Securely deploying an application
A secure infrastructure is pretty useless if the application being transported is not reliably secure. So this week we will talk about securing our deployment and continuous integration process.
In git the author of a commit is determined simply by a setting in your local git client. This can be changed at any time, to anything you want, like so:
$ git config --global user.email "email@example.com" $ git config --global user.name "Really George Washington"
This makes an identity provided by git pretty insecure and unreliable. So let's imagine someone pretends to be me and copies my writing style and posts and posts a pull request for a "fix" as me. A co-worker could just think, "Eh, small fix, tests don't break, merged.", having thus introduced a possible vulnerability.
This is less of a problem when using a platform like GitHub, which doesn't care about your git author settings, but only displays the account you work from on GitHub. Issues could arise for people not using GitHub or when you move away the repository to another host. The other issue is as always unforeseen security vulnerabilities in the platform itself.
To ensure that we can trust that each maintainer is actually who we think they are, we can introduce GPG signed commits. However since the process of generating a key, and then having that key signed is long and complicated, it wouldn't make sense to require this for all people trying to contribute to the project. The user experience behind this could also just lead to people generating a key once for this commit and then throwing it away, just to get a then meaningless signed commit.
- pull requests from third party contributers can come from anyone and don't need to be signed.
- merges and commits to master need to be signed
Step 1: update/create gpg keys Step 2: enable gpg key signing in git Step 3: have something that rejects unsigned merge commits
https://github.com/danger/peril Use peril for checking for signed commits
https://snyk.io/org/brainsware/projects Use snyk for automatic node package vulnerability checkup
Use bintray for signed packages!
Script authenticity, layer one, commits: https://twitter.com/dancarley/status/888063401490096130
? Potential webapp that verifies authenticity with certs Not within scope right now Browser extension with network for checking script signatures
Can you trust your Build-chain? — trusting trust, and reflections on trusting trust
- Known CVEs in libraries (OWASP A9) — Greenkeeper.io
- How to verify the artifact has the expected functionality and only that?