DevOps World | Jenkins World 2019 Lisbon

Jenkins is an open source tool that helps developers build, deploy and automate software development and delivery. It can be extended with further functionality by more than a thousand plugins. These plugins help with recurring tasks such as executing a static code analyzer or copying a compiled software to a CIFS share or they may add functionalities like Active Directory authentication or role-based authorization. Similar to well-known content management systems, this core framework is extended by hundreds of plugins. But most these plugins are developed by third-party developers and it is up to them for securely writing them.

As the number of open source and third-party developed plugins grow as part of the Jenkins installation, it can be a challenging task to ensure that only secure components are being used in the DevOps environment. This talk takes a look at the most common vulnerabilities as well as ones found during research into more than 100 plugins. More importantly, we look at how to prevent these vulnerabilities during plugin development so that a more secure Jenkins CI and CD environment can be built.