Developers with Credential and Secrets management support Secure development starts with access protection
Organizations increasingly rely on agile software development and DevOps models to drive innovation and improve business performance. However, safety must not fall by the wayside. And it should not be an add-on, but must be an integral part.
Companies on the topic
In software development, more and more access data is generated and shared across networked systems.
(© tippapatt – stock.adobe.com)
Companies continue to underestimate security in agile development and DevOps deployments. They ignore the fact that this increases the attack surface for cyber attacks, if only because more access data is generated and shared across networked systems.
Such access data and credentials include API and SSH keys, secrets of containers or embedded passwords in program code, which is often also located in central or even publicly accessible repositories. In the hands of an external attacker, these confidential credentials pose a significant security threat, as they can ultimately allow complete control over a company’s IT infrastructure.
This awareness of the dangers has often yet to be developed on the company side – the recommendation is: Think like an attacker. And in addition, supporting security solutions must also be used that relieve the developers.
Security must always be an integral part of all process steps in agile development and the DevOps landscape: from the design phase through development and testing to the rollout of an application. In order to ensure high security and quality of the applications, two points are of high relevance: code analysis and the securing of credentials, which are available in the form of passwords, tokens or API keys, for example.
For code analysis, numerous automation tools are available for problem identification during operations or procedures. They are indispensable, since people can also make mistakes, even if only fleeting ones.
Using API keys correctly
However, the typical point of attack and thus the greatest security risk are the credentials, such as the API access keys used programmatically by applications and services. Among other things, they are used for access validation in automation tools that are used to provisioning a container or making changes in the cloud environment, such as stopping and starting a server.
The basic problem here is that credentials are often stored statically, such as stored in code or stored in repositories such as GitHub. The solution must therefore be: Generate credentials dynamically and load them only at runtime.
Based on the API key usage, this results in the following procedure: Starting the function call, handing over the credentials and checking the authorization, for example for application or database access. For the storage and management of access data and API keys, a digital data vault (vault), i.e. a specially “hardened” server, offers reliable protection against unauthorized access with several different security layers.
Cloud accounts as a source of danger
Cloud usage is also closely related to DevOps models, such as the use of cloud-based source code repositories. In order to eliminate security risks when using cloud services, companies must adequately manage, secure and monitor access data to cloud management consoles and portals.
With a single cloud solution, identity and Access management (IAM) functions, multi Factor Authentication (MFA) and key management stores (KMS) can in principle be used in the respective cloud itself. For a multi-cloud solution, on the other hand, companies should use a credential and secrets management solution that is independent of a specific cloud solution and centrally regulates access to credentials.
The agile development and use of DevOps models brings companies significant benefits such as reducing costs or increasing flexibility and scalability. And safety does not have to be neglected. However, an elementary prerequisite is that security is an elementary component of the process chain from the beginning and that all login data is reliably protected.
* Christian Goetz is Director of Presales DACH at CyberArk.