
Don't Miss Open Source Software (OSS), While Assessing Cloud App Security

 

The software development process is becoming increasingly rapid. DevOps teams are under growing pressure to get to market quickly, and open-source software (OSS) packages are a big part of how they do it. OSS has become so pervasive that it is estimated to account for 80 to 90% of any given piece of modern software.

However, while OSS has been a great accelerator for software development, it also creates a large attack surface that must be protected: developers build software from millions of packages, many of them published anonymously. Most open-source developers act in good faith; they want to make life easier for other developers who face the same problem they do. According to GitHub’s Open Source Survey, “the most frequently encountered bad behavior is rudeness (45% witnessed, 16% experienced), followed by name calling (20% witnessed, 5% experienced) and stereotyping (11% witnessed, 3% experienced).”

Unfortunately, not every open-source package can be relied on. Because attribution for modifications to open-source code is hard to track, identifying malicious actors who want to compromise the code's integrity becomes nearly impossible. Malicious code has been slipped into open-source packages both as protest, to highlight that large corporations use these packages without funding their development, and for purely nefarious purposes.

If an OSS package is used to build software and it contains a vulnerability, the resulting software contains that vulnerability too. As Log4j showed last year (the remote code execution flaw CVE-2021-44228, known as Log4Shell), a single vulnerability in a widely used library can expose millions of applications. According to OpenLogic's State of Open Source Report, 77% of organizations increased their use of OSS last year, and 36% reported that the increase was significant. Yet research from the Linux Foundation shows that only 49% of organizations have a security policy that covers OSS development or use. So how can you understand and reduce the threat that OSS poses to your cloud application development?

Get visibility

Understanding the surface area of your application is the first step in determining the threat you face. Automate the inventory of the OSS packages and versions used in your software so that visibility does not depend on someone remembering to check. You can build this into your developers' workflow as early as the integrated development environment (IDE).

The same applies to infrastructure as code (IaC) tools like Terraform. Do you know which modules you are using? If someone else built them, do they follow your security controls, and are they pinned to a version you have actually reviewed?
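As an added example (not code from the original post or from any Terraform tooling), the script below answers the two questions above for a Terraform configuration: it lists every module reference and flags those that are unpinned (a registry module with no exact version, a git module with no `?ref=` or with a movable tag instead of a commit SHA) or that come from a git host not on an allow list. The sample `.tf` text, the module names and the host `git.example.com` are constructed placeholders, and the regex-based extraction is a toy rather than a full HCL parser.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed Terraform snippet for illustration only; the module names and
# the git host git.example.com are placeholders, not a real project.
SAMPLE_TF = '''
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.1.2"
}

module "bucket" {
  source = "terraform-aws-modules/s3-bucket/aws"
}

module "network" {
  source = "git::https://git.example.com/infra/modules.git//network?ref=v2.3.0"
}

module "iam" {
  source = "git::https://git.example.com/infra/modules.git//iam"
}

module "app" {
  source = "./modules/app"
}
'''

# Hosts from which git-sourced modules may be pulled (an assumption for the example).
ALLOWED_GIT_HOSTS = {"git.example.com"}


@dataclass
class ModuleRef:
    name: str
    source: str
    version: Optional[str]


# Minimal regex-based extraction of module blocks: a toy, not a full HCL parser
# (it assumes no nested blocks inside module {...}).
MODULE_RE = re.compile(r'module\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
ATTR_RE = re.compile(r'^\s*(source|version)\s*=\s*"([^"]*)"', re.M)


def parse_modules(hcl: str) -> List[ModuleRef]:
    """Inventory step: every module block with its source and version attribute."""
    refs = []
    for m in MODULE_RE.finditer(hcl):
        attrs = dict(ATTR_RE.findall(m.group(2)))
        refs.append(ModuleRef(m.group(1), attrs.get("source", ""), attrs.get("version")))
    return refs


def audit_modules(hcl: str, allowed_git_hosts=ALLOWED_GIT_HOSTS) -> List[Tuple[str, str]]:
    """Return (module name, problem) pairs for modules whose origin or pin is weak."""
    findings = []
    for ref in parse_modules(hcl):
        src = ref.source
        if src.startswith(("./", "../")):
            continue  # local module: reviewed together with the repository itself
        if src.startswith("git::"):
            url = urlparse(src[len("git::"):])
            if url.netloc not in allowed_git_hosts:
                findings.append((ref.name, f"git source host {url.netloc!r} is not on the allow list"))
            git_ref = parse_qs(url.query).get("ref", [""])[0]
            if not git_ref:
                findings.append((ref.name, "git source has no ?ref= pin, so it tracks the default branch"))
            elif not re.fullmatch(r"[0-9a-f]{40}", git_ref):
                findings.append((ref.name, f"git ref {git_ref!r} is a tag or branch, which can be moved; pin a commit SHA"))
        else:
            # Anything else is treated as a Terraform registry address.
            if ref.version is None:
                findings.append((ref.name, "registry module has no version constraint, so the newest release wins"))
            elif not re.fullmatch(r"\d+\.\d+\.\d+", ref.version):
                findings.append((ref.name, f"version constraint {ref.version!r} is a range, not an exact pin"))
    return findings


if __name__ == "__main__":
    for name, problem in audit_modules(SAMPLE_TF):
        print(f"{name}: {problem}")
```

Run it as a pre-commit or CI step over the repository's `.tf` files; only `bucket`, `network` and `iam` are reported for the sample, while the exactly pinned `vpc` module and the local `app` module pass.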

Once you understand the scope of your OSS usage, you can gradually begin to gain control. You must strike a balance between oversight on one side and developer freedom and velocity on the other.

Dig into open-source software

Supply-chain Levels for Software Artifacts (SLSA) is an industry framework, a set of standards and controls designed to "prevent tampering, improve the integrity, and secure packages and infrastructure in your projects." Tools exist that use SLSA provenance and related metadata to judge whether an OSS package is trustworthy before your developers begin using it.

From there, you should either create an "allow list" of trusted sources and reject all others, or at the very least audit every instance where a source outside the allow list is used. The Open Source Security Foundation's (OpenSSF) projects, such as Scorecard, can help inform what that allow list should look like.

Because the tech giants also depend on these packages, they have gotten involved in open-source software security. Google pledged $100 million to "support third-party foundations, such as OpenSSF, that manage open-source security priorities and assist in the resolution of vulnerabilities." It also runs a bug bounty program, which it calls a "reward program," to compensate researchers who discover bugs in open-source software packages. A separate initiative led by Amazon, Microsoft, and Google includes $10 million to strengthen open-source software security, but that represents only about 0.001% of the companies' combined 2021 revenue.
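The visibility and allow-list steps above, as one added example that is not part of the original post or of any OpenSSF tool: a small auditor that first builds an inventory from a pip `requirements.txt` (packages, version specifiers, hashes, extra package indexes, direct git sources) and then checks that inventory against policy. It flags package indexes and VCS hosts outside an allow list, a second index that opens the door to dependency confusion, packages that are not pinned to an exact version, packages without a `--hash`, and git sources not pinned to a commit SHA. The requirements text, the internal index `pypi.internal.example.com`, the `internal-auth` package, the host `git.example.com` and the all-zero hash are constructed placeholders, and the allow lists are assumptions standing in for real policy.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed requirements file; package names, the internal index and the
# hash value are placeholders for illustration, not real artifacts.
SAMPLE_REQUIREMENTS = """\
--index-url https://pypi.org/simple
--extra-index-url https://pypi.internal.example.com/simple
requests==2.31.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
pyyaml>=6.0
internal-auth==1.4.0
git+https://github.com/someone/somelib.git@main#egg=somelib
"""

# Allow lists are assumptions for the example; a real one comes from policy.
ALLOWED_INDEXES = {"https://pypi.org/simple", "https://pypi.internal.example.com/simple"}
ALLOWED_VCS_HOSTS = {"git.example.com"}


@dataclass
class Dep:
    name: str
    spec: str                      # version specifier such as "==2.31.0"; "" if none
    hashes: List[str] = field(default_factory=list)
    vcs_url: Optional[str] = None  # set for git+... requirements


@dataclass
class Inventory:
    indexes: List[str] = field(default_factory=list)
    deps: List[Dep] = field(default_factory=list)


REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*([<>=!~]=?\S*)?")


def parse_requirements(text: str) -> Inventory:
    """Build the package inventory (the 'visibility' step) from pip requirements syntax."""
    inv = Inventory()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(("--index-url ", "--extra-index-url ")):
            inv.indexes.append(line.split(None, 1)[1])
        elif line.startswith("git+"):
            egg = re.search(r"#egg=([^&\s]+)", line)
            inv.deps.append(Dep(name=(egg.group(1) if egg else line).lower(), spec="", vcs_url=line))
        else:
            parts = line.split()
            m = REQ_RE.match(parts[0])
            hashes = [p.split("=", 1)[1] for p in parts[1:] if p.startswith("--hash=")]
            inv.deps.append(Dep(name=m.group(1).lower(), spec=m.group(2) or "", hashes=hashes))
    return inv


def audit(inv: Inventory, allowed_indexes=ALLOWED_INDEXES,
          allowed_vcs_hosts=ALLOWED_VCS_HOSTS) -> List[Tuple[str, str]]:
    """Return (subject, problem) pairs; an empty list means the file passes policy."""
    findings = []
    for idx in inv.indexes:
        if idx not in allowed_indexes:
            findings.append(("index", f"{idx} is not an approved package index"))
    if len(inv.indexes) > 1:
        findings.append(("index", "several indexes configured: pip merges them, so a public "
                                  "package with an internal package's name can win (dependency confusion)"))
    for d in inv.deps:
        if d.vcs_url:
            host = urlparse(d.vcs_url[len("git+"):]).netloc
            if host not in allowed_vcs_hosts:
                findings.append((d.name, f"VCS source host {host!r} is not on the allow list"))
            ref = d.vcs_url.split("@", 1)[1].split("#", 1)[0] if "@" in d.vcs_url else ""
            if not re.fullmatch(r"[0-9a-f]{40}", ref):
                findings.append((d.name, f"VCS source pinned to {ref or 'the default branch'}, not a commit SHA"))
            continue
        if not d.spec.startswith("=="):
            findings.append((d.name, f"not pinned to an exact version (specifier {d.spec or 'absent'})"))
        if not d.hashes:
            findings.append((d.name, "no --hash, so a re-uploaded or tampered artifact would install unnoticed"))
    return findings


if __name__ == "__main__":
    inventory = parse_requirements(SAMPLE_REQUIREMENTS)
    print("packages:", [f"{d.name}{d.spec}" for d in inventory.deps])
    for subject, problem in audit(inventory):
        print(f"{subject}: {problem}")
```

For the sample file only `requests` passes cleanly; the findings are the audit trail the text asks for when something outside the allow list is used. Whether a finding blocks the build or only logs it is the oversight-versus-velocity trade-off discussed earlier.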

Increase awareness

Larger investments from the tech behemoths that rely on OSS and its ongoing innovation are required, but so are increased community participation and education. OSS packages benefit the greater good of developers, yet the landscape lets code authors remain anonymous. So where do we go from here in terms of security priorities?

Training developers at the university level on the risks of blindly incorporating OSS packages into their code is a good place to start. That training should continue at the professional level so that organizations can protect themselves from the threats that occasionally infiltrate these packages and, most likely, their software as well.

Leveraging organizations such as the Cloud Native Computing Foundation (CNCF), which hosts and curates many of the best open-source cloud-native projects, is also a good starting point.

Open-source software packages are an important component of increased application development velocity, but we need to pay closer attention to what's inside them to limit their risk and defend against cyberattacks.

LastPass, Okta, and Slack: Threat Actors Switch to Targeting Core Enterprise Tools


In early January 2023, CircleCI, a development-pipeline service provider, warned its customers of a security breach and advised companies to act immediately by rotating the passwords, SSH keys, and other secrets stored on or managed by the platform.

The attack on the DevOps service left the company scrambling to assess the extent of the breach, restrict the attackers' ability to alter software projects, and identify which development secrets had been compromised. CircleCI updated configuration settings, rotated authentication tokens, worked with other providers to expire keys, and investigated the incident.

The company stated in an advisory last week, "At this point, we are confident that there are no unauthorized actors active in our systems; however, out of an abundance of caution, we want to ensure that all customers take certain preventative measures to protect your data as well."

Over the past year, identity and credential services such as Okta and LastPass have disclosed breaches of their systems, and developer-focused services such as Slack and GitHub have had to respond quickly to successful attacks on their infrastructure and source code.

According to Lori MacVittie, an engineer and evangelist at cloud security firm F5, the series of attacks on fundamental enterprise tools means organizations should expect these types of providers to become frequent targets.

"As we rely more on services and software to automate everything from the development build to testing to deployment, these services become an attractive attack surface […] We don't think of them as applications that attackers will focus on, but they are," she says. 

Identity & Developer Services Vulnerable to Cyberattacks 

Lately, threat actors have targeted two major categories of services: identity and access management systems, and developer and application infrastructure. Both underpin critical components of enterprise infrastructure.

According to Ben Smith, CTO at detection and response firm NetWitness, identity is the glue that holds an organization's interfaces together and connects it to its partners and customers.

"It doesn't matter what product, what platform, you are leveraging, adversaries have recognized that the only thing better than an organization that specializes in authentication is an organization that specializes in authentication for other customers," says Smith.

Meanwhile, developer services and tools have become another frequently attacked class of enterprise service. In September, for example, a threat actor accessed Rockstar Games' Slack channel and downloaded videos, images, and game code from the upcoming Grand Theft Auto VI. Slack itself later disclosed that "a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository."

Since identity and developer services grant access to a wide range of corporate assets, from application services to operations to source code, compromising them can be a 'skeleton key' to the rest of the company, Smith adds. "They are very very attractive targets, which represent low-hanging fruit […] These are classic supply chain attacks — a plumbing attack because the plumbing is not something that is visible on a daily basis."

Protect Yourself by Managing Secrets Wisely and Establishing Playbooks

One defensive tactic, suggested by Ben Lincoln, managing senior consultant at Bishop Fox, is comprehensive management of secrets: companies should be able to "push the button" and rotate all necessary passwords, keys, and sensitive configuration at once.

"You need to limit exposure, but if there is a breach, you hopefully have a push button to rotate all those credentials immediately," Lincoln says. "Companies should plan extensively in advance and have a process ready to go if the worst thing happens."

Organizations can also lay traps for intruders. By using honeypot-style techniques, security teams can get a high-fidelity warning that attackers are on their network or using a service. Credential canaries, fake accounts and credentials that no legitimate process ever uses, reveal when threat actors have reached critical assets. Beyond that, companies must prioritize zero-trust principles to minimize the attack surface of not just machines, software, and services but also operations, according to MacVittie.
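The credential-canary idea in practice, as an added example (not code from the original article or from any vendor's product): a detector that scans authentication and API logs for any use of planted canary identities. Because nothing legitimate ever uses a canary, even a failed login against a canary username is a high-fidelity signal, which is why the detector alerts on failures as well as successes and collects the source addresses for the incident-response playbook. The canary usernames, the key ID `AKIACANARY0000000001` and the log lines are constructed placeholders in a simplified sshd and cloud-API style, not real credentials or real logs.

```python
import re
from typing import Dict, List

# Constructed canary identities: they exist only to be noticed. No job, script
# or person is ever allowed to use them, so any sighting is an incident.
CANARY_USERS = {"svc-backup-legacy", "terraform-deployer-old"}
CANARY_ACCESS_KEY_IDS = {"AKIACANARY0000000001"}   # placeholder key ID, not a real credential

# Constructed log lines in a simplified sshd / cloud-API style (not real logs).
SAMPLE_LOGS = """\
2023-01-05T10:02:11Z sshd[1201]: Accepted publickey for deploy from 10.0.3.7 port 51022
2023-01-05T10:04:38Z sshd[1203]: Failed password for svc-backup-legacy from 198.51.100.23 port 40110
2023-01-05T10:05:02Z api: GetCallerIdentity access_key_id=AKIACANARY0000000001 src=203.0.113.9 result=Denied
2023-01-05T10:06:40Z api: ListBuckets access_key_id=AKIAREALKEY0000000AB src=10.0.3.7 result=Allowed
2023-01-05T10:07:15Z sshd[1210]: Accepted publickey for terraform-deployer-old from 203.0.113.9 port 40188
"""

SSHD_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Accepted|Failed) \S+ for (\S+) from (\S+)")
API_RE = re.compile(r"^(\S+) api: (\S+) access_key_id=(\S+) src=(\S+) result=(\S+)")


def detect_canary_use(log_text: str) -> List[Dict[str, str]]:
    """Return one alert per line that touches a canary identity, successful or not."""
    alerts = []
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            ts, outcome, user, src = m.groups()
            if user in CANARY_USERS:
                alerts.append({"ts": ts, "indicator": user, "src": src,
                               "reason": f"sshd {outcome.lower()} login for canary account"})
            continue
        m = API_RE.match(line)
        if m:
            ts, action, key_id, src, result = m.groups()
            if key_id in CANARY_ACCESS_KEY_IDS:
                # Even a Denied call matters: the key only exists inside the bait.
                alerts.append({"ts": ts, "indicator": key_id, "src": src,
                               "reason": f"API call {action} with canary access key ({result})"})
    return alerts


def attacker_sources(alerts: List[Dict[str, str]]) -> List[str]:
    """Distinct source addresses seen using canaries, in order of first sighting."""
    seen = []
    for a in alerts:
        if a["src"] not in seen:
            seen.append(a["src"])
    return seen


if __name__ == "__main__":
    found = detect_canary_use(SAMPLE_LOGS)
    for a in found:
        print(f"ALERT {a['ts']} {a['src']} -> {a['indicator']}: {a['reason']}")
    print("sources to investigate:", attacker_sources(found))
```

The canary values belong in the places an attacker who compromised a developer or identity service would look (a stale CI variable, an old SSH key comment, a credentials file in a repository), and the source list from `attacker_sources` is what the rotation playbook above should be triggered on.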

Gitlab Patches a Critical RCE Flaw in Latest Security Advisory

 

GitLab has released a patch for a critical vulnerability that allows attackers to execute code remotely.

The bug, tracked as CVE-2022-2185, affects all versions from 14.0 before 14.10.5, 15.0 before 15.0.4, and 15.1 before 15.1.1, where an authenticated user could import a maliciously crafted project to achieve remote code execution.

GitLab is a web-based DevOps lifecycle platform, available under an open-source license from GitLab Inc., that provides a wiki, issue tracking, and continuous integration and deployment pipelines. It was created by Ukrainian developers Dmytro Zaporozhets and Valery Sizov.

Multiple security flaws

The latest release also fixes a number of other vulnerabilities, including two separate cross-site scripting (XSS) bugs. The vulnerabilities affect both GitLab Community Edition and Enterprise Edition, and GitLab recommends that users upgrade to the latest version.

“We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible. When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected,” an advisory from GitLab reads. 

In July of the previous year, GitLab patched multiple vulnerabilities in its software development platform, including two high-severity web security flaws. A cross-site request forgery (CSRF) in GitLab's GraphQL API gave an attacker a way to invoke mutations while impersonating the victim. A second high-severity flaw allowed GitLab's webhook feature to be abused for denial-of-service (DoS) attacks.

A denial-of-service (DoS) attack is designed to make a computer system or network unreachable to its intended users, typically by flooding the target with traffic or sending it input that causes a crash or exhausts its resources. The researcher known as 'afewgoats' identified the DoS vulnerability and reported it through GitLab's bug bounty program, which is operated on HackerOne.

CVE identifiers were requested for both high-severity flaws but had not yet been assigned. "The webhook connections usually have timeouts set, but my badly-behaving webserver can bypass them and keep the connection open for days," afewgoats explained.

"It's only Denial of Service, but it could tie up huge amounts of memory on the victim servers." GitLab also patched 15 medium-severity and two low-severity issues in the same release, including a DOM-based cross-site scripting (XSS) bug via the clipboard, a reflected XSS in release edit pages, and a stored XSS in the audit log.
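The mechanism afewgoats describes, a webhook receiver that defeats the caller's timeout by keeping the connection alive, is easy to reproduce, and the usual root cause is that the timeout is applied per read rather than to the whole request. The added example below (not GitLab's code, and unrelated to its actual fix) runs a constructed "badly-behaving" HTTP server on localhost that answers immediately and then drips the response body one byte at a time. A client with only a per-read socket timeout never times out and sits there for the whole drip (for days, in the real case); a client that additionally enforces a total deadline gives up after half a second. The server, the byte count and the intervals are assumptions chosen so the demonstration finishes in a few seconds.

```python
import socket
import threading
import time
from typing import Dict


def start_slow_server(body_bytes: int = 30, interval: float = 0.1) -> int:
    """Constructed 'badly-behaving' webhook receiver: replies at once, then drips the
    body one byte per `interval`, so no single read ever stalls. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)  # the webhook POST; its contents are irrelevant here
            try:
                conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % body_bytes)
                for _ in range(body_bytes):
                    time.sleep(interval)
                    conn.sendall(b"x")
            except OSError:
                pass  # the client hung up (the deadline-protected one does)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def _send_hook(port: int) -> socket.socket:
    s = socket.create_connection(("127.0.0.1", port))
    s.sendall(b"POST /hook HTTP/1.1\r\nHost: 127.0.0.1\r\nContent-Length: 2\r\n\r\n{}")
    return s


def fetch_per_read_timeout(port: int, read_timeout: float = 1.0) -> bytes:
    """Client protected only by a per-read socket timeout: a trickling peer never trips it."""
    s = _send_hook(port)
    s.settimeout(read_timeout)
    data = b""
    try:
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    finally:
        s.close()
    return data


def fetch_with_deadline(port: int, deadline: float = 0.5, read_timeout: float = 1.0) -> bytes:
    """Client that also enforces a total deadline for the whole exchange."""
    start = time.monotonic()
    s = _send_hook(port)
    data = b""
    try:
        while True:
            remaining = deadline - (time.monotonic() - start)
            if remaining <= 0:
                raise TimeoutError("webhook delivery exceeded total deadline")
            s.settimeout(min(read_timeout, remaining))  # never wait past the deadline
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                raise TimeoutError("webhook delivery exceeded total deadline") from None
            if not chunk:
                break
            data += chunk
    finally:
        s.close()
    return data


def body_length(response: bytes) -> int:
    return len(response.split(b"\r\n\r\n", 1)[1]) if b"\r\n\r\n" in response else 0


def demo() -> Dict[str, object]:
    """Run both clients, each against a fresh slow server, and report what happened."""
    t0 = time.monotonic()
    naive = fetch_per_read_timeout(start_slow_server())
    naive_elapsed = time.monotonic() - t0

    t1 = time.monotonic()
    timed_out = False
    try:
        fetch_with_deadline(start_slow_server())
    except TimeoutError:
        timed_out = True
    guarded_elapsed = time.monotonic() - t1

    return {"naive_body_bytes": body_length(naive), "naive_seconds": naive_elapsed,
            "guarded_timed_out": timed_out, "guarded_seconds": guarded_elapsed}


if __name__ == "__main__":
    print(demo())
```

For outbound calls a server makes on a user's behalf (webhooks, URL previews, import-from-URL), the total deadline should be paired with a cap on response size and on concurrent deliveries, since the memory exhaustion afewgoats mentions comes from many such connections buffering at once.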