Software and Data Integrity
Introduction
This category, new in the OWASP Top 10 2021, covers assumptions made about the integrity of critical data, software updates, and Continuous Integration/Continuous Deployment (CI/CD) pipelines when that integrity is never verified.
Software and data integrity failures occur when code and infrastructure do not protect against integrity violations: for example, pulling dependencies from untrusted repositories, applying unsigned updates, or deserializing data that nobody has checked.
How to prevent it?
Use digital signatures or a similar mechanism to verify that software and data come from the expected source and have not been altered.
Ensure that libraries and other dependencies, such as NPM or Maven packages, are consumed from trusted repositories.
Ensure that a review process is always completed for code and configuration changes.
Ensure the CI/CD pipeline has proper configuration, segregation, and access control.
Ensure that unsigned or unencrypted serialized data is never sent to untrusted clients without an integrity check or digital signature, so that tampering or replay can be detected when the data comes back.
Example scenarios
Update without signing: Many home routers, set-top boxes, and similar devices apply firmware updates without verifying a signature. Unsigned firmware is a growing target for attackers and is expected to get worse.
Insecure deserialization: The application deserializes data from an unknown or untrusted source without an integrity check. Attacker-controlled serialized objects can be used to inflict denial of service or, where suitable gadget classes are reachable, remote code execution.
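The two preventions above (sign serialized data; never deserialize untrusted input blindly) side by side, as an added example that is not code from the original post. It signs a JSON body with HMAC-SHA256 and verifies it in constant time before parsing, shows a client-side edit being rejected, and contrasts that with pickle, whose loader executes whatever callable the blob names. DEMO_KEY, the payload, the tampering helper and the harmless record_call gadget are all constructed for the demo.

```python
"""Integrity-checked serialization: HMAC-signed JSON versus blind deserialization.

Added example, not code from the original post. DEMO_KEY, the payload and
the tampering helper are all constructed here so the script runs offline.
"""
import base64
import hashlib
import hmac
import json
import pickle

# Constructed demo key. In production load it from a secrets manager;
# never embed it in source or in the serialized data itself.
DEMO_KEY = b"demo-only-key-do-not-ship-0123456789"


def canonical(obj) -> bytes:
    """Deterministic JSON so the MAC always covers one unambiguous byte string."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_payload(obj, key: bytes = DEMO_KEY) -> str:
    """Return 'b64(body).b64(tag)' with tag = HMAC-SHA256(key, body)."""
    body = canonical(obj)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode()
            + "." + base64.urlsafe_b64encode(tag).decode())


def verify_payload(token: str, key: bytes = DEMO_KEY):
    """Check the MAC *before* parsing; raise ValueError on any tampering."""
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError as exc:   # bad split or bad base64 (binascii.Error is a ValueError)
        raise ValueError("malformed token") from exc
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison: a plain '==' leaks the position of the first differing byte.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return json.loads(body)     # data-only parser: nothing executes on load


def tampered_token(token: str) -> str:
    """Simulate a client editing the signed body without knowing the key."""
    body_b64, tag_b64 = token.split(".", 1)
    body = json.loads(base64.urlsafe_b64decode(body_b64))
    body["role"] = "admin"
    return base64.urlsafe_b64encode(canonical(body)).decode() + "." + tag_b64


# --- Why "just deserialize it" is not an option for untrusted input ---------
CALLS = []


def record_call(marker: str) -> str:
    """Harmless stand-in for whatever callable an attacker would name in the blob."""
    CALLS.append(marker)
    return marker


class Gadget:
    """pickle lets an object say 'rebuild me by calling f(*args)'; loads() obeys."""
    def __reduce__(self):
        return (record_call, ("code ran inside pickle.loads",))


def make_gadget_blob() -> bytes:
    """Constructed hostile blob: the bytes an untrusted client could hand us."""
    return pickle.dumps(Gadget())


def unsafe_deserialize(blob: bytes):
    """Deserializing unsigned, untrusted bytes: the blob decides what runs."""
    return pickle.loads(blob)


if __name__ == "__main__":
    token = sign_payload({"user": "alice", "role": "viewer"})
    print("verified:", verify_payload(token))
    try:
        verify_payload(tampered_token(token))
    except ValueError as exc:
        print("rejected tampered token:", exc)
    unsafe_deserialize(make_gadget_blob())
    print("side effects of pickle.loads:", CALLS)
```

An HMAC is enough when the signer and verifier share a secret (the same service signs what it later reads back from the client); when untrusted parties must be able to verify but not sign, such as firmware updates, the same structure applies with an asymmetric signature in place of the MAC.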
Infrastructure as Code
Infrastructure as Code (IaC) lets infrastructure be configured and deployed from definitions kept as code.
Because components are defined as code, they are created faster and consistently.
It enables repeatable deployments across environments.
Security Best Practices for IaC:
Deployment
Version control – Version control is the practice of tracking and managing changes to code. Ensure every change to the IaC is tracked with enough information (author, reason, reviewed diff) to support a revert.
Least privilege – Grant the pipeline identity and the resources it deploys only the permissions they need, and define access management policies on that basis.
Open-source dependency check – Analyze open-source dependencies, such as OS packages and libraries, to identify potential risks.
Managing secrets – Secrets are confidential data such as application tokens required for authentication, passwords, and SSH (Secure Shell) keys. Keep them out of templates and source control; reference them from a secrets manager at deploy time.
Threat modeling – Build the threat model early in the development cycle.
IDE plug-ins – Leverage standard security plug-ins in the integrated development environment (IDE).
Commissioning – Whenever a resource is deployed, ensure it is labeled, tracked, and logged in inventory management.
Decommissioning – Ensure the underlying configuration is erased, data is securely deleted, and the resource is completely removed from both the runtime and inventory management.
Tagging – During IaC operations, untagged assets are likely to become ghost resources that are hard to detect, visualize, and observe.
Runtime
Immutability of infrastructure – Build infrastructure components to an exact specification and, once deployed, replace them rather than modify them in place; drift from the specification then shows up as a tracked change instead of a silent edit.
Logging – Collect both security logs and audit logs while provisioning infrastructure; they help assess the security risks related to sensitive assets.
Monitoring – Continuous monitoring looks for security and compliance violations, helps identify attacks, and raises alerts on such incidents.
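Three of the deployment-time practices above (least privilege, managing secrets, tagging) as a pre-deployment gate, added here as an example and not code from the original post. It lints a CloudFormation template for bare wildcard IAM grants, secret-looking properties holding literal strings rather than a `{{resolve:secretsmanager:...}}` dynamic reference, and resources with no Tags. The template, the resource names, the rule names and the set of types that must be tagged are all constructed for the demo; a real pipeline would run this (or a maintained tool doing the same job) before `aws cloudformation deploy`.

```python
"""Pre-deployment checks over a CloudFormation template: wildcard IAM grants,
plaintext secrets and untagged resources.

Added example, not code from the original post. The template below is
constructed for the demo (one deliberate finding of each kind), and the
rules are a minimal illustration of the gate a CI/CD pipeline could run.
"""
import re

TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "DeployRole": {  # over-broad inline policy
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow",
                                   "Principal": {"Service": "codebuild.amazonaws.com"},
                                   "Action": "sts:AssumeRole"}]},
                "Policies": [{
                    "PolicyName": "too-broad",
                    "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}],
                "Tags": [{"Key": "owner", "Value": "platform"}],
            },
        },
        "AppDb": {  # plaintext password and no tags
            "Type": "AWS::RDS::DBInstance",
            "Properties": {"Engine": "postgres", "DBInstanceClass": "db.t3.micro",
                           "AllocatedStorage": "20", "MasterUsername": "app",
                           "MasterUserPassword": "Summer2024!"},
        },
        "ReportsDb": {  # the corrected form: dynamic reference plus tags
            "Type": "AWS::RDS::DBInstance",
            "Properties": {"Engine": "postgres", "DBInstanceClass": "db.t3.micro",
                           "AllocatedStorage": "20", "MasterUsername": "app",
                           "MasterUserPassword":
                               "{{resolve:secretsmanager:reports/db:SecretString:password}}",
                           "Tags": [{"Key": "owner", "Value": "analytics"}]},
        },
    },
}

SECRET_KEY = re.compile(r"password|passwd|secret|token|apikey", re.I)
# Dynamic references resolve at deploy time; the secret value never sits in the template.
DYNAMIC_REF = re.compile(r"^\{\{resolve:(secretsmanager|ssm-secure):")
# Constructed list for the demo; AWS supports tags on many more types.
MUST_TAG = {"AWS::IAM::Role", "AWS::RDS::DBInstance", "AWS::EC2::Instance", "AWS::S3::Bucket"}


def as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement; normalize."""
    return value if isinstance(value, list) else [value]


def check_least_privilege(name, props):
    """Flag Allow statements whose Action or Resource is a bare wildcard."""
    out = []
    for pol in props.get("Policies", []):
        for st in as_list(pol.get("PolicyDocument", {}).get("Statement", [])):
            if st.get("Effect") != "Allow":
                continue
            wild_action = any(a == "*" for a in as_list(st.get("Action", [])))
            wild_resource = any(r == "*" for r in as_list(st.get("Resource", [])))
            if wild_action or wild_resource:
                out.append((name, "least-privilege",
                            f"policy {pol.get('PolicyName')!r} grants "
                            f"Action={st.get('Action')} on Resource={st.get('Resource')}"))
    return out


def check_secrets(name, node, path=""):
    """Walk the properties; a secret-looking key holding a literal string is a finding."""
    out = []
    if isinstance(node, dict):
        for k, v in node.items():
            if isinstance(v, str) and SECRET_KEY.search(k) and not DYNAMIC_REF.match(v):
                out.append((name, "plaintext-secret", f"{path}{k} is a literal in the template"))
            else:
                out.extend(check_secrets(name, v, f"{path}{k}."))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            out.extend(check_secrets(name, v, f"{path}{i}."))
    return out


def check_tags(name, rtype, props):
    """Untagged resources become the ghost assets inventory never sees."""
    if rtype in MUST_TAG and not props.get("Tags"):
        return [(name, "missing-tags", "untagged resource will be invisible to inventory")]
    return []


def lint_template(template):
    """Return (resource, rule, message) triples; an empty list means the gate passes."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        findings += check_least_privilege(name, props)
        findings += check_secrets(name, props)
        findings += check_tags(name, rtype, props)
    return findings


if __name__ == "__main__":
    for resource, rule, msg in lint_template(TEMPLATE):
        print(f"{resource}: [{rule}] {msg}")
```

Fail the pipeline stage when `lint_template` returns anything; the ReportsDb resource shows the shape that passes. The wildcard check deliberately catches only a bare `*` so the example stays readable; a production rule set would also reason about `service:*` actions and resource ARNs.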
Security Logging and Monitoring Failures
Introduction
Without logging and monitoring, breaches cannot be detected. This category covers insufficient logging, detection, monitoring, and active response, any of which can fail at any time, for example when:
Warnings and errors generate no, inadequate, or unclear log messages.
The application cannot detect, alert on, or escalate active attacks in real time or near real time.
How to prevent it?
Ensure logs are generated in a format that log management solutions can consume easily.
Ensure log data is properly encoded to prevent injection or other attacks against the logging and monitoring systems.
DevSecOps teams should ensure effective monitoring and alerting so that suspicious activities are identified and responded to quickly.
Example Scenarios
A major Indian airline suffered a data breach involving more than ten years' worth of personal data of millions of passengers, including passport and credit card data. The breach occurred at a third-party cloud hosting provider, which notified the airline only after some time.
Implementation of Security Logging and Monitoring
Most developers use logging for debugging and diagnostic purposes. Security logging instead records security-relevant events while the application is running, so that attacks and misuse can be detected and reconstructed later.
Benefits of Security Logging
Security logging may be used:
For forensic analysis of application activity.
For regulatory compliance requirements.
Best Practices
Follow one logging format within and across the system, for example the Apache Logging Services family (log4j, log4cxx, log4net, log4php), which provides consistent logging across Java, C++, .NET, and PHP.
Log neither too much nor too little: excessive logging buries the events that matter and tends to capture sensitive data, while sparse logging leaves attacks impossible to reconstruct.
Logging for Intrusion Detection and Response
Use logging to identify a user who is behaving maliciously. Some of the scenarios to watch for include:
- Submitted data that falls outside the numeric range the application accepts.
- Requests that violate server-side access rules.
In such cases the application must log the activity and mark it as severe. At the same time, it must respond to an identifiable attack, for example by locking the account or invalidating the user's session.
Design Approach for Secure Logging Design
Secure logging can be implemented in the following ways.
- Validate and encode any dangerous characters (notably CR and LF) before logging, to prevent log injection attacks.
- Do not log sensitive information such as passwords, social security numbers, and credit card numbers.
- Protect log integrity: an intruder may tamper with logs, so permissions on log files must be restricted and logs written append-only where possible.
- Ship logs from each node of a distributed system to a central, secured logging service, so that log data is not lost if one node is compromised.
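The intrusion-detection scenarios above and the secure-logging design points in one piece of working code, added here as an example and not code from the original post. `format_event` emits one JSON object per line (the format a log management system consumes), neutralizes control characters so a newline in user input cannot forge a second record, drops values under secret-looking keys, and masks card-number and SSN shapes in free text. `IntrusionMonitor` logs every request, counts range and access-rule violations per user, and returns the response the application should take. The field names, the accepted quantity range, `LOCK_AFTER`, and the sample requests are all constructed for the demo; the `sink` callable stands in for the central log service.

```python
"""Security event logging: injection-safe encoding, redaction of secrets, and
a violation counter that drives the response (invalidate session / lock account).

Added example, not code from the original post. The field names, the numeric
range, LOCK_AFTER and the sample requests are constructed for the demo.
"""
import json
import re
from collections import Counter
from datetime import datetime, timezone

SENSITIVE_KEY = re.compile(r"password|passwd|ssn|card|cvv|secret|token", re.I)
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digit card-number shapes
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def neutralize(value: str) -> str:
    """Turn CR/LF and other control characters into visible escapes so attacker
    input cannot terminate the record and forge a second one (log injection).
    json.dumps would escape them as well; this also keeps plain-text sinks safe."""
    return CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def redact(obj):
    """Drop values under secret-looking keys and mask PAN/SSN shapes in strings."""
    if isinstance(obj, dict):
        return {k: "[REDACTED]" if SENSITIVE_KEY.search(k) else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    if isinstance(obj, str):
        return neutralize(SSN_RE.sub("[SSN]", PAN_RE.sub("[PAN]", obj)))
    return obj


def format_event(event: str, severity: str, **fields) -> str:
    """One JSON object per line: trivially parsed by a SIEM, never spans lines."""
    record = {"ts": datetime.now(timezone.utc).isoformat(),
              "event": event, "severity": severity}
    record.update(redact(fields))
    return json.dumps(record, ensure_ascii=True)


LOCK_AFTER = 3            # constructed threshold for the demo
QTY_RANGE = (1, 100)      # the numeric range this endpoint accepts


class IntrusionMonitor:
    """Logs every request and escalates when a user keeps violating rules."""

    def __init__(self, sink):
        # sink: any callable taking one line, e.g. a file, syslog, or the client
        # of a central collector so a compromised node cannot erase its history.
        self.sink = sink
        self.violations = Counter()

    def check_request(self, user, session, quantity, role, allowed_roles):
        """Return the action to take: 'allow', 'invalidate_session' or 'lock_account'."""
        problems = []
        if not (QTY_RANGE[0] <= quantity <= QTY_RANGE[1]):
            problems.append("quantity_out_of_range")
        if role not in allowed_roles:
            problems.append("access_rule_violation")
        if not problems:
            self.sink(format_event("request.ok", "info", user=user, session=session))
            return "allow"
        self.violations[user] += 1
        action = ("lock_account" if self.violations[user] >= LOCK_AFTER
                  else "invalidate_session")
        self.sink(format_event("request.suspicious", "high", user=user, session=session,
                               quantity=quantity, role=role, problems=problems,
                               violation_count=self.violations[user], action=action))
        return action


if __name__ == "__main__":
    lines = []
    monitor = IntrusionMonitor(lines.append)
    monitor.check_request("alice", "s-1", 5, "customer", {"customer"})
    # Constructed hostile input: a newline in the username plus an out-of-range quantity.
    for _ in range(3):
        monitor.check_request('mallory\n{"event":"forged"}', "s-2", -1, "customer", {"customer"})
    lines.append(format_event("login.failed", "warn", user="bob", password="hunter2",
                              note="typed card 4111 1111 1111 1111 into the username box"))
    print("\n".join(lines))
```

Each emitted line is a single JSON object even when the username carries a newline, the password never reaches the sink, and the third violation by the same user flips the returned action to `lock_account`; the key-name and pattern lists are a starting point to extend, not an exhaustive classifier of sensitive data.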
WRITTEN BY Veeranna Gatate