Out-of-date or vulnerable developer access services

What do out-of-date or vulnerable developer access services mean and why should I be concerned?

Developer access services enable a direct connection to the computer systems running your business. Running any software that is out of date or with a known vulnerability makes this service extremely vulnerable to attack and service failure. Newly discovered software vulnerabilities are disclosed publicly to warn all users of the vulnerable products and as part of the resolution process for software developers. Unfortunately, attackers also share tools and techniques that can be used to exploit these weaknesses as soon as they are publicly disclosed.

How do I resolve this?

KYND will flag a "Developer Access" instance as a risk when a known vulnerability exists in the version being used, or if the instance is visible externally when it shouldn't be. For these risks the advice is to take the following 2 mitigating steps:

1) Make sure the service is updated to the latest stable version (for OpenSSH, the latest version can always be found here: https://www.openssh.com/releasenotes.html).

2) Use firewalls, place the port (or the whole host) behind a VPN configured to allow only authorised users to access it, and use an allow list/firewall rules to limit connectivity.
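As an added example (not KYND's scanner or tooling), the check below parses the identification banners an external scan would see from SSH services and flags any OpenSSH version older than a baseline. The sample banners are constructed, and the baseline version is a placeholder you would set from the OpenSSH release notes page linked above.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample banners, illustrative only (not taken from any real host).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.4",
    "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n",
    "SSH-2.0-OpenSSH_9.6 FreeBSD-20240104",
    "SSH-2.0-dropbear_2019.78",
]

# Assumed placeholder baseline: set this to the version currently listed at
# https://www.openssh.com/releasenotes.html before running the check.
BASELINE_OPENSSH: Tuple[int, int] = (9, 6)

# Matches "SSH-<proto>-OpenSSH_<major>.<minor>[p<portable>]" and ignores any
# distribution suffix that follows (e.g. "Ubuntu-4ubuntu0.5").
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d\.\d)-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:p(?P<portable>\d+))?"
)


class BannerCheck(NamedTuple):
    banner: str
    version: Optional[Tuple[int, int]]  # (major, minor) for OpenSSH, None otherwise
    outdated: Optional[bool]            # None when the version could not be determined


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from an OpenSSH identification string, or None."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return (int(m.group("major")), int(m.group("minor")))


def check_banner(banner: str, baseline: Tuple[int, int] = BASELINE_OPENSSH) -> BannerCheck:
    """Compare one banner against the baseline; non-OpenSSH banners are left for manual review."""
    version = parse_openssh_version(banner)
    if version is None:
        return BannerCheck(banner.strip(), None, None)
    return BannerCheck(banner.strip(), version, version < baseline)


def check_all(banners: List[str], baseline: Tuple[int, int] = BASELINE_OPENSSH) -> List[BannerCheck]:
    return [check_banner(b, baseline) for b in banners]


if __name__ == "__main__":
    for r in check_all(SAMPLE_BANNERS):
        status = "review" if r.outdated is None else ("OUTDATED" if r.outdated else "current")
        print(f"{status:9} {r.banner}")
```

A "review" result means the banner is not OpenSSH (or has been hidden or altered), so the version must be confirmed by other means rather than assumed current.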

KYND performs an external, non-intrusive scan, so these actions will also prevent the open port from being flagged in a KYND scan.

If these actions aren't possible, you should take alternative steps to mitigate the issue.

This could include adding extra layers of authentication, such as MFA or PKI certificates, to ensure that only authenticated users and services are able to connect.

If none of these are possible, or if you are using these services as honeypots, then these services should be entirely separated from the rest of your organisation's infrastructure, ensuring that there is no way an attacker could pivot from a compromise of this service to gain access to sensitive data, services, networks or infrastructure.