The SolarWinds digital supply chain attack began by compromising the “heart” of the CI/CD pipeline and successfully changing application code. It highlighted the major challenges organizations face in securing their applications across the software development lifecycle and is driving increased attention at the highest levels of enterprise and government. In fact, Reuters recently reported that the Biden administration is preparing an executive order outlining new software security and breach disclosure requirements.

As organizations look to strengthen their digital supply chain and protect the applications they develop and use, many are focusing on application secrets – which are ripe targets for attackers and can provide unrestricted privileged access to sensitive systems.

Cloud-Native Apps Expand Security Needs

Today, many organizations are taking a cloud-native approach to building, testing and deploying new applications – whether front- or back-office, consumer-facing, web or mobile. And by embracing DevOps methodologies and automation, they’re quickly moving along the digital maturity curve.

As applications are increasingly built using microservices and run in dynamic, short-lived containerized environments, their components need to interact with one another – sharing secrets and credentials to securely access resources. The result: a lot more secrets that need to be secured.

What’s more, the powerful DevOps and automation tools that developers use to build applications, such as Jenkins and Ansible, store massive amounts of credentials and secrets. This allows the projects, playbooks and scripts managed by these mission-critical “Tier 0” assets to access other tools, services and platforms. All of these tools also require high levels of privilege.