Des vulnérabilités dans des applications tierces ont causé le vol de code de GitHub

github vulnerabilities

GitHub a signalé qu’un pirate exploitait apparemment une faille de sécurité ou
erreur humaine sur les applications tierces Travis et Heroku.

La faille de sécurité a exposé les jetons, permettant au pirate de voler les jetons et de les utiliser pour entrer dans des référentiels privés sur GitHub (y compris NPM)
il a donc réussi à télécharger ces référentiels – y compris tout le code et les informations qu’ils contiennent.

Cela signifie que : des vulnérabilités dans des applications tierces ont causé le vol de code de GitHub

Comment pouvez-vous empêcher un piratage similaire de votre dépôt git ?

Il existe plusieurs solutions différentes – et vous devez toutes les mettre en œuvre :

1) Réduire les autorisations

Si vous utilisez GitHub dans le cloud public (github.com) et donnez aux fournisseurs tiers un accès Oauth (le type de jetons volés) –
minimiser les autorisations que vous accordez à des tiers pour accéder à vos informations.

Vous devez également passer en revue les autorisations qu’ils demandent et vous assurer qu’elles ne sont pas trop larges et permissives.

Une erreur courante consiste à accorder des autorisations globales.

Il en va de même lors de l’octroi d’autorisations aux applications GitHub (qui génèrent également des jetons).

2) Ajouter des couches de protection

Vous devriez également envisager de passer à GitHub / GitLab Enterprise sur un serveur privé
(sur site / locataire unique / autogéré) derrière des couches de protection supplémentaires telles que pare-feu, SSO ou accès distant sécurisé,

ou utilisez uniquement des adresses IP autorisées (dans les éditions de cloud public), qui offrent des couches de protection supplémentaires contre les utilisateurs non autorisés du monde entier.

3) Protéger les secrets

Au-delà de cela – il est important que le fournisseur tiers stocke les jetons dans un outil de coffre-fort centralisé – ce qui aurait rendu très difficile pour les pirates d’obtenir les jetons (le rendant presque toujours inaccessible).

Si vous utilisez de tels tiers, vérifiez ou assurez-vous (dans le cadre de votre chaîne d’approvisionnement) qu’ils le stockent dans des outils Vault tels que Akeyless Vault (SaaS et une solution hybride) ou HashiCorp pour les réseaux fermés.

Il en va de même pour toute application qui accorde des autorisations d’accès à des tiers à l’aide de jetons.

ALM-Toolbox fournit des solutions ALM et DevSecOps et peut vous aider à protéger vos référentiels et vos environnements logiciels/cloud.

Contactez-nous : devsecops@almtoolbox.com   ou +33(0)1 84 17 53 28    

Pourquoi choisir l’architecture Microservices?

Dans la vidéo suivante, Armon Dadgar, CTO et fondateur de HashiCorp, explique pourquoi l’architecture des microservices est adaptée à de nombreuses applications lorsqu’elle est transférée vers le cloud, et souligne les nouveaux problèmes qui peuvent survenir lors du transfert d’applications vers des microservices pour les mauvaises raisons – notant que ces les problèmes ont été résolus .

En bref l’architecture  microservice permet un développement plus agile ainsi qu’une croissance rapide des applications, et avec une conception appropriée, il permettra aux développeurs de se concentrer sur le développement de leur code plutôt que sur leur infrastructure.

Dans le même temps – le passage aux microservices crée de nouveaux défis – liés à l’infrastructure; Pour la communication entre les composants; Pour la sécurité; Pour la surveillance, l’observabilité et le temps de fonctionnement.

Il est important de ne pas résoudre un seul problème (démanteler un monolithe) en créant un nouveau problème, il explique donc  les nouveaux défis dans cette  vidéo – et recommande de séparer la plate-forme (gérée par des personnes DevOps) de l’application elle-même, afin que les développeurs se concentrent uniquement sur développement, et ceux   du DevOps dans les défis de la plate-forme.

Il souligne également que certains des problèmes d’infrastructure peuvent être résolus à l’aide des outils Consul et Vault de HashiCorp.

Pour votre commodité, nous avons également ajouté le texte intégral sous la vidéo (afin que vous puissiez, par exemple, ouvrir cet article dans 2 fenêtres et écouter tout en tout lisant le texte. 

