Application Security, DevOps, DevSecOps, GitOps, Leadership, Security

I gave a talk at a GitLab virtual event with Nico Meisenthal from White Duck and Philippe Lafourcière, a distinguished engineer at GitLab. The premise was simple: show, don’t tell. We picked a real (if deliberately vulnerable) application and walked the audience through an attack and response in real time. Here’s what we built and what it taught me.

The application

Nico put together a small Go app running in Azure Kubernetes Service. It had one job: accept an IP address or hostname, ping it, and show you the output. Clean, simple, and as it turned out, broken in a predictable way. The app passed user input directly to the ping command without validation. That’s a command injection vulnerability, and it’s as old as the web itself.

What the attacker did (that was me)

I played the attacker. Starting from that one flaw, I was able to:

Confirm the app was running as root by typing ; whoami after an IP address
List all…
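The flaw described above comes down to how the target string reaches ping. The following Go snippet is an added example and is not the code from Nico's app or from GitLab: it contrasts the string-concatenation pattern the talk describes (shown only as a built command line, never executed) with a hardened version that validates the target as a literal IP address or an RFC 1123 hostname and then hands ping an argv slice through exec.Command, so no shell ever interprets the input. The function names, the "-c 4" count and the sample inputs are constructed for this illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"os/exec"
	"regexp"
	"strings"
	"time"
)

// hostnameRE accepts RFC 1123 host labels (letters, digits, hyphens that are
// not at a label edge) joined by dots, with an optional trailing dot.
var hostnameRE = regexp.MustCompile(
	`^([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)*[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.?$`)

// ErrInvalidTarget is returned for anything that is not an IP address or hostname.
var ErrInvalidTarget = errors.New("target is not a valid IP address or hostname")

// UnsafeCommandLine mirrors the pattern described in the post: raw user input
// is concatenated into a shell command line, so a ";" in the input becomes a
// command separator. This function only builds the string for comparison; it
// does not run anything.
func UnsafeCommandLine(input string) string {
	return "ping -c 4 " + input
}

// ValidateTarget returns the normalised target when the input is a literal
// IPv4/IPv6 address or a syntactically valid hostname, and ErrInvalidTarget
// otherwise. Because the first character of a hostname must be alphanumeric,
// inputs beginning with "-" are rejected too, so the target can never be
// parsed by ping as an option.
func ValidateTarget(input string) (string, error) {
	target := strings.TrimSpace(input)
	if target == "" || len(target) > 253 {
		return "", ErrInvalidTarget
	}
	if ip := net.ParseIP(target); ip != nil {
		return ip.String(), nil
	}
	if hostnameRE.MatchString(target) {
		return target, nil
	}
	return "", ErrInvalidTarget
}

// SafePingArgs validates the target and returns the argv for ping. Each
// element is passed to the kernel as a separate argument, so shell
// metacharacters such as ";" or "|" have no special meaning.
func SafePingArgs(input string) ([]string, error) {
	target, err := ValidateTarget(input)
	if err != nil {
		return nil, err
	}
	return []string{"ping", "-c", "4", target}, nil
}

// RunPing executes the validated command without a shell and with a timeout,
// returning the combined output to show to the user.
func RunPing(ctx context.Context, input string) (string, error) {
	argv, err := SafePingArgs(input)
	if err != nil {
		return "", err
	}
	ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
	defer cancel()
	out, err := exec.CommandContext(ctx, argv[0], argv[1:]...).CombinedOutput()
	return string(out), err
}

func main() {
	// Constructed sample inputs: two legitimate targets and the injection
	// string from the talk.
	for _, in := range []string{"8.8.8.8", "example.com", "8.8.8.8; whoami"} {
		fmt.Printf("unsafe command line: %q\n", UnsafeCommandLine(in))
		if argv, err := SafePingArgs(in); err != nil {
			fmt.Printf("hardened: rejected %q: %v\n", in, err)
		} else {
			fmt.Printf("hardened: argv %q\n", argv)
		}
	}
}
```

The validation step matters even though exec.Command already avoids the shell: without it, an input beginning with "-" would still be handed to ping as an option, and the allow-list also gives the application a clear, loggable rejection event instead of a confusing ping error.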