Researcher Finds GitHub Admin Credentials of Car Company Thanks to Misconfiguration

On August 21, 2023, security researcher and HackerOne Advisory Board Member Corben Leo announced on social media that he had "hacked a car company" and went on to post a thread explaining how he "gained access to hundreds of their codebases."

Tweet 1 of thread

Corben was participating in a bug bounty program run by the car maker. This is a very common practice across industries, as it rewards ethical hackers for finding issues and reporting them in a responsible way. This path has been time-tested and produced some fantastic results for many companies. At the same time, there is some reporting that says that compared to other industries, car manufacturers tend to pay far less for bug bounties. In this case, the car company had the right incentives, and Corben had the right motivation to find and report this potentially crisis-inducing vulnerability.

Protect Your Keys: Lessons from the Azure Key Breach

On July 11, 2023, Microsoft released details of a coordinated attack from threat actors, identified as Storm-0558. This state-sponsored espionage group infiltrated email systems in an effort to collect information from targets such as the U.S. State and Commerce Departments. While this was a fairly sophisticated attack leveraging multiple vulnerabilities, there are multiple lessons we can take from this incident to help any DevOps and security team improve their organization's security posture.

What Happened

Starting on May 15 of this year, the China-based state actor identified as Storm-0558 gained access to Azure-based Office 365 email systems. The attack was discovered after Office 365 customers began to report unusual mail activity. On June 16, Microsoft began the investigation and remediation process.

RVAsec 2023: Improving Ourselves, Our Security, and Our Community

Richmond, Virginia, has a vibrant and storied history. While Edgar Allan Poe is more associated with Baltimore, he actually grew up in Richmond, home to the Edgar Allan Poe Museum. Richmond was also home to Maggie Lena Walker, the first woman to own a bank. It is also where Patrick Henry gave his famous "Give me liberty or give me death" speech. While nobody declared anything so revolutionary this year, many security professionals did gather to share ideas and opinions at RVAsec 2023, taking place June 13 and 14.

This year marked the 12th gathering and the largest attendance for the event to date, with 740 tickets sold. This year there was a capture-the-flag, lock-picking village, and an extremely fun casino-themed after-party. 28 speakers presented on a wide range of topics, including your author. All the sessions were recorded and will be available on the RVAsec website.

Here are just a few highlights from this year's event.

How Your Secrets Management Maturity Can Impact Your DevOps Research and Assessment Metrics

Most folks managing or working within a DevOps organization are already familiar with the book "Accelerate" and DevOps Research and Assessment, commonly abbreviated as DORA, metrics. For those who are not familiar or just need a quick refresher, DORA metrics categorize the performance of a DevOps organization based on four key leading indicators:

  1. Deployment Frequency: The cadence of an organization’s successful releases to production. The more often, the better.
  2. Mean Lead Time for Changes: How long it takes a developer's commit to get into production. The more, the better.
  3. Mean Time to Recover: How long it takes a team to restore service in the event of an unplanned outage or another incident. The shorter the time interval, the better.
  4. Change Failure Rate: How often a change made to production leads to a failure. The smaller the percentage, the better.

DORA metrics help you quickly gauge the overall health of your team and its output. Many underlying metrics influence these four indicators, but they are a handy way to think about DevOps performance from a high level. This methodology groups organizations into one of three tiers for overall performance: Low, Medium, or High.

DevOps Midwest: A Community Event Full of DevSecOps Best Practices

If you know anything about St. Louis, it is likely as the home of the Gateway Arch, the Cardinals, and St. Louis-style BBQ. But it is also home to a DevOps event that featured some fresh perspectives on scaling, migrating legacy apps to the cloud, and how to think about value when it comes to your applications and environments: DevOps Midwest.

The quality of the conversations was notable, as this event drew experts and attendees who were working on interesting enterprise problems of scale, availability, and security. The speakers covered a wide range of DevOps topics, but throughout the day, a couple of themes kept showing up: DevSecOps and secrets management. Here are just a few highlights from this amazing event.

Cyphercon 6: Staying Up Late for Cybersecurity

When you think of Milwaukee, you might think of squeaky cheese curds, polka music, and the Bronze Fonz. But now, I will always associate this city on the lake with cybersecurity, thanks to Cyphercon 6, which was held on March 30 and 31, 2023. This year there were nearly 1500 participants, making it the largest security or technology conference in Wisconsin.

