DEV Community: Dori_an

Steps for Conducting a Kubernetes Security AssessmentSteps for Conducting a Kubernetes Security Assessment

Dori_an — Wed, 23 Feb 2022 07:57:53 +0000

Kubernetes has been widely adopted due to its flexibility and lack of fragmentation. The fact that Kubernetes orchestrates more than three-quarters of containerized applications proves that people indeed love Kubernetes. As a result, Kubernetes is becoming one of the most crucial parts of the ecosystem of most IT organizations.

While Kubernetes is widely applicable, it also introduces new attack surfaces as it is often misconfigured. According to a research report by Trend Micro, TeamTNT conducted a targeted attack on Kubernetes and managed to compromise nearly 50,000 IP addresses. In this paper, we will go through several steps and methods to conduct a Kubernetes security assessment.

1. Securing Kubernetes Hosts

Kubernetes provides various options for deploying Kubernetes on your infrastructure: on-premise, on bare metal, on the public cloud. Kubernetes was designed to be highly portable and to facilitate multiple configurations and changes. While this flexibility is helpful in certain scenarios, it also introduces various possible attack vectors. To make sure that all the hosts you run on Kubernetes are secure, ensure the operating systems (OS) are secured by installing their latest versions, implementing OS hardening, and implementing patch management and essential firewall rules.

2. Kubernetes Version Control

The open source community is constantly coming up with new features and bug fixes for Kubernetes in newer versions. So, it becomes arduous to keep track of all versions and potential attack vectors. The best way to prevent most attacks is to always keep the Kubernetes version updated to the latest version available.

3. Kubernetes Components

As Kubernetes is a labyrinth of various features and numerous configurations, it is critical to make sure all components of Kubernetes are secure.

4. Sensitive Ports

Kubernetes typically listens on a variety of ports. If you leave Kubernetes with its default configurations, it is easy for attackers to identify which port is running what service and attack them. Thus, it is critical to configure authentication and authorization on the main cluster and the cluster nodes.

To ensure that ports on your nodes are configured correctly, it is critical to follow K8s best practices. Ideally, in Kubernetes security assessment, the auditor should test if sensitive ports are left with their default configurations and if authentication and authorization on the main cluster is well configured or not.

5. Direct Access to Kubernetes API

Kubernetes API is one of the most critical components of any Kubernetes infrastructure. The whole Kubernetes platform can be controlled using various API requests, so if the API is compromised, it could compromise the entire platform. Therefore, it is important to control access to the Kubernetes API. More instructions on controlling access can be found in the documentation.

6. Test Direct SSH Access to Kubernetes Nodes

If enabled, SSH (secure shell) introduces additional attack surfaces for attackers to exploit. Therefore, in security assessment, it should be tested whether direct SSH access to Kubernetes nodes is possible or not.

To reduce the risk of attackers performing brute force attacks or SSH exploits, SSH should be disabled, and users should use "kubectl exec" instead to get direct access to the Kubernetes container.

7. Test if TLS (Transport Layer Security) Is Implemented

In most cases, system administrators do not implement TLS even though communications in the cluster between services should be handled using TLS while encrypting all traffic by default. If TLS is not configured, attackers in the network can sniff for packets and capture sensitive communications between services. So, Kubernetes expects every API call and communication in the cluster to be encrypted with TLS.

By default, most Kubernetes installation methods provide users with the option to install and create necessary certificates and distribute them to the cluster components to implement TLS. More details about how TLS can be used in a Kubernetes cluster can be found in the documentation.

8. Kubernetes Dashboard

Source

In addition to the command line and API, Kubernetes allows users to manage clusters with a Kubernetes web app called Kubernetes Dashboard. While it is not installed by default, it can be installed by system administrators of the cluster.

Generally, most installations consist of creating a service account with high privileges. Unfortunately, this can result in a poorly configured Kubernetes Dashboard with the possibility of getting hacked. Even big companies like Tesla are not exempt from making this mistake. In 2018, Tesla's Kubernetes resources got hacked to run crypto-mining malware.

