DoD systems hacked in 4 minutes by outsiders and the DevSecOps open-source effort to remedy it

The entire PlatformONE stack and entire DevSecOps stack is based on open source software. I think there were two different stories. Some companies saw open source as a business risk, not so much as a cyber risk. They like to pretend it was for cyber reasons but in fact they were afraid that those open source projects were going to cannibalize their business sales and revenue. At some point, those projects became so big that there was no denying that they had to participate… Microsoft is now completely embracing the open source community and collaborating natively with those members. We’ve done the same thing.


… Anyone can go and see the code, containers, and work we’re doing because we know that by having more eyes on the code we’re more secure. It’s actually a mess to think that obfuscation can bring any security. In fact, when we’ve done a test, including the more recent ones organized by Dr. Roper at DefCon last year, white hat hackers managed to get into a DoD system they’d never seen before and they managed to get complete admin access within four minutes, including sometimes dozens of exploits to get into the same system in different ways. That demonstrated to the world that obfuscation and closed source code don’t bring any security. At best, they bring faith when in fact there’s no evidence. It’s actually counter-productive to be hiding it. If you actually trust it, you have no problem open sourcing it and getting feedback, very much like anything else in life.

That was the excellent Nicholas Chaillan, Air Force Chief Software Officer, on Dover Air Force Base’s BEDROCK podcast. It’s hard to disagree with Chaillan that agile development and open source can actually lead to more secure systems. Obfuscation and long processes to get software authorized can leave DoD systems far behind the state of the art, which actually presents a greater risk of being hacked. Chaillan says that outdated software, even if built in a closed system, becomes easier to breach.

I suspect the same is true of hardware as well. The DoD classifies so much and puts hardware through this waterfall process to assure specifications. In reality, the outcome is that what is classified is often behind the state of the art, and DoD systems are not subjected to enough real-world testing until they come into contact with the enemy. Software is more cybersecure with agile/open source/DevSecOps, and hardware may be physically more resilient through similar methods.
