From YouTube: Software Supply Chain SIG Meeting - May 12, 2022 (Top 10 CI/CD Security Risks and CI/CD Goat)
Description
For more Continuous Delivery Foundation content, check out our blog: https://cd.foundation/blog/
C: Hey, it's Omer here. Daniel will be back.
A: So Terry, I have a question while we wait for others to join. I responded to your comments on HackMD, this proof of concept document. Did you receive a notification?
B: No, I couldn't see where you'd updated those. Perhaps if you can send me a link, I'll check.
A: So yeah, nine people, welcome around. Sorry for talking about the art of identity at the beginning. So I see we have quite a few people, so we can slowly start with the agenda bashing and then look at the other topics we have on the agenda. Let me put the link for our meeting document in the chat, so people can log their attendance. So welcome again, everyone. On the agenda today we have action item review, followed by a presentation and demo from Daniel and Omer on Top 10 CI/CD Security Risks and CI/CD Goat, and I see both of them here. The next two topics are the topics we have been talking about for the last couple of weeks, or since the beginning of the SIG: the discussion around starting this proof of concept, and I have some news about how we can start with that, as well as some comments from Yora, Arahan, Emil and Terry. And then finally the topic on a pull request I sent to SIG Interoperability on pipeline stage/steps terminology, and then, if there are other topics, you can take them if the time allows. So, instead of spending so much time, perhaps we can directly move to the presentation and demo from Daniel and Omer, because we don't have an action item, and then I'll stop sharing so Daniel or Omer can take over the sharing.

A: We think about the security risks within CI/CD systems and pipelines themselves and how to make sure actors with different interests don't exploit our CI/CD systems, and while I was reading that white paper, I noticed you also created the CI/CD Goat. That increased my interest as well, because that was kind of a real way to, you know, play with these things, and that's how we got talking about your visit to our SIG. And with that I pass the word to you, Daniel or Omer, or both of you.
E: Yeah, sure. So, hi everyone, thanks for hosting us. We have a short deck that we'll use, but maybe before we begin, how much time do we have, just so we set expectations?
A: Well, normally we try to use half of the meeting, like 30 minutes, for the presentation and discussion, but the topic is interesting and we have lots of people here, so we can use the entire meeting if we get questions or we have a good conversation. So feel free to use the entire meeting.
E: So I'm Daniel, this is Omer. We're from Cider Security, we're based in Tel Aviv, Israel, both of us. I'm going to give you a little bit of context about Cider in case you haven't heard of us, and then we'll dive into both the Top 10 CI/CD Security Risks initiative and the CI/CD Goat that we released, I think, a month or two after we released the Top 10.

E: And of course feel free to interrupt if you have any questions or thoughts along the way. So Cider is a cybersecurity startup from Israel. We kicked off our journey almost a year and a half ago. We're based out of Tel Aviv in Israel, with a little bit of presence in Europe and in North America, with 70 employees, and besides being a catchy five-letter word, we're called Cider because the area of focus for us is CI/CD security.

E: I'm one of the founders, together with Guy Flechter, who was the CSO at AppsFlyer, a big Israeli unicorn, and we felt throughout the years how the application security domain has developed, or how the challenges that application security practitioners face have really changed.

E: Ever since DevOps and CI/CD became prevalent and became a commodity, the engineering ecosystem has changed a lot over the past, I would say, three, four, five years, with a larger diversity in the technical stack that's used for development and the technical stack that's used for deployment, a lot less manual processes, a lot more automation.

E: The time it takes to adopt new technologies is a lot shorter, there's a lot more usage of third parties, and so the ecosystem has evolved a lot and created a lot more challenges and a lot more opportunities for attackers to abuse engineering processes to get to production. And the objective of Cider, and our mission statement, is to empower application security practitioners to really address the current challenges of application security, having to do both with the security of the code, weaving in all the appropriate measures and controls to make sure that we're not shipping code or any other type of artifact with security flaws or security misconfigurations to production, but also with looking at our engineering ecosystem from the attacker's perspective, understanding the types of risks and the types of activities that attackers would carry out and be able to abuse within our engineering ecosystem, and then helping organizations uplift their CI/CD posture of each and every individual system involved in the CI/CD process and, of course, the way they interact and communicate with each other.

