Critical CI/CD vulnerabilities nobody tells you about.
What it’s about
CI/CD pipelines are the new target. Compromise the CI/CD and you compromise the entire company.
This talk covers:
- Top 10 CI/CD vulnerabilities
- Attacks on Jenkins, GitLab CI, GitHub Actions, CircleCI
- Supply chain attacks through CI/CD
- Secrets and credentials compromise
- Defense in depth for pipelines
Why it’s relevant
CI/CD is the gateway to production. A compromised pipeline means malicious code in production without anyone noticing.
I’ve seen real attacks where the attacker compromised the CI/CD and spent months injecting backdoors into every deployment.
Impact
One of the most shared talks from RootedCON 2020. Many companies completely reviewed their CI/CD security after watching it.
Later I presented an extended version at the Sonatype DevSecOps Leadership Forum 2020.