The agile development methodology has now been widely adopted, making development more iterative, releases more frequent, and causing bottlenecks to appear in the rest of the application deployment and support processes. This became a driver of the DevOps movement that has allowed teams to automate the process of software integration, testing and deployment so software can be released rapidly, frequently and reliably.
A big part of DevOps is the cultural change and collaboration. This collaboration happens through various tools that include messaging platforms such as Slack. These tools help to improve working together with minimal barriers, and bring all the pieces people need to collaborate into one location. This is called ChatOps, a collaboration model that connects people, tools, process, and automation into a transparent workflow.
Since DevOps can rapidly speed up the pace at which software is developed and deployed, proper security thinking and processes must be integrated into it, or this rapid development method can introduce security flaws.
In the movie RoboCop, RoboCop is given three primary directives: "Serve the public trust, Protect the innocent, and Uphold the law". In DevOps, security teams combine automated tools with some human oversight to achieve these directives at scale. Security can be thought of as putting the cops in DevOps.
To increase integration and adoption of security tools and testing:
- Tools need to be easy to use
- Tools need to be available as "Security as a Service"
RoboBot was built to bring law and order to DevOps by providing a conversational bot that is easy to use, offers security as a service, and is integrated with the Slack messaging platform.
What it does
It does the following security tests:
- Heartbleed - A test to determine if a system is vulnerable to the Heartbleed bug, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read. See CVE-2014-0160.
- WannaCry/Petya - A test to determine if a system or network is vulnerable to the WannaCry or Petya ransomware attacks that take advantage of the Remote Code Execution Vulnerability in Microsoft SMBv1 servers (MS17-010). See CVE-2017-0143 and MS17-010.
- Double Pulsar SMB Backdoor - A test that is run on a system found to be vulnerable to WannaCry or Petya to check whether it has already been compromised and left with a covert post-exploitation command and control channel. See Detecting SMB Covert Channel ("Double Pulsar").
- SSL/TLS Configuration - Security Misconfiguration is a standing entry in the OWASP Top Ten Project's list of web application security risks. This test checks the SSL/TLS settings for known vulnerabilities and against best practices.
- Certificate Validation - A test that shows basic server certificate information and performs trust validation of the certificate.
- Ping Sweep - A test to audit a network for live hosts.
Other features:
- Ability to ask for help
- View test history
- View a single test report in the history
- Saves the last test target to auto-populate it on the next test
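As an added illustration of what the "SSL/TLS Configuration" and "Certificate Validation" tests above have to do (example code written for this page, not RoboBot's own implementation), the following Python splits the work into a network probe and a pure policy check. The probe negotiates TLS with the system trust store, falls back to an unverified connection only to keep reporting protocol and cipher details, and flags the result as unverified. The policy thresholds, the weak-cipher markers and the keys of the result dict are assumptions made for this example.

```python
"""Added example (not part of RoboBot): a minimal SSL/TLS configuration and
certificate check. probe_tls() talks to a real server; evaluate_tls() is
pure policy logic over the probe result so it can be tested offline."""
import socket
import ssl
import time

# Policy values are assumptions for this example, not the bot's settings.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ADH", "AECDH")
EXPIRY_WARN_SECONDS = 30 * 24 * 3600


def _connect(host, port, ctx, timeout):
    """Open one TLS connection and collect the negotiated parameters."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()  # {} when verification is disabled
            subject = dict(rdn[0] for rdn in cert.get("subject", ()))
            issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": subject.get("commonName"),
                "issuer": issuer.get("commonName"),
                # expiry as epoch seconds, or None when the cert dict is empty
                "not_after": ssl.cert_time_to_seconds(cert["notAfter"]) if "notAfter" in cert else None,
            }


def probe_tls(host, port=443, timeout=5.0):
    """Negotiate with the system trust store; on a validation failure retry
    without verification so protocol/cipher are still reported, but mark
    the result as unverified and keep the error text."""
    try:
        result = _connect(host, port, ssl.create_default_context(), timeout)
        result["verified"] = True
    except (ssl.SSLError, ssl.CertificateError) as exc:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False  # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
        result = _connect(host, port, ctx, timeout)
        result["verified"] = False
        result["verify_error"] = str(exc)
    return result


def evaluate_tls(result, now=None):
    """Turn a probe result into a list of findings; an empty list is clean."""
    now = time.time() if now is None else now
    findings = []
    if not result.get("verified"):
        findings.append("certificate failed trust validation: %s" % result.get("verify_error", "unknown"))
    if result["protocol"] in LEGACY_PROTOCOLS:
        findings.append("legacy protocol negotiated: %s" % result["protocol"])
    if any(marker in result["cipher"] for marker in WEAK_CIPHER_MARKERS):
        findings.append("weak cipher negotiated: %s" % result["cipher"])
    not_after = result.get("not_after")
    if not_after is not None:
        if not_after < now:
            findings.append("certificate expired")
        elif not_after - now < EXPIRY_WARN_SECONDS:
            findings.append("certificate expires within 30 days")
    return findings


if __name__ == "__main__":
    import sys
    probe = probe_tls(sys.argv[1])
    print(probe)
    print(evaluate_tls(probe) or ["no findings"])
```

Run it as `python tlscheck.py example.org` to see both the raw negotiation details and the findings. Keeping the policy in a separate function is what makes the check easy to extend and to unit-test without network access, which matters when the same logic has to run inside a Lambda function.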
How I built it
The following Amazon resources are used in this project:
- Amazon Lex
- AWS Lambda (Python 3.6 runtime)
- Amazon DynamoDB
- Amazon ElastiCache
- Amazon EC2
- Amazon VPC
In addition, I used the serverless.com framework to build out and deploy the architecture.
Challenges I ran into
I ran into many different challenges in this competition:
How to test my Lambda functions locally in a simulated Lambda environment with DynamoDB. I came up with a method using the docker-lambda project and DynamoDB local.
How to run an executable on Lambda. I needed to be able to run some executables for my security tests. I ended up deploying them with my Lambda functions, and set the path to the executable using the
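To show how the pieces listed under "How I built it" and the two challenges above fit together, here is an added example (written for this page, not RoboBot's own code) of the Lambda side of a Lex V1 bot: one code hook handles both the dialog phase (auto-populating the Target slot from the user's last saved target) and the fulfillment phase (running the test named by the intent and recording it in DynamoDB), a `DYNAMODB_ENDPOINT` override redirects boto3 to DynamoDB Local when running under docker-lambda, and `run_bundled()` launches an executable shipped inside the deployment package. The pk/sk table layout, the intent and slot names, the `bin/` directory, the `HISTORY_TABLE` and `DYNAMODB_ENDPOINT` variable names and the `pingsweep` tool name are all assumptions; `LAMBDA_TASK_ROOT` is the runtime's real environment variable.

```python
"""Added example (not RoboBot's own code): Lex V1 code hook on Lambda that
runs a security test per intent, stores results in DynamoDB and remembers
the last target per user. Layout, names and env vars are assumptions."""
import os
import shutil
import stat
import subprocess
import tempfile
import time


def get_table(table_name=None):
    """DynamoDB table handle; DYNAMODB_ENDPOINT (assumed name) points boto3
    at a DynamoDB Local container when testing under docker-lambda."""
    import boto3  # ships with the Lambda runtime; imported lazily so offline tests need not install it
    kwargs = {}
    if os.environ.get("DYNAMODB_ENDPOINT"):
        kwargs["endpoint_url"] = os.environ["DYNAMODB_ENDPOINT"]
    return boto3.resource("dynamodb", **kwargs).Table(table_name or os.environ["HISTORY_TABLE"])


class MemoryTable:
    """In-memory stand-in for the table (pk/sk keys) for local unit tests."""
    def __init__(self):
        self.items = {}

    def get_item(self, Key):
        item = self.items.get((Key["pk"], Key["sk"]))
        return {"Item": item} if item else {}

    def put_item(self, Item):
        self.items[(Item["pk"], Item["sk"])] = Item


def run_bundled(tool, args, task_root=None, timeout=60):
    """Run an executable packaged under LAMBDA_TASK_ROOT/bin. The package is
    read-only and a zip upload may drop the exec bit, so copy to /tmp (the
    only writable path) and chmod +x when needed. Python 3.6-compatible."""
    root = task_root or os.environ.get("LAMBDA_TASK_ROOT", ".")
    path = os.path.join(root, "bin", tool)
    if not os.access(path, os.X_OK):
        writable = os.path.join(tempfile.gettempdir(), tool)
        shutil.copy2(path, writable)
        os.chmod(writable, os.stat(writable).st_mode | stat.S_IXUSR)
        path = writable
    proc = subprocess.run([path] + list(args), stdout=subprocess.PIPE,
                          stderr=subprocess.PIPE, universal_newlines=True, timeout=timeout)
    return proc.returncode, proc.stdout.strip()


# Intent name -> callable(target) returning a DynamoDB-storable result.
# Constructed mapping; "pingsweep" is a placeholder name for a bundled tool.
TEST_RUNNERS = {
    "PingSweep": lambda target: {"output": run_bundled("pingsweep", [target])[1]},
}


def _close(session, text):
    return {"sessionAttributes": session,
            "dialogAction": {"type": "Close", "fulfillmentState": "Fulfilled",
                             "message": {"contentType": "PlainText", "content": text}}}


def _delegate(session, slots):
    return {"sessionAttributes": session, "dialogAction": {"type": "Delegate", "slots": slots}}


def handler(event, context=None, table=None, runners=None):
    """Lex V1 entry point; Lex invokes it for dialog and fulfillment hooks."""
    intent = event["currentIntent"]
    slots = dict(intent.get("slots") or {})
    session = dict(event.get("sessionAttributes") or {})
    user_key = "user#" + event["userId"]
    table = table if table is not None else get_table()

    if event["invocationSource"] == "DialogCodeHook":
        # Auto-populate Target from the saved last target, then let Lex continue.
        if not slots.get("Target"):
            saved = table.get_item(Key={"pk": user_key, "sk": "last_target"}).get("Item")
            if saved:
                slots["Target"] = saved["target"]
        return _delegate(session, slots)

    target = slots.get("Target")
    if not target:
        return _close(session, "Which target should I test?")
    runner = (runners or TEST_RUNNERS).get(intent["name"])
    if runner is None:
        return _close(session, "No test is registered for %s." % intent["name"])
    result = runner(target)
    started = int(time.time())
    # One history row per run plus a single overwritten last_target row per user.
    table.put_item(Item={"pk": user_key, "sk": "test#%d" % started,
                         "intent": intent["name"], "target": target, "result": result})
    table.put_item(Item={"pk": user_key, "sk": "last_target", "target": target})
    return _close(session, "%s on %s: %s" % (intent["name"], target, result))
```

Injecting `table` and `runners` is what makes the handler testable against `MemoryTable` on a laptop before it is run under docker-lambda against DynamoDB Local, and the `history` rows keyed `test#<epoch>` are what a "view test history" intent would query per user.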
Accomplishments that I'm proud of
Too many to say. ;-)
What I learned
I learned the ease of building a bot with Amazon Lex and how easy it is to use Lambda functions.
What's next for RoboBot
You'll have to wait and see...