Over the past ten years, the development environment in which software is being developed has changed dramatically: with the spread of DevOps culture and the increased use of Cloud infrastructures, and applications are now deployed through CI/CD pipelines. In addition, development is now conducted not only in the office, but also outside the company.
In this slide, we will discuss how to attack and secure modern production environments, mainly from the perspective of client-side attacks using malware and supply-chain attacks, and explain comprehensive attack methods and measures, followed by hands-on exercises.
In hands-on exercises, You can decrypt your browser's cookie and password, and other credentials. Then you create a new CI/CD pipeline for automated deployment and Infrastructure as Code, attacking and securing them on your hand!
[Table of Contents]
Chapter 1: Introduction - The Changes in the Development Environment and the Attack paths
Understand that there is an attack path from the client side, as outlined below
- Recent trends in the development environment
- Differences in attack paths due to changes in the development environment
- Overview of targeted attacks and models of attack methods
Chapter 2: What remains for development devices
Learn what happens in a successful attack on a development device and think about what you can do as a developer to improve security
- Understanding the attack flow of targeted attacks
- Credential Access on developer devices
- Considering how to protect credentials
Chapter 3: CI/CD pipeline security
Learn about the new risky component: CI/CD pipeline, and why it is dangerous.
- Understanding CI/CD pipeline
- Understanding and practicing attacks targeting CI/CD pipeline
- Considering how to protect CI/CD and understand the limitations
[Hands-on Exercises] (https://github.com/rung/training-devenv-security)
- Preparation: Setup Google Cloud and GitHub
- Exercise 1: What credentials your PC has
- Exercise 2: Try to secure your token
- Exercise 3: Make and try continuous deployment and Infrastructure as code
- Exercise 4: CI/CD Attacks
- Exercise 5: Secure your CI/CD pipeline
We use GitHub as Source Code Management and Google Cloud as a public cloud in this exercise, but the contents of the slide can apply to others