Meltdown and Spectre chip flaws highlight pressing need for DevSecOps
There’s nothing quite like the rude awakening of discovering, after a long holiday break, that researchers have found not one, but two major security flaws in widely employed processors that affect every major operating system and possibly millions of applications.
The more serious of the two flaws is Meltdown, which impacts operating systems running on every Intel processor employed in a system over a 20-year period starting in 1995. That flaw allows applications accessing kernel memory to potentially discover the content of another application, including, for example, passwords. Hackers could, in theory, develop malware to exploit that flaw.
The second flaw is known as Spectre, which also, in theory, allows hackers to trick processors from Intel, ARM and Advanced Micro Devices (AMD) widely used in smartphones and tablets into speculatively executing operations that would reveal secret data, such as what processes are scheduled to run next.
Neither flaw appears to have been exploited by cybercriminals yet. But Microsoft, Apple and the Linux community have either created patches, or are in the process of creating them, to eliminate or mitigate both flaws. Some security researchers, however, say the only way to definitively eliminate these vulnerabilities is to buy systems based on the latest generation of processors. Those systems are based on different microprocessor designs that don’t incorporate these flaws.
Alas, upgrading every system in an enterprise is a proposition that would prove prohibitively expensive. Most IT organizations will instead opt to upgrade their operating systems to mitigate these vulnerabilities. They will then also need to determine which applications in their portfolio directly access kernel memory. Once the operating system patches are installed, however, some applications may experience some degradation in performance, and applications that directly access processor memory could be impacted to a much higher degree.
The great Oscar Wilde once said a thoroughly modern intellect learns to expect the unexpected. Meltdown and Spectre are the best examples to date of why organizations need to embrace DevSecOps. IT organizations can assume that there are going to be other unexpected security vulnerabilities. They may not have the same impact as Meltdown and Spectre. But regardless of the severity of the vulnerability, once it’s disclosed the race is on to remediate the issue before cybercriminals figure out how to exploit it. You can bet hackers are delving with glee into all the nuances of Meltdown and Spectre in anticipation of the fact that some IT team or lone end user somewhere will forget to update their operating environment.
Unfortunately, most developers and IT operations teams do not work hand in glove, and even in organizations that have embraced DevOps, the degree to which those processes are implemented is inconsistent. Very few of the organizations that have embraced DevOps have extended the reach of those processes to include security. But those that have are much more likely to be able to deal with surprises such as Meltdown and Spectre with greater alacrity.
DevSecOps in and of itself will not prevent bad things from happening. But it does mitigate their impact. Applications developed employing DevSecOps processes will tend to be more secure. More importantly, organizations that have DevSecOps processes in place are better prepared to update their IT environments whenever necessary. It’s safe to assume there are more nasty cybersecurity surprises on the way. The measure of any IT organization now is not so much how many of those vulnerabilities it can avoid, but rather how well it responds to cybersecurity attacks looking to exploit the vulnerabilities that will inevitably be encountered.