Secure CI/CD Using JSON Web Token (JWT) - Dov Hershkovitch, GitLab
Abstract
DevSecOps extends the DevOps ecosystem with security. Sensitive information is everywhere, be it passwords, secret tokens or IDs exchanged to gain access to tools and platforms. Many secret management solutions and frameworks address the problem, yet they create another one: which to choose, and how best to integrate it into your DevOps processes? Engineers have started to work around security protocols, and sensitive information is often stored in insecure ways. In a worst-case scenario, a plaintext token can lead to security leaks and business incidents. JSON Web Token (JWT), an open standard for exchanging security claims, aims to be the integration bridge. Join this session to learn how we at GitLab leverage JWTs to access different secret management solutions, including major cloud providers. Hear best practices for the challenges of retrieving sensitive data and how to enhance the DevSecOps security processes in your organization.