
Protect and Defend: Repositories

By: Dwayne Melancon on March 26, 2014

When you’re creating work that gets deployed into production, there is typically a repository involved. It could be a code base, a deployment hub, a definitive software library, a library of VM or application templates, etc.


Often, you may not think twice about what’s in these repositories or whether you can trust their content – after all, you and your teams built these repositories, right? That may be true, but what if your trust is misplaced?

The recent Target breach illustrated (among other things) that you may be incorrect in assuming the “inbox” of your deployment process is trustworthy. In the Target example, there was a queue of patches ready for deployment, but someone added additional, malicious code to that queue without being noticed. The automated deployment process grabbed both the authorized and the malicious code and distributed it to every point-of-sale device in the network. Not a good outcome.

Their workflow included a trustworthy process to test code before it was checked into the deployment queue, but there was also a flaw in the process: there were no controls in place to detect when anyone went around the process and made arbitrary changes to the repository. In other words, even if you put trusted packages into the queue, the packages could be modified and additional code could be added without those alterations being noticed.

What we can learn from this kind of situation is the value of the tried-and-true principle of “trust but verify”: don’t assume you can trust your repositories without validating what’s in there. With that notion in mind, think about your environment – are there repositories that people could alter without being noticed? If so, that could present a problem for both security and reliability in your organization.

To correct this, we need to treat our repositories like bank accounts – account for everything that goes in or out, and monitor the contents of the repository continuously to look for any undocumented or unauthorized “transactions” (adds, removes, or changes). We must also add validation checks to the deployment process to make sure everything is accounted for before the deploy occurs. Yes, this will likely mean you need to do some extra work on your deployment workflow, add technology for instrumentation, etc., but it will more than pay for itself through better security, accountability, and availability.
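One way to put the “bank account” approach into practice, as an added example that is not the article’s own code: a manifest of approved package hashes taken by the trusted test step, a continuous audit that lists every add, remove or change against that manifest, and a deploy gate that refuses to release when the queue differs. The queue directory, package file names and manifest path are constructed assumptions for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def file_sha256(path: Path) -> str:
    """Content hash of one file, read in chunks so large packages are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(repo: Path) -> dict:
    """Account for every file in the repository: relative path -> SHA-256."""
    return {p.relative_to(repo).as_posix(): file_sha256(p)
            for p in sorted(repo.rglob("*")) if p.is_file()}

def audit(approved: dict, current: dict) -> dict:
    """List every undocumented 'transaction' since the approved snapshot."""
    return {
        "added": sorted(set(current) - set(approved)),
        "removed": sorted(set(approved) - set(current)),
        "changed": sorted(k for k in approved.keys() & current.keys()
                          if approved[k] != current[k]),
    }

def deploy_gate(repo: Path, manifest_path: Path) -> tuple[bool, dict]:
    """Pre-deploy validation: release only if the queue matches the manifest exactly."""
    approved = json.loads(manifest_path.read_text())
    findings = audit(approved, snapshot(repo))
    return not any(findings.values()), findings

def demo(tamper: bool = True) -> tuple[bool, dict]:
    """Constructed scenario: approve a queue, then (optionally) alter it out of band."""
    with tempfile.TemporaryDirectory() as tmp:
        queue = Path(tmp) / "deploy-queue"          # assumed deployment queue location
        queue.mkdir()
        (queue / "pos-patch-1.pkg").write_bytes(b"approved patch 1")
        (queue / "pos-patch-2.pkg").write_bytes(b"approved patch 2")
        manifest = Path(tmp) / "approved-manifest.json"
        manifest.write_text(json.dumps(snapshot(queue)))  # written by the trusted test step
        if tamper:  # someone goes around the process: adds a package, edits an approved one
            (queue / "pos-patch-3.pkg").write_bytes(b"unreviewed code")
            (queue / "pos-patch-2.pkg").write_bytes(b"approved patch 2 plus extra")
        return deploy_gate(queue, manifest)

if __name__ == "__main__":
    print(demo())
```

Running the same `audit` on a schedule against the live repository gives the continuous monitoring the article asks for; the gate is the same check run once more, immediately before the deploy.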

By the way – this same principle applies to the scripts and automation tools you rely on, as well. If someone were to alter these tools without your knowledge, you may get results you don’t like. You should also consider that your automated deployment repositories aren’t the only vector for untrusted code to enter production – continuous monitoring of the production environment is also a crucial activity.

Protect and defend your repositories – it’s important.
