How CI/CD Tools can expose your Code to Security Risks? In this episode, we’re joined by Mike Ruth, Senior Staff Security Engineer at Rippling and returning guest, live from BlackHat 2024. Mike dives deep into his research on CI/CD pipeline security, focusing on popular tools like GitHub Actions, Terraform, and Buildkite. He reveals the hidden vulnerabilities within these tools, such as the ability for engineers to bypass code reviews, modify configuration files, and run unauthorized commands in production environments.
Mike explains how the lack of granular access control in repositories and CI/CD configurations opens the door to serious security risks. He shares actionable insights on how to mitigate these issues by using best practices like GitHub Environments and Buildkite Clusters, along with potential solutions like static code analysis and granular push rule sets. This episode provides critical advice on how to better secure your CI/CD pipelines and protect your organization from insider threats and external attacks.
Guest Socials: Mike's Linkedin
Podcast Twitter - @CloudSecPod
If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:
- Cloud Security Podcast- Youtube
- Cloud Security Newsletter
- Cloud Security BootCamp
Questions asked:
(00:00) Introductions
(01:56) A word from episode sponsor - ThreatLocker
(02:31) A bit about Mike Ruth
(03:08) SDLC in 2024
(08:05) Mitigating Challenges in SDLC
(09:10) What is Buildkite?
(10:11) Challenges observed with Buildkite
(12:30) How Terraform works in the SDLC
(15:41) Where to start with these CICD tools?
(18:55) Threat Detection in CICD Pipelines
(21:31) Building defensive libraries
(23:58) Scaling solutions across multiple repositories
(25:46) The Fun Questions
Resources mentioned during the call:
GitHub Actions
Terraform
Buildkite
Mike's BSidesSF Talk
