Secure your Jenkins
Jenkins CI is a great tool, but that does not mean it can take care of its own security. Getting Jenkins up and running is one thing; having it properly and securely configured requires some thoughtful configuration.
Most people think, "I have set up user authentication, so my Jenkins is now secure," but this is not the case. There are a lot of small and basic things you need to do to make Jenkins secure; most of them are very fundamental, yet the impact of these small steps can be massive.
Why should you take Jenkins security seriously?
You should take the security of your Jenkins seriously because Jenkins is an application that interacts with many different components, services, servers, etc. To do this, Jenkins needs credentials for, and/or access to, those services.
Say, for example, your Jenkins is running on AWS and needs access to ECR, ECS and EC2. To do this, you would create an IAM user for Jenkins (not the best option out there, but still very widely used) and give it EC2 admin access.
Now think of a scenario where someone gets hold of your Jenkins instance, and you have stored those IAM credentials in Jenkins environment variables. That person can now wreak havoc for you, your organization and your customers; not a pretty situation to be in.
You should avoid these kinds of painful situations by taking precautionary steps. As the saying goes, prevention is better than cure.
What can you do to keep your Jenkins secure?
There are a lot of small and basic things you need to do to make Jenkins secure; most of them are very basic, but the impact of these small steps can be massive. First and foremost, never take the security of your Jenkins lightly. Nothing you need to do is massive or tedious; it is just a few thoughtful configurations.
A few recommended steps for a secure Jenkins configuration:
- Never, ever store ANY type of credentials in Jenkins environment variables; there should be no exceptions to this rule. Period.
- Use specialized options (the Jenkins Credentials plugin, the AWS Parameter Store plugin, HashiCorp Vault) for credential storage. There are plugins available for these tools.
- Always set up SSL with Jenkins (you can get a free SSL certificate from https://letsencrypt.org/).
- Always, always inject credentials instead of hard coding them.
- Do not use your personal GitHub/Bitbucket/GitLab credentials; instead, wherever possible, use API tokens or SSH keys for checkout. One of the best things about API access tokens is that you can control how much access you give to the token you generate for your Jenkins.
- Never, ever give your Jenkins instance unlimited access to your cloud account; for example, give it a restricted AWS role, keeping the principle of least privilege in mind.
- When creating Jenkins users, give them access only to what they need; not everybody needs to be admin.
- If your Jenkins is reachable publicly over the Internet and does not have SSL enabled (RED FLAG), think again: use disposable/temporary/single-use credentials for the different services instead of configuring Jenkins with your own username and password.
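As an added example (not from the original deck), a declarative Jenkinsfile that applies the points above: an SSH deploy key for checkout instead of a personal Git hosting password, a secret injected by the Credentials Binding plugin only inside the step that needs it, and no credentials in environment variables. The repository, registry, credential IDs and e-mail address are assumed placeholders that must exist in your own Jenkins Credentials store.

```groovy
// Example Jenkinsfile added to illustrate the slides' advice; not from the original deck.
// Credential IDs, repository, registry and e-mail address are assumed placeholders.
pipeline {
    agent { label 'linux' }   // build on an agent, not on the master

    environment {
        // Non-secret configuration only. NEVER put keys or passwords here:
        // environment values are visible in the job configuration, in the
        // console log and to every process on the agent.
        AWS_REGION   = 'eu-west-1'                                    // assumed
        ECR_REGISTRY = '123456789012.dkr.ecr.eu-west-1.amazonaws.com' // placeholder account ID
        // ANTI-PATTERN the slides warn about (do not do this):
        // AWS_ACCESS_KEY_ID     = 'AKIA...'
        // AWS_SECRET_ACCESS_KEY = '...'
    }

    stages {
        stage('Checkout') {
            steps {
                // An SSH deploy key held in the Credentials store and scoped to
                // this one repository, instead of a personal Git hosting password.
                git url: 'git@github.com:example-org/example-app.git',  // assumed repository
                    branch: 'main',
                    credentialsId: 'example-app-deploy-key'             // assumed credential ID
            }
        }

        stage('Build and push image') {
            steps {
                // Credentials Binding plugin: the secret is bound only inside this
                // block and is masked if it ever appears in the console output.
                // Better still, attach a least-privilege IAM role to the agent's
                // instance profile so that no long-lived key is stored at all.
                withCredentials([usernamePassword(credentialsId: 'ecr-push-user',   // assumed ID
                                                  usernameVariable: 'AWS_ACCESS_KEY_ID',
                                                  passwordVariable: 'AWS_SECRET_ACCESS_KEY')]) {
                    // Single-quoted script: the shell reads the variables, so the
                    // secret is never interpolated by Groovy into the command text.
                    sh '''
                        aws ecr get-login-password --region "$AWS_REGION" \
                          | docker login --username AWS --password-stdin "$ECR_REGISTRY"
                        docker build -t "$ECR_REGISTRY/example-app:$BUILD_NUMBER" .
                        docker push "$ECR_REGISTRY/example-app:$BUILD_NUMBER"
                    '''
                }
            }
        }
    }

    post {
        failure {
            // Notify on failure (Mailer plugin step); the address is assumed.
            mail to: 'ci-alerts@example.com',
                 subject: "FAILED: ${env.JOB_NAME} #${env.BUILD_NUMBER}",
                 body: "See ${env.BUILD_URL}"
        }
    }
}
```

The only things an attacker who reads the job configuration or console log would find here are the non-secret region and registry name; the deploy key and the ECR push credential live in the Credentials store and are exposed only to the single step that uses them.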
Jenkins best practices recommendations:
- Send notifications when a job fails
- Use parameterized builds instead of hard coding paths
- Avoid installing dependencies on the Jenkins build server
- In larger systems, don't build on a master
- Back up Jenkins home regularly
- Integrate Jenkins with your issue tracking system
- Archive unused jobs before removing them
- Avoid scheduling all jobs to start at the same time
Jenkins is a great tool and probably one of the most widely used CI solutions on the market. We need to make sure the necessary security checks are in place. If someone can use an exploit to gain access to your Jenkins, that is bad; but if your credentials are also stored in plain text, the result might be disastrous.
Please share your thoughts, and reach out to me if you want to know more about Security, DevOps, Digital Transformation, Containers, Cloud Computing and related technologies. I am reachable at ravish@loves.cloud.
