As a young man, I was given some advice that seemed too obvious to really be considered advice. It went something along the lines of, "If a person keeps a checkbook that's not accurate or up to date, don't hire them as your accountant..." As DevOps rises in popularity, I am reminded of this adage often.
In my practice, I am frequently asked about the security of DevOps. My response, while not always well received, is to answer the question with a question: “I don’t know; are your software and applications secure now?” DevOps doesn’t magically fix systemic problems; just as an accountant must understand the flow of the money and its intended use and lifecycle, understanding the flow of source code, its intended use and lifecycle, is equally important in DevOps. An organization with loose or no control over code release and configuration management processes will typically become worse with the move to DevOps.
When conducting Web assessments, I always search for sub-domains that look like they were put up quickly outside of normal release processes, since that usually means security was bypassed in the process. For example, I once found a site called “testing-today-do-not-delete.—website--.com.” The sub-domain had been there for several years and contained lots of production data, but absolutely no security. On another assessment I found a sub-domain advertising a contest give-away for tickets to a major sporting event that had taken place four years earlier. The site and its hosting software had not been updated since, and there were still plenty of vulnerabilities to be exploited.
One of the five tools I will demonstrate at InfoSec World is called dnsmap. I can point dnsmap at a URL and it will provide a list of associated sub-domains. Besides being a huge security exposure, orphaned or rogue sub-domains make a nice litmus test suggesting the answer to the question, “Are we ready for DevOps?”
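The litmus test described above can be automated against a domain you own. The script below is an added example, not code from the original post or from the dnsmap project: it re-implements the wordlist-resolution idea in a few lines and then applies a naming heuristic for hosts that look ad hoc ("test", "do-not-delete", an embedded year, "old"). The domain `example.com`, the wordlist, the fake zone and the rogue-name patterns are all constructed assumptions; the `resolve` argument is injectable so the block runs offline, and dropping it falls back to real DNS via `socket.gethostbyname`.

```python
"""Inventory sub-domains of a domain you own and flag ones that look like
they were stood up outside the normal release process.

Added example (not from the original post or the dnsmap project). Every
host name, address and pattern below is constructed for the demo.
"""
import re
import socket
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed sample wordlist; real tools ship thousands of candidates.
WORDLIST: List[str] = [
    "www", "api", "mail", "testing-today-do-not-delete",
    "contest2012", "staging", "old-portal", "dev",
]

# Constructed fake zone so the demo resolves offline (RFC 5737 test addresses).
FAKE_ZONE: Dict[str, str] = {
    "www.example.com": "192.0.2.10",
    "api.example.com": "192.0.2.11",
    "testing-today-do-not-delete.example.com": "192.0.2.50",
    "contest2012.example.com": "192.0.2.51",
    "old-portal.example.com": "192.0.2.52",
}

# Name fragments that mark hosts created outside a release process.
# These are assumptions; tune them to your organisation's naming habits.
ROGUE_PATTERNS: List[Tuple[str, str]] = [
    (r"(^|[-.])(test|testing|tmp|temp)([-.]|$)", "test/temporary host"),
    (r"do-?not-?delete", "manual 'do not delete' marker"),
    (r"(^|[-.])(old|legacy|backup|bak)([-.]|$)", "retired or backup copy"),
    (r"(19|20)\d{2}", "year embedded in the name (event or campaign site)"),
]


def fake_resolve(name: str) -> str:
    """Offline stand-in for socket.gethostbyname over the constructed zone."""
    try:
        return FAKE_ZONE[name]
    except KeyError:
        raise socket.gaierror(f"{name} does not resolve")


def enumerate_subdomains(domain: str, wordlist: Iterable[str],
                         resolve: Callable[[str], str] = socket.gethostbyname
                         ) -> Dict[str, str]:
    """Return {fqdn: address} for every wordlist candidate that resolves."""
    found: Dict[str, str] = {}
    for word in wordlist:
        fqdn = f"{word}.{domain}"
        try:
            found[fqdn] = resolve(fqdn)
        except OSError:  # gaierror/herror are OSError subclasses
            continue
    return found


def flag_rogue(names: Iterable[str], domain: str) -> List[Tuple[str, str]]:
    """Return (fqdn, reason) for names whose host part matches a rogue pattern."""
    flagged: List[Tuple[str, str]] = []
    suffix = "." + domain.lower()
    for name in names:
        lowered = name.lower()
        host = lowered[: -len(suffix)] if lowered.endswith(suffix) else lowered
        for pattern, reason in ROGUE_PATTERNS:
            if re.search(pattern, host):
                flagged.append((name, reason))
                break  # one reason per host is enough for triage
    return flagged


if __name__ == "__main__":
    inventory = enumerate_subdomains("example.com", WORDLIST, fake_resolve)
    for fqdn, reason in flag_rogue(inventory, "example.com"):
        print(f"{fqdn:45} {inventory[fqdn]:15} {reason}")
```

Run against a real domain by omitting the `resolve` argument and supplying a proper wordlist; anything flagged is a candidate for the "who owns this and when was it last patched?" conversation rather than a confirmed problem.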
Reviewing an application's JavaScript libraries for outdated versions by hand would be a tedious job, so the second of the five tools I will be demonstrating during my talk at InfoSec World is retire.js, an easy-to-use scanner that will automatically find and report outdated, risky libraries. I will show several different ways to run a retire.js scan, including how to integrate it into some current DAST tools and how to automate it as part of your continuous integration program.
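Automating retire.js in continuous integration comes down to turning its report into a pass/fail decision. The script below is an added example, not code from the original post or from the retire.js project. It assumes the report was written with `retire --outputformat json --outputpath retire.json` and has the v3-style shape (a top-level object whose `data` list holds one entry per scanned file, each with `results` carrying `component`, `version` and a list of `vulnerabilities` with a `severity`); the v2 bare-list form is also accepted. The embedded sample report, its file names, components, versions and findings are all constructed for the demo.

```python
"""Gate a CI build on a retire.js JSON report.

Added example (not from the original post or the retire.js project).
The report shape is an assumption documented in the lead-in; the sample
report and all of its findings are constructed.
"""
import json
import sys
from typing import List, NamedTuple, Tuple

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report in the assumed retire.js v3 JSON shape.
SAMPLE_REPORT = json.dumps({
    "version": "0.0.0-constructed",
    "data": [
        {"file": "static/js/vendor/jquery.js",
         "results": [{"component": "jquery", "version": "1.8.0",
                      "detection": "filecontent",
                      "vulnerabilities": [
                          {"severity": "medium",
                           "identifiers": {"summary": "constructed finding A"}},
                          {"severity": "low",
                           "identifiers": {"summary": "constructed finding B"}}]}]},
        {"file": "static/js/vendor/angular.js",
         "results": [{"component": "angular", "version": "1.2.0",
                      "vulnerabilities": [
                          {"severity": "high",
                           "identifiers": {"summary": "constructed finding C"}}]}]},
        {"file": "static/js/app.js", "results": []},  # clean file, no results
    ],
})


class Finding(NamedTuple):
    file: str
    component: str
    version: str
    severity: str
    summary: str


def parse_retire_report(text: str) -> List[Finding]:
    """Flatten a retire.js JSON report into one Finding per vulnerability."""
    report = json.loads(text)
    # v3 wraps entries in {"data": [...]}; v2 emitted the bare list.
    entries = report["data"] if isinstance(report, dict) else report
    findings: List[Finding] = []
    for entry in entries:
        for result in entry.get("results", []):
            for vuln in result.get("vulnerabilities", []):
                sev = str(vuln.get("severity", "")).lower()
                if sev not in SEVERITY_RANK:
                    sev = "high"  # unknown severity must not slip past the gate
                findings.append(Finding(
                    entry.get("file", "?"),
                    result.get("component", "?"),
                    result.get("version", "?"),
                    sev,
                    vuln.get("identifiers", {}).get("summary", ""),
                ))
    return findings


def gate(findings: List[Finding], threshold: str = "medium"
         ) -> Tuple[bool, List[Finding]]:
    """Return (passed, blocking) where blocking are findings at/above threshold."""
    floor = SEVERITY_RANK[threshold]
    blocking = [f for f in findings if SEVERITY_RANK[f.severity] >= floor]
    return not blocking, blocking


def main(argv: List[str]) -> int:
    # Usage: python retire_gate.py [retire.json] [threshold]; defaults demo the sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    threshold = argv[2] if len(argv) > 2 else "medium"
    passed, blocking = gate(parse_retire_report(text), threshold)
    for f in blocking:
        print(f"{f.severity:8} {f.component} {f.version}  {f.file}  {f.summary}")
    print("retire.js gate:", "PASS" if passed else f"FAIL ({len(blocking)} blocking)")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wire it in as a build step after the scan; a non-zero exit fails the pipeline, and raising the threshold argument lets a team burn down existing findings before tightening to `medium` or `low`.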
Whether you use these tools as an assessment of your internal controls or as a way to reduce risk, both are a great addition to an IT security assessment portfolio.
About the author: Mike Landeck, CISSP, PCSM is a Cyber Security Consultant for one of the world’s largest technology companies. Mike is a frequent conference speaker and workshop presenter focusing on such topics as software security testing and security program management. He will be presenting “The Five Best Open Source Web Testing Tools You’ve Never Heard Of and How to Use Them” at InfoSec World 2016.