To configure Kubernetes Dashboard properly, make sure that dashboards are not exposed to the public without proper authentication. It should not be possible to access the dashboard from outside the LAN. You can also limit the number of service accounts with RBAC. Additionally, make sure the service account of the dashboard is not given high privileges. Finally, deploy authenticating reverse proxy on the dashboard and enable multi-factor authentication.

Conclusion

As your Kubernetes infrastructure deals with vast amounts of computing resources, it is critical to protect those resources from attackers. The best way to prevent attackers from gaining unauthorized access to your Kubernetes infrastructure is to conduct regular manual security pentests and automated assessments with tools such as kubescape.

How to Improve Your Solidity Smart Contract Programming Skills

Dori_an — Tue, 12 Oct 2021 21:05:48 +0000

Blockchain-based smart contracts allow developers to program complex business logic into software applications in a seamless manner. Smart contract programming is expected to be a highly sought-after skill as we head into 2022 and beyond. That's because writing Web 3.0 apps is well on its way to becoming a global standard and smart contracts are set to play a key role in the development of decentralized finance (DeFi) platforms.

Ethereum (ETH) has emerged as the dominant blockchain for creating DeFi applications which serve a wide range of use-cases. For the first time in history, complex financial transactions can be executed without requiring costly intermediaries that may take a long time to settle transactions between different parties.

While there are many so-called Ethereum competitors in the market, they don't benefit from nearly the same networking effects and large developer community. For this reason alone, Ethereum's native Solidity smart contract programming language has become an industry standard. While other software development environments are also being widely-adopted, there's no denying that Solidity is among the most popular languages for programming smart contracts.

So how does one go about learning Solidity? Well, you have to practice a lot and pay attention to details. In addition to that, here are four great ways to really sharpen your Solidity coding skills.

1. Reviewing Source Code Written by Other Programmers

University professors in the computer science department will tell you always to read and seriously study source code written by skilled programmers. Oftentimes, the best way to learn how to program in a certain language requires carefully studying, line by line, how other developers have written their code.

Writing code in Solidity is no exception, because one can only acquire the best smart contract programming skills by reading the code authored by other experienced software architects. When you read through large libraries of source-code, you will begin to learn how to properly program basic commands and tasks. For instance, there could be a standard or highly effective way to create a certain type of business application using smart contracts.

By learning how this is done in a standardized, routine, and efficient manner, programmers will become experts. But of course, there's more to it than just reviewing code authored by others. So let's go over some other great ways to become a better Solidity coder.

2. Taking Solidity Programming Courses Online

In the digital world, online computer programming courses are becoming highly popular amongst teenagers or older programmers who may be in University, working in an Internship, or even a seasoned developer trying to learn a new coding language.

In some ways, learning Solidity is like learning a new natural language. You know, the kind humans speak such as English or Mandarin. You have to learn the syntax and all the semantics (meaning behind the code). Youtube is a free and highly-recommended platform for learning all things related to Solidity. One of the best things about YouTube is that it's free, so you don't pay anything to learn. Then there's also Udemy and other online learning portals like Khan Academy where people can go to learn new skills, including Solidity code, of course.

3. Hackathons

But what could be better than learning for free? There's only one thing better, which is to potentially earn large rewards for getting better at Solidity coding. A great example for such a hackathon is the Metis hackathon. The developers of the Metis Layer-2, Optimum Rollup solutions for Ethereum have announced an exciting hackathon event that will allow participants to earn a share of $1 million in digital tokens.

Metis is a great initiative because they provide opportunities to build cutting-edge dApps as well as a chance to participate in charitable projects.

By competing in this hackathon event, you should be able to really sharpen those Solidity coding skills. For more information on this event, check here.

4. Software Testing, Debugging

Another great way to get better at Solidity coding is to test programs and identify bugs or other issues. This will really teach you how to write programs in the right manner. You can also practice debugging code, by using special tools to run programs line by line, while studying and monitoring the changing values of program variables, and also check for other details.

This is a good way to learn how programs actually work, so that you get a better idea of how to code smart contracts effectively.

