Open services leave business networks exposed
As cloud environments become more common, the extra risks are mostly well understood, but a new blog from Orca Security shows that businesses could be leaving their networks open via common configuration errors.
The use of external CI/CD (continuous integration/continuous delivery) services means access control lists (ACLs) are often changed, but this can inadvertently leave internal services open to the world, argues Avi Shua, CEO and co-founder of Orca Security.
Although your CI/CD vendor may be reputable, opening it up on your ACL may mean implicitly trusting all of its customers too.
The Atlassian Bitbucket service, for example, points out the risks in its knowledge base: "You can use these IP ranges to allowlist requests made from your build environments. SSH keyscans are also performed from within the build environment. Note that Bitbucket Pipelines is a shared service and the IP addresses below are used for builds configured by all of our customers. In addition to IP allowlisting, you should use a secure means of authentication for any services exposed to Bitbucket Pipelines."
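The check Atlassian recommends can be turned into a routine audit. The following is an added example, not code from the Orca Security blog or from Atlassian's documentation: it takes a set of ACL allowlist rules, a table of the IP ranges a shared CI/CD provider publishes, and an inventory of internal services, and flags every rule that grants a shared range access to a service that does not authenticate its callers. The provider name (`example-pipelines`), the IP ranges, the rule names and the services are constructed sample values, not real provider ranges.

```python
"""Audit ACL allowlist rules for shared CI/CD ranges reaching internal services.

Added example, not part of the Orca Security or Atlassian material. All data
below (provider, ranges, rules, services) is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample: ranges published by a hypothetical shared CI/CD service.
# Every tenant of that service can originate traffic from these ranges, so an
# ACL entry for them trusts all of the provider's customers, not just you.
SHARED_CI_RANGES = {
    "example-pipelines": [
        ipaddress.ip_network("203.0.113.0/24"),
        ipaddress.ip_network("198.51.100.0/25"),
    ],
}


@dataclass(frozen=True)
class AclRule:
    name: str
    source: str  # CIDR allowed to connect
    port: int    # destination port the rule opens


@dataclass(frozen=True)
class Service:
    name: str
    port: int
    authenticated: bool  # does the service itself authenticate callers?


@dataclass(frozen=True)
class Finding:
    rule: str
    service: str
    provider: str   # which shared provider (or "internet") the rule admits
    severity: str


def ci_provider_for(net: ipaddress.IPv4Network):
    """Return the shared CI/CD provider whose published ranges overlap `net`."""
    for provider, ranges in SHARED_CI_RANGES.items():
        if any(net.overlaps(r) for r in ranges):
            return provider
    return None


def audit(rules, services):
    """Flag rules that admit shared CI/CD ranges (or the whole internet)."""
    by_port = {s.port: s for s in services}
    findings = []
    for rule in rules:
        svc = by_port.get(rule.port)
        if svc is None:
            continue  # rule opens a port with no known service behind it
        net = ipaddress.ip_network(rule.source, strict=False)
        if net.prefixlen == 0:
            # 0.0.0.0/0 would overlap every provider range; report it as
            # world-open instead of attributing it to a CI/CD provider.
            findings.append(Finding(rule.name, svc.name, "internet",
                                    "info" if svc.authenticated else "high"))
            continue
        provider = ci_provider_for(net)
        if provider is None:
            continue  # private or first-party range, outside this check
        # Shared ranges are reachable by every tenant of the provider; only a
        # service that authenticates its callers keeps this at low severity.
        severity = "low" if svc.authenticated else "high"
        findings.append(Finding(rule.name, svc.name, provider, severity))
    return findings


# Constructed sample ACL and service inventory.
SAMPLE_RULES = [
    AclRule("allow-ci-to-artifacts", "203.0.113.0/24", 8081),
    AclRule("allow-ci-to-git", "198.51.100.0/25", 22),
    AclRule("allow-office-to-admin", "10.20.0.0/16", 8443),
    AclRule("allow-all-to-web", "0.0.0.0/0", 443),
]
SAMPLE_SERVICES = [
    Service("artifact-repo", 8081, authenticated=False),
    Service("git-ssh", 22, authenticated=True),
    Service("admin-console", 8443, authenticated=True),
    Service("public-web", 443, authenticated=True),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES, SAMPLE_SERVICES):
        print(f"[{f.severity}] {f.rule}: {f.provider} -> {f.service}")
```

The unauthenticated artifact repository reachable from the shared range is the case the article describes and is reported as high severity; the SSH service behind the same kind of rule is only noted, because key-based authentication is the second control Atlassian asks for. In practice the service table would be fed from a deployment inventory and the provider ranges from the vendor's published list.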
However, as Shua points out on the blog, it's easy for busy DevOps teams to overlook this, with potentially disastrous consequences.
Shua says, "Yet again, we see that the combination of a few mistakes of human error and misconfigurations can be easily overlooked and have catastrophic implications. Mistakes will happen -- and organizations need to make sure that they have the proper tools and processes in place to detect, verify, and fix them before they are abused by bad actors."
You can find out more with a full technical description of the issue on the Orca blog.