Dev and Ops got together, and then along came Security. Well, Security was always there, they just weren’t invited to the party early. Today all three silos are working in synergy in top-performing DevOps organizations - what we know as DevSecOps.
Aditya Balapure (@adityabalapure) is an infosec specialist at Haven. He was at GrubHub when he spoke at the All Day DevOps conference. He emphasized the importance of protecting your authorizations, an area often overlooked.
Aditya started his presentation pointing out that in traditional DevSecOps, security is visibility and control. Organizations focus a lot on the pipeline, making sure the code is scanned, conducting static and dynamic analysis, building artifacts, scanning deployments, monitoring, and running automated penetration testing.
While organizations have had great success focusing on the pipeline, adversaries are changing and working hard to stay ahead. Applications now have more and more vendors and third-party integrations, public API endpoints, and credentials, tokens, keys, and certificates that all need authentication. Every one of these is a potential point of attack.
This underscores the need to know your whole ecosystem. He emphasizes that you need to continually look outside of your own infrastructure rather than focusing only on your pipeline. Aditya asks: are we looking at the public web? What about third-party integrations and libraries? What is the impact of employees and customers sharing confidential information and credentials, such as on public boards? Adversaries expect that users will reuse credentials - which, let's be honest, is often true.
Aditya then focuses on how authentication has evolved. He specifically explores how, in the past, credentials were handled by plain HTTP sites, yet security in transit is hard to achieve. It is now easier and cheaper to get SSL and TLS as the cost of certificates has come down. Now, certificate transparency is a savior. It is an open framework for real-time monitoring and auditing of SSL certificates, which helps you detect malicious certificates. It is vital that you integrate these checks into your application and pipeline.
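One way to act on the certificate-transparency point above, as an added example (not code from the talk or from Haven/GrubHub): a small Python audit that takes certificates observed in CT logs for your domains and flags issuance by a CA you do not use, or wildcard certificates you did not expect, so the check can fail a pipeline stage. The `CtEntry` records, the issuer allowlist and the `sha256-placeholder` fingerprints are constructed for the example; a real run would fetch the entries from a CT log or a CT monitoring service first.

```python
"""Audit CT-observed certificates for monitored domains (added example)."""
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class CtEntry:
    """One certificate as seen in a CT log, already flattened (assumed shape)."""
    issuer: str           # issuer organisation name as printed in the cert
    sans: tuple           # subjectAltName DNS entries
    sha256: str           # certificate fingerprint (placeholder values below)


# Constructed allowlist: the CAs this organisation actually buys from.
EXPECTED_ISSUERS = {"Let's Encrypt", "DigiCert"}
MONITORED_DOMAINS = ("example.com",)


def covers(san: str, domain: str) -> bool:
    """True if a SAN names `domain` or a subdomain of it; wildcards count."""
    name = san.lower()
    if name.startswith("*."):
        name = name[2:]
    # The leading dot stops "notexample.com" from matching "example.com".
    return name == domain or name.endswith("." + domain)


def audit(entries, monitored=MONITORED_DOMAINS, expected=EXPECTED_ISSUERS):
    """Return (fingerprint, reason) pairs for certificates that need review."""
    findings = []
    for entry in entries:
        hits = [s for s in entry.sans if any(covers(s, d) for d in monitored)]
        if not hits:
            continue  # certificate is for someone else's domain
        if entry.issuer not in expected:
            findings.append((entry.sha256, f"unexpected issuer {entry.issuer!r} for {hits}"))
        wildcards = [s for s in hits if s.startswith("*.")]
        if wildcards:
            findings.append((entry.sha256, f"wildcard SAN {wildcards}"))
    return findings


# Constructed sample entries standing in for a CT log query result.
SAMPLE_ENTRIES = [
    CtEntry("Let's Encrypt", ("example.com", "www.example.com"), "sha256-placeholder-1"),
    CtEntry("Unknown CA Ltd", ("login.example.com",), "sha256-placeholder-2"),
    CtEntry("DigiCert", ("*.example.com",), "sha256-placeholder-3"),
    CtEntry("Let's Encrypt", ("example.org",), "sha256-placeholder-4"),
]

if __name__ == "__main__":
    for fingerprint, reason in audit(SAMPLE_ENTRIES):
        print(f"REVIEW {fingerprint}: {reason}")
    sys.exit(1 if audit(SAMPLE_ENTRIES) else 0)  # non-zero fails the pipeline stage
```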
Aditya covers more in his talk, including:
- Developing better threat models to test authentication
- Building awareness/monitoring outside your organization
- Expanding your ecosystem awareness to better protect it
- Crowdsourcing the security community to stay ahead of adversaries
- Boosting security through insecurity and chaos engineering
You can watch the full talk here.