Should organizations consider using a managed service for DevOps to keep their platforms up to date and secure?
The recent disclosure of a vulnerability that would allow open source Jenkins continuous integration/continuous delivery (CI/CD) platforms to be employed to launch a distributed denial of service (DDoS) attack highlights how challenging it is to secure the platforms on which many organizations now depend to build their most critical applications.
The CVE-2020-2100 bug theoretically would have allowed cybercriminals to employ the Jenkins UDP discovery protocol to bounce traffic between servers until they could no longer respond. That same flaw also could be employed to launch DDoS amplification attacks against platforms connected to the internet. Those attacks can’t be stopped unless one of the servers is rebooted or its Jenkins service is restarted. The specific vulnerability discovered was fixed last month in Jenkins v2.219. IT organizations can either upgrade their Jenkins servers, disable the UDP discovery protocol or block the UDP port 33848.
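To verify that the mitigations above actually took effect on a Jenkins host you administer, the following added self-audit script (not from the article or the Jenkins project) sends one datagram to the discovery port, parses the `<hudson>` XML reply that Jenkins' UDP broadcast responder emits, and classifies the reported version against 2.219. The hostname, port constant name and the sample reply are constructed for illustration; the version check assumes the two-component weekly release numbering, so LTS versions (three components) are reported as unknown rather than compared.

```python
import socket
import xml.etree.ElementTree as ET

JENKINS_UDP_PORT = 33848      # discovery port named in the article
FIXED_WEEKLY = (2, 219)       # first weekly release carrying the fix (from the article)

# Constructed sample reply in the shape Jenkins' UDP responder returns
# (the url, server-id and version values are made up for the test).
SAMPLE_REPLY = (b"<hudson><version>2.218</version>"
                b"<url>http://ci.example.internal:8080/</url>"
                b"<server-id>0123abcd</server-id><slave-port>50000</slave-port></hudson>")


def parse_reply(data: bytes) -> dict:
    """Return the child tags of a <hudson> discovery reply, or {} if it is not one."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return {}
    if root.tag != "hudson":
        return {}
    return {child.tag: (child.text or "") for child in root}


def assess_version(version: str) -> str:
    """'patched' / 'vulnerable' for weekly x.y versions; 'unknown' for anything else
    (LTS lines have their own fixed release, so consult the Jenkins advisory)."""
    parts = version.split(".")
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        return "unknown"
    return "patched" if tuple(map(int, parts)) >= FIXED_WEEKLY else "vulnerable"


def probe(host: str, timeout: float = 2.0) -> dict:
    """Self-audit: does this host still answer on the discovery port, and with what version?"""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(b"\n", (host, JENKINS_UDP_PORT))   # any datagram triggers the reply
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return {"host": host, "discovery_enabled": False,
                    "status": "no reply (discovery disabled or port blocked)"}
    version = parse_reply(data).get("version", "")
    return {"host": host, "discovery_enabled": True,
            "version": version, "status": assess_version(version)}


if __name__ == "__main__":
    print(probe("ci.example.internal"))   # hostname is a placeholder
```

A host that has been upgraded will still answer unless discovery is disabled (Jenkins turns the responder off when started with the `hudson.udp` system property set to `-1`) or the port is filtered, so "patched" and "no reply" are both acceptable audit outcomes.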
Tracy Miranda, director of open source community for CloudBees and member of the governing board for the Continuous Delivery Foundation (CDF), which oversees the development of Jenkins, said the bug itself is at best of medium severity. However, now that it’s been disclosed, the race is on to patch Jenkins servers or block UDP port 33848 before cybercriminals exploit the vulnerability on any public-facing instance of a Jenkins server.
Given that most IT organizations may not have the resources at hand to patch their Jenkins servers quickly, Miranda said this and other cybersecurity issues still to come are a reason more organizations should rely on instances of Jenkins that are managed by third-party providers on their behalf. Organizations are spinning up more Jenkins servers than ever as they move to accelerate application development, and by relying on a managed service provider (MSP) to manage Jenkins, IT teams can focus more of their efforts on building and deploying applications rather than on managing CI/CD platforms.
These days, more organizations are looking at DevSecOps as a best practice. Much of that focus, however, is on securing the applications that DevOps teams create; not nearly as much attention is being paid to securing the underlying platforms on which those applications are being built and deployed.
It’s too early to say to what degree cybersecurity concerns might push IT organizations toward managed DevOps platforms. However, the more that cybersecurity teams participate in the DevOps process, the more they will ask questions about the fundamental security of the underlying platform.
Of course, many IT teams view managed services provided by third-party vendors as a threat to their existence. Nevertheless, DevOps platforms are among the most complex and expensive platforms to manage. In fact, that complexity is one of the main reasons so many organizations have hired site reliability engineers (SREs) rather than relying on traditional IT administrators to manage DevOps platforms such as Jenkins. The question that often comes up is just how many SREs an organization needs to hire before the cost of a managed DevOps platform becomes economically more appealing.