Secure Developer Workstations Without Slowing Them Down

Source: National Cyber Security – Produced By Gregory Evans

Fueled by automation, the adoption of DevOps processes and more, the role of the developer has become increasingly important and widespread for enterprises going through digital transformation. Developers need access to privileged credentials in order to access key developer tools like Kubernetes or Jenkins admin console. These credentials can be saved locally, making developers’ workstations — whether they are Macs or PCs — high-value targets for hackers.

These workstations are often vulnerable to something as simple as a phishing email, which attackers can use as an entry point to gain access to the developer’s credentials. Because of these vulnerabilities, developers’ workstations are extremely important to secure. However, developers are famous for prizing speed above all else — and for seeing security as little more than a speed bump. So how do you ensure that developers take security seriously?

Securing privileged access through the principle of least privilege needs to be a top security priority. It is no secret that no-one should have full-time admin rights. But, what does that mean for developers?

Security teams face a difficult dilemma. They need to better secure developer workstations while still providing them the elevated permissions and privileges—and freedom—they need to get their job done. And they need to do all that without impacting velocity.

I recently encountered this comment on the Stackoverflow forum:

“There is almost no legitimate operational reason for restricting admin access to local PCs for staff that need it to do their job.”

Is that true?

Developers, DevOps and other engineers all perform administrative tasks as part of their job responsibilities, so they also have “full control” of their environment. Furthermore, because of the work developers do, there are extra challenges involved in hardening and restraining their workstations regardless of whether they are using Windows or macOS.

Developers install and uninstall software, drivers and system updates. They change operating system internals and use debugging programs on a regular basis. Without full control, developers often can’t do their jobs.

However, developers have access to source code, API keys and other shared secrets – usually more access than the standard user. Compromising a developer is a quick way for attackers to gain immediate elevated access to the most essential, mission-critical information an organization has. Consequently, developers have the kind of access that attackers want, which makes them the type of user who needs the highest levels of protection – whether they like it or not.

Want to take over a company or cause reputational damage quickly? Compromise a developer endpoint.

There are even specific types of attacks designed to target developers. In “watering hole” attacks, for instance, cyber attackers compromise common, popular developer web sites known to be good places to share code and get help troubleshooting programming issues. In one such case, four of the largest software developer companies in the world were compromised during a single cyber attack campaign that placed a zero-day Java exploit on an iOS developer web site.

Rights and Responsibilities

One way to deal with developers’ requests for full admin rights would be to provide them with virtual machines dedicated to programming, which could be perfectly patched and thoroughly hardened. This is doable with the right amount of monitoring and alerting, antimalware and IPS.

However, a workaround like this has a huge management overhead. It requires more budget, additional machines and someone else to manage those machines. It’s not a comfortable situation for the IT team or the developer – and let’s not forget the cost of such a solution.

Additionally, while using their development tools, developers consume a lot of computer resources (e.g. generating millions of temporary files during code compilation). This leaves the security team with the job of ensuring that no significant performance impact occurs while implementing endpoint security products – not an easy task.

Conventional attempts to counter this typically require system administrators or security staff to perform manual inspections and craft security policies in response. As application complexity and development velocity increase, it becomes impractical to determine least privilege ahead of time manually. Furthermore, a central policy gatekeeper won’t scale efficiently and is likely to negatively impact delivery velocity.

Cutting the Gordian Knot

There has to be a better way to balance the needs of the developer with security concerns. Organizations need to be able to remove administrative privileges from developers without preventing them from doing their jobs, reducing velocity or overburdening security teams.

CyberArk Endpoint Privilege Manager can overcome these obstacles, allowing organizations to remove privileged credential rights on Windows workstations, servers and macOS. It provides privileged access management (PAM), allowing enterprises to easily remove local admin users – including developers. For instance, CyberArk Endpoint Privilege Manager can elevate specific applications used by the developer on a day-to-day basis, or provide just-in-time user elevation for a specified time while recording and logging all user activity.

