Compromising CI/CD Pipelines with Leaked Credentials [Security Zines]

Thomas Segura -

Security Zines' Rohit Sehgal is back with an example case of how forgotten Jenkins credentials can lead to the complete compromise of a software supply chain.

Let's see:  

1. What is a Jenkins pipeline?
2. What is CI/CD?
3. Why credentials are required in pipelines?
4. Problems with credentials.
5. Attack Scenario.

If you enjoyed the zine, spread the word and share it around!

🙌
Security Zines is a project led by Rohit Sehgal, Staff Security Engineer at Gojek. Check out his work at securityzines.com/#comics and give him a follow on Twitter @sec_r0 to see what he comes up with next!

Want to learn more about supply chain security?

Here's everything you need to get from zero to hero:

How To Secure Your CI/CD Pipeline
After CircleCI breach, it is a good moment for any team relying on CI/CD infrastructure to review their pipeline security as there are some steps they can take to be proactive.
GitGuardian Blog - Automated Secrets DetectionDwayne McDaniel
Supply Chain Attacks: 6 Steps to protect your software supply chain
This article looks at software supply chain attacks, exactly what they are and 6 steps you can follow to protect your software supply chain and limit the impact of a supply chain attack.
GitGuardian Blog - Automated Secrets DetectionMackenzie Jackson
Codecov supply chain attack breakdown
Codecov recently had a significant breach as attackers were able to put a backdoor into Codecov to get access to customers’ sensitive data. This article reviews exactly what happened, how attackers gained access, how they used sensitive information and of course, what to do if you were affected.
GitGuardian Blog - Automated Secrets DetectionMackenzie Jackson
Best practices: 5 Risks to Assess for a Secure CI Pipeline
More and more parts of the software development process can occur without human intervention. However, this is not without its drawbacks. To keep your code and secrets safe, you should add the following security practices to your CI pipeline.
GitGuardian Blog - Automated Secrets DetectionGuest Expert
How can engineering leaders mitigate software supply chain threats?
This report from Gartner outlines the best practices to thwart supply chain attacks targeting developers, open-source artifacts, and DevOps pipelines.
GitGuardian Blog - Automated Secrets DetectionZiad Ghalleb

CodeCov breach explained - Video

Don't forget to bookmark these links and share them with your developer friends and colleagues!