ValueOps – An AI-enabled DevSecOps with integrated security and compliance automation

U.S. Hacking incident, technique and impact (March 2021)

The #SolarWinds Orion Attack was so impactful that the U.S. Department of Homeland Security (#DHS) had to issue an emergency directive. The #SolarWinds Orion platform is used by 400+ of the #Fortune500 and many U.S. government agencies. The attackers managed to inject malicious code in an Orion application library, which was then shared into customer instances through software updates. Attackers were then able to forge access tokens that allowed them to impersonate existing users on the network, including privileged accounts. It’s estimated that about 18,000 customers received the contaminated updates, and that several dozen got breached. Those affected include #Microsoft, the U.S. Department of Homeland Security (#DHS), and #FireEye, a #cybersecurity vendor.

The malicious updates were first distributed back in March, which means the list of companies and agencies impacted by this attack will undoubtedly grow. The reputation damage and financial impact still to come from this event will likely be extensive. Over the next few months, many organizations will be dissecting this incident in an effort to protect their own businesses from similar attacks. 

Learning from hacking incidents

Generally, security is after though during design and in practice an isolated team is made responsible to scrutinize all designs from security aspects before proceeding further. Management is assured that “all is well” and therefore growing the concept of “Continuous security” is considered as “unwanted cost” to development cycle. We only learn from failures and in this case when hacking incident happened, we all took learnings from it.One key learning is the importance of #DevSecOps. Let’s take a look at how this could have been avoided with more sophisticated and mature #DevSecOps practices:

Behavior Analysis based Threat Detection

In this scenario a developer’s account is likely comprised and allowed the attacker to commit the code. If there was an abnormal behavior analysis in place to review access, they could have very likely detected when the attacker first logged in to the account. Signs such as an anomalous location, unusual timestamp, login attempts, or new IP address should have raised alarm bells with the appropriate stakeholders.

How #ValueOps can Help?

#ValueOps’ Abnormal Behavior Detection capability in its #AIOps module can identify any new behaviors like a login at an odd time, no. of login attempts, no. of commits, IP addresses involved. Below are examples of abnormal behavior detection based on commits and release process performance –

Software Supply Chain Governance through Policy Automation

The attacker probably acted on a file that was rarely updated by developers. Had other developers been reviewing pull requests, they should have noticed a change to a generally static file and performed a brief review of the changes. A quick review of the modifications should have made it blatantly obvious the HTTP connections to a Command-and-Control server were malicious.

Having overall #DevSecOps governance policies in place on peer review, security testing, thresholds, segregation of duties, pull requests, commits can help identify risks before they become issues and lead to security breaches. You need to both define these policies at an atomic level, automate the validation of these policies and have guardrails in place to stop release processes and alert stakeholders instantly.

How #ValueOps can help?

#DevSecOps and Compliance Policies are setup in #ValueOps to make sure appropriate Peer Reviews are in place with approved reviewers. Also to verify that pull requests are performed before merging to master. In addition, other policies like checking if #SAST, #DAST, #OSS Testing, Image / Container Scan are performed and at the right threshold, segregation of duties, proper commits with messages, linking of commits to stories / requirements, necessary approvals, branching can be configured and validated for every build, deployment and release process using #ValueOps’ Rules Engine.

Here is a screen shot of policies around pull requests and other topics being automated in #ValueOps for a business application / initiative –

#ValueOps provides many of these policies out of the box and new policies specific to a particular organization can also be applied using the policy (rules) editor.

Effective Use of Static Application Security Testing (#SAST)

Use of #SAST in the build and deployment process will help detect the backdoor code. Sometimes vulnerabilities like this can slip through if there are too many backlog items to be resolved from prior #SAST runs. It is important to be up to date with vulnerability remediation.

Also having guardrails in the #CI-CD process to stop the process when #SAST thresholds are not met is very important.

NIST 800-53 Cybersecurity Framework

Another key consideration to address the problem is the adoption and enforcement of security standards like #NIST 800-53 #Cybersecurity Framework that specifies application security standards. The new techniques that were added to #NIST 800-53 enable groups to evaluate the security of software using interactive application security testing (IAST).

How #ValueOps can help?

ValueOps helps automate #NIST 800-53 controls using its controls automation framework. Here is a sample of NIST 800-53 controls applied on #AWS and #Azure.

#ValueOps provides sophisticated #DevSecOps workflow templates out of the box with extensive security testing included like #SAST, #DAST, Image Scan, Container Scan, Software Composition Analysis (OSS Scan) along with automated security and compliance policies and state gates to stop deployment and release processes when testing thresholds or policy requirements are not met.

Here is a sample DevSecOps template from ValueOps with build (using Jenkins), Image Scan (using #Prisma Cloud/#Twistlock), SCA Scan (using #Blackduck), SAST (using App Scan), Deployment with (#Spinnaker) along with security and #compliance policy #automation using ValueOps’ Rules Engine and stage gates for security testing thresholds and policy validation. These and many other #DevSecOps templates provided by #ValueOps can be implemented with minimum effort from Developers and #DevSecOps engineers.

#ValueOps simplifies the use of the industry standard open source and commercial #DevSecOps tools and automation of the policies so you and your teams do not have to learn all these #DevSecOps tools and best practices to achieve high degree of maturity. Also you can get to a maturity of 8 or 9 out of 10 with your #DevSecOps process in weeks instead of months taken by most organizations today.

For companies impacted by the #SolarWinds breach, it is undoubtedly frustrating to see how they could have potentially detected this vulnerability in the past nine months. For immediate risk remediation for affected organizations, please update your SolarWinds Orion software to the latest version and review the threat research post from FireEye, which outlines various mechanisms for detecting and preventing the attack. Start applying mature #DevSecOps processes including those mentioned above and avoid security breaches like the one with #SolarWinds.

#ValueWeaver #DevSecOps #ValueOps #security #compliance #cybersecurity