Attackers are increasingly targeting vulnerable developer laptops to infiltrate production systems without directly attacking them, warned cloud security expert Lee Atchison. CircleCI reported a January 2023 incident where an attacker compromised an engineer’s laptop to steal credentialed access to their organization’s production systems. "Developer laptops, in particular, are really good attack surfaces." - Ryan Mack, Vice President of Infrastructure Engineering at Uptycs Atchison said that growing cloud environment complexity contributes to the challenges facing DevSecOps. “The more complex the system is, the more likely it is that there's a thin spot in it, and it's the thin spots that generate vulnerabilities,” he said. “And the more complex it is, the less likely people are willing to be compliant with following whatever the requirements are, right? So if it's hard to set up a secure environment, people are less likely to want to set up a secure environment. So simplicity leads to security; complexity leads to vulnerabilities, and vulnerability leads to attacks.” Vulnerable DevOps laptops are “not a developer issue,” Atchison said. “This is not a management issue. This is not an operations issue. This is an everybody issue. And the weak link becomes whoever in that chain doesn't pay attention.”
Instead of waiting for an application to become fully functional, hackers target the development process used to bring an application to a state of operation, Atchison said, speaking at a recent Uptycs-sponsored Cybersecurity Standup, “Castles in the Sky – Secure Your App Dev Pipeline From Laptop to Cloud.”
“We focus so much attention on keeping data and cloud data centers secure. But we haven't realized that all of this technology feeds into the data centers and that one of the primary drivers of that is developers, the source code they develop, and the machines that they develop the source code on,” Atchison said. “Those DevOps machines feed into the production systems but have nowhere near the level of protection behind them that the production data centers do.”
The COVID-19 pandemic exacerbated the challenge of securing cloud production environments. Developers have been encouraged, and some even required, to work remotely using homespun networks, coffee shop Wi-Fi, and suboptimal online settings to gain access to company resources—including the source code. In some smaller and less security-focused organizations, developers might rely on personal laptops to develop applications, bypassing the established corporate IT security measures.Attacks Targeting Developer Laptops
LastPass acknowledged a month later that a 2022 data breach compromised another DevOps engineer's home computer. The threat actor exploited a vulnerable third-party media software package that enabled remote code execution (RCE) and installed keylogger malware.
Because developers usually have source code for applications/services on their laptops, hackers have the opportunity to study and detect their weaknesses. Additionally, backdoor code changes can be inserted, making the change record seem like the developer made the change. This method makes it simple to sneak backdoors into a production system.
Ryan Mack, Uptycs' vice president of infrastructure engineering, said there are cultural issues that development teams must overcome to improve security. “If you're downloading every available package to improve your productivity, you are definitely poking holes,” he said. “If there's a security program on a developer's machine, they're smart enough to turn it off if it's slowing down their compilation. And so I think you're seeing these compounding psychological effects. Developer laptops, in particular, are really good attack surfaces.”
Shift Up Your Security
Your developers’ laptops are just a hop away from your cloud infrastructure. Attackers don’t think in silos, so why would you have siloed solutions protecting the public cloud, private cloud, containers, laptops, and servers?