The Heroku and Travis-CI credential compromise – Action items for defenders
This weekend, GitHub security announced that they are investigating malicious activity, which appears to indicate that credentials associated with Travis-CI and Heroku GitHub integrations were compromised, and are actively used by threat actors to access private information of GitHub tenants which have installed these integrations. The fact that these applications are very common, combined with...
The Top 10 CI/CD Security Risks – Official Release
Today, we are proud to announce the release of the “Top 10 CI/CD Security Risks project” This extensive effort was led by Omer Gil, Director of Research at Cider Security, and myself, in collaboration with some of the industry’s top Application Security experts: Iftach Ian Amit (Advisory CSO @ Rapid7) Jonathan Claudius (Director of Security...
Why generating SBOM based on your code is far from enough
This isn’t yet another blog giving the SBOM 101. There is an abundance of those. This is a deep dive into things we need to consider to generate the most accurate SBOM. Authors Rotem Bar, Head of Research @ Cider SecurityDaniel Krivelevich, CTO @ Cider Security The more our industry learns about SBOM (Software Bill of Materials),...
Exploiting Jenkins build authorization
The default build authorization configuration in Jenkins — controlling the permissions allocated to pipelines — is insecure and is often left unmodified in production environments. To address this issue, you should use the “Authorize Project” and the “Role-Based Authorization Strategy” plugins to define secure build authorization configurations.
PPE — Poisoned Pipeline Execution
Dev environments have become a major part of today’s attack surface. And within them, the most lucrative assets are the systems responsible for CI and CD — those that build, test, and deploy code — and typically possess the secrets and access to the most critical assets of the organization. So it’s only natural that attackers are continuously on the lookout for novel ways to gain access to these systems.
Secret Diver — Searching for deeply hidden secrets
Docker images are composed of layers. These containers, even after modifications and updates, may have secrets hiding in previous layers. One often overlooked but vital practice should be to check and verify that these layers don’t expose your secrets.
We have built a tool that searches the different layers in a fun and easy way.
Our dependencies are under attack, and this time we were lucky…
In the past few weeks, our world infrastructure has been under attack. The attack is very simple: Find a dependency package most of the world is using, hack into the developer’s account and update to a new version with some malware inside. Why was this possible? How can we protect ourselves? What are the potential problems and how can we address them?
Visualizing CI/CD from an attacker’s perspective
CI/CD environments and processes are increasingly becoming a key area of focus for both hackers and — consequently — for defenders. At Cider Security, we believe that visualizing these environments and modeling the relationships between the different objects in them is a key guiding principle for anyone interested in building the necessary capabilities to protect CI/CD...
NPM might be executing malicious code in your CI without your knowledge
Optimizing your resilience against Log4Shell
Collection of actionable measures — across Prevention, Mitigation, Detection and assessment — for coping with the Log4Shell chaos
Malicious code analysis: Abusing SAST (mis)configurations to hack CI systems
I recently found a new method that allows secure code analysis mechanisms to be bypassed and even worse — abused to execute malicious code on their host. This allows anyone with access to a source control repository to run malicious code in sensitive environments — which may be abused to steal credentials, access tokens and more.
This is a result of ongoing research around exploiting SAST scanners that was first presented at DEF CON 29 this summer.
Bypassing required reviews using GitHub Actions
A newly discovered security flaw in GitHub allows leveraging GitHub Actions to bypass the required reviews mechanism and push unreviewed code to a protected branch, potentially allowing malicious code to be used by other users or flow down the pipeline to production.