How Can CI/CD Go Horribly Wrong?

John Hammond
John Hammond
23,579
0
Published 2023-05-31
jh.live/halborn || In this video we’ll learn the basics of Continuous Integration and Continuous Deployment (CI/CD) and what security implications it has – with a live demo example, showcasing how we can perform direct pipeline poisoning to execute code and ultimately leak sensitive production info like AWS credentials!

You can learn more about Carlos Polop, Ignacio Dominguez or the security audits and assessments that HALBORN performs at jh.live/halborn

00:00 - How Can CI/CD Go Horribly Wrong?
01:19 - What is CI/CD?
03:47 - Common Misconfigurations
06:19 - Start of Demonstration
10:16 - Pipeline Poisoning Explanation
12:00 - Showcasing Direct Pipeline Poisoning
17:04 - Security Takeaways

🔥 YOUTUBE ALGORITHM ➡ Like, Comment, & Subscribe!
🙏 SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎 FOLLOW ME EVERYWHERE ➡ jh.live/discordjh.live/twitterjh.live/linkedinjh.live/instagramjh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware
All Comments (21)
  • @vokuheila
    Wait... so the "hack" already assumes the attacker has push access to the repo? Obviously if you have push access to a repo that's setup with auto-deployment, you can absolutely cause all kinds of mayhem, so I don't see what's so insightful about this video, to be honest.
  • @elchinefa9524
    As a DevOps Engineer appreciate this kind of video. By the way in DevSecOps we use ShiftLeft methode, which helps security in CI/CD pipeline.
  • @pr0tagnist
    it's fricken CARLOS POLOP!!! Good job with the interview/demo John!
  • @mossdem
    Can't believe Mohamed Salah is a hacker.
  • @JosephHenryDrawing
    Nice explanatory video! One question still: if the attacker doesn't have push access to the repository this method doesn't work so I don't understand where the threat is
  • @vladoportos
    You already have push access to repo AND the CI/CD yaml this is not "hacking" you already have all keys to the environment... the CI/CD is usually not accessible to developers to change, or even to trigger in case of production. Sadly insider can do havoc and just save variables left and right, but there is no other way to store and use api keys and stuff, you can go fancy and do some ninja stuff with HashiCorp Vault for example to be a provider of temporary access and stuff.. but in the end as was mentioned, the credentials must be decrypted to be useful...
  • @itsfoss5268
    My grandma says the CD part of CI/CD is continuous delivery.
  • @lllevokelll
    This is like leaving your front door wide open overnight and then being shocked - shocked! that a raccoon wandered into your house. Claiming that random strangers freely having push access to your repo is a security hole is just as absurd.
  • @refuzion1314
    Interesting video, but I'd prefer to see deeper into what they were talking about, as this method should be basic knowledge for anyone with DevOps experience...
  • @mikewilliams1782
    “Put the blame on me” “You don’t mind” 😂 Damn tho
  • @FalcoGer
    So CI/CD is basically just saves the copy + paste step of your project files to your server. Fancy name for something really simple. So why wouldn't you just upload a remote shell to that production server?
  • @hamids4550
    how do even people come up with these things!? its insane