The SolarWinds Hack and Salesforce Devops
The devops industry is undergoing a transformation in 2021 as security takes center stage, mainly because of the SolarWinds hack (check here for more details). We now know that a bad actor inserted command-and-control (C2) code into a SolarWinds network scanning tool. Sent to 60,000 customers, several dozen of whom turned out to be government agencies, the C2 code “phoned home” for further instructions, and in some cases the attackers went on to move deeper into the target network. How did the bad actors do it? By gaining access to SolarWinds source code repositories. For Salesforce devops and IT leaders, how does this security red alert affect you?
Developer Security Is A Thing
In the eternal war of IT security measures and countermeasures, every enterprise’s security considerations start with the perimeter, devices, and networks. Now security is moving up the stack, and it has sprouted yet another crop of impenetrable four-letter acronyms, each naming a separate devops security concern.
- Static Application Security Testing (SAST) – SAST tools work with source code repositories. In the case of Salesforce, this includes finding things like SQL injection or unsafe JavaScript. Good SAST tools offer remediation assistance.
- Dynamic Application Security Testing (DAST) – DAST tools work with running systems. DAST is like a “white hat penetration test,” where the vendor applies systematic techniques to look for vulnerabilities in your application, simulating the techniques an attacker uses.
- Interactive Application Security Testing (IAST) – An IAST solution inserts an application security server into production operations, which gives it a unique inside view of potential vulnerabilities.
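To make the SAST bullet concrete, here is an added example that is not from this article or from any of the vendors it names: a small Python check in the spirit of a SAST rule for Salesforce Apex. Apex queries with SOQL, so the “SQL injection” finding a Salesforce scanner raises is dynamic SOQL assembled by string concatenation and passed to Database.query; static SOQL with a bind variable passes clean. The Apex snippets are constructed for the demonstration.

```python
import re
# Constructed Apex snippets (not from the article). Apex queries SOQL, so the
# "SQL injection" finding a Salesforce SAST tool raises is dynamic SOQL assembled
# from untrusted input; the safe form is static SOQL with a bind variable (:name).
VULNERABLE_APEX = r"""
public with sharing class AccountSearch {
    public List<Account> byName(String name) {
        String q = 'SELECT Id FROM Account WHERE Name = \'' + name + '\'';
        return Database.query(q);
    }
    public List<Contact> byEmail(String email) {
        return Database.query('SELECT Id FROM Contact WHERE Email = \'' + email + '\'');
    }
}
"""
SAFE_APEX = r"""
public with sharing class AccountSearch {
    public List<Account> byName(String name) {
        return [SELECT Id FROM Account WHERE Name = :name];
    }
}
"""
ASSIGN = re.compile(r"String\s+(\w+)\s*=\s*(.+);")        # String q = <expr>;
DYN_QUERY = re.compile(r"Database\.query\s*\(\s*(.+)\)")  # Database.query(<arg>)

def is_concatenated_soql(expr):
    """True when an expression assembles a SOQL string with the + operator."""
    return "SELECT" in expr.upper() and "+" in expr

def find_soql_injection(apex_source):
    """Return (line_no, message) findings for dynamic SOQL built by concatenation.
    Line-oriented heuristic in the spirit of a SAST rule: String variables assigned a
    concatenated SELECT are tracked and flagged when passed to Database.query, and
    inline concatenation is flagged too; bind variables produce no finding."""
    findings, tainted = [], {}
    for no, line in enumerate(apex_source.splitlines(), 1):
        m = ASSIGN.search(line)
        if m and is_concatenated_soql(m.group(2)):
            tainted[m.group(1)] = no          # remember where the string was built
        m = DYN_QUERY.search(line)
        if not m:
            continue
        arg = m.group(1).strip()
        if arg in tainted:
            findings.append((no, f"dynamic SOQL executes string concatenated on line {tainted[arg]}"))
        elif is_concatenated_soql(arg):
            findings.append((no, "dynamic SOQL concatenated inline"))
    return findings
```

Real scanners do this on a parsed syntax tree rather than on lines, which is why a commercial SAST product can also follow the tainted value across methods and offer a remediation (the bind-variable form).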
Keep Your Perimeter Tight
Beating the enemy in security takes a holistic approach, so developer security must include more than a focus on code. If your enterprise has a security perimeter, then use it, even in offshore environments. Upgrade VPN usage to SD-WAN or other corporate security solutions to harden every developer’s environment. Strengthen your endpoint security by issuing work-only, centrally managed endpoints to everyone in devops, especially to vendors and other contractors (remember Target?).
Because of SolarWinds, we know that developer security goes beyond the xAST world. We must assume that developers are now subject to high-value, targeted spear phishing attacks. Until recently, only financial crimes or state-sponsored espionage warranted such a high-value attack. Now, technology and enterprise developers are being personally profiled and targeted for network infiltration.
Developer Security Cannot Be an Afterthought
I have also heard the term “software supply chain security” to describe what happened in the SolarWinds Hack, and to express the need for developer security. And other writers use the term “shift left” to describe developers becoming more responsible for application security. So, to “shift left” means giving your developers the tools needed to make sure their code is secure. And it is called “shift left” because the typical SDLC chain has the developer on the left end? All I know is that this is another example of a confusing and alienating term we should keep clear of the C-suite.
In the Salesforce world, customers handle static code analysis concerns with currently available software offerings. Last week we saw AutoRABIT purchase Codescan to add static scanning capabilities to their offerings. Other security vendors selling static security tools for Salesforce today include Clayton. S4 from DigitSec has static, dynamic, and interactive features (check out the SalesforceDevops list of companies here).
To simplify our nomenclature, let us call the entire set of xAST concerns Developer Security, and recognize that developer security is now a major concern for any technology company or enterprise that produces software. A full developer security program needs to be in the devops budget.
Have Fun and Be Safe
Deal with the consequences of the SolarWinds hack by making overall developer security a major concern of any devops program. Look closely at the tools and services currently available. And make sure the people working on your coding efforts have well-maintained endpoints with a security perimeter protecting them from the bad actors. By offering these services as a core part of your devops program, your developers will have the power to have fun coding, safely.
About Vernon Keenan
Vernon Keenan (LinkedIn) works as a senior information technology industry consultant based in Oakland, California.
He earned his B.Sc. in Biomedical Engineering at Northwestern University where he programmed a PDP-8 with punched paper tape.
In his 34-year-long career he has been a teacher, SPSS programmer, database administrator, clinical researcher, technology journalist, product marketing manager, market researcher, management consultant, and industry analyst. Most recently he is a telecom operator, cloud architect, Go devops engineer and Salesforce Developer/Architect.
For inquiries about Salesforce strategy briefings or solution architect work please contact Vern directly at +1-510-679-1900 or [email protected].