Cyphercon is a 'hacker conference' much like ShmooCon or DEFCON. While there are sessions, the event also focuses on villages and capture-the-flag competitions. Unique among conferences I have attended, the first day started after lunch and ran until 10:30 pm, when the networking after-party officially started.

Remediating Incidents With the GitGuardian API [Cheat Sheet Included]

When a hardcoded secret is detected in your source code, you can rely on GitGuardian to help you prioritize, investigate, and remediate the incident. When they think of the GitGuardian platform, most people picture the dashboard.

The GitGuardian Dashboard

From this view, you can quickly see high-level incident information that can help you triage your incidents, assign them to workspace members and begin the process of fixing the issue. The team has put a lot of thought and effort into making this a very user-friendly interface that customers can quickly learn and leverage when dealing with secrets sprawl.

The GitGuardian API

In some cases, teams might prefer to leverage the power of the GitGuardian platform without using the dashboard directly. This is entirely possible thanks to the powerful GitGuardian API, which is available to all customers. With our API, you can interact with incidents, teams, workspace members, and audit logs, or even implement your own secrets scanning.

GitHub Exposed a Private SSH Key: What You Need to Know

Secrets leakage is a growing problem affecting companies of all sizes, including GitHub. They recently made an announcement on their blog regarding an SSH private key exposure:

[Last week, GitHub] discovered that GitHub.com’s RSA SSH private key was briefly exposed in a public GitHub repository.

The company reassured the public, explaining that the key was only used to secure "Git operations over SSH using RSA," meaning that no internal systems, customer data, or secure TLS connections were at risk. They reacted immediately by detecting the incident and changing the key:

Cybersecurity Learning Across Sectors: How ICCWS Brings Academics, Government, and Private Companies Together

When you think of Baltimore, Maryland, you might immediately think of the Ravens, Edgar Allan Poe, or Old Bay Seasoning. Moving forward, I will always associate "BMore" (as the locals call it) with improved security across the public and private sectors, thanks to participating in the 18th International Conference on Cyber Warfare and Security, ICCWS, which happened March 9th and 10th, 2023, at Towson University, in the heart of Baltimore County.

This unique event brings together academics, military professionals, government agencies, and professionals from all around the security world to discuss their research findings and the state of cybersecurity. All the sessions I attended were very informative, and I will be summarizing a few in this post, but the best part of this event was the lively hallway conversations and connections that were made. It is hard to imagine another event where Ph.D. candidates, developer advocates, and intelligence agency officers would get to share thoughts on the future of cyber threats while sharing a meal.

While there were a lot of different subjects covered in the two days of sessions, there were some themes that popped up across multiple talks.

Zero Trust

Most everyone working in security and DevOps by now is familiar with the notion of Zero Trust, the approach that denies all access by default. We apply this in practice by implementing "the principle of least privilege," granting only enough access to let people and non-human entities get their work done and no more. In his talk "Can Zero Trust Restore Our Ailing Trust?" Justin Fanelli, Technical Director, Dept of Navy PEO Digital and Georgetown University, argues that for a lot of the industry, Zero Trust is just a buzzword at the moment, albeit the "Beatles of our current jargon."

DeveloperWeek 2023: The Enterprise Community Sharing Security Best Practices

For the first time since 2019, the "world's largest developer and engineering expo" was back in person, this time in Oakland in February: DeveloperWeek 2023! Approximately 2000 attendees, speakers, and exhibitors got together face to face to meet and talk about the state of the software industry. People came from all over the world to be part of this 15+ track event that covered everything from application and API design, to Kubernetes and Terraform deployment fundamentals, and basically everything in between. I got to give a talk as well on the state of cloud development environments, which I have written about here before.

There was a noticeable thread around cybersecurity throughout all the tracks. As security becomes more and more of a focus for the enterprise, it should be no surprise to see so many talks about securing your data and your applications. Here are just a few highlights from some of the sessions centered around security from DeveloperWeek 2023.

Intrusion Detection Through Cyber Deception: Disrupting Attacks With an Active Defense

We should do our best to ensure our network and pipeline perimeters are secure and make it hard for attackers to gain access. However, the reality is that intruders will stop at nothing to gain access, as evidenced by the Uber, CircleCI, and Dropbox breaches, just to name a few.

Common to all of those incidents was the attacker's behavior once they were inside. Each time they quickly found and exploited hardcoded credentials, giving them further access. Since we know this is something attackers do time after time, it is time to turn this behavior against them by engaging in some blue team cyber deception and start planting honeytokens in our environments.

