4–7 Nov 2019

The deputy shot the sheriff: Privilege escalation in build pipelines

Andi Sieferlinger (Scout24)
13:25–14:05 Wednesday, 6 November 2019
Location: R2
Average rating: ***** (5.00, 1 rating)

Who is this presentation for?

  • Software engineers, site reliability engineers, and test engineers

Level

Intermediate

Description

CI/CD systems are usually tightly coupled, and the CD part in particular inherits extensive administrative privileges combined with network access to production systems. We tend to believe that only trusted software executes within those systems, but it quickly becomes clear that code from a huge variety of sources that isn’t under your control is loaded and executed there.

Andreas Sieferlinger walks you through how to identify the most relevant issues along the steps of actual pipelines. You’ll take a deep dive on the confused deputy, a trusted third party that can be tricked into abusing its privileges, which explains how directly associating code with access permissions on a public cloud provider can eliminate the need to trust the components in between.
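As an added illustration of the confused-deputy problem described above (this is not code from the talk or from Scout24), the following Python model contrasts two runner designs. In the first, the CI runner holds one broad credential and lends it to every stage, so code loaded into the build stage from outside the owner's control can use the runner's production deploy permission. In the second, each stage receives a credential carrying only its own policy, so the same call is refused and shows up in the audit trail. The cloud API, the action names and the stage policy are all constructed stand-ins, not a real provider's SDK.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


class PermissionDenied(Exception):
    """Raised by the cloud stand-in when a credential lacks the requested action."""


@dataclass(frozen=True)
class Credential:
    principal: str
    allowed_actions: FrozenSet[str]


class CloudApi:
    """Constructed stand-in for a cloud provider API: every call is authorised
    against the presented credential and recorded in an audit trail."""

    def __init__(self) -> None:
        self.audit: List[Tuple[str, str, bool]] = []

    def call(self, cred: Credential, action: str) -> str:
        allowed = action in cred.allowed_actions
        self.audit.append((cred.principal, action, allowed))
        if not allowed:
            raise PermissionDenied(f"{cred.principal} may not {action}")
        return f"{action}: ok"


# Least-privilege policy per stage (hypothetical action names):
# the build stage only writes artifacts, the deploy stage reads them and deploys.
STAGE_POLICY: Dict[str, FrozenSet[str]] = {
    "build": frozenset({"artifact:write"}),
    "deploy": frozenset({"artifact:read", "prod:deploy"}),
}


def build_stage(cloud: CloudApi, cred: Credential) -> Dict[str, str]:
    """The build stage executes code the pipeline owner does not fully control
    (a dependency's install hook, a build plugin). Here that code also requests
    a production deploy, which is outside the stage's job; whether it succeeds
    depends entirely on the credential the runner handed over."""
    results = {"artifact:write": cloud.call(cred, "artifact:write")}
    try:
        results["prod:deploy"] = cloud.call(cred, "prod:deploy")
    except PermissionDenied as exc:
        results["prod:deploy"] = f"denied ({exc})"
    return results


def deploy_stage(cloud: CloudApi, cred: Credential) -> Dict[str, str]:
    """Pipeline-owned deploy script: needs artifact read and deploy, nothing more."""
    return {
        "artifact:read": cloud.call(cred, "artifact:read"),
        "prod:deploy": cloud.call(cred, "prod:deploy"),
    }


def run_shared_credential(cloud: CloudApi) -> Dict[str, Dict[str, str]]:
    """Confused deputy: one runner credential with the union of all stage
    permissions is lent to every stage."""
    runner = Credential("ci-runner", frozenset().union(*STAGE_POLICY.values()))
    return {"build": build_stage(cloud, runner), "deploy": deploy_stage(cloud, runner)}


def run_scoped_credentials(cloud: CloudApi) -> Dict[str, Dict[str, str]]:
    """Code bound to permissions: each stage gets a credential for its own policy,
    so the runner never has to be trusted to hand out the right subset."""
    creds = {stage: Credential(f"ci-{stage}", actions) for stage, actions in STAGE_POLICY.items()}
    return {
        "build": build_stage(cloud, creds["build"]),
        "deploy": deploy_stage(cloud, creds["deploy"]),
    }


def denied_calls(cloud: CloudApi) -> List[Tuple[str, str]]:
    """Audit view a detection rule would key on: (principal, action) pairs that were refused."""
    return [(principal, action) for principal, action, ok in cloud.audit if not ok]


if __name__ == "__main__":
    shared = CloudApi()
    print("shared credential:", run_shared_credential(shared), "denied:", denied_calls(shared))
    scoped = CloudApi()
    print("scoped credentials:", run_scoped_credentials(scoped), "denied:", denied_calls(scoped))
```

With the shared credential the out-of-scope deploy from the build stage succeeds and leaves no denial in the audit trail, because from the provider's point of view the legitimate runner made the call. With per-stage credentials the deploy stage still works, the build stage's attempt is refused, and the refusal is attributable to the build principal, which is the signal to alert on.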

Prerequisite knowledge

  • Experience working with a version control system (e.g., Git), any CI/CD system (e.g., Jenkins, Travis), and any cloud provider (e.g., AWS, GCP)

What you'll learn

  • Understand in which parts of a build pipeline privilege escalation can happen
  • See practical examples of how to mitigate the risk in your own build setups
  • Learn how to design more secure CI/CD setups in public clouds

Andi Sieferlinger

Scout24

Andreas Sieferlinger is a cloud platform engineer at Scout24, where he works on building CI/CD systems. He focuses on simplifying workflows by making it easy to follow best practices. Previously, he worked on designing scalable AWS architectures for video streaming and on developer tooling to simplify cloud migrations. Aside from IT, he spends most of his time on Boy Scouting, outdoor activities, and fiddling around with synthesizers. You can find him on Twitter as @webratz.
