DevSecOps to DevSecOooops: Unveiling how adversaries use Secure CI/CD Ecosystem as a puppet !!!

Tuesday 18 March, 1:50 pm - 2:30 pm
Location: Think Tank 1

Speakers

Sanjeev Mahajan

Principal Security Engineer
SYBER SERVICES

Synopsis

Many organisations adopting a cloud-native stack believe that incorporating key security automation tools is enough to fully protect their CI/CD ecosystem from potential attacks.

But is that truly the case? What if I said that there is a multitude of attacks an adversary could execute within a secure CI/CD ecosystem that follows mature DevSecOps practices? What is more concerning is that the impact of such attacks extends beyond the confines of the CI/CD ecosystem.

Through my research conducted over the past 4 years, I've uncovered various methods by which adversaries could exploit a CI/CD ecosystem (with both DevOps and DevSecOps practices). Furthermore, I've also identified how adversaries could leverage it as a weapon to attack integrated critical resources within the cloud-native stack.

This presentation will showcase various methods used to exploit real-world DevSecOps pipelines, demonstrating how they can be abused to infiltrate and compromise critical resources within a cloud-native stack. The presentation will also showcase how misconfigurations were chained to exploit a securely configured CI/CD ecosystem.

Attendees will gain insights into the blast radius of such attack chains and the lessons learned from them. The audience will also learn about key controls that enhance the security posture of a CI/CD ecosystem using a defence-in-depth methodology. This material can be leveraged by red teams for attack simulation and by blue teams for monitoring and implementing security controls.

Acknowledgement of Country

We acknowledge the traditional owners and custodians of country throughout Australia and acknowledge their continuing connection to land, waters and community. We pay our respects to the people, the cultures and the elders past, present and emerging.