Sign up to save your podcasts
Or
Share Is your CI/CD Pipeline your Biggest Security Risk?
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Is your CI/CD Pipeline your Biggest Security Risk?
How CI/CD Tools can expose your Code to Security Risks? In this episode, we’re joined by Mike Ruth, Senior Staff Security Engineer at Rippling and returning guest, live from BlackHat 2024. Mike dives deep into his research on CI/CD pipeline security, focusing on popular tools like GitHub Actions, Terraform, and Buildkite. He reveals the hidden vulnerabilities within these tools, such as the ability for engineers to bypass code reviews, modify configuration files, and run unauthorized commands in production environments.
Mike explains how the lack of granular access control in repositories and CI/CD configurations opens the door to serious security risks. He shares actionable insights on how to mitigate these issues by using best practices like GitHub Environments and Buildkite Clusters, along with potential solutions like static code analysis and granular push rule sets. This episode provides critical advice on how to better secure your CI/CD pipelines and protect your organization from insider threats and external attacks.
Guest Socials: Mike's Linkedin
Podcast Twitter - @CloudSecPod
If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:
- Cloud Security Podcast- Youtube
- Cloud Security Newsletter
- Cloud Security BootCamp
Questions asked:
(00:00) Introductions
(01:56) A word from episode sponsor - ThreatLocker
(02:31) A bit about Mike Ruth
(03:08) SDLC in 2024
(08:05) Mitigating Challenges in SDLC
(09:10) What is Buildkite?
(10:11) Challenges observed with Buildkite
(12:30) How Terraform works in the SDLC
(15:41) Where to start with these CICD tools?
(18:55) Threat Detection in CICD Pipelines
(21:31) Building defensive libraries
(23:58) Scaling solutions across multiple repositories
(25:46) The Fun Questions
Resources mentioned during the call:
GitHub Actions
Terraform
Buildkite
Mike's BSidesSF Talk
View all episodes
By Cloud Security Podcast Team
5
5454 ratings
How CI/CD Tools can expose your Code to Security Risks? In this episode, we’re joined by Mike Ruth, Senior Staff Security Engineer at Rippling and returning guest, live from BlackHat 2024. Mike dives deep into his research on CI/CD pipeline security, focusing on popular tools like GitHub Actions, Terraform, and Buildkite. He reveals the hidden vulnerabilities within these tools, such as the ability for engineers to bypass code reviews, modify configuration files, and run unauthorized commands in production environments.
Mike explains how the lack of granular access control in repositories and CI/CD configurations opens the door to serious security risks. He shares actionable insights on how to mitigate these issues by using best practices like GitHub Environments and Buildkite Clusters, along with potential solutions like static code analysis and granular push rule sets. This episode provides critical advice on how to better secure your CI/CD pipelines and protect your organization from insider threats and external attacks.
Guest Socials: Mike's Linkedin
Podcast Twitter - @CloudSecPod
If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:
- Cloud Security Podcast- Youtube
- Cloud Security Newsletter
- Cloud Security BootCamp
Questions asked:
(00:00) Introductions
(01:56) A word from episode sponsor - ThreatLocker
(02:31) A bit about Mike Ruth
(03:08) SDLC in 2024
(08:05) Mitigating Challenges in SDLC
(09:10) What is Buildkite?
(10:11) Challenges observed with Buildkite
(12:30) How Terraform works in the SDLC
(15:41) Where to start with these CICD tools?
(18:55) Threat Detection in CICD Pipelines
(21:31) Building defensive libraries
(23:58) Scaling solutions across multiple repositories
(25:46) The Fun Questions
Resources mentioned during the call:
GitHub Actions
Terraform
Buildkite
Mike's BSidesSF Talk
More shows like Cloud Security Podcast
View all
Risky Business
361 Listeners
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
629 Listeners
The Cloudcast
153 Listeners
Defensive Security Podcast - Malware, Hacking, Cyber Security & Infosec
368 Listeners
CyberWire Daily
1,011 Listeners
AWS Podcast
201 Listeners
Smashing Security
313 Listeners
Malicious Life
925 Listeners
Darknet Diaries
7,821 Listeners
Cybersecurity Today
164 Listeners
CISO Series Podcast
188 Listeners
Hacking Humans
310 Listeners
Defense in Depth
78 Listeners
Cyber Security Headlines
119 Listeners
Risky Bulletin
33 Listeners