Chapter 1. An Introduction to the Identity Security Essentials for Software Development

When ride-share company Uber was hacked in 2022, nothing was stolen, but the company came close to a total system shutdown. Like many security breaches, this one preyed on both human and machine weaknesses to reach internal systems. An Uber employee, worn down by a flood of multi-factor authentication (MFA) push requests that the attacker triggered, approved one of them and thereby granted access to the corporate network, *.corp.uber.com.

Once inside, the attacker found PowerShell scripts with hardcoded administrative credentials for several sensitive services, including Amazon Web Services (AWS), Google Drive, Slack, SentinelOne, and the HackerOne admin console. Within hours, the attacker announced the breach in the company's own Slack workspace and posted screenshots publicly, on sites such as HackerOne.

Had the attacker been motivated by financial gain, the breadth of this breach could have had devastating consequences. Today, it serves as a textbook case of the power of social engineering and of what happens when several identity security controls fail at once.

If you were a developer assigned to the Uber incident response team, what would you change?

Trust No One

Identity security is how developers and teams secure all identities within their code, development environments, software supply chain, and organizations. Whether packaged up as a tool, a framework, or a set of best practices, identity security assumes that any organizational asset can be compromised through a malicious attack path centered on privileged identity. If you’ve entered a password or used multi-factor authentication, you’ve seen identity security in action.

“You don’t trust anyone, that’s your problem.”

– Peter Parker (aka Spider-Man)

“I trust my barber.”

– J. Jonah Jameson

What Peter criticizes in the "Spider-Man" movie, we say with conviction: identity security must be rooted in skepticism rather than blind trust. In cybersecurity circles this is known as "Zero Trust": practitioners assume that any application or system can be attacked at any time and design their defenses around the many ways in which malicious actors operate.

Attackers can manipulate a human being, as in the Uber breach, or exploit a non-human entity such as a build script, a remote device, or a third-party application. These entities use secrets (e.g., passwords, SSH keys, API keys, license keys) to access critical and sensitive data and systems, so your job is to find out where those secrets are used and how best to protect them against unauthorized access.

This challenge gets harder as we see more non-human identities replace human ones. Growth in automation and an increasingly complex software supply chain means more detective work for you to find out whether that script has hardcoded credentials or that third-party library is missing an authentication mechanism.
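The detective work just described starts with finding literal credentials in scripts and configuration. Here is an added example (not code from the book) of a small scanner in Python that looks for three common shapes of hardcoded secret in text: AWS access key IDs, PEM private-key headers, and a password, secret, API key or token assigned to a quoted literal. The rule set, the placeholder list and the sample PowerShell-style script it scans are all constructed for this example; a real scanner carries many more patterns plus entropy checks.

```python
"""Hypothetical hardcoded-secret scanner (added example, not from the book).
Looks for a few well-known credential shapes in text. The rules are
illustrative, not a complete ruleset."""
import re

# (rule name, compiled pattern); constructed for this example.
SECRET_RULES = [
    # AWS access key IDs: 20 chars, AKIA (long-lived) or ASIA (temporary) prefix.
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    # PEM private-key header for any key type.
    ("private_key", re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")),
    # password/secret/api_key/token assigned to a quoted literal of 4+ chars.
    ("assigned_secret", re.compile(
        r"(?i)\b(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{4,})['\"]")),
]

# Values that are obviously placeholders rather than real secrets.
PLACEHOLDERS = {"changeme", "password", "xxxx", "<redacted>", "example"}


def scan_text(text, source="<input>"):
    """Return findings as (source, line_number, rule_name, matched_value)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_RULES:
            for match in pattern.finditer(line):
                if name == "assigned_secret":
                    value = match.group(2)
                    # Skip placeholders and "${VAR}" interpolation: pulling the
                    # value from the environment is the right way, not a finding.
                    if value.lower() in PLACEHOLDERS or value.startswith("${"):
                        continue
                    findings.append((source, lineno, name, value))
                else:
                    findings.append((source, lineno, name, match.group(0)))
    return findings


def scan_file(path):
    """Scan one file on disk; odd bytes are tolerated via errors='replace'."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read(), source=path)


# Constructed sample modelled on the kind of script the Uber attacker found.
# The AWS key is the documentation example value, not a live credential.
SAMPLE_SCRIPT = """\
# deploy.ps1 (constructed sample, not a real script)
$env:AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
$password = "Mew!1234"
$token = "${SLACK_TOKEN}"
$secret = "changeme"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for src, lineno, rule, value in scan_text(SAMPLE_SCRIPT, "deploy.ps1"):
        print("%s:%d %s -> %s" % (src, lineno, rule, value))
```

Run against the sample it reports three findings (the AWS key on line 2, the literal password on line 3, the key header on line 6) and correctly ignores the `${SLACK_TOKEN}` interpolation and the `changeme` placeholder. Wire `scan_file` into a pre-commit hook or CI step and the hardcoded credential never reaches the network share in the first place.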

Table 1-1 provides examples of the two categories of identities.

Table 1-1. Examples of human and non-human identities

Human identities    | Non-human identities
--------------------|-----------------------------------------
End-user            | Cloud-native applications
IT administrator    | DevOps tools and CI/CD pipelines
Developer           | Automation scripts
Contractors         | Containers
Vendors             | IoT devices
QA tester           | Secure COTS
Customer prospect   | Secure n-tier / Static homegrown apps
Grand Moff Tarkin   | Imperial code cylinders (a)

(a) While fictional, these Star Wars props are a good example of secrets encoded onto a portable device used to access sensitive areas.

The basic job of any identity security implementation is to authenticate every identity accurately, authorize each identity with the proper permissions, and grant access accordingly. If you can identify the security issue in the following Java snippet (taken from the MITRE Common Weakness Enumeration database), then you have an idea of the kind of issue an identity security program aims to prevent.1

```java
int VerifyAdmin(String password) {
    if (!password.equals("Mew!")) {
        return(0);
    }
    //Diagnostic Mode
    return(1);
}
```
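Once you have spotted the problem (the footnote gives it away), here is what a hardened version of that check looks like, as an added example in Python rather than the book's Java, and not taken from CWE or the book. The verifier holds no password at all, only a salted PBKDF2 hash read from configuration (an environment variable named ADMIN_PASSWORD_HASH, a name assumed for this example), and compares the candidate in constant time. The iteration count follows the OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256; the record format is this example's own.

```python
"""Hardened counterpart to the CWE-259 snippet (added example, not from the
book). The password never appears in source: the verifier keeps only a salted
PBKDF2 hash loaded from configuration, and compares in constant time."""
import base64
import hashlib
import hmac
import os
import secrets

# OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Create a self-describing record: pbkdf2_sha256$<iterations>$<salt>$<hash>.
    Run this once, out of band, and store the result; never the password itself."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, record):
    """True only if `password` re-derives the stored hash. Fails closed on a
    malformed record and uses a constant-time comparison."""
    try:
        algo, iters, salt_b64, hash_b64 = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iters)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def verify_admin(password, env=os.environ):
    """Same contract as the snippet's VerifyAdmin: 1 on success, 0 otherwise.
    The hash record comes from ADMIN_PASSWORD_HASH (a variable name assumed for
    this example). If it is unset there is no admin password, so nothing passes."""
    record = env.get("ADMIN_PASSWORD_HASH")
    if not record:
        return 0
    return 1 if verify_password(password, record) else 0


if __name__ == "__main__":
    # Demonstration only: in production the record is produced out of band.
    demo_env = {"ADMIN_PASSWORD_HASH": hash_password("correct horse battery staple")}
    print(verify_admin("correct horse battery staple", demo_env))  # 1
    print(verify_admin("Mew!", demo_env))  # 0
```

An environment variable is the simplest place to keep the record for a demonstration; in a real deployment it belongs in a secrets manager or vault, injected at runtime, so that the source tree, the container image and the PowerShell scripts on the share contain nothing worth harvesting.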

Why Is Identity Security Important?

Identity security matters for two reasons. First, organizations have dramatically increased the quantities and types of identities to support cloud computing, DevOps automation, the Internet of Things (IoT), artificial intelligence (AI), and other advancements in digital services. More identities and more use cases mean you must secure and manage more credentials, secrets, and accounts than ever before.

Importantly, the number of non-human identities will only continue to grow. The CyberArk 2023 Identity Security Threat Landscape Report found that machine identities outnumber human ones by a factor of 45 to one. The potential volume of unprotected identities cannot be ignored.

Second, attackers are getting very good at exploiting gaps in identity security. According to the Trends in Securing Digital Identities report from the Identity Defined Security Alliance (IDSA), 90% of organizations experienced at least one identity-related breach in the past year, and 68% of those surveyed said the attacks directly impacted their business. These impacts include the costs of recovering from the breach and the negative impact that the breach had on the company’s reputation.

Identity Security Concepts

Attackers target identities because organizations tend to have a disconnected, inconsistent, and incomplete approach to identity security. Processes, tools, and training are run separately between teams and business units, leading to cases where one group may have robust practices and continuous improvement in place while another may not prioritize the time and knowledge required to implement them.

While reading this book, think about whether your team is applying the principles and techniques appropriately. If not, perhaps there’s something here to consider implementing.

Teams are most successful when they foster a holistic approach to securing all types of identities across all business units – including developer activities. Hackers are forcing security perimeters deeper inside organizations, so you not only have to secure external APIs, but you must also account for internal and remote users, build tools, microservices, employee devices, third-party cloud services, acquired software, and more.

As you learn the concepts, principles, technologies, and examples behind identity security, you’ll get a stronger picture of how they can be tailored to protect your organization.

Let’s briefly explain the essentials behind identity security to help you understand the purpose and relevance of each before going into more detail in subsequent chapters. Some of these may be familiar to those experienced with general cybersecurity principles.

Authentication

Authentication is the process of verifying that an identity, human or machine, is what it claims to be. Usernames and passwords are the most basic and familiar form, and you may have used stronger techniques, such as signed digital certificates, to protect applications against unauthorized access.

We'll help you make authentication more robust, for example with Multi-Factor Authentication (MFA), which requires two or more independent proofs of identity before granting access, and with standards that make authentication consistent across your organization, such as OpenID Connect (OIDC), which lets users authenticate once and be recognized across multiple services.

Authorization

Authorization is the process of deciding what a verified identity is allowed to do with specific resources. For example, your infrastructure lead may have root-level access to all build servers, while junior developers may have restricted access or none at all.

There are many aspects of authorization that we’ll help you understand, from the Principle of Least Privilege (PoLP) to specific types of access control (role-based versus attribute-based). We’ll also look at solutions to help you integrate authorization functions into development workflows.

Code Security Testing and Validation

Securing applications isn’t just about delivering features; it’s also about proactively testing, measuring, proving, and improving code resilience.

The code testing and validation techniques we’ll explain – like penetration testing and code reviews – help answer the question, “Is my code vulnerable to attack?” More often than not, the answer is “maybe” and that’s where the other practices described in this book help remediate any vulnerabilities.

Data Protection

The Uber breach of September 2022, in which multiple corporate systems were compromised, is a stark reminder of what inadequate data protection costs. While much of the discussion around the breach focused on its social engineering and MFA attack vectors, the core of the threat was the presence of hardcoded credentials in scripts on a misconfigured network share. Harvesting those credentials allowed the attacker to gain high-level access, escalate privileges, and cause chaos inside Uber's IT environment.

Whether at rest, in use, or in transit, it’s essential to keep data secure at all times to minimize exposure in case of a breach.

We’ll cover different types of data protection, including encryption and obfuscation, to help you guard against the improper use of sensitive data and render data useless to unauthorized users.

Monitoring and Logging

Continuous measurement, analysis, and learning are critical to any identity security program, and monitoring and logging techniques are key to supporting these activities. Monitoring applications and systems offers insights into performance and security-related events, facilitating the identification of anomalies that require further attention. Logging provides a historical record of system actions, which is invaluable for tracing the origin of security breaches, improving incident response, and ensuring compliance.

We will discuss different monitoring and logging methods and how they integrate into your software development processes. Chances are, you’re doing some of these methods already for debugging and testing activities, so we’ll focus on the aspects relevant to understanding the security behavior of your systems.
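As an added example (not from the book) of detection logic over authentication logs, the following Python flags the MFA push-bombing pattern from the Uber story: many push prompts to one user in a short window, especially when the burst ends in an approval. The log format, field names, thresholds and the sample lines are constructed for this example; adapt the parser to what your identity provider actually exports.

```python
"""Added example, not from the book: flag MFA push bombing in authentication
logs. Log format, field names and thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice gets six prompts in three minutes and finally
# approves; bob's two prompts are normal activity; the login line is ignored.
SAMPLE_LOG = """\
2022-09-15T22:01:03Z user=alice event=mfa_push result=denied src=203.0.113.7
2022-09-15T22:01:41Z user=alice event=mfa_push result=denied src=203.0.113.7
2022-09-15T22:02:10Z user=alice event=mfa_push result=timeout src=203.0.113.7
2022-09-15T22:02:55Z user=alice event=mfa_push result=denied src=203.0.113.7
2022-09-15T22:03:30Z user=alice event=mfa_push result=denied src=203.0.113.7
2022-09-15T22:04:12Z user=alice event=mfa_push result=approved src=203.0.113.7
2022-09-15T22:05:00Z user=bob event=mfa_push result=approved src=198.51.100.4
2022-09-15T22:09:00Z user=bob event=mfa_push result=denied src=198.51.100.4
2022-09-15T22:09:30Z user=alice event=login result=success src=203.0.113.7
"""


def parse_line(line):
    """'<iso-timestamp> k=v k=v ...' -> dict with a parsed 'ts' field."""
    ts, *pairs = line.split()
    record = dict(p.split("=", 1) for p in pairs)
    record["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return record


def detect_push_bombing(log_text, window_seconds=600, min_prompts=5):
    """Return one alert per user who received at least `min_prompts` MFA push
    prompts inside any window of `window_seconds`, noting whether the burst
    ended in an approval (the worst case: the user gave in)."""
    window = timedelta(seconds=window_seconds)
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("event") == "mfa_push":
            by_user[rec["user"]].append(rec)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda r: r["ts"])
        burst, start = None, 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            if end - start + 1 >= min_prompts:
                burst = events[start:end + 1]  # keep the latest qualifying window
        if burst:
            alerts.append({
                "user": user,
                "prompts": len(burst),
                "first": burst[0]["ts"],
                "last": burst[-1]["ts"],
                "sources": sorted({r["src"] for r in burst}),
                "ended_in_approval": burst[-1]["result"] == "approved",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOG):
        print(alert)
```

A burst that ends in an approval should page someone immediately, because the next log lines will be the attacker enumerating the network share; a burst that never gets approved is still worth a ticket, since it tells you which credentials have already been phished. The sliding window is deliberately simple so the logic can be read at a glance and ported to whatever query language your SIEM uses.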

Software Supply Chain Security

Anything that touches an application or plays a role in application development is considered part of the software supply chain. This includes deployment infrastructure, APIs, development tools, and third-party, proprietary, and open-source code.

The SolarWinds breach, in which attackers with privileged access to the vendor's build environment planted a backdoor in a signed product update that was delivered to over 18,000 public and private sector organizations, illustrates how far-reaching the impact of a weakness in any element of the software supply chain can be.

Software supply chain security is the practice of securing these components and activities throughout the procurement, creation, deployment, and maintenance of software. We’ll help you understand software supply chain protections like controlling access to DevOps tool consoles and securing developer workstations.

Zero Trust

The principle of Zero Trust roots a team’s security culture in skepticism (“never trust, always verify”) rather than blind confidence. By assuming that identities across your organization – whether human or machine – will be compromised, people, processes, and tools are forced to adapt in ways that help plug any security gap.

One of the Zero Trust strategies we’ll discuss later is the continuous authentication and authorization of all identities and the secure granting of just-in-time access to resources with the approved set of permissions. Approaches like these help you build stronger protections within application code and across the organization.

Other Best Practices

We’ll discuss other practices, explain their relevance to the software development lifecycle, and provide examples of how they’re integrated into development processes. These practices are:

  • Updates and patching to keep software and systems up to date in terms of feature updates, bug fixes, and security fixes.

  • Compliance with industry standards and regulations to provide a proven and structured approach to building secure applications and demonstrating adherence to external parties (customers, standards bodies, government regulators, etc.) that require compliance.

  • Training and awareness to educate developers and related stakeholders on the techniques discussed in this book.

“Secrets have a cost, they are not for free.”

– May Parker, “The Amazing Spider-Man”

We wrote this book because identity is rapidly becoming the foremost battleground between developers and hackers. By knowing the most effective route to a secure finish line, as laid out in the following chapters, we hope to improve your chances of winning the race.

1 It’s not the syntax error of the missing semicolon (we swear we copied the source site directly!), it’s the hardcoded “Mew!” in the password check. If exposed, hackers would have the correct password to exploit the system.
