Managing security in Jenkins with
Configuration-as-Code and roles
Oleg Nenashev
CloudBees, Inc.
Belarus Jenkins Meetup
Minsk, July 29, 2017
@oleg_nenashev, #jenkinsBY © 2017 CloudBees, Inc. All Rights Reserved. 2
About me
@oleg_nenashev
oleg-nenashev
LibreCores project
St. Petersburg Polytechnic University
Jenkins meetups
Oleg’s “Hall of Shame” (c)
• Plugins
• Jenkins Core
• Windows Service Wrapper
• Remoting
• Security
About you
Agenda
•Introduction to Jenkins Security
•System Configuration-as-Code in Jenkins
•Ownership-based security
•Live Demos
Disclaimer:
• The presentation represents the author’s personal opinion
• The author’s personal opinion may differ from official positions of CloudBees and/or the Jenkins community
• Many Jenkins instances were harmed, use carefully
Who is Mr. Jenkins?
https://jenkins.io
1. Most popular CI/CD tool in the world
2. Generic automation server
3. Flexible and extensible
4. It’s open source, big community
5. Commercial support vendors
6. …
Jenkins is a… remote execution engine (by design)
• One can run code and system commands
• Access to master system
• Access to agents
• Access to private/public clouds
Jenkins… has access to sensitive data (by design)
• Credentials
• Private repositories
• Artifacts, including release ones
Jenkins is a… service (by design)
• Multiple users
• Different expertise
• Users may misuse permissions
What does security mean?
Jenkins security:
• Intrusion and data theft protection
• Restrictions within organization
What does security mean? Intrusion and data theft protection:
• Must-have in internet-facing instances
• Paranoid mode is fine
What does security mean? Restrictions within organization:
• Better user experience
• Protection from unintentional actions
• Protection from lack of expertise
Protecting Jenkins instance. Basic Rules
Rule #0. Use security!
• Limited number of admins
• Permissions
• Security audit
• Security Team
• Fixes in Jenkins core and plugins
• https://jenkins.io/security/
Jenkins project structure (diagram): Board; Core Team; Security; LTS; Events; INFRA; Website
Rule #1. Keep Updating
• Frequent security releases
  • Weekly
  • Current LTS baseline
• Info sources
  • https://jenkins.io/security/advisories/
  • jenkinsci-advisories mailing list (including announcements)
  • RSS feed
Callout: 2.46.2. Exploits are in the wild, update ASAP
LTS is only 3 months…
• Not enough?
• Build your own core (custom fork)
  • HINT: Join the security team to get info about changes in advance
• Use custom versions from vendors:
  • https://wiki.jenkins-ci.org/display/JENKINS/Commercial+Support
  • CloudBees Jenkins Enterprise
Do you pull latest images from DockerHub?
• What’s inside?
• Who can change them?
• What if there is malicious code?
• How is it different from other package sources?
Rule #2. Know what you use
Monitor plugin versions and release notes
• Beware of transitive dependencies (!)
• Also monitor JIRA
Consider using locally managed sources
• Internal Maven
• Docker Registry
• Custom Jenkins Update Center: Juseppe
  • https://github.com/yandex-qatools/juseppe
Use static configurations
• Configuration-as-Code
Configuration as Code in Jenkins
• Jobs
• System Configurations
System Configurations… as Code (just examples…)
External tools:
• Jenkins CLI and REST API
• python-jenkins
• jenkins-client (java)
• Configuration Management: Ansible, Chef, …
• Docker, Docker Compose, ...
Solutions in Jenkins:
• Groovy Boot Hooks
• System Config DSL (alpha)
• Scriptler Plugin (marked Insecure)
• SCM Sync Configuration (marked Unstable)
Groovy Hooks
• Universal solution
• Hooks on startup events
  • init, boot-failure
• Scripts
  • WEB-INF/HOOK.groovy in jenkins.war
  • WEB-INF/HOOK.groovy.d/*.groovy in jenkins.war
  • $JENKINS_HOME/HOOK.groovy
  • $JENKINS_HOME/HOOK.groovy.d/*.groovy in lexical order
https://wiki.jenkins-ci.org/display/JENKINS/Groovy+Hook+Script
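An init hook of the kind listed above, added here as an example (it is not the demo image's own script), that applies Rule #0 (use security, limited number of admins), Rule #3 (agent-to-master access control) and Rule #4 (no executors on master) on every startup. It assumes the matrix-auth plugin is installed and that the admin credentials arrive in the JENKINS_ADMIN_USER and JENKINS_ADMIN_PASSWORD environment variables; both variable names and the file name are this example's own choice.

```groovy
// $JENKINS_HOME/init.groovy.d/10-security.groovy (added example, not the demo's own hook).
// Runs on every boot after plugins are loaded. Assumes the matrix-auth plugin is installed
// and that JENKINS_ADMIN_USER / JENKINS_ADMIN_PASSWORD are provided by the environment,
// so the secret never lives in the versioned hook itself.
import jenkins.model.Jenkins
import hudson.security.HudsonPrivateSecurityRealm
import hudson.security.GlobalMatrixAuthorizationStrategy
import jenkins.security.s2m.AdminWhitelistRule

def jenkins = Jenkins.getInstance()
def env = System.getenv()

String adminUser = env['JENKINS_ADMIN_USER'] ?: 'admin'
String adminPass = env['JENKINS_ADMIN_PASSWORD']
if (!adminPass) {
    // Fail loudly: a hook that silently skips would leave the instance unsecured (Rule #0).
    throw new IllegalStateException(
        'JENKINS_ADMIN_PASSWORD is not set; refusing to configure an unsecured Jenkins')
}

// Rule #0: use security. Local user database, self-signup disabled, one admin created here.
def realm = new HudsonPrivateSecurityRealm(false)
if (realm.getAllUsers().isEmpty()) {
    // First boot only: calling createAccount again would reset the password on every restart.
    realm.createAccount(adminUser, adminPass)
}
jenkins.setSecurityRealm(realm)

// Limited number of admins: a single ADMINISTER grant. Everyone else who logs in gets
// read-only access and must be granted more explicitly.
// GlobalMatrixAuthorizationStrategy.add(Permission, String) is the matrix-auth 1.x/2.x API.
def strategy = new GlobalMatrixAuthorizationStrategy()
strategy.add(Jenkins.ADMINISTER, adminUser)
strategy.add(Jenkins.READ, 'authenticated')
jenkins.setAuthorizationStrategy(strategy)

// Rule #3: keep the master sandboxed from its agents (agent-to-master access control on).
jenkins.getInjector().getInstance(AdminWhitelistRule.class).setMasterKillSwitch(false)

// Rule #4: no executors on master, so builds land only on agents running under other accounts.
jenkins.setNumExecutors(0)

jenkins.save()
println 'init hook: security realm, authorization strategy and master executors configured'
```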
Demo: https://hub.docker.com/r/onenashev/demo-jenkins-config-as-code/
Groovy Hooks. Is it enough?
Rule #3. Keep Jenkins in a sandbox
Do not run masters/agents under system accounts
Restrict access to non-required resources
• Generic accounts
• Read-only repositories
Sandbox your scripts as well
Scryptocalypse
https://jenkins.io/security/advisory/2017-04-10/
• Unlimited scripting
• More than 30 plugins affected
  • Groovy Plugin
  • JobDSL Plugin
  • Grails Plugin
  • Scriptler Plugin
• Some of them are blocked
DIY
Jenkins Script Security: https://plugins.jenkins.io/script-security
Script Security Plugin
Used in [almost] all Groovy plugins
https://plugins.jenkins.io/script-security
Is it enough to become secure?
Rule #4. Do not Run Jobs on master
• Builds have access to the master filesystem
• They can…
  • Read data from other builds/artifacts
  • Read secret hashes
  • Modify Jenkins system configuration
  • …
• You don’t want that
Rule #4. Do not Run Jobs on master
• Solution 1:
  • Set “0” executors on master
  • Another node running under a different account
  • BUT: does not protect from fly-weight tasks
• Solution 2:
  • Job Restrictions Plugin
  • Details: later
Rule #5. Do not trust your builds
• By default builds run with the SYSTEM account
• Users may trigger wrong builds
• Users can extract data
Authorize Project Plugin
https://plugins.jenkins.io/authorize-project
Authorize builds
• Global default
• Whitelist of user-configurable strategies
• Job properties
Rule #6. Audit your security
• Audit Trail – logging of actions
  • https://plugins.jenkins.io/audit-trail
• Security Inspector – permission checks
  • https://plugins.jenkins.io/security-inspector
• …
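A system Groovy script (Script Console, or a system Groovy step on the master), added here as an example and not part of the talk or of the plugins it names, that complements Audit Trail and Security Inspector with a scripted check of Rule #0, Rule #4 and Rule #5 against core Jenkins APIs only, returning the findings as a list. The function name auditJenkins is this example's own.

```groovy
// Added example: scripted security audit using only Jenkins core APIs (no plugin API needed).
// Run it from the Script Console or as a system Groovy step; findings come back as a list
// so the same function can be used from a scheduled audit job.
import jenkins.model.Jenkins
import hudson.model.AbstractProject
import hudson.security.AuthorizationStrategy
import hudson.security.FullControlOnceLoggedInAuthorizationStrategy
import hudson.security.SecurityRealm
import jenkins.security.QueueItemAuthenticatorConfiguration

List<String> auditJenkins(Jenkins jenkins) {
    List<String> findings = []

    // Rule #0: use security. An instance with no realm or an unsecured strategy is wide open.
    if (jenkins.getSecurityRealm() == SecurityRealm.NO_AUTHENTICATION) {
        findings.add('Security realm is "none": every request is anonymous')
    }
    def strategy = jenkins.getAuthorizationStrategy()
    if (strategy instanceof AuthorizationStrategy.Unsecured) {
        findings.add('Authorization strategy is "Unsecured": anyone can do anything')
    } else if (strategy instanceof FullControlOnceLoggedInAuthorizationStrategy) {
        // Violates "limited number of admins": every logged-in user is an administrator.
        findings.add('Any logged-in user has full control: no limited set of admins')
    }

    // Rule #4: do not run jobs on master. Executors on master let builds read other builds'
    // data and secrets and modify the system configuration.
    int masterExecutors = jenkins.getNumExecutors()
    if (masterExecutors > 0) {
        findings.add("Master has ${masterExecutors} executor(s); builds can run on the master".toString())
        // Freestyle-style jobs without a label restriction can land on master whenever it has
        // executors. Pipeline jobs choose nodes inside the script and are not covered here,
        // which is where the Job Restrictions plugin (Solution 2) comes in.
        jenkins.getAllItems(AbstractProject.class).each { AbstractProject p ->
            String label = p.getAssignedLabelString()
            if (label == null || label.trim().isEmpty()) {
                findings.add("Job '${p.getFullName()}' has no label restriction and may run on master".toString())
            }
        }
    }

    // Rule #5: do not trust your builds. Without any QueueItemAuthenticator (for example
    // from the Authorize Project plugin) every build runs with the SYSTEM account.
    if (QueueItemAuthenticatorConfiguration.get().getAuthenticators().isEmpty()) {
        findings.add('No QueueItemAuthenticator configured: all builds run as SYSTEM')
    }
    return findings
}

List<String> findings = auditJenkins(Jenkins.getInstance())
if (findings.isEmpty()) {
    println 'Audit: no findings'
} else {
    findings.each { println "FINDING: ${it}" }
}
```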
Security Inspector Plugin
https://plugins.jenkins.io/security-inspector
Reports for jobs, agents and users
Rule #7. Make the responsibilities explicit
• Assign leads to jobs and agents
• Share the maintenance effort with them
• Make the ownership explicit
Common strategies do not “just work”
Project Matrix Authorization Strategy
• Hard to manage
• No support of Node permissions
Role-Based Strategy
• Regular expression for each role
• Performance: Hundreds of Regex checks every request
• Web UI easily hangs
Ownership-Based Security
Ownership-based Security
• Ownership: assign owners of jobs/nodes; fancy UI
• Role Strategy: auth strategy; macro engine
• Job Restrictions: restrict runs for jobs and nodes
+ Authorize Project
http://bit.ly/ownership-based-security
Ownership Plugin
https://plugins.jenkins.io/ownership
• Primary and Secondary Owners
• Summary Boxes, View filters, etc.
• Environment variables
• Integration with Security plugins
Customizable layout
Ownership Info. Definition and Inheritance
• Folders
• Jobs
• Nodes
• Runs
• Sub-Projects
Demo. What’s inside?
• Jenkins core 2.62.2 (minimal – 1.625)
• Ownership 0.10.0
• Job Restrictions 0.6
• Security Inspector 0.4
• Authorize Project 1.3.0
• Dynamic Search View 0.2.2
• Role Strategy 2.5.1
Demo: https://hub.docker.com/r/onenashev/demo-jenkins-config-as-code/
Setting ownership info
Ownership Info. What Do you get?
• Ownership Summary Boxes
• Ownership View Columns
• View Filters
• Also: @Me macro
Customizable layout
Example: Quick administration contacts
Customizable template
Ownership-Based Security. Role-Based Strategy Settings: Roles [1/2]
Ownership-Based Security. Role-Based Strategy Settings: Roles [2/2]
Ownership-Based Security. Role-Based Strategy Settings: Assignments
Jobs. Securing access
Untrusted secondary owners!
Jobs. Authorize Project
Jobs get authenticated as owners =>
• Permissions
• Node access (Computer.BUILD)
Using Data in Jobs. Freestyle
Using Data in Jobs. Pipeline
Jenkins nodes
• Similar Ownership Management
• Special permission
• Node Ownership Monitor
  • => info in the table
Securing Nodes
Job Restrictions. Protecting the Master node
• NEVER let users run jobs on master
• Only use it for system jobs owned by admins
Ownership-Based Security: Links
Plugins:
• https://plugins.jenkins.io/ownership
• https://plugins.jenkins.io/role-strategy
• https://plugins.jenkins.io/job-restrictions
• https://plugins.jenkins.io/authorize-project
Ownership-based security:
• http://bit.ly/ownership-based-security
Demo:
• https://github.com/oleg-nenashev/demo-jenkins-config-as-code
Ownership-Based Security: Out of the scope
• Item-specific security
  • Plugging Matrix Project Security into the Ownership Engine
• Ownership-based restrictions for triggering jobs
• Ownership assignment policy on create/copy
• Groovy API for System Scripts (needs some love)
• “sudo” mode implementation for admins
Takeaways
• Follow the security advisories
• Keep your Jenkins up to date
• Use Security plugins
Rule #-1. Explore
• Many existing solutions for large-scale
• They are not well documented sometimes…
• But they exist
Links
• Security page: https://jenkins.io/security/
• Advisories: https://jenkins.io/security/advisories/
• Ownership-based security: http://bit.ly/ownership-based-security
• Demo: https://hub.docker.com/r/onenashev/demo-jenkins-config-as-code/
Thank you!
Contacts:
E-mail: onenashev@cloudbees.com
GitHub: oleg-nenashev
Twitter: @oleg_nenashev

Best Web Development Agency- Idiosys USA.pdfIdiosysTechnologies1
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceBrainSell Technologies
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Cizo Technology Services
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfStefano Stabellini
 

Recently uploaded (20)

Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....
 
Best Web Development Agency- Idiosys USA.pdf
Best Web Development Agency- Idiosys USA.pdfBest Web Development Agency- Idiosys USA.pdf
Best Web Development Agency- Idiosys USA.pdf
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
Advantages of Odoo ERP 17 for Your Business
Advantages of Odoo ERP 17 for Your BusinessAdvantages of Odoo ERP 17 for Your Business
Advantages of Odoo ERP 17 for Your Business
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdf
 

Belarus Jenkins Meetup - Managing security in Jenkins with configuration-as-code and roles

  • 1. Managing security in Jenkins with Configuration-as-Code and roles. Oleg Nenashev, CloudBees, Inc. Belarus Jenkins Meetup, Minsk, July 29, 2017
  • 2. @oleg_nenashev, #jenkinsBY © 2017 CloudBees, Inc. All Rights Reserved. About me: @oleg_nenashev (Twitter), oleg-nenashev (GitHub) • LibreCores project • St. Petersburg Polytechnic University • Jenkins meetups
  • 3. Oleg’s “Hall of Shame” (c): • Plugins • Jenkins Core • Windows Service Wrapper • Remoting • Security
  • 4. About you
  • 5. Agenda: • Introduction to Jenkins Security • System Configuration-as-Code in Jenkins • Ownership-based security • Live Demos. Disclaimer: • The presentation represents the author’s personal opinion • The author’s personal opinion may differ from the official positions of CloudBees and/or the Jenkins community • Many Jenkins instances were harmed, use carefully
  • 6. Who is Mr. Jenkins? 1. Most popular CI/CD tool in the world 2. Generic automation server 3. Flexible and extensible 4. It’s open source, big community 5. Commercial support vendors 6. … https://jenkins.io
  • 7.
  • 8. Jenkins is a… remote execution engine (by design)
  • 9. Jenkins is a… remote execution engine (by design) • One can run code and system commands • Access to the master system • Access to agents • Access to private/public clouds
  • 10. Jenkins… has access to sensitive data (by design)
  • 11. Jenkins… has access to sensitive data (by design) • Credentials • Private repositories • Artifacts, including release ones
  • 12. Jenkins is a… service (by design)
  • 13. Jenkins is a… service (by design) • Multiple users • Different expertise • Users may misuse permissions
  • 14. What does security mean? Jenkins security = intrusion and data theft protection + restrictions within the organization
  • 15. What does security mean? Intrusion and data theft protection: • Must-have in internet-facing instances • Paranoid mode is fine
  • 16. What does security mean? Restrictions within the organization: • Better user experience • Protection from unintentional actions • Protection from lack of expertise
  • 18. Rule #0. Use security! • Limited number of admins • Permissions • Security audit
  • 19. Jenkins project structure: Board, Core Team, Security, LTS, Events, INFRA, Website. • Security Team • Fixes in Jenkins core and plugins • https://jenkins.io/security/
  • 20. Rule #1. Keep updating. • Frequent security releases: weekly and the current LTS baseline • Info sources: https://jenkins.io/security/advisories/, the jenkinsci-advisories mailing list (including announcements), RSS feed. Callout: 2.46.2, exploits are in the wild, update ASAP
  • 21. LTS is only 3 months… • Not enough?
  • 22. LTS is only 3 months… • Not enough? • Build your own core (custom fork) • HINT: Join the security team to get info about changes in advance
  • 23. LTS is only 3 months… • Not enough? • Build your own core (custom fork) • Use custom versions from vendors: https://wiki.jenkins-ci.org/display/JENKINS/Commercial+Support, CloudBees Jenkins Enterprise
  • 24. Do you pull latest images from DockerHub?
  • 25. Do you pull latest images from DockerHub? • What’s inside? • Who can change them? • What if there is malicious code?
  • 26. Do you pull latest images from DockerHub? • What’s inside? • Who can change them? • What if there is malicious code? • How is it different from other package sources?
  • 27. Rule #2. Know what you use. Monitor plugin versions and release notes: • Beware of transitive dependencies (!) • Also monitor JIRA. Consider using locally managed sources: • Internal Maven • Docker Registry • Custom Jenkins Update Center: Juseppe, https://github.com/yandex-qatools/juseppe. Use static configurations: • Configuration-as-Code
  • 28. Configuration as Code in Jenkins: Jobs, System Configurations
  • 29. System Configurations… as Code. External tools: • Jenkins CLI and REST API • python-jenkins • jenkins-client (Java) • Configuration Management: Ansible, Chef, … • Docker, Docker Compose • … Solutions in Jenkins: • Groovy Boot Hooks • System Config DSL (alpha) • Scriptler Plugin • SCM Sync Configuration. Just examples… (the slide marks one of the in-Jenkins solutions as Unstable and another as Insecure)
  • 30. Groovy Hooks • Universal solution • Hooks on startup events: init, boot-failure • Scripts: WEB-INF/HOOK.groovy in jenkins.war; WEB-INF/HOOK.groovy.d/*.groovy in jenkins.war; $JENKINS_HOME/HOOK.groovy; $JENKINS_HOME/HOOK.groovy.d/*.groovy, in lexical order. https://wiki.jenkins-ci.org/display/JENKINS/Groovy+Hook+Script
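As an added example (not code from the talk or from the author's demo image), here is what an `init` hook of the kind slide 30 describes looks like when it is used to apply a security baseline at startup: local user database with self-signup disabled, a single explicit admin plus read-only access for everyone else (Rule #0), zero executors on the master (Rule #4), CSRF crumbs and only the current agent protocol. It assumes a Jenkins 2.x core with the bundled matrix-auth plugin, the file path `$JENKINS_HOME/init.groovy.d/10-security.groovy` and an environment variable `JENKINS_ADMIN_PASSWORD`; the file name and the variable are choices made for this example, the class names are core and matrix-auth APIs of that era.

```groovy
// $JENKINS_HOME/init.groovy.d/10-security.groovy  (example file name)
// Added example of a Groovy init hook; not from the talk's demo repository.
import jenkins.model.Jenkins
import hudson.model.Item
import hudson.security.HudsonPrivateSecurityRealm
import hudson.security.GlobalMatrixAuthorizationStrategy
import hudson.security.csrf.DefaultCrumbIssuer

def jenkins = Jenkins.getInstance()

// Rule #0: enable security. Local user database, self-signup disabled.
// The bootstrap admin password is read from the environment, never hard-coded
// (JENKINS_ADMIN_PASSWORD is a variable name assumed for this example).
if (!(jenkins.securityRealm instanceof HudsonPrivateSecurityRealm)) {
    String adminPassword = System.getenv('JENKINS_ADMIN_PASSWORD')
    if (adminPassword == null || adminPassword.isEmpty()) {
        throw new IllegalStateException('JENKINS_ADMIN_PASSWORD must be set before startup')
    }
    def realm = new HudsonPrivateSecurityRealm(false)   // false = no self-signup
    realm.createAccount('admin', adminPassword)
    jenkins.securityRealm = realm
}

// Rule #0: a small, explicit set of admins. Everyone who is logged in gets
// read-only access to the dashboard and jobs; nothing else is granted here,
// so job-level and node-level rights have to be added deliberately later
// (e.g. through the ownership / role strategy setup shown in the talk).
def strategy = new GlobalMatrixAuthorizationStrategy()
strategy.add(Jenkins.ADMINISTER, 'admin')
strategy.add(Jenkins.READ, 'authenticated')
strategy.add(Item.READ, 'authenticated')
strategy.add(Item.DISCOVER, 'authenticated')
jenkins.authorizationStrategy = strategy

// Rule #4: no executors on the master, so ordinary builds cannot run there
// and cannot read other builds' artifacts or the master's secrets.
jenkins.numExecutors = 0

// CSRF protection for the web UI and the REST API.
jenkins.crumbIssuer = new DefaultCrumbIssuer(true)

// Only the current agent protocol plus Ping; JNLP1-3 are deprecated.
jenkins.agentProtocols = ['JNLP4-connect', 'Ping'] as Set

jenkins.save()
println '10-security.groovy: security baseline applied'
```

Because the hook runs on every startup, it is written to be idempotent: the realm is only created when a different realm is in place (so existing accounts survive restarts), and the remaining settings simply overwrite whatever the UI holds, which is the point of keeping the configuration in code rather than in the UI. Note that the GlobalMatrixAuthorizationStrategy used here is the strategy slide 47 describes as hard to manage at scale; it is used only because it ships with the core and keeps the example self-contained.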
  • 31. Groovy Hooks: demo image https://hub.docker.com/r/onenashev/demo-jenkins-config-as-code/
  • 33. Rule #3. Keep Jenkins in a sandbox. • Do not run masters/agents under system accounts • Restrict access to non-required resources: generic accounts, read-only repositories • Sandbox your scripts as well
  • 34. Scryptocalypse, https://jenkins.io/security/advisory/2017-04-10/ • Unlimited scripting • More than 30 plugins affected: Groovy Plugin, JobDSL Plugin, Grails Plugin, Scriptler Plugin, … • Some of them are blocked
  • 35. DIY
  • 36. Jenkins Script Security, https://plugins.jenkins.io/script-security. DIY
  • 37. Script Security Plugin • Used in [almost] all Groovy plugins • https://plugins.jenkins.io/script-security
  • 38. Is it enough to become secure?
  • 39. Rule #4. Do not run jobs on master. • Builds have access to the master filesystem • They can… read data from other builds/artifacts, read secret hashes, modify the Jenkins system configuration, … • You don’t want that
  • 40. Rule #4. Do not run jobs on master. • Solution 1: set 0 executors on master, and add another node running under a different account • BUT: does not protect from flyweight tasks
  • 41. Rule #4. Do not run jobs on master. • Solution 1: 0 executors on master, another node running under a different account. BUT: does not protect from flyweight tasks • Solution 2: Job Restrictions Plugin. Details: later
  • 42. Rule #5. Do not trust your builds. • By default builds run with the SYSTEM account • Users may trigger wrong builds • Users can extract data
  • 43. Authorize Project Plugin, https://plugins.jenkins.io/authorize-project. Authorize builds: • Global default • Whitelist of user-configurable strategies • Job properties
  • 44. Rule #6. Audit your security. • Audit Trail: logging of actions, https://plugins.jenkins.io/audit-trail • Security Inspector: permission checks, https://plugins.jenkins.io/security-inspector • …
  • 45. Security Inspector Plugin, https://plugins.jenkins.io/security-inspector. Reports for jobs, agents and users
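The permission reports on slides 44 and 45 come from the Security Inspector plugin; the script below is an added example, not the plugin's code, showing how the same kind of check can be done from the Script Console with core APIs only: it impersonates a user, asks every job's and every computer's ACL which permissions that user effectively holds, and flags the Rule #4 violation of a non-admin being able to run builds on the master. It assumes a Jenkins 2.x core and an administrator running it; the user id `alice` is a placeholder.

```groovy
// Added example for an effective-permission audit; not the Security Inspector plugin's code.
// Run from Manage Jenkins > Script Console as an administrator.
import jenkins.model.Jenkins
import hudson.model.Computer
import hudson.model.Item
import hudson.model.Job
import hudson.model.User
import hudson.security.ACL
import hudson.security.Permission

// Permissions worth reporting per object type (core constants).
final List<Permission> JOB_PERMS  = [Item.READ, Item.BUILD, Item.CONFIGURE, Item.DELETE]
final List<Permission> NODE_PERMS = [Computer.CONNECT, Computer.BUILD, Computer.CONFIGURE]

// Returns [jobs: [fullName: [permNames]], nodes: [nodeName: [permNames]]] for the
// given user, or null when the user is unknown. The ACL questions are asked while
// impersonating the user, so the answer reflects the real authorization strategy
// (matrix, role-based, ownership-based, ...) and not the admin running the script.
Map auditUser(String userId) {
    def user = User.get(userId, false, [:])
    if (user == null) {
        return null
    }
    def auth = user.impersonate()          // throws if the security realm rejects the id
    def report = [jobs: [:], nodes: [:]]
    ACL.impersonate(auth) {
        for (Job job : Jenkins.getInstance().getAllItems(Job)) {
            List<String> granted = JOB_PERMS.findAll { job.hasPermission(it) }*.name
            if (granted) {
                report.jobs[job.fullName] = granted
            }
        }
        for (Computer c : Jenkins.getInstance().computers) {
            List<String> granted = NODE_PERMS.findAll { c.hasPermission(it) }*.name
            if (granted) {
                report.nodes[c.name ?: 'master'] = granted   // the master computer has an empty name
            }
        }
    } as Runnable
    return report
}

// Rule #4 check: only admins should be able to run builds on the master.
List<String> rule4Findings(String userId, Map report) {
    def findings = []
    if (report.nodes['master']?.contains(Computer.BUILD.name)
            && !Jenkins.getInstance().getACL().hasPermission(
                   User.get(userId, false, [:]).impersonate(), Jenkins.ADMINISTER)) {
        findings << "${userId} can run builds on master but is not an administrator"
    }
    return findings
}

String userId = 'alice'   // placeholder user id for this example
Map report = auditUser(userId)
if (report == null) {
    println "unknown user: ${userId}"
} else {
    println "Jobs reachable by ${userId}:"
    report.jobs.each { name, perms -> println "  ${name}: ${perms.join(', ')}" }
    println "Nodes reachable by ${userId}:"
    report.nodes.each { name, perms -> println "  ${name}: ${perms.join(', ')}" }
    rule4Findings(userId, report).each { println "WARNING: ${it}" }
}
```

Running this for each user in `User.getAll()` gives a rough per-user matrix comparable to the plugin's user report; the interesting output is usually not what admins can do but which non-admins hold Build or Configure on nodes they should not own, which is exactly what the ownership-based strategy later in the talk is meant to make explicit.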
  • 46. Rule #7. Make the responsibilities explicit. • Assign leads to jobs and agents • Share the maintenance effort with them • Make the ownership explicit
  • 47. Common strategies do not “just work”. Project Matrix Authorization Strategy: • Hard to manage • No support for node permissions. Role-Based Strategy: • Regular expression for each role • Performance: hundreds of regex checks on every request • Web UI easily hangs
  • 49. Ownership-based Security = Role Strategy + Ownership + Job Restrictions (+ Authorize Project). • Assign owners of jobs/nodes • Fancy UI • Auth strategy • Macro engine • Restrict runs for jobs and nodes. http://bit.ly/ownership-based-security
  • 50. Ownership Plugin, https://plugins.jenkins.io/ownership • Primary and Secondary Owners • Summary Boxes, View filters, etc. • Environment variables • Integration with security plugins • Customizable layout
  • 51. Ownership Info. Definition and inheritance: Folders, Jobs, Nodes, Runs, Sub-Projects
  • 52. Demo. What’s inside? Jenkins core 2.62.2 (minimal: 1.625) • Ownership 0.10.0 • Job Restrictions 0.6 • Security Inspector 0.4 • Authorize Project 1.3.0 • Dynamic Search View 0.2.2 • Role Strategy 2.5.1
  • 53. https://hub.docker.com/r/onenashev/demo-jenkins-config-as-code/
  • 54. Setting ownership info
  • 55. Ownership Info. What do you get? • Ownership Summary Boxes • Ownership View Columns • View Filters • Also: @Me macro • Customizable layout
  • 56. Example: quick administration contacts. Customizable template
  • 57. Ownership-Based Security. Role-Based Strategy Settings: Roles [1/2]
  • 58. Ownership-Based Security. Role-Based Strategy Settings: Roles [2/2]
  • 59. Ownership-Based Security. Role-Based Strategy Settings: Assignments
  • 60. Jobs. Securing access. Untrusted secondary owners!
  • 61. Jobs. Authorize Project. Jobs get authenticated as owners => • Permissions • Node access (Computer.BUILD)
  • 62. Using data in jobs. Freestyle
  • 63. Using data in jobs. Pipeline
  • 64. Jenkins nodes • Similar ownership management • Special permission • Node Ownership Monitor => info in the table
  • 65. Securing nodes
  • 66. Job Restrictions. Protecting the master node. • NEVER let users run jobs on master • Only use it for system jobs owned by admins
  • 67. Ownership-Based Security: links. Plugins: • https://plugins.jenkins.io/ownership • https://plugins.jenkins.io/role-strategy • https://plugins.jenkins.io/job-restrictions • https://plugins.jenkins.io/authorize-project. Ownership-based security: • http://bit.ly/ownership-based-security. Demo: • https://github.com/oleg-nenashev/demo-jenkins-config-as-code
  • 68. Ownership-Based Security: out of the scope. • Item-specific security: plugging Matrix Project Security into the Ownership engine • Ownership-based restrictions for triggering jobs • Ownership assignment policy on create/copy • Groovy API for system scripts (needs some love) • “sudo” mode implementation for admins
  • 69. Takeaways • Follow the security advisories • Keep your Jenkins up to date • Use security plugins
  • 70. Rule #-1. Explore. • Many existing solutions for large-scale setups • They are not always well documented… • But they exist
  • 71. Links • Security page: https://jenkins.io/security/ • Advisories: https://jenkins.io/security/advisories/ • Ownership-based security: http://bit.ly/ownership-based-security • Demo: https://hub.docker.com/r/onenashev/demo-jenkins-config-as-code/
  • 72. Thank you! Contacts: E-mail: onenashev@cloudbees.com • GitHub: oleg-nenashev • Twitter: @oleg_nenashev