Oliver Gibbs

Edge Protection with AWS WAF

2019-04-24T00:00:00+00:00

AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules. You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application. New rules can be deployed within minutes, letting you respond quickly to changing traffic patterns. Also, AWS WAF includes a full-featured API that you can use to automate the creation, deployment, and maintenance of web security rules.

With AWS WAF you pay only for what you use. AWS WAF pricing is based on how many rules you deploy and how many web requests your web application receives. There are no upfront commitments.

You can deploy AWS WAF on either Amazon CloudFront as part of your CDN solution, the Application Load Balancer (ALB) that fronts your web servers or origin servers running on EC2, or Amazon API Gateway for your APIs.

Introduction

Before we dive too deep, let’s cover some basics.

How WAFs Work

A Web Application Firewall, WAF, at a fundamental level will use a set of rules to distinguish between normal requests and malicious requests and will typically operate in one of three modes:

Negative Model (Blacklist) uses pre-set signatures to block web traffic that is clearly malicious, and signatures designed to prevent attacks which exploit certain website and web application vulnerabilities. Blacklisting model web application firewalls are a great choice for websites and web applications on the public internet, and are highly effective against an major types of DDoS attacks. Eg. Rule for blocking all <script>*</script> inputs.
Positive Model (Whitelist) only allows web traffic according to specifically configured criteria. For example, it can be configured to only allow HTTP GET requests from certain IP addresses. This model can be very effective for blocking possible cyber-attacks, but whitelisting will block a lot of legitimate traffic. Whitelisting model firewalls are probably best for web applications on an internal network that are designed to be used by only a limited group of people, such as employees.
Mixed/Hybrid Model (Inclusive Model) is one that blends both whitelisting and blacklisting. Depending on all sorts of configuration specifics, hybrid firewalls could be the best choice for both web applications on internal networks and web applications on the public internet.

Testing Methodology

Always look out for common ports that expose that a WAF, namely 80, 443, 8000, 8008, 8080 and 8088 ports. This can be automated easily via command line tooling like cURL.
Different WAFs are implemented differently and therefore exhibit different behaviours. AWS WAF exhibits the following:
AWS WAF associates itself with separate HTTP headers, allowing for moderate fingerprinting.

Detection / Fingerprinting

Manual

AWS WAF is considered to exhibit moderate detectability, if following this simple detection methodology.

Response headers might contain:

AWSALB cookie field value.
X-AMZ-ID header.
X-AMZ-REQUEST-ID header.

Response page may contain:

Access Denied in their keyword.
Request token ID with length from 20 to 25 between RequestId tag.
Server header field contains awselb/2.0 value.

Devsecops

2019-04-17T00:00:00+00:00

Principles

DevSecOps remains an ongoing journey, it is not an end destination
Small security teams can have a profound impact
Help teams how they can address security concerns
Organise around self-service and enablement
Translate security for the layperson
Perfection is the enemy… get Rugged

Adopting Cloud at Accelerated Speed

2019-03-20T00:00:00+00:00

When approaching the notion of adopting Cloud, it can be a daunting task. You’re faced with establishing a strategy, identifying your approach, commercials, governance, operational changes, people skills. Where do you begin?

Based on the numerous adoptions I’ve worked through, I recommend leveraging the AWS Cloud Adoption Framework as a guide to establishing a pathway through some of these decisions and realising business value, faster.

What is the AWS Cloud Adoption Framework?

The Amazon Web Services Cloud Adoption Framework (CAF) is a framework originally developed by AWS Professional Services (ProServ) to help organisations design and travel an accelerated path to successful cloud adoption. The guidance and best practices provided by the framework help you build a comprehensive approach to cloud computing across your organisation and throughout your IT lifecycle.

Using the AWS CAF helps you realise measurable business benefits from cloud adoption faster and with less risk.

We’ll first introduce how the CAF is organised, then focus in on our main area of focus, namely Security.

How is the AWS CAF organised?

The AWS Cloud Adoption Framework (AWS CAF) organises guidance into six areas of focus, called perspectives. Each perspective covers distinct responsibilities owned or managed by functionally related stakeholders. In general, the Business, People, and Governance Perspectives focus on business capabilities; while the Platform, Security, and Operations Perspectives focus on technical capabilities.

