DevSecOps and its tooling are a subject one can write tomes on. One blog post could not possibly do that. But a series of posts just might. So, hopefully, the creative juices will stick with me long enough to write a few posts like this one on topics that I think are of vital importance to anyone (individual or company) that wants to call themselves and their software “professional”.
MFA crash course
Multi-Factor Authentication (MFA) is an authentication method in which a user is granted access to a resource only after successfully identifying himself with multiple evidence (factors). Examples of such evidence would be:
- App Generated Codes
- Hardware token devices
- Fingerprint scanner
- Facial Recognition
- Answers to Personal Security Questions
- Codes sent to email/phone
- IP Whitelisting
A software can utilize any combination of such factors to authenticate its users.
The most common subset of MFA is Two-factor Authentication (2FA) where the user needs to provide just two pieces of evidence to successfully authenticate. The easiest way to put 2FA in place is to simply enable it in the application that you want to harden, such as your GitHub, Facebook, OneDrive, is to download a 2FA application on your smartphone (Authy, Google Authenticator; there’s a ton of them out there, take your pick) and simply enable the feature in your account settings. Most web applications these days support 2FA without much hassle around it.
The first line of defense
So, where am I going with all this?! There’s a point to it, I promise. I realize that in this day and age we’ve become too used to the convenience of the Internet and the ease of access to everything. Most of us have the “Remember me” checkbox clicked by default simply because we can’t be bothered to log into the same portal more than once. Imagine having to put in your username and password every time you want to check your social media (Facebook, Twitter, etc.), you’d go crazy. But in software development, it’s a whole different story. MFA should be your first roadblock for anyone wishing to access any part of your software. Just some examples of places where MFA should be mandatory but it is often overlooked:
- Source code repository hosting (e.g. Github, Bitbucket, Gitlab, etc.)
- Issue tracking systems (e.g. JIRA, Redmine, Trello, etc.)
- Cloud providers (e.g. AWS, GCP, Azure, DigitalOcean, etc.)
- External artifact repositories
For the first two points it’s quite simple, just go and enable it in your settings. Do that and you can sleep just a tad bit easier than you reused that super difficult and complex password you came up with for your production root account to also log in to that bee-keeping forum because you wanted to post a question if you could keep a single bee as a pet. You should not re-use any passwords ever, but that’s a whole different blog post. Also, that bee-keeping forum could have military-grade security implemented in the background, you never know who built it.
2FA in this case provided you with the second step of authentication (like the name suggests) that is not static. While your password doesn’t really change between logins, your 2FA token changes every 60 seconds or so, no matter if you used it or not.
Do you even MFA?
In the world of DevSecOps MFA becomes especially crucial when you want to protect “The Precious” which is your cloud provider account. It goes without saying that if an unwanted person gains access to your AWS account there’s going to be some damage. More or less, it depends on how well your IAM policies are defined, but there’s bound to be some panic around the office as soon as someone realizes this. The damage could range from just looking at your logs and see who your clients are, to destroying your infrastructure, to finding your “secret” passwords file on S3, to bringing up 1000 instances to mine cryptocurrencies. There’s a saying out there (not sure if it comes by an old, wise man): It’s better to prevent it than to treat it. This is a saying from way before Covid-19 I swear.
So, the point I promised I had a while back:
Make MFA mandatory for any action inside your cloud!
Doing this is simple enough. You need a single statement in your base IAM policy:
{
"Sid": "DenyActionWhenMFAIsNotPresent",
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": false
}
}
}
The example above is a CloudFormation snippet for AWS but rephrase it a bit and it can be applied to virtually any cloud provider out there.
I’m not saying this will solve all your security problems but it will solve for sure the most common one: accidentally pushing your AWS credentials to a public git repo.
Conclusion
Some might see MFA as a disruption to their speed and way of working, because who wants to take their phone out to check a code every time they need to log in anywhere, but it is a necessary disruption. MFA (or 2FA) makes the marvel that is the Internet just a teensy bit more secure than it normally is. It takes virtually no time to enforce it and only just a few meetings and discussions to get everyone to understand why they need to use it when their passwords are some combination of their birthday and kid name which is of course “uncrackable”.
Final Note
What staggers me most about the world of 2FA and the broad spectrum of apps out there available is how none that I’ve found so far has the simple feature to organize your 2FA tokens into folders. Is it too much to ask that I want my list of tokens a bit organized and not having to feel like I’m playing a slot machine, just doing a fast scroll and hoping my muscle memory is good enough that it will stop somewhere near the token I need (that is if I remember its place in the list). If you know a 2FA app that has this feature shoot me a message, a round of beers is in it for you.
