Open-source stewardship key as CyberArk moves to help devs avoid another Heartbleed

The release of core privilege-management capabilities as an open-source toolkit is intended to jumpstart SecDevOps methods of secure development, according to the founder of recently-acquired privilege-management firm Conjur.

Existing open-source projects had been relatively haphazard and were “really more basic security controls”, Elizabeth Lawler, vice president of DevOps security with CyberArk – which in May snapped up the firm she co-founded, Conjur for $US42m ($A53m) – told CSO Australia.

“The tool chain hasn’t really matured in terms of being able to provide the types of security controls that enterprises need,” she explained. “Half of enterprises are adopting DevOps – and they need their security controls. The key is to get those embedded into software development processes as early as possible, but without interrupting developers that may or may not have security as top of mind.”

Improving the security of DevOps transformations has emerged as a crucial endeavour, spawning the whole idea of SecDevOps and driving security into the heart of the development process. By 2020, for example, Gartner has predicted, 40 percent of DevOps-using enterprises will have adopted application security self-testing, self-diagnosing, and self-protection technologies.

Conjur’s credential-management technology includes specific functionality for securely managing ‘secrets’ – access keys, privileged account credentials, API keys, and other sensitive information – and Lawler expects that the release of CyberArk Conjur Community Edition to the open-source community will drive a flurry of innovation that will further raise the level of open-source security overall.

“CyberArk has real domain knowledge in this space,” she said, “and it’s an opportunity to give back to the community and lead DevOps discussions around securing privileges. Our goal is to meet the developer community where they are.”

Lawler dismissed the concerns of some industry watchers that open-source projects often have variable quality and security vulnerabilities that may go unpatched, especially where the open-source code is integrated into third-party enterprise solutions.

A recent evaluation of common infrastructure components found a worrying level of high-risk vulnerabilities, warning that attacks based on open-source vulnerabilities would rise by 20 percent this year.

“We often see more issues rather than fewer issues around open source,” Lawler conceded. “they tend to be projects that either don’t have as much attention as they ought to, or don’t have the funding.”

This shortfall exploded in 2014, when the exploitation of a vulnerability in the widely-used open-source OpenSSL library led to the disastrous ‘Heartbleed’ vulnerability.

In the wake of that event, however, Lawler said the open-source community had redoubled its efforts around patching and quality control to good effect. “There wasn’t a lot of funding and a concerted effort towards the OpenSSL project at the time,” she said. “But now it’s gotten tonnes of attention and there is better funding and better contribution – and you can see that the quality of code and patches have gone up.”

Compromise of credentials was involved in 81 percent of data breaches analysed in Verizon’s latest Data Breach Investigations Report, and growing volumes of automated interactions between devices is set to increase the use of credentials even more over time. If these interactions aren’t properly secured, Lawler warned, developers will inadvertently leave holes for cybercriminals to exploit at their whim.

The key to successfully maintaining the quality of open-source security projects, she said, is to have stewardship of open-source projects so they don’t wither on the vine. With CyberArk happily filling this role and early adopters already looking into ways to expand the platform-agnostic tool across new environments, Lawler believes the code will help resolve inadvertent security holes created when, for example, developers hardcode passwords into a test build to ensure component microservices can readily authenticate to each other.

“You’d be surprised how many privileged credential dependencies there are in open-source tools,” she said. “Developers often have to put in privileged credentials to get their code to work. But now that DevOps is driving into the enterprise, this is the right time to have a conversation about driving standards – and managing security concerns at scale in security-conscious enterprises.”