All the content from my Troopers 19 talk
staaldraad/troopers19
Troopers 19

This repository contains all the content from the talk I gave at Troopers 19.

Abstract

Link: https://www.troopers.de/troopers19/agenda/e93wet/

Supply-chain attacks have come to the fore recently, as more and more companies move towards DevOps. This talk demonstrates attacks against the software used to manage and download source code, and shows how they affect the whole software supply chain and DevOps pipeline.

In this talk I'll be demonstrating attacks against the software used to retrieve source code and software packages. The talk starts by examining CVE-2018-11235, a vulnerability in git, and how it could lead to code execution. From there we look at the surprising number of places, such as Docker, Kubernetes, npm, and the golang package manager, where this vulnerability could be exploited by an attacker. We then progress to vulnerabilities in the package and source-code managers of various languages. I will demonstrate a vulnerability in go get that leads to RCE (CVE-2018-16873). Other security issues in source-code and package managers will also be examined. The talk closes by examining possible defences against these types of attacks and how the DevOps pipeline can be hardened so that these issues are no longer exploitable.

Slides

The slides are published here and include speaker notes: Google Slides Presentation

Alternatively, there is a pdf copy in the repo: Troopers_2019_slides.pdf

Demos (videos)

Blog posts