“Your build pipeline is a production system,” says Tom Duckering, lead consultant from Thoughtworks London. Tom gave the talk Securing the Pipeline together with Patrick Downey at XConf Hamburg.
Both Tom and Pat identify themselves as infrastructure automation guys and gave me a short insight into the dangers that could come out of your continuous delivery pipeline when not sufficiently secured.
In this half- hour interview, we first introduce the threats coming out of the pipeline. We establish the continuous delivery pipeline as a production system - because it will create what is in production. We also give an example of how easy it can be to get root access with an anonymous user, and of course we discuss strategies to make a pipeline secure enough for the attack trees a customer might face.