AppSec USA 2017 has ended
Back To Schedule
Tuesday, September 19 • 9:00am - 5:00pm
Practical DevOps Security and Exploitation (1 of 2 days)

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.

Practical DevOps Security and Exploitation is a brand new and unique class by Attify. This class has been created as a result of our many pentest engagement experiences where we have exploited vulnerabilities in the various systems supporting CI/CD during DevOps transition of an organisation. The class covers hands-on techniques to both exploit as well as defend various systems that support the target CI/CD Architecture.

This class takes practitioner's approach in breaking, exploiting and securing systems owned by DevOps teams, thus enabling them to move towards DevSecOps. Some of the topics that we will cover are Exploiting Various tools from the CI/CD landscape like Jenkins, Git, Multiple Cloud instances, practical security issues in Docker instances and setting up your DevSecOps architecture.

This training covers different CI/CD tools with pentesters perspective and hence each tool will be covered as below:

  • Code Versioning Systems (Git, GitHub, Bitbucket etc.)
    • Exploiting the product features
    • Finding existing exploits or implementation loopholes
    • Identifying historically stored sensitive information
    • Hardening and Securing Guidelines
  • Orchestration Tools (Ansible, Saltstack etc.)
    • Exploiting the access rights and configuration mistakes
    • Use of Orchestration tools to mass deploy the exploits
    • Finding sensitive information
    • Guidelines to securely configure and organise the orchestration tools
  • Build Servers (Jenkins, Hudson etc.)
    • Pentesting and Vulnerability Assessment
    • Risk involved with Plugins
    • Exploiting most common configuration mistakes
    • Breaking the boundaries with superuser access rights
    • Scheduling vulnerability assessment reports for the CI/CD chain.
    • Guidelines to avoid security issues with integration of various CI/CD tools
  • Container Platform (Docker, Kubernetes etc.)
    • Pentesting and Vulnerability Assessment
    • Exploiting most common configuration mistakes
    • Guidelines with respect to microservices to avoid bloating containers with superuser access rights
  • Security in Cloud (AWS, Google Cloud etc.)
    • Configuration best practices for Identity & Access Management Portals
    • Planning right network architecture with use of VPC and VPN
    • Securing instances by running only the required services
    • Configuring instances at the boot time to remove unwanted softwares or upgrade to stable software versions with no known vulnerabilities.
    • Using access tokens and Cloud API’s to regularly rotate keys/passwords.

This is an action packed class with over 20+ labs covering a number of attacks, vulnerabilities and exploitation tactics.


  • Lab handouts with readymade scripts for use
  • Printed commands cheatsheet
  • VM for pentesting and securing DevOps instances with pre-configured tools and vulnerable labs

After the training, attendees would be able to:

  • Identifying vulnerabilities in the implementation of the CI/CD instances.
  • Find and craft publicly available exploits to compromise the CI instance
  • Address configuration related vulnerabilities
  • Abuse Jenkins script console   
  • Create an attack surface map of the entire architecture
  • Implement usage of password vaults.
  • Write build jobs which can enable privileged access to the target system and steal sensitive values
  • Abuse Git history and fix/preventing the problems using git hooks
  • Create scheduled validation scripts to enforce security best practices
  • Perform docker breakouts  
  • Audit different tools used in CI/CD chain
  • Guidelines for centralized authentication and authorization
  • Design secure cloud architectures

Minimum Requirements:

  • Laptop with Windows/Linux/MacOS pre-installed
  • 8 GB RAM
  • 40 GB of free disk space.
  • Modern CPU 2.2GHz or more with Virtualization support
  • Wifi Enabled for network access
  • 1 USB 2.0 port
  • Capability to run VirtualBox/VmWare virtual machines
  • Administrative rights on the laptop to install required software packages.



avatar for Amol Bhure

Amol Bhure

Security Researcher, Attify
Amol Bhure leads the Infrastructure Pentesting team at Attify. He has more than 5 years experience leading corporate pentests and has worked extensively on breaking CI systems, DevOps security, Log analysis and monitoring, and Mobile and Web Application Exploitation. He is also an... Read More →
avatar for Suraj Biyani

Suraj Biyani

Infrastructure Security Consultant, Attify
I have several years of experience with Integration of various tools. For last couple of years have been working at multiple small startups and established organisations to setup different CI/CD tools required to support DevOps transformation. Suggesting and implementing industry... Read More →

Tuesday September 19, 2017 9:00am - 5:00pm EDT