials in folder containing jobs that use the credentials
  ▸ Not available to jobs outside the folder
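A declarative Jenkinsfile that applies slides 26 to 28, added here as an example and not taken from the deck: every secret comes from Jenkins Credentials (the Credentials Binding plugin's withCredentials step) rather than the repository, and the job runs on a labelled agent rather than the master. The credential ids 'artifact-repo' and 'deploy-api-token', the agent label 'linux', and the hostnames are assumptions; the ids resolve to credentials stored in the folder that holds the job, as slide 28 recommends.

```groovy
// Added example, not from the slides. Assumed credential ids: 'artifact-repo'
// (username with password) and 'deploy-api-token' (secret text), both stored
// in the folder that contains this job. 'linux' is an assumed agent label and
// the hostnames are placeholders.
pipeline {
    // Slide 12: do not build on the master; select an agent by label
    agent { label 'linux' }
    stages {
        stage('Publish artifact') {
            steps {
                // Slide 26: the anti-pattern this replaces would be
                //   sh 'curl -u builder:Hunter2 -T app.jar https://repo.example.com/...'
                // which leaves the password in git history and in every build log.
                withCredentials([usernamePassword(credentialsId: 'artifact-repo',
                                                  usernameVariable: 'REPO_USER',
                                                  passwordVariable: 'REPO_PASS')]) {
                    // Single-quoted Groovy string: the shell expands the variables,
                    // so the secret never enters the Groovy string and the build
                    // log shows it masked.
                    sh 'curl --fail -u "$REPO_USER:$REPO_PASS" -T app.jar https://repo.example.com/releases/app.jar'
                }
            }
        }
        stage('Deploy') {
            steps {
                withCredentials([string(credentialsId: 'deploy-api-token', variable: 'DEPLOY_TOKEN')]) {
                    // Do not write "...$DEPLOY_TOKEN..." in double quotes: Groovy
                    // would interpolate the secret into the command line before
                    // the masking applies.
                    sh 'curl --fail -H "Authorization: Bearer $DEPLOY_TOKEN" https://deploy.example.com/release'
                }
            }
        }
    }
}
```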
29. Best Practices: Do these things
• Update the operating system
• Update Jenkins
• Update plugins
• Monitor security advisories
  • Mailing list - subscribe to jenkinsci-advisories
  • Review advisories – https://jenkins.io/security/advisories
• Resolve administrative monitor
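A read-only Script Console check for the settings slides 12, 16, 18, 21 and 29 tell you to keep, added here as an example and not part of the deck: it reports executors on the master, disabled CSRF protection, a non-plain-text markup formatter, a Content-Security-Policy override, the open authentication and authorization choices, and unresolved administrative monitors. The classes and getters are Jenkins core; the script assumes it is run by an administrator and changes nothing.

```groovy
// Added example, not from the slides: a read-only audit of the global settings
// the deck says to keep. Run it as an administrator in Manage Jenkins > Script
// Console; it changes nothing. All classes and getters are Jenkins core.
import jenkins.model.Jenkins
import hudson.markup.EscapedMarkupFormatter
import hudson.security.AuthorizationStrategy
import hudson.security.FullControlOnceLoggedInAuthorizationStrategy
import hudson.security.SecurityRealm

def j = Jenkins.get()
def findings = []

// Slide 12: zero executors on the master, so no job runs as the Jenkins user there
if (j.numExecutors != 0) {
    findings << "master has ${j.numExecutors} executor(s); set it to 0"
}
// Slide 16: CSRF protection is active only while a crumb issuer is configured
if (j.crumbIssuer == null) {
    findings << "CSRF protection is disabled (no crumb issuer)"
}
// Slide 16: the plain-text formatter escapes HTML in descriptions and names
if (!(j.markupFormatter instanceof EscapedMarkupFormatter)) {
    findings << "markup formatter is ${j.markupFormatter.getClass().simpleName}, not plain text"
}
// Slide 16: the Content-Security-Policy for served files is weakened through
// this system property; when it is absent the built-in default is in effect
def csp = System.getProperty('hudson.model.DirectoryBrowserSupport.CSP')
if (csp != null) {
    findings << "Content-Security-Policy override present: '${csp}'"
}
// Slides 18 and 21: the authentication and authorization choices that open Jenkins to all
if (j.securityRealm == SecurityRealm.NO_AUTHENTICATION) {
    findings << "security realm is 'None'"
}
def auth = j.authorizationStrategy
if (auth instanceof AuthorizationStrategy.Unsecured) {
    findings << "authorization is 'Anyone can do anything'"
} else if (auth instanceof FullControlOnceLoggedInAuthorizationStrategy) {
    findings << "authorization is 'Logged-in users can do anything'"
}
// Slide 29: administrative monitors still waiting to be resolved
j.activeAdministrativeMonitors.each { m ->
    findings << "active administrative monitor: ${m.displayName}"
}

return findings ? findings.join('\n') : 'no findings'
```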
30. Best Practices: Do these things
• Apply Updates
35. Continuous Delivery Products and Services
• DevOptics: Software Delivery Visibility & Insights
• Core: Unified Software Delivery & Governance
• CodeShip: CI/CD as a Service
• Flow: Adaptive Release Orchestration
• Rollout: Feature Flag Management
• Jenkins: CloudBees Jenkins Distribution, CloudBees Jenkins X Distribution
• DevOps Excellence: 24x7 Technical Support, Assisted Updates, Support Accelerator, Training, Customer Success Managers, DevOps Consultants