MFA and supply chain security: It's no magic bullet

With attackers increasingly targeting developer accounts and using them to poison software builds, manipulate code, and access secrets and data, development teams are under pressure to lock down their development environments.
Attackers are targeting the extensive access that a typical developer has to source code, code reviews, code commits, code modification, and other privileged tasks.
In response to the rise in attacks on the SDLC, GitHub, which constitutes a central component of the software supply chain for many organizations, has begun mandating 2FA for all of the 100 million users who contribute code on the platform.
In the months since then, the Microsoft-owned organization has been moving users over to MFA in large numbers.
Eventually, developers who choose to not use MFA will be locked out of their accounts.
Many other code repositories and organizations have begun requiring the same or have implemented MFA for a while.
Examples include Apple and Google, which require MFA for all accounts in a developer program.
Earlier this year, Valve, the company behind the popular Steam video game platform, announced plans to require MFA for developers after an attacker compromised a developer's credentials and distributed malware to Steam's users.
Alex Ilgayev, head of security research at Cycode, said organizations need to make 2FA a mandatory requirement for every system in the development process, including code, build, package managers, and cloud.
The use case for MFA in the SDLC

Kyle Hankins, managing principal of application security at Coalfire, said MFA increases the likelihood that a developer accessing data or taking an action is who they say they are.
Potential use cases for MFA in the software development lifecycle include making it harder for attackers to use a developer's credentials to make unauthorized code changes, merges, and commits; stealing credentials and secrets; accessing data; pushing unauthorized infrastructure changes; and releasing software into the production environment.
Organizations can also use MFA to secure CI/CD consoles, log dashboards, and pipeline definition files, and they can require it for accounts with the privileges to make major pipeline changes.
Scott Gerlach, co-founder and CSO of StackHawk, said it's important to put MFA into perspective.
Coalfire's Hankins said it's key for development teams to understand that MFA is not solving any core security issue.
MFA bolsters the efficacy of existing password and other single-factor authentication mechanisms, but it does not address insider risks.
Organizations use security tokens - such as OpenID Connect tokens and access tokens - as keys for granting developers access to the CI/CD pipelines, infrastructure, and secrets needed to build, test, and deploy applications.
Most security tokens can perform a range of privileged actions and can bypass MFA configured for that system because they are run through automation, Ilgayev said.
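The gap described above is that an automation token carries no record of a second factor, so a system that only checks "is this token valid?" lets it do whatever its scope allows. The following is an added example (not code from the article or from any vendor quoted in it) of an authorization gate for a CI/CD control plane that compensates for this: it verifies the token, then consults the OIDC `amr` (authentication methods references) claim to tell an MFA-backed interactive session from an automation token, reserves the most sensitive actions for the former, and caps the lifetime of the latter. The HS256 shared secret, issuer, audience, scope names, action names and one-hour lifetime cap are all hypothetical; a real deployment would verify against the identity provider's published keys.

```python
"""Added example, not from the article: gate CI/CD actions on token type.

Assumptions (all hypothetical): tokens are HS256 JWTs signed with a shared
secret; interactive logins carry an OIDC ``amr`` claim listing the methods
used (``"mfa"`` when a second factor was presented); automation tokens carry
no ``amr``. Scope and action names are made up for the demonstration.
"""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-signing-secret"   # hypothetical shared key
ISSUER = "https://idp.example"                 # hypothetical issuer
AUDIENCE = "ci-control-plane"                  # hypothetical audience
MAX_AUTOMATION_TTL = 3600                      # policy: bots get short-lived tokens
# Actions that must come from a person who just completed MFA, never from a bot.
INTERACTIVE_ONLY = {"pipeline:modify", "release:promote"}
REQUIRED_CLAIMS = ("iss", "aud", "sub", "iat", "exp")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict) -> str:
    """Create a signed token (stands in for the identity provider)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify(token: str, now: int) -> dict:
    """Check signature, issuer, audience and expiry; return the claims."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    for key in REQUIRED_CLAIMS:
        if key not in claims:
            raise ValueError(f"missing claim {key}")
    if claims["iss"] != ISSUER or claims["aud"] != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def authorize(token: str, action: str, now: int) -> tuple[bool, str]:
    """Decide whether ``token`` may perform ``action`` at time ``now``."""
    try:
        claims = verify(token, now)
    except ValueError as exc:
        return False, f"token rejected: {exc}"
    if action not in set(claims.get("scope", "").split()):
        return False, f"scope does not include {action}"
    # RFC 8176 defines "mfa" as an amr value; its absence means no second factor
    # was involved, which is the normal situation for an automation token.
    has_mfa = "mfa" in claims.get("amr", [])
    if action in INTERACTIVE_ONLY and not has_mfa:
        return False, f"{action} requires an MFA-backed interactive session"
    if not has_mfa:
        ttl = claims["exp"] - claims["iat"]
        if ttl > MAX_AUTOMATION_TTL:
            return False, f"automation token lifetime {ttl}s exceeds {MAX_AUTOMATION_TTL}s"
    return True, "allowed"


def demo_tokens(now: int) -> dict:
    """Constructed sample tokens covering the cases the gate distinguishes."""
    base = {"iss": ISSUER, "aud": AUDIENCE, "iat": now - 60}
    return {
        "developer": mint({**base, "sub": "dev@example", "exp": now + 900,
                           "amr": ["pwd", "mfa"],
                           "scope": "repo:push pipeline:modify release:promote"}),
        "bot": mint({**base, "sub": "ci-bot", "exp": now + 1800,
                     "scope": "repo:push pipeline:modify"}),
        "long_lived_bot": mint({**base, "sub": "ci-bot", "exp": now + 86400,
                                "scope": "repo:push"}),
        "expired": mint({**base, "sub": "dev@example", "exp": now - 1,
                         "amr": ["pwd", "mfa"], "scope": "repo:push"}),
    }


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the run is reproducible
    toks = demo_tokens(now)
    for name, action in [("developer", "pipeline:modify"), ("bot", "repo:push"),
                         ("bot", "pipeline:modify"), ("long_lived_bot", "repo:push"),
                         ("expired", "repo:push")]:
        print(f"{name:15s} {action:17s} -> {authorize(toks[name], action, now)}")
```

The point of keeping signature and expiry checks separate from the `amr` and lifetime policy is that the former tell you the token is genuine while only the latter tell you what kind of principal is behind it; a gate that stops at "genuine" is exactly the one the article says tokens slip through.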
MFA is also a limited approach because it introduces a certain amount of friction into every login or activity that requires it, Hankins said.
For some tasks, such as commits to production, especially on publicly accessible sites such as GitHub, MFA is a valuable safeguard.
Matt Rose, Field CISO at ReversingLabs, said MFA is valuable in helping to ensure that developers are authenticated properly.


This Cyber News was published on securityboulevard.com. Publication date: Tue, 12 Dec 2023 13:43:58 +0000