The tools for attacking Jenkins have become more sophisticated and accessible, making Jenkins a softer target. If successful, that infected build could be distributed through the trusted supply chain. A compromised Jenkins server is also an opportunity to introduce malicious code into a build. One of the reasons the target value is so high is that Jenkins tends to store powerful credentials needed to deploy cloud infrastructure and applications automatically. If this were chess, then Jenkins is the queen. I would be surprised if a resourceful attacker failed to deliver a damaging blow after finding a foothold on a Jenkins server. ![]() This Diagram shows a GitHub event triggering a job on an exposed, visible Jenkins server Checkmate: Jenkins is a High-Value Target We knew that we wanted to use our home-grown networking framework OpenZiti to solve this kind of problem, so we used the OpenZiti SDK for Node.JS to create a GitHub Action to send a webhook securely via OpenZiti instead of over the internet. One layer of security didn’t seem like enough protection for something so valuable. ![]() This exposure was intentional, but it could have become a serious problem if our server had been the target of a network-launched attack. We created a custom Jenkins-style webhook generator that we could use in GitHub, but the core problem remained: anyone could still “see” our Jenkins server on the internet. In our case, the Jenkins jobs needed certain parameters not available in GitHub’s built-in webhooks. Some jobs were not as readily migrated to a new CI system, and why bother? It made more sense to keep running those jobs in Jenkins, and so a new problem was introduced: how do we trigger Jenkins jobs from an external system like GitHub? There were some builds that needed to happen in GitHub or BitBucket. Eventually, we expanded to use CI as a service too. Here at NetFoundry, we started out using Jenkins to automate our builds, run tests, and promote releases. Jenkins is a widely adopted automation tool for building software with a broad array of plugins and integrations with key DevOps tools like Docker and Kubernetes.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |