►
From YouTube: Software Supply Chain SIG Meeting - May 12, 2022 (Top 10 CI/CD Security Risks and CI/CD Goat)
Description
For more Continuous Delivery Foundation content, check out our blog: https://cd.foundation/blog/
B
A
B
B
A
A
A
So
yeah
nine
people
well
coming
around
sorry
for
talking
about
the
art
of
identity
at
the
beginning.
So
I
see
we
have
quite
a
few
people,
so
we
can
slowly
start
with
the
agenda
bashing
and
then
look
at
other
topics.
We
have
on
the
agenda
and
let
me
put
the
link
for
our
meeting
document
on
the
chat,
so
people
can
block
their
attendance
so
welcome
again.
Everyone
on
the
agenda.
A
I
sent
to
specialties
group
interoperability
pipeline
stage,
steps
terminology
and
then,
if
there
are
other
topics
you
can
take
them
if
the
time
allows
so
before.
Like,
instead
of
spending
so
much
time,
perhaps
we
can
directly
move
to
the
presentation
and
demo
from
dandelion,
because
we
don't
have
an
action
item
and
then
I
stop
sharing
so
daniel
or
mario
can
take
over
the
sharing.
A
We
think
about
the
security
risks
within
ci
cd
systems
pipelines
themselves
and
how
to
make
sure
actors
with
different
interests.
Don't
exploit
our
cicd
systems
and
while
I
was
reading
that
white
paper,
I
noticed
you
also
created
the
ci
cd.
Go
that
increased
my
interest
as
well
because,
like
that
was
kind
of
a
real
way
to
you,
know,
play
with
these
things
and
then
that's
how
we
got
talking
about
your
visit
to
our
sikh
and
with
that
I
passed
the
word
to
you,
daniel
or
amer,
or
both
of
you.
E
A
E
and,
of
course
feel
free
to
interrupt.
If
you
have
any
questions
or
thoughts
down
the
down
the
way.
So
cider
is
a
cyber
security
startup
from
israel.
We
kicked
off
our
journey
about
almost
a
year
and
a
half
ago,
we're
based
out
of
tel
aviv
in
israel,
with
a
little
bit
of
presence
in
in
europe
and
in
north
america,
with
70
employees
and,
besides
being
a
catchy
five-letter
word.
We're
called
cider,
because
the
area
of
focus
for
us
is
cicd
security.
E
Ever
since
devops
and
cicd
became
prevalent
and
became
a
commodity,
the
engineering
ecosystem
has
changed
a
lot
over
the
past.
I
would
say
three
four:
five
years
with
a
larger
diversity
in
the
technical
stack,
that's
used
for
development
and
the
technical
stack
that's
used
for
deployment
a
lot
less
manual
processes
a
lot
more
automations.
E
And
obviously
this
is
all
bundled
together
within
one
single
platform
and
a
big
part
of
what
we're
doing
in
in
insider.
Besides
developing
a
technology
that
helps
absent
practitioners
meet
today's
challenges
is
also
really
spend
a
lot
of
time.
Thinking
about
how
we
can
empower
the
community
and
how
we
can
help
create
knowledge
and
spark
discussions
within
the
community
about
the
new
flavor
of
risks.
E
E
E
You
know,
depending
on
on
the
different
sizes
of
organizations
and
verticals
and
and
every
organization,
has
different
types
of
challenges
and
different
levels
of
knowledge
and
capabilities
to
cope
with
the
challenge,
and
so
one
of
the
guiding
principles
for
us
was
to
make
sure
we're
making
the
top
10
city
security
risks
as
relevant
as
possible
to
as
many
people
and
as
many
types
of
environments
and
technical
stacks
as
possible.
So
the
first
thing
we
did
was
gather
together
and
I'll
show
this
to
you
in
the
document
later.
E
But
we
gather
together
as
many
details
and
documentations
about
different
types
of
hacks
and
security
flaws
that
revolved
around
the
cicd
space.
We,
we
analyzed
the
anatomy
of
ci,
cd,
hacks
and
ci
cd
flaws,
and
I
think
it
was
I
don't
know
it
was
many
many
dozens
of
of
these
technical
blogs
and
resources
and
and
read-ups
that
that
we
analyzed
and
summarized
and
gathered
the
different
types
of
flaws
and
the
different
types
of
behaviors
that
attackers
carried
out.
E
We
combined
that
with
many
many
ci
cd
environments
and
many
organizations
that
we
worked
with
before
tenure
insider
and
during
our
tenure
insider.
So
you
know
we
have
we're
fortunate
enough
to
be
in
a
position
where
we're
analyzing
different
types
of
ci,
cd
environments
and
and
deployments,
and
setups
and
configurations
on
a
daily
basis
and-
and
we
partnered
with
many
of
the
organizations
that
we
worked
with
to
understand
some
of
the
common
denominators
and
some
of
the
more
prevalent
challenges
that
organizations
face.
E
E
So
this
is
just
a
short
intro
into
the
changes
that
have
occurred
over
the
past
years
in
the
in
the
cicd
ecosystem
and
their
ramifications
or
their
meaning
from
the
security
perspective,
the
types
of
hacks
and
exposures
that
we
as
defenders
witnessed
and
and
and
then
the
actual
risks
each
risk.
We
have
a
consistent
format
for
the
risks,
so,
for
example,
this
is
the
first
risk.
Insufficient
flow
control
mechanisms.
E
This
risk
specifically
is
relating
to
as
as
it
is
written
here.
How
far
can
someone
can
go?
How
far
can
someone
go?
Can
an
adversary
go
down?
The
cicd
process
and
pipeline,
if
they're,
able
to
obtain
any
set
of
permissions,
what
controls
exist
to
prevent
any
single
set
of
permissions
from
pushing
malicious
code
or
artifacts
down
the
pipeline
without
any
additional
reviews
or
controls
or
approvals.
E
So
for
each
risk.
We
have
the
definition
of
the
risk,
a
description,
the
the
impact
from
from
a
cyber
perspective.
Obviously,
what
the
attacker
would
be
able
to
do
a
set
of
recommendations,
technical
recommendations,
that
organizations
and
defenders
should
buy
the
domain,
cider.io
technical
recommendations,
that
organizations
could
carry
out
to
to
cope
with
the
risk,
and
then
the
references
are
the
actual,
the
actual
artifacts
that
I
mentioned
earlier.
E
E
We
made
sure
that
we
not
only
have
the
website,
but
we
have
also
the
repo,
because
again,
this
is
a
contribution
from
us
to
the
community
and
the
objective
behind
the
repo
is
to
allow
anyone
to
to
contribute
and
share
their
thoughts,
insights,
knowledge
and
ideas
around
this.
So
this
project
in
github
has
the
exact
same
content
of
the
document,
the
pdf
and
and
and
and
the
website
that
I
showed
earlier.
E
This
is
the
list
of
of
experts
that
collaborated
with
us
on
the
effort
you
can
see
they're
coming
from
different
positions,
different
verticals
different
organizations,
but
a
lot
of
prominent
figures
in
the
industry
and
and,
of
course,
the
actual
risks
themselves
and
again.
The
the
objective
is
for
this
to
be
a
document
that
really
sparks
the
discussion
and
and
helps
the
community
steer
the
focus
to
the
right
direction.
As
far
as
the
today's
ci
cd
risks
and
today's
cicd
security
challenges.
That
defenders
face.
E
We
talked
about
this
in
several
podcasts
and
and
other
types
of
meetups
and
gatherings
we're
talking
about
this
actually
in
in
san
francisco.
In
less
than
a
month
in
the
rsa
conference,
we
have
a
talk
dedicated
to
the
top
ten
and,
and
we
have
many
different
discussions
and
and
forums
and
meetups
here
in
israel
and
abroad
that
are
focused
on
talking
about
the
top
ten.
C
In
a
minute,
you
can
leave
it
on
the
slide
for
a
moment.
Okay,
so
hi,
I
I
didn't
introduce
myself
yet
so
my
name
is
adam
gill.
I
also
work
at
cider
security
as
daniel
said,
leading
research
here
and
participated
in
writing
the
top
10
security
risks
project
and
also
led
internally,
with
my
team,
also
with
we,
I
mean
with
danielle
and
asi,
which
is
also
on
his
call
and
a
few
more
people
from
cider,
the
god
initiative,
the
goat
project.
C
So
for
those
of
you
who
are
less
familiar
with
with
the
goat,
like
our
projects,
which
is
an
unofficial
term
for
for
specific
type
type
of
projects,
so
there
are
more
than
a
few
gold
projects
which
is
which
is
like
a
deliberately
vulnerable
system
or
application
or
environment
with
the
purpose
of
helping
a
security
practitioner.
So
anyone
else
who
likes
to
to
learn
how
to
hack
specific
type
of
a
system
or
environment
to
provide
them
with
the
environment.
C
E
C
C
C
C
C
Okay,
so
this
is
the
gita
project
you
can.
You
can
find
it
here.
You
can
also
you
can
share
it
in
the
chat.
Maybe
while
we
speak
so
anyone
can
listen
top
10
projects,
so
anyone
can
access
it.
If
they
want
to.
This
is
the
csd
code.
You
can
find
it
in
our
github
organization
this
in
the
top
10
it's
in
the
same
github,
all
it's.
C
C
We
didn't
want
anyone
to
to
start
deploying
on
aws
in
order
to
to
use
the
environment.
I
wanted
everything
to
be
docker-based
and
deployed
on
your
own
machines,
which
is
much
faster
and
easier
to
to
do
and
free,
there's
also
another
http
server
here
and
there's
ctfd
cdfd
is
a
framework
for
for
cdf
capture
the
flag
challenges,
I'm
going
to
show
it
in
a
moment.
This
is
where
we
manage
the
challenges.
C
And
then
you
understand,
if
you
install,
if
you
got
it
right
or
not,
I
can
show
you.
I
can
also
show
you
a
quick
demo
if
you
want
I'm
going
to
use
this
solution,
so
you
can
see
how
you
can
use
it
if
you
wanted
to
solve
it.
So,
as
you
can
see
here,
this
is
one
of
the
challenges.
It's
called
the
white
rabbit.
C
C
You
can
see
all
the
challenges
and
decide
with
what
you
want
to
to
begin
with.
For
example,
we
can
start
with
an
easy
one
white
rabbit,
so
you
can
see
the
description
in
this
case.
We
need
to
still
flag
one,
which
is
a
secret
secret
store
in
jenkins
in
the
jenkins
credential
store,
and
you
can
use
the
hints
the
different
hints
to
to
solve
it.
C
C
Okay,
here
you
can
see
jenkins
with
the
different
pipelines
for
each
challenge
that
you
eventually
probably
need
to
execute
malicious
code
there,
or
whatever
I
mean
right
now.
We
have
like
a
user
with
a
really
light
permissions
on
jenkins
and
in
most
challenges.
You
need
to
leverage
your
permissions
on
this
system
or
in
aws,
which
is
local
stack,
not
with
aws.
C
So
I
can
show
a
quick
demo
which
is
really
straightforward.
You
can
see
again
it's
the
white
rabbit
one.
Let's
say
that
you
need
to
access
the
flag,
one
secret
store
in
the
jenkins
credential
store,
but
you
only
have
access
to
gt.
You
have
right
permissions
to
the
right
to
habit
repository,
which
is
linked
with
a
pipeline
on
jenkins.
C
There
there's
a
pipeline
for
white
limit,
but
I
can't
do
much
with
it.
I
mean
I
can't
modify
its
code
or
configuration,
I'm
not
an
admin
on
on
jenkins.
I
can't
access
the
credential
stores
directly.
If
I'll
see
this
solution,
I
mean
go
over
it.
