SlideShare ist ein Scribd-Unternehmen logo

12 tricks to avoid hackers breaks your CI / CD

Daniel Garcia (a.k.a cr0hn)
Daniel Garcia (a.k.a cr0hn)

When we build an CI / CD systems sometimes forget protect it and hackers can take advantage of that

Software
1 von 51
Downloaden Sie, um offline zu lesen
12 tricks to avoid hackers breaks your CI / CD
WHO WE ARE Security research. Hacking tools developer, DevSecOps. Python developer. Daniel García (cr0hn) Can’t define myself. I go where my curiosity drives to. Most of the time goes bad. I process TeraBytes for breakfast. César Gallego @ggdaniel https://bit.do/cr0hn @CesarGallegoR https://bit.do/cesar-gallego
Disclaimer! Any opinions expressed are personal opinions and don’t represent our employer’s view in any way
https://www.99cs.io We’re working on free online book this controls of this presentation. Leave us your email and we will notify you when it is published We’ll not SPAM you, we promise :)
Shared vocabulary Core Concepts
Legacy Systems
No CD OpsDev
No CI/CD OpsDev
Hell Dev
STEPS IN BUILDING SOFTWARE CONSTRUCTION User Code Building step Deployment step Production
STEPS IN BUILDING SOFTWARE CONSTRUCTION User Code Building step Deployment step Production
Follow us down the rabbit hole Starting the journey
In source code
IN THE SOURCE CODE User Code Building step Deployment step Production
No all StackOverflow people are good persons (or even humans) In STACK OVERFLOW Works Great! https://trojan-killer.net/the-most-copied-piece-of-java-code-on-stackoverflow-contains-an-error/
● Are your developers using safe libraries? ● Are you check the libraries they use? ● Even more… they ask you for advice when choice a new library? All Libraries Allowed! https://securityintelligence.com/news/popular-javascript-library-for-node-js-infected-with-malware-to-empty-bitcoin- wallets/ You trust all libraries? so you know that all libraries are malware / vulnerabilidades free?
● Passwords ● API keys ● Private keys ● …. SECRETS & LEAKS
In the building step
IN THE BUILDING STEP User Code Building step Deployment step Production
● What if an user can execute anything in a Pipeline? ● What if the C.I. has not limited the output traffic? A reverse Shell in the Pipeline https://alionder.net/jenkins-script-console-code-exec-reverse-shell-java-deserialization/ Limit user permissions and output destinations
https://www.youtube.com/watch?v=QDGGPoK4gbk
● Do you control what can download a developer when they runs in a pipeline? ● Do you control which command can launch a developer in a C.I. / C.D. configuration file? (Jenkinsfile, gitlab.yaml…) ● Is your C.I / C.D. in different network? Are you sure? The EVIL AGENT (1 / 3)
The EVIL AGENT (3 / 3) ➔ Limit internet access in the pipeline. ➔ Fix the execution permissions
● Is your company using free tier services? ● Has your company GitHub Business account? The Greedy Service consumer! Keep in mind that free tier has limits by IP. Like GitHub, Google Maps… If your deploy rely on this services may be stuck if someone exceed the IP quota.
● Is your company using free tier services? ● Has your company GitHub Business account? The Greedy Service consumer! Keep in mind that free tier has limits by IP. Like GitHub, Google Maps… If your deploy rely on this services may be stuck if someone exceed the IP quota.
A git Bomb cannot be cloned. Only a problem with old git versions. Be aware in your older systems. The Git BOMB! ● Are your commits PGP signed? ● You know who can access rights? ● Are you using third party repositories?
A very fat container can spend all free space and avoid new docker builds. A fat container make deploy a slow and error prone process. The Fat DOCKER! ● Do you inspect your Dockerfiles? ● Do you have Docker builds correctly configured? ● Do you control where layers are built?
In the deployment step
IN THE DEPLOYMENT STEP User Code Building step Deployment step Production
● ZIP Bomb is an old attack. ● The attack is very simple but very useful ● Some of system has basic routines to detect these kinds of attacks. The ZIP BOMB (1 / 4)
● Major of packaged software is packed as a ZIP file: .jar, .war, .docx, .xlsx…. ● Some Application Servers auto deploy them when put files in specific path ● What if we put a ZIP bomb renamed as a valid packed Application for a Tomcat? The ZIP BOMB (2 / 4)
Perform a correct hardening of host and set conservative limits of files, CPU and memory that a processes can get The ZIP BOMB (4/ 4)
● Memory bomb is type of attack that aims to fill all system memory. ● Not only RAM also SWAP is affected. ● If you don’t have limits in your host it can consume all of your HD space as a SWAP space. Memory BOMB (1 / 5)
● What if you can run a memory bomb in a C.I. / C.D. system? ● What if the C.I. is deployed as multi- agent? Memory BOMB (2 / 5)
Jenkins agent 1 Jenkins agent 1 Jenkins agent 1 Jenkins behavior: 1 - You put a memory bomb in your Jenkinsfile Memory BOMB (3 / 5) 2 - The Jenkins Master send to the job to an Jenkins agent and it runs the pipeline and the memory bomb. So the Jenkins agent host break down Jenkins master 3 - Jenkins Master detect that the jobs was not finished. So the send the same job to another Jenkins Agent 4 - Jenkins agent runs memory bomb and… break down 5 - Go to step 2
➔ Less known but more effective in Docker. ➔ Today powerful computers can die very fast with no clue who pipeline is responsible. ➔ You can lost all your agents before you find where the problem is. ➔ Limit jobs run retries ➔ Perform a correct Operation System Disk Partition Memory BOMB (5 / 5)
● Fork bomb is type of attack that aims exhaust a system by creating new processes recursively ● It very difficult to detect if you don’t have a very good log system configured ● Run in a Pipeline is so easy ● In multi-agent system the results are the same that with Memory Bomb Fork BOMB! (1 / 3)
➡ Perform a correct hardening of O.S. ➡ Limit tasks by user and process ➡ Improve monitoring Fork BOMB! (3 / 3)
In production
The API contract must be fulfilled. No less, No more. The more is more problematic. Is your API Honest!? ● Do you use thread model on you APIs? ● How do you know all the endpoints that you have deployed? ● Are debug url opened in production?
The API contract must be fulfilled. No less, No more. The more is more problematic. Is your API Honest!? ● Do you use thread model on you APIs? ● How do you know all the endpoints that you have deployed? ● Are debug url opened in production?
In the infrastructure
IN THE DEPLOYMENT STEP User Code Building step Deployment step Production
● Old hack attack but useful ● Alias commands could be the best trojan in a system. ● There are very complicated to detect The Evil Alias! Perform a well hardening of your host systems & be careful with the bot users
Keep this in mind Conclusions
➔ Assume that you have a lot of potential insiders attackers. ➔ Protect your C.I. as your production systems. ➔ Monitoring. Always monitoring. Not only in the building step. QUIS CUSTODIET IPSOS CUSTODES?

