2023-02-06, 15:55–16:20, B.2.009
Rudder is used in critical contexts, and the focus on its security has increased over the years, along with the threats. This talk will give an overview of how security topics are handled by the Rudder team, how they have evolved over time and what our plans are for handling current challenges. We will present:
- our recent features and architectural changes improving software security, especially in terms of node/server communication, user authentication and attack surface reduction.
- our process for handling vulnerabilities reported or discovered in Rudder.
- our efforts to secure the software supply chain, in particular regarding dependency management and build infrastructure (dedicated signature server, ephemeral build environments, etc.)
- and finally how we try to raise security awareness in our development culture, by integrating security assessments into our specification process and through regular training and discussions.
Coming from a system administration background, Alexis switched to doing mostly software engineering. He is currently lead developer on the system parts of Rudder, including networking, configuration management agents and security.
He is also part of the Rust language Secure Code working group, which promotes tooling that helps write secure code in Rust and maintains the Rust ecosystem vulnerability database.