amzn

This is an old revision of the document!

Amzn

This page provides some additional details for the things I talked about. This includes notes, diagrams, source code and videos.

sorcery

  • The sorcery solution is a CLI tool that provides supplemental functionality that is not built into a product to provide ways of automating what would otherwise be onerous manual, and error prone, tasks carried out by an administrator.
  • https://github.com/mgupton/sorcery

Ingress controller/friendly fire issue

  • This diagram illustrates a problematic scenario that resulted in many false positive security incidents being generated by the very product that is producing the incidents by its own vulnerability scans.
  • Because there was a ingress controller on the node with the application pod the vuln. scanner was scanning the application pod twice, once directly and once through the ingress controller.
  • And the source IP of the scans going through the ingress controller were obscure, so when the IDS saw the traffic it did not recognized it as its own traffic. Therefore the IDS generated many false positive incidents from its own scans.
  • Normally the x-forwarded-for (XFF) would prevent this issue, but for some reason the XFF was not always added to request going through the ingress controller and the IDS solution has limitations that results in it not correctly handling the XFF.
  • The solution I implemented is to use and undocumented API to whitelist the ingress controllers from vuln. scans. source code: al-exclude.py
    • Since this is in a k8s environment that tends to be dynamic the script can be ran periodically to continually update the whitelist with the IPs of the ingress controllers that are found in the environment.
    • The core functionality of the IDS/scan solution records metadata about the k8s environment, so I was able leverage this metadata to detect the ingress controllers and get their IP addresses.

Programmatic UI manipulation

  • This solution provides a way to programmatically manipulate a web UI to supplement the lack of an API for acquiring vulnerability data.
  • This solution was used to ingest vulnerability findings into an ITSM (e.g. ServiceNow) that was used for a partners workflow with their end customers.
  • aims-ui-access.py
  • customer-readme.pdf
  • Video demo of POC
  • amzn.1581513992.txt.gz
  • Last modified: 2020/02/12 13:26
  • by mmuze