E: And obviously this is all bundled together within one single platform. A big part of what we're doing in Cider, besides developing a technology that helps AppSec practitioners meet today's challenges, is also to really spend a lot of time thinking about how we can empower the community and how we can help create knowledge and spark discussions within the community about the new flavor of risks around CI/CD. We've all witnessed, I think, in the past year or two, some really high magnitude and high exposure attacks and flaws, like the SolarWinds hack, like dependency confusion, like Codecov, like, you know, the bi-weekly compromise of an npm or Python package that's downloaded by millions of users and CI systems. And so the CI/CD ecosystem has become a really big target for attackers, and I think defenders lack not only the right technologies but also the right knowledge in order to cope with and tackle these challenges.

E: And so this is why we were highly motivated to get to work on projects like the Top 10, like the CI/CD Goat, to help defenders and the InfoSec community have good knowledge and good capabilities to understand the characteristics of today's risks and challenges. That's Cider in a nutshell.

E: Okay, so Omer and I led the Top 10 CI/CD Security Risks initiative.

E: Omer and I were excited from day one, and it was obvious for us, coming from an AppSec background, being exposed to projects like the OWASP Top Ten and the Serverless Security Top Ten and their impact on the community and how they contributed to making the ecosystems or domains they addressed more secure. Obviously we knew that creating an artifact that gathers all of the different risks and the technical characteristics of the different risks around the CI/CD ecosystem would have a tremendous impact and would be very helpful to the needs of the community.

E: So the motivation was really to create the equivalent of the OWASP Top 10 or the Serverless Security Top 10, only focused on CI/CD security risks. And the way we chose to tackle the challenge: obviously, CI/CD processes and systems and environments are very different and they vary, you know, depending on the different sizes of organizations and verticals, and every organization has different types of challenges and different levels of knowledge and capabilities to cope with the challenge. And so one of the guiding principles for us was to make sure we're making the Top 10 CI/CD Security Risks as relevant as possible to as many people and as many types of environments and technical stacks as possible. So the first thing we did was gather together, and I'll show this to you in the document later, as many details and documentations as we could about different types of hacks and security flaws that revolved around the CI/CD space. We analyzed the anatomy of CI/CD hacks and CI/CD flaws, and I think it was many, many dozens of these technical blogs and resources and write-ups that we analyzed and summarized, and we gathered the different types of flaws and the different types of behaviors that attackers carried out.

E: We combined that with many, many CI/CD environments and many organizations that we worked with before our tenure in Cider and during our tenure in Cider. So you know, we're fortunate enough to be in a position where we're analyzing different types of CI/CD environments and deployments and setups and configurations on a daily basis, and we partnered with many of the organizations that we worked with to understand some of the common denominators and some of the more prevalent challenges that organizations face.

E: We worked with Adrian, the CISO of Atlassian, and Astha, who leads AppSec at Netflix, and many other prominent figures in the AppSec industry, with that same motivation to not be reliant on our own knowledge and experience solely, but to make sure that, when we're gathering this huge artifact together, we're as diligent as possible and we gather as many perspectives as possible. And so what we did was fuse that knowledge and those insights coming from the discussions with the industry experts, from the research and analysis of environments that we did, and from reading and analyzing the anatomy of different types of attacks, flaws and hacks, and the result is this project, the Top 10 CI/CD Risks initiative.

E: There's a website for it. So obviously there are three ways to consume the Top 10 CI/CD Risks project. This is a short intro. The first is the website, the second is the PDF, and the third is the GitHub repo, which I'll show you in a sec.

E: So this is just a short intro into the changes that have occurred over the past years in the CI/CD ecosystem and their ramifications, or their meaning from the security perspective, the types of hacks and exposures that we as defenders witnessed, and then the actual risks. For each risk we have a consistent format, so, for example, this is the first risk: Insufficient Flow Control Mechanisms.

E: This risk specifically is relating to, as it is written here, how far an adversary can go down the CI/CD process and pipeline if they're able to obtain any set of permissions: what controls exist to prevent any single set of permissions from pushing malicious code or artifacts down the pipeline without any additional reviews or controls or approvals?

E: So for each risk we have the definition of the risk, a description, the impact from a cyber perspective, obviously what the attacker would be able to do, a set of technical recommendations that organizations and defenders could carry out to cope with the risk (by the way, the domain is cider.io), and then the references, which are the actual artifacts that I mentioned earlier.

E: The actual technical documents that we used, which contained abuse of that specific flaw or risk in question. And this format is consistent across each and every one of the risks that we have. We also have the repo, sorry, the GitHub repo for the project.

E: We made sure that we not only have the website but also the repo, because again, this is a contribution from us to the community, and the objective behind the repo is to allow anyone to contribute and share their thoughts, insights, knowledge and ideas around this. So this project in GitHub has the exact same content as the document, the PDF and the website that I showed earlier.

E: This is the list of experts that collaborated with us on the effort. You can see they're coming from different positions, different verticals, different organizations, but a lot of prominent figures in the industry, and, of course, the actual risks themselves. And again, the objective is for this to be a document that really sparks the discussion and helps the community steer the focus in the right direction as far as today's CI/CD risks and today's CI/CD security challenges that defenders face.

E: As far as what happened since we published the project and what's next for the project: it was very well received by the community and resonated with a lot of people.

E: We got a lot of great feedback around the document being very useful for the types of challenges that different types of organizations all over the world are facing, and obviously there are many different types of initiatives that are being carried out on top of the Top 10 CI/CD Security Risks, like the discussion we're having now. A lot of people reached out to us to see how they can adapt the findings and the insights from this within their day-to-day, within their organizations.

E: We talked about this in several podcasts and other types of meetups and gatherings. We're talking about this actually in San Francisco in less than a month, at the RSA Conference; we have a talk dedicated to the Top Ten. And we have many different discussions and forums and meetups here in Israel and abroad that are focused on talking about the Top Ten.

E: Obviously we're very keen and motivated to work with, you know, the CD Foundation and any other entity who's also as passionate as we are about securing CI/CD, to see how we can work together to capitalize on and maximize the potential of this, because again, the feedback so far was really good, and we do believe that this does have a very good potential to have a strong impact, and it has already had a strong impact on the industry.
C: In a minute, you can leave it on the slide for a moment. Okay, so hi, I didn't introduce myself yet. My name is Omer Gil. I also work at Cider Security, as Daniel said, leading research here, and I participated in writing the Top 10 CI/CD Security Risks project and also led internally, with my team, I mean with Daniel and Asi, who is also on this call, and a few more people from Cider, the Goat initiative, the Goat project.

C: So for those of you who are less familiar with the Goat-like projects, which is an unofficial term for a specific type of project, there are more than a few Goat projects, which is like a deliberately vulnerable system or application or environment with the purpose of helping a security practitioner, or anyone else who likes to learn how to hack a specific type of system or environment, by providing them with the environment.

C: They can do that and learn how to hack and then maybe also how to protect against specific types of risks. Some popular examples: OWASP, for example, released, I think, more than one Goat project for deliberately vulnerable web applications.

C: There was CloudGoat, for example, and we saw that when people talk about CI/CD risks and threats, many, many times we hear about misconfigurations and best practices, but when you want to learn about practical ways of hacking CI/CD and what an actual hack in this domain looks like, it's not that easy or straightforward to understand, and if you want to do a hands-on assignment for that, there are... to practice that. So nearly a year ago there was the DevOpsDays conference in Israel, those DevOpsDays, as you know, in many places.

C: So we gathered and thought about an interesting architecture that we can create, which can also be Docker-based, with all of the different systems that we usually see in CI/CD environments: there's a source control management system, there's a CI and a CD, and some system that simulates a production environment. We're going to talk about the specific architecture in a moment. We prepared this environment and thought about a few challenges that we created over this framework that was created just for the purpose of this conference, and a few dozen people joined us and participated in the workshop, and it was a pretty good success.

C: So we thought that it's a great opportunity to expand this project and make it open source and allow anyone in the world to practice hacking CI/CD environments and to practically understand the risks, I mean in the Top 10 CI/CD Security Risks project.

C: We did a lot of work in gathering all of the knowledge that we can, everything that we think is relevant, and put everything in a concise way, so anyone can consume it, but it's not the same as reading these materials; it's not the same as actually practicing it hands-on.

C: This is why we created the Goat, to complete the Top 10 initiative. We thought that when people practice it, it's much easier to consume this material. So this is this project.

C: We decided to take what we prepared for the workshop and make it more stable and open source, so anyone can participate and collaborate. I can show, maybe now I'll share my screen, just a moment. I'll show you the project.
C: Okay, so this is the GitHub project. You can find it here. You can also share it in the chat maybe while we speak, and also the Top 10 project, so anyone can access it if they want to. This is the CI/CD Goat. You can find it in our GitHub organization; the Top 10 is in the same GitHub org as well.

C: It got pretty good traction since we released it, as you can see, and we also already have some pull requests that were delivered and issues that were opened and we already resolved. I mean, we got some really good feedback on this project.

