Secure by Design Microservices & Integrations
•
0 likes•85 views
Security has become a top priority in cloud native, integration and microservices programing. Years of maintaining a good reputation could be irrecoverably damaged with a single security breach. Security is not an easy problem. It is easy to overlook something when attack patterns and security techniques evolve rapidly. What if the programming language you are using is aware of these security threats and keeps evolving along with new developments in the security landscape? The presentation discusses securing microservices and how Ballerina helps developers to write secure programs by providing inherent protection against threats listed in OWASP Top 10 Vulnerabilities and SANS Top 25 Software Errors. The session also includes demonstrations on the Ballerina compiler's security awareness features and how it prevents mistakes that could result in major security breaches.
More Related Content
What's hot
What's hot (20)
Similar to Secure by Design Microservices & Integrations
Similar to Secure by Design Microservices & Integrations (20)
More from Ballerina
More from Ballerina (20)
Recently uploaded
Recently uploaded (20)
Secure by Design Microservices & Integrations
- 1. Secure by Design Microservices & Integrations Ayoma Wijethunga Associate Technical Lead, WSO2
- 2. OWASP Top 10 Application Security Risks SANS TOP 25 Most Dangerous Software Errors A1:2017 - Injection Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') A2:2017 - Broken Authentication Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') A3:2017 - Sensitive Data Exposure Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') A4:2017 - XML External Entities (XXE) Unrestricted Upload of File with Dangerous Type A5:2017 - Broken Access Control Cross-Site Request Forgery (CSRF) A6:2017 - Security Misconfiguration URL Redirection to Untrusted Site ('Open Redirect') A7:2017 - Cross-Site Scripting (XSS) Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') A8:2017 - Insecure Deserialization Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') A9:2017 - Using Components with Known Vulnerabilities Download of Code Without Integrity Check A10:2017 - Insufficient Logging & Monitoring Inclusion of Functionality from Untrusted Control Sphere Use of Potentially Dangerous Function Incorrect Calculation of Buffer Size Uncontrolled Format String … 12 more to go Multitude of Application Security Risks & Growing
- 3. Security @ WSO2 - 1000 Foot View * https://wso2.com/technical-reports/wso2-secure-engineering-guidelines Security with Code & Design Reviews Static Code Analysis Dynamic Security Analysis IDE & Build Level Checks Secure Engineering Guidelines *
- 4. Security @ WSO2 - Pain Points ○ Multiple iterations of checks to identify security mistakes ○ Finding an issue towards the end of the process is costly ○ False positives ○ Suppression & vulnerability management ○ WSO2 uses DefectDojo (customized)
- 5. Making Ballerina security-aware ○ Make language compiler aware of security risks ○ Detect and prevent unintentional security mistakes ○ Essential security features built-in to the language
- 6. Security Vulnerability Prevention Taint Analysis
- 7. Every Function Has Security Information Attached public native function select (@sensitive string sqlQuery, typedesc? recordType, boolean loadToMemory = false, Param... parameters) returns @tainted table|error; @sensitive [parameter] Security Sensitive Parameters (Passing untrusted data to the parameter can lead to a security risk) returns @tainted Returns Untrusted Data Signature is derived if not explicitly mentioned. public native function read (@sensitive int numberOfChars) returns @tainted string|error; public function execute (@sensitive string httpVerb, @sensitive string path, Request|string|xml|json|byte[] |io:ByteChannel|mime:Entity[]|() message) returns Response|error; public native function getHeaders (@sensitive string headerName) returns @tainted string[]; ballerina/sql ballerina/io ballerina/http ballerina/mime
- 8. Derived Security Information public native function select (@sensitive string sqlQuery, typedesc? recordType, boolean loadToMemory = false, Param... parameters) returns @tainted table|error; baseSqlQuery and sortColumn derived to be "security sensitive" public function sortedSelect (string baseSqlQuery, string sortColumn) returns table|error { return dbclient->select(baseSqlQuery + " ORDER BY " + sortColumn, ()); }
- 9. Language Compiler Performs Taint Analysis Ballerina Compiler Taint Analyze Code Analyze Code Generation Desugar Type Check Compiler Plugin Ballerina can: Segregating untrusted data from trusted data Ballerina knows: Security sensitive areas Ballerina can: Accurately propagate tainted state across the program Evolves with the language
