OWASP Global AppSec US 2021

Since software started to be created as a product or as an essential part of many companies. There has been analysed how to automate the software development process.

There are currently two acronyms that define the main processes of creating and deploying modern software: C.I. / C.D.

Each represents a series of clearly differentiated processes: during the software creation process and its subsequent release into production.

With the rise of these philosophies, countless new concepts and associated software have emerged to carry them out: Jenkins, Drone, Bamboo, Github, Gitlab, Docker, Docker Swarm, Kubernetes, Terraform, Ansible, Slack, etc.

We rely on our production services to be updated and deployed by this kind of software. We do complex and thorough hardening processes of our production systems, but do we put the same effort in securing CI/CD environments? are we aware that these systems often have a high level of permissions? Do we know the consequences for the company if they are compromised?

This talk aims to demonstrate how possible it is to take control of all the productive systems of an organisation by breaching the security of CI/CD systems.

We will analyse CI/CD environments with commonly used and well-known components, analysing the most typical security flaws, how to exploit them, and how to mitigate them.

Several demos will be conducted in which complete CI/CD environments will be deployed, and each of the most vulnerable points will be exploited.