Attacking Development Pipelines for Actual Profit

Offered By: 44CON Information Security Conference via YouTube

Course Description

Overview

This 25-minute conference talk from the 44CON Information Security Conference explores the vulnerabilities in CI/CD pipelines and how they can be exploited for profit. It walks through real-world issues involving Perforce, network storage, and cross-instance compromise, and presents methodologies for secret management, report manipulation, and deployment exploitation. Practical tooling such as SSH reverse shells and research servers is examined, and a classic DNS rebinding attack against webhooks is analysed. The talk gives insight into how development pipelines are attacked and what risks and rewards are associated with these security weaknesses.

Syllabus

Introduction
CI/CD Pipelines?
CI/CD: Command Execution as a Service
Methodology - Definition
IRL Issue: Perforce
IRL Issue: Network Storage
Methodology - Execution
Tooling - SSH Reverse Shell
IRL Issue: Cross Instance Compromise
Methodology - Secret Management
IRL Issue: VMware guestinfo variables
Methodology - Reports
Tooling - Research Servers
IRL Issue: Web Hook - Classic DNS Rebinding
Methodology - Deployment
Summary


Taught by

44CON Information Security Conference

Related Courses

Continuous Delivery and DevOps with TFS and VSTS 2018, Managing Builds (Pluralsight)
DevSecOps: Building a Secure Continuous Delivery Pipeline (LinkedIn Learning)
Microsoft DevOps Solutions: Designing a Sensitive Information Strategy (Pluralsight)
Microsoft Azure DevOps Engineer: Implement a Secure and Compliant Development Process (Pluralsight)
Linux Administration with Ansible: Advanced Ansible Automation (Pluralsight)