Tuesday, October 27 • 11:35am - 12:05pm
Hardening Spinnaker Pipelines

Since Spinnaker is our central solution for continuous deployments, it is trusted with a lot of permissions. If Spinnaker is not sufficiently hardened, these permissions can be abused. Generalized WFH and phishing on the rise add to our concerns. This talk is about preventing such abuse.

Jacques will present the motivation for this work at Snap, followed by a presentation of security building blocks for isolating pipelines, and concluding with a motivation for enforcing runtime access controls on pipelines (e.g. what's in that trigger message?).

Jacob will present the work done at Armory to extend the Policy Engine plugin to support the enforcement of runtime access controls on pipelines. By re-using the existing Open Policy Agent support in Policy Engine, this can be supported without introducing a new set of policy language and semantics. The future of this work will include standard policy templates.

Tim will present the work done at Styra to support Armory. He will also provide a more general introduction to Open Policy Agent, used widely for externalizing authorization. This will cover unit testing and a demo showing examples of hardening Spinnaker.

Tim Hinrichs

CTO, Styra
Tim Hinrichs is a co-founder and CTO of Styra, the cloud-native authorization company, and he is a co-creator of the open source CNCF Open Policy Agent project. Before that, he worked at VMware and co-founded the OpenStack Congress project. Tim has 20+ years of experience developing...

Jacques Thomas

Security Engineer, Snap

Jacob Kobernik

Software Engineer, Armory

Tuesday October 27, 2020 11:35am - 12:05pm PDT