This was a DevOps Melbourne meetup where I presented “How Secure Is Your Build Server” alongside Natalia Djohari’s talk on achieving devops lessons. The event was a collaboration with the MyDevSecOps community, bringing together people from different parts of the world during the pandemic.
My talk focused on the trust chain from your laptop all the way to production. The question is simple: did you build the build you wanted? The answer is more complicated than most people realize. Starting from a fresh laptop, you are already trusting things you do not think about – TLS certificates, cipher suites, certificate revocation lists. When you download dependencies with npm or pip, you are trusting that the network has not been tampered with, that the package registry is serving what the author intended, and that the author’s account has not been compromised.
The build server itself is a high-value target. It has access to source code, secrets, deployment credentials, and often runs with elevated privileges. I walked through the delivery pipeline from source to production, showing the many points where tampering can happen: expired certificates, hijacked package registries, compromised build agents, unsigned artifacts, and more. The compression was real – 110 slides covering the entire attack surface.
The key takeaway was not to scare people but to make them aware. Most teams assume their pipeline is trustworthy because they control the code. But the pipeline depends on dozens of external systems, each with its own trust assumptions. Understanding those assumptions is the first step toward securing them.
Watch on YouTube – available on the jedi4ever channel
This summary was generated using AI based on the auto-generated transcript.