DevOps - A NECESSITY FOR ALL
Thanks to the introduction of new technologies over the past decade, the Internet has become much less of a luxury (as former US President Obama insisted) and much more of a necessity.
Today's software developers are now also armed with the tools to make many more software releases in a single day to offer their users new features and bug fixes more frequently.
With the pervasive adoption of innovative tools and applications such as Docker containers and Kubernetes, which helps to stop containers misbehaving when they are used in numbers, microservices have become the new norm. Instead of software being one large monolith, today's modern practices mean that lots of smaller, decoupled services speak to each other through Application Programming Interfaces (APIs). Developers have embraced a more modular approach, you might say, with each microservice component somewhat casually announcing a list of commands it's willing to respond to via an API.
On the less-friendly internet of today, however, such microservices need to have security checks and balances in place just as all devices and systems connected online do.
Recent news stories suggest, however, that there's still much work to do in this area. One reputable weekly security publication called Security Newsletter regretfully reported, under its Breaches and Leaks section: "It's quite a long list this week I'm afraid".
The number of entries on the list, which strictly as per the calendar might not all fit precisely within the last seven days, is alarming nonetheless.
One such entry reports that the German telecoms giant, T-Mobile, suffered an attack through an API leaking data (https://threatpost.com/t-mobile-alerts-2-3-million-customers-of-data-breach-tied-to-leaky-api/136896/), which meant the details of a staggering 2.3 million customers were stolen.
The list, which is certainly not all DevOps related, continues with an Amazon S3 storage "bucket" being left unsecured, which reportedly provided access, via an API or potentially via online interfaces, to text messages, calls, emails and locations for the customers of a surveillance company named Spyfone.
According to the press report, there was also an API left unprotected, allowing anyone able to guess a Web address to reveal a fully up-to-date list of customers.
Embracing new technologies is exciting and can deliver cost savings and greater efficiencies across a number of processes. Hand in hand with the Internet's evolution, DevOps tech is no different. Their unprecedented combined uptake has been compared to the industrial revolution. Businesses need to factor in security much earlier in their CI/CD pipelines, however. Multinationals are still treating many cloud-native technologies in the same way they treated physical boxes in Data Centers. Security in DevOps should be automated and intertwined as code throughout all processes. Over the coming years, remedying threats such as leaky APIs or unsecured S3 buckets through automation will become much more common. We are innovating at such a rate of knots that we now need computers to automatically fix our security issues for us.
Among other names on the newsletter's breach list for the last week alone was the airline Air Canada, which reportedly had information relating to 20,000 users leaked (https://www.cbc.ca/news/business/air-canada-mobile-app-1.4802879). Reports suggest this was yet another bug from within an API.
Although not all APIs are necessarily running DevOps-orientated services, if, as a business, you are not already deeply concerned about damaging your brand through such incidents, then you might just be forced to take more notice in the near future.
About the author: Chris Binnie
Chris has been a friend of the DevOps and Cloud desk at Citrus for over a year now. He is a DevSecOps expert and has provided some of the largest businesses across the UK and Europe with specific consulting know-how relevant to his specific skill set.
Please feel free to have a look at his website https://www.devsecops.cc