
April 2022

How To Fight Friction Between Security and Development Teams

There is a lot of discussion these days about the need to reduce or eliminate friction from customer experiences, whether it’s easing the process of finding and buying products online, slashing wait times to reach customer service representatives, speeding up delivery, or other efforts. But what about addressing another kind of friction, the kind that exists between the software development and product security teams at organizations?

Months Later, Are You Still Vulnerable to Log4Shell?

By Yotam Perkal, Head of Vulnerability Research

Researchers here at Rezilion wanted to assess the current potential attack surface of the Log4Shell vulnerability, four months after its disclosure, now that the dust has settled. We hoped that, given the massive amount of media coverage Log4Shell has received, the majority of applications had been patched, and we assumed that finding services that are still vulnerable would be challenging. We were wrong.

How Software Workflow Integration Drives Product Security

Shift-left approaches to software development can enhance software security without creating more work for developers, and these initiatives are made possible in large part by workflow integration. Workflow is a big part of software development: when it is automated, it is what enables teams to complete tasks more quickly and with greater efficiency and accuracy.

Better Security in CD Begins With Security in CI

Nissan North America learned a painful lesson when the source code for its mobile apps and internally developed tools leaked online after the company misconfigured one of its Git servers. The Git server was left exposed to the internet because it used its default username and password of admin/admin, one of its engineers said.

How To Shift Left In Security Without Adding Work for Developers

The term "shift left" comes from software development and refers to taking a task that is typically done at a later stage of the process and performing it earlier. This is increasingly done with the testing of software code. Shift left can also apply to security, meaning baking security into the software development lifecycle (SDLC) instead of bolting it on at the end.

Why Security is Essential in the CI/CD Pipeline

CI/CD is a method to regularly deliver applications to customers by introducing automation into the stages of software development. It’s where organizations integrate all of the processes that go into delivering software. The main concepts attributed to CI/CD are continuous integration, continuous delivery, and continuous deployment. But the CI/CD pipeline can also be a target of exploits and compromise.

How To Bring Security and Development Together In Harmony

If you’re looking at things from the development side, the motto when working to build software products would be “ship it”—get it out the door and into the hands of users as soon as possible. From the perspective of the security team, the maxim would be “secure it”—make sure the code is as free of vulnerabilities as possible and is ready for safe use before it ever reaches users.

Secure It. Ship It. 5 Critical Steps to Release Secure Products Faster

For the month of April, we are kicking off a series of posts here at Rezilion to celebrate our new partnership with GitLab. Our theme is: Secure it. Ship it. Why? Because the GitLab CI and Rezilion partnership is the answer to meet the needs and demands of modern developers and security teams who want to both innovate quickly and ensure the products they create are secure.

What's Next for Log4j: Tales from the Trenches

The recently discovered flaw in Apache’s popular open source logging library for Java, Log4j, could wreak havoc for years to come. Analysts are predicting it could take as long as five years to finish patching related security flaws because of the widespread adoption of the logging library and the complexity involved in maintaining third-party software libraries.