Presented at AppSec USA 2017, Sept. 19, 2017, 9 a.m. (480 minutes).
Practical DevOps Security and Exploitation is a new class by Attify. It grew out of many pentest engagements in which we exploited vulnerabilities in the systems that support CI/CD during an organisation's DevOps transition. The class covers hands-on techniques both to exploit and to defend the systems that make up a target CI/CD architecture.
The class takes a practitioner's approach to breaking, exploiting and securing systems owned by DevOps teams, enabling those teams to move towards DevSecOps. Topics include exploiting tools from the CI/CD landscape such as Jenkins, Git and cloud instances across multiple providers, practical security issues in Docker instances, and setting up your own DevSecOps architecture.
The training covers the different CI/CD tools from a pentester's perspective, and each tool is covered as follows:
Code Versioning Systems (Git, GitHub, Bitbucket etc.)
Exploiting the product features
Finding existing exploits or implementation loopholes
Identifying sensitive information stored in repository history
Hardening and Securing Guidelines
Orchestration Tools (Ansible, Saltstack etc.)
Exploiting the access rights and configuration mistakes
Using orchestration tools to mass-deploy exploits
Finding sensitive information
Guidelines for securely configuring and organising orchestration tools
Build Servers (Jenkins, Hudson etc.)
Pentesting and Vulnerability Assessment
Risks introduced by plugins
Exploiting most common configuration mistakes
Breaking boundaries using superuser access rights
Scheduling vulnerability assessment reports for the CI/CD chain.
Guidelines for avoiding security issues when integrating the various CI/CD tools
Container Platform (Docker, Kubernetes etc.)
Pentesting and Vulnerability Assessment
Exploiting most common configuration mistakes
Microservice guidelines for avoiding containers that run with superuser access rights
Security in Cloud (AWS, Google Cloud etc.)
Configuration best practices for Identity & Access Management Portals
Planning right network architecture with use of VPC and VPN
Securing instances by running only the required services
Configuring instances at boot time to remove unwanted software or upgrade to stable versions with no known vulnerabilities
Using access tokens and cloud APIs to rotate keys and passwords regularly
This is an action-packed class with more than 20 labs covering a range of attacks, vulnerabilities and exploitation tactics.
Deliverables:
Lab handouts with ready-made scripts
Printed commands cheatsheet
VM for pentesting and securing DevOps instances with pre-configured tools and vulnerable labs
After the training, attendees will be able to:
Identify vulnerabilities in the implementation of CI/CD instances
Find and adapt publicly available exploits to compromise a CI instance
Address configuration related vulnerabilities
Abuse Jenkins script console
Create an attack surface map of the entire architecture
Implement password vaults
Write build jobs that obtain privileged access to the target system and steal sensitive values
Abuse Git history, and fix or prevent the underlying problems using Git hooks
Create scheduled validation scripts to enforce security best practices
Perform Docker breakouts
Audit different tools used in CI/CD chain
Apply guidelines for centralized authentication and authorization
Design secure cloud architectures
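As an added example, not part of the training materials or of Attify's own scripts: a POSIX shell pre-commit hook that refuses to commit lines matching common secret patterns, plus a history scan (`--history`) over `git log -p --all` that flags credentials by the commit that introduced them. Scanning added lines across all refs is what matters here, because a secret deleted in a later commit is still live until it is rotated. The regular expressions, the file name and the sample lines are assumptions of mine; install the hook by copying the file to `.git/hooks/pre-commit` and making it executable.

```shell
#!/bin/sh
# Added example, not from the training: a git pre-commit hook that refuses to
# commit lines matching common secret patterns, plus a history scan that finds
# secrets committed earlier (even if later removed). The regexes below are an
# assumed starting set, not an exhaustive list.

# scan_secrets: read text on stdin, print matching lines with line numbers,
# return 1 if anything matched, 0 otherwise.
scan_secrets() {
    input=$(cat)
    found=0
    q="'"
    # Case-sensitive patterns: AWS access key IDs and PEM private-key headers.
    hits=$(printf '%s\n' "$input" | grep -E -n \
        -e 'AKIA[0-9A-Z]{16}' \
        -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----') && { printf '%s\n' "$hits"; found=1; }
    # Case-insensitive: credential-like names assigned a quoted value of 8+ chars.
    hits=$(printf '%s\n' "$input" | grep -E -i -n \
        -e "(password|passwd|secret|api[_-]?key|token)[[:space:]]*[=:][[:space:]]*[\"$q][^\"$q]{8,}[\"$q]") \
        && { printf '%s\n' "$hits"; found=1; }
    [ "$found" -eq 0 ]
}

# added_lines: keep only the '+' lines of a unified diff read from stdin,
# without the '+' marker and without the '+++ b/file' header.
added_lines() {
    grep -E '^[+][^+]' | cut -c2-
}

# Run as .git/hooks/pre-commit: scan only what is staged, abort on a hit.
hook_main() {
    if git diff --cached -U0 --no-color | added_lines | scan_secrets; then
        exit 0
    fi
    echo "pre-commit: possible secret in staged changes; commit aborted" >&2
    echo "           (git commit --no-verify bypasses this check; prefer fixing the code)" >&2
    exit 1
}

# Run as 'sh secretscan.sh --history' inside a repository: walk every commit on
# every ref and report secrets by the line that introduced them.
scan_history() {
    git log -p --all --no-color | added_lines | scan_secrets
}

case "${0##*/}" in
    pre-commit) hook_main ;;
esac
if [ "${1:-}" = "--history" ]; then
    scan_history
fi
```

`git commit --no-verify` skips client-side hooks, so treat the hook as a developer convenience and run the same scan server-side (a pre-receive hook or a CI job) where it cannot be bypassed; any secret the history scan finds has to be rotated, not just deleted from the tree.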
Minimum Requirements:
Laptop with Windows/Linux/MacOS pre-installed
8 GB RAM
40 GB of free disk space.
Modern CPU 2.2GHz or more with Virtualization support
Wi-Fi enabled for network access
1 USB 2.0 port
Capability to run VirtualBox/VMware virtual machines
Administrative rights on the laptop to install required software packages.
Presenters:
-
Suraj Biyani
- Infrastructure Security Consultant - Attify
I have several years of experience with the integration of various tools. For the last couple of years I have been working at multiple small startups and established organisations to set up the different CI/CD tools required to support DevOps transformation. Suggesting and implementing industry best practices to securely deploy and integrate these tools has been one of the key parts of my role.
-
Amol Bhure
- Security Researcher - Attify
Amol Bhure leads the Infrastructure Pentesting team at Attify. He has more than 5 years of experience leading corporate pentests and has worked extensively on breaking CI systems, DevOps security, log analysis and monitoring, and mobile and web application exploitation.
He is also the author of an upcoming book, "The DevOps Exploitation Guide - a Hackers Handbook".
In his previous roles, he has worked on building web applications and backend systems, before moving to a security role.