Getting together to define some secure setup guidelines for users would be useful, too. It's not that helpful that Jenkins and its plugins are more secure if users end up configuring Jenkins insecurely in the first place!
On Thu, Jan 21, 2021 at 7:12 AM 'Olblak' via Jenkins Developers <[email protected]> wrote:
>
> Thanks, Oleg, for putting this down. I would definitely be interested to chat
> during the contributor summit about this topic.
>
> On Thu, Jan 21, 2021, at 1:48 PM, Oleg Nenashev wrote:
> > Just a quick follow-up to this thread: there is an ongoing discussion about
> > hosting a contributor summit after FOSDEM.
> > Should it happen, I suggest having a security track/section there. We had a
> > similar one last year in Brussels, and IIRC it went quite well.
> >
> > Ideas/comments and topic suggestions are welcome :)
> >
> > On Tuesday, January 19, 2021 at 9:02:51 AM UTC+1 Oleg Nenashev wrote:
> > > Hi all,
> > >
> > > To follow up on the Jenkins Governance meeting we had last week, I'd like to
> > > continue the discussion about Jenkins security, which was suggested as one of
> > > the 2021 priorities. In this thread I propose to discuss ideas w.r.t. improving
> > > the security of Jenkins components and software supply chains. NOTE: Please do
> > > not reference unfixed security issues in this thread (reporting
> > > vulnerabilities).
> > >
> > > Current state. The Jenkins Security Team is doing a great job w.r.t. addressing
> > > security issues. In 2020 we had 19 security advisories with 198 fixed
> > > vulnerabilities and 72 disclosed ones. There were great additions to
> > > devtools: Dependabot, GitHub CodeQL, Find-Sec-Bugs, etc. Also, new plugin
> > > hosting requests now get on-demand security reviews before being published.
> > > All of that is great progress compared to the state we had several years
> > > ago.
> > >
> > > What's next? With all the recent events, security of the software delivery
> > > chain is in the spotlight for many organizations. Jenkins is a key part
> > > of this chain for many users, and for sure we want to keep it that way. It is
> > > not "just" about timely fixing security issues and preventing
> > > misconfiguration. We are also interested in keeping our own delivery processes
> > > in the best possible shape.
> > >
> > > Some ideas we discussed at the meeting:
> > >
> > > - Growing security awareness among contributors so that new code and
> > >   documentation get developed with security in mind.
> > > - Expanding developer tooling. It would help to automate and, when relevant,
> > >   enforce preferred security practices in Jenkins components.
> > >   Examples: release automation infrastructure, adopting more analysis tools in
> > >   the default pipelines. With a great start in previous years, we could
> > >   definitely do more by using available tools and sponsorships.
> > > - Getting more contributors involved in the security effort. It is not only
> > >   about delivering the security fixes. Many topics could be discussed publicly
> > >   in SIGs and sub-projects, e.g. hardening Docker images, demonstrating
> > >   security tools with Jenkins, and so on. Contributors could also help with
> > >   security reviews.
> > > - // Add your ideas in replies!
> > >
> > > What do you think about these items? Would you like to suggest
> > > additional areas where we could improve? Any feedback would be appreciated.
> > >
> > > Best regards,
> > > Oleg Nenashev
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Jenkins Developers" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > To view this discussion on the web visit
> > https://groups.google.com/d/msgid/jenkinsci-dev/ea30b90e-c2ee-433f-868d-384793350481n%40googlegroups.com.

--
Matt Sicker
Senior Software Engineer, CloudBees
