
DevSecOps Assessment

Risk Mitigation

What risk does a compromised developer pose to your organization? What if an open-source project you rely on slips in some malware? What would your customers think?

White Knight Labs enables organizations to measure the risk of compromise to their DevSecOps processes and CI/CD pipelines. We start with insider access, assuming the same level of access as one of your developers. This allows us to assess your internal build, test, and deploy pipelines for misconfigurations, unreliable dependencies, and vulnerabilities.

Despite excellent technical security controls, a compromised developer can still leverage their permissions to push malicious code into production if no effective code review and approval process exists. Merge approvals and code reviews may also be subject to circumvention through deception, inattention, or misconfiguration. We assess these human processes and the technology used to implement them.

Additional risks that we discover include:

  • Exposed credentials in DevOps deployment scripts
  • Code dependencies vulnerable to external hijacking (dependency confusion)
  • Insecurely stored build artifacts
  • Overly permissioned service accounts
  • Insecure build agents
  • Insufficient branch protections
  • Misconfigured code security scanners
  • Over-privileged third-party contractors

If we discover vulnerabilities that allow unapproved code to be deployed (and your rules of engagement allow), then we will push safe, innocuous code that proves the viability of the attack path. This lets you know for sure how far a malicious change would truly make it towards production before being stopped by your controls.

We also assume the role of a “normal” insider (someone not granted developer privileges) and compare our results. Internal developer resources are often accessible to wider groups beyond development teams. This can greatly increase the attack surface for insider threats, expanding the threat of compromise from only being achievable by trusted developers to additionally include all employees or contractors.

Attacks performed, tactics used, and results collected during these simulations are compiled into actionable reports that identify these risks to your organization’s most valuable deployment infrastructure.

Our reports provide you with highly valuable information about your security posture and the security awareness levels of your employees, production code protections, detection and response effectiveness, and technology deterrents. This vital information is a crucial component toward measuring your overall security posture and helps pinpoint where security gaps need to be filled and where budgetary dollars should be directed.

    Service Description

    Our team will work closely with you to create your rules of engagement to solidify details such as:

    • Internal development infrastructure that is in scope as targets (whitelist)
    • Engagement objectives
    • A high-level description of the types of attacks that could be implemented
    • Guidelines or restrictions on pushing code to demonstrate attack paths
    • Authorized actions the red team may perform in pursuit of their objectives
    • Explicitly restricted tactics
    • Restricted items (blacklist)

    We will also coordinate our access to your internal development infrastructure. This may require test accounts to be created. Many of our customers already have means to enable remote access for developers. Alternatively, we can use a virtual machine or ship a physical device to your site to enable our remote access.

    As an additional service, White Knight Labs will revisit an assessment after an organization has had time to address DevOps security issues described in one of our reports. We can also counsel you on building or improving your DevSecOps practices as part of our DevSecOps Engineering service.

    Sleep better at night

    Risk reduction

    At White Knight Labs, our risk reduction strategy melds unparalleled technical acumen with a client-focused approach to deliver targeted, cost-effective, and accessible solutions that fortify your organization against the ever-evolving cyber threat landscape.

    Business integrity

    At White Knight Labs, we leverage our cybersecurity expertise to safeguard your business integrity, ensuring you operate securely, confidently, and build trust in an interconnected digital world.

    Data protection

    At White Knight Labs, we deploy cutting-edge cybersecurity measures and personalized strategies to offer unwavering data protection, reinforcing our commitment to preserving your company’s invaluable digital assets.
