Week 10

Good Faith Policy

haha security go brr

Final Exam

  • Date: 19th August

  • Time: 1pm - 4pm (3 hours)

  • Weight: 40%

  • Hurdle: 50% to pass

More: openlearning.com/…/exam

  • Everything is assessable
  • Some easy, some medium(er), some hard(er)
  • Practicals + Written
  • Submit a SHORT writeup
    • e.g. “Cookie tampering to gain admin access. Change JWT admin=1”
  • Try not to cheat™
  • Take breaks
  • You got this!

MyOur Experience

Did you like COMP6[84]3?
  • What did you like?
  • What didn't you like?
  • What can be improved?
Lectures, challenges, my tutorials, content, me?

https://myexperience.unsw.edu.au

More on DevSecOps

Last week: How do I deploy and run my applications, whilst being secure?

  • Load Balancing?
  • SSL?
  • Zero Trust?
  • Docker?

Securing CI/CD from bad things

  • Tokens, Keys, Secrets, Envs
    • Who has access?
    • Exfiltration?
  • Malicious Code
  • Service Accounts
  • Service Machines
  • SAST / DAST
  • Limits

Git: Is it really gone?

$> ls -l
# -rwxrwxr-x 1 andrew andrew  12K Jul 12 15:50 server.py
# -rw------- 1 andrew andrew 1.8K Jul 24 18:28 my_secret.key

$> git status
# On branch dev
# nothing to commit, working tree clean

echo my_secret.key >> .gitignore
git add .gitignore
git commit -m "Ignore confidential data"
git push

ima ignore the secret key file, this is safe… right?

$> git status
# On branch dev
# nothing to commit, working tree clean

git rm my_secret.key     # <<< Alright we should be good

$> ls -l
# -rwxrwxr-x 1 andrew andrew  12K Jul 12 15:50 server.py

git commit -m "Remove confidential data"
git push

Oh... okay, I’ll just delete the file then?

git rm --cached my_secret.key      # Remove the key from git
echo my_secret.key >> .gitignore   ## Git ignore it
git add .gitignore                 ### Commit .gitignore
# rm -rf / --no-preserve-root      #### <<< wait not this one

git commit --amend -m "Removed confidential data"
           # ^ Okay so this edits the previous commit

git push -f       # <<< FORCE PUSH TO PRODUCTION LET'S GOOOO

SURELY now???
I’ve modified the commit in which I accidentally committed the secret key file. It’s now even gitignored!
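To see what the sequence above actually leaves behind, here is an added shell example (not from the slides or the course) that replays it in a throwaway repository: a constructed fake key file, a local bare repository standing in for "production", the slides' untrack/ignore/amend/force-push fix, and then a question to git for the secret's blob by object id, before and after a real cleanup. The function names (`commit_the_secret`, `slides_fix`, `purge_history`, `secret_state`) and the fake key contents are my own.

```shell
#!/bin/sh
# Added example, not from the lecture: reproduce the slides' "fix" in a throwaway
# repo and ask git whether the secret is still there. Everything is constructed
# (fake key contents, local bare repo standing in for the production remote).
set -eu

WORK=$(mktemp -d)
REPO="$WORK/repo"
REMOTE="$WORK/remote.git"
trap 'rm -rf "$WORK"' EXIT

# Stage 1: the mistake. Commit a key file and push it, as in the slides.
commit_the_secret() {
    git init -q "$REPO"
    git -C "$REPO" symbolic-ref HEAD refs/heads/main
    git -C "$REPO" config user.email dev@example.invalid
    git -C "$REPO" config user.name dev
    git -C "$REPO" config commit.gpgsign false
    echo "print('hello')" > "$REPO/server.py"
    echo "FAKE-DEMO-KEY-not-a-real-secret" > "$REPO/my_secret.key"   # constructed placeholder
    git -C "$REPO" add .
    git -C "$REPO" commit -q -m "Initial commit"
    git init -q --bare "$REMOTE"
    git -C "$REPO" remote add origin "$REMOTE"
    git -C "$REPO" push -q -u origin main
    # The blob id is how we later ask each repo "do you still hold this file's contents?"
    SECRET_BLOB=$(git -C "$REPO" hash-object my_secret.key)
}

# Print "present" if the object store of repo $1 still contains the secret's blob, else "gone".
secret_state() {
    if git -C "$1" cat-file -e "$SECRET_BLOB" 2>/dev/null; then echo present; else echo gone; fi
}

# Stage 2: exactly the slides' fix (untrack, ignore, amend, force push).
slides_fix() {
    git -C "$REPO" rm -q --cached my_secret.key
    echo my_secret.key >> "$REPO/.gitignore"
    git -C "$REPO" add .gitignore
    git -C "$REPO" commit -q --amend -m "Removed confidential data"
    git -C "$REPO" push -q -f origin main
}

# Stage 3: what actually drops the old objects in repos you control: expire the
# reflog entries that still point at the amended-away commit, then prune.
purge_history() {
    for r in "$REPO" "$REMOTE"; do
        git -C "$r" reflog expire --expire=now --all
        git -C "$r" gc -q --prune=now
    done
}

commit_the_secret
slides_fix
LOCAL_AFTER_FIX=$(secret_state "$REPO")       # present: the reflog still points at the old commit
REMOTE_AFTER_FIX=$(secret_state "$REMOTE")    # present: the force push only moved the branch ref
purge_history
LOCAL_AFTER_PURGE=$(secret_state "$REPO")     # gone
REMOTE_AFTER_PURGE=$(secret_state "$REMOTE")  # gone
printf 'local:  %s -> %s\nremote: %s -> %s\n' \
    "$LOCAL_AFTER_FIX" "$LOCAL_AFTER_PURGE" "$REMOTE_AFTER_FIX" "$REMOTE_AFTER_PURGE"
```

Run it with `sh` and git installed. The amend and the force push only move refs; the old commit and its blob stay in both object stores until the reflog is expired and unreachable objects are pruned, and that cleanup only covers repositories you administer. Every clone made in between, every fork, and a hosting provider's own copy still hold the object, so the key has to be treated as compromised and rotated regardless; if the secret sits deeper in history than the last commit, a history rewriter such as the BFG mentioned below is the tool rather than `--amend`.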

Keeping your Git + codebase secure

  • .gitignore
  • Git Hooks
  • BFG
  • Keep the .git folder safe!
  • .env[.sample]
  • Employ nocode
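The "Git Hooks" item is easiest to understand with a concrete hook. The following is an added example, not from the slides or any project: a pre-commit hook that rejects secret-looking file names (the same rule a .gitignore would encode, but enforced even when the ignore entry is missing or the file is force-added) and staged lines that look like a private key or a hard-coded credential. It is installed into a throwaway repository and exercised with constructed files; the patterns, file names and helper names (`new_repo`, `install_hook`, `attempt_commit`) are my own choices.

```shell
#!/bin/sh
# Added example, not from the lecture: a pre-commit hook that refuses secret-looking
# file names and credential-looking staged lines, tried out in a throwaway repo.
# The detection patterns are illustrative, not exhaustive.
set -eu

WORK=$(mktemp -d)
REPO="$WORK/repo"
trap 'rm -rf "$WORK"' EXIT

# Throwaway repo with a local identity so commits work without global git config.
new_repo() {
    git init -q "$REPO"
    mkdir -p "$REPO/.git/hooks"
    git -C "$REPO" config user.email dev@example.invalid
    git -C "$REPO" config user.name dev
    git -C "$REPO" config commit.gpgsign false
    git -C "$REPO" config core.hooksPath "$REPO/.git/hooks"   # ignore any global hooksPath
}

# Write the hook. Two checks: staged file names, then staged content.
install_hook() {
    cat > "$REPO/.git/hooks/pre-commit" <<'EOF'
#!/bin/sh
# Refuse secret-looking file names among the staged files.
git diff --cached --name-only --diff-filter=ACM | while IFS= read -r f; do
    case "$f" in
        *.key|*.pem|*.p12|.env|*.env)
            echo "pre-commit: refusing secret-looking file: $f" >&2
            exit 1 ;;
    esac
done || exit 1
# Refuse staged additions that look like a private key block or a hard-coded credential.
if git diff --cached -U0 --no-color | grep -Eiq "^\+.*(-----BEGIN [A-Z ]*PRIVATE KEY-----|(api[_-]?key|secret|token|password)[[:space:]]*[=:][[:space:]]*[\"']?[A-Za-z0-9_/+-]{16,})"; then
    echo "pre-commit: staged change contains something that looks like a credential" >&2
    exit 1
fi
exit 0
EOF
    chmod +x "$REPO/.git/hooks/pre-commit"
}

# Stage one file and try to commit it; print 0 if the hook let it through, 1 if it blocked it.
attempt_commit() {   # $1 = path relative to the repo, $2 = commit message
    git -C "$REPO" add -- "$1"
    if git -C "$REPO" commit -q -m "$2" >/dev/null 2>&1; then
        echo 0
    else
        git -C "$REPO" reset -q -- "$1"    # unstage so the next attempt starts clean
        echo 1
    fi
}

new_repo
install_hook
echo "print('hello')" > "$REPO/server.py"                                # harmless
echo "FAKE-DEMO-KEY-not-a-real-secret" > "$REPO/my_secret.key"           # constructed: blocked by name
printf 'API_KEY = "sk_demo_0123456789abcdef0123"\n' > "$REPO/config.py"  # constructed: blocked by content
ACCEPTED=$(attempt_commit server.py "Add server")              # 0
BLOCKED_BY_NAME=$(attempt_commit my_secret.key "Add key")      # 1
BLOCKED_BY_CONTENT=$(attempt_commit config.py "Add config")    # 1
printf 'server.py=%s my_secret.key=%s config.py=%s\n' \
    "$ACCEPTED" "$BLOCKED_BY_NAME" "$BLOCKED_BY_CONTENT"
```

A hook like this is a local guard rail, not a control: anyone can skip it with `--no-verify` or simply not install it, so the same checks belong in the CI pipeline (the SAST step from the list above) where they cannot be bypassed by one developer's clone. Pattern-based scanning also produces both false positives and misses, which is why the file-name rule and an `.env.sample` convention for non-secret templates are worth keeping alongside it.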

That’s all!

Thanks for having me

😊
