This is a guest piece for the Computer Weekly Developer Network written by Anna Belak in her capacity as director of thought leadership at Sysdig – the company is known for its technology that allows IT teams to monitor system vulnerabilities, configuration issues and suspicious activity through Sysdig's unified cloud and container security platform.
Belak tweets at @aabelak and writes as follows…
For developers, the cloud has opened up great opportunity and advantage with its elastic capacity and API-based architecture.
Automation can make developers even more effective, taking the pain out of concerns like deployment and scaling. However, that ease can lead to problems in areas like security if you don't collaborate with other teams.
Passwords for robots
One of the challenges when using automated processes in the cloud is giving all the different components the access they need. Each step of the process typically requires some form of user credential: access to a GitHub repository, to the serverless functions used to trigger additional processes, or to the compute instances that run the application.
Each system may have a different method of storing credentials and performing authentication.
To make this work, you have to implement and manage your secrets properly. For example, containers are commonly used because they make it easy to deploy and scale immutable software packages. However, one of the most common ways to pass a container dynamic information, like credentials, is via environment variables. An environment value set directly in a pod specification is part of the pod object itself, so if an attacker can get read access to the orchestration system (e.g. Kubernetes), they can also see and use those credentials.
Including credentials and API keys inside the container images themselves is a common mistake developers make when they try to automate these processes.
It is trivial to unpack a container image, which is just a stack of tar archives, and retrieve the keys.
The problem is not limited to containers – sites like GitHub and Bitbucket are often a valuable source of information for attackers because of how often credentials are left there. Of course, attackers also use automation themselves to harvest stray credentials quickly and efficiently, giving themselves even more opportunities.
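As an added illustration of the two exposures just described (credentials passed as literal environment values in a pod specification, and credentials committed to a repository), here is a small Python scanner of the kind an automated harvester, or a defender, would run. It is not Sysdig's code and is not part of the original article. The pod manifest and the .env file are constructed samples, the AWS_ACCESS_KEY_ID value is the placeholder from AWS's own documentation, and the "secret-looking name" heuristic is an assumption made for illustration.

```python
import re

# Patterns an automated harvester looks for. The AWS access key ID shape
# (AKIA or ASIA followed by 16 upper-case alphanumerics) is documented by AWS;
# the generic "secret-looking name" rule below is an assumption for illustration.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
SECRET_NAME = re.compile(r"(secret|password|passwd|token|api[_-]?key)", re.IGNORECASE)

# Constructed sample: a pod spec with credentials passed as literal env values.
# This is exactly what `kubectl get pod -o json` returns to anyone who can read
# pods in the namespace. Key values are AWS documentation placeholders.
POD_SPEC = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "deployer", "namespace": "ci"},
    "spec": {"containers": [{
        "name": "deployer", "image": "registry.example/deployer:1.4",
        "env": [
            {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAIOSFODNN7EXAMPLE"},
            {"name": "AWS_SECRET_ACCESS_KEY", "value": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
            {"name": "LOG_LEVEL", "value": "info"},
            # Indirect reference: the value lives in a Secret object, not in the pod.
            {"name": "GITHUB_TOKEN", "valueFrom": {"secretKeyRef": {"name": "gh", "key": "token"}}},
        ],
    }]},
}

# Constructed sample: a file that an automated scan of a public repository
# might turn up.
REPO_FILE = """\
# deploy/.env -- committed by mistake
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_REGION=eu-west-1
DB_PASSWORD=hunter2
"""


def pod_env_findings(pod: dict) -> list[tuple[str, str, str]]:
    """Return (container, env name, reason) for each env var that exposes a credential.

    Only literal `value` entries are reported: they are stored in the pod object
    and readable by any principal allowed to get pods. A `valueFrom.secretKeyRef`
    keeps the value in a Secret object, which has its own (separately controllable)
    RBAC, so it is skipped here.
    """
    findings = []
    for container in pod["spec"]["containers"]:
        for env in container.get("env", []):
            value = env.get("value")
            if value is None:
                continue  # indirect reference, not present in the pod object itself
            if AWS_KEY_ID.search(value):
                findings.append((container["name"], env["name"], "aws access key id literal"))
            elif SECRET_NAME.search(env["name"]):
                findings.append((container["name"], env["name"], "secret-looking name with literal value"))
    return findings


def harvest_text(text: str) -> list[tuple[int, str]]:
    """Return (line number, match) for credential-looking content in a text file.

    Comments and blank lines are ignored; an access key ID is reported on its own,
    otherwise a KEY=VALUE line is reported when the key name looks like a secret.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = AWS_KEY_ID.search(stripped)
        if match:
            hits.append((lineno, match.group(0)))
        elif "=" in stripped and SECRET_NAME.search(stripped.split("=", 1)[0]):
            hits.append((lineno, stripped))
    return hits


if __name__ == "__main__":
    for container, name, reason in pod_env_findings(POD_SPEC):
        print(f"pod env exposure: container={container} env={name} ({reason})")
    for lineno, hit in harvest_text(REPO_FILE):
        print(f"repo file line {lineno}: {hit}")
```

The same two heuristics are what a harvester applies at scale across public repositories and across any cluster it gains read access to; the difference between the two env entries for the deployer container is the whole point of the passage above: a literal `value` travels with the pod object, a `secretKeyRef` does not.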
Talk to each other
Sometimes, credentials can be lying around in places you wouldn't expect at all. Infrastructure-as-code (IaC) provides a machine-readable approach to defining and deploying automated configuration at scale. IaC covers many automation tasks that consistently recreate the same infrastructure and verify that the configuration is correct and secure.
During a recent security incident at a company that we work with, we discovered an attacker named SCARLETEEL that took advantage of how the IaC machinery operates in practice in order to expand their attack.
In this case, the developers at the company used Terraform, the most popular IaC solution, and stored a state file in an S3 bucket. This file contained all the necessary access management credentials … but Terraform also stores everything in plaintext: every attribute value ends up in the state file, including the ones a provider marks as sensitive, since that flag only hides them from CLI output. For automation to work, these tools need easy access to credentials that allow them to perform their tasks. The credentials have to be kept somewhere. But because the technology is still relatively new, not everyone is aware of all of its nuances.
In this case, the problem was caused by a combination of issues. Ideally, the attacker should not have been able to get in in the first place, but they were able to exploit the deployment because the administrators did not realise the state file existed and the S3 bucket also had excessive permissions in place. This allowed the attacker to read the file once they had gained access, and they used those credentials to grant themselves enough access to steal some proprietary data.
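To show what the two compounding mistakes look like in concrete terms, the following Python example (added here; it is not part of the article and not Sysdig's tooling) walks a constructed Terraform state file in the v4 JSON layout and lists every credential it holds in plaintext, then checks a constructed S3 bucket policy for statements that let any principal read objects. The state content, the bucket policy, the account and role names and the KNOWN_SECRET_ATTRS list are all constructed assumptions; the reading of `sensitive_attributes` follows the `get_attr` path steps the state format uses.

```python
import json

# Constructed sample: a trimmed Terraform state file in the v4 JSON layout
# (resources -> instances -> attributes, with sensitive_attributes paths).
# All values are placeholders, not real credentials.
SAMPLE_TFSTATE = json.dumps({
    "version": 4,
    "terraform_version": "1.3.7",
    "serial": 12,
    "lineage": "00000000-0000-0000-0000-000000000000",
    "outputs": {
        "db_password": {"value": "Sup3rS3cret!", "type": "string", "sensitive": True},
        "bucket_name": {"value": "example-tfstate", "type": "string"},
    },
    "resources": [
        {
            "mode": "managed", "type": "aws_iam_access_key", "name": "deploy",
            "instances": [{
                "attributes": {
                    "id": "AKIAIOSFODNN7EXAMPLE",
                    "secret": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                    "status": "Active",
                    "user": "deploy-bot",
                },
                "sensitive_attributes": [[{"type": "get_attr", "value": "secret"}]],
            }],
        },
        {
            "mode": "managed", "type": "aws_db_instance", "name": "app",
            "instances": [{
                "attributes": {"identifier": "app-db", "username": "app", "password": "Sup3rS3cret!"},
                "sensitive_attributes": [[{"type": "get_attr", "value": "password"}]],
            }],
        },
    ],
})

# Constructed sample: a bucket policy on the state bucket. The first statement is
# the intended CI access; the second is the kind of leftover that makes the
# state readable to anyone. Account ID and role name are placeholders.
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CiRunnerReadWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/ci-runner"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-tfstate/*"},
        {"Sid": "LegacyRead", "Effect": "Allow",
         "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-tfstate/*"},
    ],
})

# Attribute names that commonly hold secrets even when a provider has not flagged
# them. This list is an assumption for illustration, not an exhaustive catalogue.
KNOWN_SECRET_ATTRS = {"secret", "password", "private_key", "token", "client_secret"}


def find_plaintext_secrets(state_json: str) -> list[tuple[str, str, str]]:
    """Return (address, attribute, value) for every secret stored in the state.

    Terraform writes every attribute value to state in plaintext; the
    sensitive_attributes paths only suppress display in CLI output. Anyone who
    can read the file can read the values, which is the exposure in the incident.
    """
    state = json.loads(state_json)
    found = []
    for res in state.get("resources", []):
        address = f"{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            flagged = {
                step["value"]
                for path in inst.get("sensitive_attributes", [])
                for step in path
                if step.get("type") == "get_attr"
            }
            for name, value in inst.get("attributes", {}).items():
                if (name in flagged or name in KNOWN_SECRET_ATTRS) and value:
                    found.append((address, name, value))
    for name, out in state.get("outputs", {}).items():
        if out.get("sensitive") and out.get("value"):
            found.append((f"output.{name}", "value", out["value"]))
    return found


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def overly_broad_read(policy_json: str) -> list[str]:
    """Return the Sids of Allow statements that let any principal read objects.

    Condition blocks are ignored here for brevity (an assumption); a real check
    would also evaluate them, plus the bucket's public access block settings.
    """
    policy = json.loads(policy_json)
    bad = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        if "*" not in principals:
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & {"s3:getobject", "s3:*", "*"}:
            bad.append(stmt.get("Sid", "<no sid>"))
    return bad


if __name__ == "__main__":
    for address, attr, value in find_plaintext_secrets(SAMPLE_TFSTATE):
        print(f"plaintext secret in state: {address}.{attr} = {value[:4]}...")
    for sid in overly_broad_read(SAMPLE_BUCKET_POLICY):
        print(f"bucket policy statement {sid!r} lets any principal read the state")
```

Run against the samples, the first function reports the IAM access key secret, the database password and the sensitive output, all in the clear; the second reports the `LegacyRead` statement. Either finding on its own is a problem; together they are the chain described above: a file nobody knew was there, in a bucket that anyone could read.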
Configuration mistakes
This scenario falls squarely into the ‘configuration mistakes’ pile, but it also provides evidence that automation can be far more complex than simply aligning your processes with software development best practices.
In order to make the most of automation in software development, we have to think about all the teams that may be involved over time. For example, infrastructure teams need to know how developer tools like Terraform behave, and security teams then need to know how to prevent or mitigate the bad practices that might come up.
By working together, these teams can ensure that automation works to everyone’s benefit.
Unfortunately, attackers who target the cloud are learning all of these tricks quite quickly because, in a strange way, that is their job. The best bet for developers and defenders is to join forces and learn from each other’s mistakes to keep up.