• DocumentCode
    727407
  • Title
    Securing a Deployment Pipeline
  • Author
    Bass, Len ; Holz, Ralph ; Rimba, Paul ; Tran, An Binh ; Liming Zhu
  • Author_Institution
    Software Syst. Res. Group, NICTA, Sydney, NSW, Australia
  • fYear
    2015
  • fDate
    19-19 May 2015
  • Firstpage
    4
  • Lastpage
    7
  • Abstract
    At the RELENG 2014 Q&A, the question was asked, “What is your greatest concern?” and the response was “someone subverting our deployment pipeline”. That is the motivation for this paper. We explore what it means to subvert a pipeline and provide several different scenarios of subversion. We then focus on the issue of securing a pipeline. As a result, we provide an engineering process that is based on having trusted components mediate access to sensitive portions of the pipeline from other components, which can remain untrusted. Applying our process to a pipeline we constructed involving Chef, Jenkins, Docker, GitHub, and AWS, we find that some aspects of our process result in easy-to-make changes to the pipeline, whereas others are more difficult. Consequently, we have developed a design that hardens the pipeline, although it does not yet completely secure it.
  • Keywords
    security of data; trusted computing; deployment pipeline security; engineering process; trusted components; Analytical models; Permission; Pipelines; Software; Supply chains; DevOps; continuous deployment; supply chain;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Release Engineering (RELENG), 2015 IEEE/ACM 3rd International Workshop on
  • Conference_Location
    Florence
  • Type
    conf
  • DOI
    10.1109/RELENG.2015.11
  • Filename
    7169443