Empfohlen

Rooted con 2020 - from the heaven to hell in the CI - CD
Rooted con 2020 - from the heaven to hell in the CI - CDRooted con 2020 - from the heaven to hell in the CI - CD
Rooted con 2020 - from the heaven to hell in the CI - CDDaniel Garcia (a.k.a cr0hn)
 
Sonatype DevSecOps Leadership forum 2020
Sonatype DevSecOps Leadership forum 2020Sonatype DevSecOps Leadership forum 2020
Sonatype DevSecOps Leadership forum 2020Daniel Garcia (a.k.a cr0hn)
 
Patterns and antipatterns in Docker image lifecycle as was presented at DC Do...
Patterns and antipatterns in Docker image lifecycle as was presented at DC Do...Patterns and antipatterns in Docker image lifecycle as was presented at DC Do...
Patterns and antipatterns in Docker image lifecycle as was presented at DC Do...Baruch Sadogursky
 
Steve Sfartz - How to embed Messaging and Video in your apps - Codemotion Mil...
Steve Sfartz - How to embed Messaging and Video in your apps - Codemotion Mil...Steve Sfartz - How to embed Messaging and Video in your apps - Codemotion Mil...
Steve Sfartz - How to embed Messaging and Video in your apps - Codemotion Mil...Codemotion
 
Documenting apps ti confnyc
Documenting apps ti confnycDocumenting apps ti confnyc
Documenting apps ti confnycJamil Spain
 
Magento Continuous Integration & Continuous Delivery @MM17HR
Magento Continuous Integration & Continuous Delivery @MM17HRMagento Continuous Integration & Continuous Delivery @MM17HR
Magento Continuous Integration & Continuous Delivery @MM17HRDenis Ristic
 
Get involved in Open Source
Get involved in Open SourceGet involved in Open Source
Get involved in Open SourceJoe Brinkman
 
Write microservice in golang
Write microservice in golangWrite microservice in golang
Write microservice in golangBo-Yi Wu
 

Empfohlen

Rooted con 2020 - from the heaven to hell in the CI - CD
Rooted con 2020 - from the heaven to hell in the CI - CDRooted con 2020 - from the heaven to hell in the CI - CD
Rooted con 2020 - from the heaven to hell in the CI - CDDaniel Garcia (a.k.a cr0hn)
 
Sonatype DevSecOps Leadership forum 2020
Sonatype DevSecOps Leadership forum 2020Sonatype DevSecOps Leadership forum 2020
Sonatype DevSecOps Leadership forum 2020Daniel Garcia (a.k.a cr0hn)
 
Patterns and antipatterns in Docker image lifecycle as was presented at DC Do...
Patterns and antipatterns in Docker image lifecycle as was presented at DC Do...Patterns and antipatterns in Docker image lifecycle as was presented at DC Do...
Patterns and antipatterns in Docker image lifecycle as was presented at DC Do...Baruch Sadogursky
 
Steve Sfartz - How to embed Messaging and Video in your apps - Codemotion Mil...
Steve Sfartz - How to embed Messaging and Video in your apps - Codemotion Mil...Steve Sfartz - How to embed Messaging and Video in your apps - Codemotion Mil...
Steve Sfartz - How to embed Messaging and Video in your apps - Codemotion Mil...Codemotion
 
Documenting apps ti confnyc
Documenting apps ti confnycDocumenting apps ti confnyc
Documenting apps ti confnycJamil Spain
 
Magento Continuous Integration & Continuous Delivery @MM17HR
Magento Continuous Integration & Continuous Delivery @MM17HRMagento Continuous Integration & Continuous Delivery @MM17HR
Magento Continuous Integration & Continuous Delivery @MM17HRDenis Ristic
 
Get involved in Open Source
Get involved in Open SourceGet involved in Open Source
Get involved in Open SourceJoe Brinkman
 
Write microservice in golang
Write microservice in golangWrite microservice in golang
Write microservice in golangBo-Yi Wu
 
LCE12: Intro Training: Upstreaming 101
LCE12: Intro Training: Upstreaming 101LCE12: Intro Training: Upstreaming 101
LCE12: Intro Training: Upstreaming 101Linaro
 
