How Hackers Can Break Your CI/CD Infrastructure

WHO WE ARE
Daniel García (cr0hn)
Security research. Hacking tools developer, DevSecOps. Python developer.
@ggdaniel
https://bit.do/cr0hn
César Gallego
Can't define myself. I go where my curiosity drives me. Most of the time it goes bad. I process terabytes for breakfast.
@CesarGallegoR
https://bit.do/cesar-gallego
Disclaimer!
Any opinions expressed are personal opinions and don't represent our employer's view in any way.
Shared vocabulary
Core Concepts
CONTINUOUS DELIVERY vs CONTINUOUS DEPLOYMENT
Legacy Systems (diagram): No CD (Ops, Dev) / No CI/CD (Ops, Dev) / Hell (Dev)
STEPS IN SOFTWARE CONSTRUCTION
(diagram) User → Code → Building step → Deployment step → Production
Follow us down the rabbit hole
Starting the journey
In the source code
IN THE SOURCE CODE
Not all StackOverflow people are good persons (or even humans)
In STACK OVERFLOW it works great!
https://trojan-killer.net/the-most-copied-piece-of-java-code-on-stackoverflow-contains-an-error/
● Are your developers using safe libraries?
● Do you check the libraries they use?
● Even more… do they ask you for advice when choosing a new library?
All Libraries Allowed!
https://securityintelligence.com/news/popular-javascript-library-for-node-js-infected-with-malware-to-empty-bitcoin-wallets/
Do you trust all libraries? So you know that all libraries are malware / vulnerability free?
SECRETS & LEAKS
● Passwords
● API keys
● Private keys
● ….
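As an added example, not part of the original deck, here is a small scanner of the kind a pre-commit hook or pipeline gate can run to flag the secrets listed above in a constructed source file; the patterns, the entropy threshold and the sample values are assumptions to tune for your own credential formats:

```python
import math
import re

# Constructed detection patterns for this example; extend them with the
# credential formats your organisation actually issues.
PATTERNS = {
    "private key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "aws access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "hard-coded password": re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{4,}['\"]"),
    "generic api key": re.compile(r"(?i)(?:api[_-]?key|secret|token)\s*[=:]\s*['\"]([A-Za-z0-9_\-]{16,})['\"]"),
}

ENTROPY_THRESHOLD = 3.0  # bits per character; placeholders such as "xxxx..." score 0


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; real random tokens score well above 3."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_lines(lines):
    """Return (line_number, finding) pairs for lines that look like leaked secrets."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for label, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            # The generic pattern is noisy: skip low-entropy values such as placeholders.
            if label == "generic api key" and shannon_entropy(match.group(1)) < ENTROPY_THRESHOLD:
                continue
            findings.append((number, label))
    return findings


# Constructed sample of a source file a developer might commit by mistake.
# The key id and the token below are made up for this example.
SAMPLE_SOURCE = [
    "import os",
    'AWS_KEY = "AKIAEXAMPLE0EXAMPLE0"',
    'DB_PASSWORD = "hunter2"',
    'API_KEY = "k9Tq2mPx7vLw4nRb8sYc3hJd"',
    'TOKEN = "xxxxxxxxxxxxxxxxxxxx"',
    "-----BEGIN RSA PRIVATE KEY-----",
    'password = os.environ["DB_PASSWORD"]',  # reading from the environment is fine
]


def scan_sample():
    return scan_lines(SAMPLE_SOURCE)


if __name__ == "__main__":
    for number, label in scan_sample():
        print(f"line {number}: {label}")
```

Line 7, which reads the password from the environment, is deliberately not reported; wire the scanner into the pipeline so a finding fails the build before the commit reaches a shared branch.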
In the building step
IN THE BUILDING STEP
● What if a user can execute anything in a pipeline?
● What if the C.I. has not limited the outbound traffic?
A reverse Shell in the Pipeline
https://alionder.net/jenkins-script-console-code-exec-reverse-shell-java-deserialization/
Limit user permissions and outbound destinations
https://www.youtube.com/watch?v=QDGGPoK4gbk
● Do you control what a developer can download when they run a pipeline?
● Do you control which commands a developer can launch from a C.I. / C.D. configuration file (Jenkinsfile, gitlab.yaml…)?
● Is your C.I. / C.D. in a different network? Are you sure?
The EVIL AGENT (1 / 3)
Sonatype DevSecOps Leadership forum 2020
The EVIL AGENT (3 / 3)
➔ Limit internet access in the pipeline.
➔ Perform a correct hardening of the infrastructure.
➔ Fix the execution permissions.
The Greedy Service consumer!
● Is your company using free tier services?
● Does your company have a GitHub Business account?
Keep in mind that free tiers have limits by IP, like GitHub, Google Maps… If your deploy relies on these services, it may get stuck if someone exceeds the IP quota.
The Git BOMB!
A git bomb cannot be cloned. This is only a problem with old git versions, so be aware of it in your older systems.
● Are your commits PGP signed?
● Do you know who has access rights?
● Are you using third party repositories?
The DOCKER HUB Leak!
Allow only some agents to publish images. Check the contents of the Docker layers. Check the Dockerfile.
● Do you have your own container registry?
● Do you check your Dockerfiles?
● Do your pipelines have permissions and access to publish to Docker Hub?
The Fat DOCKER!
A very fat container can use up all free space and prevent new Docker builds. A fat container makes deployment a slow and error-prone process.
● Do you inspect your Dockerfiles?
● Do you have Docker builds correctly configured?
● Do you control where layers are built?
In the deployment step
IN THE DEPLOYMENT STEP
The Trojan Jar!
Modifying a Jar to add a trojan is very easy, hard to detect, and can be unbelievably persistent.
● Do you suffer the Jar Hell?
● Do your servers have outdated Java stuff?
● Does your company have no Java artefact repo?
The ZIP BOMB (1 / 4)
● The ZIP bomb is an old attack.
● The attack is very simple but very useful.
● Some systems have basic routines to detect these kinds of attacks.
The ZIP BOMB (2 / 4)
● Most packaged software is packed as a ZIP file: .jar, .war, .docx, .xlsx….
● Some application servers auto-deploy them when files are put in a specific path.
● What if we put a ZIP bomb renamed as a valid packed application for a Tomcat?
The ZIP BOMB (4 / 4)
Perform a correct hardening of the host and set conservative limits on the files, CPU and memory that a process can get.
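Added example, not from the original deck, of the "basic routine" a deploy hook can run before inflating an uploaded .war or .jar: a cheap pre-check on the central directory plus a bounded inflate that aborts on the real output size, exercised against two constructed archives. The byte budget, the ratio threshold and the sample contents are assumed values:

```python
import io
import os
import zipfile


class ZipBombSuspected(Exception):
    """Raised when an archive exceeds the limits we are willing to inflate."""


NESTED_ARCHIVE_SUFFIXES = (".zip", ".jar", ".war", ".ear")


def inspect_archive(data: bytes, max_total_bytes: int, max_ratio: float) -> dict:
    """Cheap pre-check using only the central directory.

    The sizes here are what the archive claims about itself. A crafted file
    can lie, so this is a first filter; inflate_bounded() is the real gate.
    Nested archives are reported because bombs are often built as layers.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    claimed = sum(i.file_size for i in infos)
    stored = sum(i.compress_size for i in infos) or 1
    ratio = claimed / stored
    nested = [i.filename for i in infos
              if i.filename.lower().endswith(NESTED_ARCHIVE_SUFFIXES)]
    if claimed > max_total_bytes:
        raise ZipBombSuspected(f"claims {claimed} bytes, budget is {max_total_bytes}")
    if ratio > max_ratio:
        raise ZipBombSuspected(f"compression ratio {ratio:.0f}:1 exceeds {max_ratio:.0f}:1")
    return {"members": len(infos), "claimed_bytes": claimed,
            "ratio": ratio, "nested_archives": nested}


def inflate_bounded(data: bytes, max_total_bytes: int, chunk_size: int = 1 << 16) -> int:
    """Inflate every member while counting real output bytes.

    Aborts as soon as the running total passes the budget, whatever the
    headers promised. In a deploy hook each chunk would be written to the
    target file; here we only count and return the total.
    """
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                while True:
                    buf = member.read(chunk_size)
                    if not buf:
                        break
                    total += len(buf)
                    if total > max_total_bytes:
                        raise ZipBombSuspected(
                            f"{info.filename}: inflated past {max_total_bytes} bytes")
    return total


def build_archive(members: dict) -> bytes:
    """Build a deflated archive in memory from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a plausible small deployable and a highly compressible one.
BENIGN_WAR = build_archive({"WEB-INF/web.xml": b"<web-app/>\n",
                            "static/app.bin": os.urandom(64 * 1024)})
SUSPICIOUS_WAR = build_archive({"WEB-INF/web.xml": b"<web-app/>\n",
                                "static/blob.bin": bytes(32 * 1024 * 1024)})

BUDGET = 8 * 1024 * 1024  # 8 MiB of inflated output is plenty for this sample app
MAX_RATIO = 100.0         # legitimate deployables sit far below this


def vet_archive(data: bytes) -> bool:
    """True when both checks pass; False when the archive looks like a bomb."""
    try:
        inspect_archive(data, BUDGET, MAX_RATIO)
        inflate_bounded(data, BUDGET)
        return True
    except ZipBombSuspected:
        return False


if __name__ == "__main__":
    print("benign:", vet_archive(BENIGN_WAR))          # True
    print("suspicious:", vet_archive(SUSPICIOUS_WAR))  # False
```

Run the checks under the same CPU and memory limits as the rest of the deploy step, since the inflate itself is the work an attacker wants the server to do.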
Memory BOMB (1 / 5)
● A memory bomb is a type of attack that aims to fill all system memory.
● Not only RAM, SWAP is also affected.
● If you don't have limits in your host, it can consume all of your HD space as SWAP space.
Memory BOMB (2 / 5)
● What if you can run a memory bomb in a C.I. / C.D. system?
● What if the C.I. is deployed as multi-agent?
Memory BOMB (3 / 5)
(diagram: a Jenkins master and several Jenkins agents)
Jenkins behavior:
1 - You put a memory bomb in your Jenkinsfile.
2 - The Jenkins master sends the job to a Jenkins agent, which runs the pipeline and the memory bomb. So the Jenkins agent host breaks down.
3 - The Jenkins master detects that the job was not finished, so it sends the same job to another Jenkins agent.
4 - The Jenkins agent runs the memory bomb and… breaks down.
5 - Go to step 2.
Memory BOMB (5 / 5)
➔ Less known but more effective in Docker.
➔ Today powerful computers can die very fast with no clue which pipeline is responsible.
➔ You can lose all your agents before you find where the problem is.
Fork BOMB! (1 / 2)
● A fork bomb is a type of attack that aims to exhaust a system by creating new processes recursively.
● It is very difficult to detect if you don't have a very good log system configured.
● Running it in a pipeline is so easy.
● In a multi-agent system the results are the same as with the memory bomb.
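Added example, not from the original deck, of the conservative per-process limits that the ZIP, memory and fork bomb slides call for: a step runner that applies rlimits in the child before exec, so a constructed step that asks for more memory than its budget fails on its own instead of taking the agent down. It assumes Linux, and the limit values are illustrative:

```python
import resource
import subprocess
import sys

MB = 1024 * 1024


def run_limited(cmd, max_mem_mb=512, max_cpu_seconds=60, max_file_mb=256, max_procs=None):
    """Run one pipeline step as a child process with hard resource ceilings.

    The limits are applied in the child between fork and exec, so they also
    bind anything the step spawns. Returns the child's exit status; a step
    that blows past its memory budget fails instead of exhausting the host.
    Linux-specific: RLIMIT_AS is not enforced the same way on every platform.
    """

    def apply_limits():
        mem = max_mem_mb * MB
        resource.setrlimit(resource.RLIMIT_AS, (mem, mem))  # address space ceiling
        resource.setrlimit(resource.RLIMIT_CPU, (max_cpu_seconds, max_cpu_seconds))
        fsize = max_file_mb * MB
        resource.setrlimit(resource.RLIMIT_FSIZE, (fsize, fsize))  # largest file it may write
        if max_procs is not None:
            # Caps fork(). On Linux RLIMIT_NPROC counts every process of the
            # user, so give each agent its own dedicated build user.
            resource.setrlimit(resource.RLIMIT_NPROC, (max_procs, max_procs))

    completed = subprocess.run(
        cmd,
        preexec_fn=apply_limits,
        capture_output=True,
        text=True,
        timeout=max_cpu_seconds + 30,  # wall-clock guard for steps that sleep instead of compute
    )
    return completed.returncode


# Two constructed "steps" written in Python so the example needs no other tooling:
# one stays within budget, the other asks for four gigabytes at once.
WELL_BEHAVED_STEP = [sys.executable, "-c",
                     "data = bytearray(16 * 1024 * 1024); print(len(data))"]
GREEDY_STEP = [sys.executable, "-c",
               "data = bytearray(4 * 1024 * 1024 * 1024); print(len(data))"]


def well_behaved_exit_code():
    return run_limited(WELL_BEHAVED_STEP, max_mem_mb=512)


def greedy_exit_code():
    # MemoryError inside the child gives a non-zero exit; the agent itself is untouched.
    return run_limited(GREEDY_STEP, max_mem_mb=512)


if __name__ == "__main__":
    print("well-behaved step exit code:", well_behaved_exit_code())
    print("greedy step exit code:", greedy_exit_code())
```

On agents that run steps inside containers the same ceilings belong in the container runtime's memory, CPU and pids limits, which bound the whole process tree rather than a single child.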
In production
Is your API Honest!?
The API contract must be fulfilled. No less, no more. The "more" is the more problematic.
● Do you use a threat model on your APIs?
● How do you know all the endpoints that you have deployed?
● Are debug URLs open in production?
Keep SECRETS safe!
Containers are just a bunch of deltas on a file storage plus a lot of cleverness around them. Don't forget that layers can be accessed.
● Do you store secrets in your containers?
● Do you store security configurations in your containers?
● Do you store intellectual property in your containers?
● Where are your containers published?
In the infrastructure
IN THE INFRASTRUCTURE
The Evil Alias!
● An old attack, but still useful.
● Alias commands could be the best trojan in a system.
● They are very complicated to detect.
Perform a proper hardening of your host systems and be careful with bot users.
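Added example, not from the original deck: a small audit of shell start-up files that reports aliases and functions shadowing sensitive commands, run over a constructed .bashrc such as a build or bot user might carry; the watch list and the "chaining" heuristic are assumptions to adapt to your hosts:

```python
import re

# Commands whose aliasing or shadowing deserves a look (constructed watch list).
SENSITIVE = {"sudo", "su", "ssh", "scp", "git", "docker", "kubectl", "curl", "wget", "passwd"}

ALIAS_RE = re.compile(r"^\s*alias\s+([A-Za-z0-9_.-]+)=(?:'([^']*)'|\"([^\"]*)\"|(\S+))")
FUNC_RE = re.compile(r"^\s*(?:function\s+)?([A-Za-z0-9_.-]+)\s*\(\)\s*\{")
CHAIN_RE = re.compile(r"[;&|`]|\$\(")  # the alias runs more than one command


def audit_rc(text: str):
    """Return (line_number, reason, name) for suspicious aliases and functions."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        alias = ALIAS_RE.match(line)
        if alias:
            name = alias.group(1)
            body = alias.group(2) or alias.group(3) or alias.group(4) or ""
            if name in SENSITIVE:
                findings.append((number, "alias shadows sensitive command", name))
            elif CHAIN_RE.search(body):
                # Heuristic: an alias that chains commands is where extra behaviour hides.
                findings.append((number, "alias chains several commands", name))
            continue
        func = FUNC_RE.match(line)
        if func and func.group(1) in SENSITIVE:
            findings.append((number, "function shadows sensitive command", func.group(1)))
    return findings


# Constructed .bashrc for this example; nothing here is taken from a real host.
SAMPLE_BASHRC = """\
# constructed start-up file
alias ll='ls -alF'
alias sudo='sudo -E'
alias gs='git status && git diff | head'
git() { command git "$@"; }
export EDITOR=vim
"""


def audit_sample():
    return audit_rc(SAMPLE_BASHRC)


if __name__ == "__main__":
    for number, reason, name in audit_sample():
        print(f"line {number}: {reason}: {name}")
```

Aliases can also be injected through /etc/profile.d, ~/.profile, ~/.bash_profile or a modified PATH, so run the audit over every file the login shell sources, and compare the results against a known-good baseline.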
The Shared infra!
● Do you deploy the C.I. software in your own infrastructure?
● Do you have network isolation between the building software and the production machines?
● Do you remember the scan using Jenkins? Can you imagine using that with Metasploit against production machines?
➔ PLEASE use isolated networks (VPC, VLAN or something applicable to your infrastructure).
➔ If your C.I. system needs access to the production machines, use LIMITED access API keys.
Keep this in mind
Conclusions
➔ Who will watch the watchers? Manage your CI/CD as critical software (because it is).
➔ Assume that you have a lot of potential insider attackers.
➔ Protect your C.I. as you protect your production systems.
➔ Monitoring. Always monitoring. Not only in the building step.
QUIS CUSTODIET IPSOS CUSTODES?
https://www.99cs.io
We're working on a free online book about the controls in this presentation.

Vulnerability Management: A Comprehensive Overview
Steven Carlson
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
ldtexsolbl
 
Figma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdfFigma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdf
Management Institute of Skills Development
 
Salesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot WorkshopSalesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot Workshop
CEPTES Software Inc
 
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-InTrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc
 
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes..."Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
Anant Gupta
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
maigasapphire
 
Choose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presenceChoose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presence
rajancomputerfbd
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Networks
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
Google Developer Group - Harare
 
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSECHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
kumarjarun2010
 
July Patch Tuesday
July Patch TuesdayJuly Patch Tuesday
July Patch Tuesday
Ivanti
 
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
Edge AI and Vision Alliance
 

Recently uploaded (20)

High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
 
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyyActive Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
 
The importance of Quality Assurance for ICT Standardization
The importance of Quality Assurance for ICT StandardizationThe importance of Quality Assurance for ICT Standardization
The importance of Quality Assurance for ICT Standardization
 
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
 
The Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF GuideThe Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF Guide
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
 
Figma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdfFigma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdf
 
Salesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot WorkshopSalesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot Workshop
 
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-InTrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
 
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes..."Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
 
Choose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presenceChoose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presence
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
 
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSECHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
 
July Patch Tuesday
July Patch TuesdayJuly Patch Tuesday
July Patch Tuesday
 
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
 

Sonatype DevSecOps Leadership forum 2020

  • 1. How Hackers Can Break Your CI/CD Infrastructure

  • 2. WHO WE ARE Security research. Hacking tools developer, DevSecOps. Python developer. Daniel García (cr0hn) Can’t define myself. I go where my curiosity drives to. Most of the time goes bad. I process TeraBytes for breakfast. César Gallego @ggdaniel https://bit.do/cr0hn @CesarGallegoR https://bit.do/cesar-gallego
  • 3. Disclaimer! Any opinions expressed are personal opinions and don’t represent our employer’s view in any way
  • 5. CONTINUOUS DELIVERY VS CONTINUOUS DEPLOYMENT
  • 10. STEPS IN BUILDING SOFTWARE CONSTRUCTION User Code Building step Deployment step Production
  • 11. Follow us down the rabbit hole Starting the journey
  • 13. IN THE SOURCE CODE User Code Building step Deployment step Production
  • 14. Not all StackOverflow people are good persons (or even humans). In STACK OVERFLOW Works Great! https://trojan-killer.net/the-most-copied-piece-of-java-code-on-stackoverflow-contains-an-error/
  • 15. ● Are your developers using safe libraries? ● Do you check the libraries they use? ● Even more… do they ask you for advice when choosing a new library? All Libraries Allowed! https://securityintelligence.com/news/popular-javascript-library-for-node-js-infected-with-malware-to-empty-bitcoin-wallets/ Do you trust all libraries? So you know that all libraries are malware / vulnerability free?
  • 16. ● Passwords ● API keys ● Private keys ● …. SECRETS & LEAKS
  • 18. IN THE BUILDING STEP User Code Building step Deployment step Production
  • 19. ● What if a user can execute anything in a Pipeline? ● What if the C.I. has not limited the outbound traffic? A reverse Shell in the Pipeline https://alionder.net/jenkins-script-console-code-exec-reverse-shell-java-deserialization/ Limit user permissions and outbound destinations
  • 21. ● Do you control what a developer can download when they run in a pipeline? ● Do you control which commands a developer can launch from a C.I. / C.D. configuration file? (Jenkinsfile, gitlab.yaml…) ● Is your C.I / C.D. in a different network? Are you sure? The EVIL AGENT (1 / 3)
  • 23. The EVIL AGENT (3 / 3) ➔ Limit internet access in the pipeline. ➔ Harden the infrastructure correctly. ➔ Fix the execution permissions.
  • 24. ● Is your company using free tier services? ● Does your company have a GitHub Business account? The Greedy Service consumer! Keep in mind that free tiers have limits by IP, like GitHub, Google Maps… If your deploy relies on these services it may get stuck if someone exceeds the IP quota.
  • 25. A git bomb cannot be cloned. Only a problem with old git versions; be aware in your older systems. The Git BOMB! ● Are your commits PGP signed? ● Do you know who has access rights? ● Are you using third party repositories?
  • 26. Allow only some agents to publish images. Check the contents of docker layers. Check the Dockerfile. The DOCKER HUB Leak! ● Do you have your own container registry? ● Do you check your Dockerfiles? ● Do your pipelines have permissions and access to publish to Docker Hub?
  • 27. A very fat container can use up all free space and prevent new docker builds. A fat container makes deployment a slow and error prone process. The Fat DOCKER! ● Do you inspect your Dockerfiles? ● Do you have Docker builds correctly configured? ● Do you control where layers are built?
  • 29. IN THE DEPLOYMENT STEP User Code Building step Deployment step Production
  • 30. Modifying a Jar to add a trojan is very easy. Hard to detect and can be unbelievably persistent. The Trojan Jar! ● Do you suffer from Jar Hell? ● Do your servers have outdated Java stuff? ● Does your company have no java artefact repo?
  • 31. ● The ZIP Bomb is an old attack. ● The attack is very simple but very effective. ● Some systems have basic routines to detect these kinds of attacks. The ZIP BOMB (1 / 4)
  • 32. ● Most packaged software is packed as a ZIP file: .jar, .war, .docx, .xlsx…. ● Some Application Servers auto-deploy them when files are put in a specific path ● What if we put a ZIP bomb renamed as a valid packaged Application for a Tomcat? The ZIP BOMB (2 / 4)
  • 34. Harden the host correctly and set conservative limits on the files, CPU and memory that a process can get. The ZIP BOMB (4 / 4)
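An added example, not from the talk, of the "basic routines to detect these kinds of attacks" for ZIP-based artifacts: it reads the declared sizes and compression ratio of a .war before it reaches an auto-deploy path, and separately enforces a byte budget while extracting, because the declared sizes are attacker-controlled. The limits, member names and sample archives are constructed for the example.

```python
import io
import zipfile

# Constructed policy limits for this example; tune them to your own artifacts.
MAX_TOTAL_UNCOMPRESSED = 200 * 1024 * 1024   # 200 MiB across all members
MAX_RATIO = 100.0                            # declared uncompressed / compressed
NESTED_SUFFIXES = (".zip", ".jar", ".war", ".ear")


def inspect_zip(data: bytes) -> dict:
    """Read only the central directory (declared sizes); nothing is extracted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    uncompressed = sum(i.file_size for i in infos)
    compressed = sum(i.compress_size for i in infos)
    nested = [i.filename for i in infos if i.filename.lower().endswith(NESTED_SUFFIXES)]
    return {"entries": len(infos), "uncompressed": uncompressed,
            "ratio": uncompressed / max(compressed, 1), "nested": nested}


def deploy_verdict(data: bytes) -> tuple[bool, str]:
    """Gate a .jar/.war before it reaches an auto-deploy directory."""
    s = inspect_zip(data)
    if s["uncompressed"] > MAX_TOTAL_UNCOMPRESSED:
        return False, f"declared size too large: {s['uncompressed']} bytes"
    if s["ratio"] > MAX_RATIO:
        return False, f"suspicious compression ratio: {s['ratio']:.0f}:1"
    if s["nested"]:
        return False, f"nested archives need their own inspection: {s['nested']}"
    return True, "ok"


def extract_bounded(data: bytes, budget: int = MAX_TOTAL_UNCOMPRESSED) -> dict:
    """Declared sizes are attacker-controlled, so also count the real bytes
    while streaming them out and stop before the disk (or RAM) fills up."""
    out, written = {}, 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            chunks = []
            with zf.open(info) as fh:
                while chunk := fh.read(1 << 20):
                    written += len(chunk)
                    if written > budget:
                        raise ValueError(f"byte budget exceeded at {info.filename}")
                    chunks.append(chunk)
            out[info.filename] = b"".join(chunks)
    return out


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build an archive in memory (constructed test input, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a tiny plausible .war and a zero-padded "bomb" that
# stays under the size limit but is caught by the ratio check.
BENIGN_WAR = make_zip({"WEB-INF/web.xml": b"<web-app/>", "index.jsp": b"<html/>"})
BOMB_WAR = make_zip({"WEB-INF/web.xml": b"<web-app/>",
                     "WEB-INF/lib/pad.bin": b"\0" * (20 * 1024 * 1024)})
```

Nested archives are only reported, not expanded: a recursive check has to apply the same budget across every level.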
  • 35. ● A memory bomb is a type of attack that aims to fill all system memory. ● Not only RAM; SWAP is affected too. ● If you don't have limits on your host it can consume all of your HD space as SWAP space. Memory BOMB (1 / 5)
  • 36. ● What if you can run a memory bomb in a C.I. / C.D. system? ● What if the C.I. is deployed as multi-agent? Memory BOMB (2 / 5)
  • 37. Memory BOMB (3 / 5) Jenkins behavior (diagram: a Jenkins master with several Jenkins agents): 1 - You put a memory bomb in your Jenkinsfile. 2 - The Jenkins master sends the job to a Jenkins agent, which runs the pipeline and the memory bomb, so the Jenkins agent host breaks down. 3 - The Jenkins master detects that the job was not finished, so it sends the same job to another Jenkins agent. 4 - The Jenkins agent runs the memory bomb and… breaks down. 5 - Go to step 2.
  • 39. ➔ Less known but more effective in Docker. ➔ Today powerful computers can die very fast with no clue about which pipeline is responsible. ➔ You can lose all your agents before you find where the problem is. Memory BOMB (5 / 5)
  • 40. ● A fork bomb is a type of attack that aims to exhaust a system by creating new processes recursively ● It is very difficult to detect if you don't have a very good log system configured ● Running one in a Pipeline is so easy ● In a multi-agent system the results are the same as with the Memory Bomb Fork BOMB! (1 / 2)
  • 43. The API contract must be fulfilled. No less, no more. The more is more problematic. Is your API Honest!? ● Do you use a threat model on your APIs? ● How do you know all the endpoints that you have deployed? ● Are debug urls open in production?
  • 44. Containers are just a bunch of deltas on a file storage and a lot of genius around. Don't forget that layers can be accessed. Keep SECRETS safe! ● Do you store secrets in your containers? ● Do you store security configurations in your containers? ● Do you store intellectual property in your containers? ● Where are your containers published?
  • 46. IN THE DEPLOYMENT STEP User Code Building step Deployment step Production
  • 47. ● Old hack attack but useful ● Alias commands could be the best trojan in a system. ● They are very complicated to detect The Evil Alias! Harden your host systems well & be careful with the bot users
  • 49. ● Do you deploy the C.I. software in your infrastructure? ● Do you have network isolation between the build systems and the production machines? ● Do you remember the scan using Jenkins? Can you imagine using that with Metasploit against Production machines? The Shared infra! ➔ PLEASE use isolated networks (VPC, VLAN or something applicable to your infrastructure) ➔ If your C.I. system needs access to the production machines, use LIMITED access API keys.
  • 50. Keep this in mind Conclusions
  • 51. ➔ Who will watch the watchers? Manage your CI/CD as critical software (because it is). ➔ Assume that you have a lot of potential insider attackers. ➔ Protect your C.I. like your production systems. ➔ Monitoring. Always monitoring. Not only in the building step. QUIS CUSTODIET IPSOS CUSTODES?
  • 52. https://www.99cs.io We're working on a free online book about the controls in this presentation