- 10. SQL Injection Prevention Demo sql:Parameter param_id = { sqlType: sql:TYPE_INTEGER, value: params.id }; var selectRet = testDB->select ("SELECT * FROM student WHERE id = ?", (), param_id); match selectRet { table tableReturned => { if (td.hasNext()) { res.setPayload("Found!"); } else { res.setPayload("Not Found!"); } td.close(); } error err => throw err; } var params = req.getQueryParams(); var selectRet = testDB->select ("SELECT * FROM student WHERE id = " + params.id, ()); match selectRet { table tableReturned => { if (td.hasNext()) { res.setPayload("Found!"); } else { res.setPayload("Not Found!"); } td.close(); } error err => throw err; } Correct Approach: error: ./sqli_fail.bal:23:40: tainted value passed to sensitive parameter 'sqlQuery'
- 11. Cross Site Scripting (XSS) Prevention Demo import ballerina/http; string regex = "[a-zA-Z]+"; service<http:Service> hello bind {port: 9090} { sayHello(endpoint c, http:Request req) { http:Response res = new; var params = req.getQueryParams(); if (check params.name.matches(regex)) { res.setPayload("Hello, " + untaint params.name + "!"); } else { res.setPayload("Name contains invalid data!"); } _ = c->respond(res); } } import ballerina/http; service<http:Service> hello bind {port: 9090} { sayHello(endpoint c, http:Request req) { var params = req.getQueryParams(); _ = c->respond("Hello, " + params.name ); } } error: ./http_fail.bal:9:25: tainted value passed to sensitive parameter 'message' Correct Approach:
- 12. Security Vulnerability Prevention Secure Defaults
- 13. XML External Entity Injection (XXE) Prevention Demo <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <foo>&xxe;</foo> This XML will expose the content of /etc/passwd file.
- 14. XML Entity Expansion Prevention <?xml version="1.0"?> <!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;"> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;"> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;"> <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;"> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;"> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;"> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;"> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;"> ]> <lolz>&lol9;</lolz> Parsing the XML will result in DoS attack, since parser will expand all the entities.
- 15. Securing Microservices Built-in Security Features
- 16. Built-in Security Features ○ OCSP validation for SSL/TLS certificates ○ CRL validation for SSL/TLS certificates ○ Config API reading encrypted passwords or secrets ○ Cryptographic operations ○ Authentication and authorization for services
- 17. Securing Microservices Authentication & Authorization
- 18. Inbound Authentication & Authorization Authentication Filter Authorization Filter Authentication Provider Resource Request Basic Auth OAuth JWT Certificate Response HTTP JMS Config File LDAP AD DB User Storage
- 19. Inbound Authentication & Authorization - Basic Auth import ballerina/http; endpoint http:SecureListener ep { port:9090 }; @http:ServiceConfig { basePath: "/hello", authConfig: { scopes: [ "hello" ] } } service<http:Service> helloWorld bind ep { @http:ResourceConfig { methods: [ "GET" ], path: "/" } sayHello (endpoint c, http:Request r) { _ = c -> respond("Hello!"); } } http:AuthProvider configured to use "config" file as the user store. Endpoint is configured to use the http:AuthProvider @http:ServiceConfig is configured to authorize users with scope "hello"
- 20. Inbound Authentication & Authorization - JWT Auth http:AuthProvider jwtAuthProvider = { scheme: "jwt", issuer: "ballerina", audience: "ballerina.io", clockSkew: 10, certificateAlias: "ballerina", trustStore: { path: "/home/ops/truststore.p12", password: "t4C3F5WrFbQn6h4S" } }; endpoint http:SecureListener ep { port:9090, authProviders: [ jwtAuthProvider ] }; http:AuthProvider configured to use enforce authentication using "jwt" scheme.
- 21. Outbound Authentication endpoint http:Client downstreamServiceEP { url: "https://localhost:9092", auth: { scheme: http:JWT_AUTH }, }; endpoint http:Client downstreamServiceEP { url: "https://localhost:9092", auth: { scheme: http:OAUTH2, accessToken: "34060588", refreshToken: "15160398", refreshUrl: "https://ballerina.io/ref" clientId: "rgfKVdnMQnJSSr", clientSecret: "BRebJ0aqfclQB9" }, } endpoint http:Client downstreamServiceEP { url: "https://localhost:9092", auth: { scheme: http:BASIC_AUTH, username: "downstreamServiceUser", password: "QK1eIWH5d6UaZXA3" } Client endpoint can be configured with the desired authentication scheme. JWT Authentication OAuth2 Authentication Basic Authentication
- 22. Summary ○ Taint Analysis ○ Secure Defaults ○ Security Features ○ Authentication and Authorization "How to Write Secure Ballerina Programs" https://ballerina.io/learn/how-to-write-secure-ballerina-code