Episode 6: Securing the development environment with Laurent Balmelli

In this episode, we sit down with Laurent Balmelli, the CEO of Strong Network, to discuss why development environments are vulnerable to malicious actors and how we can move to a secure cloud IDE (Integrated Development Environment).

Video Transcript

We looked at what Gitpod was doing and said, oh, that's cool, but what's the point? Why would I replace my laptop for this? Yeah, it's cool because you get that thing online, but to me that's not the crux. The crux is that we need to provide some type of security on top of this. Let's try to get all these protection mechanisms that you get from the places companies are deploying to protect the data, and the IT efficiency that is provided by these online containers, and let's try to get the best of both. That's what we're doing.

That was Laurent Balmelli, a cybersecurity expert with a PhD, talking about what the future of development environments could be. Laurent was born in Switzerland but is truly a global citizen, having lived in many places like New York and Tokyo. Laurent's cybersecurity journey started with IBM before he left to found his own company, Strong.Codes. Strong.Codes was a startup that worked on preventing people from being able to reverse engineer compiled applications by obfuscating and scrambling the source code. That startup was actually acquired by Snapchat, who Laurent worked for briefly before he left to create his own company again, this time Strong Network. Strong Network is a cloud IDE, but also so much more: it's rethinking secure development environments for the modern era. In this episode we get to sit down with Laurent and talk about development environments, how they are moving to the cloud, and what the security risks of this are.

But before we get into that, it's time now to have a look at our breach of the week. In the theme of development companies, today's breach we're looking at is Atlassian, because on Friday the 17th of February, Atlassian had reportedly suffered a fairly significant breach due to a third-party integration. First reported on by CyberScoop, employee credentials were stolen that gave access to a third party, in this case Envoy. Now, what is apparent is that all the data that was breached is actually from Atlassian's own employees. Atlassian has claimed to have about 8,000 employees, although the breach is said to be concerning 13,000 different people. This may be because Atlassian actually has a lot more people working for them, or, the more likely scenario, it contains records of employees that are no longer working with the company.

So how does all this actually happen? Well, employee credentials are used all the time by attackers, and there are numerous ways in which they can get them. Of course, the favorite is through a phishing campaign, which is still on trend even in 2023, but there are also different ways that you can obtain a user's employee credentials. The dark web, and more recently dark Telegram channels, are a favorite for attackers to be able to sell and also buy these types of credentials. This has been an interesting separation of attackers in recent years: you have some attackers that specialize in targeting campaigns like phishing to try and find employee credentials. They will also search public resources like Docker images, other containers, or source code to be able to obtain this information, and then, if they don't want to use it, they can sell it on to a new level of hackers who specialize in exploiting specific companies. This marketplace isn't entirely new, but it's definitely growing, and could possibly have been how initial access was gained here. But it does show the trend in hacking activity that we're on right now, and that is that credentials are used in nearly all attacks, whether for initial access or to elevate privileges. And the other thing we know is that developer accounts for developer tooling are becoming increasingly hot targets. This is because developers, DevOps teams and other engineers are really the gatekeepers to the information that the attackers want.

So what does this mean for Atlassian? The biggest risk for Atlassian is that the attackers use this employee information to launch more sophisticated spear phishing and phishing campaigns on their employees to try and gain access deeper into their systems. At the moment that seems fairly unlikely, the reason being that the attacker has already announced that the breach has been made, something that is typically done once an attacker has leveraged it as far as they can go with the resources, time or commitment that they have. The hacking group in question here, named SiegedSec, seems to me reminiscent of other hacking groups like Lapsus$, with a younger following, where the main goal seems to be notoriety rather than financial benefit. But the one thing that we can all learn from these types of attacks is that we need to start implementing areas of zero trust around all segments of our infrastructure and third-party services. This includes adding multi-factor authentication, limiting IP addresses and access where possible, and, of course, it may seem like an early-2000s technique, but using firewalls. But even then we can't always be certain that our employees will do the right thing. That is why this conversation with Laurent today is on such a good topic: we're going to talk about securing the modern development environment.

