OWASP Meetup Discusses Impact of Shadow Access on CI/CD systems

Mar 2, 2023 | Blogs

Kicking off 2023 for Stack Identity, our founder and CEO Venkat Raghavan was a guest speaker at the Bay Area OWASP meeting, discussing the topic of “Shadow Access” – an emerging attack vector in the cloud that creates exploitable pathways to an organization’s crown jewels. Cloud identities, roles, permissions, policies, entitlements and vulnerabilities combine to create exploitable access pathways to data and applications, a.k.a. “Shadow Access”, impacting CI/CD systems.

Normal cloud operations create pathways connecting different systems, apps and data that have been weaponized in almost all recent breaches.

The most popular slide of the presentation was the one depicting how shadow access attack vectors impact deployments. Different types of identities enable different access exploit vectors. These toxic combinations of identities + access vectors further combine with software supply chains and enable access to sensitive cloud data.

We had some good conversations with OWASP meetup attendees on the topics of chained access, access pathways and toxic combinations, and how these become part of the Top 10 CI/CD risks.

To help reduce CI/CD risks, Stack Identity provides a live data attack map that exposes these shadow pathways, revealing what are often invisible pathways that can be utilized by external attackers to exfiltrate sensitive data.

Learn how Stack Identity’s live data attack map exposes invisible and risky access paths across multiple systems here: https://stackidentity.com/platform/. To see what types of invisible and risky access we have found, see our LinkedIn Newsletter here.
Full slides here: