Blog

Coders Conquer Security Infrastructure as Code Series: Security Misconfiguration - Improper Permissions

Matias Madou, Ph.D.
Published Jun 08, 2020

Threats to cybersecurity these days are ubiquitous and relentless. It's gotten so bad that trying to keep up with them after programs are deployed has become almost impossible. Instead, shrewd organizations are embracing the concept of infrastructure as code, whereby developers contribute to crafting secure applications while they are still being created. This series is all about getting you security-ready, so you can understand steps you can take as a developer to begin deploying secure infrastructure as code in your own organization.

Security misconfigurations, especially those of the improper permissions variety, most often happen whenever a developer creates a new user or grants permission for an application as a tool in order to accomplish a task. For example, this could be done to collect information from a database. But if the permissions for the new user are set too high, or not configured by default for the task at hand, it can introduce a serious vulnerability into the code.

Before we get into it, why not test your skills right now? Try to find and fix some improper permission vulnerabilities:

How did you do? Let's dig a little deeper:

Giving a user or application full permissions, or simply never bothering to define what the new user should be able to accomplish and what behaviors are restricted, is certainly the fastest way to get new code in place. And if all goes perfectly well, the application will make use of those permissions to accomplish its assigned task. The danger is that a hacker will discover this process and then compromise that user. Even though the user was created to accomplish a specific function for a particular application, if compromised it can allow an attacker to endanger other applications, data or even the network.

How are security misconfigurations exploited?

To visualize the danger, let's take a look at how a common task is sometimes coded within the Docker cloud environment. Let's say that a developer is using the Prometheus MySQL Exporter service to collect information from a database. The easiest way to allow that to happen is to grant the exporter permission to access the database. So the code might be something like:

FROM mysql:latest
   COPY ./scripts/create_users.sh /docker-entrypoint-initdb.d/
   USER 999
     CREATE USER exporter@% IDENTIFIED BY $EXPORTER_PASSWORD;
       GRANT ALL ON *.* TO exporter@%;
       GRANT SELECT ON performance_schema.* TO exporter@%;

This would certainly make it so that the exporter could accomplish its task. However, because the permissions are not defined, the exporter actually has the ability to do almost anything. Obviously, the exporter itself would never act outside of its programmed behaviors. But what would happen if an attacker were able to compromise the exporter service? In that case, because it was given full permissions, the attacker could perform all kinds of unauthorized tasks with the SQL service.

Securing and eliminating improper permissions

Here again, we turn to the concept of infrastructure as code. If you code security into your applications as they are being created, then the network is always going to be on a much better overall footing when it comes to cybersecurity.

In the Docker example from above, if a developer wants the Prometheus MySQL Exporter to be able to query a database, they can make that happen more safely by defining what it should be allowed to accomplish. A good example of this would be:


FROM mysql:latest
COPY ./scripts/create_users.sh /docker-entrypoint-initdb.d/
USER 999
   CREATE USER exporter@% IDENTIFIED BY $EXPORTER_PASSWORD;
   GRANT PROCESS, REPLICATION CLIENT ON *.* TO exporter@%;
   GRANT SELECT ON performance_schema.* TO exporter@%;

In this case, the MySQL user configured for the Prometheus MySQL Exporter service only has restricted permissions over the MySQL service. Specifically, only PROCESS and REPLICATION CLIENT privileges are allowed. This would prevent a malicious user from taking advantage of a compromised Prometheus MySQL exporter service.

Restricting permissions at the code level can ensure that users and applications only have enough permissions for the task at hand. And that can go a long way to securing your networks and embracing the concept of infrastructure as code.

Check out the Secure Code Warrior blog pages for more insight about this vulnerability and how to protect your organization and customers from the ravages of other security flaws. You can also try our showcase of the Secure Code Warrior training platform to keep all your cybersecurity skills honed and up-to-date.

View Resource
View Resource

Security misconfigurations, especially those of the improper permissions variety, most often happen whenever a developer creates a new user or grants permission for an application as a tool in order to accomplish a task.

Interested in more?

Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.

Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.

Book a demo
Share on:
Author
Matias Madou, Ph.D.
Published Jun 08, 2020

Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.

Matias is a researcher and developer with more than 15 years of hands-on software security experience. He has developed solutions for companies such as Fortify Software and his own company Sensei Security. Over his career, Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon.

Matias holds a Ph.D. in Computer Engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application.

Share on:

Threats to cybersecurity these days are ubiquitous and relentless. It's gotten so bad that trying to keep up with them after programs are deployed has become almost impossible. Instead, shrewd organizations are embracing the concept of infrastructure as code, whereby developers contribute to crafting secure applications while they are still being created. This series is all about getting you security-ready, so you can understand steps you can take as a developer to begin deploying secure infrastructure as code in your own organization.

Security misconfigurations, especially those of the improper permissions variety, most often happen whenever a developer creates a new user or grants permission for an application as a tool in order to accomplish a task. For example, this could be done to collect information from a database. But if the permissions for the new user are set too high, or not configured by default for the task at hand, it can introduce a serious vulnerability into the code.

Before we get into it, why not test your skills right now? Try to find and fix some improper permission vulnerabilities:

How did you do? Let's dig a little deeper:

Giving a user or application full permissions, or simply never bothering to define what the new user should be able to accomplish and what behaviors are restricted, is certainly the fastest way to get new code in place. And if all goes perfectly well, the application will make use of those permissions to accomplish its assigned task. The danger is that a hacker will discover this process and then compromise that user. Even though the user was created to accomplish a specific function for a particular application, if compromised it can allow an attacker to endanger other applications, data or even the network.

How are security misconfigurations exploited?

To visualize the danger, let's take a look at how a common task is sometimes coded within the Docker cloud environment. Let's say that a developer is using the Prometheus MySQL Exporter service to collect information from a database. The easiest way to allow that to happen is to grant the exporter permission to access the database. So the code might be something like:

FROM mysql:latest
   COPY ./scripts/create_users.sh /docker-entrypoint-initdb.d/
   USER 999
     CREATE USER exporter@% IDENTIFIED BY $EXPORTER_PASSWORD;
       GRANT ALL ON *.* TO exporter@%;
       GRANT SELECT ON performance_schema.* TO exporter@%;

This would certainly make it so that the exporter could accomplish its task. However, because the permissions are not defined, the exporter actually has the ability to do almost anything. Obviously, the exporter itself would never act outside of its programmed behaviors. But what would happen if an attacker were able to compromise the exporter service? In that case, because it was given full permissions, the attacker could perform all kinds of unauthorized tasks with the SQL service.

Securing and eliminating improper permissions

Here again, we turn to the concept of infrastructure as code. If you code security into your applications as they are being created, then the network is always going to be on a much better overall footing when it comes to cybersecurity.

In the Docker example from above, if a developer wants the Prometheus MySQL Exporter to be able to query a database, they can make that happen more safely by defining what it should be allowed to accomplish. A good example of this would be:


FROM mysql:latest
COPY ./scripts/create_users.sh /docker-entrypoint-initdb.d/
USER 999
   CREATE USER exporter@% IDENTIFIED BY $EXPORTER_PASSWORD;
   GRANT PROCESS, REPLICATION CLIENT ON *.* TO exporter@%;
   GRANT SELECT ON performance_schema.* TO exporter@%;

In this case, the MySQL user configured for the Prometheus MySQL Exporter service only has restricted permissions over the MySQL service. Specifically, only PROCESS and REPLICATION CLIENT privileges are allowed. This would prevent a malicious user from taking advantage of a compromised Prometheus MySQL exporter service.

Restricting permissions at the code level can ensure that users and applications only have enough permissions for the task at hand. And that can go a long way to securing your networks and embracing the concept of infrastructure as code.

Check out the Secure Code Warrior blog pages for more insight about this vulnerability and how to protect your organization and customers from the ravages of other security flaws. You can also try our showcase of the Secure Code Warrior training platform to keep all your cybersecurity skills honed and up-to-date.