In addition, since developers may save credentials to their development environments, Endpoint Privilege Manager protects those repositories from credential theft while allowing trusted applications to use the credential stores.

Another key feature for the developer use case is the set of out-of-the-box predefined policies for different developer tools such as Visual Studio, Eclipse, Git and others.

Final Thought – The Developer Resistance

Each new security-driven restriction impacts developer productivity throughout the entire software development process. Consequently, developers may fight the rules and restrictions necessary to maintain a strong security posture. What makes Endpoint Privilege Manager any different?

Endpoint Privilege Manager minimizes interference in the developer workflow. Developers – and other users – don’t need to go through the extra step of involving an administrator when they need access to certain applications. For a predefined, approved set of applications, users can seamlessly gain access through an automated process.

Furthermore, Endpoint Privilege Manager allows users to elevate privileges to access these approved applications while continuing to access other, unapproved applications as non-privileged users. This means that developers can continue to access the majority of the applications they use on a daily basis without having to slow down – and without losing out on the benefits of application security.

Developers are like builders constructing a house on an empty lot. They need to be armed with the best tools to do their best work. If you give them old equipment, they will spend more time working around it than actually building. Endpoint Privilege Manager lets developers do what they do best – without interrupting their workflow with compliance and security requirements – so that they can write code faster.

Developers don’t need to be the last holdout for administrator rights within an organization. Learn how this is possible today.

The post Secure Developer Workstations Without Slowing Them Down appeared first on CyberArk.

*** This is a Security Bloggers Network syndicated blog from CyberArk authored by Vadim Sedletsky. Read the original post at: https://www.cyberark.com/blog/secure-developer-workstations-without-slowing-them-down/


Bug took Apple’s Developer website down amid hacking fears


After several developers reported a possible security breach in Apple’s Developer website as their account addresses showed an address in Russia, Apple has said the problem originated owing to a bug in its account management application. According to a MacRumours report on Thursday, several developers reported that all of their…

The post Bug took Apple’s Developer website down amid hacking fears appeared first on National Cyber Security Ventures.


Intern – Software Developer


Job Description: JENSEN HUGHES is seeking a summer intern in the area of software development. You will work with a dynamic team to assist in developing software for user interfaces and robotic platforms. The position will be with our expanding …

The post Intern – Software Developer appeared first on National Cyber Security Ventures.


Cyber Tool Developer


Description:
Provide Software Engineering/Software Development support for applications, tools, application enhancement modules, exploits and network capability. Use industry standard development languages to develop tools and applications. Perform analysis and assessment of computer network components; design, development, implementation and unit testing

The post Cyber Tool Developer appeared first on National Cyber Security Ventures.


Cyber Tool Developer III


Description:
Provide Senior level support for Software Engineering/Development of applications/tools/exploits and enhancements for wired/wireless network capabilities using industry standard development languages. Perform SME analysis and assessment of computer network components; design, development, implementation and unit testing of behavioral detection technology. Perform RE of code; conduct research on computer network component internals; producing

The post Cyber Tool Developer III appeared first on National Cyber Security Ventures.


IT Applications Developer


Job Summary

ECRI Institute seeks an Application Development Manager to manage a team / workgroup of Application Developers. Applies significant knowledge of Microsoft Technologies, including .NET, SQL Server, SharePoint and Silverlight, to implement application solutions

The post IT Applications Developer appeared first on National Cyber Security.


German Developer responsible for HeartBleed Bug in OpenSSL

We have already read many articles on Heartbleed, one of the biggest Internet threats of recent times, which was discovered by a team of security engineers at Codenomicon while improving the SafeGuard feature in Codenomicon’s Defensics security testing tools. The story has captured media attention across the world, as the bug opened the door for cyber criminals to extract sensitive data from a server’s memory, and almost every major site has been affected by it.

UNINTENTIONAL BIRTH OF HEARTBLEED

More than two years ago, German programmer Robin Seggelmann introduced a new feature called “Heartbeat” into the most secured open source encryption software, OpenSSL, which is used by several social networks, search engines, banks and other websites to enable secure connections while transmitting data. Introducing the Heartbeat feature cost him dearly, as that is where the most critical bug resides.

