+1. Jenkins even has an authenticated mode, but their code quality is so inconsistent that even that's not enough.
When we investigated in 2015, we found an average of 3 remote code execution / escalation of privilege CVEs per year in the previous 4 years. Looking at [1], I see the trend is still not great - 30 CVEs in 2018.
Fundamentally, it seems to me that Jenkins does not have the mindset to do security well. This isn't surprising given its plugin architecture permits random code to run. Isolate it behind a proxy server like https://github.com/pusher/oauth2_proxy and sleep better at night.
[1] https://www.cvedetails.com/vulnerability-list/vendor_id-1586...
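A concrete version of the "isolate it behind a proxy" advice, added here as an illustration rather than taken from the comment above or from the oauth2_proxy project itself: an oauth2_proxy configuration file that puts Jenkins as the sole upstream and admits only members of one GitHub organization with a verified e-mail in one domain. Every value below is a placeholder to be replaced; the hostnames, organization name and secrets are constructed for the example.

```toml
# oauth2_proxy configuration (constructed example; all values are placeholders).
# Browser traffic arrives here; put a TLS terminator in front or use https_address.
http_address = "127.0.0.1:4180"

# Jenkins is the only upstream. The proxy is worthless unless Jenkins is unreachable
# any other way: start it with --httpListenAddress=127.0.0.1 (or firewall port 8080)
# so every request has to come through the proxy.
upstreams = ["http://127.0.0.1:8080/"]

# Identity provider: a GitHub OAuth app restricted to a single organization.
provider = "github"
github_org = "EXAMPLE-ORG"                    # placeholder organization
client_id = "PLACEHOLDER_CLIENT_ID"
client_secret = "PLACEHOLDER_CLIENT_SECRET"
redirect_url = "https://jenkins.example.com/oauth2/callback"   # placeholder host

# Only accounts whose verified e-mail is in this domain are admitted.
email_domains = ["example.com"]

# Session cookie: generate cookie_secret with `openssl rand -base64 32`
# and keep the cookie HTTPS-only and unreadable from script.
cookie_secret = "PLACEHOLDER_COOKIE_SECRET"
cookie_secure = true
cookie_httponly = true
```

The point the comment makes is that the proxy is the authentication boundary, so the upstream must not be reachable around it; binding Jenkins to loopback is what makes the `upstreams` line meaningful. The proxy does not fix Jenkins' own vulnerabilities; it shrinks who can reach them to authenticated, organization-scoped accounts.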