Attacking CI/CD by Reza (DevSecops Guides), 2025
In CI/CD (Continuous Integration/Continuous Deployment) environments, several methods and attacks can compromise security. Code Injection involves injecting malicious code into the build pipeline, exploiting vulnerabilities in the build system or dependencies, potentially leading to the execution of unauthorized commands or access to sensitive data. Dependency Attacks target vulnerabilities in third-party libraries or dependencies used in the CI/CD pipeline, exploiting them to introduce malicious code or cause failures. Artifact Tampering manipulates the build artifacts (e.g., binaries, containers) to include malicious payloads or vulnerabilities, which can be deployed to production systems. Pipeline Hijacking involves gaining unauthorized access to the CI/CD environment to alter build configurations, steal secrets, or inject malicious code into the pipeline.
Credential Exposure occurs when sensitive credentials or secrets (e.g., API keys, tokens) are hardcoded or improperly managed, making them accessible to attackers who can use them to gain unauthorized access. Phishing and Social Engineering tactics target developers or CI/CD administrators to trick them into revealing access credentials or executing malicious commands. Denial of Service (DoS) attacks can overwhelm CI/CD systems, disrupting the build and deployment processes. Misconfiguration of CI/CD tools and environments can inadvertently expose systems or data, leading to potential security breaches. Each of these methods requires vigilant security practices, including secure coding, regular dependency audits, and robust access controls, to mitigate risks in CI/CD workflows.
• CI Debug Enabled;
• Default permissions used on risky events;
• GitHub Action from Unverified Creator used;
• If condition always evaluates to true;
• Injection with Arbitrary External Contributor Input;
• Job uses all secrets;
• Unverified Script Execution;
• Arbitrary Code Execution from Untrusted Code Changes;
• Unpinnable CI component used;
• Pull Request Runs on Self-Hosted GitHub Actions Runner;
• Mitigation Strategies;
• Example GitHub Actions Workflow;
• RCE via Git Clone;
• Resources
See also:
📌 Attacking and Securing CI/CD Pipeline by Hiroki Suezawa, October 20, 2021
#SecDevOps
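As an added illustration of several items in the list above (default permissions on risky events, an unpinnable CI component, a job that sees every secret, an always-true if condition, and injection of external contributor input), here is a GitHub Actions workflow written for this post; it is not code from Reza's guide or the linked article. Each weak setting appears in a comment directly above its corrected form. The commit SHA used for pinning, the secret name DEPLOY_TOKEN and the script path are placeholders.

```yaml
# Added example (not from the referenced guide): hardening a GitHub Actions workflow.
# Each "WEAK:" comment names the setting the checklist above flags; the
# uncommented line beneath it is the corrected form.
name: ci

on:
  pull_request:            # fork code is untrusted: it must run with a read-only token
  push:
    branches: [main]

# WEAK: omitting `permissions` inherits the repository default, which can be
# read-write for every scope on every event, pull requests included.
permissions:
  contents: read           # least privilege for GITHUB_TOKEN

jobs:
  build:
    # WEAK: `runs-on: [self-hosted]` for pull_request events lets code from a
    # fork execute on your own infrastructure; use hosted, ephemeral runners.
    runs-on: ubuntu-latest
    steps:
      # WEAK: `uses: actions/checkout@v4` (a mutable tag can be moved later).
      # Pin to a full commit SHA. The value below is a PLACEHOLDER, not a real digest.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)

      # WEAK: run: echo "PR title: ${{ github.event.pull_request.title }}"
      # The expression is substituted into the shell script before it runs, so
      # contributor-controlled text becomes shell syntax. Passing it through an
      # environment variable keeps it as data.
      - name: Show PR title safely
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: printf 'PR title: %s\n' "$PR_TITLE"

      # WEAK: enabling step debug logging repository-wide (ACTIONS_STEP_DEBUG)
      # writes extra runtime detail into logs that are public on a public repo.
      - run: npm ci && npm test

  deploy:
    needs: build
    # WEAK: a condition that mixes literal text with ${{ }} fragments, e.g.
    #   if: "${{ github.event_name == 'push' }} && github.ref == 'refs/heads/main'"
    # evaluates to a non-empty string and is therefore always true.
    # Write the whole condition as one expression instead:
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    environment: production     # approval gate plus environment-scoped secrets
    permissions:
      contents: read
      id-token: write           # OIDC federation to the cloud provider, no long-lived key
    steps:
      # WEAK: handing every repository secret to the job (for example calling a
      # reusable workflow with `secrets: inherit`). Expose only what the step needs.
      - name: Deploy
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}   # placeholder secret name
        run: ./scripts/deploy.sh                     # placeholder script path
```

The same checks can be run mechanically in review: a workflow that lacks a top-level `permissions` block, references an action by tag rather than SHA, or interpolates `github.event.*` fields directly inside `run:` is the pattern each of the listed findings describes.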
Attacking Pipeline by Reza (DevSecops Guides), 2025
DevOps pipelines, which integrate and automate the processes of software development and IT operations, have become critical for rapid and continuous software delivery. However, their extensive automation and integration capabilities make them attractive targets for cyberattacks. One significant threat is the insertion of malicious code through compromised repositories or Continuous Integration/Continuous Deployment (CI/CD) tools. Attackers can exploit vulnerabilities in pipeline tools or use social engineering to gain access, allowing them to insert backdoors or malware into the codebase.
Furthermore, the reliance on third-party tools and libraries within these pipelines can introduce security risks if these dependencies are not adequately vetted or monitored. Once the pipeline is compromised, the malicious code can propagate quickly, leading to widespread and potentially catastrophic impacts on production environments.
Security issues in DevOps pipelines also stem from misconfigurations and insufficient access controls. Often, credentials and sensitive data are inadvertently exposed through improper configuration management or poor secret handling practices, such as hardcoding credentials within scripts. Inadequate segmentation and over-privileged access can also exacerbate the problem, allowing attackers who gain a foothold in one part of the pipeline to move laterally and escalate their privileges. Abuse of the pipeline can result in unauthorized deployment of code, data breaches, and significant disruption to services. To mitigate these risks, organizations need to implement robust security practices, including regular security audits, continuous monitoring, strict access controls, and the use of security tools designed to detect and prevent threats within the DevOps lifecycle.
• DevOps resources compromise;
• Control of common registry;
• Direct PPE (d-PPE);
• Indirect PPE (i-PPE);
• Public PPE;
• Changes in repository;
• Inject in Artifacts;
• User/Services credentials;
• Typosquatting docker registry image;
• Resources.
See also:
📌 Compromising CI/CD Pipelines with Leaked Credentials by Security Zines, 2022
📌 Attacking GitLab CI/CD via Shared Runners by Denis Andzakovic, 2023
📌 Compromising the Code: Inside CI/CD Pipeline Attacks, Urshila Ravindran, 2025
📌 Securing CI/CD Pipelines: Common Misconfigurations and Exploits Paths by Charlie Klein, 2025
#SecDevOps
Embold Static Code Analysis Platform
Embold is a static code analyser that belongs in any DevSecOps process. It lets you manage and control the quality of software development projects.
Embold is free for open-source projects and is available either as an on-premises solution or as SaaS; in the latter case all data is stored securely in the cloud, and the connection between browsers and the tool is encrypted with SSL for security.
The free tier includes 5 user seats and 5 code scans of up to 50 thousand lines each.
❗️ Official page
#AppSec #SecDevOps
][AKEP E-ZINE, special limited paper edition, 3rd release, spring 2025
❤️🔥 Best materials 2019 - 2021❤️🔥
Issue 249, p.79 by Ivan Piskunov
#info
Welcome to Black Hat USA 2025 ☄️
August 2-7, 2025 Mandalay Bay / Las Vegas, NV, U.S.
The biggest infosec event of the year is back, and so are we!
Black Hat USA is the world's leading information security event, providing attendees with the very latest in research, development and trends. Black Hat USA returns to the Mandalay Bay Convention Center in Las Vegas with a 6-day program that opens with four days of technical Trainings followed by the two-day main conference featuring Briefings, Arsenal, Business Hall, and more.
❗️Official page
👀 2024 Highlights
🏆 All materials will be there
#event
🛡Personal blog with original articles that incorporate research security issues and practical experience in applying best practices of SecDevOps and Secure SDLC
#info
Cybersecurity Specialist profession, SkillBox, updated version, 2024
An information security systems (ISS) specialist builds defences for company servers to prevent data leaks. In the course you will learn to find vulnerabilities, repel attacks on servers and minimise the consequences of intrusions. You will master a profession whose demand is growing both in Russia and worldwide.
❗️ Official site
#education #newbie
Профессия_специалист_по_кибербезопасности_part18.rar
1.2 GB
Formula of success: Knowledge (10%) + Thinking (40%) + Environment (50%)
Thomas J. Leonard's famous formula of success, proven back in the 20th century and successfully applied in practice for more than 30 years: success is shaped mainly by one's environment, and its components carry the following relative weights:
🔻 knowledge: 10%;
🔻 thinking: 40%;
🔻 environment: 50%.
Explore the topic further:
📌 Career success may be driven primarily by self-confidence rather than knowledge
#great
Windows Privilege Escalation for Beginners, TCM Security (Udemy), 2020
This course focuses on Windows Privilege Escalation tactics and techniques designed to help you improve your privilege escalation game. Students should take this course if they are interested in:
📌Gaining a better understanding of privilege escalation techniques
📌Improving Capture the Flag skillset
❗️Official page
➡️ Download via Cloud
#education #windows
Hack The Box - Learn Cyber Security & Ethical Hacking in Fun, OAK Academy Team, 2023
HackTheBox & Kali Linux: Boost Cyber Security, Ethical Hacking and Penetration Testing skills in prep for certified hacker
Hack The Box is a massive hacking playground and infosec community of over 1.7m platform members who learn, hack, play, and exchange ideas and methodologies.
An online cybersecurity training platform that allows individuals, businesses, universities, and all kinds of organizations all around the world to level up their offensive and defensive security skills through a fully gamified and engaging learning environment.
Join a dynamically growing Hack The Box hacking community and take your cybersecurity skills to the next level through the most captivating, gamified, hands-on training experience!
❗️Official page
➡️ Download via Cloud
#education #pentest
Ethical Hacking and Cybersecurity with Artificial Intelligence, 2025
Learn the basics of ethical hacking, find vulnerabilities and use artificial intelligence to raise the level of cybersecurity and penetration testing.
❗️Official page
➡️ Downloads via Cloud
#education #AI
Start Hacking Education Journey with TryHackMe & HackTheBox
TryHackMe (THM) is a free online platform for learning cyber security through hands-on exercises and labs, all in your browser. HackTheBox (HTB) is an online platform that lets you test your penetration testing skills and exchange ideas and methodologies with other members with similar interests. It contains several challenges that are constantly updated.
Linux plays an incredibly important part in the job of a cybersecurity professional. Specialized Linux distributions such as Kali Linux are used by cybersecurity professionals to perform in-depth penetration testing and vulnerability assessments, as well as to provide forensic analysis after a security breach.
➡️ Download via Magnet + Mirror
See also:
📌 From Beginner to Expert Tryhackme Walkthrough
📌 TryHackMe - Home Work (GitHub)
#education #pentest