BruCON 0x0D has ended
Thursday, October 7 • 17:00 - 18:00
The risk of CI/CD pipeline poisoning via CodeBuild: On the intricate challenges of setting up a secure CI/CD pipeline


In this session we focus on CI/CD pipelines deployed via AWS managed services such as CodeBuild, CodeDeploy and CodePipeline, and demonstrate how small configuration decisions can have a significant impact on the security of the pipeline, up to the point where its trustworthiness is broken (a poisoned pipeline).

CodeBuild’s functionality can be abused by developers to bypass security controls implemented in the SDLC environment, such as peer code review, code approval processes, segregation of duties and secrets management. This introduces a perhaps unforeseen vector for exfiltrating application secrets, tampering with the application and, potentially, taking full control of the deployment servers by executing commands with elevated privileges.
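The bypass described above rests on a documented CodeBuild behaviour: when a project carries no buildspec of its own, CodeBuild runs the buildspec.yml found in the source, so whoever can push to the repository dictates the commands that execute with the project's service role and environment variables. The Python below is an added example, not code from the talk or from AWS; it audits project definitions offline for the two settings most directly tied to the abstract, a repository-controlled buildspec and secrets injected as plaintext build variables. The function names and the sample project definitions are constructed for illustration and follow the dict shape that boto3's codebuild.batch_get_projects() returns.

```python
"""Offline audit of AWS CodeBuild project definitions for pipeline-poisoning risk.

Operates on dicts in the shape returned by boto3:
    codebuild.batch_get_projects(names=[...])["projects"]
No AWS access is needed; the sample projects below are constructed.
"""
import re
from typing import Dict, List, Optional

# Variable names that suggest a secret is being handed to the build as plaintext.
SECRET_NAME_RE = re.compile(r"secret|passw(or)?d|token|api_?key|private_?key", re.I)


def classify_buildspec(buildspec: Optional[str]) -> str:
    """Where do the build commands come from?

    - None / empty      -> buildspec.yml at the source root (repository-controlled)
    - relative path     -> a file inside the source tree   (repository-controlled)
    - arn:aws:s3:::...  -> an object in S3, outside the repository
    - YAML text         -> inline in the project definition (IAM-controlled)
    """
    if not buildspec:
        return "repository"
    spec = buildspec.strip()
    if spec.startswith("arn:aws:s3:::"):
        return "s3"
    if "\n" in spec or spec.startswith("version:"):
        return "inline"
    return "repository"


def audit_project(project: Dict) -> List[str]:
    """Return one finding per risky setting in a single project (hypothetical helper)."""
    findings: List[str] = []
    name = project.get("name", "<unnamed>")

    # 1. A repository-controlled buildspec lets anyone with push access choose the
    #    commands that run with the project's service role, sidestepping code review
    #    and approval steps that sit elsewhere in the pipeline.
    origin = classify_buildspec(project.get("source", {}).get("buildspec"))
    if origin == "repository":
        findings.append(f"{name}: build commands come from the repository (buildspec not fixed in the project)")

    # 2. Secrets passed as PLAINTEXT environment variables are visible to whatever the
    #    build runs, so a poisoned buildspec can simply print or upload them.
    for var in project.get("environment", {}).get("environmentVariables", []):
        if var.get("type", "PLAINTEXT") == "PLAINTEXT" and SECRET_NAME_RE.search(var.get("name", "")):
            findings.append(f"{name}: secret-looking variable {var['name']} is injected as PLAINTEXT")

    return findings


def audit_projects(projects: List[Dict]) -> Dict[str, List[str]]:
    """Map each project name to its findings; an empty list means nothing flagged."""
    return {p.get("name", "<unnamed>"): audit_project(p) for p in projects}


# Constructed sample definitions (fake account, repo and values): one weak, one hardened.
SAMPLE_PROJECTS: List[Dict] = [
    {
        "name": "webapp-build-weak",
        "source": {
            "type": "CODECOMMIT",
            "location": "https://git-codecommit.eu-west-1.amazonaws.com/v1/repos/webapp",
            # no "buildspec": CodeBuild reads buildspec.yml from the repository
        },
        "environment": {
            "type": "LINUX_CONTAINER",
            "image": "aws/codebuild/standard:5.0",
            "computeType": "BUILD_GENERAL1_SMALL",
            "environmentVariables": [
                {"name": "DB_PASSWORD", "value": "hunter2", "type": "PLAINTEXT"},
                {"name": "STAGE", "value": "prod", "type": "PLAINTEXT"},
            ],
        },
        "serviceRole": "arn:aws:iam::123456789012:role/webapp-codebuild",
    },
    {
        "name": "webapp-build-hardened",
        "source": {
            "type": "CODECOMMIT",
            "location": "https://git-codecommit.eu-west-1.amazonaws.com/v1/repos/webapp",
            # inline buildspec: changing it needs codebuild:UpdateProject, not a git push
            "buildspec": "version: 0.2\nphases:\n  build:\n    commands:\n      - make test\n      - make package\n",
        },
        "environment": {
            "type": "LINUX_CONTAINER",
            "image": "aws/codebuild/standard:5.0",
            "computeType": "BUILD_GENERAL1_SMALL",
            "environmentVariables": [
                {"name": "STAGE", "value": "prod", "type": "PLAINTEXT"},
            ],
        },
        "serviceRole": "arn:aws:iam::123456789012:role/webapp-codebuild",
    },
]


if __name__ == "__main__":
    for project_name, items in audit_projects(SAMPLE_PROJECTS).items():
        print(project_name, "->", items or ["no findings"])
```

To run this against a real account, replace SAMPLE_PROJECTS with the "projects" list from boto3.client("codebuild").batch_get_projects(names=[...]). Two caveats: a variable typed SECRETS_MANAGER or PARAMETER_STORE is still resolved into the build environment, so the second check only catches the most obvious case and the real fix is to hand a build that runs untrusted code no secret at all; and fixing the buildspec in the project only moves the control point to IAM, so who holds codebuild:UpdateProject then matters as much as who can push to the repository.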

Under the shared responsibility model this is largely the AWS customer’s problem to solve. Moreover, customers remain exposed to the risk even when following AWS samples and tutorials, and even when using managed services that simplify and automate the setup of CI/CD pipelines in the cloud, such as CodeStar.

In this session we want to explain this pipeline poisoning risk to the DevSecOps and cloud communities so that it can be taken into account when securing CI/CD pipelines in the cloud, and, more generally, showcase the new challenges and considerations that cloud solutions bring to those adopting the cloud.


Asier Rivera

Asier has been part of the Cyber & Privacy team of PwC Belgium since he joined in September 2017 after finishing his studies. As a member of the technical security and risk management team, Asier is strongly focused on the technical aspects of application security and secure software...

Thursday October 7, 2021 17:00 - 18:00 CEST
01. Westvleteren University