DevOps and Configuration Management (CM) practices can identify the risk posed by Log4j and other library-based attacks. Ransomware, malware and denial-of-service attacks are all possible through the Log4j attack. Check Point reports over 60 new variations of the attack in the first 24 hours and over 100 attack attempts every minute, so the problem is significant.

DevOps and Configuration Management (CM) can be used to identify dependencies

DevOps contains many processes to ensure the quality of the SDLC. Configuration Management can be considered the basis of DevOps. Configuration Management includes the four traditional practices of:

  • Configuration Identification
  • Status Accounting
  • Change Control
  • Configuration Audit

In DevOps there is a need to focus on the entire system. In DevOps, configuration management enables identification, selection and control of changes to all configuration items. In a system-wide view this includes the build, test, packaging and deployment of sub-systems and applications. This is particularly true where secure and reliable systems are concerned. Identification of system components makes security easier.

Now consider the Log4j attack. Managers worldwide turned to their CISOs to ask whether we could be infected. Do we use Log4j in our systems? If the software development lifecycle is supported through the DevOps processes defined in the IEEE 2675 DevOps Standard, configuration management will be implemented in a clear and structured manner. This means that configuration items in the system build can be identified and tracked. CISOs could use this information to respond more quickly when asked “Could we be infected?”. Identification of the vulnerable libraries would enable them to be patched quickly and further investigation to take place to remove any malware. Better yet, this standard requires security in every part of the development process. All software should be patched and up to date at all times. Implementation of secure processes may have identified the issue of nested dependencies using old libraries.
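To make the "do we use Log4j?" question concrete, the following added example (not from the original article) walks a Maven `dependency:tree` text output, rebuilds the dependency tree from its indentation, and reports every copy of `log4j-core` together with the chain of dependencies that pulled it in, including nested ones that never appear in the project's own build file. The sample tree, its coordinates and versions, and the minimum safe version threshold are all constructed assumptions for illustration; the real threshold comes from your vendor advisory.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample of `mvn dependency:tree` output (fictional coordinates and
# versions). Two log4j-core copies are placed at different nesting depths.
SAMPLE_TREE = r"""
[INFO] com.example:payments-service:jar:1.4.0
[INFO] +- com.example:reporting-lib:jar:3.2.0:compile
[INFO] |  +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- com.example:audit-client:jar:0.9.1:compile
[INFO] |  \- com.example:audit-common:jar:0.9.1:compile
[INFO] |     \- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
[INFO] \- com.fasterxml.jackson.core:jackson-databind:jar:2.12.5:compile
""".strip("\n")

# Assumed policy threshold for this example; take the real value from your advisory.
MIN_SAFE_VERSION = "2.17.1"

# A tree line is "[INFO] " + zero or more 3-char indent cells ("|  " or "   ")
# + an optional branch marker ("+- " or "\- ") + a Maven coordinate.
LINE_RE = re.compile(r"^\[INFO\] (?P<indent>(?:\|  |   )*)(?P<marker>[+\\]- )?(?P<coord>\S+)$")


@dataclass
class Node:
    group: str
    artifact: str
    version: str
    children: List["Node"] = field(default_factory=list)

    @property
    def name(self) -> str:
        return f"{self.group}:{self.artifact}"


def parse_coordinate(coord: str) -> Tuple[str, str, str]:
    """group:artifact:type[:classifier]:version[:scope] -> (group, artifact, version)."""
    parts = coord.split(":")
    if len(parts) < 4:
        raise ValueError(f"unexpected coordinate: {coord}")
    version = parts[4] if len(parts) == 6 else parts[3]  # six parts means a classifier is present
    return parts[0], parts[1], version


def parse_dependency_tree(text: str) -> Node:
    """Rebuild the tree from indentation; returns the root (the project itself)."""
    stack: List[Tuple[int, Node]] = []
    root = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-tree lines (download notices, BUILD SUCCESS, ...)
        depth = len(m.group("indent")) // 3 + (1 if m.group("marker") else 0)
        node = Node(*parse_coordinate(m.group("coord")))
        while stack and stack[-1][0] >= depth:   # climb back to this line's parent
            stack.pop()
        if stack:
            stack[-1][1].children.append(node)
        else:
            root = node                           # multi-module output: last root wins
        stack.append((depth, node))
    if root is None:
        raise ValueError("no dependency tree found in input")
    return root


def find_artifact(root: Node, group: str, artifact: str) -> List[Tuple[List[str], Node]]:
    """Depth-first walk returning (path from root, node) for every matching artifact."""
    hits: List[Tuple[List[str], Node]] = []

    def walk(node: Node, path: List[str]) -> None:
        path = path + [node.name]
        if node.group == group and node.artifact == artifact:
            hits.append((path, node))
        for child in node.children:
            walk(child, path)

    walk(root, [])
    return hits


def version_tuple(version: str) -> Tuple[int, ...]:
    """Leading dotted numerics only; qualifiers are dropped ('2.0-beta9' -> (2, 0))."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(p) for p in m.group(0).split(".")) if m else (0,)


def assess_log4j(tree_text: str, min_safe: str = MIN_SAFE_VERSION) -> List[Dict[str, object]]:
    """Where does log4j-core come from, and is each copy below the policy minimum?"""
    root = parse_dependency_tree(tree_text)
    findings = []
    for path, node in find_artifact(root, "org.apache.logging.log4j", "log4j-core"):
        findings.append({
            "path": path,
            "introduced_by": path[1] if len(path) > 1 else path[0],  # the direct dependency to fix
            "version": node.version,
            "below_minimum": version_tuple(node.version) < version_tuple(min_safe),
        })
    return findings


if __name__ == "__main__":
    for f in assess_log4j(SAMPLE_TREE):
        status = "BELOW POLICY" if f["below_minimum"] else "ok"
        print(f"{status:12} log4j-core {f['version']} via {' -> '.join(f['path'])}")
```

The `introduced_by` field is the configuration item a team actually controls: the old `log4j-core` under `reporting-lib` cannot be upgraded by editing the application's own build file, so the fix is to update or override that direct dependency and re-run the tree to confirm. Feeding every service's tree output through this check gives the inventory the article describes, so the answer to "could we be infected?" comes from recorded configuration items rather than from memory.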

Without going into any further depth, at this point it is clear to many that configuration management through DevOps can support fast identification of libraries such as Log4j.