I
can
see
that
the
purpose
is
to
create
to
conduct
a
direct
poison
partner,
execution
attack.
This
is
a
term
that
we
said
insider,
but
it
is
a.
It
is
a
an
attack
that
was
referenced
a
few
times
back
by
various
people.
C
C
D
C
Have
access
to
one
user,
or
even
one
repository
on
github?
If
it's
linked
with
a
pipeline?
It's
it's
much
more
than
access
to
a
repository,
it's
a
gateway
to
your
entire
ccd
pipelines,
to
a
css
environment
and
even
to
your
production
environment,
because
it's
all
linked
together-
and
this
is
one
of
the
messages
that
we
want
to
to
to
deliver-
that
the
update
that
access
to
your
source.
C
System
is
not
just
access
to
your
source
code,
which
is
serious
enough,
but
it's
much
more
than
that.
It's
access
to
your
to
an
entire
ecosystem
of
of
the
different
cic
system
and
production
system
that
are
all
linked
together,
working
automatically
with
the
different
processes
defined
by
the
organization.
C
C
C
C
I
need
to
keep
this
this
first
line
here,
dealspace
line
here
so
I'll
skip
it
for
now,
but
the
the
the
main
point
is
that
eventually
this
pipeline,
that
I
would
run
they'll
be
able
to
view
the
secret
from
the
console
output
or
from
a
remote
server
that
I
send
this
secret
to
then
I
get
this
secret
and
send
it
and
insert
it
here.
I
submit
it
and
I
can
tell
that
I
got
it
right.
C
This
is
a
really
straightforward
challenge,
but
there
are
really
complex
challenges
here,
like
code
execution
for
pipelines
or
bypassing
auto,
merge
rules
similar
to
the
kodkov
hack
or
to
the
hack
of
brew,
the
pool
project.
We
some
of
these
challenger
challenges
were
inspired
by
actual
hacks
or
write-ups
about
security
vulnerabilities
that
were
found
and
reported.
E
And
you
know.
Hopefully
this
will
be
something
that
other
contributors
outside
of
site
would
be
able
to
add
their
own
challenges
to
and
customize,
and
we've
already
received
some
feedbacks
and
ideas
and
insights,
and
also
a
lot
of
teams
that
have
spent
quite
some
time
solving
these
challenges
and
so
yeah
we're
looking
forward
to
see.
You
know
the
the
potential
of
both
the
goat
and
the
top
10.
G
A
Folks,
like
mike
lieberman,
others
also
cncf
tag
app
security
tag,
app
delivery
group.
I
think
we
could
take
a
look
at
what
is
there
under
ci
cd
got
and
think
of
making
that
part
of
our
proof
of
concepts
with
system
and
pipelines
we
are
bringing
up
like
it
is
not
just
about
the
stuff
we
are
producing
on
our
pipelines,
but
also
includes
these
aspects,
the
you
know,
challenges
and
so
on.
A
So
when
people
bring
up
such
an
environment,
they
can
look
at
both
things
or
to
see
icd
itself
as
well
as
what
goes
through
ci
cd.
I
don't
know
if
it
makes
sense
to
obviously
increase
the
scope
but
yeah.
I
think
we
have
lots
of
things
we
can.
You
know
collaborate
on
and
play
with,
especially
seeing
after
the
demo.
G
It
could
interleave
the
sauce
in
a
way
like
salsa
is
like
here's
what
you
should
do
with
your
supply
chain,
and
this
is
sort
of
like
here's.
What
you
should
not
do
with
your
supply
chain
right
here
are
all
the
counter
examples
I
haven't
had
a
map
or
if
they
map
nicely
to
the
salsa
goals
and
objectives.
A
E
Yeah,
I
think
salsa
is,
I
mean,
obviously
we're
familiar
with
salsa
and
it's
still
it's
still
evolving.
I
think
it's
it's
still
in
the
relatively
the
project
itself
is
amazing.
