Code security platform provider GitGuardian has announced the launch of a new open-source Canary token project to help organizations detect compromised development and DevOps environments. According to the firm, security teams can use GitGuardian Canary Tokens (ggcanary) to create and deploy canary tokens in the form of Amazon Web Services (AWS) secrets to trigger alerts whenever they are tampered with by attackers. This release reflects a broader industry trend of emerging standards and initiatives designed to address software supply chain and DevOps tool risks.
ggcanary offers “very sensitive” intrusion detection
In a press release, GitGuardian said that organizations’ continued adoption of cloud and modern software development practices is unknowingly expanding their attack surfaces. As internet-facing assets and corporate networks become better secured, attackers are looking to components of the software supply chain, such as continuous integration and continuous deployment (CI/CD) pipelines, as entry points, it added.
GitGuardian reported that after gaining initial access, attackers often search for valid hard-coded credentials that they can use for further lateral movement. The ggcanary project is designed to help enterprises detect such compromises faster, said GitGuardian, and is built with the following features:
- Reliance on Terraform, HashiCorp’s popular infrastructure-as-code tool, to create and manage the AWS canary tokens.
- Highly sensitive intrusion detection that uses AWS CloudTrail audit logs to track every type of action an attacker performs with a canary token.
- Scalability up to 5,000 active AWS canary tokens deployed across an organization’s internal perimeter: in source code repositories, CI/CD tools, and ticketing and messaging systems such as Jira, Slack or Microsoft Teams.
- Its own alert system, integrated with AWS Simple Email Service (SES), Slack and SendGrid. Users can also extend it to forward alerts to SOCs, SIEMs or ITSM tools.
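The detection step the feature list describes, as an added example that is not code from the original article or from the ggcanary project: it loads a CloudTrail log file, matches the access-key ID each record was signed with against a table of planted canary keys, and raises an alert for every match, whether or not the call succeeded. The canary table, the decoy names and the CloudTrail records are constructed for this example; the key IDs are AWS-style placeholders, not real credentials.

```python
"""Added example: flag any CloudTrail record signed with a planted canary key.

Assumptions (not from the article or from ggcanary): the canary table below is
what you would record when Terraform creates the decoy IAM users, and the
CloudTrail records are constructed for this example with placeholder key IDs.
"""
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed canary table: access-key ID -> where the decoy was planted.
# Placeholder IDs in AWS's AKIA... format, not real credentials.
CANARY_KEY_IDS: Dict[str, str] = {
    "AKIAIOSFODNN7EXAMPLE": "ci-runner-secret-1",   # planted as a CI variable
    "AKIA2CANARYEXAMPLE99": "jira-ticket-attach",   # planted in a ticket
}


@dataclass(frozen=True)
class CanaryAlert:
    """One use of a canary key, as seen in CloudTrail."""
    canary: str                 # where the decoy was planted
    key_id: str
    event_time: str
    event_name: str
    source_ip: str
    user_agent: str
    error_code: Optional[str]   # e.g. "AccessDenied"; None when the call succeeded


def parse_trail(text: str) -> List[dict]:
    """Return the records of a CloudTrail log file ({"Records": [...]})."""
    return json.loads(text).get("Records", [])


def key_id_of(record: dict) -> Optional[str]:
    """Access-key ID the record was signed with; None for events without one."""
    identity = record.get("userIdentity") or {}
    return identity.get("accessKeyId")


def detect_canary_use(records: Iterable[dict],
                      canaries: Dict[str, str]) -> List[CanaryAlert]:
    """Every record signed with a canary key becomes an alert.

    A failed call (errorCode present) still alerts: the decoy has no
    legitimate user, so even an AccessDenied probe means the place it was
    planted has been read by someone who should not have it.
    """
    alerts: List[CanaryAlert] = []
    for rec in records:
        key_id = key_id_of(rec)
        if key_id in canaries:          # None is never a key, so it never matches
            alerts.append(CanaryAlert(
                canary=canaries[key_id],
                key_id=key_id,
                event_time=rec.get("eventTime", ""),
                event_name=rec.get("eventName", ""),
                source_ip=rec.get("sourceIPAddress", ""),
                user_agent=rec.get("userAgent", ""),
                error_code=rec.get("errorCode"),
            ))
    return alerts


def render_alert(alert: CanaryAlert) -> str:
    """Plain-text message suitable for an SES mail or a Slack webhook body."""
    outcome = f"failed ({alert.error_code})" if alert.error_code else "succeeded"
    return (f"CANARY TRIGGERED [{alert.canary}] key {alert.key_id}: "
            f"{alert.event_name} {outcome} from {alert.source_ip} "
            f"at {alert.event_time} ({alert.user_agent})")


# Constructed CloudTrail records: two calls with a planted key (one denied),
# one ordinary IAM-user call and one console login, which must not alert.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2022-07-26T10:15:02Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.23",
     "userAgent": "aws-cli/2.7.1 Python/3.9.11 Linux/5.15",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                      "userName": "ci-runner-secret-1"}},
    {"eventTime": "2022-07-26T10:15:09Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.23",
     "userAgent": "aws-cli/2.7.1 Python/3.9.11 Linux/5.15",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                      "userName": "ci-runner-secret-1"}},
    {"eventTime": "2022-07-26T10:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.5",
     "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIALEGITIMATEUSER01",
                      "userName": "alice"}},
    {"eventTime": "2022-07-26T10:21:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
     "userAgent": "Mozilla/5.0", "userIdentity": {"type": "Root"}},
]})


if __name__ == "__main__":
    for alert in detect_canary_use(parse_trail(SAMPLE_TRAIL), CANARY_KEY_IDS):
        print(render_alert(alert))
```

Matching on `userIdentity.accessKeyId` is deliberate: it fires on the first signed request, including an `AccessDenied` probe, before the attacker has learned what the key can do, and it does not depend on the decoy user having any permissions at all.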
Depending on adoption rates, GitGuardian said it would consider integrating ggcanary into its end-to-end automated detection and remediation platform in the future.
Industry Takes Action to Combat Open Source Software Security Threats
The release of the ggcanary project follows other initiatives recently launched to help address and resolve security complexities in the open source software and development landscape. In May 2022, the Open Source Security Foundation published The Open Source Software Security Mobilization Plan, outlining a 10-pronged investment strategy with steps for immediate improvements and solid foundations for a more secure future. Its three main security objectives are:
- Secure production OSS with a focus on preventing security flaws and vulnerabilities in open source code and packages.
- Improve the discovery and remediation of vulnerabilities by improving the process of defect detection and remediation.
- Shorten ecosystem patch response times by accelerating patch distribution and implementation.
In the same month, JFrog presented the Pyrsia project, a community-based open source software initiative that uses blockchain technology to protect software packages from vulnerabilities and malicious code.
Manjunath Bhat, VP analyst, DevOps and software engineering at Gartner, told CSO that given the widespread use of open source and the associated risks, it is promising to see the growth of tools, standards and security practices to protect open source software. “We find the threat landscape in open source software spread across many layers, including source code, packages, public container images, repositories, CI/CD pipelines, development and delivery tools. Attackers begin to realize that the more ‘upstream’ the attack, the more damage they can inflict. As a result, the risks have expanded to include typosquatting, malicious code injection and tampering, hard-coded secrets, and certificate theft and modification. The idea is to protect the integrity of open source software using open source tools.”
Organizations are taking open source software security more seriously
Organizations are also taking software supply chain risks more seriously than ever, especially as they begin to realize that open source underpins many of their core platforms and basic services, says Bhat. “We are seeing more and more customers trying to govern the use of open source software dependencies through the combined use of trusted component registries and software composition analysis tools,” he adds. “This approach gives organizations a secure yet fast way to consume open source.”
Janet Worthington, senior analyst at Forrester, agrees. “Organizations are increasingly concerned about vulnerable components that could be downloaded and integrated into their applications and the consequences of using certain open source licenses. The industry has also seen a dramatic increase in open source supply chain attacks that affect not only organizations but also their customers. Is open source inherently a threat to organizations? No, but the business risk comes from the assumption that the quality and security of open source software is the responsibility of open source maintainers and outside the responsibility of your organization.”
Bhat’s advice for organizations that want to integrate open source software securely follows a three-pronged approach: secure source code, secure DevOps pipelines, and a secure operating environment. “At the code level, make sure to use secure open source dependencies. This can be achieved through reliable component catalogs and software BOMs that provide visibility and traceability, while ensuring developers are using the latest corrected versions,” he continues. “Our recommendation is to make every effort to adopt DevSecOps practices as well – using automation to build security into every phase of the development lifecycle. software that is secure by design, let alone secure by default.”
For Worthington, software composition analysis (SCA) tools that provide information about the health and security of open source components, and that prevent vulnerable components from entering the development process, are also critical. “Finally, contribute financially to the open source projects you depend on and to the open source community to lay the foundation for future innovation.”
Copyright © 2022 IDG Communications, Inc.