2025-12-13, Track 2
What's a key component in today's CI/CD landscape with (broad) access to your environment?
Execution agents. These are your build servers, where your pipelines run. They have a few gotchas:
(1) They have direct access to the environments you are deploying to;
(2) They are complex, with plenty of layers that make attestation, detection and attribution hard;
(3) They are less scrutinized and their criticality is often underestimated, compared to classic compute workloads.
"So what?" you ask. Isn't this "just" an insider threat scenario? How would someone even get onto the machine, especially in an organization with multiple layers of defense? Direct access to the build agent is needed - OR is it? (That was slightly sarcastic - it's not needed; let me show you.)
By the end, build server security will be top of mind and (hopefully) on someone's @TODO list.
In the first part of the talk I will raise awareness of why execution agents (aka build servers) matter in the CI/CD environment. Once we understand where they sit in the current environment, I'll move on to a few scenarios that explore the relationship between access vectors and impact:
Access vectors: Insider threat, compromised user account, malicious or vulnerable binary/package (supply chain).
Impact: Data/secret exfiltration, Denial of Service/Wallet, Persistence/Lateral movement, Compromise of internal artifacts, Stop/tamper with security tooling.
The second part of the talk goes slightly deeper on the technical side, but not too much. To show that these sorts of exploits are more likely than not:
I'll dive deep into a couple of scenarios of medium complexity involving trojanised payloads and overwriting malicious DLLs.
There are a few mental notes to jot down and be aware of, which I'll drop throughout. I'll suggest actions to prioritize, describe what makes them the biggest bang for the buck and what challenges will be faced.
I'll bring my experience of actually trying to implement some of the actions I'm recommending.
