
Angara Security Customer IT Infrastructure-Based Trusted Repository Implementation Service

Product
Developers: Angara Security (Angara Technologies Group, AT Group) formerly Angara Technologies Group
Date of the premiere of the system: 2024/02/27
Branches: Information security
Technology: IT outsourcing

Main article: IT outsourcing

2024: Launch of trusted repository implementation service based on customer IT infrastructure

On February 27, 2024, Angara Security announced the launch of a service for implementing a trusted repository based on customer IT infrastructure.

Customer IT Infrastructure-Based Trusted Repository Implementation Service

As reported, according to experts, from 50 to 85% of the IT solutions in the register of domestic software are developed using open source code, and by 2026 up to 90% of companies plan to increase the volume of open-source libraries used in IT development. Since 2022, the use of unverified open source code from freely available international libraries (for example, on GitHub) in client-facing financial, banking and e-commerce applications has posed risks to the users and customers of those IT developments. An example of the first attack vector is attacks through the Log4Shell vulnerability identified in the free log4j2 library.

The next vector is geopolitical, or protestware: malicious functionality added to open code that is activated only in the Russian domain zone. For example, the es5-ext package on GitHub can be used to optimize the functionality and performance of JavaScript code. Usually es5-ext is included in a project through the NPM package manager (from Node.js) or YARN (from Facebook, which is recognized as extremist and banned in the Russian Federation) and is used in code through the import or require() directive. Russian experts found that the package determines the time zone in which it is running. As soon as it detects that it is in the Russian time zone, it displays slogans of a political nature.

The third open-source attack vector is supply chain attacks. When using software, the client can receive an update, or any other software, from the developer with malicious software or a backdoor included in it. Attacks through supply chains are only increasing: in 2022 incidents of hacking through contractors accounted for about 20%, while in the first half of 2023 this tactic was recorded in 30% of cases.

To reduce risks when working with open source, Angara Security recommends creating a local trusted repository for the development team on the company's own IT infrastructure, which makes it possible to identify exploitable vulnerabilities at early stages and increase the level of trust in the software being created.

Such a trusted repository works according to the following algorithm. When developers request code from an open external repository, cyber security specialists obtain exhaustive information about this software using multi-level verification by specialized OSA and SCA (software composition analysis) scanners. If the checks pass successfully, the code enters the local repository, and at the next stages of development additional SAST and DAST tools can be connected to it. At all stages of software assembly and acquisition, a search for errors and potential security problems is organized, taking into account current vulnerability data.
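The admission flow described above, together with the protestware and vulnerable-dependency vectors from the earlier paragraphs, can be illustrated with a small gate script. This is an added example, not Angara Security's code or any product's API: the advisory feed, the environment-probe patterns and all packages are constructed for the illustration, and the names TrustedRepository, Package and Verdict are the example's own. A package is admitted to the local store only if neither it nor its dependencies match an advisory, every dependency is already in the trusted repository, and the source contains no locale- or time-zone-dependent branch that needs manual review; the stored hash lets the gate re-verify the artifact whenever the code changes.

```python
"""Trusted-repository admission gate (constructed example, not vendor code)."""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed advisory feed standing in for an SCA scanner's vulnerability data.
# (name, version) -> short description of the known issue.
ADVISORIES = {
    ("log4j-core", "2.14.1"): "Log4Shell-class JNDI lookup in message formatting",
}

# Constructed OSA-style heuristics: code that branches on locale or time zone
# (the protestware pattern) is held for manual review rather than auto-admitted.
ENVIRONMENT_PROBE_PATTERNS = [
    re.compile(r"resolvedOptions\(\)\.timeZone"),
    re.compile(r"getTimezoneOffset\("),
    re.compile(r"navigator\.language"),
]


@dataclass
class Package:
    name: str
    version: str
    source: str                                        # package code as text
    dependencies: dict = field(default_factory=dict)   # name -> version


@dataclass
class Verdict:
    admitted: bool
    findings: list


class TrustedRepository:
    """Local store that holds only packages which passed every check."""

    def __init__(self):
        self.approved = {}  # (name, version) -> sha256 of the admitted source

    @staticmethod
    def digest(source):
        return hashlib.sha256(source.encode()).hexdigest()

    def check(self, pkg):
        findings = []
        # 1. SCA-style check: the package and every dependency against advisories;
        #    dependencies must themselves already come from the trusted store.
        for name, version in [(pkg.name, pkg.version), *pkg.dependencies.items()]:
            advisory = ADVISORIES.get((name, version))
            if advisory:
                findings.append(f"vulnerable component {name}@{version}: {advisory}")
            elif name != pkg.name and (name, version) not in self.approved:
                findings.append(f"dependency {name}@{version} not in trusted repository")
        # 2. OSA-style heuristic: environment-dependent branches need human review.
        for pattern in ENVIRONMENT_PROBE_PATTERNS:
            if pattern.search(pkg.source):
                findings.append(f"environment probe '{pattern.pattern}' requires manual review")
        return findings

    def request(self, pkg):
        """Developer requests an external package; admit it only with zero findings."""
        findings = self.check(pkg)
        if not findings:
            self.approved[(pkg.name, pkg.version)] = self.digest(pkg.source)
        return Verdict(admitted=not findings, findings=findings)

    def verify(self, pkg):
        """Re-check on every change: a modified artifact loses its approval."""
        expected = self.approved.get((pkg.name, pkg.version))
        if expected is None:
            return False
        if expected != self.digest(pkg.source):
            del self.approved[(pkg.name, pkg.version)]   # must be re-scanned
            return False
        return True


if __name__ == "__main__":
    repo = TrustedRepository()
    # Constructed sample packages.
    padder = Package("padder", "1.0.0", "module.exports = s => ' ' + s;")
    probe = Package("tzprobe", "0.1.0",
                    "const tz = Intl.DateTimeFormat().resolvedOptions().timeZone;")
    app = Package("app", "1.0.0", "require('log4j-core');",
                  dependencies={"log4j-core": "2.14.1"})
    for pkg in (padder, probe, app):
        verdict = repo.request(pkg)
        print(pkg.name, "admitted" if verdict.admitted else "rejected", verdict.findings)
```

The gate models the two policy points the page makes: nothing reaches the local repository until scanning is clean, and any later change to admitted code invalidates the stored approval so the re-check is automatic rather than optional.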

We use a phased approach to verifying code from publicly available sources and use tools from companies on the Russian information security market. We check both the quality of the code and its possible dependence on other open-source software. What is important for the company: the repository and the entire process of its work are seamlessly integrated into the existing development processes and actions of IT and information security teams. We are implementing a security algorithm so that this does not interfere with already configured processes.

said Andrey Makarenko, Head of Business Development at Angara Security

During the implementation of the repository, Angara Security experts develop regulations for the interaction of departments and configure scanning rules taking into account the characteristics of the customer's applications. If a developer makes changes to the code, the code is automatically re-checked.

During the development process, it is important that errors and vulnerabilities are identified as early as possible and do not affect the next sprints. If, on the eve of the release, a vulnerability is discovered that will make it easy to hack the system, which will bring reputational and financial damage to the company, then the developers will have to postpone the release date of the application.

emphasized Andrey Makarenko

To ensure the functioning of the software development infrastructure, Russian information protection tools certified by FSTEC are used. The solution stack includes commercial scanners from Russian developers, specialized DevSecOps solutions and solutions for protecting microservice architectures.

As a result of integrating the trusted repository in a number of projects in the financial sector, it was possible to reduce the development time of business applications and microservices by reducing the amount of code returned for revision. A further effect is a reduction in the time and staff resources IT specialists spend correcting mistakes made earlier in development.

The trusted repository format complements other IT security services: auditing the security of the DevOps infrastructure, code analysis, adapting individual open-source tools and implementing security tools on platforms for managing containerized environments.