Exploring Microsoft’s DevOps Threat Matrix
Traditionally, apps were built first and secured second, but attacks are too frequent and severe for your company to continue operating this way. Instead, security professionals are recommending DevOps security, which can help you develop your apps with security integrated into the build. With application security tools, you can monitor your app’s vulnerabilities and fix them during development and after release to minimize your risk of attack.
The Need for DevOps Security
DevOps security, or development and operations security, is a strategy that addresses compliance and security during app development. Building applications with security in mind ensures that vulnerabilities and glitches in the code are addressed early, which minimizes the risk of potential exploits. The code is more cohesive and secure, which reduces the likelihood of misconfigurations that need patches and updates after release.
With the number of vulnerabilities increasing by over 1900 every month this year, organizations need to seriously consider their approach to building apps. One of the problems with building an app, often on a short deadline, and then worrying about patching vulnerabilities later is that you expose yourself to attack by having available weak points. Another potential problem is supply chain attacks.
A supply chain attack occurs when an attacker infiltrates your systems and plants malicious code that is transmitted to your customers via patches and updates. So, if you build an app with vulnerabilities that you must later fix, an attacker has two ways in. Either they can attack the customer through the app itself, or they can attack you and hide malware in your environment that will be transmitted to your customers through app updates. To mitigate this problem, your security and development teams need to have a logical and coordinated approach to threat management.
The DevOps Threat Matrix
DevOps has proven useful for getting well-made apps ready for release quickly, but without security built in, they have many potential exploits. Since apps require online access and connect the customer and the company that made it, they are very attractive targets for attack. If a weakness can be exploited, the attacker may be able to access either your data or your customer’s, or both.
To address this, Microsoft has categorized techniques and tactics for attack and mapped them to create a DevOps threat matrix. Some important points:
- Initial access. Attackers may use repositories, pipelines, and dependencies to infiltrate your app. Once inside, the next steps could include SCM authentication, CI/CD service authentication, access to an organization’s public repositories, endpoint compromise, or webhook configurations.
- Execution. Attackers may try to access your app’s execution pipeline and infect scripts. Some techniques include poisoned pipeline execution (PPE), direct PPE (d-PPE), indirect PPE (i-PPE), public PPE, and dependency tampering. Generally, execution tactics inject code into your organization’s repository or security environment. Execution techniques may exploit OS vulnerabilities or install malware on devices within the network.
- Persistence. Once an attacker has accessed your app, he may try to stay there. One method for doing this is to create new (secret) credentials to use later.
- Privilege escalation. When an attacker compromises your security, it is likely that he will attempt to give himself more privileges so as to access more information and make changes to permissions and credentials as desired.
- Credential access. Attackers will often try to access, steal, or change credentials. This creates opportunities to access more data and privileges.
- Lateral movement. Often, attackers are interested in finding new targets, which could be more of your data or your app build. Alternatively, it could be your customers’ data.
- Defense evasion. These techniques are used in conjunction with persistence. An attacker tries to stay inside your environment, so he may change your logs or change the compilation process.
- Impact. The resources that an attacker finds could be used for DDoS attacks or cryptocurrency mining. Resources could also be deleted during an attack either from the DDoS or ransomware.
- Exfiltration. In case they are kicked out, many attackers will copy your data and logs so they have your information even if they cannot access it through your network again.
This mapping is designed to help development and security teams to better understand how an attacker might operate so that they can create their app with precautions in mind. This will equip the app with protections against infiltration directly from initial release.
Protecting Against DevOps Threats
Evidently, there are quite a few threats you need to be thinking about. AppSec tools can help to detect or protect against some of these threats, providing you with peace of mind and protecting your app from infiltration. Automated application security testing can help identify vulnerabilities and make your app more resilient to attack.
You can filter traffic with WAFs and RASPs, which protect against exposure and suspicious activity. A software composition analysis can work with security testing to better identify potential exploits, and to begin creating an inventory of vulnerabilities, consider static and dynamic application security testing (SAST and DAST). Once you have found your app’s vulnerabilities, be sure to prioritize appropriately and patch as soon as possible.
Application development is on a tight schedule as the industry grows at a breakneck pace. To make the best use of your development team’s time and resources over the long term, integrate security protocols and Microsoft’s DevOps Threat Matrix. This can help you effectively prioritize possible security problems and fix vulnerabilities before an attacker finds and exploits them.
