YoVDO

Reverse Engineering and Exploiting Builds in the Cloud

Offered By: Black Hat via YouTube

Tags

Black Hat Courses Continuous Deployment Courses Continuous Integration Courses Cloud Security Courses Supply Chain Attacks Courses Container Security Courses Multi-Tenancy Courses

Course Description

Overview

Explore the security vulnerabilities in multi-tenant cloud build environments and container-based CI/CD pipelines in this 47-minute Black Hat conference talk. Gain a concise introduction to Continuous Integration, Delivery, and Deployment (CI/CD) and containers from a hacker's perspective. Discover various security pitfalls through live demonstrations, including reverse engineering techniques and exploitation methods. Learn about potential attack scenarios, supply chain attacks, and the impact of compromised build environments. Understand remediation strategies, component verification, and best practices for securing CI/CD processes. Delve into topics such as evil forks, OCR image attacks, and the power of commands in containers. Equip yourself with knowledge to enhance the security of cloud-based software development and deployment workflows.

Syllabus

Intro
Shoutouts
Heroku Engineering
What is CICD
CICD Components
Common Deployment Patterns
Fully Multitenant
Single Tenant
Networking
Virtual Network
Add Directive
Demo
Whats the impact
Remediation
Assumptions
Power of Command
Commands in Containers
Orchestrators Fail
Component Verification
Supply Chain Attacks
Potential Attack Scenario
Build Environments
How do we do this
Demo OCR Image
Demo OCR Image Containers
Evil Forks
Cheat Sheets
Conclusion
Supply chain security
Wrapup
Multitenancy
Research
Thank you


Taught by

Black Hat

Related Courses

Maintaining Deployment Security in Microsoft Azure
Pluralsight
Microsoft Azure Security Engineer: Configure Advanced Security for Compute
Pluralsight
Microsoft Azure Security Technologies (AZ-500) Cert Prep: 2 Implement Platform Protection
LinkedIn Learning
Securing Containers and Kubernetes Ecosystem
LinkedIn Learning
Performing DevSecOps Automated Security Testing
Pluralsight