C: You can see the architecture here. It's based on Gitea, which is a light open source source control management system, for managing the whole code base, which is linked with Jenkins pipelines. There's also a Jenkins agent, all based on containers. There's LocalStack to simulate AWS.

C: We didn't want anyone to start deploying on AWS in order to use the environment. I wanted everything to be Docker-based and deployed on your own machines, which is much faster and easier to do, and free. There's also another HTTP server here, and there's CTFd. CTFd is a framework for CTF, capture the flag, challenges. I'm going to show it in a moment. This is where we manage the challenges.

C: There are ten different challenges here, some easier to solve, some harder to solve, and you can run it wherever you want, since it's all, again, Docker-based. You can see the solutions here in case you get frustrated and you want to get on the short path to solve the challenges, but in general it's really fun to really try the challenges, to try and break through the CI/CD to reach production or any other sensitive trophy that you need to catch as a baseline.

C: And then you understand if you got it right or not. I can also show you a quick demo if you want. I'm going to use this solution, so you can see how you can use it if you wanted to solve it. So, as you can see here, this is one of the challenges. It's called White Rabbit.

C: Each of the challenges here is inspired by Alice in Wonderland, including the description of the challenges. You can see that each challenge is also associated with one or more of the Top 10 CI/CD Security Risks from the initiative. Here you can see the CTFd platform.

C: You can see all the challenges and decide which one you want to begin with. For example, we can start with an easy one, White Rabbit, so you can see the description. In this case we need to steal flag 1, which is a secret stored in the Jenkins credential store, and you can use the different hints to solve it.

C: If it's too hard for you, and then eventually you put this here. There's also Gitea, where you can see all the different repos. There are private repos and public repos and different organizations. There are really complex scenarios here in the more complex challenges.

C: Okay, here you can see Jenkins with the different pipelines for each challenge, where you eventually probably need to execute malicious code there, or whatever. I mean, right now we have a user with really light permissions on Jenkins, and in most challenges you need to leverage your permissions on this system or in AWS, which is LocalStack, not real AWS.

C: So I can show a quick demo which is really straightforward. You can see again it's the White Rabbit one. Let's say that you need to access the flag 1 secret stored in the Jenkins credential store, but you only have access to Gitea. You have write permissions to the White Rabbit repository, which is linked with a pipeline on Jenkins.

C: There's a pipeline for White Rabbit, but I can't do much with it. I mean, I can't modify its code or configuration, I'm not an admin on Jenkins, I can't access the credential stores directly. If I see the solution, I mean go over it, I can see that the purpose is to conduct a direct Poisoned Pipeline Execution attack. This is a term that we coined in Cider, but it is an attack that was referenced a few times back by various people.

C: We released a blog post on it a few months ago, and it's one of the top 10 risks that we mentioned in the initiative.

C: If it's a Jenkinsfile or other files referenced by the CI configuration file, you can create a pull request or push to an unprotected branch with the purpose of triggering a malicious pipeline where your malicious code is executed, and then from there you can access production or access secrets stored in that CI instance. And we see this type of attack out there, I mean attackers that are able to put their hands on an access token for GitHub or GitLab, or an SSH key, or a username...

C: ...have access to one user, or even one repository on GitHub. If it's linked with a pipeline, it's much more than access to a repository, it's a gateway to your entire CI/CD pipelines, to a CI/CD environment and even to your production environment, because it's all linked together. And this is one of the messages that we want to deliver: that access to your source control system is not just access to your source code, which is serious enough, but it's much more than that. It's access to an entire ecosystem of the different CI/CD systems and production systems that are all linked together, working automatically with the different processes defined by the organization.

C: So, if we get back to the challenge, which is a really straightforward one, I can see that this White Rabbit repository contains a Jenkinsfile, which might hint at the fact that it's linked with a pipeline on Jenkins. In this specific scenario I also have direct access to Jenkins with low permissions.

C: So I can see that it's actually linked, but I can't do anything on Jenkins directly, but I do have permissions for the White Rabbit repository.

C: I'm really brave that I'm presenting a live demo here, so bear with me. I mean, it always fails, right, but I decided not to show you a pre-recorded video, so let's do this.

C: Changing the Jenkinsfile to print the secret, then I'll move on to Jenkins.

C: I need to keep this first line here, this space line here, so I'll skip it for now, but the main point is that eventually, with this pipeline that I would run, I'll be able to view the secret from the console output or from a remote server that I send this secret to. Then I get this secret and insert it here. I submit it and I can tell that I got it right.

