SE Radio 575: Nir Valtman on Pipelineless Security
Nir Valtman, co-Founder and CEO at Arnica, discusses pipelineless security with SE Radio host Priyanka Raghavan. They start by defining pipelines and then consider how to add security. Nir lays out the key challenges in getting good code coverage with the pipeline-based approach, and then describes how to implement a pipelineless approach and the advantages it offers. Priyanka quizzes him on the concept of "zero new hardcoded secrets," as well as some ways to protect GitHub repositories, and Nir shares examples of how a pipelineless approach could help in these scenarios. They then discuss false positives and handling developer fatigue in dealing with alerts. The show ends with some discussion around the product that Arnica offers and how it implements the pipelineless methodology.
Show Notes
Previous SE Radio Episodes
- 288 – Francois Reynaud on DevSecOps
- 541 – Jordan Harband and Donald Fischer on Securing the Supply Chain
- 559 – Ross Anderson on Software Obsolescence
- 514 – Vandana Verma on the OWASP Top-10
- 475 – Rey Bango on Secure Coding Veracode
- 498 – James Socol on Continuous Integration and Continuous Delivery
References
Transcript
Transcript brought to you by IEEE Software magazine.
This transcript was automatically generated. To suggest improvements in the text, please contact [email protected] and include the episode number and URL.
Priyanka Raghavan 00:00:16 Hi everyone, I’m Priyanka Raghavan for Software Engineering Radio. Today I’m going to be chatting with Nir Valtman, who is the co-founder and CEO at Arnica. Nir is an experienced information and application security leader, and he’s been at a bunch of companies. I just want to call out that he was VP of Security at Finastra and also CSO at Kabbage. Apart from that, he’s given talks at many different conferences including Black Hat, DEFCON, BSides, and RAC. And today we’re going to be chatting about a concept called pipeline-less security. So welcome to the show, Nir. We’re really happy to have you on board.
Nir Valtman 00:00:53 Thanks, Priyanka. It’s really my pleasure to join.
Priyanka Raghavan 00:00:56 Okay, is there anything else in your bio that you would like listeners to know about you before we jump into the show?
Nir Valtman 00:01:02 I think that, putting aside the title or maybe my history, I really have that state of mind of a hacker. I like to develop code, maybe just to prove a point, but not necessarily to develop a production product. For that, I have my co-founders to help. But I really like to code. I’m really obsessed with developer experience and how developers actually perceive security, because at the end of the day, if you want to help developers get to a specific point, whether it’s in security or quality, you really need to understand them first to get there.
Priyanka Raghavan 00:01:35 Yeah, I think that’s really great and wonderful to hear, because I think for people who are building products for developers and their experience, it’s almost like a servant leadership model, right? Because you really need to serve the people who, you know, use your product. So let’s get on with the show, and before we start looking at pipeline-less security, could you explain to our listeners what a pipeline is?
Nir Valtman 00:01:59 Okay, so think about a pipeline as an automated script that is typically kicked off when a certain event occurs in your source code management system. So for example, it can be when you open up a pull request. In that case, you may just want to build that container that you’re going to deploy. Or it can also be an event that occurs when you merge a pull request or you make changes to a pull request. And in that case, let’s say that you merge the pull request. What is typical to see is that certain tests are executed. So for example, you have a script that builds your software, another script that maybe runs certain integration tests within the environment that you’re trying to deploy to, and eventually also runs that deployment script. So that piece of the pipeline is essentially automated based on events, and you have multiple systems that have predefined configurations and scripts so that you can actually scale that process in a fairly simple way.
Priyanka Raghavan 00:03:04 Great. And I guess the question today is: are there any problems that you see with the ability to integrate security into your pipelines?
Nir Valtman 00:03:13 So I think that there are some challenges when it comes to integrating security into pipelines. First of all, you actually need to work with either the DevOps team or a center of excellence or even developers to actually modify the scripts within your pipeline to embed your security tests in it. And let’s say that you do have the buy-in, either from management or from developers like you. Even then, it’s very siloed. So think about companies that have, well, you don’t need to go far with thousands and thousands of repos. Think about a company with a hundred repos. How do you go and deploy your security tools where it actually matters, and get that hundred percent coverage where it matters to the business? That is the challenge, because you need to go and work with multiple teams and modify the scripts to meet their scripting standards. Not only that, what happens if, let’s say, tomorrow a new team spins up a new repo, maybe they want to develop a new microservice? How do you ensure that you are going to be there as well? So you always need to chase someone to embed your security tools into that pipeline.
Priyanka Raghavan 00:04:25 To add to that, there are sometimes people who, because the task of onboarding people onto the pipelines is so huge, think that’s security done: they’ve got the pipeline, so “I’ve done my security.” So that’s another challenge, I guess, right?
Nir Valtman 00:04:39 Yes. And it also depends on what you are actually doing with that, because at the end of the day, one of the trends that we see is that many companies utilize even open source tools and embed them into pipelines, and then it becomes more of a, I wouldn’t say maybe feature creep, but essentially a vulnerability management challenge that you might have. For example, how do you exclude vulnerabilities that are maybe not applicable, maybe false positives? How do you manage all of that in a centralized way, which is quite challenging with open source? And this is also the reason why you see many commercial products running open source to provide you that wrapper to actually manage all of those vulnerabilities in a central place.
Priyanka Raghavan 00:05:25 Okay. And before we move into pipelineless again, another question I need to ask you is: what are the top three kinds of risks that you see in your research on repos, the top three security risks?
[...]