Security Checklist 􏰀or a Go Developer – Elena Grahovac

Security Checklist for a Go Developer Elena Grahovac GopherCon Russia
2019

The role of Security in DevOps Stage Examples of Security
Input Deﬁne Way of Working General Requirements, Policies Design Threat Modelling, Design Guidelines Code Coding Rules, Codereview, Tools Test Testing Plan, Toolkits Deploy Conﬁguration, Checklists Monitor Incident Management, Scanning, Pen Test

Lead TechOps Automation Engineer @N26 DevOps Enthusiast [email protected] webdeva rumyantseva

Security Onion Model Data Code Container PaaS Cloud Dependencies

Security Onion Model Data Code Container Dependencies

Data checklist 一 Passwords & sensitive data 一 Random data
generation 一 Secrets 一 User data

Passwords -- PostgreSQL UPDATE credentials SET password = crypt('new-password', gen_salt('bf'));

math/rand package main import ( "fmt" "math/rand" ) func main()
{ rand.Seed(1) b := make([]byte, 4) _, err := rand.Read(b) if err != nil { fmt.Println("error: ", err) return } fmt.Println(b) }

math/rand + seed package main import ( "fmt" "math/rand" "time"
) func main() { rand.Seed(time.Now().Unix()) b := make([]byte, 4) _, err := rand.Read(b) if err != nil { fmt.Println("error: ", err) return } fmt.Println(b) }

crypto/rand package main import ( "crypto/rand" "fmt" ) func main()
{ b := make([]byte, 4) _, err := rand.Read(b) if err != nil { fmt.Println("error: ", err) return } fmt.Println(b) }

Secrets

Secrets: Kubernetes case study 一 How the data of secrets
are stored? 一 Who can access and modify secrets? 一 Do you use secrets as ENV parameters?

FROM busybox ENV HELLO world RUN mkdir /www && touch
/www/index.html EXPOSE 8000 CMD httpd -p 8000 -h /www -f & wait # How to try: # docker build -t hello . # docker run hello # docker exec $(docker ps -q -l) cat /proc/1/environ

Secrets: Solutions 一 Hashicorp Vault https://www.vaultproject.io 一 Google Cloud: KMS,
HMS https://cloud.google.com/solutions/secrets-management/#tools 一 Other cloud solutions

Data Code

Code checklist 一 Input validation & sanitizing 一 Error &
panic handling 一 Diagnostics handlers visibility 一 Static code analysis 一 Fuzzy testing

Validate & sanitize input 一 SQL injections 一 XSS attacks
一 Unexpected data

Additional examples. XSS 一 This code is not safe: https://github.com/rumyantseva/going-secure/blob
/master/examples/xss/main.go 一 This code is almost the same but safe: https://github.com/rumyantseva/going-secure/blob /master/examples/xss-prevent/main.go

Additional examples. SQL injection 一 Here we might have an
SQL injection: https://github.com/rumyantseva/going-secure/blob /master/examples/sql-injection/bulk.go 一 Luckily, gosec is able to catch it: https://github.com/rumyantseva/going-secure/blob /master/examples/gosec/output.log

Diagnostics handlers package pprofed import ( "net/http" _ "net/http/pprof" //
add pprof handlers ) func serve(addr string) { http.HandleFunc( "/", func(w http.ResponseWriter, r *http.Request) { // provide some business logic }) http.ListenAndServe(addr, nil) }

Diagnostics handlers … r.HandleFunc("/diag/pprof", pprof.Index) r.HandleFunc("/diag/cmdline", pprof.Cmdline) r.HandleFunc("/diag/profile", pprof.Profile) r.HandleFunc("/diag/symbol",
pprof.Symbol) r.HandleFunc("/diag/trace", pprof.Trace) r.Handle("/diag/goroutine", pprof.Handler("goroutine")) r.Handle("/diag/heap", pprof.Handler("heap")) r.Handle("/diag/threadcreate", pprof.Handler("threadcreate")) r.Handle("/diag/block", pprof.Handler("block")) http.ListenAndServe(addr, r) …

Static code analysis: gosec Results: [examples/random/math-seed-time/main.go:13] - G404: Use of
weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH) > rand.Read(b) [examples/sql-injection/main.go:14-17] - G201: SQL string formatting (Confidence: HIGH, Severity: MEDIUM) > fmt.Sprintf( "INSERT INTO users (name) VALUES %s", strings.Join(values, ","), ) Summary: Files: 10 Lines: 181 Issues: 11

Static code analysis: other tools 一 Golang CI 一 A
long list of linters: https://github.com/golangci/golangci-lint#supported-linters

Fuzzy testing 一 My application works with a complex input
一 I validate it 一 I want to make sure that my validation is good enough 一 https://github.com/dvyukov/go-fuzz

Vulnerabilities in Go?

