Upgrade to Pro — share decks privately, control downloads, hide ads and more …

How do we make Rudder secure?

Rudder
February 06, 2023
Programming
0
79

How do we make Rudder secure?

🎥 https://youtu.be/WqLPZeO3Rtg
🧑 Alexis Mousset
📅 Configuration Management Camp 2023

Rudder is used in critical contexts and the focus on its security has increased over the years, along with the threats. This talk will give an overview of how security topics are handled by the Rudder team, how they have evolved over time and what are our plans to handle current challenges. We will expose:

- our recent features and architectural changes improving software security, especially in terms of node/server communication, user authentication and attack surface limitation.
- our process to handle vulnerabilities reported or discovered in Rudder.
- our efforts for software supply chain securitization, in particular regarding dependencies management and build infrastructure (dedicated signature server, ephemeral build environments, etc.)
- and finally how we try to steer the dev culture towards security topics awareness, through integration of security assessments to our specification processes, and regular training and discussions.

Rudder

February 06, 2023
Tweet

More Decks by Rudder

See All by Rudder
Hausse des cybermenaces lors des JO : êtes-vous suffisamment protégé ?
rudder
0
26
Adoptez une stratégie de patch management efficace adaptée à votre système d’information
rudder
0
48
Comment sécuriser son SI pour ne plus subir les attaques ?
rudder
0
50
Hardening systems: from a benchmark guide to meaningful compliance
rudder
0
26
Implementing configuration management primitives in 2024
rudder
0
20
Supply Chain Security in the Rust Ecosystem
rudder
0
16
Securing the software supply chain for infra management software
rudder
0
180
A journey from Configuration Management to Security of IT systems
rudder
0
50
Rudder: what is it and what makes it different?
rudder
0
130

Other Decks in Programming

See All in Programming
CSC509 Lecture 11
javiergs
PRO
0
180
카카오페이는 어떻게 수천만 결제를 처리할까? 우아한 결제 분산락 노하우
kakao
PRO
0
110
距離関数を極める! / SESSIONS 2024
gam0022
0
280
「今のプロジェクトいろいろ大変なんですよ、app/services とかもあって……」/After Kaigi on Rails 2024 LT Night
junk0612
5
2.1k
Less waste, more joy, and a lot more green: How Quarkus makes Java better
hollycummins
0
100
Flutterを言い訳にしない!アプリの使い心地改善テクニック5選🔥
kno3a87
1
140
初めてDefinitelyTypedにPRを出した話
syumai
0
400
アジャイルを支えるテストアーキテクチャ設計/Test Architecting for Agile
goyoki
9
3.3k
C++でシェーダを書く
fadis
6
4.1k
Contemporary Test Cases
maaretp
0
130
Compose 1.7のTextFieldはPOBox Plusで日本語変換できない
tomoya0x00
0
190
Duckdb-Wasmでローカルダッシュボードを作ってみた
nkforwork
0
120

Featured

See All Featured
Mobile First: as difficult as doing things right
swwweet
222
8.9k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
131
33k
Unsuck your backbone
ammeep
668
57k
Automating Front-end Workflow
addyosmani
1366
200k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
44
2.2k
Speed Design
sergeychernyshev
24
610
The Pragmatic Product Professional
lauravandoore
31
6.3k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
Build The Right Thing And Hit Your Dates
maggiecrowley
33
2.4k
GraphQLとの向き合い方2022年版
quramy
43
13k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.7k
Raft: Consensus for Rubyists
vanstee
136
6.6k

Transcript

  1. How do we make Rudder secure? Security strategy for Rudder

    Alexis Mousset

  2. All rights reserved whoami • Alexis Mousset ◦ [email protected]

    twitter.com/AlexisMousset • Sysadmin background • Lead System Developer @Rudder ◦ Agent ◦ Configuration policies ◦ Security • Secure Code Working Group @Rust

  3. All rights reserved Agenda Overview of several security-related topics: •

    Rudder hardening • Vulnerabilities handling • Software supply chain security • Dev team culture & processes

  4. Rudder Server/Agent Security & Hardening

  5. All rights reserved In Rudder itself • Security of Rudder

    is (now) integrated as a source for the roadmap ◦ Prioritized independently • Regular integration of security items in releases

  6. All rights reserved In Rudder Node-server communication security cycle (since

    6.1) (but actually started back in 2015) • Recent TLS (1.2+) everywhere • Switch to a unique key for both communication protocols • Certificate verification everywhere (still TOFU by default) • Splittable virtual env for Web/API vs. node-server communication • Ports configuration allowing finer firewall rules

  7. All rights reserved In Rudder User authentication • No default

    password for admin account ◦ Especially in addition to the missing indexation configuration • Proper hash for local passwords (bcrypt) • Hide API tokens in UI • 2FA with OpenID Connect/OAUTH2

