As a young man, I was given some advice that seemed too obvious to really be considered advice. It went something along the lines of, "If a person keeps a checkbook that's not accurate or up to date, don't hire them as your accountant..." As DevOps rises in popularity, I am reminded of this adage often.

In my practice, I am frequently asked about the security of DevOps. My response, while not always well received, is to answer the question with a question: “I don’t know; are your software and applications secure now?”  DevOps doesn’t magically fix systemic problems; just as an accountant must understand the flow of the money and its intended use and lifecycle, understanding the flow of source code, its intended use and lifecycle, is equally important in DevOps. An organization with loose or no control over code release and configuration management processes will typically become worse with the move to DevOps.

To thoroughly evaluate an organization’s release and configuration management processes would require a lengthy and expensive audit. However, like an accountant with a mismanaged checkbook, there are some telltale signs that an organization’s release controls are not as tight as they should be. Two of my favorite tires to kick for a quick, non-intrusive assessment are the existence of rogue sub-domains and outdated JavaScript libraries. These two exposures can be quickly assessed using a few open source tools I will be demonstrating at InfoSec World 2016 this April in Orlando.

When conducting Web assessments, I always search for sub-domains that look like they were put up quickly outside of normal release processes since that usually means security was bypassed in the process. For example, I once found a site called “testing-today-do-not-delete.—website--.com.” The sub-domain had been there for several years and contained lots of production data, but absolutely no security. On another assessment I found a sub-domain advertising a contest give-away for tickets to a major sporting even that had taken place four years earlier. The site and its hosting software had not been updated since, and there were still plenty of vulnerabilities to be exploited.

One of the five tools I will demonstrate at InfoSec World is called dnsmap. I can point dnsmap at a URL and it will provide a list of associated sub-domains. Besides being a huge security exposure, orphaned or rogue sub-domains make a nice litmus test suggesting the answer to the question, “Are we ready for DevOps?”

My other favorite tire to kick when assessing an organization’s control over their releases and configurations is the existence of outdated third-party JavaScript libraries. JavaScript is code used by developers for efficiency. However, like most code, vulnerabilities are found over time and need to be patched. As an example, in 2007 a vulnerability was found in the popular jQuery library that allowed an attacker to execute “JavaScript Hijacking.” In spite of this being an easy (and free!) upgrade, even today there are sites that run this vulnerable code! The existence of this type of old library in new code is another sign indicating that an organization may need to get its house in order before embarking on DevOps.

While this kind of code review would be a tedious job manually, the second of the five tools I will be demonstrating during my talk at InfoSec World is retire.js, an easy-to-use scanner that will automatically find and report outdated, risky libraries. I will show several different ways to run a retire.js scan, including how to integrate it in to some current DAST tools and how to automate it as part of your continuous integration program.

Whether you use these tools as an assessment of your internal controls or as a way to reduce risk, both are a great addition to an IT security assessment portfolio.

About the author:  Mike Landeck, CISSP, PCSM is a Cyber Security Consultant for one of the World’s largest technology companies. Mike is a frequent conference speaker and workshop presenter focusing on such topics as software security testing and security program management. He will be presentingThe Five Best Open Source Web Testing Tools You’ve Never Heard Of and How to Use Them at InfoSec World 2016.