Security That Enables: Breaking Down Security Silos in the DevOps Ecosystem

Authors: Saurabh Wadhwa


Summary

The importance of security in the Agile development process and the need for a good security culture in organizations
  • Developers tend to overlook security in the fast-paced nature of Agile development
  • Attacks on the developer ecosystem are becoming more common
  • User education and training are important, especially for developers who are not involved with security
  • Scanning for vulnerabilities and private keys is crucial to reduce attack surfaces
  • Zero trust frameworks can help differentiate good from bad users
  • A good security culture builds trust, simplifies access and workflows, encourages people to speak up, and enables users to be security-minded
  • A bad security culture erodes trust, complicates access and workflows, and encourages users to hide their mistakes
The Dropbox breach was a sophisticated spear-phishing attack that targeted developers who were using CircleCI internally. The attackers were able to clone 30 internal repositories after the developers clicked on a malicious link and entered their GitHub credentials and a one-time passcode. This attack highlights the need for user education and training, as well as the importance of scanning for vulnerabilities and private keys.
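The summary's point about scanning repositories for private keys is the kind of check that belongs in CI before a build is published. The following is an added example, not code from the talk or its author: a small secret scanner that runs over an in-memory set of files (constructed here to stand in for a repository checkout; none of the values are real credentials, and AKIAIOSFODNN7EXAMPLE is the placeholder AWS uses in its own documentation). It combines fixed-shape rules (PEM private-key headers, GitHub and AWS key prefixes) with a generic high-entropy check on assignments to secret-looking variables, which is the usual way to catch random credentials while skipping obvious placeholders.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample files standing in for a repository checkout. The key
# material and tokens below are made up (AKIAIOSFODNN7EXAMPLE is the placeholder
# AWS uses in its own documentation) and exist only to exercise the scanner.
SAMPLE_FILES: Dict[str, str] = {
    "deploy/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "config/settings.py": (
        "DEBUG = False\n"
        "GITHUB_TOKEN = 'ghp_EXAMPLEEXAMPLEEXAMPLEEXAMPLE12345678'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "API_KEY = 'q7Zp3mL9xK2vW8nR4tY6uB1cD5eF0gH'\n"
        "DB_PASSWORD = 'changeme-changeme'\n"
    ),
    "README.md": "# Service\n\nRun `make test` before opening a pull request.\n",
}

# Rules with a fixed, recognisable shape: a match is a finding on its own.
SPECIFIC_RULES = {
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Generic rule: an assignment to a secret-looking name whose quoted value is
# long and high-entropy. The entropy threshold separates random credentials
# from placeholders such as 'changeme', which this rule deliberately skips.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(secret|token|password|api_key)\w*\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits per character


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of `value` (0.0 for the empty string)."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one Finding per rule hit, line by line, for a single file."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched = False
        for rule, pattern in SPECIFIC_RULES.items():
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule))
                matched = True
        if matched:
            continue  # a specific rule already explains this line
        m = GENERIC_ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append(Finding(path, lineno, "high_entropy_assignment"))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan every (path, contents) pair and return findings in path/line order."""
    findings: List[Finding] = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.rule}")
```

Run as a pre-commit hook or CI step, a non-empty result from `scan_files` should fail the job. The low-entropy `DB_PASSWORD` line is left unreported on purpose: it shows the trade-off that the entropy filter keeps noise down but will not catch weak or placeholder secrets, which is why the fixed-shape rules are kept alongside it.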

Abstract

This talk addresses two core themes: First, the rise in attackers targeting developers and container image repositories to access pre-production resources. Second, good security should enable DevOps teams to better perform their role, secure builds, and remove the stigma that security = roadblocks. First, we break down how traditional CI/CD workflows are siloed from a security tooling perspective. Siloed security tools create gaps when developer ecosystems are targeted, as it’s difficult to trace attackers across environments. Monitoring a developer’s laptop may be completely isolated from the security data from registry scanning, which in turn may be completely isolated from monitoring runtime services. Second, a walkthrough breaking down the step-by-step flow of the recent Dropbox breach where attackers targeted developers and ultimately stole 130 GitHub repositories. This will be a deep dive into how the attackers targeted developers by impersonating CircleCI, with the ultimate goal of stealing GitHub repos and accessing backend infrastructure. And third, we end with a more positive look at how the right security controls (zero-trust access and registry scanning) in the CI/CD process enable developer teams to better perform their roles and more confidently deploy builds.