Continuous Integration @ MeetMagento Germany 2015
Continuous Integration @ MeetMagento Germany 2015Continuous Integration @ MeetMagento Germany 2015
Continuous Integration @ MeetMagento Germany 2015Aleksey Razbakov
 
Porque Odeio Branches
Porque Odeio BranchesPorque Odeio Branches
Porque Odeio BranchesRafael Petry
 
scaling compiled applications - highload 2013
scaling compiled applications - highload 2013scaling compiled applications - highload 2013
scaling compiled applications - highload 2013ice799
 
Pluginize ALL the things
Pluginize ALL the thingsPluginize ALL the things
Pluginize ALL the thingsJose Diaz-Gonzalez
 
DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...
DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...
DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...Felipe Prado
 
Unit Testing TypeScript
Unit Testing TypeScriptUnit Testing TypeScript
Unit Testing TypeScriptDaniel Jimenez Garcia
 
Devops is (not ) a buzzword
Devops is (not ) a buzzwordDevops is (not ) a buzzword
Devops is (not ) a buzzwordMiguel Fonseca
 
Pipeline as code for your infrastructure as Code
Pipeline as code for your infrastructure as CodePipeline as code for your infrastructure as Code
Pipeline as code for your infrastructure as CodeKris Buytaert
 
JUC Europe 2015: Continuous Integration and Distribution in the Cloud with DE...
JUC Europe 2015: Continuous Integration and Distribution in the Cloud with DE...JUC Europe 2015: Continuous Integration and Distribution in the Cloud with DE...
JUC Europe 2015: Continuous Integration and Distribution in the Cloud with DE...CloudBees
 
A Modest Introduction to Swift
A Modest Introduction to SwiftA Modest Introduction to Swift
A Modest Introduction to SwiftJohn Anderson
 
2017 DevSecCon ZAP Scripting Workshop
2017 DevSecCon ZAP Scripting Workshop2017 DevSecCon ZAP Scripting Workshop
2017 DevSecCon ZAP Scripting WorkshopSimon Bennetts
 
The way Devs do Ops
The way Devs do OpsThe way Devs do Ops
The way Devs do OpsMiguel Fonseca
 
TDC2016SP - Trilha DevOps Java
TDC2016SP - Trilha DevOps JavaTDC2016SP - Trilha DevOps Java
TDC2016SP - Trilha DevOps Javatdc-globalcode
 
Master Continuous Delivery with CloudBees Jenkins Platform
Master Continuous Delivery with CloudBees Jenkins PlatformMaster Continuous Delivery with CloudBees Jenkins Platform
Master Continuous Delivery with CloudBees Jenkins Platformdcjuengst
 
The New York Times: Sustainable Systems, Powered by Python
The New York Times: Sustainable Systems, Powered by PythonThe New York Times: Sustainable Systems, Powered by Python
The New York Times: Sustainable Systems, Powered by PythonAll Things Open
 
Elixir koans
Elixir koansElixir koans
Elixir koansRuben Amortegui
 
Мониторинг облачной CI-системы на примере Jenkins / Александр Акбашев (HERE T...
Мониторинг облачной CI-системы на примере Jenkins / Александр Акбашев (HERE T...Мониторинг облачной CI-системы на примере Jenkins / Александр Акбашев (HERE T...
Мониторинг облачной CI-системы на примере Jenkins / Александр Акбашев (HERE T...Ontico
 
Infrastructure as code might be literally impossible / Joe Domato (packageclo...
Infrastructure as code might be literally impossible / Joe Domato (packageclo...Infrastructure as code might be literally impossible / Joe Domato (packageclo...
Infrastructure as code might be literally impossible / Joe Domato (packageclo...Ontico
 
Developing for LinkedIn's Application Platform
Developing for LinkedIn's Application PlatformDeveloping for LinkedIn's Application Platform
Developing for LinkedIn's Application PlatformTaylor Singletary
 
Hacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsHacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsNetsparker
 
Debugging ZFS: From Illumos to Linux
Debugging ZFS: From Illumos to LinuxDebugging ZFS: From Illumos to Linux
Debugging ZFS: From Illumos to LinuxSerapheim-Nikolaos Dimitropoulos
 

Weitere ähnliche Inhalte

Was ist angesagt?

LCE12: Intro Training: Upstreaming 101
LCE12: Intro Training: Upstreaming 101LCE12: Intro Training: Upstreaming 101
LCE12: Intro Training: Upstreaming 101Linaro
 
Continuous Integration @ MeetMagento Germany 2015
Continuous Integration @ MeetMagento Germany 2015Continuous Integration @ MeetMagento Germany 2015
Continuous Integration @ MeetMagento Germany 2015Aleksey Razbakov
 
Porque Odeio Branches
Porque Odeio BranchesPorque Odeio Branches
Porque Odeio BranchesRafael Petry
 
scaling compiled applications - highload 2013
scaling compiled applications - highload 2013scaling compiled applications - highload 2013
scaling compiled applications - highload 2013ice799
 
DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...
DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...
DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...Felipe Prado
 
Devops is (not ) a buzzword
Devops is (not ) a buzzwordDevops is (not ) a buzzword
Devops is (not ) a buzzwordMiguel Fonseca
 
Pipeline as code for your infrastructure as Code
Pipeline as code for your infrastructure as CodePipeline as code for your infrastructure as Code
Pipeline as code for your infrastructure as CodeKris Buytaert
 