We're used to our integrated development environments, IDEs like Visual Studio Code or Atom, that combine various tools that allow developers to do their tasks in a more efficient way. But like all things moving to the cloud and out of our control, IDEs are also heading that way. Big names like GitHub have launched their cloud IDEs, like GitHub Codespaces, as have various other vendors. But what does this mean for security? What Laurent is working on is a lot more than just a cloud IDE. Strong Network is looking at how they could make the entire development environment completely secure and also remote, suitable for a modern startup where, let's face it, we're all continuing to be remote and outside a lot of the perimeters that organizations can control. So without further ado, here is the conversation between myself, Laurent Balmelli and Dwayne McDaniel.

Laurent, welcome to the show. I really want to dive straight into the topic today, and I know Dwayne, who's here with me as well, has some questions, but I want to kick things off. Let's start with cloud IDEs, cloud integrated development environments. That's the idea that we're shifting our development process online, through a browser. How has this changed things in general, and how is this changing security for developers?

Okay, well, first let's explain simply what a cloud IDE is. Basically, it's an IDE that runs in the browser, but I think this is really limiting as a description of the solution that we and other vendors are providing, right? If you look at our solution compared to what GitHub Codespaces or Gitpod or Coder or the other people are providing, it's really more than a cloud IDE. It's really a container, a way to manage containers online, right? So let's say everybody's buying DevOps today as perhaps the best process to run your development process, your application process, right? And for that matter, you need to have an efficient way to manage containers. And these containers, you know, if you're a coder, and I'm a coder myself, initially you would install Docker on your computer and you would create some files, you would build a container and run it locally, and the benefit is that you can isolate the dependencies for your development environment. That's really the key benefit of such a technology. But a better way to do this, instead of managing these containers on your laptop, is that you can actually put them online and access them remotely, right? So what's the benefit of this? First of all, there's less messing around with docker build, docker run and all these local commands and stuff like that. And the second thing is that instead of having all this data on your computer, it will be online. That has additional benefits that I'm not going to go into in too much detail right now, but a lot of benefits will come from that. One of them, from a security standpoint, is also to remove the data from the developer's laptop and put it online.

So first of all, you need to put this thing online, and then you need to access the container with a way to author information inside the container, and in this case it will be source code, right? Source code will be the information that is authored by the developer inside the container, and it will basically run inside the container in order to create your application. So the first step is to put these containers online, and this is what I mentioned these other vendors are doing: they put this online like we do, and that usually will be a Kubernetes application that runs on some cloud, and you have a way to manage those containers. And then the cloud IDE, this is where we come to that, the cloud IDE will basically be the mechanism to access this container remotely and to author information. But there are alternatives to this as well. For instance, you can say, well, then I actually use my local IDE, not a cloud IDE, and have an SSH connection that connects to that container online, and that is referred to as remote development. If you look at VS Code, you can google "VS Code remote development", and as you can see, the local VS Code is actually enabled to create that SSH connection, and that will give you access and let you author information directly in that container, to get the benefit I was mentioning before. If you look at JetBrains, they have this mechanism called Gateway, which is exactly the same principle, right? Basically the IDE would be local, but it would give you connections to remote containers, and then you get that benefit. So overall, when you talk about a cloud IDE, I think it's very limiting, because it's really more about a platform to manage containers, right?

