Tuesday, July 1, 2025

Security Boulevard Logo

Security Boulevard

The Home of the Security Bloggers Network

Community Chats Webinars Library
  • Home
    • Cybersecurity News
    • Features
    • Industry Spotlight
    • News Releases
  • Security Creators Network
    • Latest Posts
    • Syndicate Your Blog
    • Write for Security Boulevard
  • Webinars
    • Upcoming Webinars
    • Calendar View
    • On-Demand Webinars
  • Events
    • Upcoming Events
    • On-Demand Events
  • Sponsored Content
  • Chat
    • Security Boulevard Chat
    • Marketing InSecurity Podcast
    • Techstrong.tv Podcast
    • TechstrongTV - Twitch
  • Library
  • Related Sites
    • Techstrong Group
    • Cloud Native Now
    • DevOps.com
    • Security Boulevard
    • Techstrong Research
    • Techstrong TV
    • Techstrong.tv Podcast
    • Techstrong.tv - Twitch
    • Devops Chat
    • DevOps Dozen
    • DevOps TV
  • Media Kit
  • About
  • Sponsor

  • Analytics
  • AppSec
  • CISO
  • Cloud
  • DevOps
  • GRC
  • Identity
  • Incident Response
  • IoT / ICS
  • Threats / Breaches
  • More
    • Blockchain / Digital Currencies
    • Careers
    • Cyberlaw
    • Mobile
    • Social Engineering
  • Humor
DevOps Security Bloggers Network 

Home » Cybersecurity » DevOps » Study: DevOps Servers In The Wild Highlight Infrastructure Security Needs

SBN

Study: DevOps Servers In The Wild Highlight Infrastructure Security Needs

by Ben Layer on May 2, 2018

A mature DevOps practice involves applying multiple tools at different steps of the delivery pipeline, and a new study from IntSights focuses on these tools that may be open to attack on the Internet.

Each new tool added to your process can expand your attack surface area – and, in many cases, new development and delivery tools are being used without oversight from a security team. With complex tools being used in each DevOps step, potential attack vectors and the risk of compromise rapidly increase.

Techstrong Gang Youtube
AWS Hub

Under the assumption that the majority of DevOps tools are web-based, IntSights studied DevOps servers and software found accessible via the internet.

The research centered around a list of nearly 26,000 URLs and subdomains compiled by combining known DevOps tool names with the domains of different organizations, such as by searching for Jenkins automation servers under the hostname “jenkins.example.com.”

Every server that answered with a live and valid response was considered an open server and was then subjected to further investigation to determine what sort of security was present. No “fancy attack tools” were used. Only OSINT (Open Source Intelligence) tools and websites.

Are DevOps Tools Expanding Your Attack Surface?

The results show that 23.6 percent – or 5,967 out of 25,876 – of the URLs tested were accessible via the web, with a variety of access levels. In some cases, some software was totally exposed with no username and password combination.

In one example, a Jenkins server was available with multiple builds to investigate. Automated build tools often have hardcoded credentials or accidentally expose data via commands or output in log files, providing information for further attacks.

In another example, an open Elasticsearch server, which requires no authentication by default, was found. Elasticsearch is a distributed search and analytics engine (Read more...)

*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Ben Layer. Read the original post at: https://www.tripwire.com/state-of-security/devops/report-devops-servers-in-the-wild-highlight-infrastructure-security-needs/

May 2, 2018May 2, 2018 Ben Layer DEVOPS, Featured Articles, security
  • ← Dispelling the Myth: How to Optimize Your Company for Both Cyber Security and Productivity
  • The Importance of Innovation in Network Monitoring →

Techstrong TV

Click full-screen to enable volume control
Watch latest episodes and shows

Tech Field Day Events

Upcoming Webinars

Securing Vibe Coding: Addressing the Security Challenges of AI-Generated Code
How to Spot and Stop Security Risks From Unmanaged AI Tools

Podcast

Listen to all of our podcasts

Press Releases

GoPlus's Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

C2A Security’s EVSec Risk Management and Automation Platform Gains Traction in Automotive Industry as Companies Seek to Efficiently Meet Regulatory Requirements

C2A Security’s EVSec Risk Management and Automation Platform Gains Traction in Automotive Industry as Companies Seek to Efficiently Meet Regulatory Requirements

Zama Raises $73M in Series A Lead by Multicoin Capital and Protocol Labs to Commercialize Fully Homomorphic Encryption

Zama Raises $73M in Series A Lead by Multicoin Capital and Protocol Labs to Commercialize Fully Homomorphic Encryption

RSM US Deploys Stellar Cyber Open XDR Platform to Secure Clients

RSM US Deploys Stellar Cyber Open XDR Platform to Secure Clients

ThreatHunter.ai Halts Hundreds of Attacks in the past 48 hours: Combating Ransomware and Nation-State Cyber Threats Head-On

ThreatHunter.ai Halts Hundreds of Attacks in the past 48 hours: Combating Ransomware and Nation-State Cyber Threats Head-On

