DevSecOps code process

Read Time:5 Minute, 56 Second

Best practices

In the first article in this series we covered the basics. In the second article about the planning process, we covered how developers incorporate security at the beginning of their project. This article explores DevSecOps during the Continuous Integration (CI) phase of the coding process and how to protect the code from supply chain attacks, license issues, and theft. Developers are advised during planning to use secure coding best-practices during the coding process.

The focus of DevSecOps in the coding process switches to securing the source code developers write. Code is stored in a centralized repository where it is now the single source of truth. From the repository, code can be retrieved and modified by other developers and automation tools.

What is a source code repository?

A source code repository “repo” is a centralized file storage location that uses a revision control system to retain the history of file changes and comments from the developers on why changes were made.  Repos also allow collaboration within a team of developers who are working on the same project while being protected from overlapping or conflicting changes. Developers have a choice of which repo to use based on requirements and purpose of the software they’re building. For example, a public repo would be appropriate for open source (FOSS) while a private repo may be needed to protect the proprietary software code “crown jewels” of the business.

Public versus private repo

Software as a Service “SaaS” repo websites like Github, Gitlab, and Bitbucket are examples of public repos where people can store a project, collaborate, and share with others around the world. Because public repos are accessible from the Internet, they are designed primarily to be available to everyone.

Private repos in services like Azure DevOps (can be public or private) or an on-premises setup of Gitlab offer additional layers of security but also come with more administrative overhead. Network security controls like virtual private network (VPN) access, firewalls, data loss protection (DLP) systems, and intrusion detection / protection systems protect the private repo from malicious activity. The overhead of managing and administering the private repo platform falls on the company.

In addition to administering system level security, the company must also maintain patches, version upgrades, and availability to protect the repo. The benefit is increased security and privacy because the repo should be accessible only to those within the company. The following sections are additional layers of security to consider when implementing for all repos.

Authentication and authorization

Authentication verifies who the requester is and authorization defines what the requester has access to. Access to the repo for a project should operate with the principal of least privilege. In other words, only the developers and tools that need access to the repo are authorized. In most cases, the project owner will approve or deny all user access requests to the repo. The owner can also grant the necessary permissions based on the type of user.

For example, an auditor may only need read-only access while a developer would need to add or modify items in the repository. For private repos, DevSecOps recommends authentication be integrated into the company’s single sign-on (SSO) platform and multifactor authentication (MFA) will provide a stronger measure of protection against password attacks.

Source code branching

A project in the repo most likely has several user stories that multiple developers are working on to deliver the application. The “main” branch of source code in the repo represents the “single source of truth”.

When a developer creates a feature branch, they are taking a snapshot of the code in the main branch and creating a copy to work on with their user story. When the developer completes the coding for the user story, they can merge their feature branch into the main branch.

Main branches aren’t always the best version of the software to send into production. Release branches are a snapshot of the main branch and dedicated to delivering a specific version of the application to production. Release branches offer additional control and can help with applying hot fixes for bugs or adding temporary features that may not need to be in the main branch.

Hot fixes are used to quickly solve a problem identified in production. They can also use a branching strategy to give developers time and flexibility while still quickly solving the problem. Hot fix branches make it easy to deliver a targeted resolution to a specific issue or vulnerability. For a temporary hot fix, the hot fix branch does not have to be merged into the next release. This often happens when a more long-term solution is being developed.

Pull requests

Merging from a feature branch into the main branch should be restricted from happening without a pull request. A pull request is a tool in repos that announces a desire by the developer for others on the team to review the changes they made. Other developers review the changes made and can send feedback for additional changes or approve the request to merge the code into the main branch. Once the peer review is complete, the pull request is approved, and the feature branch code is merged into the main branch to create a new “single source of truth”. After the merge is complete, the feature branch can be deleted.

Forking

There may be times when a developer wants to take the source code of an application and use it for an entirely different project than its original intention. In this case, the developer can create a new repo by forking (making a copy) the main branch from the current repo for the new project.

This is acceptable in the FOSS community because it fosters innovation and allows faster delivery of projects by reusing snippets of code. It also carries risks that malicious actors can create supply chain attacks through forking. Also, forking does not free the developer from the original license. For private repos, DevSecOps recommends that forking is disabled to prevent software code theft.

Source code separation

Not all applications have the same security requirements, which is based on the risk associated with the application source code. An application that is critical to revenue generation in the business may need more security than an informational website. The critical application may need to be hosted in a separate project or an entire source code repo platform can be created with separate authentication and authorization. The DevOps and DevSecOps models can support multiple repos and projects for however the business needs to adjust.

Next steps

The decision for which software repository platform to use depends on several criteria including public or private, automated workflows, and seamless transitions that help the developer with their user story. Automation and easy to use security tools also promote DevSecOps and improve the security quality of code. Combined with continuous security training for developers, using the repo security features will protect companies from supply chain attacks, licensing issues, and code theft. The next step is to compile the code into a package or artifact using the build process.

