Mathias Tausig @ Continuous Lifecycle / ContainerConf and BSidesVienna 2024

Mathias Tausig, information security expert at SBA Research, gave an interesting talk on “The monster in your basement: Security risks of CI/CD systems” at both Continuous Lifecycle / ContainerConf 2024 in Mannheim and BSides Vienna 2024.

Abstract

Continuous Integration and Continuous Delivery systems are omnipresent in today’s development workflows. They help developers focus on their actual programming duties by automating repetitive tasks, and they allow security tools to be run periodically. But the messy truth is that in many organizations they are simply taken for granted as yet another development tool instead of being recognized for what they are: a system at the core of your infrastructure with almost unbounded permissions.

The talk starts by elaborating why we want and need CI systems in the first place, in order to set the stage for their inherent security risks. Those risks are outlined based on the new “OWASP Top 10 CI/CD Security Risks” list and augmented by recounting “war stories” from real-world security assessments and breaches of CI systems. Finally, a live demonstration shows how easily an attacker can gain access to your build infrastructure via a malicious container image.

About the Speaker

Mathias Tausig graduated in mathematics and has a holistic perspective on computers: former developer, sysadmin, security officer, university teacher and even computer salesman. Now he is a security consultant specializing in application security, and an open source lover.

Links

Presentation Slides
Continuous Lifecycle/ContainerConf
BSidesVienna