Let’s briefly introduce each of the six perspectives.

Business Perspective

The Business Perspective helps you move from separate strategies for business and IT to a business model that integrates IT strategy. Agile IT strategies are aligned to support your business outcomes, and they can adjust to business needs or technical capabilities as they change.

Common Roles: Business Managers; Finance Managers; Budget Owners; Strategy Stakeholders.

Capabilities

IT Finance	addresses your capacity to plan, allocate, and manage the budget for IT expenses with the use-based cost model of cloud services.
IT Strategy	helps you take advantage of cloud-based IT approach to deliver value and end-user adoption.
Benefits Realisation	helps you to measure the benefits of your IT investments using methods for a cloud-based IT operating model.
Business Risk Management	helps you estimate the potential business impact of preventable, strategic, and/or external risks.

Resources

People Perspective

The People Perspective helps Human Resources (HR) and personnel management prepare their teams for cloud adoption by updating staff skills and organizational processes to include cloud-based competencies.

Common Roles: Human Resources; Staffing; People Managers.

Capabilities

Resource Management	helps you understand and forecast new personnel needs for a cloud-based model.
Incentive Management	helps you implement a compensation program that will attract and retain the personnel required to operate a cloud-based IT model.
Career Management	helps you identify, acquire, and retain the skills needed for your cloud migration and ongoing operating model.
Training Management	provides guidance on how to develop or acquire training for your employees so they can perform their roles in a cloud environment.
Organisational Change Management	helps you manage the impact of business, structural, and cultural changes caused by cloud adoption.

Resources

Governance Perspective

The Governance Perspective integrates IT Governance and Organizational Governance. It provides guidence on identifying and implementing best practices for IT Governance, and on supporting business processes with technology.

Common Roles: CIO; Program Managers; Project Managers; Enterprise Architects; Business Analysts; Portfolio Managers.

Capabilities

Portfolio Management	provides a mechanism to manage it based on desired business outcomes. It can help to determine cloud-eligibility for workloads when prioritizing which services to move to the cloud.
Program and Project Management	helps you manage technology projects using methodologies that take advantage of the agility and cost management benefits inherent to cloud services.
Business Performance Measurement	helps you measure the impact of the cloud on business objectives.
License Management	defines methods to procure, distribute, and manage the licenses needed for IT systems, services, and software.

Resources

Platform Perspective

The Platform Perspective helps you design, implement, and optimize the architecture of AWS technology based on business goals and objectives. It helps provide strategic guidance for the design, principles, tools, and policies you will use to define AWS infrastructure. The Platform perspective also includes principles and patterns for communicating your target state environment, implementing new solutions on the cloud, and migrating on-premises workloads to the cloud.

Common Roles: CTO; IT Managers; Solution Architects.

Capabilities

Systems and Solution Architecture	helps you define and describe the system design and your architectural standards.
Compute, Network, Storage, and Database Provisioning	helps you develop new processes for provisioning infrastructure in a cloud environment. Provisioning shifts from an operational focus aligning supply with demand, to an architectural focus aligning services with requirements.
Application Development	addresses your ability to support business goals with new or updated applications, and helps implement new skills and processes for software development that take advantage of the agility gained by cloud computing.

Resources

Operations Perspective

The Operations Perspective helps you to run, use, operate, and recover IT workloads to levels that meet the requirements of your business stakeholders. Insights gained through the Operations Perspective define your current operating procedures as well as process changes and training needed for successful cloud adoption. Well-managed IT operations support the operations of the business from planning and sustaining, through change and incident management.

Common Roles: IT Operations Managers; IT Support Managers.

Capabilities

Service Monitoring	focuses on detecting and responding to IT operations health indicators, to meet your service level agreements and operating level agreements.
Application Performance Monitoring (APM)	provides you with new approaches for monitoring application performance in a cloud environment to ensure that application health meets defined requirements.
Resource Inventory Management	helps you manage virtual IT assets to provide services that are both high performing and cost efficient.
Release/Change Management	helps your teams adopt software development best practices such as automation and Continuous Integration/Continuous Delivery (CI/CD) techniques, increasing the pace of your innovations.
Reporting and Analytics	helps you monitor the health of cloud assets and provide insights to help you reach the desired level of performance.
Business Continuity/Disaster Recovery	helps you implement processes to keep your business running during a catastrophic event.
IT Service Catalog	helps you to offer cloud services to the business using a model that can help to improve efficiency of providing IT services as well as the productivity of consuming them.