But this is just the beginning. So the first step is doing this, and you do this because you want to accelerate your DevOps process. If you buy into this, what you want to do is take these containers, and sometimes I think a good way to name that is CDE, where it stands for containerized development environments, okay? And you take these CDEs and you work inside them, you work directly inside these CDEs with your cloud IDE, and then it will be easier to bring these containers into testing, into release and production. So what you want to do is diminish the friction across all these stages, you know, this infinity sign which is a good way to represent the DevOps process. You want to limit the friction across the stages for your containers, so that you can basically replicate the environment that you have for development into testing, into production, so you have fewer bugs, you have fewer changes to make. So that's the first step. So the first thing, when we started that adventure like two years ago with my co-founder Osrenko, we looked at what Gitpod was doing and I said, oh, that's cool, but what's the point? Why would I replace my laptop for this? Yeah, it's cool because you get that thing online, but to me that's not the crux. The crux is that we need to provide some type of security on top of this. Because if you want to deploy this as a mechanism for managing your developers, look at what the typical alternative would be in a company, right? It would be a VDI, it would be a desktop as a service, you know, all these mechanisms that provide some kind of security regarding data protection, right? They provide some kind of application mechanism that says, okay, I'm actually going to onboard my developers quickly on this type of infrastructure, but my goal is to do this because I want to protect my data, right?

And guess what, oh yeah, it aligns with DevOps, so it's very cool because I will get efficiency. But it's really an argument there to do this for the sake of protecting your data. So this is where we come in, right? So we said, okay, let's look at what VDI is doing, and all those things like AWS WorkSpaces, let's look at what GitHub Codespaces is doing, and let's do something in between, let's do something in the middle. Let's try to get all these protection mechanisms that you get from the places companies are deploying to protect the data, and the IT efficiency that is provided by these online containers, and let's try to get the best of both. That's what we're doing.

That's a lot to unpack there, but thank you very much.

No, no, this is absolutely fine.

One of the big things I've seen from the adoption of things like Codespaces and Gitpod is people chasing that forever dream of stopping the problem of "it worked on my machine." I mean, that was the idea of Docker: hey, we'll just ship your machine. And now we've moved into the cloud somewhat, but it's interesting to hear a security perspective on that. When I think of security for these environments, I'm more thinking from the developer's seat, and especially at GitGuardian, thinking about secrets management throughout that process. But I imagine here you're talking about the data security element. So what specifically are you doing on top of just the containerization?

Yeah, absolutely. And this is really good, because it's very important to differentiate code security from what we do, which is really infrastructure security. So this is where there's an interesting thing that happens between the hardware that is used to run your DevOps process and the environments that need to be enabled for the developers to create their applications. So what we don't do is code security. Often, if you look at DevSecOps, this is often referred to as practices for code security: what GitGuardian is doing, removing tokens from your code, making sure that your code, like many other vendors, for instance, making sure that the code doesn't have vulnerabilities and these types of things. So here we're really talking about infrastructure security. So what do you need? You need, first of all, to remove the data. I mean, removing data from the developer laptops is something that is given by design with such a solution. But then you can see what VDI and DaaS are doing, which is data loss prevention. So then you need to prevent exfiltration, whether it's active exfiltration or, you know, not necessarily malicious, right, it can also be an attack coming from malware or something like that. So you need to prevent that type of thing. You need to control the network like you would do with the firewall rules that you get if you look at what you can do on a cloud provider, like what Google can do with Google Cloud Workstations, right, which is something extremely similar. It's not exactly the same as Gitpod and Coder and GitHub Codespaces, right, but they can control the network because they have this mechanism that lets you define firewall rules, which is exactly what we do as well, right? So we add this type of security, and other security that allows you to control data flow. But the reference I always give is data in, data out: what are you allowed to put in, what are you allowed to take out? And this is where it becomes use-case specific. Like, if my customers are developing an application and they don't want people to be able to extract any of the code or have any copy of the code, or even have a binary locally on the laptop, then this is data out: you have to prevent this type of information from leaking out of the container. And data in, well, this is mostly to prevent some kind of malware, right? If you want people to be able to upload, yeah, it could be not malicious, but you could have malware or malicious information uploaded inside the container, so you want to be able to filter this type of thing. Actually we have requirements like this where we work with some of the clients, because they want to have some kind of malware prevention mechanism. So this is basically, you have to see this as infrastructure security, and this is where we need to be clear when we explain our technology to customers. Some customers are asking how different we are from, you know, this thing that allows me to make sure that my code doesn't have vulnerabilities. I say we don't do any of that. This is not what we do. We're actually doing infrastructure security, and so you have to see this in a way that, I think the best way to say it, is really a VDI replacement.

