How secure is your build/server? a story of packages and trust

Jessie Frazelle

Discover the importance of verifying and validating code and packages to ensure the security of your build and server. Learn about checksums, signatures, proxy-level scanning, and more to stay ahead of security threats.

Key takeaways
  • Focus on verification and validation of code and packages
    • Use checksums to verify integrity of code and packages
    • Implement multiple signatures for added security
    • Use proxy-level scanning to verify libraries
    • Annually verify package updates
  • Emphasize importance of transparency and visibility
    • Keep audit logs and logs of security incidents
    • Verification of binaries and dependencies
    • Reports and summaries of security incidents
  • Highlight limitations and challenges of security
    • Complexity of code and packages
    • Difficulty in verifying binary integrity
    • Limitations of trust in third-party libraries
  • Suggest solutions and tools for improved security
    • GPG-enabled repositories
    • Docker Notary for secure builds
    • NPM install with verified packages
    • Critical Code Review
  • Discuss concept of “hermetic” builds and binaries
    • Every step of the build process documented and verifiable
    • Build and package verification with checksums
  • Emphasize importance of education and awareness
    • Training developers on secure coding practices
    • Educating users on security risks and best practices
    • Promoting security awareness in the development community