Resources

Security Perspective

The Security Perspective helps you structure the selection and implementation of controls. Following this guidance can make it easier to identify areas of non-compliance and plan ongoing security initiatives.

Common Roles: CISO; IT Security Managers; IT Security Analysts.

Capabilities

Identity and Access Management (IAM)	helps you integrate AWS into your identity management lifecycle, and sources of authentication and authorization.
Detective Control	provides guidance to help identify potential security incidents within your AWS environment.
Infrastructure Security	helps you implement control methodologies necessary to comply with best practices as well as meet industry or regulatory obligations.
Data Protection	helps you to implement appropriate safeguards that protect data in transit and at rest.
Incident Response	helps you define and execute a response to security incidents.

Resources

Bourne Again, uplifting the macOS bash shell

2019-01-04T00:00:00+00:00

Apple laptops and desktops have remained a popular choice for developers. Being based on the BSD kernel, Apple macOS is easily able to offer a familiar UNIX experience when using the command line. The macOS operating system has come with the bash shell for a number of years now, so why is this post even required?

This is a valid question to ask and you may be extremely comfortable with the stock version of bash that is installed by default with macOS. In the current macOS Mojave (10.14.5), the version of bash is:

$ /bin/bash --version
GNU bash, version 3.2.57(1)-release (x86_64-apple-darwin18)
Copyright (C) 2007 Free Software Foundation, Inc.

As you can see from the output, the version installed is GNU bash v.3.2.57(1)-release. As the copyright clearly states, this version of GNU bash dates back to 2007. As it’s currently 2019, a lot can happen in 12 years, especially in computing and security patching.

The reasoning behind why GNU bash on macOS boils down to good old licensing. GNU bash v3.2 was released under the GNU General Public License v2 (GPLv2). The successor to GNU bash v3.2 is v4.0 and it was this release when GNU bash moved to the GNU General Public License v3 (GPLv3). Unfortunately for macOS users, Apple does not (currently) support the GPLv3 licensing terms, for whatever their reasons may be. Put another way, the version of GNU bash has remained at GNU bash 3.2 since Mac OS X 10.2 (Jaguar). So, now we know why macOS does not ship with any later releases of GNU bash. What can we do?

Luckily, upgrading is fairly straightforward and you can run multiple versions of GNU bash with no impact to an otherwise stock macOS installation. Later version of GNU bash for Darwin are available from MacPorts, Homebrew or Fink. Alternatively, precompiled macOS packages are available from various websites or can be built directly from source if required.

Why bother upgrading?

I’ve been running later GNU bash releases on my various Mac’s that I’ve owned over the last decade, the motivation behind this post was a recent change of employment and receiving a brand new Apple Macbook Pro 15 forced me to go through the set up. Shortly after, a colleague asked how to upgrade, so I thought I’d throw this post together.

GNU bash v3.2.57 probably works just fine for most people. For me, the main reason to upgrade was to keep my “dot files” operable and in-sync with my Linux and UNIX environments all running current version of GNU bash. At time of writing, the latest release is GNU bash v5.0.7 release. Whilst there’s nothing particularly special about my “dot files”, I do like to modify the shell behaviour using shopt built-ins that remain unavailable in GNU bash v3.2. Whilst the scripts handle the version avoiding the unsupported shopt built-ins, I found it lacking these remained unavailable on my macOS. Another common reason is newer releases of GNU bash support programmable tab auto-completion.

Do not worry, upgrading is simple and smooth sailing.

Installing GNU bash v5.0 on macOS

To install, you will first need to decide whether you are going to install GNU bash via a package or compile from source. In the interest of time and simplicity, I will discuss installing GNU bash v5.0 using Homebrew, which you’re probably already using.

$ brew install bash

…and you’re done! Well, kind of but not quite. Let’s look at what’s happened.

