Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Incubation Engineering - Latest / 16 May 2023
GitLab / Incubation Engineering - Latest / 16 May 2023
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Incubation Engineering - Breach and Attack Simulation - Weekly update 2023-05-16

Description

Introducing the Breach and Attack Simulation CI/CD template for extending your existing security testing.

Please feel free to add feedback around BAS in this issue: https://gitlab.com/gitlab-org/gitlab/-/issues/404809

A

Hey y'all welcome to the breach and attack simulation weekly update for the week of May 16 2023.

A

For those who don't know me hi, my name is Aaron I'm, a staffing curation engineer at gitlab and I work on the breach and attack simulation uh single engineer group.

A

So uh with May 16th comes the sort of wrap-up of getting into the of his 6-0 mile Milestone, a major Milestone and major release for gitlab and I'm, pretty excited to be uh introducing the breach and attack simulation. uh Ci CD template for gitlab this template's going to add some intro, uh some new features and add some future supports for different security scanners, but I'll get straight into the demo portion of my uh my update.

A

So if we drop into the demo video, we can see there as shown previously, there is a configuration section in the security configuration page in your project. If you then go to the configuration guide it as an ultimate user, you can see that there's a guide for extending your dash to configuration to include region attack simulation features. What this will do is this will then pull in the gitlab CI CD templates, as I mentioned by including it in your configuration in different ways, once you've included any configuration, um it will either pull in DOS.

A

The latest dos templates. If you haven't already pulled the data sampling in or if it's a detector, that you've you're using dust, it will go ahead and only append additional variables. On top of your job off the back of this, we can see that uh we will uh I've I've added in multiple uh hidden jobs and so there's hidden jobs.

A

um They add variables in and they override the image uh for dust. So I will use a future build of dust which includes additional breach, attack, simulation features and there's a Services uh container, there's a Services hidden job, and if you use the dust with bus using Services, hidden, head and job, what that will do is that will give you additionally it'll Define a serve as a container for callbacks, where we will listen uh to uh to traffic coming from your application in test, so that just goes through and it's we.

A

We connect to the service and we enable some feature. Flags for uh network connectivity in your Runner, if your runner's default configuration, doesn't uh allow for a container to container networking off the back of that. We can see that we have the finding here and we've escalated the severity for this particular finding to critical, because we've been able to perform code injection and get a callback attack.

A

um This injection this code injection vulnerability here, yeah I'm, pointing at a vulnerable vulnerable test application. If you can see that upon sending it a payload which includes the unique correlation ID based on the location, I'm sending it to and the configuration of the job, um we can see that uh we get back a callback, and so we tested that out of band application uh security, testing, we've performed that and we can see that we've verified a callback.

A

So that makes the particular attack successful and we're able to say it is a critical finding, because an attacker with a van will execute arbitrary code and call back to the server in this case um the different attacks. uh So if this was a different type of one of these, such like entity injection that may not be critical, um but initially in this.

A

What we've done is for code injection, we've added support, end for uh performing callback attacks and proving arbitrary execution where which we surf as additional details inside of your your security report, so that wraps up the breach, attack simulation, temp, uh CI CD templates uh go uh go to the documentation or add any feedback. If there's anything missing in the documentation, I would love uh love your input there um outside of that new opportunities that I've identified, um bartek didn't mention to myself uh to reach out to three uh for cloud seed.

A

uh Siri is the incubation manager that uh running the cloud seed, um incubation engineering, uh sag and so the cloud ctec has support for uh Google, Cloud um and sort of bringing up, Google, Cloud resources and creating those Resources with a little knowledge on infrastructure's code um and so for as a workflow and doing asset, Discovery and reconnaissance as Region's accumulation.

A

This work, this flows really uh well with what I'm doing and so we've had a great conversation and I've got some great next steps for the reconnaissance piece where, if you connect your project to gitlab, you can then in the future, will you'll be able to use bass to enumerate your attack surface through gcp or other Cloud providers going forward, and next talking about next focuses. Then uh shipping scan option. Metrics is still uh one of my top of Mind items.

A

um This is something that I would sort of enable all. uh This has been enabled in a previous version in the 1511 uh Milestone this it got shipped um right now.

A

It's just a really good supportability use case where, if a customer sends the security reports, we're able to see information about their scouting uh options, if security analyzers have enabled thoughts, um but there's no certain Telemetry around this yeah and that's something I I look forward to doing and helping out and there's been some collaboration there for myself and other Engineers insecure, um starting uh next up, I'm going to be starting templates like assets and domain Discovery job, so getting a sort of workflow that I mentioned.

A

In my conversation, with Cloud seed having a workflow where you can configure a job that does that enumeration for you and enumerates what your tax service might look like from the cloud provider perspective around what uh what public?

A

If facing instances you may have, or uh public DNS zones that you have and doing that enumeration uh with a sort of from a trusted perspective, we're able to see more than what a attacker May potentially see and then I was being able to sort of uh highlight, saying: hey this uh we've found this assets and this one it has a public DNS name and it has an SSL certificate, so there's uh sort of highlighting how things have been discovered and how attackers may get to the reconnaissance piece of the kill chain, as opposed to uh showing uh like the exploitation down at the end.

A

So this is going back all the way to the beginning of the kill chain um to show people hey. This is what we can discover and uh highlight highlighting that risk for uh for folks.

A

um As always, if there's any feedback, please go ahead and drop comments in any of my issues, um there's especially the feedback issue for adding General feedback and any feedback of, and issues that you've had with testing it. If you're, an ultimate user who's been able to use the Dost extension so far, um thanks and I hope to see you all again soon, bye.