Read More

3 biggest cyber risks from the Ukraine-Russia conflict

Read Time:38 Second

The invasion of Ukraine by Russia is reason enough for all CISOs to place their teams at a heightened state of alert and readiness in the event of deleterious cyber actions by nation-state actors or the cybercriminal groups. Three areas that should be reviewed immediately are preparation for cyberattacks, supply chain disruption, and business continuity concerns.

U.S. preparing offensive cyber measures?

NBC News reported on February 24, that the White House had been provided a plethora of cyber options which could be used against Russia, which included disrupting the internet, attacking infrastructure and transportation networks, which was sourced to “two U.S. intelligence officials, one Western intelligence official, and another person briefed on the matter.”

To read this article in full, please click here

Read More

CVE-2020-36510

Read Time:11 Second

The 15Zine WordPress theme before 3.3.0 does not sanitise and escape the cbi parameter before outputing it back in the response via the cb_s_a AJAX action, leading to a Reflected Cross-Site Scripting

Read More

Previously Unseen Backdoor Bvp47 Potentially Victimized Global Targets

Read Time:2 Minute, 10 Second

FortiGuard Labs is aware of a report by Pangu Lab that a new Linux backdoor malware that reportedly belongs to the Equation group was used to potentially compromise more than 200 organizations across over 40 countries around the globe. The Equation group is regarded as one of the most highly skilled threat actors, which some speculate have close connections with National Security Agency (NSA). The threat actor is also reported have been tied to the Stuxnet malware that was used in 2010 cyber attack on a nuclear centrifuge facility in Iran.Why is this Significant?Bvp47 is a previously undiscovered backdoor malware that was reportedly used in cyber attacks carried out by the Equation group. According to the report and information available in the documents that presumably leaked from the Equation group, over 200 organizations spread across more than 40 countries may have been infected with the Bvp47 malware.The Bvp47 file called out in the report was first submitted to VirusTotal in late 2013, which indicates that Bvp47 was used and undiscovered for close to a decade.How was the Connection between the Bvp47 malware and the Equation Group Established?Pangu Lab concluded that Bvp47 belongs to the Equation group because one of the folders included in the documents leaked by the Shadow Brokers in 2017 contained a RSA private key required by Bvp47 for its command execution and other operations.What is the Shadow Brokers?The Shadow Brokers is a threat actor who claimed to have stolen highly classified information from the Equation group in 2016. The stolen information includes zero-day exploits, operation manuals and description of tools used by the Equation group. The Shadow Brokers then attempted to sell the information to the highest bidder. After no one purchased the information, The threat actor released the information to the public after the auction attempt failed.One of the most famous exploits included in the leaked documents is EternalBlue. Within a few weeks of the leak, EternalBlue was incorporated in Wannacry ransomware which caused global panic in 2017.What are the Characteristics of Bvp47?Bvp is a Linux backdoor that performs actions upon receiving commands from Command and Control (C2) servers.Because the Bvp47 framework is incorporated with components such as “dewdrops” and “solutionchar_agents” that are included in the Shadow Brokers leaks, the backdoor is for mainstream Linux distributions, FreeBSD, Solaris as well as JunOS,.Bvp47 also runs various environment checks. If the requirements are not met, the malware deletes itself.What is the Status of Coverage?FortiGuard Labs provide the following AV coverage against Bvp47:ELF/Agent.16DC!tr

