A set of practices in software development and information technology known as DevOps has become the leading reference for software development and IT operations that aim to provide continuous integration, delivery and software quality assurance. These practices have brought many advantages such as rapid development and delivery of software and system platforms, along with integration with cloud platforms. These new advantages come with a price and that price is the augmentation of attack surface. This presentation shows the different attack vectors in the CI/CD Devops attack surface broken down by components and implications for those enterprises using Devops practices. Specific attack tools along with methodology will be provided to showcase with proof of concepts how to apply read team methodology against Devops practices.


@@ José Hernández @@

José is a Principal Security Researcher at Splunk. He started his professional career at Prolexic Technologies (now Akamai), fighting DDOS attacks from “anonymous” and “lulzsec” against Fortune 100 companies. As an engineering co-founder of Zenedge Inc. (acquired by Oracle Inc.), José helped build technologies to fight bots and web-application attacks. While working at Splunk as a Security Architect, he built and released an auto-mitigation framework that has been used to automatically fight attacks in large organizations. He has also built security operation centers and run a public threat-intelligence service. Although security information has been the focus of his career, José has found that his true passion is in solving problems and creating solutions. As an example, he built an underwater remote-control vehicle called the SensorSub, which was used to test and measure toxicity in Miami's waterways.

@@ Rod Soto @@

Worked at Prolexic, Akamai, Caspida. Won BlackHat CTF in 2012. Co-founded Hackmiami, Pacific Hackers meetup, and conferences.