Bringing Source Code Security Up to Speed
In many ways, the DevOps movement is about removing complexity in the development process to increase release velocity and efficiency. While those abstractions may increase simplicity and narrow focus for developers, the pressure to adopt new tools and processes increases the complexity of securing DevOps infrastructure. Furthermore, DevOps culture empowers developers with a focus on increasing agility and removing roadblocks. However, when done without proper security precautions, this also opens the door to new risks.
Challenges to Security
While there are many tools to identify source code vulnerabilities and protect applications in runtime, securing the development pipeline infrastructure itself is largely an unmet need. The biggest infrastructure security challenge is the source control management (SCM) system. This seems validated by the constant headlines about source code leakage or theft. The list of companies having leaked code recently is a who’s-who of software development: Microsoft, Nintendo, Apple, Tesla, YouTube and more. Even GitHub themselves had a code leak in early November 2020.
Git has made collaboration between developers and teams more streamlined than ever. Yet, several industry trends are increasing the complexity of securing SCMs including: multiple SCMs, often centralized for legacy apps and Git for modern apps; public and private repositories; microservices architectures driving rapid proliferation of repositories; and geographically distributed teams.
The difficulty securing SCMs tends to increase in direct proportion to the size and age of the development organization; the phrase, “Nothing ever really goes away in IT,” contains a grain of truth, despite being cliché. Legacy apps are still run on centralized SCMs like Subversion, Perforce, CVS, etc., while modern apps are in Git-based SCMs like GitHub, GitLab, Bitbucket or Azure DevOps. Managing access controls across individual repositories and between cloud and enterprise versions of the same SCM is difficult enough, but establishing and enforcing consistent policy across multiple SCMs is nearly impossible.
Identifying Threats
The key threats to consider fall along two axes: insider vs. outsider, and deliberate theft vs. accidental leakage. After creating an inventory of the SCM (users, teams, repos, policies, etc.), software development organizations must, to prevent theft by insiders and outsiders, apply a “least privilege” access policy, enforce multifactor authentication, investigate all repository forks/clones to ensure they are necessary, and monitor public repositories and other sites for the organization’s source code.
While insider and outsider threats are scary enough, inadvertent mistakes are a far more common cause of source code leakage. In addition to the steps taken to prevent theft, organizations should also disable private repositories from being forked/cloned with public access to prevent inadvertent source code leaks.
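To make the controls above checkable rather than aspirational, here is an added example (not from the original article) that audits a constructed SCM inventory: it flags a missing organization-wide MFA requirement, private repositories that still allow forking, existing forks of private code that need review, and repositories with more admin-level collaborators than a least-privilege cap allows. The field names are modelled on GitHub's REST API repository and organization objects; the inventory values, the `max_admins` threshold and the repo/user names are all made up.

```python
"""Audit a constructed SCM inventory for the controls discussed above."""
from typing import Dict, List

# Constructed sample inventory. Field names follow GitHub's REST API objects
# (repository: private / allow_forking / forks_count; organization:
# two_factor_requirement_enabled), but every value here is made up.
ORG = {"login": "example-org", "two_factor_requirement_enabled": False}
REPOS = [
    {"name": "billing-core", "private": True, "allow_forking": True,
     "forks_count": 3, "collaborators": [
         {"login": "alice", "permission": "admin"},
         {"login": "bob", "permission": "admin"},
         {"login": "ci-bot", "permission": "admin"}]},
    {"name": "public-sdk", "private": False, "allow_forking": True,
     "forks_count": 120, "collaborators": [
         {"login": "alice", "permission": "write"}]},
    {"name": "infra-as-code", "private": True, "allow_forking": False,
     "forks_count": 0, "collaborators": [
         {"login": "carol", "permission": "maintain"}]},
]


def audit(org: Dict, repos: List[Dict], max_admins: int = 2) -> List[str]:
    """Return one finding per policy violation; an empty list means clean."""
    findings = []
    # MFA must be enforced at the organization level, not left to individuals.
    if not org.get("two_factor_requirement_enabled"):
        findings.append(f"{org['login']}: two-factor authentication not required")
    for repo in repos:
        name = repo["name"]
        # A private repo that permits forking is the inadvertent-leak path.
        if repo["private"] and repo.get("allow_forking", True):
            findings.append(f"{name}: private repository allows forking")
        # Any existing fork of private code has to be justified or removed.
        if repo["private"] and repo.get("forks_count", 0) > 0:
            findings.append(f"{name}: {repo['forks_count']} fork(s) of private code to review")
        # Least privilege: cap the number of admin-level collaborators.
        admins = [c["login"] for c in repo.get("collaborators", [])
                  if c["permission"] == "admin"]
        if len(admins) > max_admins:
            findings.append(f"{name}: {len(admins)} admins ({', '.join(admins)}) "
                            f"exceeds limit of {max_admins}")
    return findings


if __name__ == "__main__":
    for line in audit(ORG, REPOS):
        print(line)
```

Public repositories are deliberately left alone by the forking check, since forking public code is expected; only private code is held to the no-fork rule.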
For organizations developing software, source code is their most valuable asset – it’s what drives user growth and adoption. Far more than plans or trade secrets, source code is, quite literally, a software company’s intellectual property. Repositories are being used to manage configurations for downstream continuous integration/continuous delivery (CI/CD) pipelines and infrastructure as code. Not only does this further validate the critical necessity of securing SCMs, it also means we must begin to think beyond securing just source code, as we rocket into the era of everything as code.
Change is the Only Constant
Nowadays, every company is a software company, and both the source code itself and the SCMs that hold it grow every day. Challenges exist in the sheer amount of code that needs to be protected, and also in the battle for development and security talent. Constantly changing teams require ongoing updates to access control rules, and the difficulty of finding and retaining security talent exacerbates the inherent SCM challenges of protecting source code while accelerating release schedules and making them more efficient. Much like the focus of IT security has recently shifted from the firewall to the identity and access management (IAM) provider, we expect everything as code will shift the focus of application security from runtime protection and testing to the SCM itself.