February 7, 2017 | Gunanand Nagarkar
In this era of Cloud and DevOps, learn how critical it is for Business Transformation that developers take security more seriously than ever before.
Business transformation is one of the key initiatives across many companies today. Cloud Adoption and DevOps are the chosen path for technology and process transformation. With this, it is even more critical that the developers take security even more seriously than before.
In the past, the operations and security teams provided the required security shields along with checks and balances. They brought the very important security aspect to running a solution that is exposed to the world. But with DevOps, the Ops role is getting blurred, and developers are transforming themselves to play this role. Let us accept that developers will make this transition with time, but the mistakes made during the transition period will cost a company heavily. This post brings out the importance of security for developers, in the hope that most will become true DevOps engineers, or better still DevSecOps engineers. Developers should evolve into thinking deeply about security mitigations and deploying just the right amount of infrastructure in their day-to-day development, just as they focus on choosing the right variable types, memory and heap allocation sizes, or compiling and debugging their code. Below are some examples the industry has experienced:
Developers committing secrets to public git repositories. Secret keys committed to git repositories can be exploited by hackers. They can use them to create, for example, hundreds of large instances on Cloud platforms, resulting in thousands of dollars of unwanted expenses for a company. The loss in such an incident can be more than monetary: the hackers can get access to the instances running the pre-production and production DBs, and in turn to critical customer data, damaging the credibility of the business. Hackers can even destroy a company in a day, as happened to Code Spaces, because their secret keys were left in GitHub.
Not enforcing expiry of the secrets used in code. Someone can easily get hold of the tokens used by some APIs, even internal ones, and create havoc in your system or solution.
Keeping ports open to the whole world. Developers do not think twice before doing this, even though hackers punish it by compromising such instances in the Cloud. When software like MySQL or Elasticsearch exposes its port to the whole world, it is a free invitation for hackers to disrupt the environment. The instance could also be used in a DDoS attack.
Black-box penetration testing helps identify application vulnerabilities, but static code analysis and unit tests are just as critical and should be used wisely. Static code analysis rules and unit tests should be in place wherever possible for scenarios such as the ones below, running in your daily CI/CD pipelines.
- No file should store secrets; consider using roles or access tokens instead
- No column in any application table should store passwords
- There should be no default user named "admin"
- There should be no variables holding secrets
- There should be no home-grown decrypt or encrypt functions implemented
- Flag any usage of MD5 or other weak cryptographic algorithms
- Tokens created should always have an expiry period (no longer than a few hours)
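As an added example (not code from the original post or from REAN Cloud), here is a minimal Python checker that implements several of the rules above as regex heuristics over a constructed set of source files and exits non-zero so that a CI stage can fail on findings. The rule patterns and the sample files are assumptions for illustration.

```python
import re
import sys

# Constructed sample files standing in for a repository checkout
# (assumption: a real pipeline would read these from disk).
SAMPLE_FILES = {
    "config.py": 'AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY123456"\n'
                 'DB_PASSWORD = "hunter2"\nDEFAULT_USER = "admin"\n',
    "auth.py": "import hashlib\ndef hash_pw(p):\n"
               "    return hashlib.md5(p.encode()).hexdigest()\n"
               "def decrypt_card(blob):\n    return bytes(b ^ 42 for b in blob)\n",
    "token.py": "def issue_token(user):\n    return jwt.encode({'sub': user}, KEY)\n",
    "clean.py": "def add(a, b):\n    return a + b\n",
}

# Line-level rules: (rule id, regex, message). The regexes are this example's
# own heuristics, not an official or exhaustive rule set.
LINE_RULES = [
    ("SECRET_VAR", re.compile(r'(?i)\b\w*(password|secret|token|api_key|access_key)'
                              r'\w*\s*=\s*["\'][^"\']{4,}["\']'), "secret literal in a variable"),
    ("AWS_KEY", re.compile(r'\bAKIA[0-9A-Z]{16}\b'), "AWS access key ID literal"),
    ("DEFAULT_ADMIN", re.compile(r'(?i)\b\w*user\w*\s*=\s*["\']admin["\']'), "default user is admin"),
    ("WEAK_HASH", re.compile(r'\b(md5|sha1)\s*\('), "weak hash algorithm"),
    ("HOMEGROWN_CRYPTO", re.compile(r'\bdef\s+\w*(encrypt|decrypt)\w*\s*\('), "home-grown crypto"),
]

def scan_source(name, text):
    """Return (file, line, rule id, message) tuples for one source file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule_id, pattern, msg in LINE_RULES:
            if pattern.search(line):
                findings.append((name, lineno, rule_id, msg))
    # File-level rule: a JWT is issued but no "exp" claim appears anywhere in the file.
    if "jwt.encode(" in text and not re.search(r'["\']exp["\']', text):
        findings.append((name, 0, "TOKEN_NO_EXPIRY", "token issued without an exp claim"))
    return findings

def scan_files(files):
    """Scan a {path: source} mapping; return findings sorted by file and line."""
    return sorted(f for name, text in files.items() for f in scan_source(name, text))

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for path, line, rule_id, msg in results:
        print(f"{path}:{line}: {rule_id}: {msg}")
    sys.exit(1 if results else 0)  # a non-zero exit fails the CI stage
```

Regex rules like these produce false positives, so in practice they belong in a pre-commit hook or CI stage with an allow-list rather than as the only control.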
If the real consequences are known, developers can be more prudent about security and avoid accidents that need not happen. This is a small attempt to help developers transition towards being DevOps-centric developers.
At REAN Cloud, we not only practice security and compliance best practices for the infrastructure we build for our clients, but also advise clients on how to instill a DevOps culture and practice along with our platform. We understand that a successful business transformation needs buy-in from senior leadership AND developers, and also the right mindset and philosophy to apply DevSecOps principles daily. Please contact us at firstname.lastname@example.org if you have a question or would like to learn more about how we can help with your DevOps and business transformation.