M7 infracstructure as code (IAC)

This is the second to the last module in the ALAMOSE workshop

https://sites.google.com/view/alamose-v1/m7-iac?authuser=0

 

M7-SECURITY WEAKNESS IN INFRASTRUCTURE AS CODE (IAC) SCRIPTS

Infrastructure as code (IAC)

automated resource management

Common security weakness in IAC
  misconfigurations such as hard coded password
  hardcoded secrets such as API keys

 guessable user: admin, root, ubutnu
 parts are open (micro services API and search engine etc)

 resources (database) accessible from outside etc

 did not hide server and tech stack information

Glitch https://github.com/sr-lab/GLITCH 

Glitch is a framework which detects IAC smells automatically

detects different security smells written in Ansible, Puppert of Chef

M7-SECURITY WEAKNESS IN INFRASTRUCTURE AS CODE (IAC) SCRIPTS

Description

Identifying security weaknesses, such as hard-coded passwords, hard coded secrets, weak crypto, full permission in of files etc in chef, puppet, ansible, terraform, SaltStack scripts, which are used to automatically set up and manage the infrastructure of technology systems is called infrastructure as code (IaC).

Courses Where This Module Is Integrated

• Software Quality Assurance (Auburn University, Spring 2023, Fall 2023)

Activities 

Pre-lab Content Dissemination

A security weakness is an error, a flaw such as an insecure coding pattern that can lead to vulnerability. A security weakness, such as a hard-coded secret, can be propagated to other parts of the program. A flow analysis is a process to identify how security weaknesses, such as insecure coding patterns in a program, can propagate security weaknesses within a software system.

In-class Hands-on Experience(using Mac)

1. Install Python by brew install python if you have not installed it in your machine.

2. Download or clone the source code of GLITCH: https://github.com/sr-lab/GLITCH

3. Go to this directory via terminal

4. Install the tools using the commands as follows

brew install poetry

poetry install

5. Create an YAML file named test.yaml and paste the following source code in the file and save it.

---

- name: create an app with full permission

  file:

    path: /app

    owner: foo

    group: foo

    mode: "0777"

6. Run the tool using the command

poetry run glitch --tech ansible --csv test.yaml

Post Lab Experience

The use of specific keywords such as hack, fixme, todo, bug, later, and bug in comments can reveal missing security functionality and the presence of bugs (CWE-546). In the following figure, we demonstrated steps for automatically identifying suspicious comments in Ansible scripts.