Overview
Explore the security vulnerabilities in multi-tenant cloud build environments and container-based CI/CD pipelines in this 47-minute Black Hat conference talk. Gain a concise introduction to Continuous Integration, Delivery, and Deployment (CI/CD) and containers from a hacker's perspective. Discover various security pitfalls through live demonstrations, including reverse engineering techniques and exploitation methods. Learn about potential attack scenarios, supply chain attacks, and the impact of compromised build environments. Understand remediation strategies, component verification, and best practices for securing CI/CD processes. Delve into topics such as evil forks, OCR image attacks, and the power of commands in containers. Equip yourself with knowledge to enhance the security of cloud-based software development and deployment workflows.
Syllabus
Intro
Shoutouts
Heroku Engineering
What is CICD
CICD Components
Common Deployment Patterns
Fully Multitenant
Single Tenant
Networking
Virtual Network
Add Directive
Demo
Whats the impact
Remediation
Assumptions
Power of Command
Commands in Containers
Orchestrators Fail
Component Verification
Supply Chain Attacks
Potential Attack Scenario
Build Environments
How do we do this
Demo OCR Image
Demo OCR Image Containers
Evil Forks
Cheat Sheets
Conclusion
Supply chain security
Wrapup
Multitenancy
Research
Thank you
Taught by
Black Hat