  8. All rights reserved In Rudder Services hardening (6.X) • relayd

    and slapd have a strict sandboxing policy ◦ Run as dedicated system user ◦ SELinux on RHEL ◦ systemd-based hardening ▪ ProtectSystem=strict + ReadWritePaths=... ▪ PrivateTmp=True

  9. All rights reserved In Rudder Compilation hardening options (7.0) •

    Follow best practices for C compilers ◦ -fstack-protector-strong ◦ -Wl,-z,relro -Wl,-z,now (full relro) ◦ -D_FORTIFY_SOURCE=2 ◦ -fPIE / -pie

  10. All rights reserved In Rudder Frontend side (7.3) • Proper

    session expiration • XSS hardening (CSP, etc.) • CSRF hardening (SameSite) • HSTS (built-in setting) • Package manager for JS/CSS dependencies (npm)

  11. All rights reserved In Rudder Identified next steps: • Replace

    usage of AngularJS • Don’t store clear-text API tokens on the server • Built-in 2FA (WebAuthn/TOTP) • Stop running services listening on the network as root (jetty, cf-serverd) • TLS 1.3 • etc.

  12. Vulnerability handling process

  13. All rights reserved Vulnerability handling process We now have defined

    a policy & process (before 2020: ad-hoc handling) • Centralized reporting at: [email protected] • Internal database which contains all data and actions taken • Embargo with private tickets and late code push • Communication ◦ Customer notice in advance ◦ Community notice a week after ◦ Low public communication, to avoid attracting The Eye of Sauron
  14. None

  15. Software supply chain security

  16. All rights reserved Context

  17. All rights reserved Context • Software supply chain risks ◦

    SolarWinds: Targeted attack against a critical supplier ◦ Log4shell: Known vulnerability in low level components • Will very likely continue to be an important topic in the coming years

  18. All rights reserved Context Rudder is a critical component with

    a lot of dependencies • Runs everywhere with admin rights • Talks on the network • Exposes interfaces to multiple systems and people • Rather complex piece of software with mixed technologies

  19. All rights reserved Context We need to: • Carefully manage

    our own dependencies • Apply good development practices regarding security • Ensure the security of our sources, build process and linked infrastructure • Provide the required information to our users (docs, advice, sbom, etc.) Ad: Tomorrow at 2 p.m., I will give a dedicated talk about software supply chain security in the security room.

  20. All rights reserved Software Supply Chain • Dependencies : various

    code ecosystems ◦ C (openssl, curl, CFEngine, etc.) ◦ Scala/Java ◦ Rust ◦ F# ◦ Elm ◦ Javascript ◦ Python ◦ Perl ◦ etc.

  21. All rights reserved Software Supply Chain Upgrade strategy (7.0+) •

    Stricter version of our previous workflow • Upgrade all our dependencies for every minor version (at least to a supported patch release) • In practice, every 6 months • This allows reacting faster to security problems (in addition to the bug fixes) • Document and study exceptions

  22. All rights reserved Software Supply Chain Upgrade strategy • Frontend

    code has been lacking in this regard • AngularJS is a good example • Starting from 7.3, proper package manager to improve upgrade process

  23. All rights reserved Software Supply Chain Known vulnerabilities monitoring •

    Started in 2020 • Incrementally extended • Now covers full scope

  24. All rights reserved Software Supply Chain Security monitoring • Manual

    (oss-security ML, etc.) • Automated when possible • Runs daily ◦ Evaluate every alert quickly ◦ Either: ▪ Ignore if not affected ▪ Upgrade and publish according to our standard patch releases ▪ Handle as Rudder vulnerability if serious • e.g. a serious vulnerability in local user authentication (bcrypt brute-forcing)

  25. All rights reserved Software Supply Chain Security monitoring • Dedicated

    tools for (almost) each ecosystem • Needs a specific integration

  26. All rights reserved Software Supply Chain Are we SBOM yet?

    Gives information to the end-user. • Automated SBOM or nothing • We have the required pieces ◦ All dependencies versions known at build time • A few tricky points ◦ Plugins ◦ Immature ecosystem in general

  27. All rights reserved Infrastructure • Bare-metal build systems • Cloud

    and specific (e.g. AIX) hosting • Ephemeral build environments • Docker containers ◦ Weekly upgrade, only official containers ◦ Set as many components versions as possible • Dedicated signature server (packages & plugins) • Improved credentials management

  28. All rights reserved Software Supply Chain Security monitoring & remediation

    • We need it for the build infra and tooling too!

  29. All rights reserved Documentation • Documentation should include best-practices ◦

    Avoid examples with a copy-paste command creating an “admin” user with the “admin” password • Hardening documentation ◦ Advice for stuff not includable in the default settings

  30. Dev Team Culture & Processes

  31. All rights reserved Team Culture • Regular internal training ◦

    In 2022: ▪ General code security best practices ▪ Frontend security • Raising security topics awareness • Systematic security assessment of new features/changes

  32. Questions?