Milecia McGregor

Securing Your Web Application Pipeline From Intruders

Is your CI/CD pipeline an open door for intruders? Learn to automate security at every stage and transform your pipeline into a fortress.

Securing Your Web Application Pipeline From Intruders
#1about 4 minutes

Establishing foundational CI/CD best practices

Following key principles like small build sizes, environment parity, and local testing creates a reliable foundation before adding security layers.

#2about 5 minutes

Why developers often overlook CI/CD security

Developers often neglect pipeline security due to time constraints, conflicting priorities, and general unfamiliarity with CI/CD configuration languages like YAML.

#3about 5 minutes

Understanding common intruder attack vectors

Intruders exploit vulnerabilities by using open-source tools, finding misconfigurations, scanning for open ports, and leveraging known package security flaws.

#4about 3 minutes

Integrating automated security tools in the build phase

Use Static Application Security Testing (SAST) tools like OWASP Dependency-Check and Snyk to scan for package vulnerabilities early in the build process.

#5about 5 minutes

Applying security tools in test and delivery phases

Leverage DAST tools like OWASP ZAP in the test phase and compliance tools like Chef InSpec in the delivery phase to catch dynamic vulnerabilities.

#6about 2 minutes

Securing applications in the production environment

Utilize bug bounty programs like HackerOne and Bugcrowd for continuous security testing in production, but use automated tools with caution to avoid impacting performance.

#7about 7 minutes

Essential manual security practices for your pipeline

Implement crucial security habits such as managing user permissions, closing unused ports, encrypting all data, and regularly checking against the OWASP Top 10.

#8about 7 minutes

Code examples for integrating security scans

See practical examples of how to add a Snyk security scan step into the configuration files for CircleCI, Conductor, and Travis CI.

#9about 3 minutes

Key takeaways for securing your application pipeline

Prioritize keeping secrets out of version control, routinely audit CI/CD configurations, patch known vulnerabilities promptly, and explore attacker tools to improve your defenses.

Related jobs
Jobs that call for the skills explored in this talk.

Matching moments

Preventing exposed API keys in AI-assisted development
03:45 MIN

Preventing exposed API keys in AI-assisted development

Slopquatting, API Keys, Fun with Fonts, Recruiters vs AI and more - The Best of LIVE 2025 - Part 2

The security risks of AI-generated code and slopsquatting
05:55 MIN

The security risks of AI-generated code and slopsquatting

Slopquatting, API Keys, Fun with Fonts, Recruiters vs AI and more - The Best of LIVE 2025 - Part 2

Malware campaigns, cloud latency, and government IT theft
01:06 MIN

Malware campaigns, cloud latency, and government IT theft

Fake or News: Self-Driving Cars on Subscription, Crypto Attacks Rising and Working While You Sleep - Théodore Lefèvre

Comparing the security models of browsers and native apps
05:01 MIN

Comparing the security models of browsers and native apps

Developer Time Is Valuable - Use the Right Tools - Kilian Valkhof

Prompt injection as an unsolved AI security problem
07:39 MIN

Prompt injection as an unsolved AI security problem

AI in the Open and in Browsers - Tarek Ziadé

Improving the developer feedback loop with specialized tools
03:16 MIN

Improving the developer feedback loop with specialized tools

Developer Time Is Valuable - Use the Right Tools - Kilian Valkhof

The security challenges of building AI browser agents
06:33 MIN

The security challenges of building AI browser agents

AI in the Open and in Browsers - Tarek Ziadé

Technical challenges of shipping a cross-platform browser
09:38 MIN

Technical challenges of shipping a cross-platform browser

Developer Time Is Valuable - Use the Right Tools - Kilian Valkhof

Featured Partners

Related Videos

See all videos
Enabling automated 1-click customer deployments with built-in quality and security44:40

Enabling automated 1-click customer deployments with built-in quality and security

Christoph Ruggenthaler

Real-World Security for Busy Developers29:50

Real-World Security for Busy Developers

Kevin Lewis

What The Hack is Web App Sec?24:01

What The Hack is Web App Sec?

Jackie

DevSecOps: Injecting Security into Mobile CI/CD Pipelines45:08

DevSecOps: Injecting Security into Mobile CI/CD Pipelines

Moataz Nabil

Walking into the era of Supply Chain Risks37:36

Walking into the era of Supply Chain Risks

Vandana Verma

Supply Chain Security and the Real World: Lessons From Incidents24:47

Supply Chain Security and the Real World: Lessons From Incidents

Adrian Mouat

Practical tips and tricks for CI/CD success50:28

Practical tips and tricks for CI/CD success

Zan Markan

Why Security-First Development Helps You Ship Better Software Faster22:18

Why Security-First Development Helps You Ship Better Software Faster

Michael Wildpaner

Related Articles

View all articles
CH
Chris Heilmann
Dev Digest 138 - Are you secure about this?
Hello there! This is the 2nd "out of the can" edition of 3 as I am on vacation in Greece eating lovely things on the beach. So, fewer news, but lots of great resources. Many around the topic of security. Enjoy! News and ArticlesGoogle Pixel phones t...
Dev Digest 138 - Are you secure about this?
DC
Daniel Cranney
Dev Digest 194: AI vs. Version Control, Password Louvre & Cursed Webdev
Inside last week’s Dev Digest 194 . 🧠 Learn how to become an AI-native software engineer 🤷‍♂️ How can you stand out when anyone can build anything? 👂 Whisper Leak allows listening to encrypted chats 🐝 What’s new the OWASP2025 Top Ten List 🙅‍♀️ Curse...
Dev Digest 194: AI vs. Version Control, Password Louvre & Cursed Webdev

From learning to earning

Jobs that call for the skills explored in this talk.

DevSecOps

DevSecOps

Xebia
Retortillo de Soria, Spain

GIT
Terraform
Continuous Integration
Amazon Web Services (AWS)