Automate! (Wherever Possible.) – An Excerpt from Cybernews
May 11, 2023 by Jason McIntosh
This interview with Jason McIntosh, Principal Engineer at Armory, originally appeared on Cybernews. Read it in full here. https://cybernews.com/security/jason-mcintosh-armory-with-the-current-developer-workload-the-best-practice-is-to-automate-wherever-possible/
What would you consider the main challenges development teams run into nowadays?
A primary challenge is a continuous growth in complexity introducing friction into the innovation process. As organizations accelerate their transition to cloud-native architectures, developers have more ways to approach the same engineering tasks, and the growing number of environments and customers complicates deployment. As a result of tool sprawl and increased expectations, developers become inundated with options, taxing their creativity and monopolizing time with tedious imperative tasks that could easily be automated.
How did the recent global events affect your field of work?
The pandemic accelerated businesses’ move to the cloud, increasing developers’ workload. With users increasingly relying on software, development teams face even more pressure to ensure reliability and deliver new features more quickly than ever. The need and desire for automation grew significantly, inspiring Armory to create new functionalities to help assuage the challenges.
What are the best practices companies should follow when developing and launching applications?
With the current developer workload and the availability of tools, a best practice is to automate wherever possible. Continuous integration/continuous delivery (CI/CD) greatly improves DORA metrics. CI enables collaboration by automatically integrating code changes into a single deployable unit. The process emphasizes frequent code check-ins while creating and testing the new build. CD transforms changes into a state ready for production deployment and pushes changes through the pipeline, adding safety and speed to the development cycle and automating tedious but essential steps.
Where does continuous deployment fit? Continuous deployment requires the use of CD. In addition to making a new code version available, continuous deployment ensures it is in use in your production environment. Continuous deployment removes the need for pre-scheduled releases, increases user feedback, and allows developers to address user feedback faster. It standardizes deployment practices, automates pipeline creation, replaces manual checks, allows for progressive deployment and collects and manages observability data.
With automated processes, developers can spend more time writing code and creating a superior product.
What are the most common vulnerabilities nowadays that, if overlooked, can lead to serious problems for a business?
The simplest and largest vulnerability most users hit is still the OWASP top 10. Broken access controls are one of the biggest we see impacting businesses. Many organizations’ authentication/authorization restrictions aren’t set or are improperly set, allowing access to cloud accounts or sensitive resources a user shouldn’t directly access. Going back later to add authentication is always more work than starting with it from the beginning! Improperly exposing or protecting your tooling leads to break-ins.
The other challenge we see is the security space still struggles to explain basic concepts around good security. OIDC is a confusing concept to most developers and a core challenge. Password rotations, protecting sensitive data and explaining how cross-site-scripting works are things many engineers struggle with. Integrating security into your workflows, making the concepts easier to understand, and simplifying the processes could help organizations more effectively implement security best practices from the beginning.
What cyber threats do you find the most concerning nowadays? What can organizations and average individuals do to protect themselves?
Social attacks are still the most concerning. Even the best engineers — including security engineers — can be hit by these! Better MFA (multi-factor authentication) and password managers have helped reduce these kinds of attacks, but they’re still very common. On the downside, password managers are still not used consistently across organizations or at home. The first thing end users should do is use a password manager. Even with this tool, they still must rotate credentials. LastPass’s recent situation is a perfect example that no system is 100% secure.
MFA is the next and mandatory line of defense. MFA has vastly improved the damage from exposed credentials, but we are also seeing new attacks take advantage of MFA “laziness” in verifying that your MFA is coming from you. Organizations should include code verification on MFA rather than just accept push responses. We see signs that “push” notifications aren’t enough, as many attackers are bypassing this by using “push burnout,” where users accidentally click yes or ignore the request promptly.
Last, we’re seeing many more supply chain attacks, including attacks on base shared libraries. A simple change to a core library can instantly infect thousands of downstream resources. This was noticed recently with NPM module changes and the Linux kernel attempt to introduce a vulnerability by security researchers. These attacks do not yet have great mitigations nor receive much focus despite having the potential to do incalculable damage. This is an area the entire development community really needs to think about.
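The "code verification rather than a bare push approval" point above, worked through as an added Python example (not code from the interview or from Armory). The MfaVerifier class, its method names, and the threshold of three prompts per five minutes are assumptions chosen for illustration; the time values are passed in so the logic runs offline.

```python
import secrets
from dataclasses import dataclass


@dataclass
class PushChallenge:
    user: str
    code: str          # two-digit code shown on the login screen, never in the push
    issued_at: float   # seconds; callers pass time.time() in production
    answered: bool = False


class MfaVerifier:
    """Server-side model of push MFA with number matching and a push-rate limit."""

    def __init__(self, max_pushes=3, window=300.0, ttl=60.0):
        self.max_pushes = max_pushes   # prompts allowed per user per window (assumed)
        self.window = window           # seconds
        self.ttl = ttl                 # seconds a challenge stays answerable
        self._pushes = {}              # user -> issue timestamps
        self._pending = {}             # challenge id -> PushChallenge

    def request_push(self, user, now):
        """Issue a challenge, or refuse and signal when prompts arrive too fast."""
        recent = [t for t in self._pushes.get(user, []) if now - t < self.window]
        if len(recent) >= self.max_pushes:
            # a burst of prompts looks like push burnout: stop prompting and
            # let the caller alert the user and the SOC instead
            return None, "push_fatigue_suspected"
        recent.append(now)
        self._pushes[user] = recent
        cid, code = secrets.token_hex(8), f"{secrets.randbelow(100):02d}"
        self._pending[cid] = PushChallenge(user, code, now)
        return cid, code

    def _take(self, cid, now):
        ch = self._pending.get(cid)
        if ch is None or ch.answered or now - ch.issued_at > self.ttl:
            return None                # unknown, replayed, or expired challenge
        ch.answered = True             # single use, whatever the outcome
        return ch

    def approve_plain(self, cid, now):
        """Weak: a bare 'Approve' tap succeeds, so a worn-down user can approve a login they did not start."""
        return self._take(cid, now) is not None

    def approve_with_code(self, cid, typed_code, now):
        """Number matching: the tap only counts with the code from the login screen, which an attacker's screen does not show."""
        ch = self._take(cid, now)
        return ch is not None and secrets.compare_digest(ch.code, str(typed_code))
```

A wrong code burns the challenge rather than leaving it open for a second guess, and the rate limit turns a burst of prompts into a signal worth alerting on instead of another chance for the user to tap yes.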
What advancements and innovations in the software development field do you hope to see in the near future?
We want to see an increased emphasis on verification and supply chain security. There’s already been innovation in that space, but the need will grow as both developers and C-suite focus more on protecting their products and customers.
We also hope to see companies incorporate environmental sustainability into their DevOps strategy. Software plays an essential role in energy management, as the decisions made by the program influence the physical infrastructure. The environmental impact should be considered a priority from the first line of code.