top of page
Writer's pictureAbhishek Anand

A case for source-code security posture management: Koala Spotlight

Updated: Mar 4


Koala Spotlight


State of affairs: Source-code security & its importance

Software supply chain starts with the codebase and the code repositories. Security of the codebase involves source-code review through SAST tools and security of the source code management systems like Github, Bitbucket etc.

While doing research for KoalaLab we realised two broad problems here:

  • Information and alerts fatigue due to SAST tools which do code-scanning, secret-scanning and dependency vulnerability alerts

  • Source-code management is completely overlooked with many misconfigurations like unmanaged deploy keys, missing codeowners files and underuse of branch & PR protection.


All these are real problems that have led to serious problems like Microsoft’s code leakage & Sushiswap MISO’s 3MM USD crypto loss due to lack of branch protection.


The source-code repositories also act as the gateway to CI pipelines while also housing the workflow code which runs in CI pipelines, so the securing them becomes paramount for CI/CD security too. OWASP top 10 CI/CD covers similar aspects around access controls to SCM, configurations of repositories & securely using 3rd party-code & secrets in build environments.

OWASP top 10 CI/CD



Parallels to CSPM

The SAST tools are now well-integrated with the Source-code management platforms and each repository has 100s of alerts for code, secret and vulnerability scanning. These tools also have comprehensive configuration settings at both global and repository level.


An often common feedback we encounter from security/devsecops leaders is the lack of an “inverse view” for them which covers all the asset inventory and their security posture with the ability to filter, prioritise and remediate problems from that glass-pane view.


This is akin to the problems that organisations faced when cloud became ubiquitous and the complexity of the products led to creation of CSPM(cloud security posture management tools).


At KoalaLab, we believe that source-codes are now at a similar stage in terms of complexity & scale that they require their own custom security posture management.



Solution: Koala Spotlight

After a long process of feedback across many organisations, we at KoalaLab, were able to envision Spotlight, a source-code posture management tool which provides the “inverse-view” for security and devsecops teams covering:

  • Global Access Settings for SCM: Alerts for insecure access points like Unidentified deploy keys, unused personal access tokens, stolen SSH keys & OIDC tokens etc {Github itself has 3 different types of access}

  • Asset Inventory: View of all repositories and the security posture

  • CI workflow analysis: Threat management arising from injection attacks in CI pipelines.

  • Intelligence: Filter across common security threat types and auto-remediate standard issues.


While we believe this is a great starting point for organisations to start understanding the risks around their source-code, we felt that that we needed to provide a solution for the information fatigue arising from excessive SAST scanning alerts.


Example of Spotlight running on Koala’s own Github:


Koala Spotlight on GitHub


OSSF scorecard for private repositories

Open-source security foundation has done some great work by building security scorecards for open-source repositories and that was the inspiration for us to build a similar score for private repositories.


This would help security teams prioritise their efforts across the most insecure code-repositories and filter out the noise.


The Spotlight security scorecard is built to weigh critical security issues more highly which can open up important attack vectors. Here is a rough summary of how the scoring’s been done:


Security Issue Category

Issue type

Description

Risk

Repository configuration

Branch Protection

Does the repository have branch protection enabled?

High

Repository configuration

PR Protection

Is pull request restricted?

Medium

Build System Protection

Codeowners

Is codeowners file empty or missing?

Low

Build System Protection

Dangerous workflow

Does the repository have a dangerous coding pattern in Github actions?

Critical

SAST alerts

Pinned Dependencies

Does the repository declare pinned dependencies?

Medium

SAST alerts

Vulnerabilities

Are there critical dependency vulnerabilities that are unresolved?

High

SAST alerts

Secret Scanning

Are secret scanning alerts unattended?

Medium

SAST alerts

Token Permissions

Are Github tokens declared as read only?

High



Conclusion

Koala Spotlight can be really helpful for companies starting off on their CI/CD and/or software supply-chain journey. This is part of our endeavour to bring paradigms from production/cloud systems & security rigor to supply chain security.


Spotlight is part of KoalaLab’s overall platform & is being continuously developed. We are happy to work with organisations who would want to delve more deeper into such issues and would want customised Spotlight for their use-case. Please get in touch with us for any questions and design partnership queries.


Addendum: Another view of Spotlight covering Spotlight scorecards.


Koala Spotlight in action

108 views0 comments

Comments


bottom of page