
Prevent man-in-the-middle attacks on apps, CI/CD toolchains

Man-in-the-middle attacks pose a serious threat to both CI/CD tools and the apps those tools support. Learn how these attacks typically occur -- and how to stop them -- to do DevOps securely.

Distributed apps and CI/CD toolchains result in an IT environment that is open to endless network crossings. Every connection is a chance for a man-in-the-middle attack.

To prevent man-in-the-middle attacks, businesses should know about potential attack vectors, create a mitigation strategy and educate employees. These defenses must become part of an IT organization's overall cybersecurity strategy, and security is a team effort for DevOps adopters in cross-functional teams. DevOps shops should focus on two potentially vulnerable areas: the CI/CD tools that teams use to produce new code quickly and with high levels of automation, and the many distributed applications for which DevOps teams are responsible.

What is a man-in-the-middle attack?

A man-in-the-middle (MitM) attack happens when an attacker modifies a connection to reroute a user away from their intended destination and onto a system the attacker controls. The attacker's system can mimic a legitimate site. For example, an attacker might send a developer to a site that looks like the login to their CI/CD tool. Once the attacker gains access to the organization's CI/CD toolchain, they can compromise sensitive information and sabotage applications before they go live to users.

An MitM attack can occur through several vectors:

  • An attacker inserts malware into a developer's or user's PC or mobile device via phishing or another technique.
  • An attacker injects false information into the domain name system (DNS) resolver to trick a user into connecting to a server that the attacker controls. DNS spoofing can come from inside or outside an organization's network.
  • An attacker performs IP spoofing on an organization's local area network. They inject transmission control protocol (TCP) packets that contain well-predicted sequence numbers to intercept an ongoing TCP/IP connection with the gateway.
  • An attacker registers a domain name that looks like the organization's distributed app or a CI/CD tool's URL. This web-browser bar spoofing enables the attacker to deliver the URL through phishing.
  • An attacker gains full server control via SQL injections to the web server.
  • An attacker accesses the organization's router, due to outdated firmware or insufficient default security.
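
The lookalike-domain vector in the list above is one a defender can check for directly in proxy or DNS logs. The following is an added example, not code from the original article: it flags observed hostnames that imitate a known CI/CD hostname through character substitution or small edits. The hostnames in KNOWN_HOSTS and the CONFUSABLES map are assumptions made for illustration.

```python
import unicodedata

# Hypothetical hostnames of the organization's CI/CD tools (assumed values).
KNOWN_HOSTS = ("ci.example.com", "git.example.com")

# Constructed, non-exhaustive map of characters often substituted for look-alikes.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic letters resembling a, e, o
    "\u0440": "p", "\u0441": "c", "\u0456": "i",  # Cyrillic letters resembling p, c, i
})


def skeleton(host):
    """Reduce a hostname to a form in which look-alike spellings collide."""
    text = unicodedata.normalize("NFKC", host).lower().rstrip(".")
    text = text.translate(CONFUSABLES)
    # Two-letter sequences that render like a single letter in many fonts.
    return text.replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host, max_edits=2):
    """Return 'legitimate', 'lookalike' or 'unrelated' for an observed hostname."""
    candidate = host.lower().rstrip(".")
    if candidate in KNOWN_HOSTS:
        return "legitimate"
    skel = skeleton(candidate)
    for known in KNOWN_HOSTS:
        # Distance 0 means the names differ only by confusable characters.
        if edit_distance(skel, skeleton(known)) <= max_edits:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for seen in ("ci.example.com", "ci.exarnple.com", "git-example.com", "docs.python.org"):
        print(seen, "->", classify(seen))
```

Legitimate sibling hostnames that sit within two edits of a known host need to be added to KNOWN_HOSTS, otherwise they are reported as lookalikes.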

Protect distributed apps

To prevent man-in-the-middle attacks on distributed apps, build a concrete application security strategy and renew focus on IT infrastructure. Everything from authentication approaches to physical access barriers can help keep attackers out.

Implement public key pair-based authentication, using platforms such as RSA or Verisign, in various layers of the application stack. A public key pair ensures users or customers communicate with the organization's legitimate application and not the attacker's facsimile.

Use only HTTPS for web applications to support HTTP communications via public-private key exchange. HTTPS denies an attacker access to data, so configure web applications to use only HTTPS.

Enable strong wired equivalent privacy and wireless application protocol encryption on all access points. This security component is out of the organization's control if its apps serve external customers; however, in the case of its own enterprise access points, strong encryption prevents users from joining the network while in the building's lobby or parking lot. The stronger access point encryption is, the safer the enterprise and its users are.

To defend against DNS spoofing, clear the DNS cache of local servers and machines. Microsoft Windows shops should evaluate Domain Name System Security Extensions, which aim to identify and remediate DNS security risks.

For internal business applications, insist that users connect to a VPN to create a secure environment when they work remotely, or access third-party cloud applications outside your organization's network devices. Even if attackers gain access to the network, they won't be able to decipher VPN traffic. Make a corporate-supported VPN part of the standard build for enterprise laptops and mobile devices.

Automated threat modeling tools, such as Security Compass and ThreatModeler, are helpful to prevent man-in-the-middle attacks -- but don't depend on them exclusively. Threat modeling demands a human understanding of network and cloud architecture. Invest in specialized security training, including cloud security, for all IT staff.

Use penetration testing as a final pass/fail check at the end of the development process for any business-critical application before IT ops deploys it to production.

Communicate and train well

The risk of man-in-the-middle attacks increases when organizations convert from running apps only in the local data center to a cloud-centric IT landscape. An ongoing communication campaign around distributed application and CI/CD security is critical. Invest the time, staff and money to develop realistic IT security training scenarios and create a dedicated developer track within this education program.

Communicate the importance of proper security practices in a way that resonates with business users, as well. IT must develop relationships between the business users and security teams. Generic and obligatory security training -- and infrequent communication -- won't build up a good relationship or trust.

Ensure CI/CD security

Bake security into all facets of DevOps culture and technology to prevent man-in-the-middle attacks on a CI/CD toolchain.

Rein in any real, or suspected, shadow DevOps tools that might be part of teams' CI/CD processes. While free and open source DevOps tools abound, a product picked up off a website by a developer in a rush to get code out hasn't been vetted by security specialists or deployed in a hardened manner.

To make DevOps work, automate as many application security tasks as is realistic, but maintain security professionals' involvement at the beginning and end of the development process. Audit application and CI/CD security tools and processes ruthlessly -- and on a recurring basis. This includes penetration testing your organization's toolchain, not just the apps currently in development. Use a cloud management platform to gain visibility into, and control over, the operation and security of any cloud-hosted tools in the pipeline.
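
One audit that can be automated, tying the HTTPS-only advice earlier in this tip to the toolchain audit above: scan pipeline definitions for plaintext URLs and for switches that turn off certificate verification, since HTTPS without verification no longer authenticates the server. This is an added example, not code from the original article; the rule list is a starting set, and the sample pipeline and its hostnames are constructed.

```python
import re

# Settings that remove encryption or server authentication from a pipeline step.
RULES = [
    ("plaintext-url", re.compile(r"\bhttp://(?!localhost\b|127\.0\.0\.1\b)\S+")),
    ("tls-verify-off", re.compile(r"\bcurl\b.*\s(-[A-Za-z]*k[A-Za-z]*|--insecure)(\s|$)")),
    ("tls-verify-off", re.compile(r"\bwget\b.*--no-check-certificate\b")),
    ("tls-verify-off", re.compile(r"\bhttp\.sslVerify[=\s]+false\b", re.I)),
    ("tls-verify-off", re.compile(r"\bGIT_SSL_NO_VERIFY\s*[=:]")),
    ("tls-verify-off", re.compile(r"\bNODE_TLS_REJECT_UNAUTHORIZED\W{1,4}0\b")),
    ("tls-verify-off", re.compile(r"\bverify\s*=\s*False\b")),
    ("tls-verify-off", re.compile(r"\bstrict-ssl[=\s]+false\b", re.I)),
]

# Constructed pipeline definition; job names and hostnames are made up.
SAMPLE_PIPELINE = """\
build:
  script:
    - curl -sSLk https://artifacts.example.com/tool.tgz -o tool.tgz
    - git -c http.sslVerify=false clone https://git.example.com/app.git
    - pip install --index-url http://pypi.example.com/simple app-deps
    - curl -fsSL https://artifacts.example.com/sbom.json -o sbom.json
  variables:
    NODE_TLS_REJECT_UNAUTHORIZED: "0"
"""


def scan(text):
    """Return sorted (line_number, finding) pairs for risky transport settings."""
    findings = set()
    for number, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip comment-only lines
        for label, pattern in RULES:
            if pattern.search(line):
                findings.add((number, label))
    return sorted(findings)


if __name__ == "__main__":
    for number, label in scan(SAMPLE_PIPELINE):
        print(f"line {number}: {label}")
```

Run as a pipeline step that fails when scan() returns any finding, this keeps a single insecure shortcut from reaching the shared toolchain.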

Review your threat modeling approach to ensure it covers all applications and platforms that compose the CI/CD toolchain. IT operations must do this work upfront, and routinely run penetration tests against DevOps tools to keep them safe.
