With valid developer credentials for the infrastructure, we obtain access to existing CI/CD, logging, monitoring, and remote access solutions to build a complete threat model, find access control misconfigurations, and help companies ensure no single person can cause a compromise.
Sometimes, a secured infrastructure can fall to a successful phishing attack or an internal adversary.
Historically, adversary simulations were conducted with employee-level access to the internal on-premise infrastructure. This approach is not adapted to modern development and application deployment processes, causing important access control vulnerabilities to be overlooked, leading to catastrophic effects, as seen in the recent attack on Twitter. During the attack, a successful compromise of a developer account leads to access to the entire authentication mechanism. To combat attacks like these, we have decided to consider a new service — developer/DevOps adversary simulation.
The testing process starts with valid developer credentials for the infrastructure and simulates post-exploitation activities after obtaining access to existing CI/CD, logging, monitoring, and remote access solutions as a generic developer to build a complete threat model, find access control misconfigurations, and help companies ensure no single person can cause a compromise.
Possible threats with employee-level access exploitation
If you think this can be useful to you and your partners or consider using this service to secure your development and deployment processes, please contact us for details and delivery process description.
Infrastructure penetration testing focuses on the security of both the application environment and the supporting infrastructure, including third-party services and applications. The testing is performed with a combination of manual and automated techniques, tailored for the specific environment.
Tenendo code review approach leads to detecting many vulnerabilities in real-world software and achieving amazing results, in comparison to other approaches.
Manage Cookie Consent
We use cookies to optimize our website and our service.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.