Secure Development Operations Week 1
Cloud Service Models
- Infrastructure as a Service (IaaS): This model provides users with a set of virtualized computing resources over the internet. With IaaS, you rent hardware such as servers, storage, and networking technology from a provider. You have control over the infrastructure in terms of the operating systems, applications, and development frameworks that you wish to use. You do not, however, need to worry about the physical maintenance of the hardware. This gives you more control over IT resources than the other models but also means more management responsibilities. Examples include Amazon Web Services (AWS), Google Compute Engine, and Microsoft Azure.
- Platform as a Service (PaaS): PaaS is a model where a provider delivers platforms to clients, allowing them to develop, run, and manage business applications without needing to build and maintain the infrastructure such software development requires. This eliminates the need to deal with server-side aspects such as system software and database management, leaving you free to focus on the development of your application. The level of control over IT resources is less than with IaaS but more than with SaaS. Examples include Google App Engine, Microsoft Azure App Services, and Heroku.
- Software as a Service (SaaS): In this model, users connect to and use cloud-based apps over the internet. The underlying infrastructure, app software, and app data are all maintained by the service provider, freeing users from hardware management and software upgrades. The level of control over IT resources is the least with SaaS as the service provider manages everything, including the applications themselves. Examples include Gmail, Microsoft 365, and Salesforce.
Heartbleed vulnerability
- The Heartbleed Bug is a severe vulnerability in the OpenSSL cryptographic software library, which provides communication security and privacy over the internet for applications such as web, email, and instant messaging. Discovered in 2014, it was an error in the implementation of the Heartbeat Extension for the Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) protocols.
This vulnerability allowed attackers to:
- Compromise secret keys used to identify service providers and encrypt traffic, allowing attackers to decrypt and eavesdrop on SSL/TLS encrypted communications.
- Steal data directly from the services and users, potentially leading to identity theft and other fraudulent activities.
- Impersonate services and users, leading to breaches of trust and privacy.
The bug persisted in the wild until a fix was released by OpenSSL and deployed by service providers and users. Operating system vendors, distribution and appliance vendors, and independent software vendors needed to adopt the fix and notify their users. It was then up to service providers and users to install the fix as it became available for the operating systems, networked appliances, and software they use. It was a critical reminder of the importance of regular patching, upgrading, and security auditing.
- Easier Explanation: Think of the internet as a massive city, and every website you visit is like a different building in that city. Just like in a city, there are good places and bad places. We can protect ourselves from the bad places by using locks on our doors, security systems, and so on. OpenSSL is like one of these security systems that protects a lot of buildings (websites) in this city (internet).
Now, imagine there was a popular brand of lock that many buildings were using, and someone discovered that these locks had a flaw (the Heartbleed bug) which allowed thieves to unlock the door, without leaving any trace. The thieves could then go in, steal valuable information, and even pretend to be the building’s owner.
Here, the ‘thieves’ represent hackers, and the ‘buildings’ are servers (machines that hold website data). The Heartbleed bug essentially allowed hackers to exploit a flaw in the OpenSSL security system to access secure data without anyone noticing.
The good news is that once this flaw was discovered, it was like sending out a massive recall on these faulty locks to replace them with secure ones. This involved updating the OpenSSL system to fix the Heartbleed bug. However, it was also important that everyone using this system had to take action to replace their own faulty locks, meaning they had to apply the update to their servers.
In summary, the Heartbleed vulnerability was a serious security flaw in a widely used internet security system (OpenSSL), which, once discovered, required immediate action to fix and prevent potential information theft.
- OpenSSL: OpenSSL is a software toolkit or a library containing a set of tools and techniques that are used for securing communications over computer networks. These tools help to ensure that the data you send and receive remains confidential (hidden from those who shouldn’t see it) and hasn’t been tampered with (maintaining integrity). OpenSSL is widely used across the internet to secure our communications.
Here are some key aspects of OpenSSL:
- Encryption: One of the primary functions of OpenSSL is encryption. This is like translating information into a secret code. If you have ever seen a spy movie, you might have seen scenes where people send coded messages that only the recipient can understand – encryption works in a similar way. It turns readable data (plaintext) into a coded form (ciphertext) that looks like a bunch of random characters.
- Decryption: This is the reverse process of encryption. It takes that secret code and turns it back into its original form so that the recipient can understand it.
- Certificates and Keys: OpenSSL also helps to create digital certificates and keys. These work like digital passports, providing a way to verify someone’s identity online. The keys are like digital versions of a handwritten signature and a matching seal.
- SSL/TLS Protocols: OpenSSL implements the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols. These are the rules for how computers should share data when using OpenSSL. They’re like the grammar rules for a language, telling computers how they should format and transmit the data to make sure that it remains secure.
Overall, OpenSSL is a fundamental part of how we keep information secure on the internet, helping to ensure that when you send an email, or buy something online, your sensitive data is kept safe.
- The cause of the Heartbleed vulnerability: The Heartbleed vulnerability was caused by a programming mistake in the OpenSSL library, specifically in the implementation of a feature known as the Heartbeat Extension for the Transport Layer Security (TLS) protocol.
The Heartbeat Extension is used to keep connections open, even when data isn’t being transmitted. It does this by sending “heartbeat requests,” which are like little pings or nudges, and then receiving “heartbeat responses” in return.
Here’s where the problem occurred: when a system sends a heartbeat request, it specifies how much data it’s sending and expects to get the same amount of data back. However, due to a programming error, the receiving side never checked that claimed size against the amount of data that had actually arrived, so a malicious heartbeat request could lie about how much data it was sending.
For example, it could say “I’m sending 64 kilobytes of data” but only send 1 kilobyte. The system on the receiving end would then send back 64 kilobytes anyway: the 1 kilobyte it actually received, plus 63 kilobytes of whatever other data happened to sit next to it in memory, to make up the difference.
This extra 63 kilobytes could contain sensitive information, like passwords or encryption keys. An attacker could keep sending these malicious heartbeat requests and collect lots of potentially sensitive data from the system’s memory.
This is why it was called “Heartbleed,” because the bug was in the heartbeat feature and it led to data “bleeding” out.
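As an added example (not part of these notes and not OpenSSL’s own code), here is the length handling described above written in C, with the unchecked copy next to the bounds check that the fix introduced. The record layout, the 128-byte “memory” buffer, the record sizes, and the secret string are all constructed for the demo.

```c
#include <stdint.h>
#include <string.h>

/* Simplified TLS heartbeat record: type(1) | payload_length(2, big-endian) | payload | padding(16). */
#define HB_HDR 3
#define HB_PADDING 16

/* Constructed "process memory" (demo assumption): the received record sits at the start and a
 * secret a real server might keep nearby is placed directly after it. */
static unsigned char g_memory[128];
static const char SECRET[] = "SECRET-KEY-MATERIAL";

/* Write a heartbeat request that claims `claimed` payload bytes but carries only `actual`.
 * Returns the true length of the record as it arrived on the wire. */
size_t build_record(uint16_t claimed, size_t actual) {
    memset(g_memory, 0, sizeof g_memory);
    g_memory[0] = 1;                                   /* heartbeat_request */
    g_memory[1] = (unsigned char)(claimed >> 8);
    g_memory[2] = (unsigned char)(claimed & 0xffu);
    memset(g_memory + HB_HDR, 'A', actual);            /* bytes actually sent */
    size_t record_len = HB_HDR + actual + HB_PADDING;
    memcpy(g_memory + record_len, SECRET, sizeof SECRET); /* adjacent memory */
    return record_len;
}
static uint16_t claimed_length(void) { return (uint16_t)((g_memory[1] << 8) | g_memory[2]); }

/* Vulnerable pattern (pre-fix logic): copies `claimed` bytes from the payload without ever
 * comparing that number with the record length that actually arrived. */
size_t respond_unchecked(size_t record_len, unsigned char *out) {
    (void)record_len;                                  /* ignored: this is the bug */
    memcpy(out, g_memory + HB_HDR, claimed_length());  /* over-reads into the adjacent secret */
    return claimed_length();
}

/* Hardened pattern (the shape of the OpenSSL fix): header, claimed payload and padding must
 * fit inside the received record, otherwise the request is silently discarded. */
size_t respond_checked(size_t record_len, unsigned char *out) {
    size_t claimed = claimed_length();
    if (HB_HDR + claimed + HB_PADDING > record_len) return 0;
    memcpy(out, g_memory + HB_HDR, claimed);
    return claimed;
}

/* True if a response contains the constructed secret, i.e. memory "bled" out. */
int leaks_secret(const unsigned char *out, size_t n) {
    size_t slen = strlen(SECRET);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, SECRET, slen) == 0) return 1;
    return 0;
}
```

A request claiming 40 bytes while sending 4 makes the unchecked responder return the secret, while the checked responder returns 0 bytes; an honest 4-byte request is answered normally by both.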