C: This is a really straightforward challenge, but there are really complex challenges here, like code execution for pipelines or bypassing auto-merge rules, similar to the Codecov hack or to the hack of Homebrew. Some of these challenges were inspired by actual hacks or write-ups about security vulnerabilities that were found and reported.

C: So it's pretty cool and I really recommend you to try it out. Anything you want to...
E: No, I mean, just to reiterate on the fact that this is something that we built to help, just like the Top 10 project, to help spark the discussions and really contribute to the community, so that we have more people talking about CI/CD security, more people experiencing it and, you know, making the general state of CI/CD security better. This is again why this is on GitHub, and we have encouraged and we continue to encourage anyone who's interested to participate.

E: And you know, hopefully this will be something that other contributors outside of Cider would be able to add their own challenges to and customize. We've already received some feedback and ideas and insights, and also a lot of teams have spent quite some time solving these challenges, and so yeah, we're looking forward to seeing, you know, the potential of both the Goat and the Top 10.

E: We believe we're just scratching the surface for both projects as far as the potential and how many people are excited by these initiatives, and obviously we're also very appreciative and excited about the fact that you approached us and asked us to talk about this today, and we would love to hear your ideas and thoughts and insights about what we presented to you, but also what you believe are some ways that we can help.
A: Yeah, I think again this is related to this proof of concept.

A: I think in the discussions we have been having, Daniel, I saw you got the context, and one of the things as part of our SIG proposal was to look at this type of topic as well, not just what gets produced by our CI/CD pipelines or production systems, but also the CI/CD systems themselves, and the work you have done and, you know, the CI/CD Goat project is pretty relevant to why we went and proposed this special interest group. So how to bring it into what we are doing here, similar to what we discussed with Secure Software Factory folks like Mike Lieberman, others, also CNCF TAG App Security, TAG App Delivery group. I think we could take a look at what is there under CI/CD Goat and think of making that part of our proof of concepts with the systems and pipelines we are bringing up. It is not just about the stuff we are producing on our pipelines, but also includes these aspects, the, you know, challenges and so on.

A: So when people bring up such an environment, they can look at both things, CI/CD itself as well as what goes through CI/CD. I don't know if it makes sense to obviously increase the scope, but yeah, I think we have lots of things we can, you know, collaborate on and play with, especially after seeing the demo.
G: It could interleave with SLSA in a way, like SLSA is "here's what you should do with your supply chain," and this is sort of "here's what you should not do with your supply chain," right, here are all the counterexamples. I haven't had a map of whether they map nicely to the SLSA goals and objectives.
E: Yeah, I think SLSA is, I mean, obviously we're familiar with SLSA and it's still evolving. I think the project itself is amazing. It's still in the relatively early phases of its maturity, and so we're curious to see what it will evolve to, and obviously we're drawing a lot of inspiration from it, and we do believe it has the potential to be something that serves as a benchmark to organizations as far as where they are in terms of their supply chain security controls and what they need to do to be at a better place. I'm not entirely sure, yeah. I think, you know, SLSA is really coming at it from the builder's perspective or defender perspective. These projects are more focused on helping defenders have a better view of the attacker's perspective.

E: But yeah, I mean, if you guys have any ideas on different types of collaboration or fusion between them, then we're really motivated to do whatever we can to collaborate with anyone that's interested in collaborating with us on this.
F: So there was this one thing that you showed where, you know, like someone can actually go into this pipeline and then just, you know, print out the credentials, right. So that is an issue that we actually have with Jenkins X, which is why we don't show the pipeline logs to users. So this was very nice to see, that this is one of the tests, or one of the checks. So yeah.
A: Yeah, that brings up an additional question to you, Daniel and Omer. I think, Ankit, you asked a similar question when we were having the Secure Software Factory presentation, and that initially picked Tekton as their CI/CD tool. As you know, CDF is home to Tekton, Spinnaker, Jenkins, Jenkins X, Screwdriver. I suppose, if we try to do something similar for Tekton, just as an example, that could be contributed to your repo, CI/CD Goat.
F: Right, so, you know, Jenkins X can be installed on a local Kubernetes cluster, so you can have it installed on, you know, minikube or k3s, so we can probably do something like that. I don't know how well we support, you know, Gitea here.

