How CI/CD Tools can expose your Code to Security Risks? In this episode, we’re joined by Mike Ruth, Senior Staff Security Engineer at Rippling and returning guest, live from BlackHat 2024. Mike dives deep into his research on CI/CD pipeline security, focusing on popular tools like GitHub Actions, Terraform, and Buildkite. He reveals the hidden vulnerabilities within these tools, such as the ability for engineers to bypass code reviews, modify configuration files, and run unauthorized commands in production environments.
Mike explains how the lack of granular access control in repositories and CI/CD configurations opens the door to serious security risks. He shares actionable insights on how to mitigate these issues by using best practices like GitHub Environments and Buildkite Clusters, along with potential solutions like static code analysis and granular push rule sets. This episode provides critical advice on how to better secure your CI/CD pipelines and protect your organization from insider threats and external attacks.
Questions asked:
00:00 Introductions
01:56 A word from episode sponsor - ThreatLocker
02:31 A bit about Mike Ruth
03:08 SDLC in 2024
08:05 Mitigating Challenges in SDLC
09:10 What is Buildkite?
10:11 Challenges observed with Buildkite
12:30 How Terraform works in the SDLC
15:41 Where to start with these CICD tools?
18:55 Threat Detection in CICD Pipelines
21:31 Building defensive libraries
23:58 Scaling solutions across multiple repositories
25:46 The Fun Questions
--------------------------------------------------------------------------------
📱Cloud Security Podcast Social Media📱
_____________________________________
🛜 Website: https://cloudsecuritypodcast.tv/
🧑🏾💻 Cloud Security Bootcamp - https://www.cloudsecuritybootcamp.com/
✉️ Cloud Security Newsletter - https://www.cloudsecuritynewsletter.com/
Twitter: / cloudsecpod
LinkedIn: / cloud-security-podcast
#cloudsecurity
Смотрите видео Is your CI/CD Pipeline your Biggest Security Risk? онлайн, длительностью часов минут секунд в хорошем качестве, которое загружено на канал Cloud Security Podcast 01 Январь 1970. Делитесь ссылкой на видео в социальных сетях, чтобы ваши подписчики и друзья так же посмотрели это видео. Данный видеоклип посмотрели 996 раз и оно понравилось 25 посетителям.