Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Hands-On Security in DevOps

You're reading from   Hands-On Security in DevOps Ensure continuous security, deployment, and delivery with DevSecOps

Arrow left icon
Product type Paperback
Published in Jul 2018
Publisher
ISBN-13 9781788995504
Length 356 pages
Edition 1st Edition
Concepts
Arrow right icon
Author (1):
Arrow left icon
Tony Hsiang-Chih Hsu Tony Hsiang-Chih Hsu
Author Profile Icon Tony Hsiang-Chih Hsu
Tony Hsiang-Chih Hsu
Arrow right icon
View More author details
Toc

Table of Contents (23) Chapters Close

Preface 1. DevSecOps Drivers and Challenges FREE CHAPTER 2. Security Goals and Metrics 3. Security Assurance Program and Organization 4. Security Requirements and Compliance 5. Case Study - Security Assurance Program 6. Security Architecture and Design Principles 7. Threat Modeling Practices and Secure Design 8. Secure Coding Best Practices 9. Case Study - Security and Privacy by Design 10. Security-Testing Plan and Practices 11. Whitebox Testing Tips 12. Security Testing Toolkits 13. Security Automation with the CI Pipeline 14. Incident Response 15. Security Monitoring 16. Security Assessment for New Releases 17. Threat Inspection and Intelligence 18. Business Fraud and Service Abuses 19. GDPR Compliance Case Study 20. DevSecOps - Challenges, Tips, and FAQs 21. Assessments 22. Other Books You May Enjoy

New technology (third-party, cloud, containers, and virtualization)

New technologies such as virtualization, Docker, and microservices introduce new methods of software delivery and speeds up application deployment, but also brings new security threats and risks. We will briefly discuss how these new technologies change the practices of security and DevOps.

Virtualization

It's very common to install application services on top of a virtualized OS. Virtualization technology helps to make the most physical machine resources such as the CPU, memory, and disks. However, virtualization is a shared OS technology. It also introduces security risks such as VM escape, information leakage, and denial-of-service for applications running on top of virtualization.

Security practices in guest OS virtualization are normally involved with both OS and virtualization hardening. Here are some key security configurations related to virtualization. Refer to CIS Benchmarks for details:

  • Limit informative messages from the VM to the VMX file
  • Limit sharing console connections
  • Disconnect unauthorized devices (USB, DVD, serial devices, and so on)
  • Disable BIOS Boot Specification (BBS)
  • Disable guest-host interaction protocol handler
  • Disable host guest filesystem server
  • Disable VM console paste operations
  • Disable virtual disk shrinking
  • Do not send host information to guests

The following diagram shows the adoption of virtualization. Virtualization adds a hypervisor layer on top of the physical server so that the virtualized guest OS can run on top of it:

In addition to the secure configuration of virtualization, applying a security patch to virtualization is also a must for operation or IT teams.

In addition, the following resources may help you to search for Common Vulnerabilities and Exposures (CVE) in vulnerability databases:

To search for the vulnerabilities of a specific product or vendor, refer to the URL search for VMware as following:

Dockers

The introduction of Docker provides software package delivery and installation with new choices and can be one of the best ways to isolate different applications without using a whole separate OS virtual machine. Software can be packaged into a container by Docker. A container, like a VM image, includes everything needed to run application services such as runtime, system libraries, and settings. The key difference between a virtual machine image and a container is that the container doesn't actually include the whole OS. The container only includes key necessary system libraries and every container shares the same OS kernel during runtime. Therefore, Docker containers can boot up within seconds and use much less memory or far fewer disks than virtualization images.

The use of Docker can also greatly help operation teams to do deployment and secure configuration since a Docker container includes every configuration and the settings you need to run. To understand Docker security practices, check out the CIS Docker Benchmark and Docker security in the Further reading section.

Key secure practices and configurations of Docker are listed here:

  • Separate partition for containers
  • Updated Linux kernel
  • Only allow trusted users to control the Docker daemon
  • Audit the Docker daemon, files, and directories
  • Restrict network traffic between containers
  • TLS authentication for the Docker daemon
  • Do not bind Docker to another IP/port or a Unix socket
  • Docker daemon configuration files permissions
  • Container runtime (Linux Kernel capabilities, SSH, ports, memory, CPU, IPC)

The following diagram shows the key difference between virtualization and Docker. Virtualization is a guest OS level while Docker is actually an application-level isolation and shares the same guest OS:

Here is a summary of the known security vulnerabilities identified in Docker.

CVE ID Related CWE ID Description
CVE-2014-5282 20

Docker before 1.3 does not properly validate image IDs, which allows remote attackers to redirect to another image through the loading of untrusted images via Docker load.

CVE-2017-14992 20

Lack of content verification in Docker-CE (also known as Moby), and earlier allows a remote attacker to launch a Denial of Service attack via a crafted image layer payload; a.k.a Gzip bombing.

CVE-2017-7297 264

Rancher Labs rancher server 1.2.0+ is vulnerable to authenticated users disabling access control via an API call. This is fixed in versions rancher/server:v1.2.4, rancher/server:v1.3.5, rancher/server:v1.4.3, and rancher/server:v1.5.3.

CVE-2016-9962 362

RunC allowed additional container processes via runc exec to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container.

CVE-2014-0047 n/a

Docker before 1.5 allows local users to have an unspecified impact via vectors involving unsafe /tmp usage.

Here is a tip to query a specific vulnerability. Take 'CVE-2014-0047' as an example; just replace the CVE ID number at the end of the following URL.

Infrastructure as Code (IaC)

Puppet, Chef, Ansible, and SaltStack are tools to apply IaC. The key advantage of using these tools is that any system configuration can be defined in a text file at the design stage and changes can be managed by versions. This will help both operation or development teams to build security configuration baselines such as file permissions, firewall rules, web configurations, or MySQL connections. Once the security configuration baseline is defined, the operation team can monitor any unauthorized changes or roll back the configuration to previous specific versions.

For example, we may have baseline security firewall rules for a web services environment to only allow ports 80 and 443. All an operation team needs to do is to define the firewall rules by using one of the tools (Puppet, Chef, Ansible, SaltStack), and the framework will apply the rules, audit, and even correct changes if other ports are opened by mistake or by other service deployments.

The DevSec Hardening Framework project available at https://github.com/dev-sec provides Ansible, Chef, and Puppet secure configuration baseline template scripts.

The following diagram shows how IaC (for example, Puppet) works:

You have been reading a chapter from
Hands-On Security in DevOps
Published in: Jul 2018
Publisher:
ISBN-13: 9781788995504
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime