SlideShare a Scribd company logo

Trusting the Unknown

Download as PPTX, PDF
S
ssuser37f369

Continuous Integration, Continuous Delivery, workflow automation, more and more tools rely on a vibrant marketplace to share extensions that add new functionality to the systems. Unfortunately, this means you’re putting trust into a LOT of different people and many of these extensions are built by professionals and enthusiasts in their limited spare time. GitHub has such a marketplace for Actions and Azure DevOps one for Pipelines. But how do you know whether you can trust these extensions, how do you stay up to date and if you’re building these extensions yourself, how do you keep them secure and your users on the latest version? Jesse takes us through some of the best practices from the perspective of an extension author, user as well as the administrator of the system that loads these extensions.

Technology
1 of 43
Trusting the Unknown - Ensuring Safe & Secure Extension Use in CI/CD Workflows
Of extensions contain some vulnerability
Of extensions owned by Microsoft
With a ⭐ rating
Of extensions updated in the last 3 months
Of Node based Azure Pipelines tasks
Of PowerShell Azure Pipeline Tasks…
That’s unfair But it’s also a bit true…
Jesse Houwing Chief Trainer & Tinkerer xpirit.com/jesse jessehouwing jessehouwing jessehouwing hachyderm.io/jessehouwing +31 6 41 81 333 8
Extensions in the context of Azure Pipelines Manifests Marketplace pritties Tasks And potentially tabs and context menu actions…
So what is a task? Loads of dependencies At least azure-pipelines-task-lib Frozen at time of publish Another Manifest The actual custom code More pretties
Or… using PowerShell A lot fewer dependencies at least VstsTaskSdk Another Manifest The actual custom code More pretties
An extension can contain more than 1 tasks Task A Task A v1
Where do these tasks come from? • They’re “built-in” tasks • Automatically updated by Microsoft in Azure DevOps • Manually updated through Microsoft Update packs in Azure DevOps Server • Manually updated by administrator through sideloading (see below) • They’re from an extension from the public marketplace • Installed through marketplace.visualstudio.com • Automatically updated in Azure DevOps and Azure DevOps Server • They’re from an extension from the private marketplace • Manually uploaded to Azure DevOps Server • They’re sideloaded directly • Manually uploaded to Azure DevOps or Azure DevOps Server
2 problems with task updates By default, the agent: 1. Pins the major version to the one you selected 2. Updates to the latest minor version available
Where do these tasks come from?
So how do we know we can trust these tasks? You don’t.
How do you know? Well… I downloaded 700GB of vsix files from the Azure DevOps marketplace Extracted them and scanned them
So how do we know we can trust them? Trusted publisher? Verification? Rating? Number of issues and pull-requests? Metadata provided by the author? Recently updated? Looks nice?
Is it really that bad? Maybe not…
All of these potential security issues Do not mean there is a known exploit chain
But it’s not pretty!
It’s not just the updates you should worry about
So what’s the risk we’re running • Some of these extensions turn off TLS security • Some might overwrite arbitrary files • Some might be used to send data to the outside world • Some install things directly from npmjs. • Others download 100’s of MB, extract it and execute without verification • Often on a host with admin permissions There is a lot of potential
Why is PowerShell so much better? It might not be but… • Many of the dependencies are automatically updated through Windows Update • PowerShell relies on the .NET framework for most functionality • There are a lot fewer dependencies to worry about
What is Microsoft doing? • They’ve introduced a new Node 16 handler for Azure Pipelines • They’re deprecating Node 6 and Node 10 for Azure Pipelines tasks. • They’re updating all the built-in tasks for Azure DevOps. • They’re updating all the built-in tasks for Azure DevOps Server 2022? • They’ve added the ability to turn off Node 6 on the Pipelines Agent. • They’re adding warnings to every workflow that runs uses Node 6 (and later 10).
What am I doing / have I done • I actively update all my extensions regularly • I automatically update my dependencies using Snyk, Dependabot and RenovateBot • I scan my code for vulnerabilities using Snyk Code and GitHub advanced Security • I maintain the Azure DevOps Extension Tasks to implement CI / CD for Azure DevOps extensions • I recently contributed to RenovateBot to add support for the Azure Pipeline Marketplace. Now doing the same for dependabot-core.
Guidance for deprecating an extension • Add a warning to all versions of your tasks • Timebomb the task to fail after today+X • Mark all tasks deprecated:true in the task.json • Add [DEPRECATED] to your task friendly name in the task.json • Add [DEPRECATED] to your extension name in the vss-extension.json • Publish this last version • Unpublish the extension • Archive the GitHub repository
Guidance for deprecating task version • Add both the old and the new version of the task to your extension • Update the old version’s friendlyName and add [DEPRECATED] in task.json • Add a warning / error to the implementation to warn you users
What should Extension authors do? • Employ secure password practices and use 2FA • Deprecate extensions you’re no longer maintaining • Update your existing extensions to Node 16 and latest dependencies • Enable DependaBot to automatically keep your dependencies up-to- date • Enable GitHub Advanced Security to detect issues in *your* code • Implement CI / CD to ship new versions with ease • Add repo metadata to their extension manifests
What should Azure DevOps admins do • Disable insecure extensions • Implement RenovateBot to automatically suggest updates to installed Azure Pipelines tasks • Disable Node 6 support on the Azure Pipelines Agent • Do not install every extension in the marketplace without thought • Provide Hosted Agents or ephemeral Scale- set agents
What should Azure DevOps admins do • Run Endpoint Security on your Azure Pipelines Agents • For DevOps Server • Upgrade to Azure DevOps Server 2022 and stay current • Migrate to Azure DevOps Service • Manually upgrade “built-in” tasks • Be careful with internal marketplace
Overwrite a built-in task npm install -g tfx-cli tfx build tasks upload --task-zip-path Task.guid-version.zip --service-url https://yourtfs.com/tfs/DefaultCollection . ./script/install-task.ps1 -CollectionUrl https://yourtfs.com/tfs/DefaultCollection -TaskZip Task.guid-version.zip Delete all versions of a task npm install -g tfx-cli tfx build tasks delete --task-id ad884ca2-732e-4b85-b2d3-ed71bcbd2788 --service-url https://yourtfs.com/tfs/DefaultCollection
What should Azure Pipelines authors do? • Consider whether you actually need an extension. • Keep your pipelines current. Update your major task versions and resolve any issues. • Use Azure Pipelines YAML • Pin the exact version of your tasks • Use RenovateBot to automatically keep your pipelines up to date • Use Hosted Agents / Ephemeral Scale-set agents whenever possible
What should the community do? • Sponsor the authors of extensions you rely on. • Submit pull requests to improve extensions. • Submit pull requests to upgrade extensions to Node 16. • Leave reviews on the marketplace and update them.
Useful resources
Useful Resources • Azure DevOps Marketplace Scan https://github.com/jessehouwing/azure-devops-marketplace-scan https://jessehouwing.net/security-state-of-the-azure-devops- marketplace/ • Hardening guidelines for Azure Pipelines https://learn.microsoft.com/en- us/azure/devops/organizations/security/security-best- practices?view=azure-devops#secure-azure-pipelines
Useful resources • Azure Pipelines Tasks Zips https://github.com/jessehouwing/azure-pipelines-tasks-zips • RenovateBot for Azure Pipelines https://jessehouwing.net/azure-pipelines-enable-renovatebot/ • Azure DevOps Extension tasks https://marketplace.visualstudio.com/items?itemName=ms- devlabs.vsts-developer-tools-build-tasks

Recommended

Continuos Integration and Delivery: from Zero to Hero with TeamCity, Docker a...
Continuos Integration and Delivery: from Zero to Hero with TeamCity, Docker a...Continuos Integration and Delivery: from Zero to Hero with TeamCity, Docker a...
Continuos Integration and Delivery: from Zero to Hero with TeamCity, Docker a...Lean IT Consulting
 
Vagrant to-aws-flow
Vagrant to-aws-flowVagrant to-aws-flow
Vagrant to-aws-flowKimberly Macias
 
Simplified DevOps Bliss -with OpenAI API
Simplified DevOps Bliss -with OpenAI APISimplified DevOps Bliss -with OpenAI API
Simplified DevOps Bliss -with OpenAI APIVictorSzoltysek
 
Devops
DevopsDevops
DevopsJyothirmaiG4
 
Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration Amazon Web Services
 
Azure DevOps for JavaScript Developers
Azure DevOps for JavaScript DevelopersAzure DevOps for JavaScript Developers
Azure DevOps for JavaScript DevelopersSarah Dutkiewicz
 
Azure DevOps Tasks.pptx
Azure DevOps Tasks.pptx Azure DevOps Tasks.pptx
Azure DevOps Tasks.pptxPrasanthOneness
 
PVS-Studio in the Clouds: Travis CI
PVS-Studio in the Clouds: Travis CIPVS-Studio in the Clouds: Travis CI
PVS-Studio in the Clouds: Travis CIAndrey Karpov
 

Recommended

Continuos Integration and Delivery: from Zero to Hero with TeamCity, Docker a...
Continuos Integration and Delivery: from Zero to Hero with TeamCity, Docker a...Continuos Integration and Delivery: from Zero to Hero with TeamCity, Docker a...
Continuos Integration and Delivery: from Zero to Hero with TeamCity, Docker a...Lean IT Consulting
 
Vagrant to-aws-flow
Vagrant to-aws-flowVagrant to-aws-flow
Vagrant to-aws-flowKimberly Macias
 
Simplified DevOps Bliss -with OpenAI API
Simplified DevOps Bliss -with OpenAI APISimplified DevOps Bliss -with OpenAI API
Simplified DevOps Bliss -with OpenAI APIVictorSzoltysek
 
Devops
DevopsDevops
DevopsJyothirmaiG4
 
Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration Amazon Web Services
 
Azure DevOps for JavaScript Developers
Azure DevOps for JavaScript DevelopersAzure DevOps for JavaScript Developers
Azure DevOps for JavaScript DevelopersSarah Dutkiewicz
 
Azure DevOps Tasks.pptx
Azure DevOps Tasks.pptx Azure DevOps Tasks.pptx
Azure DevOps Tasks.pptxPrasanthOneness
 
PVS-Studio in the Clouds: Travis CI
PVS-Studio in the Clouds: Travis CIPVS-Studio in the Clouds: Travis CI
PVS-Studio in the Clouds: Travis CIAndrey Karpov
 
DevOps Delivery Pipeline
DevOps Delivery PipelineDevOps Delivery Pipeline
DevOps Delivery PipelineDenis Korchuganov
 
DevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
DevOps on AWS: Accelerating Software Delivery with the AWS Developer ToolsDevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
DevOps on AWS: Accelerating Software Delivery with the AWS Developer ToolsAmazon Web Services
 
CI/CD on AWS
CI/CD on AWSCI/CD on AWS
CI/CD on AWSBhargav Amin
 
DevOps & DevEx
DevOps & DevExDevOps & DevEx
DevOps & DevExIfunga Ndana
 
DevOps Days Boston 2017: Developer first workflows for Kubernetes
DevOps Days Boston 2017: Developer first workflows for KubernetesDevOps Days Boston 2017: Developer first workflows for Kubernetes
DevOps Days Boston 2017: Developer first workflows for KubernetesAmbassador Labs
 
Continuous Integration and Deployment Best Practices on AWS
Continuous Integration and Deployment Best Practices on AWSContinuous Integration and Deployment Best Practices on AWS
Continuous Integration and Deployment Best Practices on AWSAmazon Web Services
 
10 tips for Cloud Native Security
10 tips for Cloud Native Security10 tips for Cloud Native Security
10 tips for Cloud Native SecurityKarthik Gaekwad
 
Getting to Walk with DevOps
Getting to Walk with DevOpsGetting to Walk with DevOps
Getting to Walk with DevOpsEklove Mohan
 
Docker and Puppet for Continuous Integration
Docker and Puppet for Continuous IntegrationDocker and Puppet for Continuous Integration
Docker and Puppet for Continuous IntegrationGiacomo Vacca
 
SenchaCon 2016: Develop, Test & Deploy with Docker - Jonas Schwabe
SenchaCon 2016: Develop, Test & Deploy with Docker - Jonas Schwabe SenchaCon 2016: Develop, Test & Deploy with Docker - Jonas Schwabe
SenchaCon 2016: Develop, Test & Deploy with Docker - Jonas Schwabe Sencha
 
Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?AFUP_Limoges
 
Versioning for Developers
Versioning for DevelopersVersioning for Developers
Versioning for DevelopersMichelangelo van Dam
 
AWS re:Invent 2016: DevOps on AWS: Accelerating Software Delivery with the AW...
AWS re:Invent 2016: DevOps on AWS: Accelerating Software Delivery with the AW...AWS re:Invent 2016: DevOps on AWS: Accelerating Software Delivery with the AW...
AWS re:Invent 2016: DevOps on AWS: Accelerating Software Delivery with the AW...Amazon Web Services
 
DevSecCon London 2017: Permitting agility whilst enforcing security by Alina ...
DevSecCon London 2017: Permitting agility whilst enforcing security by Alina ...DevSecCon London 2017: Permitting agility whilst enforcing security by Alina ...
DevSecCon London 2017: Permitting agility whilst enforcing security by Alina ...DevSecCon
 
Continuous Integration & Development with Gitlab
Continuous Integration & Development with GitlabContinuous Integration & Development with Gitlab
Continuous Integration & Development with GitlabAyush Sharma
 
Achieving Full Stack DevOps at Colonial Life
Achieving Full Stack DevOps at Colonial Life Achieving Full Stack DevOps at Colonial Life
Achieving Full Stack DevOps at Colonial Life DevOps.com
 
Zure Azure PaaS Zero to Hero - DevOps training day
Zure Azure PaaS Zero to Hero - DevOps training dayZure Azure PaaS Zero to Hero - DevOps training day
Zure Azure PaaS Zero to Hero - DevOps training dayOkko Oulasvirta
 
Puppet Camp Melbourne Nov 2014 - A Build Engineering Team’s Journey of Infras...
Puppet Camp Melbourne Nov 2014 - A Build Engineering Team’s Journey of Infras...Puppet Camp Melbourne Nov 2014 - A Build Engineering Team’s Journey of Infras...
Puppet Camp Melbourne Nov 2014 - A Build Engineering Team’s Journey of Infras...Peter Leschev
 
What DevOps Isn't
What DevOps Isn'tWhat DevOps Isn't
What DevOps Isn'tFrank Lamantia
 
Security as Code: DOES15
Security as Code: DOES15Security as Code: DOES15
Security as Code: DOES15Ed Bellis
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 

More Related Content

Similar to Trusting the Unknown

DevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
DevOps on AWS: Accelerating Software Delivery with the AWS Developer ToolsDevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
DevOps on AWS: Accelerating Software Delivery with the AWS Developer ToolsAmazon Web Services
 
DevOps Days Boston 2017: Developer first workflows for Kubernetes
DevOps Days Boston 2017: Developer first workflows for KubernetesDevOps Days Boston 2017: Developer first workflows for Kubernetes
DevOps Days Boston 2017: Developer first workflows for KubernetesAmbassador Labs
 
Continuous Integration and Deployment Best Practices on AWS
Continuous Integration and Deployment Best Practices on AWSContinuous Integration and Deployment Best Practices on AWS
Continuous Integration and Deployment Best Practices on AWSAmazon Web Services
 
10 tips for Cloud Native Security
10 tips for Cloud Native Security10 tips for Cloud Native Security
10 tips for Cloud Native SecurityKarthik Gaekwad
 
Getting to Walk with DevOps
Getting to Walk with DevOpsGetting to Walk with DevOps
Getting to Walk with DevOpsEklove Mohan
 
Docker and Puppet for Continuous Integration
Docker and Puppet for Continuous IntegrationDocker and Puppet for Continuous Integration
Docker and Puppet for Continuous IntegrationGiacomo Vacca
 
SenchaCon 2016: Develop, Test & Deploy with Docker - Jonas Schwabe
SenchaCon 2016: Develop, Test & Deploy with Docker - Jonas Schwabe SenchaCon 2016: Develop, Test & Deploy with Docker - Jonas Schwabe
SenchaCon 2016: Develop, Test & Deploy with Docker - Jonas Schwabe Sencha
 
Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?AFUP_Limoges
 
AWS re:Invent 2016: DevOps on AWS: Accelerating Software Delivery with the AW...
AWS re:Invent 2016: DevOps on AWS: Accelerating Software Delivery with the AW...AWS re:Invent 2016: DevOps on AWS: Accelerating Software Delivery with the AW...
AWS re:Invent 2016: DevOps on AWS: Accelerating Software Delivery with the AW...Amazon Web Services
 
