AppSec USA 2017
Cancun
Tuesday, September 19
 

9:00am EDT

Practical DevOps Security and Exploitation (1 of 2 days)

Practical DevOps Security and Exploitation is a new class by Attify. It grew out of our many pentest engagements in which we exploited vulnerabilities in the systems that support CI/CD during an organisation's DevOps transition. The class covers hands-on techniques to both exploit and defend the systems that make up the target CI/CD architecture.

This class takes a practitioner's approach to breaking, exploiting and securing systems owned by DevOps teams, enabling those teams to move towards DevSecOps. Topics include exploiting tools from the CI/CD landscape such as Jenkins, Git and multiple cloud platforms, practical security issues in Docker instances, and setting up your DevSecOps architecture.

The training covers each CI/CD tool from a pentester's perspective, as follows:

  • Version Control Systems (Git, GitHub, Bitbucket etc.)
    • Exploiting product features
    • Finding existing exploits or implementation loopholes
    • Identifying sensitive information stored in history
    • Hardening and securing guidelines
  • Orchestration Tools (Ansible, SaltStack etc.)
    • Exploiting access rights and configuration mistakes
    • Using orchestration tools to mass-deploy exploits
    • Finding sensitive information
    • Guidelines to securely configure and organise orchestration tools
  • Build Servers (Jenkins, Hudson etc.)
    • Pentesting and vulnerability assessment
    • Risks introduced by plugins
    • Exploiting the most common configuration mistakes
    • Breaking boundaries with superuser access rights
    • Scheduling vulnerability assessment reports for the CI/CD chain
    • Guidelines to avoid security issues when integrating CI/CD tools
  • Container Platforms (Docker, Kubernetes etc.)
    • Pentesting and vulnerability assessment
    • Exploiting the most common configuration mistakes
    • Guidelines for microservices that avoid bloated containers running with superuser access rights
  • Security in the Cloud (AWS, Google Cloud etc.)
    • Configuration best practices for Identity & Access Management
    • Planning the right network architecture with VPCs and VPNs
    • Securing instances by running only the required services
    • Configuring instances at boot time to remove unwanted software or upgrade to stable versions with no known vulnerabilities
    • Using access tokens and cloud APIs to rotate keys and passwords regularly
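The Git items above (finding sensitive information stored in history, and keeping new secrets out) come down to one scanner run in two places. The following is an added example written for this page, not course material from Attify: a Python scanner over unified-diff text. Piped the output of `git log -p --all` it audits existing history; run with `--staged` from `.git/hooks/pre-commit` it blocks a commit before the secret lands. The regex set, the 4.0-bit entropy threshold and the sample diff are my assumptions and constructions; the key pair in the sample is AWS's own documented example pair, not a live credential.

```python
"""Scan unified-diff text for secrets that should never enter Git history.

Added example for this page, not Attify's lab code. PATTERNS is a starting set of
well-known credential shapes; the entropy fallback catches opaque tokens the regexes
miss. SAMPLE_DIFF is constructed and uses the AWS documentation example key pair.
"""
import math
import re
import subprocess
import sys
from collections import Counter

PATTERNS = {
    # AKIA + 16 uppercase alphanumerics: AWS access key id
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # name = "value" style assignments; group 2 is the value itself
    "generic_assignment": re.compile(
        r"(?i)(password|passwd|secret|token|api[_-]?key)\s*[:=]\s*['\"]?([^\s'\"]{8,})"),
}
ENTROPY_THRESHOLD = 4.0  # bits per character; assumption tuned for base64-ish tokens


def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_diff(diff_text, entropy_threshold=ENTROPY_THRESHOLD):
    """Return (diff_line_no, rule, matched_secret) for each added line that trips a
    rule. Only '+' lines are inspected, so removing a secret never raises a finding;
    '+++ b/file' header lines are skipped. Line numbers index the diff text, not the file."""
    findings = []
    for line_no, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        content = line[1:]
        for rule, rx in PATTERNS.items():
            m = rx.search(content)
            if m:
                findings.append((line_no, rule, m.group(m.lastindex or 0)))
                break
        else:
            # fallback: any long token-like string with high entropy
            for tok in re.findall(r"[A-Za-z0-9+/=_\-]{20,}", content):
                if shannon_entropy(tok) >= entropy_threshold:
                    findings.append((line_no, "high_entropy", tok))
                    break
    return findings


# Constructed sample: one commit that hard-codes cloud credentials in settings.py
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,4 +1,6 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+DB_PASSWORD = "changeme-in-prod-2017"
 ALLOWED_HOSTS = ["ci.internal"]
-# nothing to see here
+# moved credentials to env vars later
"""


def main(argv):
    if "--staged" in argv:
        # pre-commit hook mode: only what is about to be committed
        diff = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                              check=True, capture_output=True, text=True).stdout
    elif not sys.stdin.isatty():
        # history mode: git log -p --all | python scan_secrets.py
        diff = sys.stdin.read()
    else:
        diff = SAMPLE_DIFF
    findings = scan_diff(diff)
    for line_no, rule, secret in findings:
        # print only a prefix so the hook's own output does not leak the secret
        print(f"diff line {line_no}: {rule}: {secret[:6]}...")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

A client-side hook is advisory only: `git commit --no-verify` skips it, so the same scan belongs in a server-side pre-receive hook or a CI job as well. And once a secret has been pushed, rewriting history does not un-leak it; rotate the credential first, then clean the history.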

This is an action-packed class with 20+ labs covering a range of attacks, vulnerabilities and exploitation tactics.

Deliverables:

  • Lab handouts with ready-made scripts
  • Printed command cheat sheet
  • VM with pre-configured tools and vulnerable labs for pentesting and securing DevOps instances

After the training, attendees will be able to:

  • Identify vulnerabilities in the implementation of CI/CD instances
  • Find and adapt publicly available exploits to compromise a CI instance
  • Address configuration-related vulnerabilities
  • Abuse the Jenkins script console
  • Create an attack surface map of the entire architecture
  • Implement password vaults
  • Write build jobs that gain privileged access to the target system and steal sensitive values
  • Abuse Git history, and fix or prevent the problem with Git hooks
  • Create scheduled validation scripts to enforce security best practices
  • Perform Docker breakouts
  • Audit the different tools used in a CI/CD chain
  • Apply guidelines for centralized authentication and authorization
  • Design secure cloud architectures
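Two of the outcomes above, scheduled validation scripts and containers that do not carry superuser rights, meet in the kind of audit below. This is an added example written for this page, not Attify's lab code: a Python script that reads Pod manifests (the JSON from `kubectl get pods -A -o json`, or a single Pod) and reports the settings that turn a compromised build container into a node compromise: shared host namespaces, `privileged`, running as root, `allowPrivilegeEscalation` left enabled, dangerous added capabilities, and `hostPath` mounts of the Docker socket or the host root. The field names are the real Pod spec fields; the two manifests and the image name are constructed placeholders, and the lists of dangerous paths and capabilities are my assumptions.

```python
"""Audit Kubernetes Pod manifests for the container settings that most often let a
compromised build job escape to the node.

Added example for this page, not Attify's lab code. Pod spec field names are real;
the two manifests below and the image name are constructed for the demo.
"""
import json
import sys

# Node paths that make a breakout trivial once mounted: the Docker socket gives full
# control of the daemon, the others give the node's filesystem. (Assumed list.)
DANGEROUS_HOST_PATHS = {"/", "/var/run/docker.sock", "/run/docker.sock", "/proc", "/etc", "/root"}
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}


def audit_pod(pod):
    """Return (subject, finding) tuples for one Pod manifest given as a dict."""
    findings = []
    spec = pod.get("spec", {})
    pod_name = pod.get("metadata", {}).get("name", "<unnamed>")

    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            findings.append((pod_name, f"{key}: true shares the node's namespace"))

    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    pod_sc = spec.get("securityContext", {})

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = {**pod_sc, **c.get("securityContext", {})}  # container-level values win
        if sc.get("privileged"):
            findings.append((name, "privileged: true (all capabilities, all devices)"))
        if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:
            findings.append((name, "no runAsNonRoot/runAsUser guard: runs as root if the image does"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append((name, "allowPrivilegeEscalation not set to false"))
        for cap in sc.get("capabilities", {}).get("add", []):
            if cap.upper() in DANGEROUS_CAPS:
                findings.append((name, f"adds capability {cap}"))
        for m in c.get("volumeMounts", []):
            path = host_paths.get(m.get("name"))
            if path is not None and (path == "/" or path.rstrip("/") in DANGEROUS_HOST_PATHS):
                findings.append((name, f"mounts node path {path}"))
    return findings


def audit_manifest(text):
    """Audit a JSON document: a kubectl List (has 'items') or a single Pod."""
    doc = json.loads(text)
    return [f for pod in doc.get("items", [doc]) for f in audit_pod(pod)]


# Constructed manifests: the usual "just mount the Docker socket" CI agent, and the
# hardened version of the same Pod.
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "ci-agent"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "agent", "image": "example/ci-agent:latest",
            "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
            "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}],
        }],
    },
}
GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "ci-agent"},
    "spec": {
        "volumes": [{"name": "workspace", "emptyDir": {}}],
        "containers": [{
            "name": "agent", "image": "example/ci-agent:latest",
            "securityContext": {
                "runAsNonRoot": True, "runAsUser": 1000,
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
            "volumeMounts": [{"name": "workspace", "mountPath": "/workspace"}],
        }],
    },
}
SAMPLE_LIST_JSON = json.dumps({"kind": "List", "items": [BAD_POD, GOOD_POD]})


def main():
    # kubectl get pods -A -o json | python audit_pods.py ; falls back to the sample
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LIST_JSON
    findings = audit_manifest(text)
    for subject, finding in findings:
        print(f"{subject}: {finding}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run from cron or as a CI job; the non-zero exit code makes it a gate. The same checks are better enforced at admission time too (PodSecurityPolicy in clusters of this era, Pod Security Admission today), since a scheduled audit only tells you after the risky Pod has already been running.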

Minimum Requirements:

  • Laptop with Windows, Linux or macOS pre-installed
  • 8 GB RAM
  • 40 GB of free disk space
  • Modern CPU, 2.2 GHz or faster, with virtualization support
  • Wi-Fi enabled for network access
  • 1 USB 2.0 port
  • Ability to run VirtualBox/VMware virtual machines
  • Administrative rights on the laptop to install required software packages

 

 


Speakers

Amol Bhure

Security Researcher, Attify
Amol Bhure leads the Infrastructure Pentesting team at Attify. He has more than 5 years' experience leading corporate pentests and has worked extensively on breaking CI systems, DevOps security, log analysis and monitoring, and mobile and web application exploitation. He is also an...

Suraj Biyani

Infrastructure Security Consultant, Attify
I have several years of experience with integration of various tools. For the last couple of years I have been working at multiple small startups and established organisations to set up the CI/CD tools required to support DevOps transformation. Suggesting and implementing industry...


Tuesday September 19, 2017 9:00am - 5:00pm EDT
Cancun
 
Wednesday, September 20
 

9:00am EDT

Practical DevOps Security and Exploitation (2 of 2 days)

Second day of the two-day class described above under Tuesday, September 19; the abstract, deliverables, requirements and speakers are the same.


Wednesday September 20, 2017 9:00am - 5:00pm EDT
Cancun

6:30pm EDT

OWASP Leaders workshop
All OWASP Chapter and Project Leaders are invited to come to the Leader's Workshop to give input on your needs so that the OWASP Foundation can better support you.  Here you will also learn about ongoing efforts as well as be able to give insight into how better to tailor them.  Attendees will receive special edition OWASP Leader's shirts.

Wednesday September 20, 2017 6:30pm - 8:00pm EDT
Cancun
 