YoVDO

How Hackers Can Breach CI/CD Systems - Security Vulnerabilities and Mitigation

Offered By: OWASP Foundation via YouTube

Tags

Continuous Integration Courses Software Development Courses Cybersecurity Courses GitHub Actions Courses Continuous Deployment Courses API Security Courses Infrastructure Security Courses Secrets Management Courses Docker Security Courses

Course Description

Overview

Explore how attackers can breach Continuous Integration and Continuous Deployment (CI/CD) systems in this OWASP Foundation conference talk. It covers the security risks that come with automating software delivery and the common weaknesses of CI/CD environments, including IDE leaks, coarse role granularity, and insecure developer machines. Learn how attackers exploit leaked secrets, take control of artifact repositories, and abuse the pipeline environment itself. The talk walks through scenarios such as reverse shells in pipelines, malicious GitHub Actions, and compromised CI bots, then looks at Docker-related issues, API weaknesses, and ransomware against source code. Resource-exhaustion techniques are covered too: ZIP bombs, memory bombs, and fork bombs. It closes with keeping secrets safe, spotting malicious aliases, and securing shared infrastructure. Through multiple demonstrations and practical examples, learn to identify, exploit, and mitigate flaws in CI/CD systems before they reach your organization's production environment.
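The ZIP bombs the description mentions are a good place to show the mitigation side. What follows is an added example written for this page, not code from the talk or from OWASP. It checks what an untrusted artifact declares in its central directory before a CI job extracts anything, and it goes one step beyond a plain ratio check by recursing into nested zips, because a bomb stored uncompressed inside an outer archive looks like a harmless 1:1 ratio at the top level. The caps (32 MiB, 100:1, nesting depth 3) are assumed policy values, and the sample archives are constructed in memory.

```python
"""ZIP-bomb guard for untrusted artifacts pulled into a CI job.

Added example, not code from the OWASP talk. Only central-directory
metadata and the first bytes of each member are read; nothing is
written to disk. Caps below are assumed policy values.
"""
import io
import random
import zipfile

MAX_TOTAL_UNCOMPRESSED = 32 * 1024 * 1024  # assumed cap: 32 MiB per artifact
MAX_RATIO = 100                            # assumed cap: uncompressed/compressed
MAX_DEPTH = 3                              # assumed cap on archive nesting


class ZipBombError(Exception):
    """Raised when an archive would expand beyond the configured caps."""


def declared_totals(blob: bytes, depth: int = 0) -> tuple:
    """Sum declared (uncompressed, compressed) bytes, recursing into nested zips."""
    if depth > MAX_DEPTH:
        raise ZipBombError(f"archive nested deeper than {MAX_DEPTH} levels")
    uncompressed = compressed = 0
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Per-member cap first, so we never fully read a huge member below.
            if info.file_size > MAX_TOTAL_UNCOMPRESSED:
                raise ZipBombError(f"{info.filename} declares {info.file_size} bytes")
            compressed += info.compress_size
            with zf.open(info) as member:
                magic = member.read(4)  # local-file-header signature of a nested zip
            if magic == b"PK\x03\x04":
                # Nested archive: count what *it* would expand to, not its packed size.
                inner_unc, _ = declared_totals(zf.read(info), depth + 1)
                uncompressed += inner_unc
            else:
                uncompressed += info.file_size
    return uncompressed, compressed


def check_artifact(blob: bytes) -> dict:
    """Return size stats for an artifact, or raise ZipBombError if it breaches a cap."""
    unc, comp = declared_totals(blob)
    ratio = unc / max(comp, 1)
    if unc > MAX_TOTAL_UNCOMPRESSED:
        raise ZipBombError(f"would expand to {unc} bytes, cap is {MAX_TOTAL_UNCOMPRESSED}")
    if ratio > MAX_RATIO:
        raise ZipBombError(f"compression ratio {ratio:.0f}:1 exceeds {MAX_RATIO}:1")
    return {"uncompressed": unc, "compressed": comp, "ratio": ratio}


def is_bomb(blob: bytes) -> bool:
    """Convenience wrapper: True if check_artifact rejects the archive."""
    try:
        check_artifact(blob)
        return False
    except ZipBombError:
        return True


def build_zip(members: dict, method=zipfile.ZIP_DEFLATED) -> bytes:
    """Constructed test input: an in-memory zip with the given members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", method) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples (not real artifacts):
_rng = random.Random(42)
BENIGN = build_zip({"build/app.bin": bytes(_rng.getrandbits(8) for _ in range(8192))})
BOMB = build_zip({"logs.bin": b"\0" * (16 * 1024 * 1024)})  # 16 MiB -> ~16 KiB deflated
NESTED_BOMB = build_zip({"inner.zip": BOMB}, method=zipfile.ZIP_STORED)  # ~1:1 on the outside

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN), ("bomb", BOMB), ("nested", NESTED_BOMB)]:
        try:
            print(name, check_artifact(blob))
        except ZipBombError as exc:
            print(name, "REJECTED:", exc)
```

Note that the BOMB sample stays under the per-artifact size cap and is caught by the ratio check alone, while NESTED_BOMB would pass a non-recursive ratio check because the outer archive stores the inner one without compression. Declared sizes are attacker-controlled, so this pre-flight belongs in front of, not instead of, an extractor that also bounds the bytes it actually writes.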

Syllabus

Intro
CONTINUOUS DELIVERY CONTINUOUS DEPLOYMENT
The IDE Leaks!
The BAD ROLE Granularity!
The DEV Machine as only source code se
All Libraries Allowed!
SECRETS & LEAKS
Control Artefacts Repository
The ENVIRONMENT Leak! (1/2)
The ENV Leak! (2/2)
A reverse Shell in the Pipeline
The Evil GitHub Actions!
The mighty CI BOT
The EVIL AGENT (1/3)
The EVIL AGENT (3/3)
The DOCKER HUB Leak!
Keep API Safe!
The SOURCE CODE ransomware!
The Fat DOCKER!
The evil DOCKER twin!
The Greedy Service consumer!
Run FREE Internet!
The Trojan Jar!
The ZIP BOMB (2/4)
The ZIP BOMB (4/4)
Memory BOMB (3/5)
Memory BOMB (5/5)
Fork BOMB! (1/2)
Is your API Honest!? (1/2)
Keep SECRETS safe!
The Evil Alias!
The Shared infra! (1/2)
The TIP Of the iceberg


Taught by

OWASP Foundation
