Security enhancements for popular GCP services
Oct 12, 2022, Bangalore
Runcy Oommen, Director, Software Engineering, SonicWall
Contents
01 Generic cloud security intro
02 Shared responsibility model
03 Hardening of GCP services
Let's define "cloud security"
Cloud security refers to a broad set of policies, technologies, applications and controls utilized to protect virtualized IP, data, applications, services and infrastructure of cloud computing.
Reference: https://en.wikipedia.org/wiki/Cloud_computing_security
IT infrastructure & landscape has undergone a paradigm shift…
(Diagram: traditional view vs. modern view; only the "PaaS" label survives extraction)
Shouldn't cloud security differ from
traditional network security?
Important facets of cloud
● Ubiquitous: the cloud is always reachable from anywhere, any time, any device
● Scalable: you can add features and thousands of users without breaking a sweat
● Integrated: security and other services talk to each other for full visibility
Shared Responsibility Model In Cloud
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Hardening #1: Google Cloud Shell
Cloud Shell is provisioned by default with OpenSSH v8.4, which is outdated and vulnerable to multiple attacks.
What's the solution?
Upgrade to OpenSSH v9.1 or later!
SITUATION RIGHT NOW!
The default package managers in GCP do not even carry a higher version of SSH!!!
What to do now? Here's the elaborate way...
● Install all the relevant dependencies
● Download the latest package from openbsd.org
● Extract the contents
● Compile the package from source
● Install the compiled package to upgrade
Get the scripts - https://tinyurl.com/cloudshellupdate
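Before and after running the upgrade scripts you want a check that tells you which OpenSSH build a Cloud Shell session actually carries. This is an added example, not code from the deck or the linked scripts; it only assumes `ssh -V` is on PATH and that the slides' floor of 9.1 is the policy.

```python
"""Check whether the OpenSSH build in a Cloud Shell session is below the
floor the slides recommend (9.1). Added example, not from the deck."""
import re
import subprocess

# Floor from the slides: "Upgrade to OpenSSH v9.1 or later".
MIN_OPENSSH = (9, 1)

# Matches both `ssh -V` output ("OpenSSH_8.4p1 Debian-5, OpenSSL ...")
# and a server identification string ("SSH-2.0-OpenSSH_8.4p1 Debian-5").
_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(banner: str) -> tuple:
    """Return (major, minor, portable-patchlevel) parsed from an OpenSSH banner."""
    m = _VERSION_RE.search(banner)
    if m is None:
        raise ValueError(f"no OpenSSH version in banner: {banner!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def needs_upgrade(banner: str, minimum=MIN_OPENSSH) -> bool:
    """True when the banner's major.minor is below `minimum`.

    Only major.minor is compared: the portable patch level (p1, p2, ...) and
    distro suffixes do not change the upstream feature set.
    """
    major, minor, _ = parse_openssh_version(banner)
    return (major, minor) < tuple(minimum)


def installed_banner() -> str:
    """Run `ssh -V` on this machine; OpenSSH prints its banner to stderr."""
    try:
        proc = subprocess.run(["ssh", "-V"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return ""
    return (proc.stderr or proc.stdout).strip()


if __name__ == "__main__":
    banner = installed_banner()
    if not banner:
        print("ssh not found on PATH")
    elif needs_upgrade(banner):
        print(f"OUTDATED: {banner} (want >= {MIN_OPENSSH[0]}.{MIN_OPENSSH[1]})")
    else:
        print(f"OK: {banner}")
```

Distribution packages often backport security fixes without bumping the upstream version, so treat the result as a policy check against the slides' floor rather than proof that a given build is exploitable.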
Hardening #2: DNS Security
Certificates generated by Google Trust Services and managed by Cloud DNS do not force-create a 'CAA' record to prevent re-issuance.
What's the solution?
Create an entry in Cloud DNS for the CAA record
Run a scan (Qualys online SSL should be sufficient)
YAYYY!!!
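The CAA record only helps if it authorises the CA you actually use and nobody else, which is what the scan step verifies. The evaluator below applies the RFC 8659 rules a CA must follow to a zone's CAA rrdatas in Cloud DNS's own text format; it is an added example, not part of the deck, and assumes the certificates come from Google Trust Services, whose CAA identifier is `pki.goog`.

```python
"""Evaluate a zone's CAA records (RFC 8659) the way a CA must before issuing.
Added example, not from the deck; assumes Google Trust Services (pki.goog)
is the CA that should stay authorised."""
import re
from dataclasses import dataclass

# Cloud DNS stores CAA rrdata as:  <flags> <tag> "<value>"
# e.g. gcloud dns record-sets create example.com. --zone=ZONE --type=CAA \
#        --ttl=300 --rrdatas='0 issue "pki.goog"'      (assumed command form)
_CAA_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$')
CRITICAL = 128                      # issuer-critical flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# The record the slides' fix adds to the zone (assumed value for a GTS cert).
GTS_CAA_RRDATA = '0 issue "pki.goog"'


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(rrdata: str) -> CAARecord:
    m = _CAA_RE.match(rrdata)
    if m is None:
        raise ValueError(f"not CAA rrdata: {rrdata!r}")
    return CAARecord(int(m.group(1)), m.group(2).lower(), m.group(3).strip())


def _issuer_domain(value: str) -> str:
    # "pki.goog; accounturi=..." -> "pki.goog";  ";" -> "" (no CA may issue)
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(rrdatas, ca_domain: str, wildcard: bool = False) -> bool:
    """True if the CA identified by `ca_domain` is authorised by these records.

    For a wildcard name, issuewild records govern when present, otherwise
    issue records do; for other names only issue records count. An empty
    relevant set means no restriction. A critical record with an unknown
    tag forbids issuance outright.
    """
    records = [parse_caa(r) for r in rrdatas]
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in records):
        return False
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True
    return any(_issuer_domain(r.value) == ca_domain.lower() for r in relevant)


def caa_findings(rrdatas, expected_ca: str = "pki.goog") -> list:
    """Findings a scanner would report for a zone's CAA set (empty = fine)."""
    findings = []
    if not rrdatas:
        findings.append("no CAA record: any public CA may issue for this name")
        return findings
    if not ca_may_issue(rrdatas, expected_ca):
        findings.append(f"{expected_ca} is not authorised: renewals will fail")
    return findings
```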
Hardening #3: Google App Engine
TLS 1.0/1.1, and TLS 1.2 with weak cipher suites, are supported by default to ensure backward compatibility with older clients.
What's the solution?
1. Create a custom SSL policy that supports just TLS 1.2 and strong cipher suites
2. Attach it to the cloud load balancer that serves the traffic for the App Engine app
Hardening #4: Google Cloud Functions
Incorrect or non-existent input validation might lead to elevated privileges in the FaaS configuration:
● Sub-process invocation at will from the execution context
● Access to the function handler of the serverless function
● Execution of system commands at will
● Access to /tmp to manipulate contents during exec time
● Full internet access from within the FaaS environment
Exploit example
Functionality: CV filtering app that accepts a PDF file to perform text analysis
Assumption: users will provide legitimate PDF filenames for processing
Weakness: the filename is embedded into a shell string for direct shell command invocations, which yields
● Sub-process invocation at will from the execution context
● Access to /tmp to manipulate contents during exec time
Let's do some "monkey patching"
What is it? A technique to dynamically update the behavior of a piece of code
Why is it needed? To extend the behavior of modules, classes or methods without actual modification of the source code
When to use?
• Extend or modify the runtime behavior of libraries/methods
• During testing, to mock the behavior of libraries, modules, objects
• Quickly fix issues if we don't have the resources to roll a proper fix
Applied to the Cloud Function:
● Eclipse the original definition of os.system() with a custom one
● Create a new safe_system which is known only by us
● Repeat this for other definitions that are not required to be supported by your FaaS
Runcy Oommen | @runcyoommen | https://runcy.me