#security (2020-02)

Archive: https://archive.sweetops.com/security/

2020-02-28

2020-02-21

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@scorebot can you keep tabs?

scorebot avatar
scorebot
05:21:37 PM

@scorebot has joined the channel

scorebot avatar
scorebot
05:21:38 PM

Thanks for adding me emojis used in this channel are now worth points.

scorebot avatar
scorebot
05:21:39 PM

Wondering what I can do? try @scorebot help

imiltchman avatar
imiltchman

Does nobody use change management? Or did I ask in the wrong channel?

Alex Siegman avatar
Alex Siegman

I mean, I have “change management.” All my infra which includes IAM policies, security groups, accounts, etc. is defined by code. That code can’t be rolled out except after reviewed PRs. So, I guess PRs are my change management. But nothing specific for the task, though I’d call that pretty light weight. It’s not all encompassing, and what you’re managing change on matters quite a bit too. I know nothing of specific change management tools.

imiltchman avatar
imiltchman

Thanks. I knew someone would mention infra-as-code, but I have doubts whether it’s sufficient

loren avatar
loren

I do the same. Git and PRs and required status checks, with a build system managing the deploy to controlled environments. Can be as lightweight or as complex as you like

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@imiltchman I whipped up some thoughts on this here: (draft)

https://cloudposse.com/change-management/

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

also welcome feedback from everyone. I’ll update it with your recommendations.

imiltchman avatar
imiltchman

@Erik Osterman (Cloud Posse) Thanks for that! So I assume (from #security perspective), there are literally no exceptions in this case. (i.e. If you urgently need to add a route to the ALB, it has to be done via TF.) In this case, shouldn’t all AWS IAM accounts for humans be strictly read-only?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yes, humans should only have read-only in all accounts other than some kind of sandbox

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

sandboxes are a free for all (and can be regularly nuked)

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

we want this:

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

not this

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
imiltchman avatar
imiltchman

chrism avatar
chrism

I’m def more the second one For now anyway. So if you bang this in to the setup make it an option

chrism avatar
chrism

More leg work when you’re doing things on private repos with private networked build systems (teamcity) than say hooking up codefresh($$$) for a public repo

chrism avatar
chrism

Applies also to github actions which fail spectacularly if you enable restrict to org as it cant even checkout the code

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

That’s a good real-world practical example.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@marcinw has an interesting solution for this in his product, basically a way to run audited ad-hoc commands.

:100:1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I don’t know if there’s a general-catch-all solution to address this.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

For example, recorded session logs in teleport is one way

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

or recorded RDP sessions is another

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I think the key is to have traceability for changes in addition to the control. Obviously cloudtrails will give a precise log of what changed and by whom. But ideally, every change is traced back to source control and every change in source control is traced to some ticket/task.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

That way you can justify every change

loren avatar
loren

Also, if you implement IaC, you want drift detection of some kind, like with terraform plan. So even if you do allow someone to, say, manually add a route to the ALB in an emergency, it then starts causing your drift detection to fail until someone adds the route to the codebase also

:--1:1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Good point.

marcinw avatar
marcinw

Technically speaking terraform plan doesn’t fail, it just shows outstanding changes.

loren avatar
loren

terraform plan -detailed-exitcode with exit code 2

loren avatar
loren
  -detailed-exitcode  Return detailed exit codes when the command exits. This
                      will change the meaning of exit codes to:
                      0 - Succeeded, diff is empty (no changes)
                      1 - Errored
                      2 - Succeeded, there is a diff
marcinw avatar
marcinw

I’m aware of that.

marcinw avatar
marcinw

Haven’t thought of using it to detect drift. I guess one would run it recurrently in CI?

loren avatar
loren

yep. on a schedule, or get fancy and run it in response to cloudtrail events

marcinw avatar
marcinw

Wouldn’t it keep throwing false positives all over the place?

marcinw avatar
marcinw

Like, you’re running your drift detection in the middle of a long apply?

loren avatar
loren

the lock should prevent that

marcinw avatar
marcinw

But your CI job would fail if it doesn’t acquire the lock, no?

marcinw avatar
marcinw

So you still get a false positive, but a wee bit earlier.

loren avatar
loren

you can test the exit code. if it’s not 2 then it’s not an error this CI job cares about

loren avatar
loren

or you can attempt to check the lock first, but that will be subject to a race condition

marcinw avatar
marcinw

What about changes waiting for human review? Or do you automatically apply everything that’s merged to your tracked branch?

loren avatar
loren

automatically apply on some condition, yes. it can be a merge to a tracked branch, or a tag, or… pick your condition

marcinw avatar
marcinw

OK, then that’s a bit unsafe, no? Because unless you actually apply from a saved and reviewed plan, there’s no guarantee that what you’re applying is what you saw?

loren avatar
loren

depends on the size of the config and the state, and how quickly everything is moving

marcinw avatar
marcinw

Yup, and how many people are contributing.

loren avatar
loren

you can generate a plan, store that as an artifact, and promote it through your pipeline

marcinw avatar
marcinw

Yup, but then you have to be very careful about mapping it between commits.

marcinw avatar
marcinw

Drift detection is something I’d probably want to have in Spacelift at some point.

:--1:1
loren avatar
loren

on merge, have the ci retrieve the plan and apply that specifically

loren avatar
loren

i don’t mean to say that terraform plan is a perfect answer, nor the right answer for everyone, but i think it’s a reasonable 80% answer that is low-drag and works for us

:--1:1

2020-02-20

imiltchman avatar
imiltchman

What lightweight process/tool do you guys use for Change Management, if any?

2020-02-19

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
Latacora - Stop Using Encrypted Email

Email is unsafe and cannot be made safe. The tools we have today to encrypt email are badly flawed. Even if those flaws were fixed, email would remain unsafe. Its problems cannot plausibly be mitigated. Avoid encrypted email. Technologists hate this argument. Few of them specialize in cryptography or privacy, but all of them are interested in it, and many of them tinker with encrypted email tools. Most email encryption on the Internet is performative, done as a status signal or show of solidarity.

Meb avatar

still his main punch over PGP is totally flawed The issue was over rated and didn’t affect the algo it self.

Latacora - Stop Using Encrypted Email

Email is unsafe and cannot be made safe. The tools we have today to encrypt email are badly flawed. Even if those flaws were fixed, email would remain unsafe. Its problems cannot plausibly be mitigated. Avoid encrypted email. Technologists hate this argument. Few of them specialize in cryptography or privacy, but all of them are interested in it, and many of them tinker with encrypted email tools. Most email encryption on the Internet is performative, done as a status signal or show of solidarity.

lvh avatar

Thanks but that’s Thomas’ writing :)

2020-02-13

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
7 Open Source Cloud Security Tools You Should Know attachment image

Our favorite open source security tools, and a summary of how they help security teams detect anomalies and malicious activity

    keyboard_arrow_up