JUC Europe 2015: Continuous Integration and Distribution in the Cloud with DE...
JUC Europe 2015: Continuous Integration and Distribution in the Cloud with DE...JUC Europe 2015: Continuous Integration and Distribution in the Cloud with DE...
JUC Europe 2015: Continuous Integration and Distribution in the Cloud with DE...CloudBees
 
A Modest Introduction to Swift
A Modest Introduction to SwiftA Modest Introduction to Swift
A Modest Introduction to SwiftJohn Anderson
 
2017 DevSecCon ZAP Scripting Workshop
2017 DevSecCon ZAP Scripting Workshop2017 DevSecCon ZAP Scripting Workshop
2017 DevSecCon ZAP Scripting WorkshopSimon Bennetts
 
TDC2016SP - Trilha DevOps Java
TDC2016SP - Trilha DevOps JavaTDC2016SP - Trilha DevOps Java
TDC2016SP - Trilha DevOps Javatdc-globalcode
 
Master Continuous Delivery with CloudBees Jenkins Platform
Master Continuous Delivery with CloudBees Jenkins PlatformMaster Continuous Delivery with CloudBees Jenkins Platform
Master Continuous Delivery with CloudBees Jenkins Platformdcjuengst
 
The New York Times: Sustainable Systems, Powered by Python
The New York Times: Sustainable Systems, Powered by PythonThe New York Times: Sustainable Systems, Powered by Python
The New York Times: Sustainable Systems, Powered by PythonAll Things Open
 
Мониторинг облачной CI-системы на примере Jenkins / Александр Акбашев (HERE T...
Мониторинг облачной CI-системы на примере Jenkins / Александр Акбашев (HERE T...Мониторинг облачной CI-системы на примере Jenkins / Александр Акбашев (HERE T...
Мониторинг облачной CI-системы на примере Jenkins / Александр Акбашев (HERE T...Ontico
 
Infrastructure as code might be literally impossible / Joe Domato (packageclo...
Infrastructure as code might be literally impossible / Joe Domato (packageclo...Infrastructure as code might be literally impossible / Joe Domato (packageclo...
Infrastructure as code might be literally impossible / Joe Domato (packageclo...Ontico
 
Developing for LinkedIn's Application Platform
Developing for LinkedIn's Application PlatformDeveloping for LinkedIn's Application Platform
Developing for LinkedIn's Application PlatformTaylor Singletary
 

Was ist angesagt? (20)

LCE12: Intro Training: Upstreaming 101
LCE12: Intro Training: Upstreaming 101LCE12: Intro Training: Upstreaming 101
LCE12: Intro Training: Upstreaming 101
 
Continuous Integration @ MeetMagento Germany 2015
Continuous Integration @ MeetMagento Germany 2015Continuous Integration @ MeetMagento Germany 2015
Continuous Integration @ MeetMagento Germany 2015
 
Porque Odeio Branches
Porque Odeio BranchesPorque Odeio Branches
Porque Odeio Branches
 
scaling compiled applications - highload 2013
scaling compiled applications - highload 2013scaling compiled applications - highload 2013
scaling compiled applications - highload 2013
 
Pluginize ALL the things
Pluginize ALL the thingsPluginize ALL the things
Pluginize ALL the things
 
DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...
DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...
DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...
 
Unit Testing TypeScript
Unit Testing TypeScriptUnit Testing TypeScript
Unit Testing TypeScript
 
Devops is (not ) a buzzword
Devops is (not ) a buzzwordDevops is (not ) a buzzword
Devops is (not ) a buzzword
 
Pipeline as code for your infrastructure as Code
Pipeline as code for your infrastructure as CodePipeline as code for your infrastructure as Code
Pipeline as code for your infrastructure as Code
 
JUC Europe 2015: Continuous Integration and Distribution in the Cloud with DE...
JUC Europe 2015: Continuous Integration and Distribution in the Cloud with DE...JUC Europe 2015: Continuous Integration and Distribution in the Cloud with DE...
JUC Europe 2015: Continuous Integration and Distribution in the Cloud with DE...
 
A Modest Introduction to Swift
A Modest Introduction to SwiftA Modest Introduction to Swift
A Modest Introduction to Swift
 
2017 DevSecCon ZAP Scripting Workshop
2017 DevSecCon ZAP Scripting Workshop2017 DevSecCon ZAP Scripting Workshop
2017 DevSecCon ZAP Scripting Workshop
 
The way Devs do Ops
The way Devs do OpsThe way Devs do Ops
The way Devs do Ops
 
TDC2016SP - Trilha DevOps Java
TDC2016SP - Trilha DevOps JavaTDC2016SP - Trilha DevOps Java
TDC2016SP - Trilha DevOps Java
 
Master Continuous Delivery with CloudBees Jenkins Platform
Master Continuous Delivery with CloudBees Jenkins PlatformMaster Continuous Delivery with CloudBees Jenkins Platform
Master Continuous Delivery with CloudBees Jenkins Platform
 
The New York Times: Sustainable Systems, Powered by Python
The New York Times: Sustainable Systems, Powered by PythonThe New York Times: Sustainable Systems, Powered by Python
The New York Times: Sustainable Systems, Powered by Python
 
Elixir koans
Elixir koansElixir koans
Elixir koans
 
Мониторинг облачной CI-системы на примере Jenkins / Александр Акбашев (HERE T...
Мониторинг облачной CI-системы на примере Jenkins / Александр Акбашев (HERE T...Мониторинг облачной CI-системы на примере Jenkins / Александр Акбашев (HERE T...
Мониторинг облачной CI-системы на примере Jenkins / Александр Акбашев (HERE T...
 
Infrastructure as code might be literally impossible / Joe Domato (packageclo...
Infrastructure as code might be literally impossible / Joe Domato (packageclo...Infrastructure as code might be literally impossible / Joe Domato (packageclo...
Infrastructure as code might be literally impossible / Joe Domato (packageclo...
 
Developing for LinkedIn's Application Platform
Developing for LinkedIn's Application PlatformDeveloping for LinkedIn's Application Platform
Developing for LinkedIn's Application Platform
 

Ähnlich wie 12 tricks to avoid hackers breaks your CI / CD

Hacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsHacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsNetsparker
 
PHP Mega Meetup, Sep, 2020, Anti patterns in php
PHP Mega Meetup, Sep, 2020, Anti patterns in phpPHP Mega Meetup, Sep, 2020, Anti patterns in php
PHP Mega Meetup, Sep, 2020, Anti patterns in phpAhmed Abdou
 
[2020 git lab commit] continuous infrastructure
[2020 git lab commit] continuous infrastructure[2020 git lab commit] continuous infrastructure
[2020 git lab commit] continuous infrastructureRodrigo Stefani Domingues
 
How to get started with Site Reliability Engineering
How to get started with Site Reliability EngineeringHow to get started with Site Reliability Engineering
How to get started with Site Reliability EngineeringAndrew Kirkpatrick
 
TSC Summit #3 - Reverse engineering and anti debugging techniques
TSC Summit #3 - Reverse engineering and anti debugging techniquesTSC Summit #3 - Reverse engineering and anti debugging techniques
TSC Summit #3 - Reverse engineering and anti debugging techniquesMikal Villa
 
What every C++ programmer should know about modern compilers (w/ comments, AC...
What every C++ programmer should know about modern compilers (w/ comments, AC...What every C++ programmer should know about modern compilers (w/ comments, AC...
What every C++ programmer should know about modern compilers (w/ comments, AC...Sławomir Zborowski
 
How go makes us faster (May 2015)
How go makes us faster (May 2015)How go makes us faster (May 2015)
How go makes us faster (May 2015)Wilfried Schobeiri
 
Sensepost assessment automation
Sensepost assessment automationSensepost assessment automation
Sensepost assessment automationSensePost
 
Writing code well: tools, tips and tricks
Writing code well: tools, tips and tricks Writing code well: tools, tips and tricks
Writing code well: tools, tips and tricks FogGuru MSCA Project
 
Compilers programmingembedded
Compilers programmingembeddedCompilers programmingembedded
Compilers programmingembeddedManish Pandey
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsShakacon
 
Untangling fall2017 week2
Untangling fall2017 week2Untangling fall2017 week2
Untangling fall2017 week2Derek Jacoby
 
Untangling fall2017 week2_try2
Untangling fall2017 week2_try2Untangling fall2017 week2_try2
Untangling fall2017 week2_try2Derek Jacoby
 
Introduction to DevOps
Introduction to DevOpsIntroduction to DevOps
Introduction to DevOpsOmid Vahdaty
 
My "Perfect" Toolchain Setup for Grails Projects
My "Perfect" Toolchain Setup for Grails ProjectsMy "Perfect" Toolchain Setup for Grails Projects
My "Perfect" Toolchain Setup for Grails ProjectsGR8Conf
 
Introduction to go lang
Introduction to go langIntroduction to go lang
Introduction to go langAmal Mohan N
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and TechniquesBala Subra
 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging TechniquesBala Subra
 

Ähnlich wie 12 tricks to avoid hackers breaks your CI / CD (20)

Hacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsHacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass Firewalls
 
Debugging ZFS: From Illumos to Linux
Debugging ZFS: From Illumos to LinuxDebugging ZFS: From Illumos to Linux
Debugging ZFS: From Illumos to Linux
 
PHP Mega Meetup, Sep, 2020, Anti patterns in php
PHP Mega Meetup, Sep, 2020, Anti patterns in phpPHP Mega Meetup, Sep, 2020, Anti patterns in php
PHP Mega Meetup, Sep, 2020, Anti patterns in php
 
[2020 git lab commit] continuous infrastructure
[2020 git lab commit] continuous infrastructure[2020 git lab commit] continuous infrastructure
[2020 git lab commit] continuous infrastructure
 
Us 17-krug-hacking-severless-runtimes
Us 17-krug-hacking-severless-runtimesUs 17-krug-hacking-severless-runtimes
Us 17-krug-hacking-severless-runtimes
 
How to get started with Site Reliability Engineering
How to get started with Site Reliability EngineeringHow to get started with Site Reliability Engineering
How to get started with Site Reliability Engineering
 
TSC Summit #3 - Reverse engineering and anti debugging techniques
TSC Summit #3 - Reverse engineering and anti debugging techniquesTSC Summit #3 - Reverse engineering and anti debugging techniques
TSC Summit #3 - Reverse engineering and anti debugging techniques
 
What every C++ programmer should know about modern compilers (w/ comments, AC...
What every C++ programmer should know about modern compilers (w/ comments, AC...What every C++ programmer should know about modern compilers (w/ comments, AC...
What every C++ programmer should know about modern compilers (w/ comments, AC...
 
