11-23, 17:05–17:50 (Europe/Vienna), Track 2 (3.1 (Kreativ))
Continuous Integration and Continuous Delivery systems are omnipresent in today's development workflows. They help developers to focus more on their actual programming duties by automating repetitive tasks and allow the periodic usage of security tools. But the messy truth is, that in many organizations they are simply taken for granted as yet another development tool instead of being recognized for what they are: a system at the core of your infrastructure with almost unbounded permissions.
This talk starts by elaborating why we even want and need CI systems in the first place, in order to build up the stage for the inherent security risks.
Those are outlined based on the new "OWASP Top 10 CI/CD Security Risks" list and augmented by recounting "war stories" from real world security assessments an breaches of CI systems.
Finally, a live demonstration shows, how easy an attacker can gain access to your build infrastructure via a malicious container image.
Content warning: You might be a lot more nervous about your dev environment when you return to work on monday.
Graduated in mathematics
Holistic perspective on computers: former developer, sysadmin, security officer, university teacher and even computer salesman
Now a security consultant specializing in application security
Open source lover