Securing the container DevOps pipeline
Adoption of container technology has surged thanks to the standardisation and usability that followed the open-sourcing of Docker and, subsequently, the Open Container Initiative (OCI). Many DevOps practitioners and organisations leverage the portability and agility provided by containers in their CI/CD pipelines.
With the rise of the automation capabilities and technologies that manage this pipeline, it is critical to make sure that every aspect of a container's content and delivery is secure. Where did the container come from? Is it signed? Can we authenticate it? What's inside? Answering these questions also needs to be automated to ensure the steady and secure deployment of mission-critical containers onto the container platform. It is equally important that proper audit and forensics capabilities are enabled to help pinpoint vulnerabilities during or after an incident.
This talk looks at current CI/CD pipelines for container deployment and discusses the areas where DevSecOps practitioners should focus. Much of today's tooling comes from popular open source projects, which has many benefits. But managing all of these tools so that they work together, and do so securely, can consume a lot of time and can introduce vulnerabilities of its own. How do we secure the software supply chain and the assets moving through that pipeline?