Reverse Engineering and Exploiting Builds in the Cloud, presented at Black Hat Europe 2019

by Etienne Stalmans, Chris Luft

Summary: Continuous Integration, Delivery, and Deployment (CI/CD) and containers are common terms in today’s IT landscapes and core approaches for modern software development and operation. We will give a short, to-the-point introduction to CI/CD as it relates to building containers, aimed at hackers, auditors, and everyone involved in the SDLC process. Based on this understanding, we will describe and demo various security pitfalls of multi-tenant cloud build environments that provide container-based build environments. The demos presented are based on real-world examples that were identified during the assessment of various cloud container build systems. Several new and lesser-known attack vectors and their associated remediations will be covered.