Catching Commits to Secure Infrastructure as Code

Transcript

1. 1

2. Catching Commits to Secure Infrastructure as Code May 23, 2023

   2

3. OWASP Secure Coding Practices • Input Validation • Output Encoding

   • Authentication and Password Management • Session Management • Access Control • Cryptographic Practices • Error Handling and Logging • Data Protection • Communication Security • System Configuration • Database Security • File Management • Memory Management • General Coding Practices https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/ 3

4. What about infrastructure as code? 4

5. Rosemary Wang Developer Advocate, HashiCorp joatmon08.github.io @joatmon08 5

6. How do you write secure infrastructure as code? 6

7. Security Testing Static Analysis • “Shift-left” security testing • Policy

   as code • Unit / contract testing for security Dynamic Analysis • Vulnerability scanning • Continuous validation • Security monitoring 7

8. Infrastructure as Code Infrastructure Environment FIX Allow traffic from database

   to DR site. RECONCILE Add rule to allow traffic from database to DR site. A region has an outage. 8

9. Static Analysis Dynamic Analysis For you to fix quickly and

   maintain security requirements For someone else to know what security requirements exist 9

10. Capture security knowledge as tests. 10

11. 11

12. What commits to catch? Static Analysis Dynamic Analysis Input Validation

    Data Protection System Configuration 12

13. Input Validation 13

14. Input Validation Verify… • Expected types • Expected values •

    Proper character sets • Potentially insecure values Static analysis 14

15. Input Validation Examples: • Password should have at least 1

    symbol and 1 uppercase character. • Region should be in United States. • Private CA certificate key should be marked as sensitive. • Names should include standard environment. 15

16. Input Validation Variable Validation Better for… • Team • Provider

    • Modules Unit Test Better for… • Multiple providers • Organizational policy • Dependencies 16

17. variable "region" { type = string description = "AWS Region"

    validation { condition = can(regex("^us-", var.region)) error_message = "AWS Region must be in United States" } } Variable Validation 17

18. resource "random_string" "boundary" { ## omitted lifecycle { precondition {

    condition = random_string.boundary.length > 3 error_message = "HCP Boundary requires username to be at least 3 characters in length" } } } Variable Validation, Inline with PreCondition 18

19. deny[msg] { r := tfplan.variables r.aws_secret_access_key msg := "do not

    define AWS secret access key as part of variables, use AWS_SECRET_ACCESS_KEY environment variable instead" } Unit Test with OPA 19

20. Data Protection 20

21. Data Protection • Implement access controls to state ◦ Data

    ◦ State • Encrypt in transit and at rest. • Sanitize sensitive values in logs or outputs • Ensure least privilege access to providers Static analysis Dynamic analysis 21

22. Data Protection Examples: • Database should be encrypted. • Password

    should not be printed in output. • Virtual machine resource should have attached IAM role. • Infrastructure state should be limited to owners of workspace. 22

23. Data Protection Static Analysis Better for… • Enforcement of secure

    practices • Testing valid dependencies Dynamic Analysis Better for… • Least-privilege API access • Continuous enforcement • Auditing data access 23

24. deny[msg] { r := resource_changes[_] r.type == "aws_db_instance" r.change.after.storage_encrypted ==

    "" msg := sprintf("%v should have encrypted storage", [r.address]) } Static Analysis of Attributes with OPA 24

25. deny[msg] { outputs := planned_values.outputs plaintext_password_outputs := [key | outputs[key]

    contains(key, "password") not outputs[key].sensitive ] count(plaintext_password_outputs) != 0 msg := sprintf("%v should be marked as sensitive outputs", [plaintext_password_outputs]) } Static Analysis of Practices with OPA25

26. resource "aws_db_instance" "products" { ## omitted storage_encrypted = true lifecycle

    { postcondition { condition = self.storage_encrypted error_message = "encrypt AWS RDS database storage" } } } Continuous Enforcement with PostCondition 26

27. System Configuration 27

28. System Configuration • Check versions or images • Ensure least

    privilege network access • Separate development and production • Analyze vulnerabilities and access • Assess drift • Remove idle / unused resources Need dynamic analysis 28

29. System Configuration Examples: • Separate state for development and production.

    • Verify network policies and secure versions. • Tags should include environment. • Image should include secure base. • Scan running infrastructure for new vulnerabilities. 29

30. System Configuration Static Analysis Better for… • Enforcement of secure

    practices • Complex logic for validation • Testing valid dependencies Dynamic Analysis Better for… • Network auditing • Continuous validation • Drift detection 30

31. deny[msg] { ## omitted logic to parse VPC private_subnets :=

    {r.values.id | r := vpc_modules[_].resources[_] r.type == "aws_subnet" not r.values.map_public_ip_on_launch } public_subnets := cluster_subnet_ids - private_subnets count(public_subnets) != 0 msg := sprintf("EKS cluster %v should be in private subnets (%v are public subnets)", [cluster_id, public_subnets]) } More Complex Static Analysis with OPA 31

32. 32

33. 33

34. There’s more! 34

35. How do I share tests? • Store tests in central

    location. • Tag / name / number tests for relevance. • Document secure configurations in tests. 35

36. How to catch commits? Plan Unit Test Apply Integration Test

    Static Analysis Dynamic Analysis Plan Unit Test Apply Integration Test Static Analysis Staging Production 36

37. Do I write them all myself? Use pre-written test suites

    or industry benchmarks. Infrastructure modules Production configuration 1 Create custom policy tests. Divide by… • Enforcement level • Business unit • Resource • Type 2 37

38. 38

39. What is important? • Prefer secure defaults over tests. •

    Choose a severity threshold. ◦ Identify mandatory rules. ◦ Use advisory as last resort. ◦ Try to enforce development environments. • Evaluate and make exceptions. 39

40. Conclusion 40

41. How do you write secure IaC? • Capture practices into

    tests • Share tests • Catch commits using a pipeline • Write what you must • Choose what is important 41

42. Iterate Static Analysis Dynamic Analysis Break glass / drift Reconcile

    to infrastructure as code 42

43. More secure infrastructure as code over time. 43

44. Thank you! @joatmon08 • github.com/joatmon08/hashicorp-stack-demoapp • developer.hashicorp.com/terraform/tutorials/cloud-get-started/policy-quickstart • openpolicyagent.org/docs/latest/terraform/ 44

45. 45