Originally presented at Securi-Tay 2022
Supply chain attacks are higher profile than ever, and Continuous Integration and Continuous Development (CI/CD) pipelines are rapidly forming the basis of modern software development and DevSecOps workflows. These pipelines grant developers flexibility to perform automated testing regularly during development, and can aid in reducing the number of steps required to get code from a keyboard to a development environment. While this is convenient for developers, with great convenience comes great attack surface.
This presentation will provide an introduction to CI/CD pipelines, then discuss some of the ways we have compromised customer environments using a pipeline or code repository as a starting point. The presentation will map out common attack paths and escalation vectors, and hopefully provide some useful guidance on how to lock down your own environments and reduce the blast radius of a compromised pipeline.