Avoid the Snares of Open SourceMarch 4, 2021 Tweet
Reusable code components are fundamental to DevOps. But free and open source software (FOSS) can introduce vulnerabilities into integrated codebases without the knowledge of developers or their security teams. Repositories hosting these components are also being exploited to serve up counterfeit code that takes advantage of open source dependencies, as demonstrated recently by researcher Alex Birshan. In the experiment, Apple, Microsoft, Tesla and 33 other companies uploaded fake components through NPM, PyPl, RubyGems and other repositories. These techniques are now being weaponized to trick developers in large tech companies.
In this expert interview, we talk with Jim Routh, a well-known DevSecOps expert, who breaks security controls down to three areas of focus:
- Protect the repositories and DevOps environments with strong identity and access controls (password complexity, secrets management).
- Apply third party governance controls to repository management platforms (GitHub, GitLab, Bitbucket, etc.) and use binary vulnerability scanning for all 3rd party components before building them into the software product.
- Try innovative solutions in workload run time protection initially in an alert mode, and eventually in a prevent mode.
You talk about cloud-first and software is infrastructure. Please explain how that ties into third party components.
“Everyone understands that development is evolving into a cloud first model rather than on prem development. But what they don’t recognize is that software development today is fundamentally different in a cloud first model versus on-premises. Before apps were developed in and to the cloud, security teams built up a secure environment for developers, so their build environments had protection in place. In the cloud, however, developers are mostly left to fend for themselves to configure the cloud accounts and development environments.”
“Today, that same developer starts with an AWS account and has to spin up secure provisioning for account access. They choose their configuration management software, such as Terraform and Kubernetes, establish privilege access management, and define the data classification and protection requirements, such as encryption. Then they need to implement authentication controls, apply composition analysis, and manage the secure build process.”
Meanwhile, developers are pulling third party components from cloud repositories and using them like building blocks, he continues. Those components are also developed in the cloud, pushed up to repositories and downloaded by other developers for use in their builds.
“The software no longer runs on a physical server with a standard configuration in a dedicated enterprise data center, it runs on cloud servers running workloads in many co-locations where configuration management for the build process is performed through software,” he adds.
That’s the definition of a software-defined network, where code is the infrastructure.
Pro Tip: Check out these best practices for scaling infrastructure as code securely.
What can developers do to use this trend for their advantage and improve software delivery?
“The Ideal controls are third party governance in SaaS starting with identity and access management, followed with static analysis and binary software vulnerability scanning—along with composition analysis,” he says.
Pro Tip: For advice on component policies, restrictions, acceptable use, and other critical controls, visit OWASP’s Component Analysis Page.
Unfortunately, not all developers apply basic IT hygiene to secure their access. In case of SolarWinds, the development team used a shared password, Solarwinds123. This is where build management programs help.
“Think of build management as guardrails for developers to improve quality and security as the software is configured. That quality saves you time and money that would be spent fixing mistakes later, after build is complete.”
What are some tips for securing and testing third party code drawn from public repositories?
Repository management is a software as a service and should be governed that way, he says. Developers need to automate their workload processes to scan third-party components without access to the source code. This is referred to as software composition analysis or binary analysis scanning.
“Running binary scanning on third party products without requiring access to the source code is a game changer for third party governance,” he says. “Use a binary scan of the software to identify vulnerabilities and build a Software Bill of Materials, which says ‘here is where the software originated from’ and defines the quality of the software from a resilience standpoint. Buyers can use the findings and ask their third-party provider to fix code defects identified in the binary scan results.”
Pro News: SBOM is the focus of our next expert interview.
His third suggestion requires new innovation around workload runtime protection, which is protective software that runs in the build environment or server and identifies behavioral attributes of the application and what the code is doing once it’s compiled. “Behavioral models of how the software is supposed to perform are used to identify and prevent abnormal or malicious software behavior,” he explains. “In a developer environment this would be a way of discovering the back door embedded in the SolarWinds Orion update before it installed in victim companies.”