The deputy shot the sheriff: Privilege escalation in build pipelines
Who is this presentation for?
- Software engineers, site reliability engineers, and test engineers
CI/CD systems are usually tightly coupled, and the CD part in particular inherits extensive administrative privileges combined with network access to production systems. We tend to believe that we only execute trusted software within those systems, but it quickly becomes clear that code from a huge variety of sources, none of it under your control, is loaded and executed there.
Andreas Sieferlinger walks you through how to identify the most relevant issues along the steps of real pipelines. You'll take a deep dive into the confused deputy, a trusted third party that can be tricked into abusing its privileges, and learn how directly associating code with its access permissions on a public cloud provider can eliminate the need to trust the components in between.
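One concrete form of the "direct association of code with access permissions" the abstract describes, as an added example that is not from the talk or its speaker: an audit of an AWS IAM role trust policy for a CI job that federates a workload identity (OIDC) token into the role, reporting statements that still trust every job at the provider (the confused deputy) instead of one code location. The account ID, repository name and the GitHub Actions condition keys are assumed placeholders; the weak and hardened policies are constructed samples.

```python
import json

# Assumed identity provider: the GitHub Actions OIDC condition keys stand in for
# whichever workload identity provider the pipeline federates through.
SUB_KEY = "token.actions.githubusercontent.com:sub"
AUD_KEY = "token.actions.githubusercontent.com:aud"
PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"  # placeholder account


def _statement(condition: dict) -> str:
    """Build a constructed trust policy with one federated AssumeRole statement."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition,
    }]})


# Constructed weak sample: every job from the provider is a deputy that may assume the role.
WEAK_TRUST_POLICY = _statement({"StringLike": {SUB_KEY: "repo:*"}})

# Constructed hardened sample: only code on one repository's main branch, with a token minted
# for this audience, can assume the role; runners and other pipelines in between get nothing.
HARDENED_TRUST_POLICY = _statement({"StringEquals": {
    AUD_KEY: "sts.amazonaws.com",
    SUB_KEY: "repo:example-org/example-service:ref:refs/heads/main",
}})


def trust_policy_findings(policy_json: str) -> list[str]:
    """Report federated Allow statements that do not pin the assuming code's identity."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not (isinstance(principal, dict) and "Federated" in principal):
            continue
        # Flatten every condition operator into {key: [values]} regardless of operator type.
        keys: dict[str, list[str]] = {}
        for operator_values in stmt.get("Condition", {}).values():
            for key, value in operator_values.items():
                keys.setdefault(key, []).extend(value if isinstance(value, list) else [value])
        subs = keys.get(SUB_KEY, [])
        if AUD_KEY not in keys:
            findings.append(f"statement {i}: no audience condition; tokens minted for other consumers are accepted")
        if not subs:
            findings.append(f"statement {i}: no subject condition; any identity at the provider can assume the role")
        elif any("*" in s or "?" in s for s in subs):
            findings.append(f"statement {i}: wildcard subject {subs}; the role is not bound to one code location")
    return findings
```

Run `trust_policy_findings` over each role's trust policy in an account to list the roles a compromised runner or neighbouring pipeline could still assume.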
Prerequisite knowledge
- Experience working with a version control system (e.g., Git), any CI/CD system (e.g., Jenkins, Travis), and any cloud provider (e.g., AWS, GCP)
What you'll learn
- Understand which parts of a build pipeline privilege escalation can happen in
- See practical examples of how to mitigate the risk in your own build setups
- Learn how to design more secure CI/CD setups in public clouds
Andreas Sieferlinger is a cloud platform engineer at Scout24, where he works on building CI/CD systems. He focuses on simplifying workflows by making it easy to follow best practices. Previously, he worked on designing scalable AWS architectures for video streaming and developer tooling to simplify cloud migrations. Aside from IT, he spends most of his time in Boy Scout-ing, outdoor activities, and fiddling around with synthesizers. You can find him on Twitter as @webratz.