It's
still
in
the
relatively
early
phases
of
its
maturity
and
so
we're
curious
to
see
what
it
will
evolve
to
and
obviously
we're
drawing
a
lot
of
inspiration
from
it,
and
we
do
believe
it.
E
It
has
the
potential
to
be
something
that
serves
as
a
benchmark
to
organizations
as
far
as
where,
where
they
are
in
terms
of
their
supply
chain,
security
controls
and
what
they
need
to
do
to
be
at
a
better
place.
I'm
not
I'm
not
entirely
sure
yeah.
I
think
you
know
the
salsa
is
really
coming
at
it.
From
the
builder's
perspective
or
defender
perspective.
These
projects
are
more
focused
on
helping
defenders
have
a
better
view
of
the
attacker's
perspective.
E
But
yeah
I
mean,
if
you
guys,
have
any
ideas
on
different
types
of
collaboration
or
fusion
between
them.
Then
we're
really
motivated
to
to
you
know
to
do
whatever
we
can
to
get
this
to
get
to
collaborate
with
with
anyone.
That's
interested
in
collaborating
with
us
on
us
collaborating
with
us
on
this.
F
So
there
was
this
one
thing
that
you
showed
where
you
know
like
someone
can
actually
go
into
this.
You
know
like
pipeline
and
then
just
you
know
like
print
out.
You
know
like
the
credentials
right,
so
that
is
an
issue
that
we
actually
have
with.
You
know
like
jenkins
x,
which
is
why
we
don't
show
the
pipeline
logs
to
you
know
like
users,
so
this
was
very
nice
to
see
that
this
is.
You
know
like
one
of
the
tests
or
like
one
of
the
checks,
so
yeah.
A
Yeah,
that
brings
up
an
additional
question
to
you,
daniel
and
I
are
like,
I
think,
ankit.
You
asked
a
similar
question
when
you
were
having
the
seekers
of
effect
representation
and
that
initially
picked
tecton
as
their.
You
know,
ci
cd
tool,
as
you
know,
cdf
is
home
to
like
tecton
spinnaker
jenkins,
jenkins
x,
squidward,
like
I
suppose,
like.
If
we
try
to
do
something
similar
for
techton,
just
an
example
that
could
be
contributed
to
your
repo
to
see
icd
gold.
A
F
F
Right
so
so
we
so
you
know,
like
jenkins
x,
can
be
you
know
like
installed
on
a
local.
You
know
like
a
kubernetes
cluster,
so
you
can
have
it
installed
on.
So
you
know
like
mini
cube,
or
you
know
like
a3s,
so
we
can
probably
do
you
know
like
something
like
that.
I
I
don't
know
how
well
we
support
you
know
like
here.
F
H
I
just
wanted
to
say
thank
you
for
the
demo
that
was
great
and
and
for
talking
about
the
project,
I'm
quite
excited
to
have
a
go
at
the
challenges
and
similar
to
anne-marie.
I
was
thinking
of
how
it
could
work
with
more
best
practice
standards,
and
I
know
that
terry's
been
working
quite
a
lot
on
within
our
best
practice's
sake.
So
maybe
terry,
you
have
something
ideas
of
how
it
could
fit
with
the
work
that
you're
doing
now.
E
Yeah,
I
think
also
I
I
mentioned
this
just
briefly,
but
you
know.
Obviously
the
projects
are
coming
from
the
attacker's
perspective,
but
they're
oriented
towards
defenders,
and-
and
so
we
do
have
quite
a
lengthy
section
on
within
each
and
every
one
of
the
top
10
risks
about
the
types
of
controls
and
measures
that
defenders
can
take
to
cope
with
those
risks.
E
A
Okay,
so
daniel
homer,
I
have
your
mail
addresses
now
I
don't
have
to
go
through
links
anymore,
so
I
will
definitely
reach
out
to
you
when
you
know
I
have
questions,
but
please
feel
free
to
join
to
our
slack
channel.
We
have
a
channel
for
software
supply
chain,
sig
dash,
I'm
sure
you
know
cdf
slack.