Let’s first verify what version of GNU bash has been installed:

$ which -a bash
/usr/local/bin/bash
/bin/bash

Here we see we have two bash binaries, so let’s see what’s happening.

$ /usr/local/bin/bash --version
GNU bash, version 5.0.7(1)-release (x86_64-apple-darwin18.5.0)
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

and

$ /bin/bash --version
GNU bash, version 3.2.57(1)-release (x86_64-apple-darwin18)
Copyright (C) 2007 Free Software Foundation, Inc.

So it’s clear here that /bin/bash is our stock version of GNU bash, supplied by Apple macOS. The version installed by brew is /usr/local/bin/bash.

By default, /usr/local/bin will feature earlier in your PATH environment variable, so whenever you execute a bash --version, you will always get the latest version. As such, this new version of GNU bash is now the default.

So it’s installed?

Yes, congratulations. You’ll probably log out and log back in and realise your shell is still the old version of GNU bash. Why?

UNIX provides a security feature that restricts the shells that can be used by users to a trusted, known list of login shells. As everything in UNIX is a file, the root-owned file in question is the /etc/shells file. To add the new version of GNU bash as your login shell, you must update this file.

$ sudo echo "/usr/local/bin/bash" >> /etc/shells

Now that this file has been updated, you’ll soon realise that /bin/bash is still your default shell, not the new version installed. This is because your user profile needs to be updated to use the new shell.

$ chsh -s /usr/local/bin/bash

The shell used by your user profile has now been updated to /usr/local/bin/bash which is the new GNU bash release installed. Note that this change is only for your current user profile and will takes effect once you end your current session.

If you close your Terminal or iTerm session and reopen, you’ll now notice that you’re running the later GNU bash release.

Great, well done!

Things to note

As we’ve seen, you have two versions of GNU bash installed and these will happily coexist without any real issues.

Shell Scripts

When you write shell scripts, bare in mind you have two versions of bash installed and which version is which. In particular, keep close attention to the shebang of bash scripts:

#!/bin/bash
echo $BASH_VERSION

The above script looks basic enough but the shebang explicitly requests the stock version of GNU bash installed on macOS. This can be easily ovrercome by specifying /usr/local/bin/bash instead. However, a more elegant way is using the /usr/bin/env binary.

#!/usr/bin/env bash
echo $BASH_VERSION

This version of the same script leverages /usr/bin/env and requests the bash shell, which inspects the PATH environment variable and, as mentioned earlier, will find /usr/local/bin/bash before /bin/bash.

Delete old, Symlink new?

I recall a colleague of mine once suggesting to delete the stock version of bash and symlink the new. This might look something like the below (please do not execute the below).

$ sudo rm /bin/bash
$ sudo ln -s /usr/local/bin/bash /bin/bash

Whilst this idea attempts to remove the multiple version of GNU bash installed and shell scripts would in theory leverage a newer GNU bash, it presents another problem.

Apple macOS provides a built-in security feature called the System Integrity Protection (SIP). What this feature does is it stops write access to specific directories within macOS even for the root user. This includes the /bin directory.

Of course SIP can be disabled, changes in /bin directory can then be made and SIP can then be enabled again. Apple even describe how to do it here. It’s up to you, but I personally prefer to leave the stock version present to prevent any Apple macOS update issues.

Whichever you decide, enjoy using a recent GNU bash release on your macOS! You’ll feel Bourne Again …

Update - June 2019

During WWDC Developer Conference in June 2019, Apple announced its next version of macOS (v.10.15, codename: Catalina). This beta version will introduce numerous changes but of interest to this article is Apple will be changing the macOS default shell from GNU bash 3.2 to the Z shell (zsh).

Zsh is an extended Bourne shell with a large number of exhancements, including numerous features from bash, Korne shell (ksh) and tcsh. One of the best known features is its various compatibility modes which allow zsh to pretend to be the Bourne shell when executed as /bin/sh. As zsh is licensed under the MIT license, it avoids the controversial language surrounding patents and Tivoization that is speculated to be the disagreement with the GPLv3 license.

If you’re wanting GNU bash instead of zsh, you can use the above instruction to set bash as your default shell on the new macOS 10.15 Catalina beta.