Subscribe to our Newsletters

ThreatLocker

Most Read on the Boulevard

N. Korean Group BlueNoroff Uses Deepfake Zoom Calls in Crypto Scams
‘IntelBroker’ Hacker Arrested for Wave of High-Profile Data Breaches
Abstract Security Adds Data Lake to Reduce Storage Costs
NIST’s CURBy Uses Quantum to Verify Randomness of Numbers
ICE’s Shiny New ‘AI’ Facial Recognition App: False Positives Ahoy!
Cybersecurity Snapshot: U.S. Gov’t Urges Adoption of Memory-Safe Languages and Warns About Iran Cyber Threat
AI vs. AI: How Deepfake Attacks Are Changing Authentication Forever
Best SAST Solutions: How to Choose Between the Top 11 Tools in 2025
Best Application Security Testing Tools: Top 10 Tools in 2025
Frequently Asked Questions About Iranian Cyber Operations

Industry Spotlight

ICE’s Shiny New ‘AI’ Facial Recognition App: False Positives Ahoy!
Analytics & Intelligence Cyberlaw Cybersecurity Data Privacy Featured Governance, Risk & Compliance Humor Identity & Access Industry Spotlight Mobile Security Most Read This Week Network Security News Popular Post Security Awareness Security Boulevard (Original) Social - Facebook Social - LinkedIn Social - X Spotlight Threat Intelligence Threats & Breaches 

ICE’s Shiny New ‘AI’ Facial Recognition App: False Positives Ahoy!

June 30, 2025 Richi Jennings | Yesterday 0
Russian Throttling of Cloudflare ‘Renders Many Websites Barely Usable’
Cloud Security Cybersecurity Data Security Featured Industry Spotlight Mobile Security Network Security News Security Boulevard (Original) Social - Facebook Social - LinkedIn Social - X Social Engineering Spotlight 

Russian Throttling of Cloudflare ‘Renders Many Websites Barely Usable’

June 30, 2025 Jeffrey Burt | Yesterday 0
WhatsApp BANNED by House Security Goons — But Why?
Application Security Cloud Security Cyberlaw Cybersecurity Data Privacy Data Security DevOps Endpoint Featured Governance, Risk & Compliance Humor Incident Response Industry Spotlight Mobile Security Most Read This Week Network Security News Popular Post Security Awareness Security Boulevard (Original) Social - Facebook Social - LinkedIn Social - X Spotlight Threats & Breaches Vulnerabilities 

WhatsApp BANNED by House Security Goons — But Why?

June 24, 2025 Richi Jennings | Jun 24 0

Top Stories

Sysdig Extends AI Agent Reach Across Portfolio
Cybersecurity Featured News Security Boulevard (Original) Social - Facebook Social - LinkedIn Social - X Spotlight Threats & Breaches Vulnerabilities 

Sysdig Extends AI Agent Reach Across Portfolio

June 30, 2025 Michael Vizard | Yesterday 0
NIST’s CURBy Uses Quantum to Verify Randomness of Numbers
Cloud Security Cybersecurity Data Privacy Data Security Featured Identity & Access Mobile Security Network Security News Security Awareness Security Boulevard (Original) Social - Facebook Social - LinkedIn Social - X Spotlight Threat Intelligence Threats & Breaches 

NIST’s CURBy Uses Quantum to Verify Randomness of Numbers

June 29, 2025 Jeffrey Burt | 1 day ago 0
‘IntelBroker’ Hacker Arrested for Wave of High-Profile Data Breaches
Cloud Security Cybersecurity Data Privacy Data Security Featured Identity & Access Mobile Security Network Security News Security Boulevard (Original) Social - Facebook Social - LinkedIn Social - X Spotlight Threat Intelligence Threats & Breaches 

‘IntelBroker’ Hacker Arrested for Wave of High-Profile Data Breaches

June 28, 2025 Jeffrey Burt | 2 days ago 0

Security Humor

The face of the Statue Of Liberty

ICE’s Shiny New ‘AI’ Facial Recognition App: False Positives Ahoy!

Download Free eBook

The State of Cloud Native Security 2020

Security Boulevard Logo White

DMCA

Join the Community

  • Add your blog to Security Creators Network
  • Write for Security Boulevard
  • Bloggers Meetup and Awards
  • Ask a Question
  • Email: [email protected]

Useful Links

  • About
  • Media Kit
  • Sponsor Info
  • Copyright
  • TOS
  • DMCA Compliance Statement
  • Privacy Policy

Related Sites

  • Techstrong Group
  • Cloud Native Now
  • DevOps.com
  • Digital CxO
  • Techstrong Research
  • Techstrong TV
  • Techstrong.tv Podcast
  • DevOps Chat
  • DevOps Dozen
  • DevOps TV
Powered by Techstrong Group
Copyright © 2025 Techstrong Group Inc. All rights reserved.
×