“The risks associated with software vulnerabilities are also for the organization”

Security is one of the most important points for most companies today. This implies not only protecting your systems, but also involving the entire workforce in the need to protect them, and taking care of access to data and sensitive information. Also to certain teams and work groups, such as those dedicated to DevOps. And with the rise of hybrid working, let everyone realize that additional measures are needed to protect sensitive company information and infrastructure. Of all this, among other things, we have spoken with Albert Tort, CTO & SogetiLabs Manager of Sogeti Spain MU.

[MCPRO] The CEOs and security managers of the companies have to extend the care of security and also take it to the development teams. Especially to DevOps teams, since hackers have already managed to access the spaces used by developers for their work and fill them with malicious code, in addition to gaining access to sensitive data about ongoing developments. How can cybercriminals attack DevOps teams and what effects can their activities have on your work?

[Albert Tort] The assurance of the different software quality attributes, and especially security, must be managed throughout the entire development and delivery process. Any activity that is carried out, as well as the platforms, tools and professionals that support them, are sources of risk. Being aware of these potential vulnerabilities is essential to apply a transversal security strategy throughout these activities. It is a mistake to think that we can focus on security last, since all the previous activities that are carried out iteratively in a DevOps environment to end up delivering software versions are potential sources of vulnerability.

In the same way that software engineers focus on approximations shift-left (assure quality as soon as possible), also hackers are doing this shift-left. In the recent book “Securing Enterprise DevOps Environments” published by Sogeti and Microsoft, three areas that require attention are identified: the developer environment (credentials, work devices, diverse networks…), the DevOps platform (code repositories, branches , pipelines…) and the application environment itself (landing zones, subscriptions, deployments, roles…).

For each area, potential attacks and good practices are identified to form a transversal strategy that addresses security risks. For example, in the developer environment, privileged credential hijacking, plugin exploits, remote connection hacks, or third-party dependency exploits can occur. In the DevOps platform environment, malware intrusions into the pipeline itself or escalation of privileges can occur. And in the environment of the application itself, theft of secrets, escalation of privileges and security breaches in data and access can also occur.

[MCPRO] In view of the importance of the damage that hackers can cause in DevOps teams, protecting their environment is increasingly important, how can companies protect their DevOps teams and their developments?

[Albert Tort] Indeed, the teams that work with a DevOps approach do so through activities under an ecosystem of development platforms, production pipelines, pre-production and production environments, code repositories, etc. On the part of the hackers it is not necessary to go to production when the previous environments go to production, the code repositories or the pipelines themselves may have vulnerabilities.

For this reason, we propose to take into account the following good practices: (1) ensure that team members do not keep secrets in the code, in the repositories or in the environments, thus motivating the use of secret management vaults; (2) implement scans of infrastructure-as-code (IaC) components that form the foundation of DevOps development through inner-source platforms (corporate component communities) such as Sogeti’s Cloud Boost Library; (3) implement automatic tracking (who, what, when, from and where actions are performed); and (4) automate code contribution approval flows.

[MCPRO] Many fear that the protective measures to be taken to increase security can hinder the development cycle and slow it down. How can security measures be implemented so that this does not happen, and that the development process can also be streamlined?

[Albert Tort] Any activity to pay attention to quality and safety assurance requires focus, effort and investment. I do not agree that these activities slow down or hinder, as they are key activities of software development and delivery, such as coding. We have to see the efficiency not only going forward, but also considering the rework that may occur and the impact of non-quality in the development processes.

An analogy: it is useless to move forward with a car without applying monitoring and safety measures along the way and in the car itself, if what is intended is to arrive and do it efficiently. The same thing happens in software engineering processes. When these activities are applied, the risk of rework and high-impact efforts to resolve vulnerabilities as early as possible is also reduced.

[MCPRO] The increase in telecommuting and hybrid working has meant that members of different company work teams access the Internet, and company data and environments from Wi-Fi networks that are not secure. This can lead to situations where companies can experience security breaches and hackers gain access to sensitive data through, for example, identity theft. How to avoid it and protect developers so that they can work remotely safely?

[Albert Tort] Today, the speed of developers is directly associated with this ability to get work done in diverse environments, networks and locations, whether in the office, at home or in any other space. Remote work is therefore an obvious reality that those responsible for cybersecurity must live with and contemplate.

At Sogeti we propose good practices such as: (1) facilitating a corporate cloud development environment with self-service capacity for templates, virtual machines and pre-formatted resources provided with ease and integrated security (Sogeti’s OneShare is one of these solutions); (2) secure the development environment with containers that facilitate security borders and validation activities; (3) implement a “least privileges” policy, in which a higher level of access/authorization is only accessed on a timely basis (just-in-time access); (4) limit who can approve/change code with a proper branch management policy; and (5) have a catalog of trusted extensions, tools, and integrations by the organization.

In short, rather than limiting, the objective should be to provide the use of components that facilitate development work with quality and safety, avoiding other unreliable ways outside the organization’s policy.

Improving security in software development environments, from start to finish, is also key in government entities. The harmful action of a hacker can jeopardize the software development and delivery process, with the political, social and economic consequences that this entails. That is why governments are increasingly concerned about improving the security of the supply chain and software delivery. How to achieve it, and how to educate this type of organization and entities related to the supply chain to reinforce their security? ?

[Albert Tort] Today, I can think of hardly any organization that does not depend on software for their day-to-day operations, so the associated risks of vulnerabilities in their software are directly for the organization as well. For example, a recent executive order from the White House focuses on the need to perceive software development as a software supply chain with potential end-to-end vulnerabilities with a chapter called “Enhancing Software Supply Chain Security.”

For this reason, it is important to align the security assurance framework to this reality, with good practices such as: (1) the use of previously analyzed and reliable components and libraries in the organization; (2) exclusive use of trusted DevOps framework integrations; (3) implantation of landing zones safe and with automated elements based on what we call a Well Architected Framework (WAF) as a basis for secure development; (4) apply segmentation (management groups in cloud subscriptions, isolate environments and workloads…); and (5) give security teams visibility into automated scans of components and pipelines.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *