VSHN.timer #128: Will Software Security Ever Become A National Concern?

14. Feb 2022

Welcome to another VSHN.timer! Every Monday, 5 links related to Kubernetes, OpenShift, CI / CD, and DevOps; all stuff coming out of our own chat system, making us think, laugh, or simply work better.

This week we’re going to talk about how slowly governments and industry are getting to grips with the next big threat of this 21st century.

But before we start, we’d like to ask you to participate in our DevOps in Switzerland Study 2022; we’re interested in knowing how DevOps is contributing to the digital transformation of our country, and besides the good karma, you’ll have the chance to win a prize!

1. After the White House organized an Open Source Security Summit with major software companies in January, the Swiss Federal Council has called for the creation of a Swiss Digital Administration to coordinate nationwide digital transformation efforts together with the National Cyber Security Centre. Whether these efforts will prevent security issues, like the leakage of private data of travelers online, remains to be seen.

https://www.admin.ch/gov/de/start/dokumentation/medienmitteilungen.msg-id-87029.html

2. We started 2022 with the Log4j fiasco, and followed with the corruption of NPM packages by a disgruntled developer. Even if executives being grilled in US Senate hearings insist that Open Source is not the problem, the writing is on the wall: right now, there is no way to properly prevent security issues in the software pipelines cranking out the code that makes our world go round, even if the Linux Foundation injects 10 million US dollars into yet another Open Source Security Foundation.

https://www.theregister.com/2022/02/09/secure_open_source_software/

3. The first line of defense against cyber threats is education. This is why we recommend that you register for and attend this 3-hour training “Zero Trust Security Fundamentals” by O’Reilly on March 15th (places limited!), and to top it off, check out this Kubernetes Policy Management whitepaper by the CNCF.

https://www.oreilly.com/live-events/zero-trust-security-fundamentals/0636920066250/0636920066249/

4. You think your CI/CD pipelines are safe from intrusion and tampering? Think again. The NCC Group published a summary of attack vectors in Jenkins, GitLab CI/CD, and even on Kubernetes: badly configured S3 buckets, privileged container execution, unprotected secrets… you name it.

https://research.nccgroup.com/2022/01/13/10-real-world-stories-of-how-weve-compromised-ci-cd-pipelines/

5. AWS can provide all the security guidelines it wants; humans will be humans. That’s precisely when another human, an ethical security researcher in this case, discovers thousands of open databases on AWS belonging to hospitals, crypto traders, banks, DevOps teams… A chilling story.

https://infosecwriteups.com/how-i-discovered-thousands-of-open-databases-on-aws-764729aa7f32

Do you do DevSecOps? How do you audit your software for security issues? Would you like to share your best practices with the community? Get in touch with us, and see you next week for another edition of VSHN.timer.

PS: would you like to receive VSHN.timer every Monday in your inbox? Sign up for our weekly VSHN.timer newsletter.

PS2: do you prefer reading VSHN.timer in your favorite RSS reader? Subscribe to this feed.

PS3: check out our previous VSHN.timer editions about Security: #8, #17, #22, #27, #32, #44, #54, #62, #76, #84, #93, #106, and #117.

Adrian Kosmaczewski

Adrian Kosmaczewski is in charge of Developer Relations at VSHN. He has been a software developer since 1996, a trainer, and a published author. Adrian holds a Master in Information Technology from the University of Liverpool.
