How We Secure The Gojek App With 241 Benchmarks
Our Product Security team is tasked with securing our 18+ products. Here's how we implement CIS benchmarks on hosts at scale.
By Alisha Gupta
Building product security assurance at scale means securing each level of the infrastructure. Securing every feature of 18+ products used by millions every day is an immense responsibility, and it can only be met by securing every layer. 🛡
Here’s where our ProdSec team steps in
The Product Security (ProdSec) team works with various teams within Gojek and carries out internal security audits. Every single feature going into production is scrutinised. The team also hardens the security of infrastructure and hosts, which can be accomplished with CIS Benchmarks.
Hardening is the process of limiting potential weaknesses that make systems vulnerable to cyber attacks.
CIS Benchmarks are a collection of best practices for securely configuring IT systems, software, networks, and cloud infrastructure, developed by a global community of cybersecurity professionals. They are a set of vendor-agnostic, internationally recognised secure configuration guidelines that give users a secure, on-demand, and scalable computing environment. The benchmark we implement comprises 241 security controls, divided among 6 categories:
- Initial Setup
- Services
- Network Configuration
- Logging and Monitoring
- Access Authentication
- Authorisation and System Maintenance
Implementing the CIS benchmarks really comes down to two things: first, bringing all the existing assets in line with the relevant benchmarks; second, making sure they stay that way. To implement CIS Benchmarks at scale in Gojek, a single approach is not sufficient, because cloud infrastructure changes rapidly.
Enter: CureCIS
The ProdSec team has opted for a multi-strategy approach, named CureCIS, to cover all the edge cases in implementing the CIS benchmark recommendations.
CureCIS is an automated, efficient, repeatable, and scalable solution for rapid implementation of CIS Benchmarks on hosts.
It ensures that VMs are secured according to consensus-based best-practice standards.
This multi-strategy solution comprises the following approaches:
1. Chef Cookbook
2. CIS Hardened Golden image
3. CIS Benchmark Hardening script
Chef Infra automates how infrastructure is configured, deployed, and managed across the network, regardless of its size and whether it runs in the cloud, on-premises or in a hybrid environment. Chef cookbooks, both custom and community-maintained, are uploaded to the Chef server.
The CIS-Hardened Chef Cookbook contains all the benchmarks to be implemented and is centrally managed by the Chef server. The moment a machine is spun up in the cloud, the CIS Benchmark recipes run on it automatically as part of its configuration. For existing machines, the benchmarks are applied on the next chef-client run.
This Chef cookbook implements the security benchmarks suggested by CIS, which are divided into multiple categories; a recipe is written for each individual benchmark in the cookbook. For example, system admins are required to authenticate with their own individual accounts rather than logging in as root over SSH, then escalate to root via sudo or su. This supports non-repudiation and provides a clear audit trail in the event of a security incident. To achieve this, a recipe that disallows SSH root logins has been added to the cookbook.
The MaxAuthTries parameter is set to a low number, which minimises the risk of successful brute-force attacks against the SSH server.
The LoginGraceTime parameter is set to a low number, which also minimises the risk of successful brute-force attacks against the SSH server and limits the number of concurrent unauthenticated connections.
The local attack surface of the system can be reduced by removing support for unneeded filesystems: the filesystem types that are not needed are disabled.
A compromised host can be used by an attacker to send invalid ICMP redirects to other router devices in an attempt to corrupt routing, so that users reach a system set up by the attacker instead of the legitimate one. Since a host does not itself act as a router, sending packet redirects can be disabled.
The telnet protocol is insecure and unencrypted, so its use could allow an unauthorised user to steal credentials. The SSH package is used instead, as it is encrypted and more secure.
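As an added example in the style of the hardening script (this is not Gojek's CureCIS code), the POSIX shell routine below audits and remediates the three SSH benchmarks just discussed against a constructed sshd_config. The thresholds it assumes (PermitRootLogin no, MaxAuthTries at most 4, LoginGraceTime at most 60 seconds) are the values the CIS Linux benchmarks recommend, and all function names are the editor's own.

```shell
#!/bin/sh
# Added example, not Gojek's CureCIS code. Thresholds assumed from the CIS benchmark:
# PermitRootLogin no, MaxAuthTries <= 4, LoginGraceTime <= 60 seconds.
# write_sample_config FILE: constructed sample standing in for /etc/ssh/sshd_config.
write_sample_config() {
  cat > "$1" <<'EOF'
# constructed sample: a default-looking sshd_config before hardening
Port 22
#PermitRootLogin prohibit-password
MaxAuthTries 6
LoginGraceTime 2m
EOF
}
# sshd_value FILE KEY: first active (uncommented) value of KEY; sshd honours the first match.
sshd_value() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }
# set_sshd_option FILE KEY VALUE: rewrite every existing KEY line, commented or not,
# as "KEY VALUE", or append one if absent. A second run leaves the file unchanged.
set_sshd_option() {
  if grep -Eq "^[[:space:]]*#?[[:space:]]*$2([[:space:]]|$)" "$1"; then
    sed -i -E "s/^[[:space:]]*#?[[:space:]]*$2([[:space:]].*)?$/$2 $3/" "$1"
  else
    printf '%s %s\n' "$2" "$3" >> "$1"
  fi
}
# harden_sshd FILE: apply the three SSH benchmarks discussed above.
harden_sshd() {
  set_sshd_option "$1" PermitRootLogin no
  set_sshd_option "$1" MaxAuthTries 4
  set_sshd_option "$1" LoginGraceTime 60
}
# check_max FILE KEY MAX: KEY must be a plain integer no greater than MAX.
# A value with a unit suffix such as "2m" is reported as a failure rather than parsed.
check_max() {
  v=$(sshd_value "$1" "$2")
  case $v in ''|*[!0-9]*) echo "FAIL $2 unset or non-numeric: '$v'"; return 1 ;; esac
  [ "$v" -le "$3" ] || { echo "FAIL $2 is $v, must be <= $3"; return 1; }
}
# audit_sshd FILE: report every unmet benchmark; return 0 only if all three pass.
audit_sshd() {
  rc=0
  [ "$(sshd_value "$1" PermitRootLogin)" = "no" ] || { echo "FAIL PermitRootLogin must be no"; rc=1; }
  check_max "$1" MaxAuthTries 4 || rc=1
  check_max "$1" LoginGraceTime 60 || rc=1
  return $rc
}
cfg=$(mktemp)                              # stand-in for /etc/ssh/sshd_config
write_sample_config "$cfg"
audit_sshd "$cfg" || harden_sshd "$cfg"    # remediate only when the audit fails
audit_sshd "$cfg" && echo "compliant: $cfg"
```

Running it against the sample prints three FAIL lines, remediates, and then reports the file compliant; rerunning harden_sshd on an already compliant file is a no-op, which is what makes it safe to schedule on every chef-client run.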
Teams that want to procure a VM via the console can choose a CIS-Hardened custom image developed by the ProdSec team. CIS-Hardened Images are virtual machine images pre-configured in line with the relevant CIS benchmark. They are more secure than a standard image: hardened virtual images reduce system vulnerabilities to help protect against denial of service, unauthorised data access, and other cyber threats.
For existing VMs which are not registered on proctor, the ProdSec team has built a CIS benchmark hardening script. It helps teams and developers secure the hosts on which they have deployed web applications or services, automating the hardening of a server with little interaction from the user.
This multi-strategy approach achieves a larger footprint of secure hosts in the cloud with little intervention from developers. The benchmarks can be applied to VMs in a way specific to the cloud environment. Implementing these benchmarks helps control security vulnerabilities in new and existing VMs, and CureCIS is a scalable way to do so.