DevSecCon London 2017: Permitting agility whilst enforcing security by Alina ...
DevSecCon London 2017: Permitting agility whilst enforcing security by Alina ...DevSecCon London 2017: Permitting agility whilst enforcing security by Alina ...
DevSecCon London 2017: Permitting agility whilst enforcing security by Alina ...DevSecCon
 
Continuous Integration & Development with Gitlab
Continuous Integration & Development with GitlabContinuous Integration & Development with Gitlab
Continuous Integration & Development with GitlabAyush Sharma
 
Achieving Full Stack DevOps at Colonial Life
Achieving Full Stack DevOps at Colonial Life Achieving Full Stack DevOps at Colonial Life
Achieving Full Stack DevOps at Colonial Life DevOps.com
 
Zure Azure PaaS Zero to Hero - DevOps training day
Zure Azure PaaS Zero to Hero - DevOps training dayZure Azure PaaS Zero to Hero - DevOps training day
Zure Azure PaaS Zero to Hero - DevOps training dayOkko Oulasvirta
 
Puppet Camp Melbourne Nov 2014 - A Build Engineering Team’s Journey of Infras...
Puppet Camp Melbourne Nov 2014 - A Build Engineering Team’s Journey of Infras...Puppet Camp Melbourne Nov 2014 - A Build Engineering Team’s Journey of Infras...
Puppet Camp Melbourne Nov 2014 - A Build Engineering Team’s Journey of Infras...Peter Leschev
 
Security as Code: DOES15
Security as Code: DOES15Security as Code: DOES15
Security as Code: DOES15Ed Bellis
 

Similar to Trusting the Unknown (20)

DevOps Delivery Pipeline
DevOps Delivery PipelineDevOps Delivery Pipeline
DevOps Delivery Pipeline
 
DevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
DevOps on AWS: Accelerating Software Delivery with the AWS Developer ToolsDevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
DevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
 
CI/CD on AWS
CI/CD on AWSCI/CD on AWS
CI/CD on AWS
 
DevOps & DevEx
DevOps & DevExDevOps & DevEx
DevOps & DevEx
 
DevOps Days Boston 2017: Developer first workflows for Kubernetes
DevOps Days Boston 2017: Developer first workflows for KubernetesDevOps Days Boston 2017: Developer first workflows for Kubernetes
DevOps Days Boston 2017: Developer first workflows for Kubernetes
 
Continuous Integration and Deployment Best Practices on AWS
Continuous Integration and Deployment Best Practices on AWSContinuous Integration and Deployment Best Practices on AWS
Continuous Integration and Deployment Best Practices on AWS
 
10 tips for Cloud Native Security
10 tips for Cloud Native Security10 tips for Cloud Native Security
10 tips for Cloud Native Security
 
Getting to Walk with DevOps
Getting to Walk with DevOpsGetting to Walk with DevOps
Getting to Walk with DevOps
 
Docker and Puppet for Continuous Integration
Docker and Puppet for Continuous IntegrationDocker and Puppet for Continuous Integration
Docker and Puppet for Continuous Integration
 
SenchaCon 2016: Develop, Test & Deploy with Docker - Jonas Schwabe
SenchaCon 2016: Develop, Test & Deploy with Docker - Jonas Schwabe SenchaCon 2016: Develop, Test & Deploy with Docker - Jonas Schwabe
SenchaCon 2016: Develop, Test & Deploy with Docker - Jonas Schwabe
 
Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?
 
Versioning for Developers
Versioning for DevelopersVersioning for Developers
Versioning for Developers
 
AWS re:Invent 2016: DevOps on AWS: Accelerating Software Delivery with the AW...
AWS re:Invent 2016: DevOps on AWS: Accelerating Software Delivery with the AW...AWS re:Invent 2016: DevOps on AWS: Accelerating Software Delivery with the AW...
AWS re:Invent 2016: DevOps on AWS: Accelerating Software Delivery with the AW...
 
DevSecCon London 2017: Permitting agility whilst enforcing security by Alina ...
DevSecCon London 2017: Permitting agility whilst enforcing security by Alina ...DevSecCon London 2017: Permitting agility whilst enforcing security by Alina ...
DevSecCon London 2017: Permitting agility whilst enforcing security by Alina ...
 
Continuous Integration & Development with Gitlab
Continuous Integration & Development with GitlabContinuous Integration & Development with Gitlab
Continuous Integration & Development with Gitlab
 
Achieving Full Stack DevOps at Colonial Life
Achieving Full Stack DevOps at Colonial Life Achieving Full Stack DevOps at Colonial Life
Achieving Full Stack DevOps at Colonial Life
 
Zure Azure PaaS Zero to Hero - DevOps training day
Zure Azure PaaS Zero to Hero - DevOps training dayZure Azure PaaS Zero to Hero - DevOps training day
Zure Azure PaaS Zero to Hero - DevOps training day
 
Puppet Camp Melbourne Nov 2014 - A Build Engineering Team’s Journey of Infras...
Puppet Camp Melbourne Nov 2014 - A Build Engineering Team’s Journey of Infras...Puppet Camp Melbourne Nov 2014 - A Build Engineering Team’s Journey of Infras...
Puppet Camp Melbourne Nov 2014 - A Build Engineering Team’s Journey of Infras...
 
What DevOps Isn't
What DevOps Isn'tWhat DevOps Isn't
What DevOps Isn't
 
Security as Code: DOES15
Security as Code: DOES15Security as Code: DOES15
Security as Code: DOES15
 

Recently uploaded

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 

Recently uploaded (20)

