Abhishek Anand

A case for source-code security posture management: Koala Spotlight

Updated: Mar 4


Koala Spotlight


State of affairs: Source-code security & its importance

The software supply chain starts with the codebase and the code repositories. Securing the codebase involves both source-code review through SAST tools and securing the source code management (SCM) systems themselves, such as GitHub, Bitbucket, etc.

While doing research for KoalaLab we identified two broad problems here:

  • Information and alert fatigue from SAST tools that do code scanning, secret scanning and dependency vulnerability alerting

  • Source-code management is completely overlooked, with many misconfigurations such as unmanaged deploy keys, missing CODEOWNERS files and underuse of branch & PR protection.


All of these are real problems that have led to serious incidents such as Microsoft’s code leakage and Sushiswap MISO’s 3MM USD crypto loss due to lack of branch protection.


Source-code repositories also act as the gateway to CI pipelines and house the workflow code that runs in them, so securing them is paramount for CI/CD security too. The OWASP Top 10 CI/CD Security Risks covers similar aspects: access controls to SCM, repository configuration, and securely using 3rd-party code & secrets in build environments.

OWASP top 10 CI/CD



Parallels to CSPM

SAST tools are now well integrated with source-code management platforms, and each repository accumulates hundreds of alerts from code, secret and vulnerability scanning. These tools also have comprehensive configuration settings at both the global and the repository level.


A common piece of feedback we hear from security/DevSecOps leaders is the lack of an “inverse view”: one that covers the whole asset inventory and its security posture, with the ability to filter, prioritise and remediate problems from that single-pane-of-glass view.


This is akin to the problems organisations faced when cloud became ubiquitous and the complexity of the products led to the creation of CSPM (cloud security posture management) tools.


At KoalaLab, we believe source code is now at a similar stage in terms of complexity & scale, and that it requires its own dedicated security posture management.



Solution: Koala Spotlight

After a long process of gathering feedback across many organisations, we at KoalaLab envisioned Spotlight, a source-code posture management tool that provides the “inverse view” for security and DevSecOps teams, covering:

  • Global access settings for SCM: alerts for insecure access points such as unidentified deploy keys, unused personal access tokens, stolen SSH keys & OIDC tokens, etc. (GitHub itself has 3 different types of access)

  • Asset inventory: a view of all repositories and their security posture

  • CI workflow analysis: threat management for injection attacks in CI pipelines.

  • Intelligence: filter across common security threat types and auto-remediate standard issues.


While we believe this is a great starting point for organisations to start understanding the risks around their source code, we felt that we also needed to provide a solution for the information fatigue arising from excessive SAST scanning alerts.


Example of Spotlight running on Koala’s own Github:


Koala Spotlight on GitHub


OSSF scorecard for private repositories

The Open Source Security Foundation (OpenSSF) has done great work building security scorecards for open-source repositories, and that was the inspiration for us to build a similar score for private repositories.


This helps security teams prioritise their efforts on the most insecure code repositories and filter out the noise.


The Spotlight security scorecard is built to give more weight to the critical security issues that can open up important attack vectors. Here is a rough summary of how the scoring is done:


| Security issue category  | Issue type          | Description                                                           | Risk     |
|--------------------------|---------------------|-----------------------------------------------------------------------|----------|
| Repository configuration | Branch Protection   | Does the repository have branch protection enabled?                   | High     |
| Repository configuration | PR Protection       | Is pull request restricted?                                           | Medium   |
| Build System Protection  | Codeowners          | Is the CODEOWNERS file empty or missing?                              | Low      |
| Build System Protection  | Dangerous workflow  | Does the repository have a dangerous coding pattern in GitHub Actions? | Critical |
| SAST alerts              | Pinned Dependencies | Does the repository declare pinned dependencies?                      | Medium   |
| SAST alerts              | Vulnerabilities     | Are there critical dependency vulnerabilities that are unresolved?    | High     |
| SAST alerts              | Secret Scanning     | Are secret scanning alerts unattended?                                | Medium   |
| SAST alerts              | Token Permissions   | Are GitHub tokens declared as read only?                              | High     |
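To make the scorecard concrete, here is an added example (not KoalaLab’s or Spotlight’s code) that scores a repository against the eight checks in the table above and implements the “Dangerous workflow” row as a small detector for the CI injection patterns mentioned earlier: untrusted GitHub event fields interpolated into a `run:` step, and a `pull_request_target` workflow that checks out the PR head. The numeric weights per risk tier, the repository-facts dictionary shape and the `UNTRUSTED` regex are assumptions; the workflow is expected as an already-parsed dict (e.g. from `yaml.safe_load`), and the sample workflow and repository facts are constructed for illustration.

```python
import re
# Assumed weights per risk tier; the page gives tiers only, not numbers.
RISK_WEIGHT = {"Critical": 10, "High": 6, "Medium": 3, "Low": 1}
# Heuristic (assumed) pattern: expressions that expand contributor-controlled text.
UNTRUSTED = re.compile(
    r"\$\{\{[^}]*github\.(?:head_ref|event\.[\w.]*\.(?:title|body|ref|label))")

def dangerous_workflow(wf):
    """True if a `run:` step interpolates untrusted input, or a pull_request_target
    workflow checks out the PR head (PR code then runs with base-repo secrets)."""
    on = wf.get("on", {})
    prt = "pull_request_target" in (on.keys() if isinstance(on, dict) else on)
    for job in wf.get("jobs", {}).values():
        for step in job.get("steps", []):
            if UNTRUSTED.search(step.get("run") or ""):
                return True
            ref = str(step.get("with", {}).get("ref", ""))
            if prt and "actions/checkout" in step.get("uses", "") \
                    and "github.event.pull_request.head" in ref:
                return True
    return False

# One entry per row of the table above: (issue, risk, passes(repo_facts)).
CHECKS = [
    ("Branch Protection", "High", lambda r: r["branch_protection"]),
    ("PR Protection", "Medium", lambda r: r["pr_restricted"]),
    ("Codeowners", "Low", lambda r: r["codeowners_present"]),
    ("Dangerous workflow", "Critical",
     lambda r: not any(dangerous_workflow(w) for w in r["workflows"])),
    ("Pinned Dependencies", "Medium", lambda r: r["pinned_dependencies"]),
    ("Vulnerabilities", "High", lambda r: r["unresolved_critical_vulns"] == 0),
    ("Secret Scanning", "Medium", lambda r: r["unattended_secret_alerts"] == 0),
    ("Token Permissions", "High", lambda r: r["tokens_read_only"]),
]

def score(repo):
    """Return (0-10 score, failed issue names); a failure costs its tier weight."""
    total = sum(RISK_WEIGHT[risk] for _, risk, _ in CHECKS)
    failed = [(issue, risk) for issue, risk, ok in CHECKS if not ok(repo)]
    lost = sum(RISK_WEIGHT[risk] for _, risk in failed)
    return round(10 * (total - lost) / total, 1), [i for i, _ in failed]

# Constructed sample: pull_request_target workflow echoing the PR title in `run:`.
SAMPLE_WORKFLOW = {"on": {"pull_request_target": {}}, "jobs": {"build": {"steps": [
    {"run": 'echo "PR: ${{ github.event.pull_request.title }}"'}]}}}
SAMPLE_REPO = {"branch_protection": True, "pr_restricted": True,
               "codeowners_present": False, "workflows": [SAMPLE_WORKFLOW],
               "pinned_dependencies": True, "unresolved_critical_vulns": 0,
               "unattended_secret_alerts": 2, "tokens_read_only": False}
```

Because the Critical-tier workflow finding alone removes more than a quarter of the available points, a single injectable step drags the sample repository down to 4.7 even though branch and PR protection are in place, which is the prioritisation behaviour the scorecard is meant to produce.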



Conclusion

Koala Spotlight can be really helpful for companies starting out on their CI/CD and/or software supply-chain security journey. This is part of our endeavour to bring paradigms and security rigour from production/cloud systems to supply chain security.


Spotlight is part of KoalaLab’s overall platform and is being continuously developed. We are happy to work with organisations that want to delve deeper into such issues and want a customised Spotlight for their use case. Please get in touch with us with any questions or design-partnership queries.


Addendum: Another view of Spotlight covering Spotlight scorecards.


Koala Spotlight in action
