How to Build More Secure Service Brokers

How to Build More
Secure Service Brokers
Denise Yu @deniseyu21
Senior Software Engineer, Pivotal R&D
October 7–10, 2019
Austin Convention Center

Unless otherwise indicated, these slides are © 2013-2019 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Hello #s1p!
Senior Engineer @ Pivotal, currently
engineer on Concourse CI open source,
full-time YAML wrangler, distsys doodler,
storyteller, keynote-deliverer
Previously:
Product Manager for On-Demand Service
Broker SDK
Engineered on
➔ BOSH core
➔ Cloud Foundry Services API
➔ RabbitMQ for Pivotal Cloud Foundry
service
2
@deniseyu21 deniseyu.io
dyu@pivotal.io

What’s a service broker?

What problem do service brokers solve?
● Cloud Foundry, Knative, and other application platforms are great at managing
the deployment and lifecycle of stateless applications

● But applications need persistent data! (usually)

● Where do we get persistent services from, after cf push?

○ Host it yourself, with any number of “DevOps” tools (BOSH, Kubernetes,
Ansible, Chef, etc)
○ Pay someone else to host it, aka Software-as-a-Service (ex. AWS RDS,
Firebase)

○ Host it yourself, with any number of “DevOps” tools (BOSH, Kubernetes,
Ansible, Chef, etc)
○ Pay someone else to host it, aka Software-as-a-Service (ex. AWS RDS,
Firebase)
● How do we manage how & when applications use services?

A service broker is a
component that enables
application developers to
provision new instances
of a service for their
application, when they
need it, configured how
they need it

Service instances can be conceptualised in many ways

Specification that standardizes platform-to-broker, HTTP-based communication,
using “a simple set of API endpoints which can be used to provision, gain
access to and manage service offerings.”
https://www.openservicebrokerapi.org

Service brokers are chatty!
Service brokers have many
contact points with the outside
world and with their service
instances! It’s very common to
want to ship software-specific
management consoles with
brokers, instrument them for
operability, and so on.
We’ll come back to this later!

Service Broker Security
Part I:
Design & Deployment

Is the underlying software designed
for single or multiple tenants?
1
7

Single-tenant vs. Multitenancy
● Isolated software instance, using
virtual or hardware-based isolation
(or combination)
● Trade in favor of stronger, multi-
layered security gains at the
expense of lost utilization
● Multiple users and/or namespaces
on single software instance, isolated
by application logic
● Trade in favor of cost effectiveness
and higher utilization at the expense
of security only at the application
layer

● Isolated software instance, using virtual
or hardware-based isolation (or
combination)
● Multiple users and/or namespaces on
single software instance, isolated by
application logic (higher risk of noisy
neighbors)

combination)
● Higher likelihood of underutilization
neighbors)
● Lower likelihood of underutilization,
better “bin packing”

combination)
● Higher likelihood of underutilization
● Tends to have slower startup
neighbors)
● Lower likelihood of underutilization,
better “bin packing”
● Tends to be faster to spin up

Align your service instance delivery models
Some products lend themselves superbly to multitenancy, such as PostgresQL and
MySQL, which have supported multiple users at the software level for many years,
and run successfully as multi-tenant SaaS offerings (Heroku, DigitalOcean, Azure,
etc).

Align your service instance delivery models
Some products lend themselves superbly to multitenancy, such as PostgresQL and
MySQL, which have supported multiple users at the software level for many years,
and run successfully as multi-tenant SaaS offerings (Heroku, DigitalOcean, Azure,
etc).
Others are built with a strong “trusted workload” assumption that don’t translate well
to multitenant offerings. Trying to fight the software’s tenancy abstractions will make
life hard when you’re in the business of packaging software!

How and where will users run
your broker and service instances?
2
4

Platform security
How will your operator host the service broker and instances?
Google Kubernetes Engine (GKE):
“By default, nodes are given the Compute Engine default service account… This
account has broad access by default, making it useful to wide variety of
applications, but it has more permissions than are required to run your
Kubernetes Engine cluster. You should create and use a minimally privileged
service account to run your GKE cluster instead of using the Compute Engine
default service account.”
More at
cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster

The Principle of Least Privilege
“Every program and every user of the system
should operate using the least set of
privileges necessary to complete the job.”
Jerome Saltzer & Michael Schroeder, The
Protection of Information in Computer
Systems, 1975.
web.mit.edu/Saltzer/www/publications/protection

Part II:
“Easy wins” and best practices

Basic auth is not auth 🌶

● Use it for testing, but disable it on prod! Off by default!

● Industry best practice: OAuth 2.0
○ Recommended to use UAA client

○ Perform scope-checking against Cloud Controller if designing broker for
Cloud Foundry

Cloud Foundry
○ Don’t share UAA clients; issue one per service instance

Cloud Foundry
○ Response headers should follow RFC 6750 guidelines for displaying
bearer token validation outcome. tools.ietf.org/html/rfc6750

Cloud Foundry
○ Response headers should follow RFC 6750 guidelines for displaying
bearer token validation outcome. tools.ietf.org/html/rfc6750
○ Don’t permit “none” as an input for token validation method

Sanitize all user inputs
● Inputs to admin dashboards
● Beware SQL injections

● Service instance creation request accepts arbitrary configuration JSON
cf create-service mysql large mysql-staging -c ‘{“some”: “text”}’

