Description
Introducing the Breach and Attack Simulation CI/CD template for extending your existing security testing.
Please feel free to add feedback around BAS in this issue: https://gitlab.com/gitlab-org/gitlab/-/issues/404809
So with May 16th comes the sort of wrap-up of getting into the 16.0 milestone, a major milestone and major release for GitLab, and I'm pretty excited to be introducing the Breach and Attack Simulation CI/CD template for GitLab. This template is going to add some intro, some new features, and add some future support for different security scanners, but I'll get straight into the demo portion of my update.
So if we drop into the demo video, we can see there, as shown previously, there is a configuration section in the Security Configuration page in your project. If you then go to the configuration guide as an Ultimate user, you can see that there's a guide for extending your DAST configuration to include Breach and Attack Simulation features. What this will do is pull in the GitLab CI/CD templates, as I mentioned, by including it in your configuration in different ways. Once you've included any configuration, it will either pull in the latest DAST templates, if you haven't already pulled the DAST template in, or, if it detects that you're using DAST, it will go ahead and only append additional variables on top of your job.
Off the back of this, we can see that I've added in multiple hidden jobs. They add variables in and they override the image for DAST, so it will use a future build of DAST which includes additional Breach and Attack Simulation features. There's a services container: there's a services hidden job, and if you use the DAST-with-BAS-using-services hidden job, what that will do is additionally define a services container for callbacks, where we will listen to traffic coming from your application in test. So that just goes through, we connect to the service, and we enable some feature flags for network connectivity in your runner, if your runner's default configuration doesn't allow for container-to-container networking.
Off the back of that, we can see that we have the finding here, and we've escalated the severity for this particular finding to critical, because we've been able to perform code injection and get a callback attack. This code injection vulnerability here, I'm pointing at a vulnerable test application. You can see that, upon sending it a payload which includes the unique correlation ID, based on the location I'm sending it to and the configuration of the job, we get back a callback, and so we've performed that out-of-band application security testing and we can see that we've verified a callback.
So that makes the particular attack successful and we're able to say it is a critical finding, because an attacker would be able to execute arbitrary code and call back to the server. In this case, for the different attacks, if this was a different type of one of these, such as entity injection, that may not be critical, but initially in this what we've done is, for code injection, we've added support for performing callback attacks and proving arbitrary execution, which we surface as additional details inside of your security report. So that wraps up the Breach and Attack Simulation CI/CD templates. Go to the documentation or add any feedback; if there's anything missing in the documentation, I would love your input there.
Outside of that, new opportunities that I've identified: Bartek mentioned to me to reach out to Siri for Cloud Seed. Siri is the incubation manager running the Cloud Seed Incubation Engineering SEG, and so Cloud Seed has support for Google Cloud and sort of bringing up Google Cloud resources, and creating those resources with a little knowledge of infrastructure as code, and so, as a workflow, doing asset discovery and reconnaissance as Breach and Attack Simulation. This work flows really well with what I'm doing, and so we've had a great conversation and I've got some great next steps for the reconnaissance piece where, if you connect your project to GitLab, you can then, in the future, use BAS to enumerate your attack surface through GCP or other cloud providers going forward. And next, talking about next focuses: shipping scan option metrics is still one of my top-of-mind items.
It's just a really good supportability use case where, if a customer sends the security reports, we're able to see information about their scan options, if security analyzers have enabled those, but there's no current telemetry around this, and that's something I look forward to doing and helping out with, and there's been some collaboration there between myself and other engineers in Secure. Next up, I'm going to be starting templates like asset and domain discovery jobs, so getting the sort of workflow that I mentioned.
Any internet-facing instances you may have, or public DNS zones that you have: doing that enumeration from a trusted perspective, we're able to see more than what an attacker may potentially see, and then being able to sort of highlight, saying: hey, we've found these assets, and this one has a public DNS name and it has an SSL certificate, so sort of highlighting how things have been discovered and how attackers may get to the reconnaissance piece of the kill chain, as opposed to showing the exploitation down at the end. So this is going back all the way to the beginning of the kill chain to show people: hey, this is what we can discover, and highlighting that risk for folks.
As always, if there's any feedback, please go ahead and drop comments in any of my issues, especially the feedback issue for adding general feedback and any feedback on issues that you've had with testing it, if you're an Ultimate user who's been able to use the DAST extension so far. Thanks, and I hope to see you all again soon. Bye.
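The callback correlation the update describes (a payload carrying a unique ID derived from the target location and the job configuration, a listener in a services container, and severity escalated to critical only when the callback is verified) as an added Python model. This is illustration code, not GitLab's BAS or DAST template code: the job secret, job ID, callback host, payload shape, severity policy and the in-memory "app" and "listener" are all assumptions. It goes a little beyond the demo by also showing that a forged callback ID does not verify and that a non-code-injection finding keeps its original rating while still gaining the callback as evidence.

```python
"""Hypothetical OAST callback-correlation model (added example; not GitLab's
BAS or DAST code). The scanner derives a correlation ID bound to the injection
point and the CI job, embeds it in a code-injection payload, and a finding is
escalated only when the callback listener sees exactly that ID."""
import hashlib
import hmac
import re
from dataclasses import dataclass, field

CALLBACK_HOST = "bas-callback:8080"   # assumed address of the callback services container
JOB_SECRET = b"per-job-secret"        # assumed: unique per pipeline, never reused
JOB_ID = "job-4242"                   # assumed CI job identifier


@dataclass
class Finding:
    vuln_type: str                  # e.g. "code_injection", "entity_injection"
    location: str                   # method + path + injected parameter
    severity: str                   # scanner's initial rating
    evidence: list = field(default_factory=list)


def correlation_id(location: str, secret: bytes = JOB_SECRET, job_id: str = JOB_ID) -> str:
    """ID that cannot be guessed without the secret and that identifies where it was sent."""
    msg = f"{job_id}|{location}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:20]


def build_payload(cid: str, host: str = CALLBACK_HOST) -> str:
    """Command-substitution payload: a target that evaluates it fetches the callback URL."""
    return f"$(curl -s http://{host}/cb/{cid})"


class CallbackListener:
    """Stand-in for the services container that records incoming callback paths."""

    def __init__(self) -> None:
        self.hits: set = set()

    def receive(self, path: str) -> None:
        m = re.fullmatch(r"/cb/([0-9a-f]{20})", path)
        if m:
            self.hits.add(m.group(1))

    def verified(self, location: str) -> bool:
        """A callback only counts if it carries the ID derived for this exact location."""
        return correlation_id(location) in self.hits


def vulnerable_app(user_input: str, listener: CallbackListener) -> None:
    """Constructed test target: it evaluates the input, so the curl to the callback host fires."""
    m = re.search(r"curl -s http://([^/\s]+)(/\S+?)\)", user_input)
    if m and m.group(1) == CALLBACK_HOST:
        listener.receive(m.group(2))


def patched_app(user_input: str, listener: CallbackListener) -> None:
    """Constructed fixed target: the input is treated as data and never evaluated."""
    return None


def assess(finding: Finding, listener: CallbackListener) -> str:
    """Only a verified callback on a code-injection finding earns Critical; other
    types keep their rating and just gain the callback as evidence."""
    if listener.verified(finding.location):
        finding.evidence.append(f"verified callback to {CALLBACK_HOST}")
        if finding.vuln_type == "code_injection":
            finding.severity = "Critical"
    return finding.severity


def run_scan(app, finding: Finding) -> str:
    """Send the correlated payload to the target, then grade the finding."""
    listener = CallbackListener()
    app(build_payload(correlation_id(finding.location)), listener)
    return assess(finding, listener)


if __name__ == "__main__":
    f = Finding("code_injection", "POST /run param=cmd", "High")
    print(run_scan(vulnerable_app, f), f.evidence)   # Critical, with callback evidence
```

Binding the ID to the job secret is what lets the listener reject noise: a callback with a guessed or replayed ID never matches the value derived for the location under test, so it cannot manufacture a critical finding.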