Resilient Cyber

S3E12: Daniel Krivelevich of Cider Security - CI/CD Pipeline Security

Jul 22, 2022
44:36

- For folks that are familiar, what is a CI/CD pipeline and why is it becoming such a hot topic in modern software delivery?

- Do you think earlier on in the pursuit of DevOps/DevSecOps organizations overlooked the pipeline as an attack vector?

- Any thoughts on notable incidents such as SolarWinds? Do you think they brought more attention to the build environment?

- What are your thoughts on emerging guidance such as SLSA, NIST SSDF, or SP 800-161? Do you think these are helping bring attention to best practices for securing pipelines?

- In the context of software supply chain security, why do you think pipelines are so critical?

- Keeping on the theme of SBOM, what are your thoughts on the rising adoption of and push for SBOM, and now VEX, and how can pipelines help facilitate that?

- Cider has produced some excellent resources, such as articles and also CI/CD Goat. How do you all keep innovating on the knowledge and tooling front, and how has it been received by the community?

- One of those resources is the Top 10 CI/CD Security Risks. Do you want to touch on the list and maybe a couple of the leading risks from it?

- Any recommendations on learning resources for folks wanting to learn more about pipeline security, its best practices, and why it is important?
