First results from using GitHub CodeQL to discover security vulnerabilities in Jenkins plugins

A little over a month ago, GitHub announced the general availability of its code scanning solution. It’s based on CodeQL, which makes it pretty easy to write queries for it and run them using the CodeQL GitHub action, CodeQL command line tools, or on lgtm.com. Many of the security vulnerabilities discovered in Jenkins plugins are […]

New – Using Amazon GuardDuty to Protect Your S3 Buckets

As we anticipated in this post, the anomaly and threat detection for Amazon Simple Storage Service (S3) activities that was previously available in Amazon Macie has now been enhanced and reduced in cost by over 80% as part of Amazon GuardDuty. This expands GuardDuty threat detection coverage beyond workloads and AWS accounts to also help you protect your […]

Severity of cross-site scripting vulnerabilities

Eagle-eyed readers of today’s security advisory may already have noticed that we consider the cross-site scripting (XSS) vulnerabilities to be ‘High’ severity. This is a change from previous security advisories, in which similar vulnerabilities got a ‘Medium’ score. We follow the guidelines of CVSS version 3.0 for the severity we assign to these issues. Their […]

Amazon Detective – Rapid Security Investigation and Analysis

Almost five years ago, I blogged about a solution that automatically analyzes AWS CloudTrail data to generate alerts upon sensitive API usage. It was a simple and basic solution for security analysis and automation. But demanding AWS customers have multiple AWS accounts, collect data from multiple sources, and simple searches based on regular expressions are […]

Introducing the Azure Key Vault Credentials Provider for Jenkins

Azure Key Vault is a product for securely managing keys, secrets and certificates. I’m happy to announce two new features in the Azure Key Vault plugin: a credential provider to tightly link Jenkins and Azure Key Vault. Huge thanks to Jie Shen for contributing this integration with the configuration-as-code plugin. These changes were released in […]

Generic Webhook Trigger Plugin

This post will describe some common problems I’ve had with Jenkins and how I solved them by developing Generic Webhook Trigger Plugin. The Problem I was […]

Introducing the AWS Secrets Manager Credentials Provider for Jenkins

API keys and secrets are difficult to handle safely, and probably something you avoid thinking about. In this post I’ll show how the new AWS Secrets Manager Credentials Provider plugin allows you to marshal your secrets into one place, and use them securely from Jenkins. When CI/CD pipelines moved to the public cloud, credential management […]

Identify Unintended Resource Access with AWS Identity and Access Management (IAM) Access Analyzer

Today I get to share my favorite kind of announcement. It’s the sort of thing that will improve security for just about everyone that builds on AWS, it can be turned on with almost no configuration, and it costs nothing to use. We’re launching a new, first-of-its-kind capability called AWS Identity and Access Management (IAM) […]

Do Plugins Store Credentials In A Secure Way? – DevOps World | Jenkins World 2019

This is a speaker blog post for a DevOps World | Jenkins World 2019 talk in Lisbon, Portugal and has been posted in line with NCC Group responsible disclosure policy. Related Jenkins security advisories: 2017-11-08, 2017-11-16, 2018-06-25, 2018-07-30, 2018-09-25, 2019-02-19, 2019-03-06, 2019-03-25, 2019-04-03, 2019-04-17, 2019-08-07, 2019-09-12, 2019-10-01, 2019-10-16, 2019-10-23. Some of the vulnerabilities have been […]

Thinking About Jenkins Security – DevOps World | Jenkins World 2019

This is a speaker blog post for a DevOps World | Jenkins World 2019 talk in Lisbon, Portugal. Come join us at DevOps World | Jenkins World 2019 for “Thinking about Jenkins Security”, a talk about securing your Jenkins server. We’ll review the layers that secure Jenkins and describe techniques that you can use to protect […]