Dr. Seggelmann was allegedly just trying to improve OpenSSL and was working on an update; while submitting the update that enabled the Heartbeat feature, an “oversight” led to an error that unintentionally created the “Heartbleed” vulnerability, according to The Guardian.

Heartbleed is the encryption flaw that left a large number of cryptographic keys and private data, such as usernames, passwords and credit card numbers, on the most important sites and services on the Internet open to hackers, forcing some security researchers to warn Internet users against using even their everyday sites for the next few days until the problem was fully solved. The developer is responsible for what may be the biggest Internet vulnerability in recent history, but it was just a single programming error in the new feature: he did not notice the missing validation, and unfortunately the code reviewer missed it as well before it was introduced in the newly released version.

“I am responsible for the error,” Robin Seggelmann told The Guardian, “because I wrote the code and missed the necessary validation by an oversight. Unfortunately, this mistake also slipped through the review process and therefore made its way into the released version.”

Robin Seggelmann submitted the OpenSSL code with the Heartbeat feature in an update on New Year’s Eve, 2011. This means the most critical threat had been around, unnoticed, for more than two years.

Dr. Seggelmann said it was obvious that people would assume the bug was intentionally inserted, especially after the various revelations by Edward Snowden of the surveillance activities carried out by the US National Security Agency (NSA) and other countries’ intelligence agencies.

“But in this case, it was a simple programming error in a new feature, which unfortunately occurred in a security relevant area,” he said. “It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project.”

Despite denying that he inserted the code intentionally, he said it could be entirely possible that government intelligence agencies had been making use of this critical flaw over the past two years.

“It is a possibility, and it’s always better to assume the worst than best case in security matters, but since I didn’t know [about] the bug until it was released and [I am] not affiliated with any agency, I can only speculate,” he told The Sydney Morning Herald.

Source: http://whogothack.blogspot.co.uk/2014/04/german-developer-responsible-for.html#.VkPBfvmqqko

The post German Developer responsible for HeartBleed Bug in OpenSSL appeared first on Am I Hacker Proof.


‘Oversight’ caused the Heartbleed error, says its developer

Robin Seggelmann, a programmer based in Germany, submitted the code in an update submitted at 11:59pm on New Year’s Eve, 2011. It was supposed to enable a function called “Heartbeat” in OpenSSL, the software package used by nearly half of all web servers to enable secure connections.

He says the “Heartbleed” vulnerability in the open-source code used by thousands of websites was an “oversight” – but that its discovery validates the methods used.

His update did enable Heartbeat, but an “oversight” led to an error with major ramifications: it accidentally created the “Heartbleed” vulnerability, which has been described as a “catastrophic” flaw that laid the contents of thousands of web servers open to hackers.

Seggelmann worked on the OpenSSL project during his PhD studies, from 2008 to 2012, but isn’t involved with the project any more.

The flaw has also been discovered in Cisco and Juniper routing gear, which could mean that hackers could capture sensitive data such as passwords passing over the internet.

He said that the mistake has nothing to do with its festive datestamp. “The code… was the work of several weeks. It’s only a coincidence that it was submitted during the holiday season.

“I am responsible for the error,” he continued, “because I wrote the code and missed the necessary validation by an oversight. Unfortunately, this mistake also slipped through the review process and therefore made its way into the released version.”

Source: http://whogothack.blogspot.co.uk/2014/04/oversight-causes-error-heartbleed-says.html#.VjKYL_mqqko

The post ‘Oversight’ caused the Heartbleed error, says its developer appeared first on Am I Hacker Proof.


Solve cannot open unidentified developer app in MAC OS x – Missing Computer Alert

missingcomputeralert.com – Computer Services. Remotely or Locally solve Malware, Popups, Virus, Boot, Connectivity, Internet, Emails, Browsing, errors issues. Windows server and VMWare support Your Canadian computer…
