Developers must take security seriously; developers and security teams need to work together to secure DevOps environments, writes Chris Smith, Director, DevOps and Application Security Product Marketing, at the cyber firm CyberArk.
This week sees us celebrate National Coding Week, an event designed to promote the vital role of coding and other digital skills in today’s connected world. Coding, and the languages it uses, provides the bedrock on which we’ve built our digital world – a world which has become even more integral to everyday life given this year’s events. Thanks to greater connectivity we’re all becoming digital natives. But this increasing connectivity also increases our vulnerability to cyber security attacks. This National Coding Week, let’s talk about the importance of integrating robust security practices while developing code, and making sure security sits at the very foundation of all innovation.
Development environments can often be vulnerable, and easily exploited by cyber attackers. Recently, a massive trove of leaked code from more than 50 enterprises across multiple industries, including tech, finance, retail, manufacturing, food and ecommerce made news around the world. Tillie Kottman, a Swiss software developer, collected this leaked code into a public GitLab repository that could be accessed by anyone. So how did attacks manage to access and leak the source code of these major players? Most of it was found by scanning misconfigured DevOps applications and third-party sources.
Aside from the obvious intrusion a leak like this invokes, what makes it particularly alarming is the number of hard coded credentials that were exposed. Hard coded credentials are passwords, access keys and other types of secrets that were stored in the source code, sometimes even as plain text. Each of these credentials could be used by an attacker to gain a foothold on that company’s cloud, development environment or IT infrastructure and, potentially, lead to further data leaks or other cyber security nightmares.
There are some valuable security lessons from this leak that every developer, whether they’re just beginning their career or are an experienced pro, and what better time to learn them than in National Coding Week.
Although it’s unclear if hard coded credentials played a role in making this leak possible, the leak certainly made those credentials available to anyone who might visit GitLab. This would make it extremely easy for a cyber attacker to steal passwords and other secrets and potentially start using them to gain privileged access to any of these companies’ IT infrastructure. Some of the companies involved in the data leak also hard coded their cloud access keys, which could allow a cyber attacker to take over a company’s cloud environment or steal sensitive information the company has on the cloud.
This is a great example of why developers need to keep security front of mind when developing software. Certain decisions that may seem logical or common practice may end up having dire consequences if other steps are not taken. This National Coding Week, we’re hopeful more developers will recognise that learning to code securely. Ensuring the code developers write is secured is essential to delivering long-time viability and success of applications and programmes.
Right now, we only know that the source code of Nintendo and other parties was found by scanning third-party sources and misconfigured DevOps applications. We’re still not clear on its origins. However, it is likely that at least some code was taken from a repository. After all, code repositories are established as an essential part of the modern development process. It’s a familiar scenario. The developers who created the leaked source code probably thought they were putting code into a private repository – but that wasn’t the case.
Either that code was inadvertently made public or a misconfiguration or stolen credential was used to expose it – which is an easy mistake, but a dangerous one. Another valuable lesson developers should take this week is to not only make sure the repository is correctly configured, but also to protect the credentials they use to access and configure the repository. Being mindful of this can save companies from irreparable damages stemming from stolen code.
Some of the developers contacted about the code leak weren’t concerned about their code being exposed. This unfortunate example highlights a key issue: some developers are less concerned about security than they should be. But exposed code can quickly lead to big problems – like this data leak – and that’s a risk worth taking seriously.
Consider: even before this trove of source code was found and shared on GitLab, it was unprotected and available to attackers. This massively increases developers’ exposure to potential malfeasance by other online actors with illicit intentions Not only could attackers use the code to steal intellectual property and potentially any hardcoded credentials or cloud access keys, they could get way more creative. For example, an attacker with access to the code could also add their own malicious code into automated builds and include it in an organisation’s code base. This demonstrates that one of the most important takeaways for this year’s National Coding Week – and for many previous editions – is for developers to understand the implications of code and builds being exposed or compromised, and act to prevent this from happening.
It’s not exactly a surprise that poorly protected DevOps tools and applications – and access to those tools – contributed to this leaked code. The trend toward greater independence for developers has introduced risks and cultural changes that create clear security challenges. Specifically, the responsibility for managing risk in development environments is too often shifting from IT and security teams to development and DevOps teams.
In today’s high velocity developer culture, low-security shortcuts often flourish and traditional security processes are not always easy to integrate. To secure developers without slowing them down, the security team must work with their developer and DevOps counterparts to follow cyber security best practices. The goal is to find the right balance of securing the development environments while not overburdening developers. With developers and security teams working together, it’s much harder for something like this code leak to happen to you.
Next steps
The leak mentioned above is a perfect example of what can go wrong if developers do not take security seriously throughout the coding process. If organisations learn nothing else from this leak, they should learn that security can’t – and shouldn’t – be separated from development. The use of security best practices might have prevented these companies from having their credentials exposed in a public repository – and the potential leaks, breaches and takeovers that it could lead to.
Adding security into the development process after the fact can be difficult and disruptive. Integrating security right from the beginning to keep credentials and repositories secure is a must. This National Coding Week, developers must take a step back to understand the impact of misplaced coding or security oversights. Together with security teams, developers can secure coded credentials, hard-coded credentials, and any other loophole cyber attackers may exploit. Only then can we pave the way forward for secure innovation and connectivity powered by today and tomorrow’s generation of coders.
