OWASP NZ 22 - Top 10 Security Risks in CI/CD Systems - Omer Gil & Daniel Krivelevich, Cider Security

Video description

After researching, cross-referencing and analyzing some of the most notorious CI/CD security breaches, such as CodeCov, SolarWinds, and PHP, this talk will present the Top 10 CI/CD risks that were distilled from the most common patterns found in these attacks.

Description

All of us have heard about some of the most notorious CI/CD attacks over recent months and years, from CodeCov to SolarWinds and PHP, just to name a few. But what many of us have been missing are the specific attack vectors that these all have in common - and what you can do about them.

After researching, cross-referencing, and analyzing these attacks in detail, we'd like to present the Top 10 CI/CD risks distilled from the patterns identified among these attacks. These patterns result from many common anti-patterns in modern engineering organizations today, which all engineers should be aware of and take precautions against. We will take a look at some of the obvious risk areas and some of the less well-known risks you are exposed to - from the code and architecture, to the culture, through the processes. Finally, we will consider what we can learn from well-known previous attacks to try and protect ourselves from future ones.

Speaker Biographies

Omer Gil is a seasoned application and cloud security expert with 15 years of experience across multiple security disciplines. An experienced researcher and public speaker, Omer discovered the Web Cache Deception attack vector in 2017, co-authored the "Top 10 CI/CD Security Risks" project, and participated in the creation of the "CI/CD Goat" project.

After having spent many years in various positions in the InfoSec domain, including the IDF, EY HASC and Magic Leap (leading cloud security), today, Omer leads research at Cider Security, a hyper-growth startup focused on securing CI/CD pipelines. [Twitter: @omer_gil]

Daniel Krivelevich is a Cyber Security expert and problem solver, with more than 15 years of enterprise security experience and a strong orientation to Application & Cloud Security. Daniel held several positions in 8200, after which he spent several years hopping between defensive and offensive security positions.

After having led Application Security and Cloud Security with Sygnia for four years, working with 100+ enterprises on optimizing Cyber resilience, Daniel co-founded Cider Security as the company's CTO. Cider is a hyper-growth startup building the world’s first AppSec OS, focused on securing CI/CD pipelines, flows, and systems. [Twitter: @Dkrivelev]
