Kong announced Kong Konnect Dedicated Cloud Gateways, the simplest and most cost-effective way to run Kong Gateways in the cloud fully managed as a service and on enterprise dedicated infrastructure.
DevSecOps Begins at the Application Layer
February 19, 2019
In the fast-moving world of DevOps, security sometimes got left by the wayside on the way to the next iteration. But today's threat landscape is so perilous that developers need to have solid security top of mind as they design and build applications. This includes features like user authentication, digital signatures, and encryption.
Learning from Insecurity at Uber
Uber's operating procedures provide many cautionary tales, but this one gives a vivid description of why security is needed at every level and what can go wrong if it is not in place. An Uber software developer stored a service credential in application code to access sensitive information from the database. He then stored the code in a private repository in GitHub.
Including service credentials – a "shared secret" – inside software would, in itself, have been a violation of security best practices, since these can be compromised in many places besides the GitHub repository. This would include testing environments, staging machines and, of course, the production infrastructure itself.
Here's the rub: GitHub wanted software developers to protect their repositories from unauthorized access, so it had already implemented FIDO-based strong authentication. Despite the deployment of one of the strongest authentication protocols in the industry, GitHub neither encourages its users to sign up nor sign in with FIDO technology. Consequently, the Uber software developer used one or more shared secrets – username/password, one-time passcodes, etc. – to authenticate to the Uber repository.
But wait – there's more. Uber also automatically deployed its applications into Amazon Web Services (AWS) using yet another shared secret: an application programming interface (API) key with a secret key – in other words, a username and password.
The result was a perfect storm of insecure practices: using passwords to store software in a repository, containing passwords to access a protected database, using passwords to automatically deploy applications into the public cloud. It all eventually led to the compromise of sensitive data. Uber suffered a breach of 57 million passenger and driver records in 2016.
Security at the Application Level
This story included many security faux pas, but malicious actors only need to find one. FIDO's multiple uses make it an ideal security option. Though FIDO protocols were primarily designed to enable strong authentication to web applications, they can also support transaction authorization. Sadly, as noted above, organizations are apparently not using either feature in any consistent, meaningful way.
This leads to unnecessary losses. FIDO protocols not only have the potential to strengthen transaction security, but they eliminate the password nightmare that end-users go through while protecting them and web applications from many attacks on the internet.
Ransomware is a prime example of why organizations need application security. Such attacks work because applications allow authenticated users to modify files – encrypting them and deleting the original file – without secondary authentication and/or authorization. Consequently, malware executing on users' computers do so with full privileges of the user. FIDO digital signatures change that framework, leading to higher levels of security.
An additional security measure at this point is transaction-level authorization to not only deter transaction fraud but also to protect against ransomware. The protocols are available today; the tools are available now. All that is required is the resolve to implement these measures.
Laying a Secure Groundwork
One of the reasons bad actors continue their successful streak of data breaches is that organizations are still operating on the mistaken assumption that it is easier to deter "barbarians at the gate" than to protect sensitive data in the application. As a result, companies over-invest in network-based security tools – firewalls, anti-virus, malware detection, intrusion prevention, etc. – rather than also invest in the control mechanism that provides the highest level of data-protection: application-level encryption.
By adding application-level encryption from the ground up, software developers serve their users well. While some risk can be reduced by using FIDO-based strong authentication controls, reasonable data security requires multiple controls to deter attackers – a practice the security industry terms as "defense in depth."
The most secure data protection a company can hope to implement, without eliminating sensitive data from a system, involves encrypting and decrypting data within authorized applications (combined with a hardware-backed cryptographic key management system). Adding FIDO-based strong authentication creates a high level of risk mitigation. By building these security measures in from the start, DevSecOps professionals lay the groundwork for maximum-strength protection where it counts most.
Industry News
September 28, 2023
Sisense unveiled the public preview of Compose SDK for Fusion.
September 28, 2023
Cloudflare announced Hyperdrive to make every local database global. Now developers can easily build globally distributed applications on Cloudflare Workers, the serverless developer platform used by over one million developers, without being constrained by their existing infrastructure.
September 27, 2023
Kong announced full support for Kong Mesh in Konnect, making Kong Konnect an API lifecycle management platform with built-in support for Kong Gateway Enterprise, Kong Ingress Controller and Kong Mesh via a SaaS control plane.
September 27, 2023
Vultr announced the launch of the Vultr GPU Stack and Container Registry to enable global enterprises and digital startups alike to build, test and operationalize artificial intelligence (AI) models at scale — across any region on the globe. \
September 27, 2023
Salt Security expanded its partnership with CrowdStrike by integrating the Salt Security API Protection Platform with the CrowdStrike Falcon® Platform.
September 26, 2023
Progress announced a partnership with Software Improvement Group (SIG), an independent technology and advisory firm for software quality, security and improvement, to help ensure the long-term maintainability and modernization of business-critical applications built on the Progress® OpenEdge® platform.
September 26, 2023
Solace announced a new version of its Solace Event Portal solution that gives organizations with Apache Kafka deployments better visibility into, and control over, their Kafka event streams, brokers and associated assets.
September 26, 2023
Reply launched a proprietary framework for generative AI-based software development, KICODE Reply.
September 26, 2023
Harness announced the industry-wide Engineering Excellence Collective™, an engineering leadership community.
September 25, 2023
Harness announced four new product modules on the Harness platform.
September 25, 2023
Sylabs announced the release of SingularityCE 4.0.
September 25, 2023
Timescale announced the launch of Timescale Vector, enabling developers to build production AI applications at scale with PostgreSQL.
September 21, 2023
Check Point® Software Technologies Ltd. has been recognized as a leader in The Forrester Wave™: Zero Trust Platform Providers, Q3 2023 report.
September 21, 2023
Red Hat and Oracle announced the expansion of their alliance to offer customers a greater choice in deploying applications on Oracle Cloud Infrastructure (OCI). As part of the expanded collaboration, Red Hat OpenShift, the industry’s leading hybrid cloud application platform powered by Kubernetes for architecting, building, and deploying cloud-native applications, will be supported and certified to run on OCI.
