How to Smoke a Pipeline

CI/CD Pipelines have been at the center of many recent high-profile security breaches. The tech industry has demanded these systems keep up with the pace of software development. Consequently, this has created systems ripe with security failures. And adversaries are actively exploiting these vulnerable pipelines. The software-supply chain grows as an appealing target to adversarial groups. And the best defense is a good offense.

Goals of this presentation: - First, we’re going to get our bearings with a lighting quick review of what a pipeline is, for those who might not be up to speed. - Then, we’ll do a dive into common vulnerabilities in CI/CD systems. We will use the OWASP top 10 as a guide. - Next, we’ll learn to smoke…pipelines. And by smoke I mean exploit. This will be done with Poisoned Pipeline Execution, Blind Trust, and a number of other fun exploitation tricks. We’ll also look at how these have been used in the wild. - Finally, we’ll stop bad guys from doing this to us.

Warning: You will not look at CI/CD systems the same way again. Where we’re going we don’t need roads.



Tyler Welton

Tyler has spend over a decade hacking and securing network and software systems. Most recently his focus has been on helping companies secure their code and cloud infrastructure. He loves exploring