A mature DevOps practice applies multiple tools at different steps of the delivery pipeline, and a new study from IntSights focuses on the subset of those tools that are reachable, and therefore attackable, from the Internet.
Each new tool added to your process can expand your attack surface, and in many cases new development and delivery tools are adopted without oversight from a security team. As more complex tools are wired into each DevOps step, the number of potential attack vectors and the risk of compromise grow quickly.
Under the assumption that the majority of DevOps tools are web-based, IntSights studied DevOps servers and software found accessible via the internet.
The research centered on a list of nearly 26,000 URLs and subdomains compiled by combining known DevOps tool names with the domains of different organizations, for example looking for Jenkins automation servers under a hostname such as "jenkins.example.com".
Every server that answered with a live, valid response was counted as an open server and was then examined further to determine what kind of access control, if any, was in place. No "fancy attack tools" were used, only OSINT (Open Source Intelligence) tools and websites.
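The enumeration and grading the study describes can be reproduced with a few dozen lines of Python. The block below is an added example written for this page, not IntSights' tooling: it builds candidate hostnames from tool names and organization domains, fingerprints each live response from headers and body markers a plain HTTP request exposes (the `X-Jenkins` header Jenkins sends, the "You Know, for Search" tagline in an Elasticsearch root response), and grades the response as not live, authentication required, login page only, or open with no authentication. The network is replaced by a constructed dictionary of sample responses so the script runs offline; the tool list, domains and sample bodies are illustrative assumptions.

```python
"""Added example (not the study's code): enumerate candidate DevOps hosts,
fingerprint and grade each live response, then summarize exposure."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Illustrative tool names; the study combined a much larger list with ~26,000 URLs.
TOOL_NAMES = ["jenkins", "gitlab", "sonar", "elasticsearch", "kibana", "nexus"]


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


# A fetcher returns a Response, or None when nothing live answers
# (NXDOMAIN, connection refused, timeout). Swap in requests/httpx for real use.
Fetcher = Callable[[str], Optional[Response]]


def build_candidates(tools: Iterable[str], domains: Iterable[str]) -> List[str]:
    """Combine tool names with organization domains, e.g. https://jenkins.example.com."""
    return [f"https://{tool}.{domain}" for domain in domains for tool in tools]


def fingerprint(resp: Response) -> str:
    """Identify the product from markers an unauthenticated request already reveals."""
    hdrs = {k.lower(): v for k, v in resp.headers.items()}
    if "x-jenkins" in hdrs or "x-hudson" in hdrs:   # Jenkins adds these on every page
        return "jenkins"
    if "You Know, for Search" in resp.body:          # Elasticsearch root endpoint tagline
        return "elasticsearch"
    return "unknown"


def grade(resp: Optional[Response]) -> str:
    """Access level of one response, in the survey's terms."""
    if resp is None:
        return "not_live"
    hdrs = {k.lower(): v for k, v in resp.headers.items()}
    if resp.status in (401, 403) or "www-authenticate" in hdrs:
        return "auth_required"
    if resp.status == 200:
        # A 200 that is only a login form is reachable but still gated.
        if re.search(r'name="(j_username|username|user|login)"', resp.body, re.I) \
                or re.search(r"<form[^>]*login", resp.body, re.I):
            return "login_page"
        return "open_no_auth"
    return "live_other"


def survey(candidates: Iterable[str], fetch: Fetcher) -> Dict[str, Tuple[str, str]]:
    """Map each candidate URL to (access level, product fingerprint)."""
    results: Dict[str, Tuple[str, str]] = {}
    for url in candidates:
        resp = fetch(url)
        results[url] = (grade(resp), fingerprint(resp) if resp else "")
    return results


def summarize(results: Dict[str, Tuple[str, str]]) -> dict:
    """Count live hosts and break them down by access level."""
    live = {u: r for u, r in results.items() if r[0] != "not_live"}
    by_level: Dict[str, int] = {}
    for level, _ in live.values():
        by_level[level] = by_level.get(level, 0) + 1
    pct = round(100 * len(live) / len(results), 2) if results else 0.0
    return {"tested": len(results), "live": len(live), "pct_live": pct, "by_level": by_level}


# Constructed sample answers standing in for the Internet (assumption, not real hosts).
SAMPLE_NET = {
    "https://jenkins.example.com": Response(
        200, {"X-Jenkins": "2.204"}, "<html>Dashboard [Jenkins] ... Build History"),
    "https://jenkins.example.org": Response(
        200, {"X-Jenkins": "2.204"},
        '<form action="j_acegi_security_check"><input name="j_username">'),
    "https://elasticsearch.example.com": Response(
        200, {"content-type": "application/json"},
        '{"name":"node-1","tagline":"You Know, for Search"}'),
    "https://nexus.example.org": Response(
        401, {"WWW-Authenticate": 'Basic realm="Sonatype Nexus"'}, ""),
}


def sample_fetch(url: str) -> Optional[Response]:
    return SAMPLE_NET.get(url)


if __name__ == "__main__":
    cands = build_candidates(TOOL_NAMES, ["example.com", "example.org"])
    res = survey(cands, sample_fetch)
    for url, (level, product) in res.items():
        if level != "not_live":
            print(f"{url:40} {level:14} {product}")
    print(summarize(res))
```

With the sample data, 4 of 12 candidates answer, and two of those (a Jenkins dashboard and an Elasticsearch root endpoint) are graded open with no authentication, which is exactly the class of finding the study reports. Against real targets, rate-limit the fetcher and only scan domains you are authorized to test.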
Are DevOps Tools Expanding Your Attack Surface?
The results show that roughly 23 percent – 5,967 out of 25,876 – of the URLs tested were reachable from the web, with varying levels of access control. In some cases the software was fully exposed, with no username or password required at all.
In one example, a Jenkins server was reachable with multiple builds available to inspect. Build servers often hold hardcoded credentials, or leak secrets through the commands and output recorded in console logs, which gives an attacker material for further attacks.
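What "leaking secrets through console output" looks like in practice is easy to show. The block below is an added example, not the study's code: it scans Jenkins-style console output for the credential shapes that build steps commonly print (a password embedded in a clone URL, an AWS access key ID exported into the environment, a bearer token echoed by a `curl` line, a password passed as a command flag, a pasted private key) and reports them with their values redacted, so the scanner itself does not become another leak. The regexes and the sample console lines are constructed for illustration; the AWS key is Amazon's documented example value, not a live credential.

```python
"""Added example (not the study's code): find credentials leaked into
CI console output, reporting redacted values and line numbers."""
import re
from typing import List, Tuple

# (label, regex); each pattern captures the sensitive part in group 'secret'.
PATTERNS = [
    ("aws_access_key_id",
     re.compile(r"\b(?P<secret>AKIA[0-9A-Z]{16})\b")),
    ("url_basic_auth",                       # https://user:PASS@host/...
     re.compile(r"https?://[^/\s:@]+:(?P<secret>[^@\s]+)@")),
    ("assignment_password",                  # password=..., token: "...", api_key=...
     re.compile(r"(?i)\b(?:password|passwd|pwd|token|api[_-]?key)\s*[=:]\s*['\"]?"
                r"(?P<secret>[^'\"\s]{6,})")),
    ("bearer_token",
     re.compile(r"(?i)authorization:\s*bearer\s+(?P<secret>[A-Za-z0-9._\-]{16,})")),
    ("private_key",
     re.compile(r"(?P<secret>-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)")),
]


def redact(value: str) -> str:
    """Keep enough of the value to locate it in the log without reproducing it."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_console(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, pattern label, redacted secret) for every hit."""
    findings: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        for label, pat in PATTERNS:
            for m in pat.finditer(line):
                findings.append((n, label, redact(m.group("secret"))))
    return findings


# Constructed console output in Jenkins' style (assumption; not a real build log).
SAMPLE_CONSOLE = """Started by user admin
[Pipeline] sh
+ git clone https://deploy:Sup3rS3cret@git.example.com/org/app.git
+ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+ curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abcdefghijklmnop' https://api.example.com/deploy
+ ./deploy.sh --db-password=hunter2hunter2
Finished: SUCCESS""".splitlines()


if __name__ == "__main__":
    for n, label, shown in scan_console(SAMPLE_CONSOLE):
        print(f"line {n}: {label}: {shown}")
```

Run against a build's `consoleText`, a scan like this turns "multiple builds to investigate" into a concrete list of credentials that need rotating. The same patterns are worth running on the defender's side as a pipeline step that fails the build when a secret reaches the log.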
In another example, an open Elasticsearch server, which requires no authentication by default, was found. Elasticsearch is a distributed search and analytics engine (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Ben Layer. Read the original post at: https://www.tripwire.com/state-of-security/devops/report-devops-servers-in-the-wild-highlight-infrastructure-security-needs/