OWASP Global AppSec US 2021 has ended
Friday, November 12 • 11:00am - 12:00pm
How hackers can breach your C.I / C.D systems

Ever since software started to be created as a product, or as an essential part of many companies, people have analysed how to automate the software development process.

There are currently two acronyms that define the main processes of creating and deploying modern software: C.I. / C.D.

Each represents a series of clearly differentiated processes that take place during software creation and its subsequent release into production.

With the rise of these philosophies, countless new concepts and associated software have emerged to carry them out: Jenkins, Drone, Bamboo, GitHub, GitLab, Docker, Docker Swarm, Kubernetes, Terraform, Ansible, Slack, etc.

We rely on this kind of software to update and deploy our production services. We carry out complex and thorough hardening of our production systems, but do we put the same effort into securing CI/CD environments? Are we aware that these systems often have a high level of permissions? Do we know the consequences for the company if they are compromised?

This talk aims to demonstrate how feasible it is to take control of all the production systems of an organisation by breaching the security of its CI/CD systems.

We will analyse CI/CD environments with commonly used and well-known components, analysing the most typical security flaws, how to exploit them, and how to mitigate them.

Several demos will be conducted in which complete CI/CD environments will be deployed, and each of the most vulnerable points will be exploited.

Daniel García

API Security Researcher, 42Crunch
Daniel is a security researcher, pentester, source code analyst, SecDevOps, and expert developer. I have a bit of a strange profile. I am mixing in hacking and development. I love researching anything, and I am a little obsessed with the idea that not everything is invented yet. Currently...

Cesar Gallego

Data and functional programming were my day to day until I began to fall, like Alice in Wonderland, down the security rabbit hole. I don't know where my journey will end, but every step I take fascinates me like the first day. I have decades of professional computing experience, mostly...

Friday November 12, 2021 11:00am - 12:00pm PST