Dev, Sec, Oops: How Agile Security increases Attack Surface

25.11.2020, 19:55-20:25

If you ask a product security professional how Agile changes the traditional security approach, the answer would be “DevSecOps”. Behind the term are a lot of new processes that involve new tools (CI/CD and bug-tracking systems, container management, monitoring systems) and new roles (developers, DevOps engineers, administrators, analysts, etc.).

Let’s redefine typical targeted attack scenarios and look at security analysts and their daily tools as the pivot point for adversaries. During the research, we performed vulnerability research on popular security solutions (including open source ones) and mapped their attack surface. Trivial web attack paths (for example, XSS and CSRF) acquire new value in this context. We show how the vulnerabilities discovered in the security analyst’s environment could be exploited in non-trivial ways to establish a foothold for a targeted attack.