Developers are increasingly under attack from the tools they use to collaborate and produce code – such as Docker, Kubernetes and Slack – as cybercriminals and nation-state actors aim to gain access to the valuable software on which developers work daily.
For example, an attacker claimed on September 18 that he used stolen Slack credentials to access and copy more than 90 videos depicting early development of Grand Theft Auto 6, a popular game from Take-Two Interactive’s Rockstar Games. And a week earlier, security firm Trend Micro discovered that attackers were systematically looking for and trying to compromise misconfigured Docker containers.
None of the attacks involved vulnerabilities in the software, but security errors or misconfigurations are not uncommon on the part of developers, who often do not take the necessary care to secure their attack surface area. says Mark Loveless, security engineer at GitLab, a DevOps platform provider.
“A lot of developers don’t see themselves as targets because they think the finished code, the end result, is what attackers are looking for,” he says. “Developers often take security risks, such as setting up test environments at home or removing all security controls, so they can try new things, in an effort to add value. safety later.”
He adds: “Unfortunately, these habits reproduce themselves and become a culture.”
Attacks against the software supply chain – and the developers who produce and deploy software – have increased rapidly over the past two years. In 2021, for example, attacks aimed at compromising developer software – and the open source components widely used by developers – increased by 650%, according to the “2021 State of the “Software Supply Chain” report, published by the software security company Sonatype.
Development pipelines and collaboration in sight
Overall, security experts say the fast-paced continuous integration and deployment (CI/CD) environments that form the foundations of DevOps-like approaches pose significant risks, as they are often overlooked when is to implement enhanced security.
This affects a variety of tools used by developers in their efforts to create more efficient pipelines. Slack, for example, is the most popular synchronous collaboration tool used by professional developers, with Microsoft Teams and Zoom coming in second and third place, according to the StackOverflow 2022 Developer Survey. developers use Docker and another quarter use Kubernetes during development, according to the survey.
Breaches of tools like Slack can be “nasty” because these tools often perform critical functions and typically only have perimeter defenses, said Matthew Hodgson, CEO and co-founder of messaging platform Element, in a statement sent to Dark Reading.
“Slack isn’t end-to-end encrypted, so it’s as if the attacker has access to all of the company’s knowledge,” he said. “A real fox situation in the chicken coop.”
Beyond Misconfigurations: Other Security Issues for Developers
It should be noted that cyber attackers do not just look for misconfigurations or lax security when it comes to prosecuting developers. In 2021, for example, a threat group’s access to Slack through the gray market purchase of a login token led to a breach by gaming giant Electronic Arts, allowing cybercriminals to copy nearly 800 GB of source code and company data. And a 2020 survey of Docker images found that more than half of the latest releases had critical vulnerabilities that put any container-based application or service at risk.
Phishing and social engineering are also plagues in the sector. Just this week, developers using two DevOps services – CircleCI and GitHub – were targeted by phishing attacks.
And, there is no evidence that the attackers targeting Rockstar Games exploited a vulnerability in Slack – only the claims of the alleged attacker. Instead, the social engineering was likely a way to circumvent security measures, a Slack spokesperson said in a statement.
“Enterprise-grade security in identity and device management, data protection, and information governance is built into every aspect of how users collaborate and work in Slack,” the spokesperson said, adding: “These [social engineering] The tactics are becoming more commonplace and sophisticated, and Slack recommends that all customers have strong security measures in place to protect their networks from social engineering attacks, including security awareness training. »
Slow security improvements, more work to do
Developers have accepted security only slowly, however, as application security professionals demand better controls. Many developers continue to leak “secrets” – including passwords and API keys – in code sent to repositories. Thus, development teams should focus not only on protecting their code and preventing the import of untrusted components, but also on ensuring that the critical capabilities of their pipelines are not compromised, says GitLab’s Loveless .
“All of the zero-trust part, which is generally identifying people and things like that, there should also be the same principles that should apply to your code,” he says. “So don’t trust the code, it needs to be verified. Having people or processes in place who assume the worst – I’m not going to trust it automatically – especially when the code is doing something critical, like building a project. “
Additionally, many developers are still not using basic measures to strengthen authentication, such as using multi-factor authentication (MFA). However, there are changes underway. Increasingly, the various open source software ecosystems have all started to require large projects to adopt multi-factor authentication.
In terms of which tools to focus on, Slack has garnered attention due to the latest major flaws, but developers should strive for a basic level of security screening across all of their tools, Loveless says.
“There are ebbs and flows, but that’s all that works for forwards,” he says. “In my experience of wearing all kinds of different colored hats, as a striker you’re looking for the easiest way in, so if another way becomes easier then you say, ‘I’ll try. that first. “”
GitLab has seen this leader tracking behavior in its own bug bounty programs, Loveless notes.
“We see that when people submit bugs, suddenly something – a new technique – is going to become popular, and a whole bunch of submissions resulting from that technique will come in,” he says. “They definitely come in waves.”