A software build platform consists of the IT infrastructure that developers use to write, compile, run, test, and package software applications. You can easily imagine, a compromised build platform can wreak havoc; not just to your own corporate IT infrastructure and your own company; but your customers and partners collaborating with you as well.
The SolarWinds attack, for example, showcases the grave consequences of a security lapse. Between March and June 2020, roughly 18,000 businesses downloaded what seemed to be a routine software update for their SolarWinds network management system. However, Russian hackers had inserted malicious code into this update, letting them silently infiltrate the networks of SolarWinds’ customers. Over 100 high-profile companies and U.S. government agencies were compromised, including Microsoft, Intel, and the Pentagon.
If your software build platform becomes compromised, bad actors can take this opportunity to launch many different attacks. They may introduce malware into your software or insert security vulnerabilities and backdoors that give access to the machines of the software’s users. Attacks on software build platforms are one common form of what is known as a supply chain attack, in which legitimate applications are infected with malicious code.
Five ways to keep your build platform secure
The good news is that organizations can proactively secure their build platforms against compromise. To avoid falling prey to a software build platform attack and secure your build platform, follow the five best practices below:
Require developers to use strong passwords and multi-factor authentication (MFA) for their work accounts. Implement strict access controls to ensure that users don’t have permissions they don’t need.
Keep up-to-date with the latest versions of antivirus and antimalware software. Deploy automated scanning tools that can hunt for vulnerabilities in your build environment.
Write a thorough software testing suite that includes security testing to uncover threats, flaws, and risks. Ensure the application operates as expected, and watch for signs of strange behavior.
Monitor and log developers’ build activities and investigate them for potential security issues. Logs should include who accessed the build server (and at what times), what resources were accessed, and what changes were made.
Use secure communication channels and protocols such as VPNs and SFTP. This will prevent attackers from tampering with files and data when in transit to or from the build server.
If customers are left vulnerable due to a compromised build platform, you may face legal and financial repercussions—not to mention long-term damages to your reputation. An ounce of prevention is better than a pound of cure here!
(Image courtesy: Sajad Nori/Unsplash)