Sep 14 2024

How to make Infrastructure as Code secure by default

The article explains how to enhance the security of Infrastructure as Code (IaC) by default. It emphasizes integrating security policies into CI/CD pipelines, automating IaC scanning, and using the application as the source of truth for infrastructure needs. It highlights the risks of manual code handling, such as human error and outdated templates, and discusses the challenges of automated remediation. The solution lies in abstracting IaC using tools that generate infrastructure based on application needs, ensuring secure, compliant infrastructure.


Making Infrastructure as Code (IaC) secure is crucial for maintaining the security of cloud environments and preventing vulnerabilities from being introduced during deployment. Here are some best practices to ensure the security of IaC:

1. Use Secure IaC Tools

  • Trusted Providers: Use reputable IaC tools like Terraform, AWS CloudFormation, or Ansible that have strong security features.
  • Keep Tools Updated: Ensure that your IaC tools and associated libraries are always updated to the latest version to avoid known vulnerabilities.

2. Secure Code Repositories

  • Access Control: Limit access to IaC repositories to authorized personnel only, using principles of least privilege.
  • Use Git Best Practices: Use branch protection rules, mandatory code reviews, and signed commits to ensure that changes to IaC are audited and authorized.
  • Secrets Management: Never hardcode sensitive information (like API keys or passwords) in your IaC files. Use secret management solutions like AWS Secrets Manager, HashiCorp Vault, or environment variables.

3. Enforce Security in Code

  • Static Code Analysis (SAST): Use tools like Checkov, TFLint, or Terraform Sentinel to analyze your IaC for misconfigurations, like open security groups or publicly accessible S3 buckets.
  • Linting and Formatting: Enforce code quality using linters (e.g., tflint for Terraform) that check for potential security misconfigurations early in the development process.

4. Follow Least Privilege for Cloud Resources

  • Role-based Access Control (RBAC): Configure your cloud resources with the minimum permissions needed. Avoid overly permissive IAM roles or policies, such as using wildcard * permissions.
  • Security Groups: Ensure that security groups and firewall rules are configured to limit network access to only what is required.

5. Monitor and Audit IaC Changes

  • Version Control: Use version control systems like Git to track changes to your IaC. This helps maintain audit trails and facilitates rollbacks if needed.
  • Automated Testing: Implement continuous integration (CI) pipelines to automatically test and validate IaC changes before deployment. Include security tests in your pipeline.

6. Secure IaC Execution Environment

  • Control Deployment Access: Limit access to the environment where the IaC code will be executed (e.g., Jenkins, CI/CD pipelines) to authorized personnel.
  • Use Signed IaC Templates: Ensure that your IaC templates or modules are signed to verify their integrity.

7. Encrypt Data

  • Data at Rest and In Transit: Ensure that all sensitive data, such as configuration files, is encrypted using cloud-native encryption solutions (e.g., AWS KMS, Azure Key Vault).
  • Use SSL/TLS: Use SSL/TLS certificates to secure communication between services and prevent man-in-the-middle (MITM) attacks.

8. Regularly Scan for Vulnerabilities

  • Security Scanning: Regularly scan your IaC code for known vulnerabilities and misconfigurations using security scanning tools like Trivy or Snyk IaC.
  • Penetration Testing: Conduct regular penetration testing to identify weaknesses in your IaC configuration that might be exploited by attackers.

9. Leverage Policy as Code

  • Automate Compliance: Use policy-as-code frameworks like Open Policy Agent (OPA) to define and enforce security policies across your IaC deployments automatically.

10. Train and Educate Teams

  • Security Awareness: Ensure that your teams are trained in secure coding practices and are aware of cloud security principles.
  • IaC-Specific Training: Provide training specific to the security risks of IaC, including common misconfigurations and how to avoid them.

By integrating security into your IaC practices from the beginning, you can prevent security vulnerabilities from being introduced during the deployment process and ensure that your cloud infrastructure remains secure.
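As an added illustration of items 3, 4 and 9 (not code from the original post or from any tool it names), this Python CI gate reads the JSON that `terraform show -json` produces for a plan and fails on world-open ingress rules, wildcard IAM actions and public S3 ACLs. The sample plan is constructed, and the three checks are an assumed minimal policy set rather than a complete one.

```python
import json

WORLD = {"0.0.0.0/0", "::/0"}
PUBLIC_ACLS = {"public-read", "public-read-write"}


def _as_list(value):
    """IAM JSON allows a single string where a list is expected."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_security_group(after):
    for rule in after.get("ingress") or []:
        cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
        if cidrs & WORLD:
            yield "ingress open to the internet on ports %s-%s" % (
                rule.get("from_port"), rule.get("to_port"))


def check_iam_policy(after):
    raw = after.get("policy")
    if raw is None:  # value not known until apply; nothing to inspect yet
        return
    try:
        statements = _as_list(json.loads(raw)["Statement"])
    except (TypeError, ValueError, KeyError):
        yield "policy document is not parseable; review by hand"
        return
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        wild = [a for a in _as_list(stmt.get("Action")) if a == "*" or a.endswith(":*")]
        if wild:
            yield "Allow statement with wildcard action(s): " + ", ".join(wild)


def check_s3_acl(after):
    if after.get("acl") in PUBLIC_ACLS:
        yield "bucket ACL %r grants public access" % after["acl"]


# Resource type -> check. Types outside this map are not evaluated.
CHECKS = {
    "aws_security_group": check_security_group,
    "aws_iam_policy": check_iam_policy,
    "aws_s3_bucket_acl": check_s3_acl,
}


def evaluate(plan):
    """Return (address, message) pairs for every planned resource that violates a check."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = (rc.get("change") or {}).get("after")
        check = CHECKS.get(rc.get("type"))
        if check is None or after is None:  # unknown type, or resource is being deleted
            continue
        findings.extend((rc["address"], msg) for msg in check(after))
    return findings


# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "change": {"actions": ["create"], "after": {"ingress": [
         {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
         {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]}}},
    {"address": "aws_iam_policy.ci", "type": "aws_iam_policy",
     "change": {"actions": ["create"], "after": {"policy": json.dumps({
         "Version": "2012-10-17", "Statement": [
             {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
             {"Effect": "Allow", "Action": ["logs:PutLogEvents"], "Resource": "*"}]})}}},
    {"address": "aws_s3_bucket_acl.assets", "type": "aws_s3_bucket_acl",
     "change": {"actions": ["create"], "after": {"acl": "private"}}},
    {"address": "aws_s3_bucket_acl.old", "type": "aws_s3_bucket_acl",
     "change": {"actions": ["delete"], "after": None}},
]}

if __name__ == "__main__":
    results = evaluate(SAMPLE_PLAN)
    for address, message in results:
        print(f"FAIL {address}: {message}")
    raise SystemExit(1 if results else 0)  # non-zero exit blocks the pipeline stage
```

Run as a pipeline step after `terraform plan`, the non-zero exit code stops the deployment before the misconfiguration reaches the cloud account.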

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Secure By Design, Secure Code, Secure Infrastructure


Sep 06 2024

How cyber criminals are compromising AI software supply chains

Category: AI, Cybercrime, DevSecOps | disc7 @ 9:55 am

The rise of artificial intelligence (AI) has introduced new risks in software supply chains, particularly through open-source repositories like Hugging Face and GitHub. Cybercriminals, such as the NullBulge group, have begun targeting these repositories to poison data sets used for AI model training. These poisoned data sets can introduce misinformation or malicious code into AI systems, causing widespread disruption in AI-driven software and forcing companies to retrain models from scratch.

With AI systems relying heavily on vast open-source data sets, attackers have found it easier to infiltrate AI development pipelines. Compromised data sets can result in severe disruptions across AI supply chains, especially for businesses refining open-source models with proprietary data. As AI adoption grows, the challenge of maintaining data integrity, compliance, and security in open-source components becomes crucial for safeguarding AI advancements.

Open-source data sets are vital to AI development, as only large enterprises can afford to train models from scratch. However, these data sets, like LAION 5B, pose risks due to their size, making it difficult to ensure data quality and compliance. Cybercriminals exploit this by poisoning data sets, introducing malicious information that can compromise AI models. This ripple effect forces costly retraining efforts. The popularity of generative AI has further attracted attackers, heightening the risks across the entire AI supply chain.

The article emphasizes the importance of integrating security into all stages of AI development and usage, given the rise of AI-targeted cybercrime. Businesses must ensure traceability and explainability for AI outputs, keeping humans involved in the process. AI shouldn’t be seen solely as a cost-cutting tool, but rather as a technology that needs robust security measures. AI-powered security solutions can help analysts manage threats more effectively but should complement, not replace, human expertise.


Blockchain, IoT, and AI Technologies for Supply Chain Management (Innovations in Intelligent Internet of Everything (IoE))


Tags: AI software supply chains


Aug 15 2024

Education in Secure Software Development

Category: DevSecOps | disc7 @ 7:54 am

The Linux Foundation and OpenSSF released a report on the state of education in secure software development.

…many developers lack the essential knowledge and skills to effectively implement secure software development. Survey findings outlined in the report show nearly one-third of all professionals directly involved in development and deployment - system operations, software developers, committers, and maintainers - self-report feeling unfamiliar with secure software development practices. This is of particular concern as they are the ones at the forefront of creating and maintaining the code that runs a company’s applications and systems.

Designing Secure Software: A Guide for Developers


Tags: security education, software


Feb 17 2024

Demystifying DevSecOps

Category: DevSecOps | disc7 @ 10:34 am

The DevSecOps Playbook: Deliver Continuous Security at Speed


Tags: DevSecOps, The DevSecOps Playbook


Jan 31 2024

How to make developers accept DevSecOps

Category: DevSecOps | disc7 @ 11:38 am

According to a recent Dynatrace report, only 50% of CISOs believe that development teams have thoroughly tested the software for vulnerabilities before deploying it into the production environment.

This is a statistic that needs to change and the only way to change it is to make sure developers are on the same page as security practitioners.

The challenges

Making developers accept the importance of security in their software development process comes with numerous challenges. They can be split into four categories:

  • Tool-related challenges
  • Practice-related challenges
  • Infrastructure-related challenges
  • People-related challenges

Integrating security tools into existing DevOps tools can be complicated. “A significant barrier in implementing security into [DevSecOps] is the differences in tool-sets between security and other teams,” researchers Roshan N. Rajapakse, Mansooreh Zahedi, M. Ali Babar and Haifeng Shen noted. Also, each team member has their own preferences in tools based on specific advantages.

Some toolsets may also be inadequate, and without standards or documentation developers will have even more difficulties with the integration.

Practice-related challenges involve automation and deployment. DevOps processes are mostly automated, but security requires human action, i.e., manual security practices that are difficult to automate.

Developers are also all about pushing the product as soon as possible, yet, by implementing DevSecOps, the development process needs to slow down to allow possible vulnerabilities to be fixed.

When it comes to infrastructure, a complex cloud environment can slow down secure software development, while a multi-cloud environment can pose difficulties when securing data. Highly regulated environments (air-gapped environments, medical infrastructure, etc.) can also make DevSecOps adoption difficult.

Finally, there are the people-related challenges: developers may have difficulties with the imminent changes that DevSecOps brings to the development process, and may lack the security skills required to carry out certain security practices in DevSecOps.

CISOs and developers (69% and 64%, respectively) both see that the lack of communication and collaboration between developers and security teams is a significant problem.

Implementing DevSecOps will also not work without the right knowledge, which developers have yet to build.

The solutions

To make developers accept DevSecOps, they need to be heard, which means making sure they have a say when security decisions are made. This can contribute to a more productive and constant collaboration and communication between security and development engineers, while also defining roles and responsibilities.

Shifting left is a must, but developers need to know exactly what is expected of them when it comes to secure coding.

“A big part of improving the DevSecOps experience is not introducing more tooling, but getting clear on the process and expectations of how developers should use the tools they already have. Clear communication about policies ensures an organized and consistent approach to implementing security throughout the SDLC,” says Nick Liffen, director at GitHub Advanced Security.

Training is an important part of DevSecOps implementation, but developers need to be reassured that their job will not be disrupted when security gets integrated into coding.

To further motivate them, it’s good to let them see that knowing how to code securely can contribute to both the company’s success and their personal growth.

Learning that being a DevSecOps professional is a good career choice can additionally boost their motivation.

“Between 2021 and 2028, the DevSecOps market is expected to grow at a CAGR of 24.1%. DevSecOps professionals have several job opportunities as a result of this rapid rise. This demand is expected to grow as more companies adopt DevSecOps practices,” said Misbah Thevarmannil, content lead at Practical DevSecOps.

The DevSecOps Playbook


Tags: DevSecOps, The DevSecOps Playbook


Jan 10 2024

DevSecOps: 5 Tips for Developing Better, Safer Apps

Category: DevSecOps | disc7 @ 8:48 am

https://www.crowdstrike.com/blog/devsecops-tips-to-develop-better-safer-apps/

According to the CrowdStrike 2023 Global Threat Report, there was a 95% increase in cloud exploits in 2022, with a three-fold increase in cases involving cloud-conscious threat actors. The cloud is rapidly becoming a major battleground for cyberattacks — and the cost of a breach has never been higher. The estimated average cost of a breach impacting multi-cloud environments is more than $4.75 million USD in 2023. The acceleration of cloud-focused threat activity and its effects has made security a key priority across organizations.

Security in the Cloud Is a Shared Responsibility

Security teams are accountable for protecting against risks, but they cannot be the only ones. Each team must try to communicate why their part of the development lifecycle is important to the other teams in the pipeline. With the growth of cloud-native applications and the demand for faster application delivery or continuous integration/continuous delivery (CI/CD), the use of containers is increasing widely. As businesses adopt containerized and serverless technologies and cloud-based services, more complex security issues arise.

Application developers have a tricky balance to maintain between speed and security. In DevOps, security used to be an issue addressed after development — but that’s changing. Now, developers who previously had to code right up to the last minute — leaving almost no time to find and fix vulnerabilities — are using tools like Infrastructure as code (IaC) scanning to validate they have fewer security vulnerabilities before they move to the next phase of development. 

When security is considered at every step in the pipeline, it ensures developers find and address issues early on and it streamlines the development process. DevSecOps helps developers find and remediate vulnerabilities earlier in the app development process. Vulnerabilities discovered and addressed during the development process are less expensive and faster to fix. By automating testing, remediation and delivery, DevSecOps ensures stronger software security without slowing development cycles. The goal is to make security a part of the software development workflow, instead of having to address more issues during runtime.

5 Tips to Develop Apps with Security and Efficiency

1. Automate security reviews and testing. Every DevSecOps pipeline should utilize a combination or variation of tools and features like those listed below. A good automated and unified solution will provide broad visibility and address those issues as they arise, while alerting, enforcing compliance and providing customized reports with relevant insights for the DevOps and security teams. 

  • SAST: Static application security testing to detect insecure code before it’s used (tools like GitHub, GitGuardian and Snyk, to name a few) 
  • SCA: Software composition analysis to detect library vulnerabilities before building (tools like GitHub and GitLab)
  • CSA: Container scanning analysis to detect Operating System Library vulnerabilities and mitigate risk (tools like CrowdStrike Falcon® Cloud Security and GitLab)

Figure 1. Dynamic container analysis in the Falcon platform

  • IaC scanning: Infrastructure-as-code scanning to detect vulnerabilities in infrastructure (tools like Falcon Cloud Security and GitLab)

Figure 2. Falcon infrastructure-as-code (IaC) scanning

  • ASPM: Application security posture management to detect application vulnerabilities and risks once deployed (such as Falcon Cloud Security)

Figure 3. Architecture view of apps, services, APIs and more in Falcon

2. Integrate with developer toolchains. Streamline and consolidate your toolchain so developers and security teams can focus their attention on a single interface and source of truth. The tighter the integration between security and app development, the earlier threats can be identified, and the faster delivery can be accelerated. By seamlessly integrating with Jenkins, Bamboo, GitLab and others, Falcon Cloud Security allows DevOps teams to respond to and remediate incidents faster within the toolsets they already use.  

3. Share security knowledge among teams. DevSecOps is a journey enabled by technology, but a process that starts with people. Your DevSecOps team should share lessons learned and mitigation steps after resolving the compromise. Some organizations even assign a security champion who helps introduce this sense of responsibility of security within the team. Be prepared to get your teams on board before changing the process, and ensure everyone understands the benefits of DevSecOps. Make security testing part of your project kickoffs and charters, and empower your teams with training, education and tools to make their jobs easier. 

4. Measure your security posture. Identify the software development pain points and security risks, create a plan that works well for your organization and your team, and drive execution. Make sure to track and measure results such as the time lost in dealing with vulnerabilities after code is merged. Then, look for patterns in the type or cause of those vulnerabilities, and make adjustments to detect and address them earlier. This introduces a shared plan with integration into the build and production phases. CrowdStrike offers a free comprehensive Cloud Security Risk Review and services to help you plan, execute and measure your plan.  

5. “Shift right” as well as “shift left.” Detection doesn’t always guarantee security. Shifting right and knowing how secure your applications and APIs are in production is just as important. By leveraging ASPM to uncover potential vulnerabilities in the application code once they are up and deployed, teams can find potential exposure in their application code that could allow backdoor access to other critical data and systems. 

The bottom line is that while security and development used to be separate, the lines are now blurring to a point where security is becoming more and more integrated with the day-to-day job of developers. The benefit is that the modern practice brings together teams across the company to a common understanding, which then drives business growth. DevSecOps requires teams to collaborate and enables the organization to deliver safer applications to customers without compromising security.

How CrowdStrike Powers Your DevSecOps Journey

Security is not meant to be a red light on the road to your business goals or slow down your software development. It is meant to enable you to reach those goals safely with minimal risk. Falcon Cloud Security empowers DevSecOps teams to “shift left” in the application security paradigm, with tools including Infrastructure-as-Code Scanning, Image Assessment, and Kubernetes Admission Controller, all designed to ensure applications are secure earlier in application development and deployment. 

CrowdStrike Falcon Cloud Security lets DevOps and security teams join forces to build applications securely before deployment, monitor they are compliant once deployed, and ensure the code is secure during runtime using ASPM. With ASPM in a unified interface that’s easy to visualize and understand, customers can “shift right” to reduce risk and stop breaches from applications that are already deployed.

The DevSecOps Playbook: Deliver Continuous Security at Speed

DevSecOps: A Leader’s Guide


Tags: DevOps, DevSecOps, The DevSecOps Playbook


Dec 20 2023

The Future of DevSecOps: Emerging Trends in 2024 and Beyond

Category: DevSecOps | disc7 @ 12:21 pm

https://istari-global.com/insights/articles/future-of-devsecops-emerging-trends-2024/

In the rapidly evolving landscape of software development and cybersecurity, the integration of security planning earlier in the software development life cycle has become paramount. This practice, known as DevSecOps, has gained significant traction in recent years as businesses recognize its potential to bolster cyber defenses and ensure the security of their digital assets. As we look ahead to 2024 and beyond, it is crucial to understand the key trends that will shape the future of DevSecOps. I wanted to take a few moments to discuss the emerging trends that will drive innovation and efficiency in the field of DevSecOps, including automation, tool consolidation, infrastructure as code, remediation, and the evolution of the software bill of materials (SBOMs).

Key Trends in 2024

Automation Underpinning Innovation

Automation is at the forefront of driving operational efficiency in the field of security. In 2024, we can expect to see further advancements in automation, coupled with artificial intelligence (AI), empowering companies to streamline decision-making processes and optimize resource allocation. By leveraging automation and AI, security teams can focus on strategic initiatives, leaving operational functions to automated systems. This shift will enable organizations to respond to security threats with greater precision and agility, ultimately enhancing their cyber defenses.

The concept of “secure-by-design” will also gain additional momentum in 2024. By establishing cybersecurity standards, detecting vulnerabilities, and addressing them at the outset, organizations can prevent risks before they manifest. This transformative approach will enable businesses to innovate without unforeseen impediments, ensuring that security is an integral part of the development process from the very beginning.

Tool Consolidation

As organizations seek to incorporate security into their processes, the need for tool consolidation becomes apparent. Rather than accumulating an excessive number of tools, which can lead to inefficiencies and increased costs, businesses will opt for more streamlined security tool architectures and services. According to Gartner, 75% of organizations have already begun the process of consolidating their security tools. By merging tool-chain observability and monitoring into a single platform, companies can gain a comprehensive view of their security landscape and identify any potential blockages. This consolidation will create a more conducive environment for building and strengthening security processes.

Infrastructure as Code (IaC)

Traditional IT infrastructure management processes are often manual, resulting in increased costs and resource allocation. With the rapid growth of cloud computing and the constant release of new applications, infrastructure as code (IaC) emerges as a valuable tool. By utilizing configuration files, IaC allows for the automated management and oversight of today’s ever-evolving infrastructure. This level of abstraction frees engineers from the burden of keeping up with constant changes, maximizing the potential of cloud computing and enabling developers to allocate their time more efficiently.

Remediation

In response to the rising threat of cybercrime, organizations are shifting their focus from mere detection to proactive remediation. Rather than simply identifying security breaches, companies are increasingly investing in continuous monitoring and prompt remediation to eliminate threats. Gartner recommends that organizations be prepared to perform emergency remediation on key systems immediately following the release of security patches. To achieve this, companies must adopt intelligent and automated remediation approaches that are integrated into their processes. Prescriptive “best practices” alone will not suffice; automation is necessary to effectively address security issues in real-time.

Beyond SBOMs

The software bill of materials (SBOMs), an inventory of the codebase, has gained recognition as a game-changer in software transparency. However, in 2024, we can expect SBOMs to evolve further to meet industry standards and deliver on their promise. While SBOMs provide valuable insights into the software components used by an application, there are still obstacles to overcome. Many tools designed to automate SBOM generation lack consistency in data provision, hindering their adoption. Additionally, SBOMs have limited value in procurement decisions, as they require frequent updates to remain relevant. To establish a well-managed and secure software supply chain, additional tools such as software composition analysis and code signing will become essential. Achieving this will require industry-wide collaboration, defining best practices, and incentivizing vendors to prioritize transparency.

Security Remains Vital

Despite budget constraints and organizational restructuring, DevSecOps remains a critical area of focus for businesses. Cybersecurity risks continue to be a top concern, and DevSecOps strategies offer a cost-effective solution to mitigate these risks. However, organizations will optimize their budget allocations by investing in solutions that provide actionable results. In 2024, we can expect to see a greater emphasis on remediation, integration of security into the software development life cycle, and automation to streamline operational processes.

Conclusion

The future of DevSecOps is promising, with several key trends shaping the field in 2024 and beyond. Automation, tool consolidation, infrastructure as code, remediation, and the evolution of SBOMs will drive innovation and efficiency in the industry. As organizations strive to enhance their cyber defenses and navigate the evolving threat landscape, embracing these trends will be crucial. By staying ahead of the curve and implementing robust DevSecOps practices, businesses can ensure the security of their digital assets and maintain a competitive edge in the digital economy.

Multi-Cloud Strategy for Cloud Architects: Learn how to adopt and manage public clouds by leveraging BaseOps, FinOps, and DevSecOps


Tags: DevSecOps