Attacking and Securing CI/CD Pipeline - Speaker Deck

Attacking and Securing CI/CD Pipeline
- Date: Oct 20th, 2021
- Place: CODE BLUE 2021 OpenTalks at Tokyo
- Presenter: Hiroki SUEZAWA (https://www.suezawa.net)

I also published an ATT&CK-like Threat Matrix for CI/CD Pipeline on GitHub: https://github.com/rung/threat-matrix-cicd

Presentation:
With the popularization of Dev(Sec)Ops, CI/CD (Continuous Integration and Delivery) is becoming more and more common in modern application development and infrastructure management. On the other hand, the security of the CI/CD environment itself has not received as much attention as it should from a security perspective. In 2021, Mercari was affected by a supply chain attack caused by the use of CodeCov, which allowed an intrusion into the CI/CD environment. The purpose of this presentation is to share a comprehensive summary of both the attack methods often used against CI/CD environments and our experience in securing Mercari's CI/CD infrastructure. While we acquired most of this knowledge the hard way, through direct incident response, we hope that our experience will be useful to anyone trying to proactively improve the security posture of their CI/CD infrastructure.

