Conference: Defcon 31
Authors: Asi Greenholts, Security Researcher at Palo Alto Networks
2023-08-01

GitHub is the most popular platform for hosting Open Source projects; therefore, the popularity of its CI/CD platform, GitHub Actions, is rising, which makes it an attractive target for attackers. In this talk I'll show you how an attacker can take advantage of the Custom GitHub Actions ecosystem by infecting one Action to spread malicious code to other Actions and projects, demonstrated with a POC worm. We will start by exploring the ways in which Actions are loosely and implicitly dependent on other Actions. This will allow us to create a dependency tree of Actions that starts from a project that we want to attack and hopefully ends in a vulnerable Action that we can take control of. We will then dive into how GitHub Actions works under the hood, and I'll show you how an attacker in control of an Action can use the mechanism of the GitHub Actions Runner to infect other Actions that depend on that Action and eventually infect the targeted project. Finally, after we've gained all of the theoretical knowledge, I'll show you a demo with POC malware that spreads through Actions, and we will talk about how to defend against this kind of attack.
Conference: Black Hat Asia 2023
Authors: Yakir Kadkoda, Ilay Goldman
2023-05-12

Our talk divides the cloud development flow into 5 phases: IDE, SCM, package managers, CI/CD and Artifacts. We will demonstrate how supply chain attacks can affect organizations at each phase. This includes the risks of cloud, platforms, and application development, as well as the attacker's perspective on how to exploit these areas. We will unveil vulnerabilities and flaws in popular platforms corresponding to each one of the areas. We will also talk about the ecosystem and how developers are working with these platforms. Finally, we will show our original research, including vulnerabilities and flaws in various platforms, and talk about each finding and its implications and mitigations.
Authors: Alex Ilgayev, Elad Pticha
2023-04-21

tldr - powered by Generative AI

The presentation discusses the importance of secure authentication in CI/CD pipelines and the potential vulnerabilities of using tokens. The solution proposed is to use OpenID Connect (OIDC) for authentication.
  • CI/CD pipelines require secure authentication with third-party providers
  • Tokens are a popular method of authentication but can be vulnerable to breaches
  • Examples of breaches include CircleCI and Codecov
  • OpenID Connect (OIDC) is a solution that extends the capabilities of OAuth 2.0 and uses JSON web tokens (JWT) for authentication
  • OIDC is standardized and allows for third-party verification of user identity
Authors: Charlie Egan
2023-04-21

tldr - powered by Generative AI

The presentation discusses the Gatekeeper project, a customizable Kubernetes admission webhook that uses the OPA engine to enforce policies and enhance governance in organizations.
  • Gatekeeper project is a customizable Kubernetes admission webhook that uses the OPA engine to enforce policies and enhance governance in organizations
  • Gatekeeper is used to ensure that workloads deployed to Kubernetes clusters are compliant with governance and company policies
  • Google Anthos and Microsoft Azure have embedded Gatekeeper in their policy engines
  • Gatekeeper simplifies the process of building an admission webhook
  • Gatekeeper uses the OPA engine to enforce policies and enhance governance
  • The presentation also discusses updates to OPA, including new built-in functions and upcoming features such as schema validation and a more user-friendly output for tests
Authors: Joaquin Rodriguez, Alessandro Vozza
2023-04-20

tldr - powered by Generative AI

The presentation discusses the challenges of scaling observability and deployment automation in GitOps and proposes a solution using open-source tools like ClusterAPI, ArgoCD, and Prometheus+Thanos to manage and organize deployments.
  • GitOps has clear advantages over traditional CI/CD tools, but scaling observability and deployment automation can be challenging
  • Open-source tools like ClusterAPI, ArgoCD, and Prometheus+Thanos can help manage and organize deployments
  • The presentation proposes using immutable clusters that are always stamped out of a template, to address the fear of upgrading
  • The ClusterAPI project can be used to declaratively express the idea of a cluster and interact with different cloud providers
  • The v-cluster project can be used to create ephemeral clusters that live inside management clusters and can be used when provisioning time is a crucial parameter
  • The presentation emphasizes the importance of monitoring ephemeral clusters and collecting metrics from them
  • The use of open-source tools can automate the deployment of hundreds of clusters and applications securely
Authors: Priyanka Saggu, Mario Jason Braganza
2023-04-19

tldr - powered by Generative AI

The presentation discusses the anatomy and examples of Prow Jobs in the Kubernetes project, emphasizing the importance of testing and maintaining infrastructure.
  • Prow Jobs are periodic, presubmit, and postsubmit jobs that help automate testing and deployment in the Kubernetes project
  • The anatomy of a Prow Job includes fields such as name, interval, cluster, and job type
  • Examples of Prow Jobs in the Kubernetes project include syncing enhancement proposals and tracking bugs
  • Testing and maintaining infrastructure is crucial for the success of Prow Jobs and requires collaboration and communication among team members
Authors: Christie Warwick, Priya Wadhwa
2023-04-19

tldr - powered by Generative AI

The presentation discusses the use of SLSA standards and Tekton in threat modeling and securing CI/CD systems on Kubernetes.
  • SLSA sets standards for build system execution to ensure trustworthiness
  • Threat modeling for a build system on Kubernetes identifies additional threats and ways to mitigate them
  • Tekton can do more to verify image provenance and address volume isolation
  • SPIRE can be used to catch tampering with Tekton CRDs
  • Trusted resources in Tekton ensure execution of the intended tasks and pipelines
Authors: Cheryl Hung
2023-04-19

tldr - powered by Generative AI

The presentation discusses the process of transitioning to ARM architecture in a cloud-native infrastructure and optimizing CI/CD pipelines.
  • Inventory the software stack and identify hotspots
  • Optimize by provisioning a test environment and making changes
  • Decide on how to build the Kubernetes cluster and deploy
  • AWS is an example of a cloud provider with ARM support
Authors: Tanya Janca
2023-02-16

tldr - powered by Generative AI

The presentation discusses resources and strategies for maintaining secure legacy applications in DevOps.
  • Encourages joining the Open Web Application Security Project and local chapters
  • Provides a PDF summary of the presentation
  • Offers free online community called We Hack Purple with training courses and podcasts
  • Suggests regular communication with software developers and security champions through lunch and learns and presentations
  • Emphasizes the importance of feedback and addressing issues promptly
Conference: ContainerCon 2022
Authors: Corby Page, Cora Iberkleid
2022-06-23

The Kubernetes ecosystem has a rich set of solutions for various stages of CI/CD. Tools like Flux, Tekton, kpack, Knative, ArgoCD, and more help create a modern path to production. And yet, teams and organizations that adopt these tools struggle with complex, DIY snowflake pipelines. The challenge can be creating and maintaining imperative scripts; orchestrating the flow of information between tools; driving reusability; adopting GitOps practices; and enabling proper separation of concerns. Cartographer is an exciting OSS project that elegantly addresses these challenges, providing the backbone for a modern application platform built on Kubernetes. Rooted in the concept of event-driven supply chain choreography, it enables composable, reusable roadmaps to drive source code to production. It provides an abstraction layer that facilitates the adoption and integration of existing and emerging CI/CD tools, while clearly delineating developer and operator ownership. It complements the existing ecosystem, filling an important gap to ease use, maintenance, and scalability. In this tutorial, you will learn how to create secure end-to-end workflows, sustainably and at scale. You will gain working knowledge of Cartographer that you can apply to your own application deployments.