Read More

F5 Releases August 2021 Security Advisory Including Critical CVE-2021-23031

Read Time:3 Minute, 40 Second

FortiGuard Labs is aware that F5 released a security advisory on August 24th about vulnerabilities affecting multiple versions of BIG-IP and BIG-IQ. The US Cybersecurity and Infrastructure Security Agency (CISA) published an advisory the next day urging the customers to apply the fixes or put necessary mitigations in place. Of the 13 vulnerabilities that are rated high by the vendor, CVE-2021-23031 is given the highest CVSS score of 8.8 out of 10 and affects BIG-IP Advanced WAF and Application Security Manager (ASM). When abused, the vulnerability allows “an authenticated attacker with access to the Configuration utility can execute arbitrary system commands, create or delete files, and/or disable services,” which may result in the attack gaining complete control of the system. However, the CVSS score and rating jumps to 9.9 and Critical, respectively, when the products are running in Appliance mode. As Appliance mode is described as ” designed to meet the needs of customers in especially sensitive sectors”, CVE-2021-23031 requires additional attention and care.When Did the Vendor Post the Advisory?The vendor released the advisory on August 24th, 2021.What is the Breakdown of the Advisory?The advisory has 13 high vulnerabilities, 15 medium vulnerabilities, 1 low vulnerability and 6 security exposures affecting multiple versions of BIG-IP and BIG-IQ. However, high rating for CVE-2021-23031 is elevated to critical when the affected products are running in Appliance mode.For more details, see the Appendix for a link to “K50974556: Overview of F5 vulnerabilities (August 2021)”What is the Result of Successful Exploitation of CVE-2021-23031?Successful exploitation allows “an authenticated attacker with access to the Configuration utility can execute arbitrary system commands, create or delete files, and/or disable services.” In the worst case scenario, the vulnerability enables the attack to take complete control of the system.What are the Technical Details of CVE-2021-23031?The advisory does not offer much technical details, nor why there are two separate ratings for the vulnerability other than the 9.9 rating applies to “the limited number of customers using Appliance mode.”For more details, see the Appendix for a link to “K41351250: BIG-IP Advanced WAF and BIG-IP ASM vulnerability CVE-2021-23031″What is Appliance Mode?The following is provided by F5 in regard with Appliance mode:BIG-IP systems have the option of running in Appliance mode. Appliance mode is designed to meet the needs of customers in especially sensitive sectors by limiting the BIG-IP system administrative access to match that of a typical network appliance and not a multi-user UNIX device.For more details, see the Appendix for a link to “K12815: Overview of Appliance mode”.How Does That Affect Overall Severity of CVE-2021-23031?Combining the facts that the vulnerability allows an authenticated attacker to take complete control of the system, the CVSS score is 9.9 when the affected products are running in Appliance mode. Since Appliance mode is designed especially for sensitive sectors, the actual severity could be even higher.What Products Are Vulnerable to CVE-2021-23031?BIG-IP Advanced Web Application Firewall (WAF) and Application Security Manager (ASM) are vulnerable to CVE-2021-23031.Which Versions of WAF and ASM Are Vulnerable to CVE-2021-23031?The following versions are listed as vulnerable per F5:16.0.0 – 16.0.115.1.0 – 15.1.214.1.0 – 14.1.413.1.0 – 13.1.312.1.0 – 12.1.511.6.1 – 11.6.5Is the Vulnerability Exploited in the Wild?At the time of this writing, FortiGuard Labs is not aware of the vulnerability being exploited in the wild.FortiGuard Labs will continue to monitor the situation and provide updates as they become available.Is There Any Mitigation for CVE-2021-23031?According to the advisory, “the only mitigation is to remove access (to the Configuration utility) for users who are not completely trusted”.Has the Vendor Released Patches for the Vulnerabilities in their August 2021 Advisory?Yes, the vendor has released patches for all vulnerabilities listed in the advisory, including CVE-2021-23031.What is the Status of Coverage?As this time of writing, there is not sufficient information and Proof-of-Concept code available for FortiGuard Labs to create protections.FortiGuard Labs will continue to monitor the situation and provide updates as they become available.

Read More

ProxyToken (CVE-2021-33766): Authentication Bypass in Microsoft Exchange Server

Read Time:1 Minute, 53 Second

UPDATE 9/17 – An IPS signature has been released in definitions (18.160) as “MS.Exchange.Server.SecurityToken.Authentication.Bypass”FortiGuard Labs is aware of a new disclosure dubbed PROXYTOKEN, which is an authentication bypass in Microsoft Exchange server. The vulnerability was reported by security researcher Le Xuan Tuyen of the Zero Day Initiative (ZDI) in March 2021, and patched by Microsoft in the July 2021 release.Assigned CVE-2021-33766, this vulnerability allows an unauthenticated attacker to configure actions on mailboxes belonging to arbitrary users on the mail server. An example of this usage allows the threat actor to forward all emails addressed to an arbitrary user and forward them to an attacker controlled account.What are the Technical Details of this Vulnerability?Microsoft Exchange server creates two reference sites in IIS, one listening on port 80 HTTP and the other port 443 HTTPS. These pages are known as the Exchange Front End, and the Exchange Back End runs on port 81 HTTP and port 444 for HTTPS respectively. The front end is essentially a proxy to the back end. When forms require authentication, pages are served via /owa/auth/logon/aspx. Essentially, the issue lies when an Exchange specific feature called “Delegated Authentication” is deployed, the front end is unable to perform authentication on its own and passes each request directly to the back end and ultimately relies on the back end to determine if the incoming request is properly authenticated.Is there a Patch Available?Yes. Microsoft has released patches for this in the July 2021 release.What is the Status of Coverage?Customers running the latest definitions are protected by the following IPS signature:MS.Exchange.Server.SecurityToken.Authentication.BypassWhat Products are Affected?Microsoft Exchange Server 2019, 2016, 2013 are affected.Any Other Suggested Mitigation?Disconnect vulnerable Exchange servers from the internet until a patch can be applied.Due to the ease of disruption and potential for damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), etc., it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed, and updated to protect against attackers establishing a foothold within a network.

Read More

CVE-2021-21708

Read Time:25 Second

In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result it crashes, and potentially in overwrite of other memory chunks and RCE. This issue affects: code that uses FILTER_VALIDATE_FLOAT with min/max limits.

Read More

News, Advisories and much more

Exit mobile version