Yeah, I get it, or at least I think I get it. One of the questions that immediately comes up for me is why now? No, not why as in why do we need to secure our infrastructure. I understand a little bit at least of how you're doing that, but what are the risks that are involved, and why are we needing to make this change?

So I agree. I think you have to take an industry perspective, right? I mean, in the technology industry, you know, it might not be very important, or perhaps anecdotal, if you can do this. But if you look at the finance industry, the insurance industry, we have regulation, you have compliance, and I think that becomes really the name of the game, right? So it's really an industry play. So that's what I think: we have to pick our battles and take a market that I think can really benefit from our solution. So this is where it becomes interesting: if you're aware of the kind of constraints that some companies have, because of regulation, because of compliance, then that becomes very relevant.

It's interesting going into the compliance area. I just got back from Australia, and there have been some massive breaches with large telecoms and also a bank in Australia, and everyone's at the moment taking action to think how new regulations and new laws are going to affect change, and how we need to keep up with this. So this leads me into talking about what we do. Do we have the knowledge or the understanding in the industry about the risks that are associated with, you know, code sprawling, it being on developers' machines, it being outside of control? And is this something that we need to, well, partially solve by introducing governance and legislation that will kind of, I guess, force large organizations into this?

I think this is a really good debate, because if you look and you put this question to bankers, financial institutions, you say, well, we need to do this because otherwise we get grilled by the CIO or a compliance assessor. But then you look recently at what happened to some companies like Nvidia or EA, or this type of stuff: there have been so many breaches of source code. And why is this important? Because it's an IP concern, right? And especially, I think, in certain industries. Like, I don't know if you're aware of how Ubisoft and these gaming companies are working, but they're completely paranoid about people looking at the source code or gaining access to it, right, from an IP perspective. But there are other industries; it's like, let's say if I see your source code, then I can see your vulnerabilities, and if there's a way for me to get access, a way to exploit these vulnerabilities, then am I actually able to reach a system like your entire customer data, right? I think this is where it becomes interesting, because, you know, for some time, and this is good to your point, people would say, yeah, we just need to have the source code on the developer laptop because that's the way it is, there's no other way to do it. And the financial sector would say, yeah, you know, there's another way, but it's very expensive, it's very heavy and it's really annoying, this complex VDI stuff, right? So for the sake of perhaps being agile, like a technology company, you say, well, let's take the risk. But then recently, if you look at all the source code hacks that happened in the beginning of the year, we had a laundry list, because we put this in the charts when we talked to technology companies, we showed them examples. And I think this is where it becomes interesting, because people realize that, yeah, it's actually not completely benign information, we need to protect it.

That's really interesting that you bring up, you know, the breaches that were done by those Lapsus$ groups. I remember following on from that, when you first hear about it, you think, oh my God, how did these massive companies, you know, Nvidia, you talked about Microsoft and others, how did these massive companies get their source code breached? And you're kind of expecting perhaps even state actors, and then you find out that it's this group of teenagers that are doing this. And then the immediate next question is, all right, how do these groups of teenagers penetrate companies that you assume have a great security posture, and I think they do? And then I went onto their Telegram channel, and they're literally just buying access into source code, into development environments. They literally said on their Telegram channel, here's a list of companies we want to breach, or at least it was kind of industries, types of companies we want to breach. If you work for them, contact us, we'll give you, you know, several thousand dollars if you grant us access to your development environment. So that's crazy, and you know, that's a total change, and it just shows, you know, we may trust all of our employees, but it just takes one person to have a bad day, to be in trouble, to find that appealing, and when you don't have control over your development environment, you know, that becomes a risk.

