We're all starting to see the news trickle out about government agencies, tech giants, and security firms all being compromised by suspected nation-state actors. A concerning new reality faces the development community.
Details from the SolarWinds hack shows that the hostile actors compromised the servers that take source code and build executable software from it (the "build" servers). The hackers injected their own malicious code into the Solarwinds software directly at the source—and it was happily passed out to thousands of customers via regular best-practice software updates.
What this means to the future of DevOps is clear. The security of the DevOps infrastructure and pipelines must be paid as much or more scrutiny as the application security itself or the traditional network boundaries (between organization and the internet).
While there is much talk around "DevSecOps," especially integrating security INTO the pipeline with automated vulnerability scanning and other tools, it's equally as important to focus on the security OF the pipeline. As we can now all see, a compromised DevOps pipeline or toolchain can lead to insidious results for you and your customers.
At SingleStone, we specialize in DevOps security. We can help you accomplish both goals necessary to keep your faster and more agile development practices from actually getting you into more trouble. We like to say we'll help you build better software, faster. And, we're here to help keep your tech investments secure.
Reach out if you have a question, want to chat DevSecOps, or are thinking to yourself, "is our pipeline really secure?"