6 Security layer 4: securing the delivery pipeline
This chapter covers
- Controlling permissions granted to users and third parties in GitHub and CircleCI
- Protecting source code from modifications with Git commits and tag signing
- Managing permissions in Docker Hub
- Managing deployment permissions in AWS
- Distributing configuration secrets safely in AWS
So far, we’ve talked about protecting services as they run in a production environment. In this chapter, we’ll shift our focus to the infrastructure that takes the code from developers and brings it to the production environment. Continuous integration and continuous delivery are great tools to accelerate development cycles, but they come with their share of security concerns. Mainly, the increased reliance on third-party services to host, test, build, and ship code opens the door to misconfigurations that can let attackers take control of the application code. We’ll talk about how to prevent our code and configuration from being altered as it transits through the pipeline, from the developer computer to the cloud. Our goal is to make sure the code running in the production infrastructure is the code the developers intended to run when writing the application.