Attacking CI/CD Environments
CI/CD systems are everywhere, sprayed across modern enterprise environments. With the current focus on faster delivery and faster production, CI/CD has taken a prominent role in the development world. Rapid adoption of these technologies has meant that many security precautions are thrown out of the window and insecure-by-default settings are left in place. We have created this course to focus on attacking CI/CD environments as a way in for attackers.
In this course, we progress from the basics to advanced guidance. We start by understanding how CI/CD systems work under the hood and then examine their position in a corporate IT environment. We focus on exploiting both self-hosted and SaaS-based environments.
Basic; Intermediate
Overview of CI/CD Environments
Introduction to CI/CD Attacks
CI/CD Attacks in Different Environments
Environment Specific Attacks (GitHub)
Environment Specific Attacks (Jenkins)
Environment Specific Attacks (GitLab CI)
Cloud Providers CI/CD Systems’ Attack Vectors
Using CI/CD Systems as Attacker’s Tools
The course will be followed by a Capture-The-Flag event on the last day of the training, where participants can apply what they have learned to hack a vulnerable-by-design environment.
Our labs are cloud-based, and a browser should be sufficient. However, we still suggest the following hardware specs:
The course assumes basic familiarity with CI/CD and pipeline concepts. Security tooling and specific pipeline details will be covered in the course.
Intensive hands-on training with labs, demos, and real-world scenarios to discuss and hack into.
Anant Shrivastava is a highly experienced information security professional with over 15 years of corporate experience. He is a frequent speaker and trainer at international conferences and is the founder of Cyfinoid Research, a cybersecurity research firm. He leads open source projects such as Tamer Platform and CodeVigilant and is actively involved in information security communities such as null, OWASP, and various BSides and DEFCON groups.
Kumar Ashwin is a security professional specializing in web, cloud, and software supply chain security, and is highly regarded in the field. He has presented at conferences like x33fcon, BSides, and c0c0n, and actively contributes to security communities like null, Winja, and DEFCON Cloud Village. Transitioning from offensive security to security engineering, Ashwin offers a unique perspective, emphasizing evolving methodologies and ensuring software supply chain resilience. His expertise has aided numerous organizations in bolstering their security posture. Visit his blog at https://krash.dev for more insights.