Daniel Krivelevich
51 posts

Daniel Krivelevich
@Dkrivelev
Entrepreneur, Investor, Advisor | 🇮🇱 | Co-Founder & CTO @ Cider Security
Joined September 2013
145 Following, 160 Followers

Term Shit -
When @YoavVilner and I decided to go deep into the topics that *really* matter in Israel's tech ecosystem.
Full video in the comments.
Hebrew

The new project from @YoavVilner and me.
After years of telling geek jokes underground, we decided to take it out into the open..
youtu.be/FoEIWp9MQg8

Geektime @geektimecoil
Israeli entrepreneurs tested how many puns about high-tech and technology can be crammed into one video geektime.co.il/israeli-entrep…
Hebrew

Daniel Krivelevich Retweeted

New research: How we abused repository webhooks to access internal CI systems at scale.
cidersecurity.io/blog/research/…
1/
English
Daniel Krivelevich Retweeted

⚠️ GitHub Org Identity Management Risks
When not using SSO
* User personal emails could be compromised
* IdP removal does not remove from GH org
Deactivating a user in the IdP prevents GitHub website auth; PATs & SSH keys still work
@omer_gil @yaronavital
cidersecurity.io/blog/research/…
English
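The two gaps named in the tweet above, an IdP removal that leaves the GitHub org membership in place, and PATs / SSH keys that stay SAML-authorized after the user is deactivated in the IdP, are both visible from the GitHub REST API and can be closed from there. The following audit is an added example written for this page; it is not code from the tweet, from Cider Security, or from GitHub. It assumes the record shapes documented for `GET /orgs/{org}/members` and `GET /orgs/{org}/credential-authorizations` (field names `login`, `credential_id`, `credential_type`, `token_last_eight`, `fingerprint`, `scopes`), and that `DELETE /orgs/{org}/credential-authorizations/{credential_id}` and `DELETE /orgs/{org}/members/{username}` revoke an authorization and remove a member; verify these against the current GitHub docs before relying on them. All data inline is constructed, and nothing is sent over the network.

```python
"""Audit a GitHub org for identity drift after IdP offboarding (added example)."""
from collections.abc import Iterable

API = "https://api.github.com"

# Constructed: the logins your IdP (Okta, Azure AD, ...) still reports as active.
ACTIVE_IDP_LOGINS = {"alice", "bob"}

# Constructed: trimmed GET /orgs/{org}/members response.
ORG_MEMBERS = [
    {"login": "alice", "id": 1},
    {"login": "bob", "id": 2},
    {"login": "carol", "id": 3},  # deactivated in the IdP, never removed from the org
]

# Constructed: trimmed GET /orgs/{org}/credential-authorizations response
# (field names per GitHub REST docs; assumption).
CREDENTIAL_AUTHORIZATIONS = [
    {"login": "alice", "credential_id": 101, "credential_type": "personal access token",
     "token_last_eight": "11aa22bb", "scopes": ["repo"],
     "credential_authorized_at": "2022-01-10T09:00:00Z"},
    {"login": "carol", "credential_id": 102, "credential_type": "personal access token",
     "token_last_eight": "33cc44dd", "scopes": ["repo", "workflow"],
     "credential_authorized_at": "2021-06-01T12:00:00Z"},
    {"login": "carol", "credential_id": 103, "credential_type": "SSH key",
     "fingerprint": "SHA256:constructed-fingerprint", "scopes": [],
     "credential_authorized_at": "2021-06-02T12:00:00Z"},
]


def stale_members(members: Iterable[dict], active_logins: set[str]) -> list[str]:
    """Org members whose login is no longer active in the IdP.

    Removing a user from the IdP does not remove the GitHub org membership,
    so the account (reachable through its personal email if there is no SSO
    enforcement) still holds whatever repo access it had.
    """
    return sorted(m["login"] for m in members if m["login"] not in active_logins)


def orphaned_credentials(auths: Iterable[dict], active_logins: set[str]) -> list[dict]:
    """SAML-authorized PATs / SSH keys that belong to non-active IdP users.

    Deactivating the user in the IdP stops browser SSO, but an already
    authorized token or key keeps working until it is revoked on GitHub.
    """
    return [a for a in auths if a["login"] not in active_logins]


def revocation_plan(org: str, orphaned: Iterable[dict], stale: Iterable[str]) -> list[tuple[str, str]]:
    """(method, URL) pairs that close both gaps. Nothing is sent here."""
    plan = [("DELETE", f"{API}/orgs/{org}/credential-authorizations/{a['credential_id']}")
            for a in orphaned]
    plan += [("DELETE", f"{API}/orgs/{org}/members/{login}") for login in stale]
    return plan


def run_audit(org: str) -> dict:
    stale = stale_members(ORG_MEMBERS, ACTIVE_IDP_LOGINS)
    orphaned = orphaned_credentials(CREDENTIAL_AUTHORIZATIONS, ACTIVE_IDP_LOGINS)
    return {"stale_members": stale, "orphaned_credentials": orphaned,
            "plan": revocation_plan(org, orphaned, stale)}


if __name__ == "__main__":
    result = run_audit("example-org")  # "example-org" is a placeholder
    for login in result["stale_members"]:
        print(f"stale org member (not active in IdP): {login}")
    for a in result["orphaned_credentials"]:
        ident = a.get("token_last_eight") or a.get("fingerprint")
        print(f"orphaned {a['credential_type']} for {a['login']}: ...{ident} scopes={a['scopes']}")
    for method, url in result["plan"]:
        print(method, url)
```

Run it against real data by replacing the three constructed lists with an IdP export and the two API responses; a token with admin:org scope is needed for the credential-authorizations endpoint. Removing the member first also invalidates their org-scoped access, but revoking the individual authorizations is worth doing explicitly so that a later re-invite does not silently resurrect old tokens.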
Daniel Krivelevich รีทวีตแล้ว

🛡️ CI/CD Credential Hygiene
@TupleType examines 3 common issues:
1. Unrotated static credentials
2. Overly accessible credentials
3. Credentials exposed in console logs
And strengths/weaknesses of:
* Jenkins
* GitHub Actions
* CircleCI
* GitLab CI/CD
cidersecurity.io/blog/research/…
English
Daniel Krivelevich รีทวีตแล้ว

This doesn't push my agenda of hating on Jankins but it's a good in-depth analysis of a few CI tools and how they handle creds.
cidersecurity.io/blog/research/…
English
Daniel Krivelevich รีทวีตแล้ว

Great blog post by @TupleType about credential hygiene risks in engineering environments, with comparison of the different security solutions offered by the main vendors - GitHub Actions, CircleCI, Jenkins and GitLab CI/CD.
cidersecurity.io/blog/research/…
English
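Of the three issues listed in the credential-hygiene thread above, the third, credentials exposed in console logs, is the one a team can start checking today without touching the CI system. The scanner below is an added example written for this page, not code from the thread, from @TupleType's post, or from any CI vendor. It runs a few well-known token shapes over build output and also looks for the configured secret values in encoded forms, because log masking in CI systems generally matches the literal secret string, so a value that reaches the log base64- or URL-encoded is printed in the clear. The log lines and the secret value are constructed; the AWS key is AWS's documented example key, and the GitHub token is a made-up string in the `ghp_` classic-token shape.

```python
"""Scan CI console logs for leaked credentials (added example)."""
import base64
import re
import urllib.parse

# Token shapes worth flagging on sight. Extend for your own providers.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "basic_auth_in_url": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I),
    "bearer_header": re.compile(r"Authorization:\s*Bearer\s+\S+", re.I),
    # key=value style; the lookahead skips values the CI already masked as ***
    "password_assignment": re.compile(
        r"(password|passwd|secret|token)\s*[=:]\s*(?!\*+(?:\s|$))\S+", re.I),
}

# Constructed: the secret values the pipeline is configured with.
KNOWN_SECRETS = {"DB_PASSWORD": "s3cr3t-Pa55!"}

# Constructed build log. Line 5 shows CI-side masking working; line 6 shows it bypassed.
CONSTRUCTED_LOG = [
    "[INFO] Checking out main",
    "[INFO] export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "[DEBUG] curl -H 'Authorization: Bearer ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8' https://api.github.com/user",
    "[INFO] git clone https://deploy:hunter2@git.example.com/app.git",
    "[INFO] DB_PASSWORD=***",
    "[DEBUG] creds=" + base64.b64encode(b"s3cr3t-Pa55!").decode(),
    "[INFO] Build finished",
]


def transformed_forms(secret: str) -> dict[str, str]:
    """Encodings a secret commonly acquires on its way into a log."""
    return {
        "literal": secret,
        "base64": base64.b64encode(secret.encode()).decode(),
        "urlencoded": urllib.parse.quote(secret, safe=""),
    }


def scan_line(line: str, known_secrets: dict[str, str]) -> list[tuple[str, str]]:
    """Return (finding_kind, matched_text) pairs for one log line."""
    findings: list[tuple[str, str]] = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(line):
            findings.append((kind, m.group(0)))
    for name, value in known_secrets.items():
        for form, needle in transformed_forms(value).items():
            if needle in line:
                findings.append((f"known_secret:{name}:{form}", needle))
    return findings


def scan_log(lines: list[str], known_secrets: dict[str, str]) -> list[tuple[int, str, str]]:
    """(line_number, finding_kind, matched_text) for a whole log."""
    out = []
    for n, line in enumerate(lines, 1):
        for kind, text in scan_line(line, known_secrets):
            out.append((n, kind, text))
    return out


def redact_line(line: str, known_secrets: dict[str, str]) -> str:
    """Replace every finding with a marker before the line is stored or shared."""
    for _, text in scan_line(line, known_secrets):
        line = line.replace(text, "[REDACTED]")
    return line


if __name__ == "__main__":
    for n, kind, text in scan_log(CONSTRUCTED_LOG, KNOWN_SECRETS):
        print(f"line {n}: {kind}: {text}")
    print(redact_line(CONSTRUCTED_LOG[2], KNOWN_SECRETS))
```

Feed it real logs with something like `scan_log(open(path).read().splitlines(), secrets)`, where `secrets` comes from the same store the pipeline reads. A finding of the `known_secret:...:base64` kind is the one to act on first: it means a step deliberately or accidentally encoded a secret before printing it, which is exactly the case the platform's masking will not catch, and the credential should be rotated rather than just the log scrubbed.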
Daniel Krivelevich รีทวีตแล้ว

. @Owasp_DevSlop is going live tomorrow with Omer Gil & Daniel Krivelevich from @cider_sec to discuss the "Top 10 CI/CD Security Risks" initiative.
SET YOUR REMINDER! ⏰ youtu.be/i1SO8AH4AxI
Episode sponsor: @datadoghq

English
Daniel Krivelevich รีทวีตแล้ว

I re-read the CI/CD Top 10 and would like to introduce their new term: PBAC (Pipeline-Based Access Controls). Source code management like GitHub and CI/CD have different security aspects for each branch and step. [🧵1/2] cidersecurity.io/top-10-cicd-se… #Top10CICD
English
Daniel Krivelevich รีทวีตแล้ว

We are airing our eighth and final episode of Season 3. This season is dedicated to #applicationsecurity, and our guest for the show is @Dkrivelev, Co-Founder and CTO of @cider_sec
security-architecture.org/episodes/s03e0…
English

Looking forward to some fruitful followup collaborations with the industry on this
#Top10CICD
English

@omer_gil and I were really fortunate to collaborate with such an amazing group on this one:
@iiamit
@claudijd
@_mwc
@travismcpeak
@tysbano
@astha_singhal
@rung
@TupleType

English

The "CI/CD Top 10 Risks" project is out!
Amazing effort together with some of the best of the industry's AppSec experts 👇
cidersecurity.io/top-10-cicd-se…

English
Daniel Krivelevich รีทวีตแล้ว

🗡️ Exploiting Jenkins build authorization
Jenkins default settings assign every build to "run as SYSTEM" 😱
To harden, use the “Authorize Project” and “Role-Based Authorization Strategy” plugins
By @TupleType
medium.com/cider-sec/expl…
English
Daniel Krivelevich รีทวีตแล้ว

Exploiting Jenkins build authorization.
A default configuration we often see unchanged in production environments causes all jobs to run with the highest privileges
medium.com/cider-sec/expl…
English
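The two Jenkins tweets above describe the same default: a job with no build authorization configured runs as SYSTEM, the internal identity that every permission check passes. The audit below is an added example written for this page, not code from the post, from Cider Security, or from the Authorize Project plugin. It reads job `config.xml` files (from `$JENKINS_HOME/jobs/<name>/config.xml` or `GET /job/<name>/config.xml`) and reports the identity each build will run under. Its assumption, taken from the XML the plugin writes, is that Authorize Project stores its setting as a job property with tag `org.jenkinsci.plugins.authorizeproject.AuthorizeProjectProperty` whose `<strategy class="...">` names one of the plugin's strategy classes; check this against a job you configured by hand before trusting the result. The `config.xml` samples are constructed.

```python
"""Report which Jenkins jobs will run as SYSTEM (added example)."""
import xml.etree.ElementTree as ET

# Tag and class prefix written by the Authorize Project plugin (assumption; verify
# against a real job config.xml).
AUTHORIZE_PROPERTY = "org.jenkinsci.plugins.authorizeproject.AuthorizeProjectProperty"
STRATEGY_PREFIX = "org.jenkinsci.plugins.authorizeproject.strategy."

# Constructed config.xml fragments, keyed by job name.
JOBS = {
    # No Authorize Project property at all: the Jenkins default applies.
    "legacy-deploy": """<project>
  <properties/>
  <builders><hudson.tasks.Shell><command>./deploy.sh</command></hudson.tasks.Shell></builders>
</project>""",
    "ci-build": f"""<project>
  <properties>
    <{AUTHORIZE_PROPERTY}>
      <strategy class="{STRATEGY_PREFIX}SpecificUsersAuthorizationStrategy">
        <userid>ci-bot</userid>
      </strategy>
    </{AUTHORIZE_PROPERTY}>
  </properties>
</project>""",
    "pr-tests": f"""<project>
  <properties>
    <{AUTHORIZE_PROPERTY}>
      <strategy class="{STRATEGY_PREFIX}TriggeringUsersAuthorizationStrategy"/>
    </{AUTHORIZE_PROPERTY}>
  </properties>
</project>""",
    # Someone opted in to SYSTEM explicitly; still worth a review.
    "admin-task": f"""<project>
  <properties>
    <{AUTHORIZE_PROPERTY}>
      <strategy class="{STRATEGY_PREFIX}SystemAuthorizationStrategy"/>
    </{AUTHORIZE_PROPERTY}>
  </properties>
</project>""",
}


def run_as(config_xml: str) -> str:
    """Describe the identity a job's builds run under, from its config.xml."""
    root = ET.fromstring(config_xml)
    props = root.find("properties")
    # Tags contain dots, so compare child.tag directly rather than using an XPath.
    prop = None
    if props is not None:
        prop = next((c for c in props if c.tag == AUTHORIZE_PROPERTY), None)
    if prop is None:
        return "SYSTEM (default: no Authorize Project property)"
    strategy = prop.find("strategy")
    cls = strategy.get("class", "") if strategy is not None else ""
    name = cls.removeprefix(STRATEGY_PREFIX)
    if name == "SpecificUsersAuthorizationStrategy":
        return f"user {strategy.findtext('userid', default='?')}"
    if name == "TriggeringUsersAuthorizationStrategy":
        return "triggering user"
    if name == "AnonymousAuthorizationStrategy":
        return "anonymous"
    if name == "SystemAuthorizationStrategy":
        return "SYSTEM (explicit)"
    return f"unknown strategy {cls or '(none)'}"


def audit(jobs: dict[str, str]) -> dict[str, str]:
    return {name: run_as(xml) for name, xml in jobs.items()}


def jobs_running_as_system(jobs: dict[str, str]) -> list[str]:
    """Job names whose builds would run with SYSTEM privileges."""
    return sorted(name for name, who in audit(jobs).items() if who.startswith("SYSTEM"))


if __name__ == "__main__":
    for name, who in audit(JOBS).items():
        print(f"{name}: runs as {who}")
    print("needs attention:", jobs_running_as_system(JOBS))
```

Two caveats when using this on a real controller. First, the per-job property only takes effect once the plugin's authenticator is enabled in Configure Global Security (Access Control for Builds); a job that reads as "user ci-bot" here still runs as SYSTEM if that global switch was never turned on, so check it as well. Second, `SpecificUsersAuthorizationStrategy` is only a hardening step if the named user is a real low-privilege account under the Role-Based Authorization Strategy the post recommends; running every job as a user who happens to be an administrator recreates the same problem under a different name.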

