Attacking and Defending the DevOps Toolchain
Containers, Configuration management, Infrastructure as Code, Microservices, Message queues, Service Discovery, and Continuous Integration/Continuous Deployment, are the rage these days and rightfully so, they solve some of the most challenging problems of modern application development stack. These tools and techniques provide great benefits to the organization by delivering software to the customers at speed and scale. However, they are difficult to secure and configure in complex environments (lots of moving parts, newer technologies, the scale of operations, cloud providers).
This talk will cover the attacks and misconfigurations associated with these modern technologies and how we can leverage above technologies to get a foothold into network, pivot and maintain access during pentesting and blue/red teaming exercises. We will go over how to discover issues in DevOps systems using manual and automated tools. Finally, we will discuss how to secure these systems.
Whats a better way to see this than a live demo? All the demos and examples will be shown on DevSecOps Studio, an open-source project.