I'm not a software dev, nor am I even in a software-centric or security-centric role, but I love watching your videos and love learning about cybersecurity! You make this field accessible even to people with only moderate technical knowledge.
Really cool, John. I am happy to see someone put in a lot of hard work on this as, like you say, not a lot of people have access to production tools like this. This kind of environment is so dynamic, and very few people in an org may even understand all of the moving pieces. Then tack on things like Ansible [Tower], MQTT, etc. and other APIs of the things you want to actually control (end user devices through the network, VMware ESXi, etc.) and you have a ton of avenues for attack to cover.
As a DevOps Engineer I've been waiting for this
I am a DevSecOps engineer. I use Azure DevOps with Azure Key Vault to pull in secrets, and their values are never exposed, and you can add great governance around who can trigger a pipeline and who is authorised to execute a pipeline. It is great to see exposure in this space; there are many environments I see that lack pulling secrets from external vaults or don't add restrictions on who can execute a pipeline. Great video, thanks for highlighting these security risks for DevOps engineers.
Usually i'm not this guy, but please take a few of these mate:
..................,,,,,,,,,,,,,,,,,,,,,,,,,??????!!!!!!!!!!
*I like the way you debunk almost everything*
Sweet! Thanks for the video John!! Have a blessed day!
Just discovering your channel, awesome stuff!
He is a pedagogical analyst who deals with the truthfulness of computer data, which is more than important; it is not within reach of the common user. Congratulations.
This is really cool. As a non-dev but dev adjacent person, this is an awesome tool.
computer security beast J.Hammond
Excellent work sir❤keep it up
Yoooooo.....
This is liquid gold !!!!
Nice timing, John. I'm doing DevOps and a CI/CD pipeline is a must. My next goal is DevSecOps, which is why I'm trying to pass the CKS. Nowadays I'm trying to build pipelines (with Tekton and GitLab also) for image scanning and so on. Thanks for this video, hope you will share more videos about such important things.
Hi, I don't understand English; I only get roughly what it's about. I just know that your work is very important. Congratulations.
As a programmer currently working on CI/CD workflows for multiple projects, I’m personally offended people would come for these tools. We really do have to be worried about security everywhere we go 😭
It's a reckless world.
The thing is that security is in everything. One might find it ridiculous to put a magnet sensor connected to an alarm on a bathroom window, but think about it - every weakness in your system is an intruder's strength. Just because you think nobody is going to think about going there to bypass security doesn't mean it is so. Try thinking like a hacker. Try to think about every possible way one could intrude into your system. And yes, try to think about the most ridiculous possibilities as well. If you find a vulnerability in your own system, even in the most unthinkable places you could imagine, then you've got an issue.
This CI/CD vulnerability was actually abused in the wild. The culprit used social engineering to become a developer for a Minecraft server, which gave him access to the deployment process. He made a special kind of malware that would be undetected in manual and automatic tests, and only be implanted in the deployment process. He modified it in such a way that the source code looked clean upon inspection, manual tests didn't show any kind of suspicious activity, automatic tests didn't show any kind of suspicious activity either, and only the deployment process was exploited, which essentially implanted the malware right as it was compiled into a production-ready binary. That gave the culprit access to the internal systems and access to the console, and he could wreak havoc (and did). He was then arrested, but it showed a serious weakness in CI/CD systems and also how easily abusable and exploitable the human factor can really be.
In a world with Spectre and Rowhammer, CI/CD vulnerabilities seem almost prosaic in comparison. 😂
Yes, as someone who provides people with products (software), you should always be worried about security! It is good that everything gets ripped apart by security researchers so that we can learn from mistakes and improve. Imagine a company would produce and sell cars whose seat belts fail in the event of a crash...
Can't tell if you're joking or not haha. You definitely want people like John doing this type of work. Then you can make patches and keep getting paid (half joking), and not have your software involved with some public and embarrassing vulnerability or real-world security event.
Nice expression files open looking.
16:52 - I'm super confused what the vulnerability is here? The line above it looks like a secret token hardcoded in source lol but you highlighted a snippet of code that is just broadcasting the app on a specified port?
Thanks for posting
Nice topic.. I love it
I’m thinking about making a similar video but documentary format
There's a box named 'Jolly CI/CD' in the SANS Holiday Hack Challenge 2023 which is fun to do if you want to practice a bit.
John, what are your thoughts on Parrot Security OS vs Kali Linux?
Well, he uses Kali in some videos. I haven't seen him use Parrot before.
@Nordgaren yeah that is true. I was wondering because Parrot looks nicer design wise, and if I'm correct, it has tools, then what Kali has. I have a Kali Live USB, a Parrot VM, and a Raspberry Pi that I've been trying to decide what to run. The touchscreen that's on the Pi is giving me some issues working with both Parrot and Kali. I've also been thinking about setting up Kali Nethunter on an old phone.
@JordanFayter At that point, it depends on preference, I guess. I have a Kali VM with all the tools I need on it. Sure, it didn't come with as many as Parrot, but I have added to the existing tools on my VM.
If you are constantly making new VMs and Parrot comes pre-installed with a lot of tools you need, anyways, then that is probably the better choice. Personally, I think they are both good distros, but I prefer Kali as that is what I learned on.
Maybe John will see this and chip in what his preferences are! :)
So is the security issue that you run builds for pull requests without approval first? If you let someone check code into your repo - they know everything your code needs to know. Doesn't even need to be CI/CD pipeline.
I mean it's vulnerable on purpose. The lesson here is not to do that.
@VersaceBroccoli I get that. But the vulnerability isn't really made clear in the video. Anybody can hack your secrets if you let them commit code to your repo. I'm also guessing this is for open source projects because if you can't trust your developers not to try and hack you - no amount of hardening your system will save you.
I never used Jenkins, but from what I see, even after executing insecure code, you must access the Jenkins interface and be able to see the logs...
Amazing stuff, plus you sound like Seth Rogen, what more can you ask for?
NiCe!
That thumbnail gets more cursed the more I look at it.. o.0
I know I messed up and frankly I don't know how to apologize. I beg you to be considerate about this; how can one explain something like this? Thank you very much for all the good I've received. Such is the adventure of the internet.
Do I need a server to run Docker or can I use my laptop? Thanks ;-)
You can run Docker locally, yes.
Hey John, I just wanted to make a quick recommendation. I think you should make a Discord server.
He has one. Check the description of the video.
It's in the "Follow Me!" line
I need to lower the volume to minimum to understand what he says
Nice AI-generated thumbnail
Hey John sir
Shshhs, first one here. Thanks John
Is there a slight delay in the audio, compared to the video, or am I losing my mind? Look at his lips, while he talks and you will probably see it, too.
pwnd 👲
:)
I feel like he should be playing a guitar or something, at least sing some of the lines in his script.