Our Engineering Team leverages lot of Open Source Technologies when building production grade platform stack for internal use or for our partners. Before an Open Source Software makes it to the technology stack we do our due diligence by undertaking a trade study to determine the best fit, feature rich, ease of maintenance, community involvement, and user base among multiple similar projects.

In an era where web/tv/mobile applications dominate our daily lives, the need for a secure online access has become a biggest security concern that can no longer be ignored. Single Sign-On (SSO) technologies along with MFA (Multi-Factor Authentication) have emerged as secure solutions for simplifying the user experience and enhancing security. In this blog we will showcase some of the comparative study we undertake as a team in exploring the intricacies, functionalities, benefits, transformative impact, ease of use and maintenance when analyzing selected the best suited open source single sign-on technology. These following Open Source Projects have successfully made it to our shortlist for analysis:

• KeyCloak: a Cloud Native Computing Foundation incubation project (at the time of writing)
• Apereo CAS: from the Apereo Foundation
• Authelia: not a company, no affiliation to any type of incorporated entity
• Authentik: backed by Authentik Security Inc
• Zitadel: backed by Zitadel

Comparative Study:

KeyCloak vs. Apereo CAS vs. Authentik vs. Authelia vs. Zitadel

Disclaimer:

The information for this comparison was first retrieved on November 27, 2023. The article was last updated on December 5, 2023.

Found this useful:

Follow our page on LinkedIn

Trivy is an open source single binary application written in Go and designed to find vulnerabilities, misconfigurations, secrets, SBOMs (Software Bill of Materials) in Container Images and Virtual Machine Images. It is a versatile security utility tool with built-in scanners that can look for security issues on a number of targets such as:

• Container Images
• Container Registries
• Virtual Machine Images
• Kubernetes
• Files System
• Software Licenses
• Software Bill of Material
• Amazon Cloud

A best use of Trivy is for scanning container images to ensure:

• They are safe
• They do not contain vulnerabilities
• They do not bring in security risks
• They do not violate any licensing
• There is a generated SBOMs for all the packages installed

How To Install Trivy?

It is a straight forward process. Start by downloading and extracting the single binary application:

$ sudo wget https://github.com/aquasecurity/trivy/releases/download/v0.47.0/trivy_0.47.0_Linux-64bit.tar.gz
$ sudo tar xvzf trivy_0.47.0_Linux-64bit.tar.gz -C /usr/local/bin

Ensuring the executable flag is set on the application:

$ sudo chmod +x /usr/local/bin/trivy

Let's run the help command to validate the installation was successful:

$ trivy --help

Using Trivy to Scan a Container Images:

Trivy can scan container images for:

• Vulnerabilities
• Misconfigurations
• Secrets
• Licenses
• SBOMs generation

By default, vulnerability and secret scanning are enabled and here is the command to run:

$ trivy image alpine:3.15

To scan a container image for vulnerabilities only run:

$ trivy image --scanners vuln alpine:3.15

To scan a container image for misconfigurations only run:

$ trivy image --scanners config alpine:3.15

To scan for licensing issues only run:

$ trivy image --scanners license alpine:3.15

To generate SBOM, you can use the --format to specify between cyclonedx or spdx-json format:

$ trivy image --format spdx-json --output result.json alpine:3.15

$ trivy image --format cyclonedx --output result.json alpine:3.15

Trivy Vulnerability Database:

When trivy is installed on a system that has access to the Internet, it will automatically download the latest vulnerability database during execution. In air-gapped environments (no access to the Internet) trivy's vulnerability database has to be updated manually and here is the process to do so:

1.) Download the vulnerability database:

$ mkdir /tmp/trivy-vul-db
$ trivy --cache-dir /tmp/trivy-vul-db image --download-db-only
$ ls -la /tmp/trivy-vul-db/db

There should be two files: trivy.db, and metadata.json. In the next step we will copy those files to Trivy's DB cache directory in the air-gapped environment.

2.) Put the DB file in the cache directory: The DB cache folder is usually located in /home/myuser/.cache/trivy/db. Here we will use scp for remote copy (rsync could also be used).

$ scp /tmp/trivy-vul-db/db/trivy.db  /tmp/trivy-vul-db/db/metadata.json myuser@remotehost:/home/myuser/.cache/trivy/db/

Note: If the /home/myuser/.cache/trivy/db/ folder does not exist you will have to create it before migrating the database.

3.) Now we have to run trivy with specific flags: In an air-gapped environment, you have to specify --skip-db-update and --skip-java-db-update so that Trivy doesn't attempt to download the latest database files. In addition, if you want to scan pom.xml dependencies, you need to specify --offline-scan. Here is an example:

$ trivy image --skip-db-update --skip-java-db-update --offline-scan alpine:3.12

For more on how to manage air-gapped deployment of Trivy refer to this link in the official documentation: trivy-in-air-gapped-environments

Extending Trivy's Vulnerability Database:

The Trivy Vulnerability Database has vulnerability information from NVD, Red Hat, Debian, etc. If you are one those power users who would like to extend trivy's vulnerabilities database and bring in your own, the trivy-db CLI utility is a tool used internally by the Trivy team to build and update vulnerability DBs. To learn more on how to use this tool to bring in your own curated list of vulnerabilities refer to the link: Trivy-DB-Utility

Found this useful, follow our page on: https://www.linkedin.com/company/geanttechnology

If you have been writing Infrastructure as Code using frameworks like Terraform and Kubernetes, you know how painful it was to not have a proper testing framework to test the code before deploying. Resulting in dev teams hacking their way in and out to provide a somewhat testing framework to increase trust in their code.

