2021 has been a record year for cybersecurity in terms of vulnerabilities discovered and media exposure. Fortunately, the team at AViSTO has been working all year long to create content and put together resources to help improve our practices and harden our projects. Philippe Arnaud, the AViSTO Rhône-Alpes Business Unit Manager, tells us more about it.

Where to start as a developer?

As a developer, your goal in the area of cybersecurity is to write secure code. To help you on this journey, we have put together with Ayan and Quentin a document called "Security as Code".

This document is an awareness module that takes 20 minutes to read. It covers some of the basics, such as "What is a secure development lifecycle?" and the most common vulnerabilities for web apps (OWASP Top 10), presents some famous hacks, explains how attacks are performed, and gives you five rules you can implement today to become a "rugged developer". Go check it out!

Specifically for C/C++ developers interested in cybersecurity, we suggest you take a look at Rust (the most loved programming language among developers since 2016, according to Stack Overflow).

Rust is now used by many organizations, such as the Linux Foundation, Google and Microsoft, to rewrite parts of their OS to address memory leak issues and vulnerabilities.

We started gaining experience in Rust a few years ago during a project for an industrial client. Last year, Kevin, Laurent and Xuan Sang wrote a white paper to introduce Rust to developers and organizations. They also held an internal technical meeting in September.

Next up: securing your pipeline

Once everyone in your team has taken the awareness module and is writing secure code, the next step is to work on your Continuous Integration and Continuous Delivery (CI/CD) pipeline to shift vulnerability detection left.

Last summer, our DevOps team updated its DevSecOps Roadmap to version V1.1. This document helps teams implement a security stage in the pipeline, with steps such as static code analysis (looking for known vulnerability patterns in the code), component analysis (looking for known vulnerabilities in the frameworks and libraries used) and secret detection (looking for passwords, credentials, ...).

As there are many tools available on the market, we ran some benchmarks with Tamara, Julien and Quentin to select the right tools for our organization.

We then created a template (.gitlab-ci.yml) that we can easily apply to our projects to secure our pipelines with such steps.

Our employees can check the Confluence DevOps support page to learn more about it, and our DevOps group on GitLab to get the template.

Last but not least on DevSecOps, we also worked on security monitoring, in order to be notified immediately when a newly discovered vulnerability affects one of our projects deployed in production.

On this topic, Quentin has developed a watcher bot that runs directly in your CI, on a dedicated branch, as a weekly pipeline.

The watcher takes as input the inventory of your assets (programming languages, frameworks, libraries, databases, servers, ...) and compares it with the latest feed from NIST (the National Institute of Standards and Technology).

In case of a match, the watcher bot notifies a dedicated channel on Zulip, our internal messaging tool, with details on the CVE (Common Vulnerabilities and Exposures) entry found. With such an alert, the team can react quickly to assess the threat and follow the provided directions to patch the vulnerability.

The watcher takes 15 minutes to set up for your project. More information is on Confluence, and the template is available to our teams on GitLab.
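To illustrate the matching step the watcher performs, here is an added example (not AViSTO's watcher bot): an inventory of assets is compared against a constructed feed shaped like NVD CPE match entries, and each hit is turned into a message ready for a chat channel. Vendor, product, version and CVE identifiers are all constructed placeholders, and versions are assumed to be purely numeric dotted strings.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    vendor: str
    product: str
    version: str

# Constructed inventory: what a hypothetical project is deployed with.
INVENTORY = [
    Asset("acme", "libfoo", "2.14.1"),
    Asset("acme", "dbserver", "13.4"),
    Asset("acme", "webserver", "1.21.0"),
]

# Constructed feed in the shape of NVD CPE match entries (placeholder ids, not real CVEs).
# A "*" version means "use the start/end range"; a concrete version means an exact match.
FEED = [
    {"id": "CVE-0000-0001", "cpe": "cpe:2.3:a:acme:libfoo:*:*:*:*:*:*:*:*",
     "start_including": "2.0", "end_excluding": "2.15.0", "cvss": 9.8},
    {"id": "CVE-0000-0002", "cpe": "cpe:2.3:a:acme:dbserver:13.5:*:*:*:*:*:*:*",
     "cvss": 7.5},
    {"id": "CVE-0000-0003", "cpe": "cpe:2.3:a:acme:libfoo:*:*:*:*:*:*:*:*",
     "end_excluding": "2.10.0", "cvss": 5.3},
]

def parse_version(v):
    # Assumption: numeric dotted versions only, compared component by component.
    return tuple(int(p) for p in v.split("."))

def matches(asset, entry):
    # CPE 2.3 layout: cpe:2.3:<part>:<vendor>:<product>:<version>:...
    parts = entry["cpe"].split(":")
    vendor, product, version = parts[3], parts[4], parts[5]
    if (vendor, product) != (asset.vendor, asset.product):
        return False
    av = parse_version(asset.version)
    if version != "*":
        return av == parse_version(version)
    lo, hi = entry.get("start_including"), entry.get("end_excluding")
    if lo and av < parse_version(lo):
        return False
    if hi and av >= parse_version(hi):
        return False
    return True

def find_alerts(inventory, feed):
    # Every (asset, feed entry) pair that matches becomes one alert.
    return [(a, e) for a in inventory for e in feed if matches(a, e)]

def format_alert(asset, entry):
    # Message body for the notification channel (Zulip in the article's setup).
    return (f"{entry['id']} (CVSS {entry['cvss']}) affects "
            f"{asset.vendor}/{asset.product} {asset.version}")
```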

For embedded developers

As an embedded developer, you will most likely be interested in the white paper written by Wahid, "How to Secure a Linux Distribution?".

Wahid has been working for several years on an embedded Linux platform for industrial IoT. He has implemented features such as secure boot, a secure uploader, a chain of trust, and more.

In this document, Wahid takes you through the steps and the solutions he implemented during this work.

Thanks again to Philippe, Benoit and Xavier for their reviews.

Offensive security

Our employees interested in offensive security can assess their current level with our very own virtual pentest lab (accessible only from the ADVANS network).

It is a web app, developed last summer by Antoine, that simplifies the creation of a lab and keeps track of your training activity.

The lab is made of two VMs: one to attack from (Kali Linux) and one to exploit, as in a typical "Capture the Flag" exercise.

The library is 20 machines strong, and there is a special reward for anyone who breaks all 20 of them.

Finally, on pentest activity, our team conducted several pentests last year for customers and internal projects.

One major highlight of 2021 for our offensive team was the pentest of a passenger transport system in Germany, which included physical inspections as well as pentests of three different networks.

That's all for last year, but as this is an ongoing topic, you can expect more from us in the coming year!