Brad Causey, CEO, Zero Day Consulting

August 12, 2019


Question: What threats to developers and development environments should I know about, and how do I defend against them?

Brad Causey, CEO at Zero Day Consulting: Developers should be on the lookout for several threats. First, be wary of what libraries and third-party code you integrate into your applications. Aside from the obvious older and vulnerable versions out there, many companies are seeing supply chain attacks. This is where the attacker compromises an application or library in use by the organization but hosted and provided by a vendor. Recently, for example, a Chinese hacker group, Wicked Panda, has been compromising system admin tools and vendor update repositories in order to gain footholds into their consumer networks. The takeaway? Make sure anything you bundle into your software is vetted and safe. Also, take a close look at your integrated development environment (IDE) and other development tools.

Development environments pose a few unique risks to the organization. First, the security of these environments is generally lacking. Often, they will have weak permissions or poor/reused credentials. Additionally, they often have production data used for testing. This combination can often lead to production data being exposed to an attacker who homes in on the weaker security of a development environment.

Another common mistake is to use production credentials and configurations in both development and production environments. For example, if the username and password for a system administrator is the same for both production and development databases, attackers can pivot from one to the other more easily. Always segment out and protect your production environment from any attacks on dev.
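An added example for the "vetted and safe" point in the answer above (this is not code from the article or from Zero Day Consulting): a small Python check, modelled on pip's --require-hashes mode, that refuses a dependency artifact unless the requirement is pinned to an exact version and the artifact's SHA-256 matches a recorded hash. A tampered vendor download, an unpinned range, or a missing hash is reported instead of being bundled. The package names, versions, artifact bytes and requirements text are constructed for the example.

```python
"""Reject dependency artifacts that do not match pinned SHA-256 hashes.

Added example, not code from the article.  It mimics the idea behind
pip's --require-hashes mode: every requirement must be pinned to an
exact version and to one or more --hash=sha256:... values, and an
artifact whose digest does not match is refused before it is bundled.
Package names, versions and artifact bytes are constructed.
"""
import hashlib
import re

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9_.-]*)==([A-Za-z0-9_.+!-]+)$")
HASH_RE = re.compile(r"^--hash=sha256:([0-9a-fA-F]{64})$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_requirements(text: str) -> list[dict]:
    """Parse pip-style 'name==ver --hash=sha256:...' lines.

    Backslash continuations are joined and '#' comments stripped.  Each
    entry records whether it was exactly pinned, which hashes were given,
    and any option we do not understand (refused rather than ignored).
    """
    entries = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        spec, *opts = line.split()
        hashes, unknown = set(), []
        for opt in opts:
            m = HASH_RE.match(opt)
            if m:
                hashes.add(m.group(1).lower())
            else:
                unknown.append(opt)
        entries.append({
            "spec": spec,
            "pinned": PIN_RE.match(spec) is not None,
            "hashes": hashes,
            "unknown_options": unknown,
        })
    return entries


def verify(requirements_text: str, artifacts: dict[str, bytes]) -> tuple[bool, list[str]]:
    """Check every requirement against the downloaded artifact bytes.

    artifacts maps 'name==version' to the bytes fetched from the vendor
    index.  Returns (ok, findings); ok is True only when every entry is
    exactly pinned, carries a hash, was downloaded, and matches it.
    """
    findings = []
    for e in parse_requirements(requirements_text):
        spec = e["spec"]
        if not e["pinned"]:
            findings.append(f"{spec}: not pinned to an exact version")
            continue
        if e["unknown_options"]:
            findings.append(f"{spec}: unsupported option(s) {e['unknown_options']}")
        if not e["hashes"]:
            findings.append(f"{spec}: no --hash pin, artifact cannot be verified")
            continue
        data = artifacts.get(spec)
        if data is None:
            findings.append(f"{spec}: artifact not downloaded")
            continue
        digest = sha256_hex(data)
        if digest not in e["hashes"]:
            findings.append(f"{spec}: hash mismatch, got sha256:{digest}")
    return (not findings, findings)


# Constructed artifacts: stand-ins for wheel/sdist bytes from a vendor index.
CLEAN_ARTIFACTS = {
    "acme-utils==1.4.2": b"acme-utils 1.4.2 wheel contents (constructed)",
    "acme-crypto==0.9.1": b"acme-crypto 0.9.1 sdist contents (constructed)",
}

# Requirements file generated from the clean artifacts, in pip's syntax.
REQUIREMENTS = "\n".join(
    f"{spec} \\\n    --hash=sha256:{sha256_hex(data)}"
    for spec, data in CLEAN_ARTIFACTS.items()
) + "\n"

# Same index after one artifact has been swapped (simulated tampering).
TAMPERED_ARTIFACTS = dict(CLEAN_ARTIFACTS)
TAMPERED_ARTIFACTS["acme-utils==1.4.2"] += b"\n# appended backdoor (constructed)"

# A lax requirements file: a version range and a pin with no hash.
LAX_REQUIREMENTS = "acme-utils>=1.4\nacme-crypto==0.9.1\n"


if __name__ == "__main__":
    for label, reqs, arts in [("clean", REQUIREMENTS, CLEAN_ARTIFACTS),
                              ("tampered", REQUIREMENTS, TAMPERED_ARTIFACTS),
                              ("lax", LAX_REQUIREMENTS, CLEAN_ARTIFACTS)]:
        ok, findings = verify(reqs, arts)
        print(f"{label}: {'OK' if ok else 'REJECT'}")
        for f in findings:
            print("  -", f)
```

In a real pipeline the hashes come from a lockfile written when the dependency was first reviewed, and pip enforces the same rule itself with `pip install --require-hashes -r requirements.txt`; the point of the check is that a vendor repository compromised after that review cannot substitute a different artifact without the build failing.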
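An added example for the credential-reuse point above (this is not code from the article or from Zero Day Consulting): a Python pre-deploy check that reads a dev and a prod .env-style config and reports secrets that are identical in both environments, together with dev settings that point at production hosts. The file contents, variable names and hostnames are constructed for the example.

```python
"""Flag credentials and endpoints shared between dev and prod configs.

Added example, not code from the article.  Reads two .env-style files
(constructed below) and reports (a) keys that look like secrets whose
value is identical in dev and prod, and (b) dev values that reference a
production host.  Variable names and hostnames are assumptions.
"""
import re

# Key names that are treated as secrets; broad on purpose (KEY also
# matches things like API_KEY), since a false positive is cheap here.
SECRET_KEY_RE = re.compile(r"PASS|PASSWORD|SECRET|TOKEN|KEY|CREDENTIAL", re.I)


def parse_env(text: str) -> dict[str, str]:
    """Parse KEY=VALUE lines; blank and full-line '#' comments are skipped."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def find_shared_credentials(dev: dict, prod: dict) -> list[str]:
    """Secret-looking keys whose non-empty value is the same in both envs."""
    return sorted(k for k in dev.keys() & prod.keys()
                  if SECRET_KEY_RE.search(k) and dev[k] and dev[k] == prod[k])


def production_hosts(prod: dict) -> set[str]:
    """Hostnames named in the prod config (keys ending in _HOST)."""
    return {v for k, v in prod.items() if k.endswith("_HOST") and v}


def find_prod_endpoints_in_dev(dev: dict, prod_hosts: set[str]) -> list[tuple[str, str]]:
    """Dev settings whose value embeds a production hostname."""
    return sorted((k, h) for k, v in dev.items() for h in prod_hosts if h in v)


# Constructed sample configs.
DEV_ENV = """
# dev environment (constructed)
DB_HOST=db-dev.internal
DB_USER=sysadmin
DB_PASSWORD=Summer2019!
SESSION_SECRET=dev-only-secret
# base URL copied from the prod config by mistake
API_BASE_URL=https://api.prod.example.internal/v1
"""

PROD_ENV = """
# production environment (constructed)
DB_HOST=db.prod.example.internal
API_HOST=api.prod.example.internal
DB_USER=sysadmin
DB_PASSWORD=Summer2019!
SESSION_SECRET=c1b2e3f4-prod-only
API_BASE_URL=https://api.prod.example.internal/v1
"""


def audit(dev_text: str, prod_text: str) -> dict:
    dev, prod = parse_env(dev_text), parse_env(prod_text)
    return {
        "shared_credentials": find_shared_credentials(dev, prod),
        "prod_endpoints_in_dev": find_prod_endpoints_in_dev(dev, production_hosts(prod)),
    }


if __name__ == "__main__":
    report = audit(DEV_ENV, PROD_ENV)
    for key in report["shared_credentials"]:
        print(f"shared secret: {key} is identical in dev and prod")
    for key, host in report["prod_endpoints_in_dev"]:
        print(f"prod endpoint in dev: {key} references {host}")
```

Run as part of the dev environment's deploy job; a non-empty report means an attacker who pulls the dev config can reuse it against production, which is exactly the pivot the answer warns about.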


About the Author(s)

Brad Causey

CEO, Zero Day Consulting

Brad Causey is an active member of the security and forensics community worldwide. Brad tends to focus his time on Web Application security as it applies to global and enterprise arenas. He is a member of the OWASP Global Projects Committee and the President of the International Information Systems Forensics Association chapter in Alabama. Brad is an avid author and writer with hundreds of publications and several books. Brad also holds dozens of industry recognized certificates such as CISSP, MCSE, C|EH, CIFI, and CGSP.
