02 May 2017

To Be Continuous: When Toasters Broke The Internet

In the latest episode of To Be Continuous, Edith and Paul discuss the massive DDoS attack against Dyn, a major DNS provider, in late 2016. They examine the security flaw that enabled millions of IoT devices to be hijacked and discuss how it could have been avoided.

They conclude that to minimize such attacks, all devices that connect to the internet should have easily updatable firmware, and that the IoT industry needs greater regulation. This is episode #31 in the To Be Continuous podcast series all about continuous delivery and software development.


04 Apr 2017

We got your RBAC

How LaunchDarkly gives teams granular access and security control for their feature flag management

Enterprise companies take security and privacy seriously: risk must be mitigated, customer privacy must be protected, and software releases must be controlled. Feature flags are a precise tool for controlling releases, but that precision cuts both ways. When hundreds of stakeholders use a product, every team member needs exactly the permissions their job requires: no more, no less.

Powerful tools demand equally strict access controls. An account executive running a demo should not be able to toggle live production features off, unless they have been explicitly granted permission to enable a feature for a specific customer. Likewise, developers should be free to use feature flags in their own environments without having access to disable functionality that customers depend on.

Custom Roles

To make this a reality, LaunchDarkly has built a granular access control system that we call custom roles.

Custom roles let you control access for every team member and every feature in LaunchDarkly, from a particular flag’s percentage rollout to the ability to toggle a flag on or off.  You can create a role using our custom roles builder.

Here are some possible custom roles:

  • Lock your production environment down to a small set of trusted users
  • Distinguish infrastructure-level feature flags (controlled by your DevOps team) from experiments (controlled by product management or marketing)
  • Allow QA members to control feature flags on designated QA environments only
  • Allow your designers to add users to betas
  • Allow sales to turn a feature “on” for a user
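Here is what roles like the ones listed above look like as deny-by-default policy statements, together with the evaluator that enforces them. This is an added example written for this page, not LaunchDarkly's implementation: the statement shape (effect, actions, resources addressed as proj/…:env/…:flag/…) is a simplified version of the allow/deny statements in LaunchDarkly's custom role documentation, and the action names, role names, flag keys and team members are constructed sample data.

```python
"""Deny-by-default policy evaluator for environment- and flag-scoped roles.

Added example for this page, not LaunchDarkly's code.  Statement shape is a
simplified version of LaunchDarkly's documented allow/deny statements; action
names, roles, flag keys and members below are constructed.
"""
from fnmatch import fnmatchcase

# Constructed roles mirroring the scenarios in the list above.
ROLES = {
    # Only trusted release managers get full control of production flags.
    "release-manager": [
        {"effect": "allow", "actions": ["*"],
         "resources": ["proj/*:env/production:flag/*"]},
    ],
    # Developers: everything in their dev environments, nothing in production.
    "developer": [
        {"effect": "allow", "actions": ["*"],
         "resources": ["proj/*:env/dev-*:flag/*"]},
        {"effect": "deny", "actions": ["*"],
         "resources": ["proj/*:env/production:flag/*"]},
    ],
    # QA may toggle flags, but only in designated QA environments.
    "qa": [
        {"effect": "allow", "actions": ["updateOn", "updateFallthrough"],
         "resources": ["proj/*:env/qa-*:flag/*"]},
    ],
    # Sales may add a customer to a flag's individual targets in production,
    # but may not flip the flag or change its rollout.
    "sales": [
        {"effect": "allow", "actions": ["updateTargets"],
         "resources": ["proj/*:env/production:flag/*"]},
    ],
    # Infrastructure flags belong to DevOps; experiment flags to product.
    "devops": [
        {"effect": "allow", "actions": ["*"],
         "resources": ["proj/*:env/*:flag/infra-*"]},
    ],
    "product": [
        {"effect": "allow", "actions": ["*"],
         "resources": ["proj/*:env/*:flag/experiment-*"]},
    ],
}

# Constructed team members.  Bob holds two roles: the developer role's deny on
# production overrides the product role's allow on experiment flags there.
MEMBERS = {
    "alice": ["release-manager"],
    "bob": ["developer", "product"],
    "carol": ["qa"],
    "dan": ["sales"],
}


def _segment_match(pattern: str, resource: str) -> bool:
    """Match segment by segment so a '*' never spans a ':' separator
    (an env/* pattern cannot accidentally match into the flag/ segment)."""
    p_parts, r_parts = pattern.split(":"), resource.split(":")
    return len(p_parts) == len(r_parts) and all(
        fnmatchcase(r, p) for p, r in zip(p_parts, r_parts)
    )


def is_allowed(statements, action: str, resource: str) -> bool:
    """Deny by default: an allow grants, and any matching deny overrides."""
    allowed = False
    for stmt in statements:
        if not any(_segment_match(p, resource) for p in stmt["resources"]):
            continue
        if not any(fnmatchcase(action, a) for a in stmt["actions"]):
            continue
        if stmt["effect"] == "deny":
            return False
        allowed = True
    return allowed


def member_can(member_roles, action: str, resource: str) -> bool:
    """A member with several roles gets the union of their statements,
    which preserves deny-wins semantics across roles."""
    statements = [s for role in member_roles for s in ROLES[role]]
    return is_allowed(statements, action, resource)


def check(member: str, action: str, resource: str) -> bool:
    return member_can(MEMBERS[member], action, resource)


if __name__ == "__main__":
    prod = "proj/web:env/production:flag/checkout-v2"
    print(check("alice", "updateOn", prod))        # True
    print(check("carol", "updateOn", prod))        # False: QA environments only
    print(check("dan", "updateTargets", prod))     # True
    print(check("dan", "updateOn", prod))          # False
    print(check("bob", "updateOn",
                "proj/web:env/production:flag/experiment-pricing"))  # False
```

The two properties worth checking in any such system are visible in the evaluator: nothing is permitted unless a statement says so, and an explicit deny beats every allow, even one granted by a second role. Matching resource paths segment by segment is a deliberate choice, since a naive glob over the whole string lets a wildcard in one segment bleed into the next.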

Security

Equally essential is keeping unauthorized users out: the platform that controls your feature releases must resist credential theft and brute-force login attempts, and companies want assurance that it follows security best practices.

As such, LaunchDarkly provides multi-factor authentication and session control for all customers. Multi-factor authentication (MFA) improves the security of your account by requiring a second verification step in addition to your password at login. In LaunchDarkly, you can enable MFA for your team’s account, which requires you to enter a verification passcode from a free authenticator application installed on your mobile device. You can also require all team members to enable MFA before accessing their accounts.

Moreover, LaunchDarkly’s session control gives administrators a set of controls over how long users stay logged in and how often they must re-authenticate. This lets admins respond quickly when an account is compromised or a laptop is lost, with full control over LaunchDarkly account access.
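The mechanics behind that kind of session control are an idle timeout, an absolute session lifetime, and a way to invalidate every session a user holds at once. The following is an added example written for this page to show those three pieces together; it is not LaunchDarkly's implementation, and the timeout values, user names and clock values are constructed.

```python
"""Server-side session control: idle timeout, absolute lifetime, revocation.

Added example for this page, not LaunchDarkly's code.  Timeouts, users and
clock values are constructed; time is passed in explicitly so the behaviour
is deterministic.
"""
import secrets

IDLE_TIMEOUT = 30 * 60        # re-authenticate after 30 minutes of inactivity
MAX_LIFETIME = 12 * 60 * 60   # and unconditionally after 12 hours


class SessionStore:
    def __init__(self, idle_timeout=IDLE_TIMEOUT, max_lifetime=MAX_LIFETIME):
        self.idle_timeout = idle_timeout
        self.max_lifetime = max_lifetime
        self._sessions = {}     # token -> session record
        self._generation = {}   # user -> int, bumped to invalidate all sessions

    def create(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)   # 256 random bits from the OS CSPRNG
        self._sessions[token] = {
            "user": user,
            "created": now,
            "last_seen": now,
            "gen": self._generation.get(user, 0),
        }
        return token

    def validate(self, token: str, now: float):
        """Return (user, None) for a live session, or (None, reason).
        A failed check removes the session so the token cannot be retried."""
        s = self._sessions.get(token)
        if s is None:
            return None, "unknown"
        if s["gen"] != self._generation.get(s["user"], 0):
            self._sessions.pop(token)
            return None, "revoked"
        if now - s["created"] > self.max_lifetime:
            self._sessions.pop(token)
            return None, "expired"      # absolute lifetime: re-login required
        if now - s["last_seen"] > self.idle_timeout:
            self._sessions.pop(token)
            return None, "idle"         # inactivity: re-login required
        s["last_seen"] = now            # activity extends the idle window only
        return s["user"], None

    def revoke_all(self, user: str) -> None:
        """Lost laptop or suspected compromise: every session the user holds,
        on every device, stops validating on its next request."""
        self._generation[user] = self._generation.get(user, 0) + 1


if __name__ == "__main__":
    store = SessionStore(idle_timeout=600, max_lifetime=3600)
    t = store.create("alice", 0)
    print(store.validate(t, 500))    # ('alice', None)
    print(store.validate(t, 1200))   # (None, 'idle'): 700 s since last activity
    t = store.create("alice", 0)
    store.revoke_all("alice")
    print(store.validate(t, 10))     # (None, 'revoked')
```

The per-user generation counter is what makes "kill every session for this user" cheap: the admin action is a single increment, and stale sessions are discarded lazily the next time they are presented. Note that activity extends the idle window but never the absolute lifetime, so a stolen session token has a hard upper bound on its usefulness even if the attacker keeps it busy.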

Summary

Feature flagging is increasingly becoming central to a company’s software development and release lifecycles.  As part of a company’s critical infrastructure, feature flag management platforms must have enterprise-grade security to ensure that customer data is safe and that every team member has the exact access they need.

28 Nov 2016

Launched: Multi-factor authentication

Our customers’ security has always been a top priority at LaunchDarkly. We’re excited to announce support for multi-factor authentication (MFA), which requires a second login verification step in addition to an account password.


MFA works by requiring users to enter a verification passcode from a free authenticator application installed on their mobile device. If someone ever gained unauthorized access to your account password, they would still not be able to log in without the MFA passcode.

LaunchDarkly account administrators can require all newly invited team members to enable MFA during their initial onboarding. Administrators can also see which team members have MFA enabled and send a reminder email or recovery code to assist.

We strongly recommend that all LaunchDarkly users enable MFA for their account, and that administrators enforce MFA for their entire team. If you have any questions or feedback, we would love to hear from you at support@launchdarkly.com.