
Snyk in a galaxy far away


May 4, 2023


In honor of May the 4th, we’re featuring a narrative from an Imperial trooper in a faraway galaxy as he reflects on his organization’s worst day and how it could’ve gone differently.

Don’t get me wrong. I’m still proud to work for one of the most formidable organizations in the galaxy. But as most of you probably know, we’ve recently hit quite a setback. 

Our higher-ups decided to build a space station. Not just any space station — a planet-destroying, moon-sized space station that would carry our team to victory. I thought it was the coolest idea since sliced nerf bread. In fact, we had high hopes for this super weapon. Boy, were we wrong. 

A rebellion had been growing under our noses for a while, but we didn’t think anything of it because of our brand-new space station weapon. We didn’t count on a random bad actor from the countryside finding a huge weakness in the ship and using it to blow up the entire thing. Luckily, I wasn’t assigned to work on the space station that fateful night. But I can’t stop asking myself, what if we’d done things differently? 

So much went wrong, even before we officially launched this space station. And if we’d just had some way of finding its vulnerabilities before the fact, then everything would be different. 

Doomed from the start

The roots of this failure started long before the ship was even built. A group of engineers designed it. One of these engineers was a defector who sabotaged the entire operation by purposely adding an exploitable flaw. My colleagues gripe about this guy, saying, “If it weren’t for him, then everything would’ve turned out fine.”

But here’s what I think. Didn’t that defector work with other engineers?! And shouldn’t they have found a way to double-check his designs before adding them to the final product? Their security measures in the beginning stages of development were lacking, to say the least.


And even if that flaw wasn’t our downfall, I’ll bet there were other vulnerabilities that could’ve been exploited by the rebellion. The space station plans came from several places — they weren’t just created by the defector. The original idea for the space station actually came from some old designs that our organization acquired a long time ago. Plus, several other engineers worked on the project, and they could’ve written flaws into the design by accident. After all, they were only human (or alien).

We know no one checked the design thoroughly enough to find the defector’s intentional flaw. So any number of other components could’ve also been vulnerable. 

With all that in mind, I can’t help but wonder what would’ve happened if someone had checked the space station for vulnerabilities right from the start. What if we had objectively checked all parts of the space station blueprints — the 1st party work by the engineers (including the defector’s work), those 3rd party designs, and everything in between? And what if our organization used this intel to fix vulnerabilities right when they started building? Things would’ve turned out differently.

How did they miss the vulnerability of all vulnerabilities?! 

Most people know this next part of the story. Thanks to poor design, the final build of the space station had a huge flaw — an overexposed thermal exhaust port. That farmer guy shot a laser into this one vulnerability, and it was all over from there.


This glaring flaw should have been addressed long before the exploitation. Even if the exposed thermal exhaust port made it through the space station’s design phase, shouldn’t someone have picked up on the flaw once it launched — someone smart enough to put extra security measures over the area? This thermal exhaust port’s infrastructure misconfiguration was our downfall, and we have no one but ourselves to blame.

You might not be building a galactic space station, but the same techniques apply to your own applications: scanning 1st-party code, scanning 3rd-party components and container images, and checking for misconfigurations in cloud infrastructure and IaC. Snyk’s application security platform empowers developers to find and fix vulnerabilities in their own code. Check out our developer-friendly security resources to learn more.
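To make the "overexposed port" lesson concrete, here is a small misconfiguration check of the kind an IaC scanner runs before anything launches. This is an added example written for this post, not Snyk's scanner or product code. The security-group document it inspects is constructed inline and uses a simplified, hypothetical JSON shape (`security_groups` / `ingress` / `cidr`) that only loosely resembles real cloud-provider or Terraform schemas; the allowlist of ports considered acceptable to expose to the world is likewise an assumption for the example.

```python
import ipaddress
import json

# Constructed sample: a simplified, HYPOTHETICAL security-group document.
# The field names loosely mirror cloud ingress rules but are not a real
# provider or Terraform schema; the document exists so the check runs offline.
SAMPLE_IAC = json.dumps({
    "security_groups": [
        {
            "name": "web-tier",
            "ingress": [
                {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
                {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
            ],
        },
        {
            "name": "thermal-exhaust",
            "ingress": [
                # The "vulnerability of all vulnerabilities": every port open to everyone.
                {"protocol": "tcp", "from_port": 0, "to_port": 65535, "cidr": "0.0.0.0/0"},
                # Internal-only database access: not world-reachable, so not flagged.
                {"protocol": "tcp", "from_port": 5432, "to_port": 5432, "cidr": "10.0.0.0/8"},
            ],
        },
    ]
})

# Assumed policy for the example: only these ports may be exposed to 0.0.0.0/0
# or ::/0. Any other world-reachable ingress is an "overexposed port".
PUBLIC_ALLOWLIST = frozenset({80, 443})


def is_world_open(cidr: str) -> bool:
    """True if the CIDR covers the whole IPv4 or IPv6 address space (/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_overexposed_ingress(doc_json: str, allowlist=PUBLIC_ALLOWLIST):
    """Return a list of findings for ingress rules reachable from anywhere.

    A rule is reported when its source CIDR is a /0 and its port range
    contains at least one port outside the allowlist. A CIDR that cannot be
    parsed is reported too: an unparseable rule is a finding, not a pass.
    """
    doc = json.loads(doc_json)
    findings = []
    for group in doc.get("security_groups", []):
        for rule in group.get("ingress", []):
            cidr = rule.get("cidr", "")
            try:
                world_open = is_world_open(cidr)
            except ValueError:
                findings.append({
                    "group": group.get("name"), "from_port": rule.get("from_port"),
                    "to_port": rule.get("to_port"), "cidr": cidr,
                    "severity": "medium", "reason": "unparseable source CIDR",
                })
                continue
            if not world_open:
                continue
            lo, hi = int(rule["from_port"]), int(rule["to_port"])
            if lo > hi:
                lo, hi = hi, lo
            # Full-range rules are the worst case; flag them without iterating.
            if (lo, hi) == (0, 65535):
                severity, reason = "high", "all ports open to the world"
            elif all(port in allowlist for port in range(lo, hi + 1)):
                continue  # every port in the range is an intended public port
            else:
                severity, reason = "high", "non-allowlisted port open to the world"
            findings.append({
                "group": group.get("name"), "from_port": lo, "to_port": hi,
                "cidr": cidr, "severity": severity, "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for finding in find_overexposed_ingress(SAMPLE_IAC):
        print(f"[{finding['severity']}] {finding['group']}: "
              f"{finding['from_port']}-{finding['to_port']} from {finding['cidr']} "
              f"({finding['reason']})")
```

Run against the constructed document, the check passes the HTTPS rule on `web-tier`, flags SSH on `web-tier` and the all-ports rule on `thermal-exhaust`, and ignores the internal-only database rule. The useful design point is that the check runs on the plan, before deployment, which is exactly where the story says no one looked.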

