ESCOURROU Remi - CICD security: A new eldorado

Fri Aug 12 2022 at 09:00 am to 01:00 pm

Harrah's Las Vegas | Las Vegas

DEF CON WORKSHOPS
Publisher/HostDEF CON WORKSHOPS
ESCOURROU Remi - CICD security: A new eldorado
Advertisement
Friday AM - Copper
ESCOURROU Remi - CICD security: A new eldorado
About this Event

CI/CD pipelines are increasingly becoming part of the standard infrastructure within dev teams and with the rise of solutions such as Infrastructure as Code, the sensitivity level of such pipelines is escalating. In case of compromise, it is not just the applications that are at risk but the underlying systems themselves and sometimes the whole information systems.

Attackers are beginning to exploit those weaknesses both for supply chains attacks but also to escalate their privileges within the victim IS.

Welcome to DataLeek company, after several decades of V-cycle development we have now decided to adopt the "agile" methodology. To do so, our IT teams have set up a CI/CD pipeline that rely on the most advanced and state-of-the-art tools available on the market.

However, for some reasons, our CISO seems to doubt the security level of this brand new infrastructure and insist to perform a pentest on it.

Your mission, should you choose to accept it, is to evaluate the security level of this CI/CD pipeline and offer solutions to fix the issues identified.

In this fully hands-on workshop, we’ll guide you through multiple vulnerabilities that we witnessed during numerous penetration tests. You’ll learn how to:

  • Get a foothold within a CI/CD pipeline
  • Find interesting secrets and other information within code repositories
  • How to pivot and exploit weak configuration on the orchestrator
  • Compromise building nodes in order to add backdoors to artifacts
  • Pivot on cloud infrastructure
  • Escape Kubernetes thanks to common misconfiguration
  • Perform a privilege escalation in AWS

Hand-on exercises will be performed on our lab environment with a wide variety of tools. For each attack, we will also focus on prevention, mitigation techniques and potential way to detect exploitations.

Pre-requisites:

  • This training is aimed at security professionals or developers willing to understand the risks of a poorly secured CI/CD pipeline.

Materials or Equipment Required:

  • Laptop capable of running virtual machines (8GB of RAM is a minimum) and an up-to-date RDP client.
Advertisement

Event Venue & Nearby Stays

Harrah's Las Vegas, 3475 South Las Vegas Boulevard, Las Vegas, United States

Tickets

USD 0.00

Discover more events by tags:

Workshops in Las VegasArt in Las VegasIt in Las VegasVirtual in Las VegasVirtual-run in Las Vegas

Sharing is Caring: