The SolarWinds digital supply chain attack began by compromising the “heart” of the CI/CD pipeline and successfully changing application code. It highlighted the major challenges organisations face in securing their applications across the software development life cycle. It’s also driving increased attention at the highest levels of enterprise and government.
As organisations in Australia look to strengthen their digital supply chain and protect the applications they develop and use, many are focusing on application secrets. That being, privileged account credentials, passwords, certificates, SSH keys, API keys or encryption keys that act as a key to unlock protected resources or sensitive information in these applications
These non-human privileged credentials automatically gain real-time access and permissions to any resources belonging to the owner of the secret. Cyber attackers understand this, making them ripe targets for unrestricted privileged access to sensitive systems. A cyber attack targeting secrets can often spread far beyond the scope of the initial breach.
Cloud-native apps expand security needs
Many organisations today are taking a cloud-native approach to building, testing and deploying new applications – whether front or back office, consumer facing, web or mobile. By embracing DevOps methodologies and automation, they’re quickly moving along the digital maturity curve.
As applications are increasingly built using microservices and run in dynamic, short-lived containerised environments, everything needs to interact with each other – sharing secrets and credentials to securely access resources. The result: a lot more secrets that need to be secured.
What’s more, the powerful DevOps and automation tools developers use to build applications, such as Jenkins and Ansible, store massive amounts of credentials and secrets within them. This allows the projects, playbooks and scripts managed by these mission-critical “Tier 0” assets to access other tools, services and platforms. All of these tools also require high levels of privilege.
No problem… right? However, the ability to secure credentials and secrets often lags behind the rapid implementation of DevOps, making the enterprise increasingly vulnerable. In the worst case, the ‘technical debt’ of unsecured secrets and credentials in code increases with every release.
So many applications, so little time, no standard approach
But, of course, it’s more than just cloud-native apps. Most enterprises have many different application types in their portfolio: some legacy apps, newer apps written using .NET, for example, and even mainframe applications.
It’s becoming clear that building a strong modern IT infrastructure hinges on an organisation’s ability to secure all application types – from the back office mainframe running high volume transactions on z/OS, to Kubernetes apps running across multiple cloud regions – at the speed of business, and at scale.
That’s easier said than done, however. Today’s developer culture emphasises high velocity, intensive sharing of code, ad-hoc tooling and full-on automation – all of which can introduce new vulnerabilities such as exposed secrets and code injection.
Meanwhile, threat actors are growing in sophistication and precision, targeting applications and development environments and zeroing in on unprotected credentials and secrets with increasing ease to hijack IT resources or steal data or code. Even the most secure RPA workflows and DevOps pipelines have tiny cracks if you know how to find them.
How can time and resource constrained security teams possibly find and secure all of these applications and secrets, let alone protect new ones being created each day in these dynamic environments?
Many end up taking a piecemeal approach, securing secrets in one platform or tool with a secrets management solution, while using a different method to secure secrets in another area.
Without a standardised approach to secrets management, teams are left juggling many different moving pieces. As soon as one issue is resolved, another one pops up.
Secure all application types
It’s critical to secure cloud-native, containerised apps and DevOps environments in a centralised way. By doing so, organisations can centrally secure, manage and audit privileged credentials and secrets used by non-human identities anywhere.
This includes centralising cloud-native applications, CI/CD and DevOps tools, internally developed applications, commercial-off-the-shelf (COTs) apps, RPA software bots and automation platforms.
By taking a centralised approach, mission-critical applications running at scale can securely access high-value resources, including databases and IT infrastructure. This reduces operational complexity and drives business agility – all while shrinking the attack surface.
The right place to start
Putting a plan in place to secure the rapidly expanding number and types of applications across your organisation can feel daunting – but it doesn’t have to. Take advantage of tools that help you prioritise and focus on your most important unsecured apps first, achieve “quick wins” in reducing risk and accelerate your efforts by being more strategic.
Become consistent about secrets management to keep your applications safe and prevent them from exposing the enterprise to unnecessary vulnerabilities.
Andrew Slavkovic is a solutions engineering manager of ANZ for CyberArk.