Question: What threats to developers and development environments should I know about, and how do I defend against them?
Brad Causey, CEO at Zero Day Consulting: Developers should be on the lookout for several threats. First, be wary of what libraries and third-party code you integrate into your applications. Aside from the obvious older and vulnerable versions out there, many companies are seeing supply chain attacks. This is where the attacker compromises an application or library in use by the organization but hosted and provided by a vendor. Recently, for example, a Chinese hacker group, Wicked Panda, has been compromising system admin tools and vendor update repositories in order to gain footholds into their consumer networks. The takeaway? Make sure anything you bundle into your software is vetted and safe. Also, take a close look at your integrated development environment (IDE) and other development tools.
Development environments pose a few unique risks to the organization. First, the security of these environments is generally lacking. Often, they will have weak permissions or poor/reused credentials. Additionally, they often have production data used for testing. This combination can often lead to production data being exposed to an attacker who homes in on the weaker security of a development environment.
Another common mistake is to use production credentials and configurations in both development and production environments. For example, if the username and password for a system administrator are the same for both production and development databases, attackers can pivot from one to the other more easily. Always segment out and protect your production environment from any attacks on dev.
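One concrete way to act on the "vetted and safe" advice above for bundled libraries is to refuse any third-party artifact whose exact version and hash were not recorded at review time. The following script is an added example, not code from the column or from Zero Day Consulting. The requirement-line format mimics pip's `--hash=sha256:...` pins, but the parser, the checker, the package name `examplelib` and the artifact bytes are constructed for illustration.

```python
"""Verify a bundled third-party artifact against a pinned SHA-256 allowlist.

Added example, not from the original column. The requirement-line format
mimics pip's "--hash=sha256:..." pins; the parser and checker here are
hypothetical illustration code, not pip itself.
"""
import hashlib
import hmac
import re

# Constructed artifacts: the vetted library bytes and a tampered copy of them.
GOOD_ARTIFACT = b"# examplelib 2.4.1 (constructed)\ndef pad(s, n):\n    return s.rjust(n)\n"
TAMPERED_ARTIFACT = GOOD_ARTIFACT + b"# one extra line from a compromised mirror\n"

# Constructed allowlist, pinned to the hash of the artifact as it was reviewed.
PINNED_REQUIREMENTS = (
    "# hashes recorded when the artifact was reviewed\n"
    "examplelib==2.4.1 --hash=sha256:" + hashlib.sha256(GOOD_ARTIFACT).hexdigest() + "\n"
)

# A valid pin needs an exact version AND a 64-hex-char sha256 digest.
PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>\S+)\s+--hash=sha256:(?P<digest>[0-9a-f]{64})$"
)


def parse_pins(text):
    """Return ({(name, version): sha256_hex}, [unpinned_or_malformed_lines]).

    Lines without an exact version and hash are reported rather than silently
    accepted; a lockfile containing any such line should fail the build.
    """
    pins, problems = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = PIN_RE.match(line)
        if match is None:
            problems.append(line)
            continue
        pins[(match["name"].lower(), match["version"])] = match["digest"]
    return pins, problems


def verify_artifact(name, version, data, pins):
    """Return (ok, reason). Refuses anything with no pin or with a hash mismatch."""
    expected = pins.get((name.lower(), version))
    if expected is None:
        return False, "no pinned hash for %s==%s; refusing to bundle" % (name, version)
    actual = hashlib.sha256(data).hexdigest()
    # Digests are not secret, but a constant-time compare costs nothing here.
    if not hmac.compare_digest(actual, expected):
        return False, "sha256 mismatch for %s==%s (got %s...)" % (name, version, actual[:16])
    return True, "hash matches pinned value"


PINS, PIN_PROBLEMS = parse_pins(PINNED_REQUIREMENTS)

if __name__ == "__main__":
    for label, blob in (("vetted copy", GOOD_ARTIFACT), ("tampered copy", TAMPERED_ARTIFACT)):
        print(label, verify_artifact("examplelib", "2.4.1", blob, PINS))
    print("unknown version", verify_artifact("examplelib", "2.5.0", GOOD_ARTIFACT, PINS))
    print("unpinned lines", parse_pins("examplelib>=2\nrequests==2.31.0\n")[1])
```

The check deliberately fails closed: a version that was never reviewed, a lockfile line that is missing its hash, and a byte-level change to the artifact all block the bundle, which is the behaviour you want when a vendor's update repository rather than your own code is what the attacker controls.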
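The credential and configuration reuse described above is easy to catch mechanically if environment configuration is kept in files that can be compared. The script below is an added example, not code from the column or from Zero Day Consulting; it audits two constructed `.env`-style files, flagging credentials whose values are identical in dev and prod, weak or default dev credentials, and dev settings that point at production endpoints. All key names, hostnames and values are made up for the sample.

```python
"""Audit dev and prod config for shared credentials and cross-environment pivots.

Added example, not from the original column. Inputs are constructed
.env-style text; key names, hostnames and secret values are invented.
"""
import re

# Keys whose values are treated as credentials (hypothetical naming convention).
CRED_KEY_RE = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)
# Keys whose values name a backend the environment talks to.
ENDPOINT_KEY_RE = re.compile(r"(HOST|URL|ENDPOINT|DSN)$", re.I)
WEAK_VALUES = {"", "admin", "password", "changeme", "root", "123456", "dev", "test"}
MIN_SECRET_LEN = 8

DEV_ENV = """\
# dev/.env (constructed sample)
DB_HOST=db.dev.example.internal
DB_USER=sysadmin
DB_PASSWORD="Winter2019!"
API_TOKEN=dev-only-token-0001
ADMIN_PASSWORD=admin
ANALYTICS_DB_HOST=db.prod.example.internal
"""

PROD_ENV = """\
# prod/.env (constructed sample)
DB_HOST=db.prod.example.internal
DB_USER=sysadmin
DB_PASSWORD=Winter2019!
API_TOKEN=prod-token-8f3a9c2e1b
"""


def parse_env(text):
    """Parse KEY=VALUE lines; skips comments/blanks and strips matching quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def is_credential_key(key):
    return bool(CRED_KEY_RE.search(key))


def is_endpoint_key(key):
    return bool(ENDPOINT_KEY_RE.search(key))


def find_shared_credentials(dev, prod):
    """(dev_key, prod_key) pairs whose secret values are identical across environments.

    Matching is by value, not by key name, so a dev DB password that equals a
    prod admin password under a different key is still caught.
    """
    prod_by_value = {v: k for k, v in prod.items() if is_credential_key(k)}
    return sorted((k, prod_by_value[v]) for k, v in dev.items()
                  if is_credential_key(k) and v in prod_by_value)


def find_weak_credentials(env):
    """Credential keys holding a default, empty or very short value."""
    return sorted(k for k, v in env.items() if is_credential_key(k)
                  and (v.lower() in WEAK_VALUES or len(v) < MIN_SECRET_LEN))


def find_prod_endpoints_in_dev(dev, prod):
    """(dev_key, prod_key) pairs where a dev setting names a production backend."""
    prod_by_value = {v: k for k, v in prod.items() if is_endpoint_key(k)}
    return sorted((k, prod_by_value[v]) for k, v in dev.items()
                  if is_endpoint_key(k) and v in prod_by_value)


def audit(dev_text, prod_text):
    dev, prod = parse_env(dev_text), parse_env(prod_text)
    return {
        "shared_credentials": find_shared_credentials(dev, prod),
        "weak_dev_credentials": find_weak_credentials(dev),
        "weak_prod_credentials": find_weak_credentials(prod),
        "dev_refs_to_prod": find_prod_endpoints_in_dev(dev, prod),
    }


if __name__ == "__main__":
    for finding, items in audit(DEV_ENV, PROD_ENV).items():
        print(finding, items)
```

Run against the sample, the audit reports the shared `DB_PASSWORD` (the pivot path the answer warns about: same administrator credentials on both databases), the default `ADMIN_PASSWORD` in dev, and a dev analytics setting that reaches straight into the production database host. Wiring a check like this into the pipeline that deploys configuration is a cheap way to enforce the segmentation the answer calls for.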
Brad Causey is an active member of the security and forensics community worldwide. Brad tends to focus his time on Web Application security as it applies to global and enterprise arenas. He is a member of the OWASP Global Projects Committee and the President of the …