Is This Your Pipe? Hijacking the Build Pipeline.

DEF CON 22

Presented by: Greg Anderson, Kyle Kelley
Date: Sunday August 10, 2014
Time: 15:00 - 15:50
Location: DEF CON 101

As developers of the web, we rely on tools to automate building code, run tests, and even deploy services. What happens when we're too trusting of CI/CD pipelines? Credentials get exposed, hijacked, and re-purposed. We'll talk about how often people leak public cloud credentials and what happens when they do, how some are protecting themselves using encrypted secrets, how to bypass protections against leaking decrypted secrets, and how to turn their Jenkins into your own butler. Come hijack credentials out of repositories, steal hidden and encrypted secrets using builds, and hijack infrastructure via their continuous deployment.
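The abstract's first point, public cloud credentials committed to repositories, is the one defenders can check for mechanically. The following is an added example, not code from the talk or its speakers: a small scanner that walks file contents and flags credentials by known format (the documented AWS access key ID shape, "AKIA" plus 16 uppercase alphanumerics) and by high-entropy values assigned to secret-looking names. The sample files, the name list, the entropy threshold and the minimum length are all constructed for illustration; the AWS-style values are the placeholder credentials AWS publishes in its own documentation, not real keys.

```python
"""Scan committed file contents for leaked cloud credentials.

Added example, not part of the talk. Patterns, thresholds and the sample
files below are constructed for illustration; the AWS-style values are the
placeholder credentials published in AWS's own documentation.
"""
import math
import re
from dataclasses import dataclass

# Known credential formats. An AWS access key ID is "AKIA" followed by
# 16 uppercase alphanumerics (documented shape; the value here is a placeholder).
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Assignments to secret-looking names: NAME = 'value', NAME: value, NAME=value
# (the name list is an assumption chosen for this example).
SECRET_ASSIGNMENT = re.compile(
    r"(?i)\b(?P<name>[\w.]*(?:secret|password|passwd|token|api_key|access_key)[\w.]*)"
    r"\s*[:=]\s*['\"]?(?P<value>[^'\"\s]+)['\"]?"
)
MIN_SECRET_LENGTH = 16     # shorter values are rarely machine credentials (assumption)
ENTROPY_THRESHOLD = 3.5    # bits per character; tuned for illustration only


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> list[Finding]:
    """Return credential findings for one file's contents, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        matched_known = False
        for rule, pattern in KNOWN_FORMATS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(path, line_no, rule, m.group(0)))
                matched_known = True
        if matched_known:
            continue  # a known-format hit already covers this line
        m = SECRET_ASSIGNMENT.search(line)
        if m:
            value = m.group("value")
            # Placeholders like <your-key-here> or 'changeme' are short or
            # low-entropy and fall through; real machine secrets rarely are.
            if len(value) >= MIN_SECRET_LENGTH and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, line_no, "high_entropy_secret", value))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents, e.g. the files touched by a commit."""
    out: list[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository contents (not from any real project).
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = True\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        "ADMIN_PASSWORD = 'changeme'\n"
    ),
    "README.md": (
        "Set AWS_ACCESS_KEY_ID=<your-key-here> before running the deploy job.\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.value}")
```

Run as a pre-commit hook or a CI step over the files in a change, the scanner reports the two real-looking values in settings.py and stays quiet on the README placeholder and the low-entropy password. The two rule kinds complement each other: format rules catch identifiers with a fixed shape even when they sit in an unnamed string, while the entropy rule catches secrets with no recognisable shape as long as they are assigned to a name that suggests what they are.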

Kyle Kelley

Kyle Kelley writes software, sneaks in security tomfoolery, and dabbles in as many open source projects as possible. During the day he writes code, builds systems, and helps developers with APIs and SDKs, infrastructure design, and not hanging themselves in the clouds. On the side he does ops and dev work for various open source projects, including their build infrastructure and public facing sites. He loves strange bugs.

Greg Anderson

Greg Anderson is a Software Security Engineer at Rackspace. He likes to find different ways to poke things and watch them fall over. Breaking things in automation over large scale server deployments is his forte. Twitter: @rgbkrk GitHub: rgbkrk
