Cloud Security Podcast

Is your CI/CD Pipeline your Biggest Security Risk?

Sep 13, 2024

Mike Ruth, a Senior Staff Security Engineer at Rippling, discusses the hidden vulnerabilities in CI/CD pipelines during a live segment from BlackHat 2024. He reveals how tools like GitHub Actions and Terraform can pose serious security risks, such as bypassing code reviews and unauthorized command execution. Mike emphasizes the importance of granular access control and offers actionable strategies to mitigate these vulnerabilities, enhancing security in cloud environments and safeguarding against insider and external threats.

29:55

Creator website

Episode guests

Mike Ruth

AI Summary

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

The podcast emphasizes that CI/CD tools like GitHub Actions can inadvertently allow unauthorized changes, posing serious security risks due to insufficient code review processes.

It highlights the necessity for granular access control and mitigation strategies, such as branch affinities and push rule sets, to strengthen CI/CD pipeline security.

Deep dives

Understanding GitHub Actions and Security Gaps

The discussion highlights the significant gaps in security practices when using GitHub Actions, especially regarding how secrets and configurations are managed within repositories. The ability to modify configuration files through pull requests without necessary oversight poses risks, as unauthorized changes can lead to potential exploitation. It is noted that many users operate under the assumption that code review adequately secures their actions, neglecting the reality that changes can be made without thorough checks. This leads to vulnerabilities, as anyone with access to push PRs can inadvertently or maliciously alter vital configuration, making it crucial to establish safeguards.

Intro

2min

Navigating Cloud Security in CI/CD Environments

10min

Securing CI/CD Pipelines with Terraform

14min

Personal Reflections and New Adventures

2min

Climbing Safety and Route Setting in Bouldering

2min

How CI/CD Tools can expose your Code to Security Risks? In this episode, we’re joined by Mike Ruth, Senior Staff Security Engineer at Rippling and returning guest, live from BlackHat 2024. Mike dives deep into his research on CI/CD pipeline security, focusing on popular tools like GitHub Actions, Terraform, and Buildkite. He reveals the hidden vulnerabilities within these tools, such as the ability for engineers to bypass code reviews, modify configuration files, and run unauthorized commands in production environments.

Mike explains how the lack of granular access control in repositories and CI/CD configurations opens the door to serious security risks. He shares actionable insights on how to mitigate these issues by using best practices like GitHub Environments and Buildkite Clusters, along with potential solutions like static code analysis and granular push rule sets. This episode provides critical advice on how to better secure your CI/CD pipelines and protect your organization from insider threats and external attacks.

Guest Socials:⁠ ⁠⁠⁠⁠Mike's Linkedin

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security Podcast- Youtube⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠

- ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security Newsletter ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠

- ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security BootCamp

Questions asked:

(00:00) Introductions

(01:56) A word from episode sponsor - ThreatLocker

(02:31) A bit about Mike Ruth

(03:08) SDLC in 2024

(08:05) Mitigating Challenges in SDLC

(09:10) What is Buildkite?

(10:11) Challenges observed with Buildkite

(12:30) How Terraform works in the SDLC

(15:41) Where to start with these CICD tools?

(18:55) Threat Detection in CICD Pipelines

(21:31) Building defensive libraries

(23:58) Scaling solutions across multiple repositories

(25:46) The Fun Questions

Resources mentioned during the call:

Get the Snipd
podcast app

Unlock the knowledge in podcasts with the podcast player of the future.

AI-powered
podcast player

Listen to all your favourite podcasts with AI-powered features

Discover
highlights

Listen to the best highlights from the podcasts you love and dive into the full episode

Save any
moment

Hear something you like? Tap your headphones to save it with AI-generated key takeaways

Share
& Export

Send highlights to Twitter, WhatsApp or export them to Notion, Readwise & more

AI-powered
podcast player

Listen to all your favourite podcasts with AI-powered features

Discover
highlights

Listen to the best highlights from the podcasts you love and dive into the full episode

Cloud Security Podcast

Is your CI/CD Pipeline your Biggest Security Risk?

Episode guests

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

Understanding GitHub Actions and Security Gaps

Mitigating Risks in CI/CD Environments

Challenges and Solutions in Software Development Lifecycle

Future Directions in CI/CD Security Enhancements

Get the Snipd
podcast app

AI-powered
podcast player

Discover
highlights

Save any
moment

Share
& Export

AI-powered
podcast player

Discover
highlights

Cloud Security Podcast

Is your CI/CD Pipeline your Biggest Security Risk?

Episode guests

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

Understanding GitHub Actions and Security Gaps

Mitigating Risks in CI/CD Environments

Challenges and Solutions in Software Development Lifecycle

Future Directions in CI/CD Security Enhancements

Get the Snipdpodcast app

AI-poweredpodcast player

Discoverhighlights

Save anymoment

Share& Export

AI-poweredpodcast player

Discoverhighlights

Get the Snipd
podcast app

AI-powered
podcast player

Discover
highlights

Save any
moment

Share
& Export

AI-powered
podcast player

Discover
highlights