According to Gartner’s Information Technology glossary, Shadow IT refers “to IT devices, software and services outside the ownership or control of IT organizations.” More generally, shadow IT is a visibility problem. The adoption of cloud and software-as-a-service applications made it easy for anyone to use applications without the knowledge of IT. These apps might include productivity software like Evernote, Dropbox, or Gmail; entertainment services like YouTube and Spotify; or hundreds of other applications. The problem isn’t necessarily the use of the apps themselves; the problem is that without knowing which apps are in use, IT and security teams have little ability to apply security controls and policies to them and ensure they are used safely. This creates risk for the business.
“Shadow Dev” and AppSec’s Visibility Gap
Parallel to the explosive growth of cloud applications and software-as-a-service solutions we experienced in the ‘10s, the development tooling and processes that fueled those applications also saw rapid innovation and growth. Development processes shifted from waterfall to agile and DevOps. Architectures evolved to include containers and microservices. And a whole new set of technology was adopted, including Git-based SCMs, CI/CD tools, infrastructure as code, and more.
Engineering teams typically pick the tools they need to develop their applications effectively and efficiently, based on the challenges they face and the experience and skill sets of their team members. Different teams use different tools. These tools are purchased, implemented, and run by engineering, usually without the involvement of security teams. Sound familiar? The tooling which supports the modern DevOps approach to development is a perfect analog to Shadow IT: it is in use “outside of the ownership or control of IT and security organizations,” thus creating the same visibility gap as Shadow IT.
George Santayana, the famous poet and philosopher, once aptly stated that “those who cannot remember the past are condemned to repeat it.” That is where we are with AppSec: failing to recognize the visibility problems of Shadow IT re-emerging under the guise of “Shadow Dev,” and thus condemning ourselves to relive them.
Restoring Visibility to the SDLC
Fortunately, like Shadow IT, this is a solvable problem. AppSec teams can overcome their DevOps tool and infrastructure blind spots by implementing tooling that enables them to:
- See and understand what’s happening in the various tools used by engineering throughout the SDLC
- Connect the dots between the phases of the SDLC
Modern software supply chain (SSC) security tools accomplish both of these items by integrating with all of the tools in use by your engineering teams and taking an accurate inventory of your DevOps environment. This inventory spans every tool in the SDLC and includes all of the repos that exist, the access privileges and usage patterns of users, behavioral baselines, and even the security settings of the tools themselves.
Armed with a comprehensive view of your software delivery pipeline, SSC security tools also connect the dots between the phases of the SDLC to track how entities in one phase relate to those in other phases. This matters because a cross-phase view of your SDLC lets these solutions identify things like code tampering, and understand how vulnerabilities, misconfigurations, user activity, and so on relate to each other and might combine into exploitable breach paths. The context afforded by complete visibility across the SDLC also makes such a platform the natural place to ingest and make sense of data from other AppSec tools, such as security scanners and software composition analysis tools. All of which helps restore visibility to security teams.
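To make the two ideas above concrete, here is an added toy example (written for this article; it is not Cycode’s product or code, and it models no vendor’s API). It builds a small inventory of an imaginary DevOps environment from constructed records, then walks each production deployment back through the CI run that produced its artifact to the commit and repository it came from. The record shapes, field names, user and repo names, commit IDs and digests are all assumptions invented for the example. The checks it performs go beyond what the text lists: it flags repos without branch protection and principals holding admin rights (inventory), and it flags deployed artifacts that no CI run produced, artifacts built from a commit the SCM has never seen, and artifacts built from an unprotected repo (cross-phase correlation).

```python
"""Toy SDLC inventory and cross-phase correlation.

Added example for this article, not vendor code. All records below are
constructed sample data; their shapes are assumptions, not any real API.
"""

# --- Constructed inventory (assumed shapes) ---------------------------------

# SCM phase: repo name -> settings and the set of commit IDs the SCM knows about.
REPOS = {
    "payments": {"default_branch": "main", "branch_protection": True,
                 "commits": {"a1", "b2", "c3"}},
    "website": {"default_branch": "main", "branch_protection": False,
                "commits": {"d4", "e5"}},
}

# Identity phase: (principal, repo, permission level) tuples.
PERMISSIONS = [
    ("alice", "payments", "admin"),
    ("bob", "payments", "write"),
    ("ci-bot", "website", "admin"),
    ("carol", "website", "write"),
]

# Build phase: each CI run records which commit it built and the artifact digest.
CI_RUNS = [
    {"id": "run-1", "repo": "payments", "commit": "c3", "artifact": "sha256:111"},
    {"id": "run-2", "repo": "website", "commit": "e5", "artifact": "sha256:222"},
    # A run claiming a commit the SCM has no record of (possible tampering).
    {"id": "run-3", "repo": "website", "commit": "zz9", "artifact": "sha256:333"},
]

# Deploy phase: what actually reached production, by artifact digest.
DEPLOYS = [
    {"env": "prod", "artifact": "sha256:111"},
    {"env": "prod", "artifact": "sha256:222"},
    {"env": "prod", "artifact": "sha256:333"},
    # A digest no CI run ever produced (artifact injected outside the pipeline).
    {"env": "prod", "artifact": "sha256:999"},
]


# --- Inventory checks (single-phase) ----------------------------------------

def find_unprotected_repos(repos):
    """Repos whose default branch has no branch protection enabled."""
    return sorted(name for name, r in repos.items() if not r["branch_protection"])


def find_admin_principals(perms):
    """(principal, repo) pairs holding admin rights; bots with admin stand out."""
    return sorted((user, repo) for user, repo, level in perms if level == "admin")


# --- Cross-phase correlation: deploy -> CI run -> commit -> repo --------------

def trace_deploys(repos, ci_runs, deploys):
    """Return (finding, artifact, ci_run_id) for every deploy that breaks the chain.

    Findings, in deploy order:
      unattested-artifact        no CI run produced this digest
      commit-not-in-scm          the CI run built a commit the SCM never saw
      built-from-unprotected-repo the chain is intact but the source repo is weak
    """
    runs_by_artifact = {run["artifact"]: run for run in ci_runs}
    findings = []
    for deploy in deploys:
        run = runs_by_artifact.get(deploy["artifact"])
        if run is None:
            findings.append(("unattested-artifact", deploy["artifact"], None))
            continue
        repo = repos.get(run["repo"])
        if repo is None or run["commit"] not in repo["commits"]:
            findings.append(("commit-not-in-scm", deploy["artifact"], run["id"]))
        elif not repo["branch_protection"]:
            findings.append(("built-from-unprotected-repo", deploy["artifact"], run["id"]))
    return findings


if __name__ == "__main__":
    print("unprotected repos:", find_unprotected_repos(REPOS))
    print("admin principals:", find_admin_principals(PERMISSIONS))
    for finding in trace_deploys(REPOS, CI_RUNS, DEPLOYS):
        print("deploy finding:", finding)
```

The point of the last function is the one the article makes: none of the three deploy findings is visible from any single tool. The CI system sees a successful run, the registry sees a valid digest, and the SCM sees a clean repo; only by joining the phases does the unattested artifact, the phantom commit, and the weak source repo show up as a single breach path.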
Cycode is a complete software supply chain security solution that provides visibility, security, and integrity across all phases of the SDLC. Cycode integrates with DevOps tools and infrastructure providers, hardens their security postures by implementing consistent governance, and reduces the risk of breaches with a series of scanning engines that look for issues like hardcoded secrets, infrastructure as code misconfigurations, code leaks and more. Cycode’s knowledge graph tracks code integrity, user activity, and events across the SDLC to prioritize risk, find anomalies, and prevent code tampering.