App Developers Increasingly Targeted via Slack, DevOps Tools

flyytech
September 23, 2022


Developers are increasingly under attack through the tools that they use to collaborate and to produce code — such as Docker, Kubernetes, and Slack — as cybercriminals and nation-state actors aim to access the valuable software that developers work on every day.

For instance, an attacker claimed on Sept. 18 to have used stolen Slack credentials to access and copy more than 90 videos representing the early development of Grand Theft Auto 6, a popular game from Take-Two Interactive’s Rockstar Games. And a week earlier, security firm Trend Micro discovered that attackers were systematically searching for and attempting to compromise misconfigured Docker containers.

Neither attack involved a vulnerability in the software itself. But security missteps and misconfigurations are not uncommon among developers, who often do not take the care needed to secure their own attack surface, says Mark Loveless, a staff security engineer at GitLab, a DevOps platform provider.
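The article does not say which Docker setting the scanned-for containers got wrong; the classic one, and an assumption on my part about what Trend Micro observed, is a Docker daemon whose REST API listens on TCP without TLS client verification. The following audit script is an added example, not code from the article, GitLab or Trend Micro. It parses a daemon.json, shows the weak listener configuration beside the hardened one, and flags the combinations that leave the daemon reachable by anyone who can hit the port. The two configurations and the 10.0.0.5 management address are constructed.

```python
"""Audit a Docker daemon.json for an API listener that an internet-wide scan
could reach. Added example; the two configurations below are constructed."""
import json
from urllib.parse import urlsplit

# Weak: the daemon's REST API on TCP/2375 with no TLS. Any client that can
# reach the port can start privileged containers, i.e. it owns the host.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Hardened: TLS with client-certificate verification, bound to a management
# address (10.0.0.5 is an assumed example address), on the conventional 2376.
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem"
}
"""

REQUIRED_TLS_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_config(config: dict) -> list[str]:
    """Return findings for the listener setup; an empty list means nothing to fix."""
    findings: list[str] = []
    tcp_hosts = [urlsplit(h) for h in config.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        # Only the unix socket: reachable by local root and the docker group.
        return findings

    tlsverify = bool(config.get("tlsverify", False))
    tls_only = bool(config.get("tls", False)) and not tlsverify
    for h in tcp_hosts:
        if not tlsverify:
            what = ("TLS but no client verification (tls without tlsverify)"
                    if tls_only else "no TLS at all")
            findings.append(f"{h.geturl()}: Docker API reachable with {what}; "
                            "anyone who can connect controls the host as root")
        if h.hostname in ("0.0.0.0", "::"):
            findings.append(f"{h.geturl()}: bound to all interfaces; bind to a "
                            "management address and firewall the port")
    if tlsverify:
        missing = [k for k in REQUIRED_TLS_KEYS if not config.get(k)]
        if missing:
            findings.append("tlsverify is set but " + ", ".join(missing) + " missing")
    return findings


def audit_daemon_json(text: str) -> list[str]:
    """Parse a daemon.json document and audit it."""
    return audit_daemon_config(json.loads(text))


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/docker/daemon.json"
    with open(path) as f:
        for finding in audit_daemon_json(f.read()) or ["no listener findings"]:
            print(finding)
```

Run it against a host's daemon.json; the weak sample produces two findings (no TLS, bound to every interface) and the hardened sample none. Note that `tls: true` on its own only encrypts the channel; without `tlsverify` the daemon still accepts any client, which is why the script treats it as a finding rather than a fix.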

“A lot of developers don’t think of themselves as targets because they are thinking that the finished code, the end result, is what attackers are going after,” he says. “Developers often take security risks — such as setting up test environments at home or taking down all the security controls — so they can try out new things, with the intent of adding security later.”

He adds, “Unfortunately, those habits become replicated and become culture.”

Attacks against the software supply chain, and against the developers who produce and deploy software, have grown quickly in the past two years. In 2021, for example, attacks aimed at compromising developers' software and the open source components they widely use grew by 650%, according to the "2021 State of the Software Supply Chain" report from software security firm Sonatype.

Developer Pipelines & Collaboration in the Sights

Security experts maintain that the fast-moving continuous integration and continuous deployment (CI/CD) environments underpinning DevOps-style approaches pose significant risk, because they are often overlooked when security controls are hardened.

[Figure: Professional developers' synchronous tools. Slack, Teams, and Zoom top the synchronous tools used by professional developers. Source: StackOverflow]

This affects a variety of tools that developers use to build more efficient pipelines. Slack, for example, is the most popular synchronous collaboration tool among professional developers, with Microsoft Teams and Zoom a close second and third, according to the 2022 StackOverflow Developer Survey. More than two-thirds of developers use Docker and another quarter use Kubernetes during development, the survey found.

Breaches of tools like Slack can be "nasty," because such tools often perform critical functions and usually have only perimeter defenses, Matthew Hodgson, CEO and cofounder of messaging platform Element, said in a statement sent to Dark Reading.

“Slack is not end-to-end encrypted, so it’s like the attacker having access to the company’s entire body of knowledge,” he said. “A real fox-in-the-henhouse situation.”

Beyond Misconfigs: Other Security Woes for Developers

Cyberattackers, it should be noted, do not only probe for misconfigurations or lax security when going after developers. In 2021, for example, a threat group used a login token bought on a gray market to get into Electronic Arts' Slack, a foothold that led to a breach in which the cybercriminals copied nearly 800GB of source code and data from the game giant. And a 2020 investigation into Docker images found that more than half of the latest builds carried critical vulnerabilities, putting any application or service built on those containers at risk.

Phishing and social engineering are also plagues in the sector. Just this week, developers using two DevOps services — CircleCI and GitHub — were targeted with phishing attacks. 

There is no evidence that whoever targeted Rockstar Games exploited a vulnerability in Slack, only the claims of the purported attacker. Social engineering was the more likely way past the company's security measures, a Slack spokesperson said in a statement.

“Enterprise-grade security across identity and device management, data protection, and information governance is built into every aspect of how users collaborate and get work done in Slack,” the spokesperson said, adding: “These [social engineering] tactics are becoming increasingly common and sophisticated, and Slack recommends all customers practice strong security measures to guard their networks against social engineering attacks, including security awareness training.”

Slow Security Improvements, More Work to Do

Developers have been slow to adopt the controls that application security professionals call for. Many still leak "secrets," including passwords and API keys, in code pushed to repositories. Development teams should therefore focus not only on protecting their code and keeping untrusted components out, but also on ensuring that the critical capabilities of their pipelines are not compromised, GitLab's Loveless says.
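A check that catches the leaked secrets mentioned above before they reach a repository, as an added example that is not from the article or from GitLab: a pre-commit style scanner that matches well-known credential formats (AWS access key IDs, Slack tokens, GitHub personal access tokens, PEM private keys) and falls back to a Shannon-entropy test for long values assigned to names that look like secrets. The sample config is constructed; the AWS key is the one AWS uses in its own documentation, and the entropy cutoff is an assumed value to tune on your own code base.

```python
"""Scan text (a file, or a staged diff piped on stdin) for credentials that
should never land in a repository. Added example; the sample config is constructed
and uses AWS's documented example key, not a live credential."""
import math
import re
import sys

# Known token formats: AWS access key IDs start with AKIA, Slack tokens with
# xox[abpr]-, GitHub classic personal access tokens with ghp_, and PEM private
# keys announce themselves in the header.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    "github_pat": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Assignments whose name smells like a secret and whose quoted value is long.
ASSIGNMENT = re.compile(
    r"(?i)\b\w*(?:secret|token|password|passwd|api[_-]?key)\w*\s*[:=]\s*"
    r"['\"]([^'\"]{16,})['\"]")
ENTROPY_THRESHOLD = 3.5  # bits/char; an assumed cutoff, tune it on your repo

SAMPLE_CONFIG = """\
# constructed sample, not real credentials
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SLACK_BOT_TOKEN = "xoxb-000000000000-000000000000-XXXXXXXXXXXXXXXXXXXXXXXX"
DB_PASSWORD = "changeme-changeme-changeme"
API_KEY = "k8QzT3vLm9Wp2RxB7nHcY4dF6sJ1aG5e"
DEBUG = "true"
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 32 distinct alphanumerics score 5.0."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, path: str = "<stdin>") -> list[dict]:
    """Return one finding per matched credential, in line order."""
    hits: list[dict] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line_hits = []
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                line_hits.append({"path": path, "line": lineno,
                                  "kind": kind, "match": m.group(0)})
        for m in ASSIGNMENT.finditer(line):
            value = m.group(1)
            # Skip values already reported by a format-specific pattern.
            if any(h["match"] in value for h in line_hits):
                continue
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                line_hits.append({"path": path, "line": lineno,
                                  "kind": "high_entropy_assignment", "match": value})
        hits.extend(line_hits)
    return hits


if __name__ == "__main__":
    # Hook usage: git diff --cached | python3 scan_secrets.py
    # (line numbers are then positions within the diff, not within the file).
    findings = scan_text(sys.stdin.read())
    for f in findings:
        print(f"{f['path']}:{f['line']}: {f['kind']}: {f['match'][:12]}...")
    sys.exit(1 if findings else 0)
```

On the sample the scanner reports the AWS key, the Slack token and the random-looking API_KEY, and stays quiet on the low-entropy placeholder password and the DEBUG flag. Wired into a pre-commit hook it blocks the commit with a non-zero exit; the same function run over a full tree catches what was already pushed, which then has to be rotated, not just deleted.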

“The whole zero-trust part, which is typically about identifying people and things like that, there also should be the same principles that should apply to your code,” he says. “So don’t trust the code; it has to be checked. Having people or processes in place that assume the worst — I’m not going to trust it automatically — particularly when the code is doing something critical, like build a project.”
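One concrete form of "don't trust the code; it has to be checked" at build time, and of keeping untrusted components out of the pipeline, is a lock file that pins exact versions with sha256 hashes and a build step that refuses any artifact that does not match. The script below is an added example in that spirit, not GitLab's tooling or the article's: it audits a requirements file in pip's `--require-hashes` format for unpinned or hash-less entries, then gates the use of a fetched artifact on its digest. The lock file and the "downloaded" bytes are constructed.

```python
"""Gate a build step on a lock file that pins exact versions and sha256 hashes,
then verify the fetched artifact before using it. Added example; the lock file
and the 'downloaded' bytes are constructed."""
import hashlib
import hmac
import re

# Constructed stand-in for a downloaded wheel, and the digest the lock records.
GOOD_ARTIFACT = b"constructed stand-in for a downloaded wheel"
GOOD_HASH = hashlib.sha256(GOOD_ARTIFACT).hexdigest()

# pip's --require-hashes format (pip-compile --generate-hashes emits this shape).
REQUIREMENTS = f"""\
# constructed lock file
requests==2.28.1 \\
    --hash=sha256:{GOOD_HASH}
urllib3>=1.26
certifi==2022.9.24
"""

REQ_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(?P<spec>(?:===|[<>=!~]=?)\s*[^\s;]+)?")
HASH_OPT = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def logical_lines(text: str) -> list[str]:
    """Join backslash-continued lines and drop comments and blanks."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(" ".join(buf.split()))
        buf = ""
    return out


def audit_requirements(text: str):
    """Return (problems, pins): package -> issues, and package -> pinned hashes."""
    problems: dict[str, list[str]] = {}
    pins: dict[str, list[str]] = {}
    for line in logical_lines(text):
        m = REQ_LINE.match(line)
        if not m:
            continue
        name = m.group("name").lower()
        spec = m.group("spec") or ""
        hashes = HASH_OPT.findall(line)
        issues = []
        if not spec.startswith("=="):
            issues.append("not pinned to an exact version with ==")
        if not hashes:
            issues.append("no --hash=sha256:..., so any artifact the index serves is accepted")
        if issues:
            problems[name] = issues
        pins[name] = hashes
    return problems, pins


def verify_artifact(data: bytes, expected_hashes: list[str]) -> bool:
    """True when the bytes match one of the pinned digests (constant-time compare)."""
    actual = hashlib.sha256(data).hexdigest()
    return any(hmac.compare_digest(actual, h) for h in expected_hashes)


def install_gate(name: str, data: bytes, pins: dict) -> bool:
    """Refuse the artifact unless the package has a pinned hash and the bytes match it."""
    hashes = pins.get(name.lower(), [])
    return bool(hashes) and verify_artifact(data, hashes)


if __name__ == "__main__":
    problems, pins = audit_requirements(REQUIREMENTS)
    for pkg, issues in problems.items():
        print(f"{pkg}: " + "; ".join(issues))
    print("requests accepted:", install_gate("requests", GOOD_ARTIFACT, pins))
    print("tampered accepted:", install_gate("requests", GOOD_ARTIFACT + b"\x00", pins))
```

In the sample, `requests` passes, `certifi` is pinned but has no hash, and `urllib3` is neither pinned nor hashed; a single flipped byte in the artifact fails the gate. The same check belongs in the CI job that builds the project, not only on developer laptops, since that is the step an attacker most wants to subvert.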

In addition, many developers still do not use basic measures to strengthen authentication, such as multifactor authentication (MFA). That is changing: open source package ecosystems such as npm and PyPI have begun requiring maintainers of major projects to adopt multifactor authentication.

In terms of tools to focus on, Slack has gained attention because of the latest major breaches, but developers should strive for a baseline level of security control across all of their tools, Loveless says.

“There are ebbs and flows, but it is whatever works for the attackers,” he says. “Speaking from my experience of wearing all kinds of hats of different colors, as an attacker, you look for the easiest way in, so if another way becomes easier, then you say, ‘I will try that first.’”

GitLab has seen this follow-the-leader behavior in its own bug bounty programs, Loveless notes.

“We see when people send in bugs, all of a sudden something — a new technique — will become popular, and a whole slew of submissions resulting from that technique will come in,” he says. “They definitely come in waves.”


