How Can CI/CD Go Horribly Wrong?
Published 2023-05-31
You can learn more about Carlos Polop, Ignacio Dominguez or the security audits and assessments that HALBORN performs at jh.live/halborn
00:00 - How Can CI/CD Go Horribly Wrong?
01:19 - What is CI/CD?
03:47 - Common Misconfigurations
06:19 - Start of Demonstration
10:16 - Pipeline Poisoning Explanation
12:00 - Showcasing Direct Pipeline Poisoning
17:04 - Security Takeaways
All Comments (21)
-
Wait... so the "hack" already assumes the attacker has push access to the repo? Obviously if you have push access to a repo that's set up with auto-deployment, you can absolutely cause all kinds of mayhem, so I don't see what's so insightful about this video, to be honest.
-
As a DevOps Engineer, I appreciate this kind of video. By the way, in DevSecOps we use the ShiftLeft method, which helps security in the CI/CD pipeline.
-
It's fricken CARLOS POLOP!!! Good job with the interview/demo, John!
-
Can't believe Mohamed Salah is a hacker.
-
Nice explanatory video! One question still: if the attacker doesn't have push access to the repository, this method doesn't work, so I don't understand where the threat is.
-
You already have push access to the repo AND the CI/CD yaml; this is not "hacking", you already have all the keys to the environment... The CI/CD is usually not accessible to developers to change, or even to trigger, in the case of production. Sadly an insider can do havoc and just save variables left and right, but there is no other way to store and use API keys and stuff; you can go fancy and do some ninja stuff with HashiCorp Vault, for example, to be a provider of temporary access and stuff... but in the end, as was mentioned, the credentials must be decrypted to be useful...
-
Thanks a lot! Carlos - I know him 😊
-
Thanks for the information
-
My grandma says the CD part of CI/CD is continuous delivery.
-
Very nice, thank you 🙂
-
Nice John :D
-
This is like leaving your front door wide open overnight and then being shocked - shocked! that a raccoon wandered into your house. Claiming that random strangers freely having push access to your repo is a security hole is just as absurd.
-
Cool video 😊
-
Interesting video, but I'd prefer to see deeper into what they were talking about, as this method should be basic knowledge for anyone with DevOps experience...
-
“Put the blame on me” “You don’t mind” 😂 Damn tho
-
So CI/CD basically just saves the copy + paste step of your project files to your server. Fancy name for something really simple. So why wouldn't you just upload a remote shell to that production server?
-
How do people even come up with these things!? It's insane.
-
Thanks babe, great vid.
-
1
-
Hahaha, Mohamed Salah?