--[ Hacking DevOps

Presenter
$ getent passwd pmarlow
.
├─── name: Phillip Marlow
├──── org: MITRE
└─ social:
   ├─ linkedin: in/phillipmarlow/
   └── twitter: @wolramp
Experience

Phillip Marlow is a DevOps engineer and Security Expert (GSE #263). Through his role at MITRE, he helps government organizations design modern, secure software systems by understanding how DevOps practices can be adopted to increase their security, not just their delivery speed. Phillip holds several security, cloud, and agile certifications as well as a Master’s Degree in Information Security Engineering from the SANS Technology Institute.

Abstract

Incidents like the SolarWinds compromise show the extreme impact that a compromise of the software supply chain can have. DevOps pipelines often sit right at the heart of modern software supply chains. Used by development teams to increase the quality of their software and speed of delivery, these pipelines are also target-rich environments for attack. Additionally, they are often not as well protected as other software services. This talk will highlight common DevOps misconfigurations and how they can be leveraged by an attacker to escalate privileges, move laterally to other targets, and even perform supply chain compromises. Each example will also cover how to protect and defend against such an attack, and even how to use DevSecOps principles to protect the pipelines themselves.