Out of a period of severe, real-world disruption came disruption’s polar opposite: cooperation. For a long time, cybersecurity seemed to be an area that needed to be shrouded in mystery. Don’t let others know your weaknesses, and don’t erode trust in your services by revealing breaches. But this tendency only served to make efforts to increase security and thwart attackers muddier and more vulnerable.
When COVID-19 showed the world true and thorough disruption, everyone was shaken out of their comfort zone and, as the recent White House Executive Order made clear, the only path forward was consistent and transparent communication and teamwork within the cybersecurity community.
Effective cybersecurity collaboration — to build resilience and protect the people and organizations that rely on us — is possible. And taking a page from the open source community, which has been doing this for years, is a great place to start.
Open Source Collaboration: Offshoot of a New Normal?
Open source has transformed software development by bringing diverse minds, experiences and approaches together to tackle a wide range of challenges — and make solutions universally accessible. It’s grounded in the notion that no one can whistle a symphony; it takes a whole orchestra to play it. Disruptive open source innovations like Docker, Kubernetes, Ansible and Jenkins prove this is so.
According to a 2021 Red Hat study, 90% of IT leaders use enterprise open source today, citing IT infrastructure modernization (64%), application development (54%) and digital transformation (53%) as top use cases. And for these leaders, a team mentality matters, with 83% indicating they’re more likely to select a software vendor that contributes to open source projects.
Our CyberArk team has long been active in — and inspired by — the open source community. In 2019, we introduced CyberArk Commons, an open forum for developers, engineers and security professionals. We spoke with CyberArk DevOps security engineer Joe Garcia — one of the forum’s founding members — about how CyberArk Commons has evolved in the “new normal” and how this community-centric approach has shaped his own development philosophy.
“The need to share information more openly and more rapidly has increased at the rate of attacker innovation,” says Garcia. “Everything is so much faster. It doesn’t take eight hours to compile an application anymore. Attackers are watching secrets come through in real time and trying them out, so you don’t have 15 minutes to rotate that password after you onboard it. It better be done before it even hits the wire because they’re going to find it.”
CyberArk Commons became a place where developers across the industry — predominantly working remotely and independently as a result of the pandemic — could gather to talk shop, seek advice, float ideas and build secure applications even faster, and collaboratively cut through disruption.
Structured like a traditional online forum, the Commons offers sections for general conversation, news and announcements and inquiries about specific DevSecOps tools like Conjur Secrets Manager Open Source, Conjur Secrets Manager Enterprise and Summon. Members can also dig into cutting-edge cybersecurity research and explore the many community contributions on the CyberArk Marketplace.
As Garcia explains it, CyberArk Commons is “… geared toward developers who recognize that securing their secrets is the first line of defense against DevOps pipeline attacks.” Because of COVID-19, many are working outside the protected ‘walls’ of their organizations’ networked environments for the first time — and they’re being targeted through spear-phishing, impersonation and other methods with increasing frequency.
Culture is a huge part of software engineering, and the abrupt shift to remote work has deprived developers of the ability to quickly brainstorm or bounce ideas. “Instead, they’re going to all these other websites and posting their source code up,” Garcia explains. “The last thing we want are hard-coded secrets leaking out in that code.”
DevOps Security Community Service
Garcia stumbled into the DevOps security field in unusual fashion. One of the largest financial organizations in his home state of Florida was hiring, and he decided to apply.
“The first question they asked me was ‘Have you ever used PowerShell?’” he recalls with a laugh (the answer was no). The second was, “What’s your weakest skill?” — to which he replied, “Numbers.” So naturally, he got the job and was tasked with using PowerShell to automate Identity and Access Management (IAM) processes and data analysis across the organization’s information security department.
In his words, he quickly “learned how I learn” — by drinking directly from the proverbial fire hose. And he’s never stopped learning. Now a prolific open source contributor with an A+ GitHub ranking and a dedicated technical following on YouTube, Garcia is quick to recount the many times the community has helped him overcome a challenge or enhance an existing project.
“Everything that I do comes from the community, one way or another,” Garcia says. He uses the example of cyber-cli, a “Swiss army knife” command-line interface (CLI) that marries APIs across the CyberArk Identity Security Platform to simplify human and non-human interaction. “We received feature and issues feedback from both CyberArk employees and community members — I’ve even gotten pull requests from the community on this. The contributions for these community-driven projects have been fantastic.”
When it comes down to it, a nimble and communicative community only enhances cybersecurity efforts — and the approach of “we can all learn from one another” fortifies defenses against an ever-shifting and ever-accelerating threat landscape. Removing proprietary silos and gatekeeping between developers leaves security teams better equipped to move at the speed of attack.
“There’s a lot of scary stuff out there happening so rapidly because of all of the cloud-native stuff. Attackers don’t need to manage infrastructure. They’ve got cloud services doing it for them. So, we’ve got to be just as quick as them,” says Garcia. To disrupt the disruption, as it were.
Unveiling the “Secret” to Securing Secrets in Automation Environments
As sophisticated cyber attackers target application code and DevOps pipeline tools, the need to shift security left is widely understood. But what are the best ways to do this within an automation environment to speed processes and beef up security?
Find out in Garcia’s presentation “Red Hat + CyberArk: A Reference Architecture for Securing Ansible Automation & CI/CD Pipelines” at AnsibleFest 2021, taking place virtually September 29-30.
Organizations around the world use Ansible and CyberArk’s integrated solution to streamline the rotation and management of secrets and privileged credentials, and to automate the prevention and remediation of high-risk activities. In his session, Garcia and co-presenter Roland Wolters, principal technical marketing manager at Isovalent, will detail the Red Hat Ansible Automation Platform and CyberArk reference architecture, elaborate on best practices organizations use for layering security into their automation platforms and share proven tips for avoiding potential pitfalls along the way.