 Voir la video (10 minutes):

Nous sommes spécialisés dans le conseil dans la transition vers les microservices tant en termes d’architecture qu’en termes d’infrastructure et de DevOps, et sommes expérimentés dans le démantèlement de monolithes, dans la conception, le téléchargement de solutions de microservices vers le cloud et la conception intégrée Kubernetes et conteneurs.

ALMtoolbox est le  représentant officiel de GitLab, Hashicorp  en France et dans d’autres pays.

Contactez pour nous toute question, un devis ou même une license d’évaluation.

ALMtoolbox : 01 84 17 53 28, devops.fr@almtoolbox.com

Transcript:

Hello! Today I want to spend a little bit of time talking about why microservices?
I think you know we often talk about microservices. It’s definitely a hot buzzword today but I think it’s useful to go one level deeper in terms of why are we actually motivated to adopt a microservices architecture and what are the implications of adopting it right because I think oftentimes we might not be adopting it for the right reasons, or we’re not fully cognizant of all the implications that come with adopting a microservice architecture.

Microservices in High Level:

So maybe starting high level you know what are microservices? Why adopt them?

I think if you look at sort of the way we historically developed applications it had a bit more of a monolithic design pattern, so if we had a large application that had multiple sorts of subsystems, so it might be retail banking and you have you know your login; your balance view; you know transfers; you know bill pay let’s say, as an example, you might have had each of these were built by a different team, so each of this is a distinct application team, but ultimately they’re building pieces sort of a common app, so the challenges in this type of a setting each of the application teams had to coordinate tightly with one another:
team A couldn’t do a release without team B, C and D all being ready. so what you tend to see is a very tight sort of release train, where all the teams have to coordinate on when do you cut the release candidate; when do you do betas; how do you do integration testing you have sort of almost a waterfall development timeline that comes with this.

Monolithic design
Monolithic design

And the reason is you have this tight coupling of the organization design, you have these four different teams app teams they’re tightly coupled into the application design we’re shipping a single app but it spans multiple parts of the organization.

Scale

Now this is even relatively simpler when you only have 4 teams but for simplicity of drawing you can see how this explodes in complexity, you know as you expand and if you had to say 10 different application teams working on a common code base.
Part of the design of microservices insofar as their technology is it’s closely aligned to the organizational reality, so I think when microservices are best to use the best leverage is when you look at this organizational reality and say “what we really want to do is allow each of these application teams to work independently of one another”, so we still have these different teams but now what we’ve done is actually split them out into different unique services, so each of these is now what we might call a microservice . We took the giant monolith we decomposed it into its constituent parts but we did it in a way that’s ideally aligned to the organization itself, because the goal was what we wanted to eliminate was sort of the human cost of coordination – the cost of each of these app teams having to talk to one another constantly, having to figure out “okay can I cut a release because I have a bug in system A, but code base for B is not ready to go out”? etc.

When microservices are best used?

So this is when I think microservices are best used. When you have this larger organization you have many different teams that need to work together on a common code base, and you can decompose such that each of them now has their own schedule. So if A has has a bug they can deploy without needing to tightly coordinate with B, C and D. Now in reality there’s no free lunch, right? so you know the human cost of coordinating between these teams on a release that has to go somewhere. There still is a coordination cost – we’re just moving it around. This is okay we’re making trade-offs here so the trade-off now becomes the great if a wants to be able to deploy at any time because they’re fixing a bug or they’re adding new features. Well if they have dependencies – if B and C depend on A then they have to have an API contract. They can’t just change their API because they’re pushing out a bug fix because they’re going to break B and C.
So part of this now requires that you have a little bit more discipline a little bit more rigor in terms of how do you do things like API management. You have to
actually manage versioning; you have to have some sort of a deprecation schedule or work at least closely with your downstream to coordinate what might be a breaking change.
So in general when you’re in a mode of “I’m just fixing a bug – I’m not changing my API” that’s great. You don’t have to coordinate – you have total freedom. If I’m adding net new APIs that’s great – I don’t have to tightly coordinate.

