ANOTHER WEEK, ANOTHER LEAK

Andy Prowse

Manager, Platform & DevOps

With all the press and buzz in the market around security breaches, data leaks and general privacy concerns, we thought it appropriate and timely to give a little background as to why these seem to occur so often. Since we’re not a security-focussed firm, but rather a business that focusses on DevOps and DevSecOps, we decided to approach the topic from that perspective. Having said that, we feel the real questions are how do these leaks, flaws and breaches actually happen? Why do we care, and how do we stop them?
 
How Do They Happen? 
 
Collaborative software development and the use of source code repositories like Git have all served to revolutionize the development process. As a result, DevOps is pretty much ubiquitous in development shops today. In those environments, Git is used for source code and artifact management, covering everything from text files to media and binary files. Sometimes when a developer submits their code to a source code repository, it can include unintentional artifacts like passwords, private encryption keys and certificates. When these “secrets” happen to be the same ones used in public systems or devices – everything from web applications to Internet routers – and this information unintentionally gets pushed to a publicly accessible Git repository, your secrets are no longer private.
 
Why Do We Care?
 
When secrets that were not intended to be made publicly available are discovered, they can be used by malicious characters to compromise systems and devices that would otherwise be considered secure. It would be like leaving your house key lying around outside your front door for anyone to find and use as they see fit. What’s worse is that many of these now accessible systems store confidential information that can be exposed. This could be things like health records, financial information or other personally identifiable information. That alone is a good cause for concern, but of course, there’s more.
Secure IP traffic is made possible via private and public key pairs. Public keys get exchanged, hashed together with private keys, and used for trusted communication between the two systems. It is the assurance that only the private key holder can provide the correct hash that ensures you are in communication with the right entity. Once the private key is shared, anyone can use it to create a trusted connection with you, assuming the identity of an otherwise trusted source. Once that trust is compromised, any bad actor can gain access to these systems, distribute malicious code, or eavesdrop on the communication between parties.
We live in a world where virtually everything is interconnected – cars, smart devices, phones, etc. – often referred to as IoT (the Internet of Things), and a trusted, encrypted connection is essential between systems and devices in order to keep us, and the information we transmit, safe.
 
How Do We Stop Them?
 
When publishing code to any source code repository or publicly accessible cloud storage, always ensure that secret information is properly scrubbed before submission. To prevent this situation altogether, we’ve identified three methods for storing and managing secrets securely in the points below:
  • Vault is a feature of Red Hat Ansible that allows you to keep sensitive data such as passwords or keys in encrypted files, rather than as plaintext in playbooks or roles.
  • Kubernetes Secret objects let you store and manage sensitive information, such as passwords, OAuth tokens, and ssh keys. Putting this information in a secret offers both safety and flexibility.
  • HashiCorp Vault allows you to secure, store and tightly control access to tokens, passwords, certificates and encryption keys for protecting secrets and other sensitive data using a variety of interfaces and access methods.
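
One way to check that secrets are scrubbed before submission, as an added example (not from the original article or from HighVail): a Python scanner over the lines a Git diff adds. The pattern set, the placeholder list (which lets references such as Ansible's `!vault` tag through) and the sample diff are assumptions constructed for illustration.

```python
import re
import sys

# Illustrative (not exhaustive) patterns for the secrets the article names.
PATTERNS = {
    "private key block": re.compile(r"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----"),
    "hard-coded credential": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^\s'\"]{6,})"),
}
# Values that reference a secret store instead of containing the secret.
PLACEHOLDER = re.compile(r"^(\$\{?\w+\}?|\{\{.*|<.*>|!vault)$", re.I)
# Constructed sample diff; the values are made up and no key material is included.
SAMPLE_DIFF = """\
diff --git a/deploy/app.yml b/deploy/app.yml
--- a/deploy/app.yml
+++ b/deploy/app.yml
@@ -3,0 +4,3 @@
+db_password: "Sup3rS3cretValue"
+api_token: ${API_TOKEN}
+vault_password: !vault |
diff --git a/certs/server.key b/certs/server.key
--- /dev/null
+++ b/certs/server.key
@@ -0,0 +1 @@
+-----BEGIN RSA PRIVATE KEY-----
"""

def scan_added_lines(diff_text):
    """Return (file, line_no, finding) for each secret-like line a diff adds."""
    findings, path, line_no, in_hunk = [], None, 0, False
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            in_hunk = False
        elif not in_hunk and line.startswith("+++ "):
            path = line[6:] if line.startswith("+++ b/") else line[4:]
        elif line.startswith("@@"):
            in_hunk = True  # "@@ -a,b +c,d @@": c is the first new-file line
            line_no = int(re.search(r"\+(\d+)", line).group(1)) - 1
        elif in_hunk and line[:1] in ("+", " "):
            line_no += 1  # added and context lines both advance the counter
            text = line[1:] if line[0] == "+" else ""  # scan added lines only
            for name, rx in PATTERNS.items():
                if (m := rx.search(text)) and not (m.lastindex and PLACEHOLDER.match(m[m.lastindex])):
                    findings.append((path, line_no, name))
    return findings

if __name__ == "__main__":
    found = scan_added_lines(SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read())
    sys.stderr.writelines("%s:%d: possible %s\n" % hit for hit in found)
    sys.exit(1 if found else 0)
```

To use it as a Git pre-commit hook, pipe `git diff --cached -U0` into the script and have the hook exit with the script's status; a non-zero exit aborts the commit. Run without piped input, it scans the constructed sample.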
 
At HighVail, we work with our clients to assist them in adopting best practices in their DevOps processes, encompassing automation, DevSecOps, containers and cloud. Looking only at the physical and logical security aspects is clearly not enough. Diligent processes and an adherence to best practices are a critical part of ensuring private data remains private. We invite you to get in touch with us to find out more about how we can help your organization in your Day 2 Operations processes. Our experience and proven methodologies allow HighVail to help keep you out of the news when it comes to security.

Not all press is good.  Let HighVail keep you out of the news when it comes to security, with our team of highly trained DevOps experts.