This kind of brings up an interesting debate, right? Because when we're generally talking about security, we're talking about preventing the bad actors from getting in, you know, they're external threats. But now we've kind of crossed this line into internal threats, where, all right, we have to start thinking about perhaps insiders working with outsiders. In your perspective, right, where are we at on this debate? How concerned, how restrictive should we be when dealing with our employees as potential threats?

Yeah, I think this is really a very interesting debate, and it took an interesting shape because of, you know, the pandemic and how people started to work, and, you know, there's high turnover at some companies, there could be grudges, anything like that, you know. But I think most importantly it's about hygiene, right? I mean, you just want to have governance over your process, know where your assets are. I mean, at the end of the day, you know, it's like being diligent about the money that was entrusted to you by investors, and you say, you know, this is how we manage things, we manage our process. If there's a way to get more governance, more visibility, why not, right? And again, this is where I'm getting at the point, the important thing is that we're associating two things: the efficiency of containers online, for being very efficient at DevOps, and security. If we can do these two things, which might be conflicting at first, like, well, you know, if you add security it might be in the way of developers. No, actually, what we did is that we showed that these things can live together, these things can coexist and give you the best of both worlds. So if you can bring some hygiene to your code, it's a good thing. And, you know, regarding insider threats, you know, it might be that some people might not have good intentions, but also things like, because we have relationships with people working in Eastern Europe, and we have lots of friends on the side of Poland, and the last time I was at a conference, one of the worries I heard from many people was that they had these remote developers that have multiple jobs. When I say multiple, it's more than two or three, and that's not like a big thing for them. So this is also interesting, right? But I think these are mostly anecdotes, because I don't think it's generalized. I think it's just that there are some people that really are not very respectful, but for most of them it's not the case. But I think it's mostly about hygiene, and if you can get the best of both worlds, why not?

So it's interesting to bring up governance there, because that is definitely something I don't see, you know, the Codespaces or Gitpods or Coders of the world talking about. So where is your solution fitting into the larger security organization and the larger DevOps organization? This is my personal take after doing a lot of exploration of these solutions: it seems like Codespaces and Gitpod, not to pick on those two, it's just that they're the prime examples, really are things where, hey, the developers are doing that over there, that's great, they're still feeding code into our pipelines, they're still accessing data the same way they would have if it was on their local developer machine, good for them. This really feels like you're having a broader conversation with the org, and at least for me, governance isn't something that I take into my day-to-day concerns.

No, you're absolutely right, and I think one of the key points you're bringing here is whose concern is this, right, and who should be concerned by governance, right? And I think, I've been a developer most of my life and I love it. Actually, you know, I'm still developing, you know, hiding from my teams, but I really like to write some code when I have time, and to tell you this, I think when you're a developer it's pretty much, you know, you want to have something comfortable, you have to have something that is fast, that works, so that you can be productive, you can be creative, and I think that's cool, right? I mean, this is something I don't want to limit, any of those things. But at the same time, when you become a manager, or you become, like myself, an entrepreneur, when you start creating a company, I think it's good to get some visibility of what's happening, and governance, right? So it's a multi-stakeholder sell when we do this, and we need to talk to multiple stakeholders. But I think it's good that we always want to be a developer-first solution, which I think is really important, because you want people to be happy and comfortable. And, you know, we develop our solution with our solution, right, since the beginning. Actually, initially we thought we were developing this for ourselves, right? I'm not kidding. Initially you say, like, you know, we want to hire people abroad and stuff, we should really have some kind of good mechanism, so we started with that, and when you work on that because it's for yourself, you just keep developing the platform. But, you know, when we can have that conversation with the CTO and the CIO and say, this is something that can help you sleep at night, and that's not getting in the way of the developers, I think it's important. So it's really, I think the way we named this when I was working with large companies, it's really context-aware security: security that is in context, that knows the context, that is not something generic, and that for that reason can be really adapted. It doesn't get in the way of the developer, it's not even slowing them down, it's actually making them happier, because, for instance, if the developers have to manage tokens themselves, like keys and credentials, this is all about friction, right? So to be accelerated, what if you had something that does that for you?