New challenges

As you break things that’s when you still need to have some of that coordination or you need to have you know a well-known policy of how you do it: you add new features you have a deprecation period B and C can update independently and you know move to the newer API as an example.
Now at the same time you also inherit a set of operational challenges when you go to microservices.
Here by virtue of deploying this as a single monolithic application, if A needed to interact with D – this is an in memory function call. We don’t have to worry about networks. We don’t have to worry about authentication or authorization or all the challenges that come with now becoming a distributed system, so I think as you move into this world you inherit a bunch of challenges. Part of them around things like “how did these pieces discover and network to one another” so if A needs to communicate to D “how do we do that discovery?”

Networking challenges

So there’s a whole set of service networking challenges that we need to look at
so when you talk about service networking. The most basic initial challenge is how do you just do Discovery?
so A needs to find D somehow to be able to route to it – this is piece one.
I think especially as we move to a more sort of secure posture we don’t want any app to be able to call any app you have to start to think about things like “how do I authenticate and authorize these different interactions”
so A might be allowed to talk to D but C should not be allowed to. so I need to have some way to authenticate to note is my caller A as my caller B as my caller C that’s the off end challenge.

Security challenges

Then I have an authorization challenge where I define and say “which of these sort of communications are allowed or disallowed?”.
Then as you get more sophisticated you have things like a traffic management challenge right so we talk about traffic management you might get into scenarios where you’re saying “great I’m actually running obviously multiple copies of service A. Maybe I want to send 90% of my traffic to version 1 and 10% to version 2 so I can do a canary or a blue green test before going 100 rolled out to version 2.
As you get more sophisticated, these become your sort of networking challenges that you didn’t necessarily have or at least not to the same degree when you had kind of a monolithic challenge. I think at the same time closely related to some of these pieces for example (authentication and authorization)
is things like secret management credential management if the way I’m authenticating A talking to D is I’m using a signed JWT token or I’m using a certificate that’s signed to prove my identity, well then I have a challenge of how do these applications get those certificates get those JWTs sign and verify transactions
So that’s where you typically have sort of a secret management problem as well, and so this might be something where you’re using a solution like Vault.

This might be something we’re using a solution like Consul that’s providing the networking and then like I said Vault might be providing this, but I think part of the way to think about it again coming back to this organizational challenge is the reason and the motivator to go to this kind of microservice architecture is ultimately i want to make these application teams more agile. So what I don’t want to do is burden them with all of this complexity of service networking and secret management and application deployment etc
because in some sense that’s going to take away from the original goal which is to let them focus on the application
and allow them to be more agile so I think often when you’re moving to a microservices design what’s helpful to think about is what’s the platform experience right and so what we really want ideally is that our developers are really focused on you know their source code; their application and then you know to the lightest degree possible
some additional metadata you know this might live in a manifest of sorts, right?
That describes you know what their application needs what regions it should run in upstream dependencies; configuration … things like that, and then these should really be the inputs to sort of a platform layer.

The Platform Layer

The platform layer is ultimately what should shield them from the reality of how this thing operates.
Everything below this line really becomes an operational concern.

microservices-platform-layer
Everything below the Platform line should become an operational concern

So this is where you really see teams that are successful with this you have sort of a strong notion of a platform team a central operations team that they own everything up to this line, and the developers can really focus on what matters to them — the actual app ; the lifecycle and operation of that and to the degree possible we can mask these things right The platform teams obviously then have to deal with a bunch of these pieces of you know how do we standardize things on you know infrastructure management;  provisioning how do we think about security and you know things like secret management how do we do networking you know what how’s our application runtime actually look like you know what’s our container runtime platform as an example;
you know how do we do builds; how do we do observability.

microservices-platform-layer-devops
The platform is managed by Ops

There’s a lot underneath this line, but I think if you’re going to be successful you want the platform to largely standardize these details, put that below the line making an operational problem or a platform problem and then let the developers operate at this higher level.
I think ultimately again it’s coming back to understanding what’s the organizational problem we’re trying to solve. it’s that as we scale this cost of sort of communication and coordination becomes increasingly expensive that slows down our development velocity — — versus if we can move and have tens hundreds of these teams operating in parallel and not having to tightly coordinate but instead have a set of norms around

things like API management and then allow them to operate on top of a platform that gives them that agility, then these teams can go much much faster. You could be making changes on a daily basis rather than on a quarterly basis

Epilog

Hopefully, this gave a little bit of a useful overview in terms of what microservices are and why.
What’s the organizational impact of adopting them as well as what are some of the implications as we go down this model.