Security Checklist 􏰀or a Go Developer – Elena Grahovac

Transcript

1. Security Checklist for a Go Developer Elena Grahovac GopherCon Russia

   2019

2. The role of Security in DevOps Stage Examples of Security

   Input Define Way of Working General Requirements, Policies Design Threat Modelling, Design Guidelines Code Coding Rules, Codereview, Tools Test Testing Plan, Toolkits Deploy Configuration, Checklists Monitor Incident Management, Scanning, Pen Test

3. Lead TechOps Automation Engineer @N26 DevOps Enthusiast [email protected] webdeva rumyantseva

4. Security Onion Model Data Code Container PaaS Cloud Dependencies

5. Security Onion Model Data Code Container Dependencies

6. Data

7. Data checklist 一 Passwords & sensitive data 一 Random data

   generation 一 Secrets 一 User data

8. Passwords -- PostgreSQL UPDATE credentials SET password = crypt('new-password', gen_salt('bf'));

9. math/rand package main import ( "fmt" "math/rand" ) func main()

   { rand.Seed(1) b := make([]byte, 4) _, err := rand.Read(b) if err != nil { fmt.Println("error: ", err) return } fmt.Println(b) }

10. math/rand + seed package main import ( "fmt" "math/rand" "time"

    ) func main() { rand.Seed(time.Now().Unix()) b := make([]byte, 4) _, err := rand.Read(b) if err != nil { fmt.Println("error: ", err) return } fmt.Println(b) }

11. crypto/rand package main import ( "crypto/rand" "fmt" ) func main()

    { b := make([]byte, 4) _, err := rand.Read(b) if err != nil { fmt.Println("error: ", err) return } fmt.Println(b) }

12. Secrets

13. Secrets

14. Secrets: Kubernetes case study 一 How the data of secrets

    are stored? 一 Who can access and modify secrets? 一 Do you use secrets as ENV parameters?

15. FROM busybox ENV HELLO world RUN mkdir /www && touch

    /www/index.html EXPOSE 8000 CMD httpd -p 8000 -h /www -f & wait # How to try: # docker build -t hello . # docker run hello # docker exec $(docker ps -q -l) cat /proc/1/environ

16. Secrets: Solutions 一 Hashicorp Vault https://www.vaultproject.io 一 Google Cloud: KMS,

    HMS https://cloud.google.com/solutions/secrets-management/#tools 一 Other cloud solutions

17. Data Code

18. Code checklist 一 Input validation & sanitizing 一 Error &

    panic handling 一 Diagnostics handlers visibility 一 Static code analysis 一 Fuzzy testing

19. Validate & sanitize input 一 SQL injections 一 XSS attacks

    一 Unexpected data

20. Additional examples. XSS 一 This code is not safe: https://github.com/rumyantseva/going-secure/blob

    /master/examples/xss/main.go 一 This code is almost the same but safe: https://github.com/rumyantseva/going-secure/blob /master/examples/xss-prevent/main.go

21. Additional examples. SQL injection 一 Here we might have an

    SQL injection: https://github.com/rumyantseva/going-secure/blob /master/examples/sql-injection/bulk.go 一 Luckily, gosec is able to catch it: https://github.com/rumyantseva/going-secure/blob /master/examples/gosec/output.log

22. Diagnostics handlers package pprofed import ( "net/http" _ "net/http/pprof" //

    add pprof handlers ) func serve(addr string) { http.HandleFunc( "/", func(w http.ResponseWriter, r *http.Request) { // provide some business logic }) http.ListenAndServe(addr, nil) }

23. Diagnostics handlers … r.HandleFunc("/diag/pprof", pprof.Index) r.HandleFunc("/diag/cmdline", pprof.Cmdline) r.HandleFunc("/diag/profile", pprof.Profile) r.HandleFunc("/diag/symbol",

    pprof.Symbol) r.HandleFunc("/diag/trace", pprof.Trace) r.Handle("/diag/goroutine", pprof.Handler("goroutine")) r.Handle("/diag/heap", pprof.Handler("heap")) r.Handle("/diag/threadcreate", pprof.Handler("threadcreate")) r.Handle("/diag/block", pprof.Handler("block")) http.ListenAndServe(addr, r) …

24. Static code analysis: gosec Results: [examples/random/math-seed-time/main.go:13] - G404: Use of

    weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH) > rand.Read(b) [examples/sql-injection/main.go:14-17] - G201: SQL string formatting (Confidence: HIGH, Severity: MEDIUM) > fmt.Sprintf( "INSERT INTO users (name) VALUES %s", strings.Join(values, ","), ) Summary: Files: 10 Lines: 181 Issues: 11

