Code security platform provider GitGuardian has announced the launch of a new open-source canary tokens project to help organizations detect compromised developer and DevOps environments. According to the firm, security teams can use GitGuardian Canary Tokens (ggcanary) to create and deploy canary tokens in the form of Amazon Web Services (AWS) secrets to trigger alerts as soon as they are tampered with by attackers. The release is reflective of a wider industry trend of emerging standards and initiatives designed to tackle risks surrounding the software supply chain and DevOps tools.
ggcanary features “highly sensitive” intrusion detection
In a press release, GitGuardian stated organizations’ continued adoption of the cloud and modern software development practices is leading to them unknowingly expanding their attack surfaces. Poorly secured internet-facing assets and corporate networks are triggering attackers to turn to components in the software supply chain like continuous integration and continuous deployment (CI/CD) pipelines as entry points, it added.
Research from GitGuardian indicated that, after gaining initial access, attackers often search for valid hard-coded credentials they can use for further lateral movement. The ggcanary project is designed to help businesses detect compromises quicker, GitGuardian said, built with the following features:
- Reliance on Terraform, using the popular infrastructure-as-code software tool by HashiCorp, to create and manage AWS canary tokens.
- Highly sensitive intrusion detection that uses AWS CloudTrail audit logs to track all types of actions performed on the canary tokens by attackers.
- Scalability of up to 5,000 active AWS canary tokens deployed on the internal perimeter of an organization, in source-code repositories, CI/CD tools, ticketing, and messaging systems such as Jira, Slack, or Microsoft teams.
- Its own alerting system, integrated with AWS Simple Email Service (SES), Slack and SendGrid. Users can also extend it to forward alerts to SOCs, SIEMs, or ITSMs.
Depending on adoptions rates, GitGuardian stated it will consider integrating ggcanary into its end-to-end automated detection and remediation platform in the future.
Industry taking action to tackle open-source software security threats
The release of the ggcanary project comes in the wake of other initiatives recently launched to help address and tackle security complexities within the open-source software and development landscape. In May 2022, the Open Source Security Foundation published The Open Source Software Security Mobilization Plan, outlining a 10-stream investment strategy with steps for both immediate improvements and strong foundations for a more secure future. Its three core security aims are:
- Securing OSS production by focusing on preventing security defects and vulnerabilities in code and open-source packages.
- Improving vulnerability discovery and remediation by enhancing the process for finding defects and fixing them.
- Shortening ecosystem patching response times by quickening the distribution and implementation of fixes.
In the same month, JFrog introduced Project Pyrsia, an open-source software community initiative that uses blockchain technology to secure software packages from vulnerabilities and malicious code.
Manjunath Bhat, VP analyst, DevOps and software engineering at Gartner, tells CSO that, given the widespread use of open source and the associated risks, it is promising to see the growth of security tools, standards, and practices to protect open-source software. “We find the threat landscape in open-source software distributed across multiple tiers including source code, packages, public container images, repositories, CI/CD pipelines, development, and delivery tools. Attackers are beginning to realize that the more ‘upstream’ the attack, the more damage they can inflict. Therefore, the risks have spread to include typosquatting, malicious code injection and tampering, hardcoded secrets, and certificate theft and modification. The idea is to protect the integrity of open-source software using open-source tools.”
Organizations taking open-source software security more seriously
Organizations are also taking software supply chain risks more seriously than ever before, especially as they begin to realize that open source underpins a lot of their foundational platforms and core services, Bhat says. “We increasingly see clients trying to govern the use of open-source software dependencies through the combined use of trusted component registries and software composition analysis tools,” he adds. “This approach provides organizations with a safe yet speedy way to consume open source.”
Forrester Senior Analyst Janet Worthington agrees. “Organizations are increasingly concerned about vulnerable components that could be downloaded and packaged with their applications and the consequences of using certain open-source licenses. The industry has also seen a dramatic increase in open-source supply chain attacks which not only impacts organizations but their customers as well. Is open source intrinsically a threat to organizations? No, but the risk to the business comes with the assumption that the quality and security of open-source software lies with the open source maintainers and outside of your organizations responsibility.”
Bhat’s advice for organizations to securely integrate open-source software includes a three-pronged approach: secure source code, DevOps pipelines, and a safe operating environment. “At a code level, ensure you are using secure open-source dependencies. This can be achieved through trusted component catalogs and software bills of materials that provide visibility and traceability as well as ensure that developers are using the latest patched versions,” he continues. “Our recommendation is to go all in on adopting DevSecOps practices too – using automation to integrate security at every phase of the development life cycle. Without automation, it’s impossible to build software that is secure by design, let alone secure-by-default.”
For Worthington, software composition analysis (SCA) tools that provide information on the health and security of open-source components and block vulnerable components from entering development processes are also key. “Finally, contribute monetarily to open-source projects that you depend on as well as the open-source community to lay the groundwork for future innovation.”