As developers of the web, we rely on tools to automate building code, run tests, and even deploy services. What happens when we're too trusting of CI/CD pipelines? Credentials get exposed, hijacked, and re-purposed. We'll talk about how often and what happens when people leak public cloud credentials, how some are protecting themselves using encrypted secrets, how to bypass protections against leaking decrypted secrets and how to turn their Jenkins into your own butler. Come hijack credentials out of repositories, steal hidden and encrypted secrets using builds, and hijack infrastructure via their continuous deployment.
Kyle Kelley writes software, sneaks in security tomfoolery, and dabbles in as many open source projects as possible. During the day he writes code, builds systems, and helps developers with APIs and SDKs, infrastructure design, and not hanging themselves in the clouds. On the side he does ops and dev work for various open source projects, including their build infrastructure and public facing sites. He loves strange bugs.
Greg Anderson is a Software Security Engineer at Rackspace. He likes to find different ways to poke things and watch them fall over. Breaking things in automation over large scale server deployments is his forte. Twitter: @rgbkrk GitHub: rgbkrk