
How to Build a Compromise-Resilient CI/CD - trishankdatadog
https://sched.co/dUZM
======
trishankdatadog
CI/CD is critical to any DevOps operation today, but when attackers compromise
it, they get to distribute malicious software to millions of unsuspecting
users. We present how Datadog used TUF and in-toto to develop, to the best of
our knowledge, the industry’s first end-to-end verified pipeline that
automatically builds integrations for the Datadog agent. That is, even if this
pipeline is compromised, users should not be able to install malware. We will
show a demonstration of our pipeline in production being used to protect users
of the Datadog agent, and describe how you can use TUF + in-toto to secure
your own pipeline.

