DevOps World | Jenkins World 2019 Lisbon
Thursday, December 5 • 13:45 - 14:30
The Story, the Findings and the Fixes Behind More than 100 Jenkins Plugins Vulnerabilities


Jenkins is an open source tool that helps developers build, deploy and automate software development and delivery. It can be extended with further functionality by more than a thousand plugins. These plugins help with recurring tasks, such as executing a static code analyzer or copying compiled software to a CIFS share, or they may add functionality like Active Directory authentication or role-based authorization. Similar to well-known content management systems, the core framework is extended by hundreds of plugins. But most of these plugins are developed by third-party developers, and it is up to them to write them securely.

As the number of open source and third-party developed plugins in a Jenkins installation grows, it can be a challenging task to ensure that only secure components are being used in the DevOps environment. This talk looks at the most common vulnerability classes as well as the ones found during research into more than 100 plugins. More importantly, we look at how to prevent these vulnerabilities during plugin development so that a more secure Jenkins CI and CD environment can be built.


Viktor Gazdag

Security Consultant, NCC Group
Viktor Gazdag has been in the IT security industry for over five years and is currently working at NCC Group as a security consultant. Recently he started to research and report security vulnerabilities in multiple DevOps products and plugins. Viktor's name might be familiar based on...

Thursday December 5, 2019 13:45 - 14:30 PST
Auditorium II