How go makes us faster (May 2015)
How go makes us faster (May 2015)How go makes us faster (May 2015)
How go makes us faster (May 2015)
 
Sensepost assessment automation
Sensepost assessment automationSensepost assessment automation
Sensepost assessment automation
 
Writing code well: tools, tips and tricks
Writing code well: tools, tips and tricks Writing code well: tools, tips and tricks
Writing code well: tools, tips and tricks
 
Compilers programmingembedded
Compilers programmingembeddedCompilers programmingembedded
Compilers programmingembedded
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
 
Untangling fall2017 week2
Untangling fall2017 week2Untangling fall2017 week2
Untangling fall2017 week2
 
Untangling fall2017 week2_try2
Untangling fall2017 week2_try2Untangling fall2017 week2_try2
Untangling fall2017 week2_try2
 
Introduction to DevOps
Introduction to DevOpsIntroduction to DevOps
Introduction to DevOps
 
My "Perfect" Toolchain Setup for Grails Projects
My "Perfect" Toolchain Setup for Grails ProjectsMy "Perfect" Toolchain Setup for Grails Projects
My "Perfect" Toolchain Setup for Grails Projects
 
Introduction to go lang
Introduction to go langIntroduction to go lang
Introduction to go lang
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques
 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging Techniques
 

Mehr von Daniel Garcia (a.k.a cr0hn)

Rooted 2018 - Crawlino: The next level of crawling systems
Rooted 2018 - Crawlino: The next level of crawling systemsRooted 2018 - Crawlino: The next level of crawling systems
Rooted 2018 - Crawlino: The next level of crawling systemsDaniel Garcia (a.k.a cr0hn)
 
Ingenieria social aplicada: Mucho mas fácil de lo que parece
Ingenieria social aplicada: Mucho mas fácil de lo que pareceIngenieria social aplicada: Mucho mas fácil de lo que parece
Ingenieria social aplicada: Mucho mas fácil de lo que pareceDaniel Garcia (a.k.a cr0hn)
 
Ingeniería social aplicada: Mucho más fácil de lo que parece
Ingeniería social aplicada: Mucho más fácil de lo que pareceIngeniería social aplicada: Mucho más fácil de lo que parece
Ingeniería social aplicada: Mucho más fácil de lo que pareceDaniel Garcia (a.k.a cr0hn)
 
RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images
RootedCON 2017 - Docker might not be your friend. Trojanizing Docker imagesRootedCON 2017 - Docker might not be your friend. Trojanizing Docker images
RootedCON 2017 - Docker might not be your friend. Trojanizing Docker imagesDaniel Garcia (a.k.a cr0hn)
 
Identificando y rompiendo servicios de las 4 capas de TCP/IP
Identificando y rompiendo servicios de las 4 capas de TCP/IPIdentificando y rompiendo servicios de las 4 capas de TCP/IP
Identificando y rompiendo servicios de las 4 capas de TCP/IPDaniel Garcia (a.k.a cr0hn)
 
Cybercamp 2015 - Python, hacking y sec-tools desde las trincheras
Cybercamp 2015 - Python, hacking y sec-tools desde las trincherasCybercamp 2015 - Python, hacking y sec-tools desde las trincheras
Cybercamp 2015 - Python, hacking y sec-tools desde las trincherasDaniel Garcia (a.k.a cr0hn)
 
Tu DevOp me da trabajo: Soy auditor de seguridad
Tu DevOp me da trabajo: Soy auditor de seguridadTu DevOp me da trabajo: Soy auditor de seguridad
Tu DevOp me da trabajo: Soy auditor de seguridadDaniel Garcia (a.k.a cr0hn)
 
Scapy: Crear un Frankenstein de red y hacerlo pasar por el príncipe azul
Scapy: Crear un Frankenstein de red y hacerlo pasar por el príncipe azulScapy: Crear un Frankenstein de red y hacerlo pasar por el príncipe azul
Scapy: Crear un Frankenstein de red y hacerlo pasar por el príncipe azulDaniel Garcia (a.k.a cr0hn)
 
III Hack and beers: evadiendo técnicas de fingerprinting en Linux y Wordpress
III Hack and beers: evadiendo técnicas de fingerprinting en Linux y WordpressIII Hack and beers: evadiendo técnicas de fingerprinting en Linux y Wordpress
III Hack and beers: evadiendo técnicas de fingerprinting en Linux y WordpressDaniel Garcia (a.k.a cr0hn)
 
El poder de los reptiles: Hacer herramientas de hacking es fácil
El poder de los reptiles: Hacer herramientas de hacking es fácilEl poder de los reptiles: Hacer herramientas de hacking es fácil
El poder de los reptiles: Hacer herramientas de hacking es fácilDaniel Garcia (a.k.a cr0hn)
 
Qué es el fingerprinting: Definición, peligros y medidas mitigadoras
Qué es el fingerprinting: Definición, peligros y medidas mitigadorasQué es el fingerprinting: Definición, peligros y medidas mitigadoras
Qué es el fingerprinting: Definición, peligros y medidas mitigadorasDaniel Garcia (a.k.a cr0hn)
 

Mehr von Daniel Garcia (a.k.a cr0hn) (20)

Security in AWS Lambdas - NavajaNegra CON 2018
Security in AWS Lambdas - NavajaNegra CON 2018Security in AWS Lambdas - NavajaNegra CON 2018
Security in AWS Lambdas - NavajaNegra CON 2018
 
Rooted 2018 - Crawlino: The next level of crawling systems
Rooted 2018 - Crawlino: The next level of crawling systemsRooted 2018 - Crawlino: The next level of crawling systems
Rooted 2018 - Crawlino: The next level of crawling systems
 
