CI/CD toolchain which builds and deploys the infrastructure and code into production is as critical as a production-grade system. CI/CD pipelines are at the heart of daily operations for many organisations today, also the place in our technology stack where our infrastructure has access to many different resources, from development and production environment to analytics keys and code signing credentials.
With such wide access comes security considerations making CI/CD tools effectively extend the attack surface of our production system to our build and automated test and deployment environment. We should always keep in mind that the attack vectors are not always external, internal threats always exist.
Medium
This blog post is an attempt to explain how malicious insiders, penetration testers, or attackers with limited privileges can target CI/CD tools to penetrate deep inside and gain access to the information infrastructure. The term developer in the blogpost refers to Developers with limited access, Grey box Penetration testers, and hackers who gained access to internal infrastructure.
This blog post is originally published at https://cloudsecguy.dev
Top comments (0)