Thinking about Jenkins Security
Concepts and Practices for Security
DevSecOps and Security / Jenkins Admin
Wadeck Follonier, Mark Waite, Meg McRoberts
© 2019 All Rights Reserved. 3
Security Principles
• Know the system
• Least Privilege
▸Grant only required privileges
▸Open only required ports
• Defense in Depth
• Update your Software
▸Latest LTS
▸Latest Weekly
Is Jenkins Safe?
Charles Dyer, image of San Francisco safe, https://flic.kr/p/hMBVYi
Is Jenkins Safe? Answer: Part 1
• Jenkins is
▸Distributed code execution service
▸Remote code execution service
• Security is always a concern
▸Risk from connected components: services can be intrusion points
▸Risk from executed jobs: a Pipeline can run malicious code
Is Jenkins Safe? Answer: Part 2
• Many prevention facilities
• Good practices are good defense
• Jenkins security framework
• Courses dive deeper
What is Security?
Managing threats
• Unwarranted access
• Data theft
• Data damage
• Misuse of resources
Secure Your Information
Protecting Your Intellectual Property
• Your organization has information that is used to create value
• Information has value. Assure its
▸Confidentiality
▸Integrity
▸Availability
• Security practices protect your information
Don’t Run Malicious Code
• Jenkins is distributed execution
• Network connections are entry points
• Bad actors want your resources
▸Cryptocurrency miners
▸Distributed denial of service attacks
▸Bot networks
• Bad actors want to attack you
▸Malware attacks on your builds
▸Malware attacks on your products
What Needs to Be Secured?
• Access to Jenkins master and agents
• Communications between master & agents
• Artifacts
• Pipeline job definitions
• Source code
Jenkins Pipeline Execution
• Pipeline logic runs on master
• Malicious pipeline on a misconfigured Jenkins (for example, one that runs Pipeline scripts outside the Groovy sandbox) can:
▸Reconfigure Jenkins
▸Delete files
▸Launch attacks
▸Steal data
• Pipeline calls steps on master & agents
• Attacker could:
▸Run malicious code in build
▸Inject malicious code into build artifacts
Don’t Build on Master!
• Do not build on the Jenkins master
▸Set the master’s executor count to zero
• When a job must run on the master
▸Configure one master executor
▸Run the job
▸Remove the master executor
• Jobs on the master have access to the master file system and configuration
▸They run as the ‘jenkins’ user
▸They can read and write the configuration files in JENKINS_HOME, including the secrets that protect stored credentials
Static and Ephemeral Agents
Static Agents
• Advantages
▸Easy to provision
▸Persist indefinitely
▸Easy to configure
▸Predictable costs and allocation
• Disadvantages
▸Persist “indefinitely” (workspace contents, cached secrets and any compromise persist with them)
▸Costs when idling
▸Harder to scale
Ephemeral Agents
• Advantages
▸Single-use
▸Elastic allocation
▸No cost when idle
▸Easier to scale
• Disadvantages
▸Initial configuration is harder
▸Debugging is more difficult
Defense in Depth
Physical examples
• Company firewalls
• Network separation
• VPN access
• Reverse proxies
• DMZ
Defense in Depth
Application / Jenkins examples
• Credentials encryption
• Password hashing
• Sandboxing
• Authorization
Global Security Settings
• Jenkins defaults are secure
▸They close common intrusion paths
• Don’t disable the defaults
▸CSRF protection (the crumb issuer)
▸Markup formatting (the default formatter escapes HTML in user-supplied text)
▸Content Security Policy (restricts what files served from workspaces and archived artifacts can execute in the browser)
Key Security Concepts
• Authentication
• Who can access the system
• Authorization
• What can the authenticated user do
Authentication
• Active Directory
• LDAP
• Jenkins’ own user database
• OAuth
• SAML
• Kerberos
• None
Authorization
• Matrix-based security
• Project-based matrix security
• Role-based strategy
• Logged-in users can do anything
• Anyone can do anything
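An added example for the settings on the preceding slides (zero executors on the master, the global security defaults, the authentication realm and the authorization strategy). It is not code from the deck or from the Jenkins project; it is a read-only script for Manage Jenkins > Script Console that reports each setting that contradicts the slides. It uses Jenkins core classes only; the wording of the findings is this example’s own.

```groovy
// Added example for this deck, not code from Jenkins or its authors.
// Run in Manage Jenkins > Script Console (requires Overall/Administer).
// Read-only: it reports settings that contradict the slides; it changes nothing.
import jenkins.model.Jenkins
import hudson.security.AuthorizationStrategy
import hudson.security.FullControlOnceLoggedInAuthorizationStrategy
import hudson.security.SecurityRealm
import hudson.markup.EscapedMarkupFormatter

def j = Jenkins.get()
def findings = []

// "Don't build on master": the master's own executor count should be zero.
if (j.numExecutors > 0) {
    findings << "master has ${j.numExecutors} executor(s); jobs there run as the " +
                "jenkins user with access to everything in JENKINS_HOME"
}
// To apply the slide's advice (and to restore it after a one-off master job):
//   j.numExecutors = 0; j.save()

// Authentication: the "None" realm means nobody logs in at all.
if (j.securityRealm == SecurityRealm.NO_AUTHENTICATION) {
    findings << "security realm is None: no authentication"
}

// Authorization: the two strategies on the slide that give everyone everything.
def strategy = j.authorizationStrategy
if (strategy instanceof AuthorizationStrategy.Unsecured) {
    findings << "authorization strategy is 'Anyone can do anything'"
} else if (strategy instanceof FullControlOnceLoggedInAuthorizationStrategy) {
    def anon = strategy.allowAnonymousRead ? " (anonymous read is also allowed)" : ""
    findings << "authorization strategy is 'Logged-in users can do anything'${anon}"
}

// Global security defaults the slide says not to disable.
if (j.crumbIssuer == null) {
    findings << "CSRF protection is disabled (no crumb issuer configured)"
}
if (!(j.markupFormatter instanceof EscapedMarkupFormatter)) {
    findings << "markup formatter is ${j.markupFormatter.class.name}, not the " +
                "escaping default; confirm it sanitises user-supplied HTML"
}

// "Open only required ports": the TCP port for inbound agents.
// -1 is disabled, 0 is a random port, anything else is a fixed port.
int agentPort = j.slaveAgentPort
if (agentPort != -1) {
    findings << "inbound agent TCP port is enabled (${agentPort == 0 ? 'random' : agentPort}); " +
                "disable it unless inbound agents are in use, and firewall it if they are"
}

if (findings) {
    println "Findings (${findings.size()}):"
    findings.each { println "  - ${it}" }
} else {
    println "No findings for the settings this script checks"
}
return findings
```

The script only reads state, so it is safe to run repeatedly, for example after every upgrade or configuration change. Matrix, project-matrix and role-based strategies produce no finding here because they are the least-privilege options on the slide; what they grant still has to be reviewed by hand.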
Least Privilege
• Addition beats subtraction
▸Start every user, group and job with no permissions and add only what it needs; don’t start from full access and try to take permissions away
Jenkins Credentials: Trusted Access to Resources
• Usernames and passwords
• Private keys
• OAuth tokens
• Secret text
• Certificates
Use Jenkins Credentials – Don’t Embed Plaintext
• No passwords in source
• No private keys in source
• No authentication tokens in source
Jenkins Credentials - Examples
• Master to agent ssh authentication
• Source code ssh or https access
• Artifact storage
• Databases
• Deployment environments
Why Jenkins Credentials?
Stored securely, available in context
• Credentials as Jenkins resources
• Protected by Jenkins authorization matrix
▸Create, read, update, and delete permissions
• Stored where they are used
▸Store credentials in the folder containing the jobs that use them
▸Folder credentials are not available to jobs outside that folder (and its subfolders); global credentials are available to every job
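The credential slides above, as an added Jenkinsfile example that is not from the deck or the Jenkins project. It binds three kinds of stored Jenkins credentials (a username/password pair, an SSH private key and a secret text) to environment variables for the duration of one step, which is the alternative to pasting the password, key or token into the pipeline or the source tree. The credential IDs artifact-repo, deploy-key and api-token, the linux agent label and the example.com hosts are assumptions for illustration.

```groovy
// Added example Jenkinsfile (declarative Pipeline), not from the deck.
// Credential IDs, the agent label and the hosts are assumptions.
pipeline {
    // Never build on the master: pick an agent by label.
    agent { label 'linux' }
    stages {
        stage('Fetch and deploy') {
            steps {
                // Don't: the password lives in source control, in the job
                // definition and in the build log.
                //   sh "curl -u admin:hunter2 -o app.jar https://repo.example.com/app/app.jar"

                // Do: bind stored credentials for this block only. Jenkins
                // checks that the job is allowed to use each credential
                // (global, or in this job's folder or an ancestor folder).
                withCredentials([
                    // Username/password pair, bound to two environment variables
                    usernamePassword(credentialsId: 'artifact-repo',
                                     usernameVariable: 'REPO_USER',
                                     passwordVariable: 'REPO_PASS'),
                    // SSH private key written to a temporary file; DEPLOY_KEY is its path
                    sshUserPrivateKey(credentialsId: 'deploy-key',
                                      keyFileVariable: 'DEPLOY_KEY',
                                      usernameVariable: 'DEPLOY_USER'),
                    // Secret text, for example an API token
                    string(credentialsId: 'api-token', variable: 'API_TOKEN')
                ]) {
                    // Single-quoted Groovy string: the shell expands $VAR at run time.
                    // A double-quoted string would interpolate the secret into the
                    // command line, where it lands in the build log and in ps output.
                    // set +x stops the shell echoing the commands (the sh step runs
                    // with -x by default); Jenkins masks bound secrets in the log,
                    // but not every encoding of them.
                    sh '''
                        set +x
                        curl -fsS -u "$REPO_USER:$REPO_PASS" \
                             -o app.jar https://repo.example.com/app/app.jar
                        curl -fsS -H "Authorization: Bearer $API_TOKEN" \
                             -d @release.json https://api.example.com/releases
                        ssh -i "$DEPLOY_KEY" -o StrictHostKeyChecking=yes \
                            "$DEPLOY_USER@deploy.example.com" ./install.sh
                    '''
                }
                // Outside the block the variables are unset and the key file is removed.
            }
        }
    }
}
```

Because the credentials are resolved by ID at run time, the Jenkinsfile can be committed to source control without carrying any secret, and rotating a password or key is a change to the credential store rather than to every pipeline that uses it.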
Best Practices
Do these things
• Update the operating system
• Update Jenkins
• Update plugins
• Monitor security advisories
• Mailing list - subscribe to jenkinsci-advisories
• Review advisories – https://jenkins.io/security/advisories
• Resolve administrative monitor warnings shown in Manage Jenkins
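An added Script Console example, not from the deck or the Jenkins project, that turns the update advice above into a list for this instance: plugins for which the update site advertises a newer version, and administrative monitors that are currently raised (the security advisory monitor for installed plugins with published vulnerabilities and the new-core-version monitor both appear there). It uses Jenkins core APIs only.

```groovy
// Added example for this deck, not code from Jenkins or its authors.
// Run in Manage Jenkins > Script Console (requires Overall/Administer).
import jenkins.model.Jenkins
import hudson.model.AdministrativeMonitor

def j = Jenkins.get()
println "Jenkins core ${Jenkins.VERSION}"

// Plugins for which the configured update site advertises a newer version.
// hasUpdate() compares the installed version with the update-site metadata
// Jenkins last downloaded, so refresh the update centre first if the
// instance has been offline.
def stale = j.pluginManager.plugins.findAll { it.hasUpdate() }
stale.sort { it.shortName }.each { p ->
    println "plugin update available: ${p.shortName} ${p.version} -> ${p.updateInfo.version}"
}

// Administrative monitors that are enabled and currently raised. Disabled
// monitors are skipped on purpose: a monitor someone dismissed is still a
// finding for the admin, but it will not show in the UI either.
def raised = AdministrativeMonitor.all().findAll { it.enabled && it.activated }
raised.each { m -> println "administrative monitor: ${m.displayName} [${m.id}]" }

println "${stale.size()} plugin update(s), ${raised.size()} active administrative monitor(s)"
return [pluginUpdates: stale*.shortName, activeMonitors: raised*.id]
```

Run it after subscribing to jenkinsci-advisories: the advisory tells you which plugin is affected, and this list tells you whether that plugin is installed here and whether a fixed version is already offered.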
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
 
A Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdfA Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdf
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
 
RISE with SAP and Journey to the Intelligent Enterprise
RISE with SAP and Journey to the Intelligent EnterpriseRISE with SAP and Journey to the Intelligent Enterprise
RISE with SAP and Journey to the Intelligent Enterprise
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
 

Thinking about Jenkins Security

11. Jenkins Pipeline Execution
• Pipeline logic runs on the master
• A malicious pipeline on a misconfigured Jenkins can:
  ▸ Reconfigure Jenkins
  ▸ Delete files
  ▸ Launch attacks
  ▸ Steal data
• Pipeline calls steps on master & agents
• An attacker could:
  ▸ Run malicious code in the build
  ▸ Inject malicious code into build artifacts
12. Don't Build on Master!
• Do not build on the Jenkins master
• Configure zero executors on the master
• When a job must run on the master:
  ▸ Configure one master executor
  ▸ Run the job
  ▸ Remove the master executor
• Jobs on the master have access to the master file system and configuration
  ▸ They run as the 'jenkins' user, the same OS user as the Jenkins process itself
  ▸ They can read and write the configuration files in JENKINS_HOME, including the stored credentials and the secrets/ keys that encrypt them
13. Static and Ephemeral Agents
Static agents
• Advantages
  ▸ Easy to provision
  ▸ Persist indefinitely
  ▸ Easy to configure
  ▸ Predictable costs and allocation
• Disadvantages
  ▸ Persist “indefinitely”, so leftover build state (and any compromise) persists with them
  ▸ Costs when idling
  ▸ Harder to scale
Ephemeral agents
• Advantages
  ▸ Single-use
  ▸ Elastic allocation
  ▸ No cost when idle
  ▸ Easier to scale
• Disadvantages
  ▸ Initial configuration is harder
  ▸ Debugging is more difficult
14. Defense in Depth
Network and infrastructure examples
• Company firewalls
• Network separation
• VPN access
• Reverse proxies
• DMZ

15. Defense in Depth
Application / Jenkins examples
• Credentials encryption
• Password hashing
• Sandboxing of pipeline Groovy (Script Security)
• Authorization
16. Global Security Settings
• Jenkins' defaults are secure: since Jenkins 2.0 the setup wizard turns security on out of the box
• The defaults close common intrusion paths
• Don't disable the defaults:
  ▸ CSRF protection (a crumb is required on every state-changing request)
  ▸ Markup formatting (plain text, or sanitised "Safe HTML", for user-entered descriptions)
  ▸ Content Security Policy (applied to files Jenkins serves from workspaces and archived artifacts)
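The settings on slides 12 and 16 can be checked offline against a copy of $JENKINS_HOME/config.xml, for example from a backup, before anyone decides to "just disable" one of them. The script below is an added example written for this page, not code from the slides or from the Jenkins project. The two config.xml samples are constructed; the element and class names it looks for (numExecutors, useSecurity, authorizationStrategy, securityRealm, crumbIssuer, markupFormatter, slaveAgentPort) are the ones Jenkins 2.x writes.

```python
"""Offline audit of a Jenkins controller config.xml.

Checks: no executors on the master, security enabled, an authorization
strategy other than "anyone / logged-in users can do anything", no
self-signup in Jenkins' own user database, CSRF crumbs enabled, a safe
markup formatter, and no randomly chosen inbound agent port.
Added example for this page; it is not part of Jenkins.
"""
import sys
import xml.etree.ElementTree as ET

# Formatters from Jenkins core / the antisamy-markup-formatter plugin that
# never render arbitrary user-supplied HTML.
SAFE_MARKUP = {
    "hudson.markup.EscapedMarkupFormatter",   # "Plain text" (Jenkins default)
    "hudson.markup.RawHtmlMarkupFormatter",   # "Safe HTML": sanitised by OWASP AntiSamy
}


def audit_controller_config(xml_text):
    """Return a list of (code, message) findings for one config.xml document."""
    root = ET.fromstring(xml_text)
    findings = []

    def text(path, default=None):
        el = root.find(path)
        return el.text.strip() if el is not None and el.text else default

    def klass(path):
        el = root.find(path)
        return el.get("class", "") if el is not None else ""

    executors = text("numExecutors")
    if executors is None or int(executors) > 0:
        findings.append(("EXECUTORS_ON_MASTER",
                         f"numExecutors={executors!r}: builds can run on the master; set it to 0"))

    if text("useSecurity") != "true":
        findings.append(("SECURITY_DISABLED", "useSecurity is not true"))

    strategy = klass("authorizationStrategy")
    if strategy.endswith("AuthorizationStrategy$Unsecured"):
        findings.append(("ANYONE_CAN_DO_ANYTHING", f"authorizationStrategy={strategy}"))
    elif strategy.endswith("FullControlOnceLoggedInAuthorizationStrategy"):
        findings.append(("LOGGED_IN_CAN_DO_ANYTHING", f"authorizationStrategy={strategy}"))
        if text("authorizationStrategy/denyAnonymousReadAccess") != "true":
            findings.append(("ANONYMOUS_READ", "anonymous users can read jobs and builds"))

    realm = klass("securityRealm")
    if realm.endswith("SecurityRealm$None"):
        findings.append(("NO_AUTHENTICATION", "securityRealm is None: no login at all"))
    elif realm.endswith("HudsonPrivateSecurityRealm") and text("securityRealm/disableSignup") != "true":
        findings.append(("SELF_SIGNUP", "anyone can create an account in Jenkins' own user database"))

    # With CSRF protection on, Jenkins writes a <crumbIssuer> element; with it
    # off, the element is simply absent.
    if root.find("crumbIssuer") is None:
        findings.append(("CSRF_OFF", "no crumbIssuer: CSRF protection is disabled"))

    formatter = klass("markupFormatter") or "hudson.markup.EscapedMarkupFormatter"
    if formatter not in SAFE_MARKUP:
        findings.append(("MARKUP_FORMATTER", f"markupFormatter={formatter} is not a known safe formatter"))

    # -1 disables the inbound (TCP/JNLP) agent port, 0 picks a random port on
    # every start, any other value is a fixed port that can be firewalled.
    if text("slaveAgentPort") == "0":
        findings.append(("RANDOM_AGENT_PORT", "slaveAgentPort=0: a random port cannot be firewalled; fix or disable it"))
    return findings


# Constructed samples, not taken from a real controller (XML declaration omitted).
WEAK_CONFIG = """<hudson>
  <numExecutors>2</numExecutors>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>false</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
  </securityRealm>
  <markupFormatter class="hudson.markup.EscapedMarkupFormatter"/>
  <slaveAgentPort>0</slaveAgentPort>
</hudson>"""

HARDENED_CONFIG = """<hudson>
  <numExecutors>0</numExecutors>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:alice</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
  <crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer">
    <excludeClientIPFromCrumb>false</excludeClientIPFromCrumb>
  </crumbIssuer>
  <markupFormatter class="hudson.markup.EscapedMarkupFormatter"/>
  <slaveAgentPort>-1</slaveAgentPort>
</hudson>"""

if __name__ == "__main__":
    # Usage: python audit_config.py /backup/jenkins_home/config.xml  (no argument: run on the samples)
    docs = [open(sys.argv[1]).read()] if len(sys.argv) > 1 else [WEAK_CONFIG, HARDENED_CONFIG]
    for doc in docs:
        for code, msg in audit_controller_config(doc) or [("OK", "no findings")]:
            print(f"{code:28} {msg}")
        print()
```

Run against a backup rather than the live JENKINS_HOME so the audit itself needs no access to the controller; the weak sample produces six findings, the hardened one none.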
17. Key Security Concepts
• Authentication
  ▸ Who can access the system
• Authorization
  ▸ What the authenticated user can do
18. Authentication (security realms)
• Active Directory
• LDAP
• Jenkins' own user database
• OAuth
• SAML
• Kerberos
• None (no login at all; only acceptable on a throwaway test instance)
21. Authorization
• Matrix-based security
• Project-based matrix security
• Role-based strategy
• Logged-in users can do anything
• Anyone can do anything
The last two hand full control to every (logged-in) user, so they cannot express least privilege.
24. Least Privilege
• Addition beats subtraction
  ▸ Start from no permissions and add only the ones a user or group needs; don't start from full control and try to take things away
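The matrix entries written by the Matrix Authorization Strategy plugin (slides 21 and 24) can be reviewed offline the same way as the global settings. The script below is an added example for this page, not code from the plugin: it parses the <permission> entries from config.xml, computes what a request effectively holds under the additive model the slide describes (nothing by default, Administer implies everything), and flags grants to the special anonymous and authenticated sids that amount to code execution. The entry format assumed is "permission id, colon, sid" with the optional USER:/GROUP: prefix that matrix-auth 3.x adds, and the sample matrix is constructed.

```python
"""Least-privilege review of a Jenkins matrix authorization strategy, offline.

Entries in config.xml look like
    <permission>hudson.model.Item.Build:developers</permission>         (matrix-auth 2.x)
    <permission>GROUP:hudson.model.Item.Build:developers</permission>   (matrix-auth 3.x)
Added example for this page, not code from the matrix-auth plugin.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

ADMINISTER = "hudson.model.Hudson.Administer"
# Anything here lets the holder define or change what Jenkins executes.
CODE_EXEC = {ADMINISTER, "hudson.model.Hudson.RunScripts",
             "hudson.model.Item.Configure", "hudson.model.Item.Create"}
READ_ONLY = {"hudson.model.Hudson.Read", "hudson.model.Item.Read",
             "hudson.model.View.Read"}


def parse_grants(xml_text):
    """Return {sid: set(permission ids)} from every <permission> element."""
    grants = defaultdict(set)
    for el in ET.fromstring(xml_text).iter("permission"):
        parts = el.text.strip().split(":")
        if parts[0] in ("USER", "GROUP", "EITHER"):   # matrix-auth 3.x type prefix
            parts = parts[1:]
        permission, sid = parts[0], ":".join(parts[1:])
        grants[sid].add(permission)
    return dict(grants)


def effective(grants, principals):
    """Permissions a request holds: the union of the grants to each of its sids
    (the user name, 'authenticated' for any logged-in user, group names).
    Nothing is held by default, which is why addition beats subtraction;
    Administer implies every other permission."""
    held = set()
    for sid in principals:
        held |= grants.get(sid, set())
    return {"*"} if ADMINISTER in held else held


def is_allowed(grants, principals, permission):
    held = effective(grants, principals)
    return "*" in held or permission in held


def review(grants):
    """Findings on the two sids that every (or every logged-in) user carries."""
    findings = []
    for sid, perms in grants.items():
        if sid == "anonymous":
            if perms - READ_ONLY:
                findings.append(("ANONYMOUS_WRITE", sorted(perms - READ_ONLY)))
            else:
                findings.append(("ANONYMOUS_READ", sorted(perms)))
        elif sid == "authenticated" and perms & CODE_EXEC:
            findings.append(("AUTHENTICATED_CODE_EXEC", sorted(perms & CODE_EXEC)))
    return findings


def administrators(grants):
    return sorted(sid for sid, perms in grants.items() if ADMINISTER in perms)


# Constructed sample. The line granting Job/Configure to 'authenticated' is the
# least-privilege violation: any account can then define a pipeline, i.e. run code.
SAMPLE_MATRIX = """<hudson>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>USER:hudson.model.Hudson.Administer:alice</permission>
    <permission>GROUP:hudson.model.Hudson.Read:authenticated</permission>
    <permission>GROUP:hudson.model.Item.Read:authenticated</permission>
    <permission>GROUP:hudson.model.Item.Configure:authenticated</permission>
    <permission>GROUP:hudson.model.Item.Build:developers</permission>
    <permission>GROUP:hudson.model.Item.Read:developers</permission>
    <permission>USER:hudson.model.Hudson.Read:anonymous</permission>
  </authorizationStrategy>
</hudson>"""

if __name__ == "__main__":
    grants = parse_grants(SAMPLE_MATRIX)
    print("administrators:", administrators(grants))
    for code, detail in review(grants):
        print(code, detail)
    # bob is a logged-in member of 'developers'; carol is logged in but in no group.
    for who, principals in (("bob", ["bob", "authenticated", "developers"]),
                            ("carol", ["carol", "authenticated"])):
        print(who, "build:", is_allowed(grants, principals, "hudson.model.Item.Build"),
              "delete:", is_allowed(grants, principals, "hudson.model.Item.Delete"))
```

Removing the single authenticated/Configure line from the sample clears the code-execution finding while bob keeps his build permission through the developers group, which is the "add what is needed" direction the slide recommends.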
25. Jenkins Credentials
Trusted Access to Resources
• Usernames and passwords
• Private keys
• OAuth tokens
• Secret text
• Certificates
26. Use Jenkins Credentials – Don't Embed Plaintext
• No passwords in source
• No private keys in source
• No authentication tokens in source
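A check for the three "not in source" rules above is easy to run in a pre-commit hook or as its own pipeline stage. The scanner below is an added example for this page, not a Jenkins feature: a handful of regular expressions over a Jenkinsfile or build script, written narrowly enough that the withCredentials() binding syntax (which names variables, not values) does not trigger them. The sample Jenkinsfile is constructed; the AWS key in it is the key AWS uses in its own documentation, not a live credential.

```python
"""Scan a Jenkinsfile (or any build script) for embedded plaintext secrets.

Added example for this page; the rules are ordinary regular expressions, not a
Jenkins feature, and the sample Jenkinsfile is constructed.
"""
import re
import sys

# (rule name, compiled pattern). Kept narrow so that credential *bindings* such
# as passwordVariable: 'REG_PASS' or credentialsId: 'api-token' do not fire.
RULES = [
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY-----")),
    ("hardcoded-assignment",
     re.compile(r"(?i)(?:password|passwd|secret|token|api[_-]?key)\s*[:=]\s*['\"][^'\"]{4,}['\"]")),
    ("basic-auth-flag", re.compile(r"(?:^|\s)-u\s+['\"]?[^\s:'\"]+:[^\s'\"]+")),
    ("url-embedded-credentials", re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@")),
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("github-token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b")),
]


def scan_text(text, source="<text>"):
    """Return [(source, line_no, rule, matched_text)] for every rule hit."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            m = pattern.search(line)
            if m:
                hits.append((source, line_no, rule, m.group(0).strip()))
    return hits


def scan_file(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read(), path)


# Constructed sample: three violations (lines 4, 5 and 10) and one correct use of
# a Jenkins credential (lines 11-13) that must not be flagged.
SAMPLE_JENKINSFILE = """pipeline {
  agent { label 'linux' }
  environment {
    DB_PASSWORD = 'hunter2-prod'                   // plaintext in source
    AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'     // AWS documentation example key
  }
  stages {
    stage('Deploy') {
      steps {
        sh 'curl -u deploy:s3cret https://artifacts.example.com/upload'
        withCredentials([usernamePassword(credentialsId: 'registry-login',
                         usernameVariable: 'REG_USER', passwordVariable: 'REG_PASS')]) {
          sh 'docker login -u "$REG_USER" -p "$REG_PASS" registry.example.com'
        }
      }
    }
  }
}"""

if __name__ == "__main__":
    # Usage: python secret_scan.py Jenkinsfile [more files...]; exit status 1 on any hit
    hits = ([h for p in sys.argv[1:] for h in scan_file(p)] if sys.argv[1:]
            else scan_text(SAMPLE_JENKINSFILE, "Jenkinsfile"))
    for source, line_no, rule, snippet in hits:
        print(f"{source}:{line_no}: {rule}: {snippet}")
    sys.exit(1 if hits else 0)
```

The non-zero exit status is what makes it usable as a gate; the docker login line shows the shape that passes, with the values supplied at run time by Jenkins from a stored credential rather than written into the file.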
27. Jenkins Credentials - Examples
• Master to agent ssh authentication
• Source code ssh or https access
• Artifact storage
• Databases
• Deployment environments
28. Why Jenkins Credentials?
Stored securely, available in context
• Credentials are Jenkins resources
  ▸ Protected by the Jenkins authorization matrix
  ▸ Separate Create, View, Update, Delete (and ManageDomains) permissions
• Stored where they are used
  ▸ Store credentials in the folder containing the jobs that use them
  ▸ Not available to jobs outside the folder
29. Best Practices
Do these things
• Update the operating system
• Update Jenkins
• Update plugins
• Monitor security advisories
  ▸ Mailing list: subscribe to jenkinsci-advisories
  ▸ Review advisories at https://jenkins.io/security/advisories
• Resolve administrative monitor warnings (Manage Jenkins flags installed core and plugin versions that have a published advisory)
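The administrative monitor mentioned above compares installed versions with the warnings list in the Jenkins update center. The same comparison can be run outside Jenkins, for instance against a backup of the plugins directory or in an audit pipeline. The script below is an added example for this page, not Jenkins code. Its assumptions: every $JENKINS_HOME/plugins/<name>.jpi (or .hpi) archive carries META-INF/MANIFEST.MF with Short-Name and Plugin-Version headers, and update-center.actual.json has a top-level "warnings" list whose entries have "type", "name", "id", "url" and a "versions" list of {"pattern": regex-over-the-version-string}. The WARNINGS sample is constructed and names a fictional plugin and fictional advisory ids.

```python
"""Match installed Jenkins plugin (and core) versions against the security
warnings published by the update center.

Added example for this page, not Jenkins code; see the assumptions in the
lead-in. The WARNINGS sample below is constructed.
"""
import json
import re
import sys
import zipfile
from pathlib import Path

UPDATE_CENTER_URL = "https://updates.jenkins.io/update-center.actual.json"


def parse_manifest(raw):
    """Return {header: value} from a JAR manifest, joining continuation lines
    (a manifest wraps long values onto following lines that start with a space)."""
    headers, last = {}, None
    for line in raw.decode("utf-8", errors="replace").splitlines():
        if line.startswith(" ") and last:
            headers[last] += line[1:]
        elif ":" in line:
            last, _, value = line.partition(":")
            headers[last] = value.strip()
    return headers


def installed_plugins(plugins_dir):
    """{short-name: version} for every .jpi/.hpi archive in a plugins directory."""
    found = {}
    for archive in sorted(Path(plugins_dir).glob("*.[jh]pi")):
        with zipfile.ZipFile(archive) as jar:
            mf = parse_manifest(jar.read("META-INF/MANIFEST.MF"))
        found[mf.get("Short-Name", archive.stem)] = mf.get("Plugin-Version", "")
    return found


def affected(warnings, installed, core_version=None):
    """Return [(warning id, name, version, url)] for every plugin (and core)
    whose installed version fully matches one of a warning's version patterns."""
    hits = []
    for w in warnings:
        if w.get("type") == "plugin":
            version = installed.get(w.get("name"))
        elif w.get("type") == "core":
            version = core_version
        else:
            continue
        if version is None:
            continue
        if any(re.fullmatch(v["pattern"], version) for v in w.get("versions", [])):
            hits.append((w.get("id"), w.get("name"), version, w.get("url")))
    return hits


# Constructed sample: a fictional plugin and fictional advisory ids. The core
# entry simply declares every 1.x release affected (all of them are long unsupported).
WARNINGS = [
    {"id": "SECURITY-EXAMPLE-1", "type": "plugin", "name": "example-widget",
     "message": "constructed sample warning",
     "url": "https://jenkins.io/security/advisories",
     "versions": [{"lastVersion": "1.4", "pattern": r"1[.][0-4](|[.].*)"}]},
    {"id": "SECURITY-EXAMPLE-2", "type": "core", "name": "core",
     "message": "constructed sample warning",
     "url": "https://jenkins.io/security/advisories",
     "versions": [{"lastVersion": "1.651.3", "pattern": r"1[.][0-9]+(|[.].*)"}]},
]

if __name__ == "__main__":
    # Usage: python plugin_warnings.py $JENKINS_HOME/plugins [update-center.actual.json]
    # Download the real warnings file separately from UPDATE_CENTER_URL; without it
    # (and without a plugins directory) the constructed sample data is used.
    installed = installed_plugins(sys.argv[1]) if len(sys.argv) > 1 else {"example-widget": "1.3.1"}
    warnings = json.load(open(sys.argv[2]))["warnings"] if len(sys.argv) > 2 else WARNINGS
    for wid, name, version, url in affected(warnings, installed, core_version="1.651.3"):
        print(f"{wid}: {name} {version} is affected, see {url}")
```

Patterns in the update center are Java regular expressions matched against the whole version string, which is why the code uses re.fullmatch; the simple ones translate to Python unchanged.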
30. Best Practices
Do these things
• Apply Updates
35. CloudBees Continuous Delivery Products and Services
• DevOptics: Software Delivery Visibility & Insights
• Core: Unified Software Delivery & Governance
• CodeShip: CI/CD as a Service
• Flow: Adaptive Release Orchestration
• Rollout: Feature Flag Management
• Jenkins: CloudBees Jenkins Distribution, CloudBees Jenkins X Distribution
• DevOps Excellence: 24x7 Technical Support, Assisted Updates, Support Accelerator, Training, Customer Success Managers, DevOps Consultants