Titulo Estágio
Secure Runners for GitHub
Local do Estágio
Fully Remote @Scalabit
Enquadramento
Continuous Integration (CI) and Continuous Delivery (CD) are software development practices aimed at automating the process of building, testing, and deploying software. Usually this is done using pipelines on top of tools like Jenkins, GitHub, or any other popular development platform.
To achieve CI/CD the developers write a pipeline that will automate all the tasks required to qualify and release their software. So every time that a developer pushes his/her changes to the remote then a pipeline is automatically triggered and starts the qualification. Repositories with a lot of collaboration can have pipelines running thousands of times per day. This is the safety net that allows you to release your software in a fully qualified and automatic way.
A secure runner is a Virtual Machine that allows you to run your pipelines in a secure way. The security properties are:
- Forbid data exfiltration;
- Encryption at rest, execution, and transit;
- Keys being rotated constantly;
- Forbidden access to outside a defined perimeter;
- No privileged operations on the workflow;
- Limited access to information provided by the workflow;
Besides these properties, the student should also propose new enhancements in order to make the runner even more secure. The final goal of this project is to have such runners integrated with GitHub and Gitlab. Tests and a security audit should be performed in order to understand if the configuration is correct or not.
Objetivo
This internship has the following goals:
- Understand the current state-of-the-art around CI/CD tools and secure runners
- Define what are the properties to have a secure runner
- Develop a secure runner according to the properties specified in the previous topic
- Test/Pentest the secure runner in a github/gitlab project
Plano de Trabalhos - Semestre 1
- State of the art (Months 1 and 2)
The first stage will consist in studying background knowledge on the topics related to the thesis. Namely, knowledge on Continuous Integration, Continuous Delivery, state-of-the-art in terms of machine learning oriented to CI/CD pipelines. The student is expected to under what are the security properties that identify a secure runner and investigate the state of the art for this technologies;
- Definition of the security properties (Months 3 and 4)
Definition of what are the security properties to be applied to secure runners. Implement basic security checks in a small secure runner.
- Intermediate report (Month 5)
The tasks carried out during the first semester will be documented in the form of an intermediate report, followed by a public presentation and discussion. The most relevant topics at this stage are: context, problem statement, state of the art and preliminary discussion of the solution and its intended objectives.
Plano de Trabalhos - Semestre 2
- Implementation of the secure runner in GitHub/Gitlab (Months 6 and 7)
Define the test castes and perform a pentest on the specified configuration. All configurations shall be specified as infra as code;
- Fine tune the last results for the runner(Month 8)
Apply the runner in a real project and fine tune last properties
- Master’s thesis (Month 9)
The writing of the master's dissertation must be completed and the respective public presentation prepared. The dissertation must document all the work carried out, proposed solution, the results and the conclusions obtained.
Condições
The work will be carried out remotely, with the support of Scalabit for any computational resource required to carry out the work (e.g. cloud infrastructure).
Scalabit has a budget to pay the internship student which is discussed with the applicants.
Orientador
Andre de Brito Passos
andre.passos@scalabit.dev 📩