Security Bsides Las Vegas 2024

Pipeline Pandemonium: How to Hijack the Cloud and Make it Rain Insecurity
2024-08-07, Florentine E

In today's tech landscape, where cloud computing and DevOps practices have converged, managing the integrity of CI/CD pipelines is essential. With the rise of automation, however, comes increased risk. Join us for "Pipeline Pandemonium," a comprehensive talk about vulnerabilities within CI/CD pipelines and how they can inadvertently harm organizations that rely on cloud environments. Through real-world examples and case studies, attendees will explore the convergence of rapid software delivery and cloud infrastructure, uncovering the methods malicious actors use to infiltrate pipelines and compromise cloud security.

Several real-world examples will be expounded, including code injection, dependency hijacking, unauthorized access through over-provisioned keys, runner abuse, and artifact poisoning. More specifically, much of the talk will focus on common techniques for abusing privileges and configurations associated with GitHub Actions, CircleCI and Jenkins pipelines. The presenter has real-world experience exploiting these issues at Fortune 500 companies and has made significant contributions to their security organizations' security posture.

The presentation is aimed at a broad audience and requires no in-depth knowledge of the specific topics that will be covered.

This talk dives into real-world experiences with CI/CD pipeline abuse and how I used them to gain privileges in cloud environments. When I started testing in the cloud, I struggled with understanding how these systems worked and how vital they are to Infrastructure as Code (IaC). Many of the tricks I used weren't documented back then but have become more widely known through blogs and shared experiences. I hope this talk helps other pentesters expand their cloud testing skills by showing common scenarios I've encountered.

I will have some recorded demos to go along with my presentation.

Blake is a seasoned cybersecurity professional with over 6 years of experience in threat emulation. He specializes in red teaming, purple teaming, penetration testing, and cloud security. Previously a Red Teamer through the Department of Education, where he obtained several SANS certifications, he currently serves as an Offensive Security Engineer at PayPal, where he orchestrates and executes engagements focused on enhancing security effectiveness through purple team engagements within both cloud and internal networks. Blake demonstrates his ability to identify common vulnerability patterns through continual participation in CTFs and has a passion for continuing education. He has further refined his expertise through constant security research.