Synopsis
Many organisations adopting a cloud-native stack believe that incorporating key security automation tools is enough to fully protect their CI/CD ecosystem from potential attacks.
But is that truly the case? What if I said that there is a multitude of attacks an adversary could execute within a secure CI/CD ecosystem that follows mature DevSecOps practices? What's more concerning is that the impact of such attacks extends beyond the confines of the CI/CD ecosystem.
Through my research conducted over the past 4 years, I've uncovered various methods by which adversaries could exploit a CI/CD ecosystem (under both DevOps and DevSecOps practices). Furthermore, I've also identified how adversaries could leverage it as a weapon to attack integrated critical resources within the cloud-native stack.
This presentation will showcase various methods used to exploit real-world DevSecOps pipelines, demonstrating how they can be abused to infiltrate and compromise critical resources within a cloud-native stack. The presentation will also showcase how misconfigurations were chained to exploit a securely configured CI/CD ecosystem.
Attendees will gain insights and information about the blast radius of, and lessons learned from, such attack chains. The audience will also learn about key controls that enhance the security posture of a CI/CD ecosystem using a defence-in-depth methodology. This material can be leveraged by red teams for attack simulation and by blue teams for monitoring and implementing security controls.