Developers are increasingly under attack through the tools that they use to collaborate and to produce code — such as Docker, Kubernetes, and Slack — as cybercriminals and nation-state actors aim to access the valuable software that developers work on every day.
For instance, an attacker claimed on Sept. 18 to have used stolen Slack credentials to access and copy more than 90 videos representing the early development of Grand Theft Auto 6, a popular game from Take-Two Interactive’s Rockstar Games. And a week earlier, security firm Trend Micro discovered that attackers were systematically searching for and attempting to compromise misconfigured Docker containers.
Neither attack involved vulnerabilities in the software programs, but security missteps or misconfiguration are not uncommon on the part of developers, who often fail to take the care necessary to secure their attack surface area, says Mark Loveless, a staff security engineer at GitLab, a DevOps platform provider.
“A lot of developers don’t think of themselves as targets because they are thinking that the finished code, the end result, is what attackers are going after,” he says. “Developers often take security risks — such as setting up test environments at home or taking down all the security controls — so they can try out new things, with the intent of adding security later.”
He adds, “Unfortunately, those habits become replicated and become culture.”
Attacks against the software supply chain — and the developers who produce and deploy software — have grown quickly in the past two years. In 2021, for example, attacks that aimed to compromise developers’ software — and the open source components widely used by developers — grew by 650%, according to the “2021 State of the “Software Supply Chain” report, published by software security firm Sonatype.
Developer Pipelines & Collaboration in the Sights
Overall, security experts maintain that the fast pace of continuous integration and continuous deployment environments (CI/CD) that form the foundations of DevOps-style approaches pose significant risks, because they are often overlooked when it comes to implementing hardened security.
Slack, Teams, and Zoom top the synchronous tools used by professional developers. Source: StackOverflow
This affects a variety of tools used by developers in their efforts to create more efficient pipelines. Slack, for example, is the most popular synchronous collaboration tools in use among professional developers, with Microsoft Teams and Zoom coming in a close second and third, according to the 2022 StackOverflow Developer Survey. In addition, more than two-thirds of developers use Docker and another quarter use Kubernetes during development, the survey found.
Breaches of tools like Slack can be “nasty,” because such tools often perform critical functions and usually only have perimeter defenses, Matthew Hodgson, CEO and cofounder of messaging-platform Element, said in a statement sent to Dark Reading.
“Slack is not end-to-end encrypted, so it’s like the attacker having access to the company’s entire body of knowledge,” he said. “A real fox-in-the-henhouse situation.”
Beyond Misconfigs: Other Security Woes for Developers
Cyberattackers, it should be noted, don’t just probe for misconfigurations or lax security when it comes to going after developers. In 2021, for example, a threat group’s access to Slack through the gray-market purchase of a login token led to a breach of game giant Electronic Arts, allowing the cybercriminals to copy nearly 800GB of source code and data from the firm. And a 2020 investigation into Docker images found that more than half of the latest builds have critical vulnerabilities that put any application or service based on the containers at risk.
Phishing and social engineering are also plagues in the sector. Just this week, developers using two DevOps services — CircleCI and GitHub — were targeted with phishing attacks.
And, there is no evidence that the attackers targeting Rockstar Games exploited a vulnerability in Slack — only the claims of the purported attacker. Instead, social engineering was likely way to bypass security measures, a Slack spokesperson said in a statement.
“Enterprise-grade security across identity and device management, data protection, and information governance is built into every aspect of how users collaborate and get work done in Slack,” the spokesperson said, adding: “These [social engineering] tactics are becoming increasingly common and sophisticated, and Slack recommends all customers practice strong security measures to guard their networks against social engineering attacks, including security awareness training.”
Slow Security Improvements, More Work to Do
Developers have only slowly accepted security as application security professionals call for better controls, however. Many developers continue to leak “secrets” — including passwords and API keys — in code pushed to repositories. Thus, development teams should focus on not just protecting their code and preventing the importing of untrusted components but also ensuring that the critical capabilities of their pipelines are not compromised, GitLab’s Loveless says.
“The whole zero-trust part, which is typically about identifying people and things like that, there also should be the same principles that should apply to your code,” he says. “So don’t trust the code; it has to be checked. Having people or processes in place that assumes the worst — I’m not going to trust it automatically — particularly when the code is doing something critical, like build a project.”
In addition, many developers still do not use basic measures to strengthen authentication, such as using multifactor authentication (MFA). There are changes afoot, however. Increasingly, the various open source software package ecosystems have all started requiring that major projects adopt multifactor authentication.
In terms of tools to focus on, Slack has gained attention because of the latest major breaches, but developers should strive for a baseline level of security control across all of their tools, Loveless says.
“There are ebbs and flows, but it is whatever works for the attackers,” he says. “Speaking from my experience of wearing all kinds of hats of different colors, as an attacker, you look for the easiest way in, so if another way becomes easier, then you say, ‘I will try that first.'”
GitLab has seen this follow-the-leader behavior in its own bug bounty programs, Loveless notes.
“We see when people send in bugs, all the sudden something — a new technique — will become popular, and a whole slew of submissions resulting from that technique will come in,” he says. “They definitely come in waves.”