25. Static code analysis: other tools 一 Golang CI 一 A

    long list of linters: https://github.com/golangci/golangci-lint#supported-linters

26. Fuzzy testing 一 My application works with a complex input

    一 I validate it 一 I want to make sure that my validation is good enough 一 https://github.com/dvyukov/go-fuzz

27. Vulnerabilities in Go?

28. Data Code Dependencies

29. Dependencies: problem definition 一 Design & quality 一 Testing 一

    Activity & maintenance 一 Licenses 一 Integrity & dependencies 一 Immutability & updates

30. Dependencies checklist 一 Description 一 Documentation 一 Go Report Card

    一 Issues & pull requests 一 Code coverage 一 Other reports 一 Repeat the same for dependencies of this dependency

31. GOPROXY: pros 一 Availability 一 Independency 一 Immutability 一 Archives

    are faster than git repos 一 Additional opportunities

32. GOPROXY: cons 一 Workflows around module management 一 Current implementations

33. Security Onion Model Data Code Container Dependencies

34. Container 一 Multi-staging builds 一 Separate containers for testing 一

    Security policies 一 OS-level dependencies 一 Runtime controls

35. Builds 一 Compile a binary on the CI/CD node &

    copy it 一 Multi-staging builds

36. Multi-staging builds: Stage 0 # Stage 0. Build the binary

    FROM artifactory/golang:1.12 # add a non-privileged user RUN useradd -u 10001 myapp RUN mkdir -p /go/src/github.com/rumyantseva/myapp ADD . /go/src/github.com/rumyantseva/myapp WORKDIR /go/src/github.com/rumyantseva/myapp # Build the binary with go build RUN CGO_ENABLED=0 go build \ -o bin/myapp github.com/rumyantseva/myapp/cmd/myapp # Stage 1. Run the binary …

37. Multi-staging builds: Stage 1 # Stage 1. Run the binary

    FROM scratch ENV PORT 8080 # certificates to interact with other services COPY --from=0 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ # don't forget /etc/passwd from previous stage COPY --from=0 /etc/passwd /etc/passwd USER myapp # and finally the binary COPY --from=0 /go/src/github.com/rumyantseva/myapp/bin/myapp /myapp EXPOSE $PORT CMD ["myapp"]

38. Multi-staging builds: GOPROXY # Initial stage: download modules FROM artifactory/golang:1.12

    ADD go.mod go.sum /m/ RUN cd /m && go mod download

39. Base image for testing FROM artifactory/golang:1.12 # Change here to

    update ENV VERSION 1.12.3 ENV CHECKSUM c531688661b500d4c0c500fcf57f829388a4a9ba79697c2e134302aedef0cd46 # Make sure we have a fixed golangci-lint script with a chekcsum check RUN echo "${CHECKSUM} golangci-lint-${VERSION}-linux-amd64.tar.gz" > CHECKSUM # Download from Github the specified release and extract into the go/bin folder RUN curl -L "https://github.com/golangci/golangci-lint/ releases/download/v${VERSION}/golangci-lint-${VERSION}-linux-amd64.tar.gz" \ -o golangci-lint-${VERSION}-linux-amd64.tar.gz \ && shasum -a 256 -c CHECKSUM \ && tar xvzf golangci-lint-${VERSION}-linux-amd64.tar.gz \ --strip-components=1 \ -C ./bin \ golangci-lint-${VERSION}-linux-amd64/golangci-lint # Clean up RUN rm -rf CHECKSUM "golangci-lint-${VERSION}-linux-amd64.tar.gz"

40. Run linters and tests FROM artifactory/golang-linters RUN mkdir -p /go/src/github.com/rumyantseva/myapp

    ADD . /go/src/github.com/rumyantseva/myapp WORKDIR /go/src/github.com/rumyantseva/myapp # Run linters RUN golangci-lint run \ --no-config --issues-exit-code=1 \ --deadline=10m --exclude-use-default=false \ ./... # Run tests RUN go test -timeout=600s -v --race ./...

41. Operate containers 一 PodSecurityPolicies 一 Disable privileged containers 一 Consider

    MustRunAsNonRoot 一 Limit possible types of volumes

42. What we can learn? 一 Add security checks as early

    as possible 一 Automate as much as possible 一 Although, some steps have to be manual 一 Prepare a checklist to improve codereview experience 一 Contribute to the Go community

43. [email protected] webdeva rumyantseva These slides and additional examples: https://security.grahovac.pro

44. References and additional reading 一 Golang : Vulnerability Statistics 一

    OWASP Top 10 Security Risks 一 Go Report Card 一 Our Software Dependency Problem by Russ Cox 一 Goproxies: https://docs.gomods.io, https://gocenter.io, https://jfrog.com/integration/go-registry/ 一 Going Secure with Go