It's definitely one of the great hopes of our environments, making security even easier.

Yeah, I think it's important to have these platforms that enable secure development, because, I mean, we've just brought up so many things: governance and compliance and legislation and other areas. And like, I'm being vigilant now, and you know, I'm taking notes of this conversation and getting into it, but man, when I'm a developer, there's no way that I've engaged in that kind of conversation, right?

Yeah, exactly, I agree. You know, but like, I got older, you know, I was like, I know, but I'm not too big on this. This is really something where we get to, I think, I mean why? Because I have people I have to report to, right, my investors, you know, my stakeholders. At some point, you know, if I need to get my house in order, it's easier if I get some tools to do that. I don't want to do it by myself, so if I can have automation for that, it's good, and if it doesn't affect my job as a developer, like, as you say, why not? You know, I mean, yeah, there's nothing to worry about, right? It's something that is transparent. And by the way, with this we did not invent anything, because if you look at how GitHub is working, there are also a lot of things that will give you information about your process, right? Where people check in, they push, they pull, they do pull requests, this is all captured somewhere in the logs of GitHub, right? So this is something else, so governance is not one thing, it's actually an amalgamation of a bunch of different tools, and GitGuardian gives governance as well, right, on what's happening in your process, right? So I think it's not something that we invented, but, you know, something that can be accelerated if you have the right environment.

Well, we're wrapping up the conversation now, and it's been really interesting. I think this is probably a continued conversation, I think we're going to need to revisit this again. But before we formally wrap up, I know that Strong Network, and I also know that you yourself, are quite prolific at writing articles, at contributing to the security conversation. Where can the audience go to follow you, to maybe read some of those articles and to keep up to date?

So the website is a good resource, strong.network is a good resource for blogs and for webinars. Actually, I wrote a series of four webinars that go into several topics, and I will give them again starting, I think, this month, I guess, because I gave a few over the last month and a half, and we're going to do a new series now. That's one thing. I also have a Medium account, where I really like to write about security generally but also about what we do at Strong Network. So I also have a publication just for Strong Network, so you can go to medium.com and look for my name, and then I think perhaps one of the recent articles that I wrote, which is called "The Virtual Secure Developer Laptop", is something that gives kind of, you know, what I talked about today, that I see this platform really as a way to replace this secure environment. Let's say, if companies want to give a secure DevOps laptop to a developer, this is a virtual way to do this. So look at this concept here on my Medium blog.

Yeah, that article's a great article. There's actually an illustration in there that I absolutely loved. It's a timeline of the computer evolution, and it's just one of those things, like when you look on the Wayback Machine, where you could look at something and think to yourself, oh my God, I get it now, this makes so much sense of where we've come from.

Thank you, thank you. And you can see it is not even long ago, right? That was 10 years ago, I think. Look at how far we came in 10 years, right? From having very, very precious information on laptops, because there was no real cloud application, to everything migrated to the cloud. And the last mile there is really the developer's information, the developer's source code and data, but everything else already went to the cloud: CRM data, you know, those things. Like, well, seriously, that's like in 2018, it's crazy, nobody's going to put their customer data on the cloud, you know, but guess what, everybody's done that. So it's interesting.

Well, Laurent, I just want to take the opportunity one last time to thank you for coming on The Security Repo. It's been a fascinating conversation, and I really hope that we can revisit it again in the future. And to the audience, thank you for tuning in, and make sure you check out some of those articles that Laurent mentioned. They're really fascinating and are going to help you understand where we're heading in this direction. So Laurent, thank you again, and I'll see you all next time.