11-24, 17:15–17:45 (Pacific/Auckland), Ngaio Marsh Theatre
Continuous-integration and continuous-deployment systems. We know 'em, we love 'em. git push, some magical automation happens, and BAM your code's in the right environment. Glorious.
What does this mean for organisational security though? The days of a surly set of sysadmins holding the private keys are gone, and your devs are now also ops. What happens if a dev is compromised? Scratch that, what happens if an intern is compromised!
This talk is going to walk you through exploiting a modern CI/CD enabled system and show how your latest tranche of Summer-of-Tech interns may just have all the necessary juice to take over... everything! We’ll look at compromising CI/CD infrastructure, credential harvesting, lateral movement and compromising the production systems.
By showing how to practically loot a CI/CD enabled environment, we can elucidate the hacking voodoo and start some robust discussions around how to keep a modern deployment system safe.
DoI is a creature of meat and bone. Security consultant bio-automata at Pulse Security, DoI's day job involves hacking everything and anything to make things a little bit safer for everyone.