F: Like the last time I checked, it did not really work that well, but that is something that we can fix, so yeah, that would be nice. Or we can just use, you know, GitHub, like a personal GitHub account for the tests, and then eventually improve, yeah.
H: I just wanted to say thank you for the demo, that was great, and for talking about the project. I'm quite excited to have a go at the challenges, and similar to Ann Marie, I was thinking of how it could work with more best practice standards, and I know that Terry's been working quite a lot within our Best Practices SIG. So maybe Terry, you have some ideas of how it could fit with the work that you're doing now.
B: Well, we can certainly give some thought to how we might be able to integrate that. If nothing else, we do provide a resources section in Best Practices where we could potentially link out to that as a further source of information.
E: Yeah, I think also, I mentioned this just briefly, but you know, obviously the projects are coming from the attacker's perspective, but they're oriented towards defenders, and so we do have quite a lengthy section within each and every one of the top 10 risks about the types of controls and measures that defenders can take to cope with those risks.
E
A
Yeah
thanks
out
for
joining
like,
I
am
just
going
to
ask
one
more
time,
like
any
other
comments
or
questions
from
anybody
else
before
we
start
wrapping
up
the
meeting.
A
Okay,
so
daniel
homer,
I
have
your
mail
addresses
now
I
don't
have
to
go
through
links
anymore,
so
I
will
definitely
reach
out
to
you
when
you
know
I
have
questions,
but
please
feel
free
to
join
to
our
slack
channel.
We
have
a
channel
for
software
supply
chain,
sig
dash,
I'm
sure
you
know
cdf
slack.
If
not,
I
can
share
the
slack
invite
with
you
and
as
unmary
highlight.
A
I think we have opportunities to collaborate, like bring these aspects into the work we are doing, to our discussions, as I know that at the very beginning the conversation is around all of the stuff that goes through the pipelines or the CI/CD systems, but what about the CI/CD systems themselves? That is an interesting aspect, and we could perhaps look at contributing to the overall effort being done through the state of software supply chain.
A
So again, thank you very much for joining our meeting and presenting the Top 10 CI/CD Security Risks, as well as CI/CD Goat, and.
A
I hope you can see this. So this is the document we are talking about, and the news I promised to give is: I am looking for resources to start bringing up this PoC. So if any of you are interested in access to a Secure Software Factory deployment, just reach out to me on Slack, so I can share access details with you once we have the deployment there, and you can go and try the Secure Software Factory, create new types of things, and perhaps look for ways to contribute them back to Secure Software Factory.
A
So that is one thing, to get an actual deployment to play with things. The other thing is about whether we should think of moving this document, or turning this document into a pull request, because I haven't received any notifications from HackMD. Terry, you're saying you didn't receive notifications either, so we can perhaps move this to GitHub and have better collaboration there.
A
So that is one topic. Let me put the link in the chat as well, so you can take a look at it while we move the document. And the other topic was the pull request I sent. Thanks, Anne-Marie, it's great that you are here today with us. I simply went and added a few more, two or three, stages into the stages terminology you had in the Interoperability document, and you already provided some comments there.
G
By the way, I did get a little bit of useful information on the steps. Like, you could imagine, you know, we're trying to do some logic around these step and stage types, well, mostly the step types, the lower level ones, like saying: okay, if you have run somebody's static application security tester, then you're good, right. There could be a temptation to almost build like a dependency tree of these things.
G
Like, say there are some types of these, but the feedback that we got from somebody who's done a lot of work on build systems before is that we should try to keep it flat. Like, we don't want a tree of step types, we just want a flat list, because when you get into dependency trees, it gets super hard to process them. So, you know, just something to keep in mind that I didn't think of initially.
G
A flat list, actually, yeah, so we should just keep it simple. Okay.
A
Anyway, yeah, so thanks a lot for that. So, like, I don't know how we should go at this PR, like, if anyone in this meeting or anyone else has any major concerns, then please highlight them here, because the things are in the details, you know. Starting to look into steps will really help us to see what we already know about or think of doing, and what we may be missing, because someone may come and say: okay, you have all these great steps here, building stuff and scanning the source code, and so on, like identifying licenses.
A
If no one else has anything else to add, I want to thank all of you for joining today, and before I let all of you go: we will have a presentation on a new project, Cartographer, during our next meeting, which will be on the 26th of May, and it was originally James Rawlings we planned to present the project to us.
A
He was a contributor to the Special Interest Group Interoperability and Jenkins X and all these things, but unfortunately he won't be able to make it to our meeting, but two of his colleagues will join our next meeting and talk about Cartographer, which also talks about supply chains, like all of us. So please join the next meeting if you want to see what this project is about and talk with the people behind the project.