Security for software developers is an important yet often overlooked part of the software build process. Your build pipeline is a foundational part of your system security and warrants much more attention than is usually given. The compromise of your software build pipeline can have a wide-reaching impact. An article by Jamie H, Senior Security Researcher at the National Cyber Security Centre (NCSC), highlights the need to protect your software builds from attack. I’d like to touch on three key areas from the article that are extremely important when considering how to defend your software build process.
Most people would agree that “robust authentication with strong password management and multi-factor authentication,” as the NCSC article states, is a MUST. At BlastWave, we would also go a step further and eliminate passwords. It’s time to step into the future using passwordless methods that simplify the sign-in experience and reduce the risk of attacks. BlastShield™ from BlastWave provides free passwordless MFA as standard on all of our BlastShield solutions. This eliminates the threat of account takeovers (ATO) for remote users accessing the network.
The NCSC article also stated that authorization should be done by "using the principle of least privilege." Again, we agree with this, but would also take it a step further and say that Zero Trust principles should be applied. Traditional security models assume that everything inside a network should be implicitly trusted. In contrast, zero trust means threat actors and malicious insiders are no longer free to move laterally and access or exfiltrate sensitive data. BlastShield™ is a Zero Trust solution with added "invisibility" to protect assets from being fingerprinted through unauthorized reconnaissance.
The NCSC recommends that developers should “protect builds from each other.” At BlastWave, we call this micro-segmentation, a function of BlastShield™ that allows our customers to virtually air-gap groups of users and assets from each other using simple policy management that runs as an overlay on top of your existing network infrastructure. This eliminates the dwell time and pivoting capabilities of adversaries within your network by creating containers of hosts and users authorized to communicate.
We also have some unique features that allow us to integrate with container management services such as Kubernetes, where the developer can spin up a container and add two lines of code that automatically configure the container's security profile and place it within the correct groups and policies on the BlastShield™ orchestrator.
To find out how to get your free download of the BlastShield™ Starter Pack, visit us at www.blastwave.io