Attacking & Defending Supply Chains. How we got Admin in your Cloud,...

Mike Ruth

BSidesSF 2024 · Day 1

This talk, presented by Mike Ruth, a Security Engineer at Rippling, examines the critical and often overlooked security vulnerabilities in modern software supply chains, focusing specifically on **Continuous Integration/Continuous Deployment (CI/CD)** pipelines. Titled "Attacking & Defending Supply Chains. How we got Admin in your Cloud,...", it serves as an extension of a previous talk given in 2022 that focused primarily on Terraform. This iteration expands the scope to other widely used CI/CD tools such as GitHub Actions and Buildkite, demonstrating how misconfigurations and inherent design choices can lead to administrative access in cloud environments.

AI review

This talk dissects critical vulnerabilities in widely adopted CI/CD platforms like GitHub Actions, Buildkite, and Terraform. The speaker effectively demonstrates how default configurations and common developer practices can lead to secret exfiltration, arbitrary code execution via pre-merge pull requests, and even a bypass of Terraform's plan-and-review process to directly apply infrastructure changes. While some underlying principles of CI/CD security are not entirely novel, the specific exploitation paths across multiple tools and the detailed mitigations make this a highly valuable and…