Worry no more, Terrascan is here to save the day. Developed by Tenable (the leading Cybersecurity Exposure Management Company), Terrascan is an open-source static code analysis tool designed for Infrastructure as Code. It helps developers and DevOps teams ensure their infrastructure code adheres to best practices, security standards, and compliance requirements. Terrascan provides 500+ out-of-the-box policies so that you can scan your IaC code against common policy standards such as the CIS Benchmark.

Initializing Terrascan:

Once terrascan is installed, the first command to run is:

$ terrascan init

This command initializes and downloads the latest policies from the repository into ~/.terrascan. By default the policies are installed here: ~/.terrascan/pkg/policies/opa/rego and are fetched while scanning and performing code analysis. It leverages the Open Policy Agent (OPA) engine so that you can easily create your own custom policies using the Rego query language.

Scanning IaC Code with Terrascan

After initializing terrascan, the next command to run is with the option scan to scan the IaC code for compliance requirements, best practices, and security standards.

$ terrascan scan -c /directory/with/iac/code

The scan command also supports the following flags:

1. --config-path Specifies a directory to be scanned
2. --iac-file Specifies path to a single IaC file to be scanned
3. --iac-type Specifies IaC provider type (arm, cft, docker, helm, k8s, kustomize, terraform, or tfplan)
4. --policy-type Specifies policy type (all, aws, azure, docker, gcp, github, k8s) (default to all)
5. --remote-type Specifies type of remote backend where the IaC code resides (git, s3, gcs, http, terraform-registry)
6. --remote-url Specifies the url pointing to remote IaC repository

The full list of flags for the scan command can be found by running: terrascan scan -h

Scanning Terragrunt Code with Terrascan

Terragrunt is a thin wrapper that provides extra tools for running Terraform in a DRY (Do Not Repeat Yourself) fashion and for managing Terraform remote state. Here is how Terrascan can be used to scan Terragrunt IaC code:

1.) Inside the folder containing the terragrunt.hcl file, run the following to convert the terragrunt plan into tfplan format:

terragrunt plan -out $(pwd)/plan.tfplan

2.) Next, we will convert the tfplan file into json formatted output which will be used by terrascan:

terragrunt show -json $(pwd)/plan.tfplan > plan.json

3.) There is a small bug (at the time of writing this blog post) that prevents terrascan from reading tfplan json content formatted in format_version 1.1. To resolve the issue we will have to edit plan.json and update the format_version to 0.2.

vi plan.json

Change format_version from 1.1 to 0.2

4.) Run terrascan to scan the plan.json file

terrascan scan --iac-type tfplan --iac-file plan.json

And there you have it, Here is a sample output of a scan performed:

Found this useful, follow our page on: https://www.linkedin.com/company/geanttechnology

1. Modify the default configuration of applications and appliances before going live in production environment.

2. Change or disable vendor-supplied default usernames and passwords of services, software and hardware equipment.

3. If not required disable LLMNR and NetBIOS on WINDOWS Systems

Mitigate Improper Separation of User and Administrator Privileges

1. Implement Authentication, Authorization, Accountability, and Auditing system for non-repudiation.

2. Audit user accounts and remove those that are inactive or unnecessary. Limit the number of users with identity and access management privileges.

3. Restrict the use of privileged accounts to perform general tasks. Only use service accounts with the permissions necessary for the services they need access.

4. Implement time-based access for privileged accounts. Disable unused services and implement ACLs and RBACs to protect services and applications.

5. Implement a Security Information and Event Management System for log aggregation, correlation, visualization, and alerting.

Lack of Network Segmentation

1. Leverage next-gen firewalls to perform deep packet filtering, stateful packet inspection, and application level packet inspection.

2. Setup network segmentation to isolate critical systems, functions, and resources.

3. Create Virtually Private Cloud instances to isolate essential cloud systems.

Poor Patch Management

1. Implement and maintain an efficient patch management process. Update software and firmware regularly.

2. Automate the update process as much as possible.

3. Use the Common Vulnerability Scoring System for a qualitative measure of severity.

4. Evaluate the use of unsupported hardware and software. Discontinue or isolate legacy systems that are outdated.

Bypassing of System Access Control

1. Limit credential overlap across systems.

2. Deny domain users the ability to be in the local administrator group on multiple systems.

3. Use service accounts for system to system communication.

Weak or Misconfigured Multifactor Authentication

1. Disable the use of New Technology LAN Manager (NTLM) and other legacy authentication protocols on Windows systems.

2. Implement cloud-primary authentication solution using modern open standards such OpenID Connect.

3. Enforce phising-resitant Multifactor Authentication (MFA)

Insufficient ACLs on Network Shares and Services

1. Implement secure access for all storage devices and network shares.

2. Apply the principle if least privilege on users, groups, and roles.

3. Apply restrictive permissions to files, shares, and directories.

Unrestricted Code Execution

1. Implement system settings that prevent the ability to run applications downloaded from untrusted sources.

2. Use application control tools that restrict program execution by default; also known as allowlisting.

3. Block or prevent the execution of known vulnerability drives. Use read-only and minimal images for containers.

4. Constrain scripting languages from auto-executing to prevent malicious activities.

Found this useful, follow our page on: https://www.linkedin.com/company/geanttechnology