True Story, Verbatim

“Let’s stop the test here, and continue tomorrow,” came unexpectedly from the CISO of a multi-billion-dollar technology company as the PenTera platform exposed the company’s Git source code repository. “In a few minutes, this software showed us that our entire IP and source code can be reached by nefarious hands.”

Indeed, within minutes (18 minutes and 21 seconds, to be exact), a newly discovered attack vector compromised the admin’s password, which was stored in plain text. “It’s ‘all hands on deck’ until we plug this loophole. No one is going home ‘til we do,” the CISO continued, raising the organization’s risk level after grasping the full business impact and potential disruption of this critical finding.

Later, when discussing with the Pcysys team, the CISO said, “I’m sorry the POV is going to extend to two days, but I just can’t live with this situation once I’ve seen it evolve with my own eyes on your attack vector display. I’m not going to let anyone gut our Git.”

As additional details regarding the SolarWinds supply chain attack unfold, the story above reminded me how critical it is to continuously test our complete attack surface, both the part we are aware of and the part we are not.

Breach Recap

In the breach currently making news, the adversaries gained access to SolarWinds’ source code and build process. They inserted a backdoor into a single DLL – SolarWinds.Orion.Core.BusinessLayer.dll – which was then built and digitally signed like any legitimate release, so it loaded as trusted code. Once loaded, the backdoor gave the attackers a foothold from which they escalated to admin privileges and, in targeted victims, forged SAML tokens for seamless authentication and unrestricted access across the organization’s infrastructure. All the while, the implant ran an extensive list of checks to evade discovery and to hide its C2 communication. Just a few innocent-looking, yet deadly, lines of code amongst millions of them.
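To make the recap concrete, the following is an added example (not SolarWinds’ or Pcysys’s code, and not from the original post) of why a valid signature offered no protection here: the backdoor entered before the signing step, so the signature covers the backdoored artifact and verifies perfectly. An HMAC stands in for the vendor’s code-signing key and a string replacement stands in for the compiler; both are simplifying assumptions. The last check shows what does catch it: an independent rebuild of the reviewed source, compared by digest.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for the vendor's reviewed source and the backdoor line.
# (Toy values; not SolarWinds code.)
REVIEWED_SOURCE = (
    "class BusinessLayer:\n"
    "    def run(self):\n"
    "        return 'orion ok'\n"
)
BACKDOOR_LINE = "        __import__('os').system('beacon --to c2')  # innocent-looking?\n"

# Assumption: an HMAC key stands in for the vendor's code-signing key. The
# property being shown does not depend on the signature algorithm.
SIGNING_KEY = secrets.token_bytes(32)


def build(source: str) -> bytes:
    """Toy deterministic 'compiler': the artifact is the source bytes.
    Whatever enters the build is what ends up signed."""
    return source.encode()


def sign(artifact: bytes) -> str:
    """The vendor pipeline signs whatever the build produced."""
    return hmac.new(SIGNING_KEY, artifact, hashlib.sha256).hexdigest()


def verify(artifact: bytes, signature: str) -> bool:
    """What a downstream consumer can check: the signature over the delivered bytes."""
    return hmac.compare_digest(sign(artifact), signature)


def compromised_build(source: str) -> bytes:
    """An attacker with access to the source/build environment inserts the
    backdoor before the signing step, which is the SolarWinds pattern."""
    marker = "        return 'orion ok'\n"
    tampered = source.replace(marker, BACKDOOR_LINE + marker)
    return build(tampered)


def release(source: str, tampered: bool):
    """Produce (artifact, signature) as the vendor pipeline would ship it."""
    artifact = compromised_build(source) if tampered else build(source)
    return artifact, sign(artifact)


def independent_check(artifact: bytes, reviewed_source: str) -> bool:
    """What a signature cannot tell you: rebuild the reviewed source in a
    separate environment and compare digests (reproducible-build check)."""
    expected = hashlib.sha256(build(reviewed_source)).hexdigest()
    actual = hashlib.sha256(artifact).hexdigest()
    return hmac.compare_digest(expected, actual)


def demo() -> dict:
    clean, clean_sig = release(REVIEWED_SOURCE, tampered=False)
    bad, bad_sig = release(REVIEWED_SOURCE, tampered=True)
    return {
        # Both signatures verify: the backdoor was inserted before signing.
        "clean_signature_valid": verify(clean, clean_sig),
        "backdoored_signature_valid": verify(bad, bad_sig),
        # Only an independent rebuild of the reviewed source exposes the tamper.
        "clean_matches_review": independent_check(clean, REVIEWED_SOURCE),
        "backdoored_matches_review": independent_check(bad, REVIEWED_SOURCE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the second pair of checks is that the defence lives on the build side, not the consumer side: a consumer who only verifies the signature has no way to see the inserted line, while a second, independent build of the reviewed source disagrees with the shipped artifact immediately.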

For many organizations, their Git repository is their crown jewel, and if it is maliciously accessed or tampered with, havoc can ensue: internally, as an elevated business risk to the organization itself, or, as in the case of SolarWinds, where you are part of a supply chain, by eventually opening that same backdoor everywhere the software is used.

So how do you protect yourself against this type of attack: illicit access to your code repository, or the modification or insertion of benign-looking lines of code?

Back to Basics

There is no doubt that the source code repository of a software company is the ultimate target for attackers pursuing a supply chain attack. The issue is that the attack vectors leading to it are rarely tested.

MFA alone at the gate will not suffice. Even if you add an array of DevSecOps application security tools (SAST, DAST, IAST, and RASP) to your CI/CD cycle, they will not easily detect an attack that is performed with legitimate privileges gained by lateral movement and the takeover of one of your development workstations. Once your infrastructure is “owned,” legitimate remote access by a programmer cannot be distinguished from wrongful access using that same programmer’s credentials. The battle has to “shift left” in the attack stages: make sure your infrastructure is resilient to wrongful access, lateral movement, credential takeover, and privilege escalation before an attacker ever reaches the repository.
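The finding in the story above, an admin password stored in plain text, is exactly the kind of foothold this paragraph describes: with it, an attacker’s access to the repository looks like the admin’s own. The script below is an added example (not Pcysys’s product, and not from the original post) of a check a practitioner can run over a checkout or a developer’s home directory to find such credentials before an attacker does. The file names, regex patterns and the sample files it scans are constructed for illustration; the report deliberately records where a credential is and what kind it is, never the value.

```python
import os
import re
import tempfile
from pathlib import Path

# Common shapes in which repository credentials end up on disk in the clear.
PATTERNS = {
    "url_embedded_credential": re.compile(r"https?://[^/\s:@]+:[^@\s]+@[^\s/]+", re.I),
    "password_assignment": re.compile(r"""(?:password|passwd|pwd|secret)\s*[:=]\s*["']?([^\s"']+)""", re.I),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
}
SKIP_DIRS = {".git", "node_modules", ".venv"}
MAX_BYTES = 1024 * 1024  # skip large binaries


def looks_like_placeholder(value: str) -> bool:
    """Filter the usual false positives: templated or documented values."""
    v = value.strip().lower()
    return "${" in v or v.startswith("<") or v in {"changeme", "example", "xxx", "***", "redacted"}


def scan_file(path: Path, root: Path) -> list:
    """Return (relative path, line number, finding kind) tuples. The matched secret
    itself is deliberately not returned, so the report cannot become a second leak."""
    findings = []
    try:
        if path.stat().st_size > MAX_BYTES:
            return findings
        text = path.read_text(errors="replace")
    except OSError:
        return findings
    rel = path.relative_to(root).as_posix()
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if m is None:
                continue
            value = m.group(1) if m.lastindex else m.group(0)
            if not looks_like_placeholder(value):
                findings.append((rel, lineno, kind))
    return findings


def scan_tree(root: Path) -> list:
    """Walk a checkout or home directory, skipping VCS metadata and dependency trees."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            findings.extend(scan_file(Path(dirpath) / name, root))
    return findings


# Constructed sample tree (not real credentials) mirroring what such a scan finds
# on a developer workstation or in a checkout. ci/.env and README.md are the
# benign cases the placeholder filter and the patterns must not flag.
SAMPLE_FILES = {
    ".git-credentials": "https://svc-build:Winter2020!@git.example.internal\n",
    "deploy/appsettings.json": '{"ConnectionStrings": {"Db": "Server=db;User=admin;Password=Passw0rd"}}\n',
    "ci/.env": "DB_PASSWORD=${VAULT_DB_PASSWORD}\n",
    "keys/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n-----END OPENSSH PRIVATE KEY-----\n",
    "README.md": "Set the password in your environment, never in this repo.\n",
}


def write_sample_tree(root: Path) -> None:
    for rel, content in SAMPLE_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)


def run_demo() -> list:
    """Build the constructed tree in a temp dir and return the sorted findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        write_sample_tree(root)
        return sorted(scan_tree(root))


if __name__ == "__main__":
    for rel, lineno, kind in run_demo():
        print(f"{rel}:{lineno}: {kind}")
```

Point `scan_tree` at a real checkout or home directory to use it outside the demo. The .git-credentials helper is worth singling out: git stores credentials there in URL form in the clear, which is precisely the shape the first pattern looks for, and it is the first file an attacker on a compromised developer workstation will read.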

The Missing Attack Vector Testing Towards Your R&D Environments

To assure the integrity of IT and development environments, whether on-premises or in the cloud, every organization needs continuous and rigorous penetration testing across its entire attack surface towards its Git and CI/CD environments. That cadence is impractical with manual penetration testing services, but a no-brainer with automated penetration testing software. A daily pen test can provide assurance that your R&D environment is resilient to attackers gaining a foothold in the first place.

Pcysys developed PenTera, a modern automated pen-testing platform that validates your resilience to the breadth and depth of real-world attacks, helping you recognize and stop a breach before material damage is done. Ask a Pcysys expert or schedule a demo to see for yourself how you can test and validate that your infrastructure is resistant to supply chain attacks.

Written by: Aviv Cohen