When I started Open Source Security I knew one of those topics that could use more attention was the security of CI/CD systems. All the talk about securing the supply chain seems to almost exclusively focus on the development stage as well as the deployment stage. It seems like there’s not enough attention happening to the build stage (spoiler: most of the successful attacks have happened at this stage). When François Proulx reached out to chat about CD/CD systems, I couldn’t say yes fast enough. ...
