Raunak Parmar - Attacking & Securing CI/CD Pipeline Certification (ASCPC) by White Knight Labs - DCTLV2025

Name of Training: Attacking & Securing CI/CD Pipeline Certification (ASCPC) by White Knight Labs
Trainer(s): Raunak Parmar
Dates: August 11-12, 2025
Time: 8:00 am to 5:00 pm PT
Venue: Las Vegas Convention Center
Cost: $2,000 

Course Description: 

The Attacking and Securing CI/CD course is an on-demand and self-paced program designed to equip participants with the knowledge and skills to identify vulnerabilities and implement security measures within Continuous Integration and Continuous Deployment (CI/CD) pipelines. This course combines theoretical knowledge with practical, hands-on labs that simulate real-world scenarios in a CI/CD environment.

Course Outline: 

The Attacking and Securing CI/CD course covers the following key areas:

  • CI/CD Overview: Pipeline security, GitHub Actions and security

  • Hijacking Techniques: content script injection, issue comment injection, self-hosted runners

  • Artifact Handling: leaking secrets via uploads and poisoning artifacts

  • Abusing race conditions

  • Bypassing branch protections

  • Abusing OIDC misconfigurations

  • Dependabot auto-merge vulnerabilities

  • AWS CodeBuild Abuse and Best Practices

  • GitHub Actions Best Practices

  • Azure DevOps

Difficulty Level:

Intermediate/advanced

Suggested Prerequisites:

  • Scripting: Familiarity with scripting languages such as Python and Bash
  • Prerequisite knowledge: A background in CI/CD processes, DevSecOps practices, and a basic understanding of cybersecurity principles is recommended. Familiarity with scripting and automation in CI/CD environments will be beneficial.

What Students Should Bring: 

  • Resources: 2 GitHub accounts, an AWS environment, Docker installed on host system

  • Hardware requirements: Admin access to your host system and cloud

Trainer(s) Bio:

Raunak Parmar works as a senior cloud security engineer at White Knight Labs. His areas of interest include web penetration testing, Azure/AWS security, source code review, scripting, and development. He enjoys researching new attack methodologies and creating open-source tools that can be used during cloud red team activities. He has worked extensively on Azure and AWS and is the author of Vajra, an offensive cloud security tool. He has spoken at multiple respected security conferences, including Black Hat, DEF CON, Nullcon, and RootCon, as well as at local meetups.

Registration Terms and Conditions: 

Trainings are refundable before July 8, 2025, minus a non-refundable processing fee of $250.

Trainings are non-refundable after July 8, 2025.

Training tickets may be transferred. Please email us at training@defcon.org for specifics.

If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).

Failure to attend the training without prior written notification will be considered a no-show. No refund will be given.

By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.

Several breaks will be included throughout the day. Please note that food is not included.

All courses come with a certificate of completion, contingent upon attendance at all course sessions.

$1,800.00
$2,000.00