[Networking] CI/CD on version management software like GitHub and automatically deploying code to a variety of environments.

<aside> 💡 CI - Continuous Integration [software code is kept in a repo like GitHub; all changes are stored in this repo to avoid different versions of the same code]

</aside>

<aside> 💡 CD - Continuous Delivery/Deployment [the step that follows CI; code is then automatically deployed to test, pre-production, or production environments]

</aside>

<aside> 💡 CI/CD is a set of practices that are put in place to enable development teams to make changes, test their code, and deploy the application more reliably. It is a continuous process or loop that includes the steps of the software development process.

</aside>

<aside> 💡 Risks that come with CI/CD:

Access security - the increasing number of integration points can make access management difficult.

Permissions - components are connected with each other and perform their tasks with user accounts.

Keys and secrets - many integrations are done with keys (API keys, ID keys, etc.) or secrets that need to be secured.

User security - user components are a successful attack vector. Any user who has access to the source code repository could include a malicious component in the codebase, which could then be included in the deployed application.

Default configuration - some platforms are known to have default credentials and vulnerabilities.

</aside>

<aside> 💡 The main causes of vulnerabilities are improper access management, lax account privileges, or logic flaws. Infrastructure managed by cloud providers like Azure, AWS, and GCP rarely has a critical vulnerability left unpatched.

</aside>

<aside> 💡 This room has examples based on: folder permissions that were too lax, file permissions that were misconfigured, improper key protection, and an installation that was not secure (cron jobs were regularly running) [a cron job is a Linux command used for scheduling tasks to be executed sometime in the future].

</aside>
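
A defender-side check for the misconfiguration classes listed above (lax folder permissions, misconfigured file permissions, unprotected keys, regularly running cron jobs), added here as an example and not taken from the room. It assumes `/etc/crontab`-style lines with a user field; the function names, sample tree and crontab are constructed for illustration.

```python
import os
import stat
import tempfile

def cron_script_paths(crontab_text):
    """Absolute paths named in system-crontab jobs (min hour dom mon dow user command)."""
    paths = []
    for line in crontab_text.splitlines():
        fields = line.split(None, 6)
        # Only full job lines count: skip comments, VAR=value lines and short lines.
        if len(fields) == 7 and not fields[0].startswith("#") and "=" not in fields[0]:
            paths += [tok for tok in fields[6].split() if tok.startswith("/")]
    return paths

def audit(crontab_text, key_paths=()):
    """Return (path, problem) pairs for lax permissions on cron scripts and keys."""
    findings = []
    for script in cron_script_paths(crontab_text):
        for target, kind in ((script, "file"), (os.path.dirname(script), "folder")):
            if os.path.exists(target) and os.stat(target).st_mode & stat.S_IWOTH:
                findings.append((target, f"world-writable {kind} run by cron"))
    for key in key_paths:
        # Keys and secrets should be owner-only (0600 or stricter).
        if os.path.exists(key) and os.stat(key).st_mode & 0o077:
            findings.append((key, "key readable or writable by group/other"))
    return findings

def build_demo_tree():
    """Constructed sample: a lax folder, a lax script, an exposed key, a safe key."""
    root = tempfile.mkdtemp()
    layout = {  # relative path -> (folder mode, file mode)
        "deploy/backup.sh": (0o777, 0o755),  # folder too lax
        "ci/build.sh": (0o755, 0o777),       # file too lax
        "keys/id_rsa": (0o755, 0o644),       # key exposed to other users
        "vault/api.key": (0o700, 0o600),     # correctly protected
    }
    for rel, (dir_mode, file_mode) in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path))
        open(path, "w").close()
        os.chmod(path, file_mode)
        os.chmod(os.path.dirname(path), dir_mode)
    crontab = (f"PATH=/usr/bin:/bin\n"
               f"*/5 * * * * root {root}/deploy/backup.sh\n"
               f"0 2 * * * root /bin/sh {root}/ci/build.sh\n")
    keys = [os.path.join(root, k) for k in ("keys/id_rsa", "vault/api.key")]
    return root, crontab, keys

if __name__ == "__main__":
    _, tab, keys = build_demo_tree()
    print(*audit(tab, keys), sep="\n")
```
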

Questions ➖

1 - dirb

2 - enumeration

3 - change contents of loot.txt to etc/shadow

4 - change contents of loot.txt again