Reverse Engineering and Exploiting Builds in the Cloud

Presented at Black Hat Europe 2019, Dec. 4, 2019, 3:40 p.m. (50 minutes)

Continuous Integration, Delivery, and Deployment (CI/CD) and Containers are common terms in today’s IT landscapes and core approaches for modern software development and operation. We will give a short, to-the-point introduction of CI/CD with regard to building containers for hackers, auditors, and everyone involved in the SDLC process. Based on this understanding, we will describe and demo various security pitfalls of multi-tenant cloud build environments which provide Container based build environments. The demos presented are based on real-world examples that were identified during the assessment of various Cloud container build systems. Several new and lesser-known attack vectors and their associated remediations will be covered.


  • Matthias Luft - Platform Security Engineer, Salesforce Heroku
    Matthias Luft is a Platform Security Engineer at Salesforce Heroku. After more than 10 years in IT Security, he is still excited about a broad range of topics (from hypervisor security to IT security management) and has presented on them on various occasions. Currently, he works on container and cloud security topics.
  • Chris Le Roy - Platform Security Engineer, Salesforce Heroku
    Chris Le Roy is a security researcher based in London and is currently attempting to solve interesting engineering problems at Salesforce Heroku. When he is not trying to bash code and clouds into submission, he is often building tools that help him break things. In his spare time, Chris likes dabbling in all things hacker related and if he were to pick his favourite animal, it would be a dog.
  • Etienne Stalmans - Platform Security Engineer, Salesforce Heroku
    Etienne Stalmans is a Platform Security Engineer at Salesforce Heroku, where he herds containers and other cloud infrastructure. He is also a security researcher with a keen interest in protocol reversing and finding ways to abuse functionality in everyday products. He completed a MSc in Network Security, focusing on Botnets and DNS. He has spoken at Botconf 2013, DEF CON 23, Troopers 17&19, EkoParty 2017, DevSecCon Boston 2018, and Brucon 2018, along with several academic conferences.


Similar Presentations: