M7-SECURITY WEAKNESS IN INFRASTRUCTURE AS CODE (IAC) SCRIPTS
Common security weaknesses in IaC scripts:
misconfigurations such as hard-coded passwords
hard-coded secrets such as API keys
components left exposed (microservice APIs, search engines, etc.)
Description
Infrastructure as code (IaC) refers to scripts written for tools such as Chef, Puppet, Ansible, Terraform and SaltStack that automatically set up and manage the infrastructure of technology systems. This module covers identifying security weaknesses in such scripts, for example hard-coded passwords, hard-coded secrets, weak cryptography and files created with full permissions.
Courses Where This Module Is Integrated
Software Quality Assurance (Auburn University, Spring 2023, Fall 2023)
Activities
Pre-lab Content Dissemination
A security weakness is an error or flaw, such as an insecure coding pattern, that can lead to a vulnerability. A security weakness, such as a hard-coded secret, can be propagated to other parts of the program. A flow analysis is a process for identifying how security weaknesses, such as insecure coding patterns, propagate within a software system.
In-class Hands-on Experience (using Mac)
Install Python with brew install python if it is not already installed on your machine.
Download or clone the source code of GLITCH: https://github.com/sr-lab/GLITCH
Change into that directory in a terminal.
Install the tool using the following commands
brew install poetry
poetry install
Create a YAML file named test.yaml, paste the following source code into the file and save it (the task deliberately creates /app with mode 0777, i.e. full permission for everyone, which is the weakness the tool should report).
---
- name: create an app with full permission
  file:
    path: /app
    owner: foo
    group: foo
    mode: "0777"
Run the tool using the command
poetry run glitch --tech ansible --csv test.yaml
Post Lab Experience
The use of specific keywords such as hack, fixme, todo, bug and later in comments can reveal missing security functionality and the presence of bugs (CWE-546). In the following figure, we demonstrated steps for automatically identifying suspicious comments in Ansible scripts.
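As an added illustration of what a checker such as GLITCH looks for, the following Python script is not GLITCH's code and not part of the original module; it is a small line-based scanner written for this page that covers both the in-class exercise (the world-writable mode "0777") and the post-lab topic (suspicious comment keywords, CWE-546), and also flags hard-coded secrets. The playbook it scans is constructed here: the first task is the page's own test.yaml, the remaining tasks, the keyword list and the list of secret-like key names are assumptions chosen for the example.

```python
import re
from typing import List, Tuple

# Constructed sample playbook: task 1 is the page's test.yaml, the rest is
# made up for this example to exercise each check.
SAMPLE_PLAYBOOK = """\
---
- name: create an app with full permission
  file:
    path: /app
    owner: foo
    group: foo
    mode: "0777"
- name: create db user  # TODO: move password to vault
  mysql_user:
    name: app
    password: "hunter2"
- name: create api key from vault
  set_fact:
    api_key: "{{ lookup('env', 'APP_API_KEY') }}"
- name: set config file  # hack until the proper template lands
  file:
    path: /etc/app.conf
    mode: "0640"
"""

# Keyword list from the module text (CWE-546 suspicious comments).
SUSPICIOUS_WORDS = ("hack", "fixme", "todo", "bug", "later")
# Assumed set of key names that usually carry credentials.
SECRET_KEYS = ("password", "passwd", "secret", "api_key", "token", "private_key")

KEY_VALUE = re.compile(r'^\s*-?\s*(?P<key>[A-Za-z_]\w*)\s*:\s*(?P<value>.*?)\s*$')


def _strip_comment(line: str) -> Tuple[str, str]:
    """Split a YAML line into (code, comment). A '#' starts a comment only at
    line start or after whitespace; quoted '#' characters are not handled."""
    m = re.search(r'(^|\s)#(.*)$', line)
    if not m:
        return line, ""
    return line[:m.start()], m.group(2)


def _is_world_writable(mode: str) -> bool:
    """True when an octal mode string grants write to 'other' (0777, 0666, ...)."""
    digits = mode.strip().strip('"\'')
    if not re.fullmatch(r'0?[0-7]{3,4}', digits):
        return False
    return bool(int(digits[-1], 8) & 0o2)


def _is_literal_secret(value: str) -> bool:
    """A hard-coded secret is a non-empty literal that is neither a Jinja
    expression ('{{ ... }}') nor an Ansible Vault blob ('!vault')."""
    v = value.strip().strip('"\'')
    return bool(v) and "{{" not in v and not v.startswith("!vault")


def scan_playbook(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, weakness, detail) findings for an Ansible playbook."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        code, comment = _strip_comment(raw)
        if comment:
            words = set(re.findall(r'[a-z]+', comment.lower()))
            hits = sorted(words & set(SUSPICIOUS_WORDS))
            if hits:
                findings.append((lineno, "suspicious comment (CWE-546)", ", ".join(hits)))
        m = KEY_VALUE.match(code)
        if not m:
            continue
        key, value = m.group("key").lower(), m.group("value")
        if key == "mode" and _is_world_writable(value):
            findings.append((lineno, "world-writable permission", value))
        elif any(s in key for s in SECRET_KEYS) and _is_literal_secret(value):
            findings.append((lineno, "hard-coded secret", key))
    return findings


if __name__ == "__main__":
    for lineno, weakness, detail in scan_playbook(SAMPLE_PLAYBOOK):
        print(f"line {lineno}: {weakness} ({detail})")
```

Run it with python3 scanner.py; it reports the 0777 mode, the literal password and the two comments, while the api_key task that reads its value from a lookup is correctly left alone. A real checker parses the YAML instead of matching lines, which is why GLITCH is used in the lab; the point of the script is to make the three detection rules explicit.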