Data Code Dependencies

Dependencies: problem deﬁnition 一 Design & quality 一 Testing 一
Activity & maintenance 一 Licenses 一 Integrity & dependencies 一 Immutability & updates

Dependencies checklist 一 Description 一 Documentation 一 Go Report Card
一 Issues & pull requests 一 Code coverage 一 Other reports 一 Repeat the same for dependencies of this dependency

GOPROXY: pros 一 Availability 一 Independency 一 Immutability 一 Archives
are faster than git repos 一 Additional opportunities

GOPROXY: cons 一 Workﬂows around module management 一 Current implementations

Security Onion Model Data Code Container Dependencies

Container 一 Multi-staging builds 一 Separate containers for testing 一
Security policies 一 OS-level dependencies 一 Runtime controls

Builds 一 Compile a binary on the CI/CD node &
copy it 一 Multi-staging builds

Multi-staging builds: Stage 0 # Stage 0. Build the binary
FROM artifactory/golang:1.12 # add a non-privileged user RUN useradd -u 10001 myapp RUN mkdir -p /go/src/github.com/rumyantseva/myapp ADD . /go/src/github.com/rumyantseva/myapp WORKDIR /go/src/github.com/rumyantseva/myapp # Build the binary with go build RUN CGO_ENABLED=0 go build \ -o bin/myapp github.com/rumyantseva/myapp/cmd/myapp # Stage 1. Run the binary …

Multi-staging builds: Stage 1 # Stage 1. Run the binary
FROM scratch ENV PORT 8080 # certificates to interact with other services COPY --from=0 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ # don't forget /etc/passwd from previous stage COPY --from=0 /etc/passwd /etc/passwd USER myapp # and finally the binary COPY --from=0 /go/src/github.com/rumyantseva/myapp/bin/myapp /myapp EXPOSE $PORT CMD ["myapp"]

Multi-staging builds: GOPROXY # Initial stage: download modules FROM artifactory/golang:1.12
ADD go.mod go.sum /m/ RUN cd /m && go mod download

Base image for testing FROM artifactory/golang:1.12 # Change here to
update ENV VERSION 1.12.3 ENV CHECKSUM c531688661b500d4c0c500fcf57f829388a4a9ba79697c2e134302aedef0cd46 # Make sure we have a fixed golangci-lint script with a chekcsum check RUN echo "${CHECKSUM} golangci-lint-${VERSION}-linux-amd64.tar.gz" > CHECKSUM # Download from Github the specified release and extract into the go/bin folder RUN curl -L "https://github.com/golangci/golangci-lint/ releases/download/v${VERSION}/golangci-lint-${VERSION}-linux-amd64.tar.gz" \ -o golangci-lint-${VERSION}-linux-amd64.tar.gz \ && shasum -a 256 -c CHECKSUM \ && tar xvzf golangci-lint-${VERSION}-linux-amd64.tar.gz \ --strip-components=1 \ -C ./bin \ golangci-lint-${VERSION}-linux-amd64/golangci-lint # Clean up RUN rm -rf CHECKSUM "golangci-lint-${VERSION}-linux-amd64.tar.gz"

Run linters and tests FROM artifactory/golang-linters RUN mkdir -p /go/src/github.com/rumyantseva/myapp
ADD . /go/src/github.com/rumyantseva/myapp WORKDIR /go/src/github.com/rumyantseva/myapp # Run linters RUN golangci-lint run \ --no-config --issues-exit-code=1 \ --deadline=10m --exclude-use-default=false \ ./... # Run tests RUN go test -timeout=600s -v --race ./...

Operate containers 一 PodSecurityPolicies 一 Disable privileged containers 一 Consider
MustRunAsNonRoot 一 Limit possible types of volumes

What we can learn? 一 Add security checks as early
as possible 一 Automate as much as possible 一 Although, some steps have to be manual 一 Prepare a checklist to improve codereview experience 一 Contribute to the Go community

[email protected] webdeva rumyantseva These slides and additional examples: https://security.grahovac.pro

References and additional reading 一 Golang : Vulnerability Statistics 一
OWASP Top 10 Security Risks 一 Go Report Card 一 Our Software Dependency Problem by Russ Cox 一 Goproxies: https://docs.gomods.io, https://gocenter.io, https://jfrog.com/integration/go-registry/ 一 Going Secure with Go

Security Checklist 􏰀or a Go Developer – Elena G...

Security Checklist 􏰀or a Go Developer – Elena Grahovac

More Decks by GopherCon Russia

Other Decks in Programming

Featured

Transcript