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 

Trusting the Unknown

  • 1. Trusting the Unknown - Ensuring Safe & Secure Extension Use in CI/CD Workflows
  • 2. Of extensions contain some vulnerability
  • 3. Of extensions owned by Microsoft
  • 4. With a ⭐ rating
  • 5. Of extensions updated in the last 3 months
  • 6. Of Node based Azure Pipelines tasks
  • 7. Of PowerShell Azure Pipeline Tasks…
  • 8. That’s unfair But it’s also a bit true…
  • 9.
  • 10. Jesse Houwing Chief Trainer & Tinkerer xpirit.com/jesse jessehouwing jessehouwing jessehouwing hachyderm.io/jessehouwing +31 6 41 81 333 8
  • 11.
  • 12.
  • 13. Extensions in the context of Azure Pipelines Manifests Marketplace pritties Tasks And potentially tabs and context menu actions…
  • 14. So what is a task? Loads of dependencies At least azure-pipelines-task-lib Frozen at time of publish Another Manifest The actual custom code More pretties
  • 15. Or… using PowerShell A lot fewer dependencies at least VstsTaskSdk Another Manifest The actual custom code More pretties
  • 16. An extension can contain more than 1 tasks Task A Task A v1
  • 17. Where do these tasks come from? • They’re “built-in” tasks • Automatically updated by Microsoft in Azure DevOps • Manually updated through Microsoft Update packs in Azure DevOps Server • Manually updated by administrator through sideloading (see below) • They’re from an extension from the public marketplace • Installed through marketplace.visualstudio.com • Automatically updated in Azure DevOps and Azure DevOps Server • They’re from an extension from the private marketplace • Manually uploaded to Azure DevOps Server • They’re sideloaded directly • Manually uploaded to Azure DevOps or Azure DevOps Server
  • 18. 2 problems with task updates By default, the agent: 1. Pins the major version to the one you selected 2. Updates to the latest minor version available
  • 19. Where do these tasks come from?
  • 20. So how do we know we can trust these tasks? You don’t.
  • 21. How do you know? Well… I downloaded 700GB of vsix files from the Azure DevOps marketplace Extracted them and scanned them
  • 22. So how do we know we can trust them? Trusted publisher? Verification? Rating? Number of issues and pull-requests? Metadata provided by the author? Recently updated? Looks nice?
  • 23. Is it really that bad? Maybe not…
  • 24. All of these potential security issues Do not mean there is a known exploit chain
  • 25. But it’s not pretty!
  • 26. It’s not just the updates you should worry about
  • 27. So what’s the risk we’re running • Some of these extensions turn off TLS security • Some might overwrite arbitrary files • Some might be used to send data to the outside world • Some install things directly from npmjs. • Others download 100’s of MB, extract it and execute without verification • Often on a host with admin permissions There is a lot of potential
  • 28.
  • 29. Why is PowerShell so much better? It might not be but… • Many of the dependencies are automatically updated through Windows Update • PowerShell relies on the .NET framework for most functionality • There are a lot fewer dependencies to worry about
  • 30. What is Microsoft doing? • They’ve introduced a new Node 16 handler for Azure Pipelines • They’re deprecating Node 6 and Node 10 for Azure Pipelines tasks. • They’re updating all the built-in tasks for Azure DevOps. • They’re updating all the built-in tasks for Azure DevOps Server 2022? • They’ve added the ability to turn off Node 6 on the Pipelines Agent. • They’re adding warnings to every workflow that runs uses Node 6 (and later 10).
  • 31. What am I doing / have I done • I actively update all my extensions regularly • I automatically update my dependencies using Snyk, Dependabot and RenovateBot • I scan my code for vulnerabilities using Snyk Code and GitHub advanced Security • I maintain the Azure DevOps Extension Tasks to implement CI / CD for Azure DevOps extensions • I recently contributed to RenovateBot to add support for the Azure Pipeline Marketplace. Now doing the same for dependabot-core.
  • 32. Guidance for deprecating an extension • Add a warning to all versions of your tasks • Timebomb the task to fail after today+X • Mark all tasks deprecated:true in the task.json • Add [DEPRECATED] to your task friendly name in the task.json • Add [DEPRECATED] to your extension name in the vss-extension.json • Publish this last version • Unpublish the extension • Archive the GitHub repository
  • 33. Guidance for deprecating task version • Add both the old and the new version of the task to your extension • Update the old version’s friendlyName and add [DEPRECATED] in task.json • Add a warning / error to the implementation to warn you users
  • 34. What should Extension authors do? • Employ secure password practices and use 2FA • Deprecate extensions you’re no longer maintaining • Update your existing extensions to Node 16 and latest dependencies • Enable DependaBot to automatically keep your dependencies up-to- date • Enable GitHub Advanced Security to detect issues in *your* code • Implement CI / CD to ship new versions with ease • Add repo metadata to their extension manifests
  • 35. What should Azure DevOps admins do • Disable insecure extensions • Implement RenovateBot to automatically suggest updates to installed Azure Pipelines tasks • Disable Node 6 support on the Azure Pipelines Agent • Do not install every extension in the marketplace without thought • Provide Hosted Agents or ephemeral Scale- set agents
  • 36. What should Azure DevOps admins do • Run Endpoint Security on your Azure Pipelines Agents • For DevOps Server • Upgrade to Azure DevOps Server 2022 and stay current • Migrate to Azure DevOps Service • Manually upgrade “built-in” tasks • Be careful with internal marketplace
  • 37. Overwrite a built-in task npm install -g tfx-cli tfx build tasks upload --task-zip-path Task.guid-version.zip --service-url https://yourtfs.com/tfs/DefaultCollection . ./script/install-task.ps1 -CollectionUrl https://yourtfs.com/tfs/DefaultCollection -TaskZip Task.guid-version.zip Delete all versions of a task npm install -g tfx-cli tfx build tasks delete --task-id ad884ca2-732e-4b85-b2d3-ed71bcbd2788 --service-url https://yourtfs.com/tfs/DefaultCollection
  • 38.
  • 39. What should Azure Pipelines authors do? • Consider whether you actually need an extension. • Keep your pipelines current. Update your major task versions and resolve any issues. • Use Azure Pipelines YAML • Pin the exact version of your tasks • Use RenovateBot to automatically keep your pipelines up to date • Use Hosted Agents / Ephemeral Scale-set agents whenever possible
  • 40. What should the community do? • Sponsor the authors of extensions you rely on. • Submit pull requests to improve extensions. • Submit pull requests to upgrade extensions to Node 16. • Leave reviews on the marketplace and update them.
  • 42. Useful Resources • Azure DevOps Marketplace Scan https://github.com/jessehouwing/azure-devops-marketplace-scan https://jessehouwing.net/security-state-of-the-azure-devops- marketplace/ • Hardening guidelines for Azure Pipelines https://learn.microsoft.com/en- us/azure/devops/organizations/security/security-best- practices?view=azure-devops#secure-azure-pipelines
  • 43. Useful resources • Azure Pipelines Tasks Zips https://github.com/jessehouwing/azure-pipelines-tasks-zips • RenovateBot for Azure Pipelines https://jessehouwing.net/azure-pipelines-enable-renovatebot/ • Azure DevOps Extension tasks https://marketplace.visualstudio.com/items?itemName=ms- devlabs.vsts-developer-tools-build-tasks