- For folks that are familiar, what is a CI/CD pipeline and why is it becoming such a hot topic in modern software delivery?
- Do you think earlier on in the pursuit of DevOps/DevSecOps organizations overlooked the pipeline as an attack vector?
- Any thoughts on notable incidents such as SolarWinds? Do you think they brought more attention to the build environment?
- What are your thoughts on emerging guidance such as SLSA, NIST SSDF, or 800-161? Do you think these are helping bring attention to best practices for securing pipelines?
- In the context of software supply chain security, why do you think pipelines are so critical?
- Keeping on the theme of SBOM, what are your thoughts on the rising adoption and push for SBOM, and now VEX and how can pipelines help facilitate that?
- Cider has produced some excellent resources such as articles and also CICD Goat - how do you all keep innovating on the knowledge and tooling front and how has it been received by the community?
- One of those resources is the Top 10 CICD security risks. Do you want to touch on the list and maybe a couple of the leading risks from the list?
- Any recommendations on learning resources for folks wanting to learn more about pipeline security, best practices and why it is important?
© 2024 Chris Hughes