● Service instance creation request accepts arbitrary configuration JSON
cf create-service mysql large mysql-staging -c ‘{“some”: “text”}’
● Don’t forget URI parameters!
Loggregator CVE-2016-2165:
GET
http://loggregator-controller-uri/
<script>window.alert(“yo”)</script>

Encryption at rest & in-flight
In-flight:
○ Use TLS for process-to-process
communication
○ Perform hostname verification
○ Be careful with proxies; use only one
localhost for each unencrypted
process

Encryption at rest & in-flight
At rest:
● Leverage encryption features that
ship with the underlying software
if possible
● Provide guidance for enabling
disk encryption
In-flight:
○ Use TLS for process-to-process
communication
○ Perform hostname verification
○ Be careful with proxies; use only one
localhost for each unencrypted
process

Service binding secrets management
Bindings contain lots of sensitive information that should never be persisted in
plaintext.

Service binding secrets management
Bindings contain lots of sensitive information that should never be persisted in
plaintext.
Store these credentials in secrets managers, and build your broker to handle
variable resolution when processing requests from the application platform.

Be aware of service binding side effects
When application developers remove bindings, don’t forget to clean up everything
that was created as part of issuing a new service binding.
Examples:
● Open database connections
● Temporary users and groups
● Temporary files, directories, mounts
● Credentials and configuration files left behind on disk
● Artifacts in external components like credential stores, Kubernetes, etc.

Use automation to fight leaky credentials

Use BOSH Process Manager (BPM)
BOSH processes are currently not containerized. The BPM release offers some
security improvements by wrapping each monit-managed process with namespace
isolation, so they at least can’t see each other while they’re living on the same VM.
This offers protection from malicious software packaged in releases that you don’t
author as well as unintended side effects between processes.
https://bosh.io/docs/bpm/bpm/
https://github.com/cloudfoundry/bpm-release

To share, or not to share? [Cloud Foundry]
Cloud Foundry optionally lets service authors indicate if instances created by their
brokers are shareable. This means users across different Cloud Foundry spaces can
have their applications read/write to the same service instance.
The amount of complexity involved in engineering for security when sharing
instances entirely depends on the software you are packaging. One way to mitigate
risk is to make shared bindings read-only.
https://docs.cloudfoundry.org/devguide/services/sharing-instances.html

Part III:
Processes & Practices

Continuous Delivery
4
8

Reduce your “time to market” for CVE response
● Building safe and sustainable processes for
delivering changes in your software to end
users

users
● Automate testing, deployment, and release
processes as much as possible

users
● Automate testing, deployment, and release
processes as much as possible
● Build and deploy constantly in small batches, so
“emergency patches” have the same cycle time
as your normal release process

Applying Continuous Delivery principles to your
release engineering processes ensures that
“CVE Patch Weeks” are no different from
normal weeks for your engineering teams.

Culture & education
5
3

Grow a healthy security-minded culture
Building a culture around good security practices requires psychological safety to
be curious and ask questions. Without a positive, growth-oriented mindset towards
security, many organisations will default to operating on fear and/or bureaucracy.

How do you start building this culture?

● Make it easy to contact the right people. Ex. security@pivotal.io

● Form a team to triage security issues and build shared tooling, and iteratively
evolve this team’s remit and responsibilities

● Form a team to triage security issues and build shared tooling, and iteratively
evolve this team’s remit and responsibilities
● Develop and socialize processes that promote security education at scale
Recommended viewing: Molly Crowther, “Healthy Agile Security Culture”, S1P 2017

Threat Modeling workshops
Hands-on workshops that involve a whole team are a great tool for continuous
education. One model is STRIDE, developed by Microsoft.
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service
Elevation of privilege

Step One:
Team agrees on architectural diagram of
system under discussion. Decide any
components to descope, because the
team cannot directly influence near-term
development roadmap. One person
creates a clean visualisation.

Step Two:
Introduce (or review) what each letter of STRIDE stands for.
Resources:
● Adam Shostack, Microsoft
“Elevation of Privilege: The easy way to threat model.”
youtube.com/watch?v=vEqu5fk9rlE
● Nataliya Shevchenko, “Threat Modeling: 12 Available Methods”.
insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-
methods.html

Step Three:
Brainstorm specific scenarios that could
happen within each category of threats.
Discuss the viability of each one, and if it
seems high-risk and addressable, record
an action for the team to prioritize a fix
alongside regular backlog work.
(You can use premade scenarios if you’re
using STRIDE -- look up the “Elevation of
Privilege” card game!)
Art from MIcrosoft’s “Elevation of Privilege” threat modeling game:
https://www.microsoft.com/en-
ca/download/details.aspx?id=20303

In summary:
● Design and deploy brokers with security in mind
● Prioritize and implement “easy wins” for security best
practice
● Build a security-minded culture to keep improving and
learning

Thank you to…
Aram Price
Chris Brown
Molly Crowther
Emily Foster
Chris Piraino
Jatin Naik
Derik Evangelista
Raymond Lee
David Stevenson
Matt McNeeney

Stay Connected.
Slides: deniseyu.io/secure-brokers
@deniseyu21
#springone@s1p

How to Build More Secure Service Brokers

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to How to Build More Secure Service Brokers

Similar to How to Build More Secure Service Brokers (20)

More from VMware Tanzu

More from VMware Tanzu (20)

Recently uploaded

Recently uploaded (20)

How to Build More Secure Service Brokers