Cover Photo by Glenn Carstens-Peters on Unsplash

Introduction to Remote Java Debugging for Beginners

Dori_an — Tue, 21 Sep 2021 01:44:27 +0000

Introduction

Most of us developers use our trusty print statements to debug the application, but analyzing the program over and over, adding/removing a bunch of print statements can be time consuming as well as exhausting. So, a debugger lies on the top of any developer's toolbox

Debugging has come a long way with time. From Admiral Grace Hopper finding a moth in her system impacting her program in the 1940s and coining the term "Debugging", computer programs nowadays are more complicated. And with complexity, it becomes even much harder to find bugs in a huge codebase.

This makes the need more pressing for a robust debugger which not only helps developers find bugs, but also perform debugging without affecting deployed running programs on remote systems.

With debugging, it becomes easier to understand someone else's code.

In 2020, total spending on cloud services by end-users was $270 billion. With so many people adopting the cloud for its convenience, it is not surprising to know that developers are now developing their applications remotely on cloud servers.

Though there are many benefits to developing Java applications remotely on cloud servers, the question of efficiently and correctly debugging arises. This is where remote debugging comes.

In this article, we will take a look at remote debugging Java projects using Lightrun's remote debugging tool, Lightrun Cloud.

Setting up IntelliJ IDEA

According to the annual JVM ecosystem report by Snyk, 62% of developers use IntelliJ IDE as their main IDE (integrated development environment). IntelliJ provides higher developer productivity as well as increased testing and debugging productivity with improved testing plans.

Therefore, we will be using a free-to-use production debugger called Lightrun Cloud. It has logging capabilities and staging environments and operates on the IntelliJ IDE for Java applications. It is great for Monolith, microservices, Kubernetes, Docker Swarm, ECS, Big Data workers, serverless, and more such applications.

There are multiple ways to set up Lightrun in your environment. The best way is to install it directly from the IntelliJ marketplace.

Go to File > Settings.

In settings, go to Plugins > Marketplace.

Here, search for Lightrun to Install.

After a restart, Lightrun will be set up in your environment.

Creating Demo Code

To add demo code, create a new java class file under src.

Here, add the following demo code to debug.

public static void main(String[] args) {
    System.out.println("Starting");
    for (char c = 'A'; c < 'Z'; c++) {
        try {
            Thread.sleep(2500);
        } catch (InterruptedException e) {
            e.printStackTrace();
        }
        System.out.println(c);
    }
    System.out.println("Complete");
}

This code simply prints alphabets, but it is enough to demonstrate debugging.

Configuring Lightrun

Now, we will need to add a new run configuration to properly run our debugger on the code.

Navigate to Run > Edit Configuration. That should open a new window.

Click on the + icon to create a new configuration and choose remote JVM Debug.

Now, fill in the details as follows:

Assign a name to the configuration. In this case, we have called it "lightrun-test".

The host and port sections are the most important part of the configuration as they tell your IDE where to connect for the remote debug.

Add the IP address of your remote system in the host section as well as the port of the service listening for remote debugging. Here, for the testing, we are putting localhost to specify we are connecting to localhost. You can keep command line arguments to default or change as needed. Copy the command line to a file for later use.

Packaging the code in a JAR file

Now that Lightrun is configured, we need to create a JAR file to run remotely. Open File > Project Structure and click on Artifacts.

Click on +, click on JAR, and click "from the module with dependencies".

On the right side of the screen, click on the icon and select the class name, apply changes, and close.

Now, you can build by going to Build and clicking on Build Artifacts. Next, click on "Create JAR" and click on Build. Now, you should have a JAR file in the out/artifacts folder.

Now, you can directly run the JAR using a command line with the string we copied before:

Adding Configuration for The Running Application

The next step is adding a new configuration for the application.

Go to Run > Edit Configuration and add a new configuration under Application.

Click on Modify Options and ADD VM options.

Later, in the field of VM options, paste the string containing arguments.

Now, you can directly run the application as well as debug it remotely by adding breakpoints.

Cover Photo by AltumCode on Unsplash