Ingenieria social aplicada: Mucho mas fácil de lo que parece
Ingenieria social aplicada: Mucho mas fácil de lo que pareceIngenieria social aplicada: Mucho mas fácil de lo que parece
Ingenieria social aplicada: Mucho mas fácil de lo que parece
 
Ingeniería social aplicada: Mucho más fácil de lo que parece
Ingeniería social aplicada: Mucho más fácil de lo que pareceIngeniería social aplicada: Mucho más fácil de lo que parece
Ingeniería social aplicada: Mucho más fácil de lo que parece
 
RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images
RootedCON 2017 - Docker might not be your friend. Trojanizing Docker imagesRootedCON 2017 - Docker might not be your friend. Trojanizing Docker images
RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images
 
Identificando y rompiendo servicios de las 4 capas de TCP/IP
Identificando y rompiendo servicios de las 4 capas de TCP/IPIdentificando y rompiendo servicios de las 4 capas de TCP/IP
Identificando y rompiendo servicios de las 4 capas de TCP/IP
 
Security in NodeJS applications
Security in NodeJS applicationsSecurity in NodeJS applications
Security in NodeJS applications
 
RootedCON 2016 - Broker & MQ injection
RootedCON 2016 - Broker & MQ injectionRootedCON 2016 - Broker & MQ injection
RootedCON 2016 - Broker & MQ injection
 
Hacking y python: Hacking de redes con Python
Hacking y python: Hacking de redes con PythonHacking y python: Hacking de redes con Python
Hacking y python: Hacking de redes con Python
 
Cybercamp 2015 - Python, hacking y sec-tools desde las trincheras
Cybercamp 2015 - Python, hacking y sec-tools desde las trincherasCybercamp 2015 - Python, hacking y sec-tools desde las trincheras
Cybercamp 2015 - Python, hacking y sec-tools desde las trincheras
 
Tu DevOp me da trabajo: Soy auditor de seguridad
Tu DevOp me da trabajo: Soy auditor de seguridadTu DevOp me da trabajo: Soy auditor de seguridad
Tu DevOp me da trabajo: Soy auditor de seguridad
 
Scapy: Crear un Frankenstein de red y hacerlo pasar por el príncipe azul
Scapy: Crear un Frankenstein de red y hacerlo pasar por el príncipe azulScapy: Crear un Frankenstein de red y hacerlo pasar por el príncipe azul
Scapy: Crear un Frankenstein de red y hacerlo pasar por el príncipe azul
 
Topera: Evadiendo Snort con IPv6
Topera: Evadiendo Snort con IPv6Topera: Evadiendo Snort con IPv6
Topera: Evadiendo Snort con IPv6
 
III Hack and beers: evadiendo técnicas de fingerprinting en Linux y Wordpress
III Hack and beers: evadiendo técnicas de fingerprinting en Linux y WordpressIII Hack and beers: evadiendo técnicas de fingerprinting en Linux y Wordpress
III Hack and beers: evadiendo técnicas de fingerprinting en Linux y Wordpress
 
GoLismero: The Web Knife
GoLismero: The Web KnifeGoLismero: The Web Knife
GoLismero: The Web Knife
 
El poder de los reptiles: Hacer herramientas de hacking es fácil
El poder de los reptiles: Hacer herramientas de hacking es fácilEl poder de los reptiles: Hacer herramientas de hacking es fácil
El poder de los reptiles: Hacer herramientas de hacking es fácil
 
Cybercam 2014
Cybercam 2014Cybercam 2014
Cybercam 2014
 
Introduccion muy básica a Python
Introduccion muy básica a PythonIntroduccion muy básica a Python
Introduccion muy básica a Python
 
Qué es el fingerprinting: Definición, peligros y medidas mitigadoras
Qué es el fingerprinting: Definición, peligros y medidas mitigadorasQué es el fingerprinting: Definición, peligros y medidas mitigadoras
Qué es el fingerprinting: Definición, peligros y medidas mitigadoras
 
Extreme security in web servers
Extreme security in web serversExtreme security in web servers
Extreme security in web servers
 

Kürzlich hochgeladen

The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...aditisharan08
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 

Kürzlich hochgeladen (20)