If
not,
I
can
share
the
slack
invite
with
you
and
as
unmary
highlight.
A
I
think
we
have
opportunities
to
collaborate
like
bring
these
aspects
into
the
work
we
are
doing
to
our
discussions,
as
I
know
that
the
very
beginning,
the
conversation
is
around
out
of
the
stuff
that
goes
through
the
pipelines
or
the
cicd
systems,
but
what
about
the
cicd
systems
themselves?
That
is
an
interesting
aspect
and
we
could
perhaps
look
at
contributing
to
overall
effort
being
through
the
state
of
software
supply
chain.
B
A
A
I
hope
you
can
see
this.
So
this
is
the
document
we
are
talking
about
and
the
news
I
promise
to
give
is.
I
am
looking
for
resources
to
start
bringing
up
this
book.
So
if
any
of
you
are
interested
access
to
secure
software
factory
deployment
just
reach
out
to
me
on
slack,
so
I
can
share
access
details
with
you
once
we
have
the
deployment
there
and
you
can
go
and
clear.
The
secure
software
factory
create
new
type
of
things
and
perhaps
look
for
ways
to
contribute
them
back
to
seekers
of
factory.
A
So
that
is
one
thing
to
get
an
actual
deployment
to
play
with
things.
The
other
thing
is
about.
If
we
should
think
of
moving
this
document
or
turning
this
document
to
a
pull
request,
because
I
haven't
received
any
notifications
from
icandy
terry
you're,
seeing
you
don't,
you
didn't
receive
notifications
either
or
you
can
perhaps
move
this
to
github
and
have
better
collaboration
there.
A
So
that
is
one
topic.
Let
me
put
the
link
to
chat
as
well,
so
I
can
take
a
look
at
it.
While
we
move
the
document
and
the
other
topic
was
the
pull
requests
I
sent
thanks,
I'm
mary,
it's
great
that
you
are
here
today
with
us.
I
simply
went
and
a
few
more
or
three
stages
into
the
stages
term
image
you
had
in
the
interval
document,
and
you
already
provide
some
comments
there.
A
A
G
By
the
way,
I
did
get
a
little
bit
of
useful
information
on
the
on
the
steps
like
you
could
imagine
you
could
you.
You
know
we're
trying
to
do
some
logic
around
these
step
and
stage.
Well,
mostly
the
step
types,
the
lower
level
ones
like
saying.
Okay,
if
you
have
run
somebody's
static
application,
security,
tester,
then
you're
good
right.
We
there
there
could
be
a
temptation,
almost
filled
like
a
dependency
tree
of
these
things.
G
Like
say,
there
are
some
types
of
these,
but
the
feedback
that
we
got
from
somebody
who's
done
a
lot
of
work
and
build
systems
before
is
that
we
should
try
to
keep
it
flat
like
we
don't
want
a
tree
of
step
types.
We
just
want
a
flat
list,
because
when
you
get
into
dependency
trees,
it
gets
super
hard
to
process
them.
So
you
know
just
something
to
keep
in
mind
that
I
didn't
think
of
initially.
A
A
A
A
G
C
A
A
A
If
no
one
else
had
anything
else
to
add,
I
want
to
thank
all
of
you
for
joining
today
and
before
I
let
all
of
you
go,
we
will
have
a
presentation
on
a
new
project
cartographer
during
our
next
meeting,
which
will
be
on
26th
of
may
and
it
was
originally
james
rollins.
We
planned
him
to
present
the
project
to
us.
A
He
was
a
contributor
to
especially
interest
group
interability
and
junk
insects
and
all
these
things,
but
unfortunately
he
won't
be
able
to
make
it
to
our
meeting,
but
two
of
his
colleagues
will
join
to
our
next
meeting
and
talk
about
cartographer,
which
also
talks
about
supply
chains
like
all
of
us.
So
please
join
the
next
meeting.
If
you
want
to
see
what
this
project
is
about
and
talk
with
the
people
behind
the
project.