TCUP Security Suite
1. Introduction
TCUP Security Suite (TSS) is a package of security utilities developed to identify security threats and strengthen the security of TCUP. Its purpose is to help TCUP users review the security posture of the application and act on the findings. It is a command-line utility with the following features:
Software Component Vulnerability Auditor
Get Vulnerability by Component
Certificate Management Utility
AWS Security Group Assessment
Software Component Version Checker
File Permission Audit
Kubernetes Pod Security Policy Assessment
Deployment Checker
OS Assessment
DOCKER Assessment
Security Wiki
Kubernetes Environment Benchmarking
Penetration test of K8
Get vulnerabilities of last 3 months
1.1 Intended Audience
This document is intended for anyone who wants an overview of TCUP Action Service. After reading it, the user will understand the capabilities of TCUP Action Service in the IoT platform.
2. Key Concepts
To use the TCUP Security Suite service, a user needs to understand some basic concepts and building blocks of the service. They are described in the following sections:
2.1 Component Vulnerability
A vulnerability is a weakness in an application: a design flaw or an implementation bug that allows an attacker to cause harm to the stakeholders of the application. The stakeholders are the application owner, the application users, and any other entities that rely on the application. Vulnerabilities that have been discovered in open source components and published in the NVD, in security advisories or in issue trackers are known vulnerabilities. From the moment of publication, a vulnerability can be exploited by anyone who finds that documentation. The Vulnerability Auditor in TSS identifies the known vulnerabilities associated with the open source components in use, which is the first step towards mitigating them.
2.2 Kubernetes Security
Kubernetes is a portable, extensible, open-source platform for managing containerized workloads and services that facilitates both configuration and automation. Kubernetes security is important throughout the container lifecycle due to the distributed, dynamic nature of a Kubernetes cluster. Different security approaches are required for each of the three phases of an application lifecycle: build, deploy, and runtime. TSS covers the following security assessment of Kubernetes:
CIS benchmark assessment: For secure software development and maintenance, the Center for Internet Security (CIS) publishes guidelines and benchmarks. These include guidelines and benchmark tests for securing Kubernetes and achieving a level of hardening for the cluster.
Kubernetes penetration testing: A penetration test evaluates the security of the system. It is performed to identify weaknesses (also referred to as vulnerabilities), including the potential for unauthorized parties to gain access to the system's features and data, as well as strengths, enabling a full risk assessment.
Pod security policy assessment: Validation of the configuration files and manifest files used for Kubernetes deployments and operations.
2.3 Docker Assessment
The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. These are all automated tests and CIS Docker Benchmark v1.2.0 guidelines are followed.
2.4 OS Assessment
OS assessment identifies the security configuration of an operating system with respect to the CIS guidelines. Reviewing the report and working through the mitigation steps helps in producing the golden image of the OS.
2.5 AWS Security Group Assessment
A security group acts as a virtual firewall for the AWS instance to control inbound and outbound traffic. The security group assessment helps in analyzing if the security group is properly configured.
3. Functional Capabilities
The TCUP Security Suite provides the following functional capabilities:
Software Component Vulnerability Auditor – TSS generates a list of the vulnerabilities associated with the components used in TCUP through an application called Software Component Vulnerability Auditor. The list is an Excel report containing the component used, the CVE IDs associated with each vulnerability, the vulnerability details, the published date and the last update date. It also contains the vulnerabilities reported in the last 3 months for the components used in TCUP. The application takes its input parameters from the Master Stack Report, which lists the components used in TCUP together with their Vendor Id, Product Id and Software Name.
The output Excel report has two sheets:
One sheet holds the vulnerability list obtained from https://www.cvedetails.com/.
The other sheet holds the vulnerability list obtained from https://nvd.nist.gov/vuln.
Both sheets contain TCUP COMPONENT NAME, CVE IDs, and VULNERABILITY DETAILS.
Get Vulnerability By Component - Get Vulnerability by Component is a utility that gathers information about a component's vulnerabilities. It reads a list of components from a file, looks up each component in the list and gathers the information on any vulnerability associated with it.
Certificate Management Utility - An application for certificate management has been developed and can be used through various APIs. This utility has the following three basic features:
Generate Root Certificate
Generate Self Signed Certificate
Revoke Certificate
AWS Security Group Assessment - This utility was developed as part of the TCUP deployment on the AWS cloud, to detect anomalies in which ports are open and which are closed. It takes the AWS zone and the security group id as input and returns the configured security group. The response helps in analyzing whether the security group is properly configured, and a report is generated from that analysis. The report lists all possible ports that can be exposed, the ports assigned to TCUP, and the ports that have been assessed.
Software Component Version Checker - The Software Component Version Checker checks the versions of the deployed software components for compatibility with the suggested versions of the approved TCUP tech stack. It generates a file containing the version of each component deployed.
File Permission Audit - The file permission check utility lists the permissions of each file and directory with respect to its user and writes the result to a CSV file. The check traverses all directories under the given path recursively.
Kubernetes Pod Security Policy Assessment - Kubernetes Pod Security Policy Assessment is a utility that analyzes YAML files and generates a report. The scan checks whether each YAML file is configured according to Kubernetes security best practices.
Deployment Checker - This utility performs post-deployment checks after an application is deployed. It includes the following checks:
- ensures that only the root user has superuser privilege and no other user has this privilege. This means only the root user should have read/write/execute privileges in the system.
- checks whether the database is configured with a password. It also checks and reports whether the database is configured with a default password.
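The port comparison described above, as an added example that is not TSS code: it takes a security group in the shape EC2 DescribeSecurityGroups returns (IpPermissions, IpRanges, Ipv6Ranges) and a constructed list of TCUP-assigned ports, and reports which world-open ports were never assigned and which assigned ports no rule exposes. The group id and the port numbers are constructed placeholders.

```python
"""Assess an AWS security group's ingress rules against the ports an
application is expected to expose. Added example, not TSS code. The
group description mirrors the shape EC2 DescribeSecurityGroups returns
(IpPermissions / IpRanges / Ipv6Ranges); the sample is constructed."""
from typing import Dict, Set

WORLD = {"0.0.0.0/0", "::/0"}  # "anywhere" source ranges

def rule_ports(perm: Dict) -> Set[int]:
    """Expand one IpPermission into the set of ports it allows;
    IpProtocol "-1" means every protocol on every port."""
    if perm.get("IpProtocol") == "-1":
        return set(range(0, 65536))
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    if lo == -1:  # ICMP wildcard, not a port range
        return set()
    return set(range(lo, hi + 1))

def rule_sources(perm: Dict) -> Set[str]:
    """Collect the IPv4 and IPv6 CIDRs a rule accepts traffic from."""
    cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
    cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
    return cidrs

def assess_security_group(sg: Dict, assigned_ports: Set[int]) -> Dict:
    """Report exposed ports, world-open ports TCUP never assigned, and
    assigned ports that no rule actually exposes."""
    assigned = set(assigned_ports)
    exposed, world_open = set(), set()
    for perm in sg.get("IpPermissions", []):
        ports = rule_ports(perm)
        exposed |= ports
        if rule_sources(perm) & WORLD:
            world_open |= ports
    return {"group_id": sg.get("GroupId"),
            "exposed_ports": exposed,
            "assigned_ports": assigned,
            "world_open_unassigned": world_open - assigned,
            "assigned_not_exposed": assigned - exposed}
# Constructed sample: HTTPS open to the world, SSH from one office range,
# and a small port range mistakenly opened to everyone.
SAMPLE_SG = {"GroupId": "sg-PLACEHOLDER", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 8880, "ToPort": 8883,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
TCUP_PORTS = {443, 1883, 8883}  # constructed TCUP-assigned port list
```

Calling `assess_security_group(SAMPLE_SG, TCUP_PORTS)` flags 8880-8882 as open to the world without being assigned, and 1883 as assigned but not exposed.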
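A recursive permission audit of the kind described above, as an added example that is not TSS code: it walks a path, records owner, group and mode for every entry, flags world-writable and setuid/setgid entries, and renders the rows as CSV. The tree it audits is constructed in a temporary directory so the script runs anywhere; the file names are invented.

```python
"""Recursive file-permission audit in the spirit of the File Permission
Audit utility: walk a path, record owner, group and mode of every entry,
flag world-writable and setuid/setgid entries, and emit CSV. Added
example, not TSS code; the tree it audits is constructed in a temporary
directory so the script runs anywhere."""
import csv, grp, io, os, pwd, stat, tempfile
from typing import Dict, List

def _name(lookup, ident: int) -> str:
    try:
        return lookup(ident)
    except KeyError:  # uid/gid without a passwd/group entry (containers)
        return str(ident)

def describe(path: str) -> Dict:
    st = os.lstat(path)  # lstat: report the link itself, never follow it
    mode = st.st_mode
    return {"path": path,
            "owner": _name(lambda u: pwd.getpwuid(u).pw_name, st.st_uid),
            "group": _name(lambda g: grp.getgrgid(g).gr_name, st.st_gid),
            "mode": stat.filemode(mode),
            "world_writable": bool(mode & stat.S_IWOTH),
            "setuid_or_setgid": bool(mode & (stat.S_ISUID | stat.S_ISGID))}

def audit_tree(root: str) -> List[Dict]:
    """Describe root and every entry below it, walking depth first."""
    rows = [describe(root)]
    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(dirnames) + sorted(filenames):
            rows.append(describe(os.path.join(dirpath, name)))
    return rows

def to_csv(rows: List[Dict]) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

def demo() -> List[Dict]:
    """Build a constructed tree with one world-writable file and audit it."""
    root = tempfile.mkdtemp(prefix="permaudit-")
    conf = os.path.join(root, "conf")
    os.mkdir(conf, 0o750)
    safe = os.path.join(conf, "app.properties")
    loose = os.path.join(conf, "secrets.env")
    for path, mode in ((safe, 0o640), (loose, 0o666)):
        open(path, "w").close()
        os.chmod(path, mode)
    return audit_tree(root)
```

`print(to_csv(demo()))` writes the four audited entries, with only secrets.env marked world_writable.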
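The two checks listed above, as an added example that is not TSS code: one parses passwd(5) text for accounts other than root that carry UID 0, the other classifies a database password as missing, default or acceptable. The passwd lines, the default-password list and the database configuration are all constructed.

```python
"""Two post-deployment checks in the spirit of the Deployment Checker:
(1) no account other than root carries UID 0, and (2) the database is
configured with a password that is neither missing nor a well-known
default. Added example, not TSS code; the passwd text, the default
list and the DB configuration below are all constructed."""
from typing import Dict, List

def extra_superusers(passwd_text: str) -> List[str]:
    """Return every account in passwd(5) format whose UID is 0 but whose
    name is not root. Malformed lines are skipped, not trusted."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue
        name, uid = fields[0], int(fields[2])
        if uid == 0 and name != "root":
            found.append(name)
    return found

# Constructed: defaults an installer or base image commonly leaves in place.
DEFAULT_PASSWORDS = {"password", "admin", "root", "postgres", "changeme"}

def check_db_password(db_conf: Dict[str, str]) -> str:
    """Classify the configured password as 'missing', 'default' or 'ok'.
    A password equal to the user name counts as a default too."""
    pw = db_conf.get("password") or ""
    if pw == "":
        return "missing"
    if pw.lower() in DEFAULT_PASSWORDS:
        return "default"
    if pw.lower() == db_conf.get("user", "").lower():
        return "default"
    return "ok"

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
tcup:x:1001:1001::/home/tcup:/bin/bash
deploy2:x:0:0::/home/deploy2:/bin/bash
not a passwd line
"""
SAMPLE_DB = {"host": "db.internal", "user": "tcup", "password": "tcup"}
```

On the constructed data, `extra_superusers(SAMPLE_PASSWD)` reports deploy2 and `check_db_password(SAMPLE_DB)` reports "default".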
OS Assessment – OS hardening is the process of improving the security of the operating system by creating and updating certain rules and removing unnecessary applications and services. The OS Assessment utility assesses the OS and generates a report containing a score percentage based on the vulnerabilities associated with the OS. The report contains suggestions and steps for mitigating those vulnerabilities.
DOCKER Assessment - Docker Assessment assesses the Docker environment. The utility can be run on each Docker node to generate its result. It follows the CIS Docker Community Edition Benchmark v1.1.0 guideline for the assessment.
Security Wiki - Security Wiki is a chatbot where users can ask security-related questions and get answers.
Kubernetes Environment Benchmarking - This analyzes the Kubernetes environment against the CIS guidelines.
Penetration test of K8 - This performs penetration testing of the Kubernetes cluster remotely, given its IP address.
4. Purpose/Usage
TSS is guided and built on the principles of OWASP, the CIS Benchmarks and the TCUP security principle of STAY LATEST AND STAY MINIMUM. The output of TSS is expected to be reviewed and assessed by a TCUP Security Engineer, who takes further action to mitigate the vulnerabilities and strengthen the security of the application.
5. Examples
TSS can be used by users as well as developers for assessing vulnerabilities and security risk. It is command-line based and can be installed independently and used for security assessment. Consider an example where an enterprise application is deployed in the customer environment and a post-deployment checklist has to be completed. The post-deployment checks include verifying that the database password is configured. This can be done with the "Deployment Checker" utility from TSS, which checks whether the database password is configured or not. Consider another example where a developer is working with open source components but does not know which version of a component is non-vulnerable. The developer can use "Get Vulnerability By Component", which takes the name of the component and prints any vulnerability associated with the component and its version. This helps in analyzing the vulnerabilities related to the open source component: the developer learns which versions of the component are vulnerable and can use a non-vulnerable version instead, making the application more secure.