IAM Best Practices

IAM stands for "Identity and Access Management." IAM provides answers to the fundamental question in DevOps: "Who can access what?"

IAM Best Practices Cheat Sheet

The roots of IAM go back to the early days of computing, where users of UNIX systems needed a username and password to access their accounts and files. As systems got more complex, grew in number, and larger pools of users needed access, identity management solutions like Lightweight Directory Access Protocol, LDAP, became increasingly popular, where a central team could manage access for multiple departments and roles.

CloudNativeSecurityCon 2023: A Unique Community Event Focused On the Future of Open Source and Cloud Native Security

The 2023 conference season officially kicked off on February 1st in Seattle. Over 1000 attendees, speakers, and security tool vendors gathered in Seattle for CloudNativeSecurityCon, the first stand-alone, in-person event of its kind. Over the course of 2 days and over 70 presentations, the cloud-native security community shared their knowledge about the state of open-source security. Along the way, we had some great times and conversations about SBOMs, SLSA, SCA, and the many security challenges we all face.

With so much packed into the two days of the event, it would be impossible to cover it all, so here are just a few highlights.

How to Secure Your CI/CD Pipeline

Recently, we learned of a breach of CircleCI. They strongly suggest that all their customers:

  • Immediately rotate any and all secrets stored in CircleCI.
  • Review internal logs for their systems for unauthorized access from December 21, 2022, through January 4, 2023, or the date you rotated the secrets in CircleCI.

The CircleCI team also invalidated all Project API tokens and informed users that they would need to be replaced.

BSides SLC: Community, Fun, and Security Best Practices in Salt Lake City

With 2022 coming to a close, there was one last conference for the year, which happened in the snowy cold of Salt Lake City on December 16th. This event brought together security experts from multiple backgrounds, developers working to bring better security practices into their work, as well as students who were just starting down the path into InfoSec. No matter what skill level or area of security you focused on, there was something for everyone at BSidesSLC.

What Are BSides?

There are a lot of security conferences out there, but BSides stands out as unique. Rather than just a collection of talks, BSides is a community-led event that features hands-on labs, workshops, and collaboration, as well as industry experts presenting on a wide variety of cybersecurity topics.

CyberTech NYC 2022: Securing the Future Together

The Javits Center in NYC opened its doors to hundreds of security experts from all around the world on November 15th and 16th, 2022. Over those two info-packed days, attendees participated in panels and presentations and shared their knowledge about enterprise security. Here are just some of the highlights from CyberTech NYC 2022.

The Larger the Organization, the More Turtles to Corral

Early in the conference, CyberTech Co-Founder Amir Rapaport shared a very good analogy for how large enterprises have transformed: corralling turtles.

Turtles move slowly, akin to how fast we adopt new tech or modify existing systems. If you only have a few turtles, keeping up with them and making sure they are safe is pretty straightforward. But when you add more and more turtles, it becomes increasingly difficult to manage them. When you get to hundreds or thousands of turtles, or IT services, manually chasing them and keeping them safe becomes overwhelming.

Unfortunately, there is no silver bullet to this problem of herding turtles; it just takes staying vigilant and aware of newly emerging threats. This introductory session set the tone of the event, and his message of staying on top of new trends was echoed throughout the rest of CyberTech.

Securing The New Frontier in Developer Environments: Cloud IDEs

There is a good chance that your next "local development environment" won't be local; it will be cloud-based, and all you will need locally will be a browser and an internet connection. You might already be using a Cloud IDE for certain projects. This exciting evolution of the local dev environment has a lot of advantages but also brings some new risks. This article will help you stay safe as you embrace the cloud for your coding needs.

What Is a Cloud IDE or CDE?

Simply put, a cloud IDE is an integrated development environment (IDE) hosted in the cloud rather than on your local machine.

How To Use ggshield To Avoid Hardcoded Secrets [Cheat Sheet Included]

Most developers love working in the terminal, tying together all sorts of tools with command line interfaces, CLIs, via scripting. Working with CLIs is powerful, but it can be challenging to initially learn all the ways a tool can help you do your work. While the only real way to learn any tool is by using it, one time-tested method to get over the learning curve is to keep a short list of common commands, as well as concept recaps, on hand for using the tools.

At the same time, it is pretty common to adopt a tool for one or two specific functions, without investigating what other commands a tool offers. For example, just think about how many Git commands you use regularly out of the 164 currently available commands. Getting a holistic view of how a command line tool is structured and the possible commands can help you make better use of the platform.