Veracode DevOps Penetration Testing

Manual Penetration Testing

In addition to performing manual testing for an application, Veracode DevOps Penetration Testing can evaluate the following areas:

Infrastructure

  • Datacenter attack surfaces (proprietary or cloud-based) including:
    • Architecture that hosts applications
    • Border-security devices
    • Communication systems (PBX, routing)
    • Unknown or ‘rogue’ servers or services
  • Microservices and related interactions
  • Searches for major sources of data leaks and breaches, such as:
    • Misconfigured AWS S3 buckets
    • Exposed MongoDB instances
    • Elasticsearch databases

Veracode DevOps Penetration Testing also uses Open Source Intelligence (OSINT) techniques to locate vulnerabilities in the infrastructure.

Application Developers

  • Use of Open Source Intelligence (OSINT) techniques to conduct GitHub repository and Stack Overflow analysis for:
    • Exposed credentials
    • Exposed sensitive data related to application development
    • Job boards
    • Other potential problem areas
  • Locating information that could be used for targeted phishing or social engineering attacks on developers and the organization

Veracode DevOps Penetration Testing meets PCI DSS 11.3 and GDPR Article 32 compliance requirements.