Olivia
Online
Daniel Krivelevich
@Dkrivelev
Entrepreneur, Investor, Advisor | ๐ฎ๐ฑ | Co-Founder & CTO @ Cider Security
Joined September 2013
145 Following
156 Followers
51 Posts
https://t.co/mI1yO4ysOb - Term Shit - ืืกืจื ืืืื
Term Shit -
ืืฉ- @YoavVilner ืืื ื ืืืืื ื ืืืืื ืก ืืขืืืง ืฉื ืื ืืฉืืื ืืืฉืืืื *ืืืืช* ืืืงืืกืืกืื ืฉื ืืืง ืืืฉืจืื.
ืืกืจืืื ืืืื ืืชืืืืืช.
ืืคืจืืืงื ืืืืฉ ืฉื @YoavVilner ืืฉืื
ืืืจื ืฉื ืื ืฉืืื ืกืืคืจื ื ืืืืืืช ืฉื ืืืงืื ืืืืชืจืช, ืืืืื ื ืืฆืืช ืขื ืื ืืืืฆื..
https://t.co/3JCUWqCqNL
ืืืืื ืืฉืจืืืืื ืืืงื ืืื ืืฉืืงื ืืืืื ืขื ืืืืืง ืืืื ืืืืืื ืืคืฉืจ ืืืืืก ืืกืจืืื ืืื
https://t.co/kNJV6WraUs
ืืืืื ืืฉืจืืืืื ืืืงื ืืื ืืฉืืงื ืืืืื ืขื ืืืืืง ืืืื ืืืืืื ืืคืฉืจ ืืืืืก ืืกืจืืื ืืื
https://t.co/kNJV6WraUs
1/13 ืืฉืื ืื ื ื ืืืงืื ืขื ืืืื ืช ืจืื ืืืฉ ืื ืคืืืืกืืืืฉื, ืืชืืจืืฅ ืขื ืดืืขืืืช ืืฉืจืฉืจืช ืืืกืคืงืืด ื ืืจืง ืืืืืจ. ืืื ืกืืืืจ ืฉืืข ืืช ืืชืืจืืฅ ืืจืฅ ืืืงืื ืืืจื. ืืงืจื ืืขืืืก ืขื ืืื ืช ืกืืืืจ ืืฉืจืฉืจืช ืืืกืคืงื๐ฅ
New research: How we abused repository webhooks to access internal CI systems at scale.
https://t.co/YLdFQDzmSb
1/
Playing with some PPE attack vectors in my CI/CD env ๐
โ ๏ธ GitHub Org Identity Management Risks
When not using SSO
* User personal emails could be compromised
* IdP removal does not remove from GH org
Deactivating user in IdP prevents GitHub website auth- PATs & SSH keys still work
@omer_gil @yaronavital
https://t.co/IaaeVUuofn
๐ก๏ธ CI/CD Credential Hygiene
@TupleType examines 3 common issues:
1. Unrotated static credentials
2. Overly accessible credentials
3. Credentials exposed in console logs
And strengths/weaknesses of:
* Jenkins
* GitHub Actions
* CircleCI
* GitLab CI/CD
https://t.co/HiZu5wKUGU
This doesn't push my agenda of hating on Jankins but it's a good in-depth analysis of a few CI tools and how they handle creds.
https://t.co/OEoOZiYjO4
Great blog post by @TupleType about credential hygiene risks in engineering environments, with comparison of the different security solutions offered by the main vendors - GitHub Actions, CircleCI, Jenkins and GitLab CI/CD.
https://t.co/s0Q21aqdFr
. @Owasp_DevSlop is going live tomorrow with Omer Gil & Daniel Krivelevich from @cider_sec to discuss the "Top 10 CI/CD Security Risks" initiative.
SET YOUR REMINDER! โฐ https://t.co/6vRSg9ILYf
Episode sponsor: @datadoghq
I re-read CI/CD top10, I would like to introduce their new term. It's the PBAC(Pipeline-Based Access Controls). Source code management like GitHub and CI/CD has different security aspects to each branch and step. [๐งต1/2] https://t.co/T5fGLqM2Qj #Top10CICD
We are airing our eighth and final Episode in Season 3, this season is dedicated to #applicationsecurity, our guest for the show is @Dkrivelev Co-Founder and CTO of @cider_sec
https://t.co/ih0p36ZOEM
Looking forward to some fruitful followup collaborations with the industry on this
#Top10CICD
The "CI/CD Top 10 Risks" project is out!
Amazing effort together with some of best of the industry's AppSec experts ๐
https://t.co/tVN8mRJfOA
@omer_gil and I are were really fortunate to collaborate with such an amazing group on this one:
@iiamit
@claudijd
@_mwc
@travismcpeak
@tysbano
@astha_singhal
@rung
@TupleType
๐ก๏ธ Exploiting Jenkins build authorization
Jenkins default settings assign every build to โrun as SYSTEM" ๐ฑ
To harden, use the โAuthorize Projectโ and โRole-Based Authorization Strategyโ plugins
By @TupleType
https://t.co/cjo7NxX9Te
Exploiting Jenkins build authorization.
A default configuration we often see unchanged in production environments causes all jobs to run with the highest privileges
https://t.co/rxUcE0ix5T
Last Seen Users on Sotwe
เธเธเธดเธเธดเธ
Seen from United States
melamekl
Seen from Indonesia
Analiz Boscan
Seen from Venezuela
alqoshi
BOT DAM โ๏ธโฌ๏ธโฌ๏ธ
Seen from Vietnam
matden
Seen from Malaysia
Tobrut
Seen from Indonesia
KOLEKSI INDO
Seen from Indonesia
hidecyborg
Seen from Japan
pornox
Seen from Netherlands
Most Popular Users
Elon Musk 
@elonmusk
240.1M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
108.7M followers
Narendra Modi
@narendramodi
106.9M followers
Rihanna
@rihanna
97.2M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.5M followers
KATY PERRY
@katyperry
86.7M followers
Taylor Swift
@taylorswift13
80.5M followers
Lady Gaga
@ladygaga
72.1M followers
Kim Kardashian
@kimkardashian
69.3M followers
YouTube
@youtube
68.6M followers
Virat Kohli
@imvkohli
68.4M followers
Bill Gates
@billgates
63.4M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
60.9M followers
X
@x
60.9M followers
CNN Breaking News
@cnnbrk
59.9M followers