The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 

12 tricks to avoid hackers breaks your CI / CD

  • 1. 12 tricks to avoid hackers breaks your CI / CD
  • 2. WHO WE ARE Security research. Hacking tools developer, DevSecOps. Python developer. Daniel García (cr0hn) Can’t define myself. I go where my curiosity drives to. Most of the time goes bad. I process TeraBytes for breakfast. César Gallego @ggdaniel https://bit.do/cr0hn @CesarGallegoR https://bit.do/cesar-gallego
  • 3. Disclaimer! Any opinions expressed are personal opinions and don’t represent our employer’s view in any way
  • 4. https://www.99cs.io We’re working on free online book this controls of this presentation. Leave us your email and we will notify you when it is published We’ll not SPAM you, we promise :)
  • 10. STEPS IN BUILDING SOFTWARE CONSTRUCTION User Code Building step Deployment step Production
  • 11. STEPS IN BUILDING SOFTWARE CONSTRUCTION User Code Building step Deployment step Production
  • 12. Follow us down the rabbit hole Starting the journey
  • 14. IN THE SOURCE CODE User Code Building step Deployment step Production
  • 15. No all StackOverflow people are good persons (or even humans) In STACK OVERFLOW Works Great! https://trojan-killer.net/the-most-copied-piece-of-java-code-on-stackoverflow-contains-an-error/
  • 16. ● Are your developers using safe libraries? ● Are you check the libraries they use? ● Even more… they ask you for advice when choice a new library? All Libraries Allowed! https://securityintelligence.com/news/popular-javascript-library-for-node-js-infected-with-malware-to-empty-bitcoin- wallets/ You trust all libraries? so you know that all libraries are malware / vulnerabilidades free?
  • 17. ● Passwords ● API keys ● Private keys ● …. SECRETS & LEAKS
  • 19. IN THE BUILDING STEP User Code Building step Deployment step Production
  • 20. ● What if an user can execute anything in a Pipeline? ● What if the C.I. has not limited the output traffic? A reverse Shell in the Pipeline https://alionder.net/jenkins-script-console-code-exec-reverse-shell-java-deserialization/ Limit user permissions and output destinations
  • 22. ● Do you control what can download a developer when they runs in a pipeline? ● Do you control which command can launch a developer in a C.I. / C.D. configuration file? (Jenkinsfile, gitlab.yaml…) ● Is your C.I / C.D. in different network? Are you sure? The EVIL AGENT (1 / 3)
  • 23.
  • 24. The EVIL AGENT (3 / 3) ➔ Limit internet access in the pipeline. ➔ Fix the execution permissions
  • 25. ● Is your company using free tier services? ● Has your company GitHub Business account? The Greedy Service consumer! Keep in mind that free tier has limits by IP. Like GitHub, Google Maps… If your deploy rely on this services may be stuck if someone exceed the IP quota.
  • 26. ● Is your company using free tier services? ● Has your company GitHub Business account? The Greedy Service consumer! Keep in mind that free tier has limits by IP. Like GitHub, Google Maps… If your deploy rely on this services may be stuck if someone exceed the IP quota.
  • 27. A git Bomb cannot be cloned. Only a problem with old git versions. Be aware in your older systems. The Git BOMB! ● Are your commits PGP signed? ● You know who can access rights? ● Are you using third party repositories?
  • 28. A very fat container can spend all free space and avoid new docker builds. A fat container make deploy a slow and error prone process. The Fat DOCKER! ● Do you inspect your Dockerfiles? ● Do you have Docker builds correctly configured? ● Do you control where layers are built?
  • 30. IN THE DEPLOYMENT STEP User Code Building step Deployment step Production
  • 31. ● ZIP Bomb is an old attack. ● The attack is very simple but very useful ● Some of system has basic routines to detect these kinds of attacks. The ZIP BOMB (1 / 4)
  • 32. ● Major of packaged software is packed as a ZIP file: .jar, .war, .docx, .xlsx…. ● Some Application Servers auto deploy them when put files in specific path ● What if we put a ZIP bomb renamed as a valid packed Application for a Tomcat? The ZIP BOMB (2 / 4)
  • 33.
  • 34. Perform a correct hardening of host and set conservative limits of files, CPU and memory that a processes can get The ZIP BOMB (4/ 4)
  • 35. ● Memory bomb is type of attack that aims to fill all system memory. ● Not only RAM also SWAP is affected. ● If you don’t have limits in your host it can consume all of your HD space as a SWAP space. Memory BOMB (1 / 5)
  • 36. ● What if you can run a memory bomb in a C.I. / C.D. system? ● What if the C.I. is deployed as multi- agent? Memory BOMB (2 / 5)
  • 37. Jenkins agent 1 Jenkins agent 1 Jenkins agent 1 Jenkins behavior: 1 - You put a memory bomb in your Jenkinsfile Memory BOMB (3 / 5) 2 - The Jenkins Master send to the job to an Jenkins agent and it runs the pipeline and the memory bomb. So the Jenkins agent host break down Jenkins master 3 - Jenkins Master detect that the jobs was not finished. So the send the same job to another Jenkins Agent 4 - Jenkins agent runs memory bomb and… break down 5 - Go to step 2
  • 38.
  • 39. ➔ Less known but more effective in Docker. ➔ Today powerful computers can die very fast with no clue who pipeline is responsible. ➔ You can lost all your agents before you find where the problem is. ➔ Limit jobs run retries ➔ Perform a correct Operation System Disk Partition Memory BOMB (5 / 5)
  • 40. ● Fork bomb is type of attack that aims exhaust a system by creating new processes recursively ● It very difficult to detect if you don’t have a very good log system configured ● Run in a Pipeline is so easy ● In multi-agent system the results are the same that with Memory Bomb Fork BOMB! (1 / 3)
  • 41.
  • 42. ➡ Perform a correct hardening of O.S. ➡ Limit tasks by user and process ➡ Improve monitoring Fork BOMB! (3 / 3)
  • 44. The API contract must be fulfilled. No less, No more. The more is more problematic. Is your API Honest!? ● Do you use thread model on you APIs? ● How do you know all the endpoints that you have deployed? ● Are debug url opened in production?
  • 45. The API contract must be fulfilled. No less, No more. The more is more problematic. Is your API Honest!? ● Do you use thread model on you APIs? ● How do you know all the endpoints that you have deployed? ● Are debug url opened in production?
  • 47. IN THE DEPLOYMENT STEP User Code Building step Deployment step Production
  • 48. ● Old hack attack but useful ● Alias commands could be the best trojan in a system. ● There are very complicated to detect The Evil Alias! Perform a well hardening of your host systems & be careful with the bot users
  • 49.
  • 50. Keep this in mind Conclusions
  • 51. ➔ Assume that you have a lot of potential insiders attackers. ➔ Protect your C.I. as your production systems. ➔ Monitoring. Always monitoring. Not only in the building step. QUIS CUSTODIET IPSOS CUSTODES?