View Resource
View Resource

Fill out the form below to download the report

We would like your permission to send you information on our products and/or related secure coding topics. We’ll always treat your personal details with the utmost care and will never sell them to other companies for marketing purposes.

Submit
To submit the form, please enable 'Analytics' cookies. Feel free to disable them again once you're done.

Threats to cybersecurity these days are ubiquitous and relentless. It's gotten so bad that trying to keep up with them after programs are deployed has become almost impossible. Instead, shrewd organizations are embracing the concept of infrastructure as code, whereby developers contribute to crafting secure applications while they are still being created. This series is all about getting you security-ready, so you can understand steps you can take as a developer to begin deploying secure infrastructure as code in your own organization.

Security misconfigurations, especially those of the improper permissions variety, most often happen whenever a developer creates a new user or grants permission for an application as a tool in order to accomplish a task. For example, this could be done to collect information from a database. But if the permissions for the new user are set too high, or not configured by default for the task at hand, it can introduce a serious vulnerability into the code.

Before we get into it, why not test your skills right now? Try to find and fix some improper permission vulnerabilities:

How did you do? Let's dig a little deeper:

Giving a user or application full permissions, or simply never bothering to define what the new user should be able to accomplish and what behaviors are restricted, is certainly the fastest way to get new code in place. And if all goes perfectly well, the application will make use of those permissions to accomplish its assigned task. The danger is that a hacker will discover this process and then compromise that user. Even though the user was created to accomplish a specific function for a particular application, if compromised it can allow an attacker to endanger other applications, data or even the network.

How are security misconfigurations exploited?

To visualize the danger, let's take a look at how a common task is sometimes coded within the Docker cloud environment. Let's say that a developer is using the Prometheus MySQL Exporter service to collect information from a database. The easiest way to allow that to happen is to grant the exporter permission to access the database. So the code might be something like:

FROM mysql:latest
   COPY ./scripts/create_users.sh /docker-entrypoint-initdb.d/
   USER 999
     CREATE USER exporter@% IDENTIFIED BY $EXPORTER_PASSWORD;
       GRANT ALL ON *.* TO exporter@%;
       GRANT SELECT ON performance_schema.* TO exporter@%;

This would certainly make it so that the exporter could accomplish its task. However, because the permissions are not defined, the exporter actually has the ability to do almost anything. Obviously, the exporter itself would never act outside of its programmed behaviors. But what would happen if an attacker were able to compromise the exporter service? In that case, because it was given full permissions, the attacker could perform all kinds of unauthorized tasks with the SQL service.

Securing and eliminating improper permissions

Here again, we turn to the concept of infrastructure as code. If you code security into your applications as they are being created, then the network is always going to be on a much better overall footing when it comes to cybersecurity.

In the Docker example from above, if a developer wants the Prometheus MySQL Exporter to be able to query a database, they can make that happen more safely by defining what it should be allowed to accomplish. A good example of this would be:


FROM mysql:latest
COPY ./scripts/create_users.sh /docker-entrypoint-initdb.d/
USER 999
   CREATE USER exporter@% IDENTIFIED BY $EXPORTER_PASSWORD;
   GRANT PROCESS, REPLICATION CLIENT ON *.* TO exporter@%;
   GRANT SELECT ON performance_schema.* TO exporter@%;

In this case, the MySQL user configured for the Prometheus MySQL Exporter service only has restricted permissions over the MySQL service. Specifically, only PROCESS and REPLICATION CLIENT privileges are allowed. This would prevent a malicious user from taking advantage of a compromised Prometheus MySQL exporter service.

Restricting permissions at the code level can ensure that users and applications only have enough permissions for the task at hand. And that can go a long way to securing your networks and embracing the concept of infrastructure as code.

Check out the Secure Code Warrior blog pages for more insight about this vulnerability and how to protect your organization and customers from the ravages of other security flaws. You can also try our showcase of the Secure Code Warrior training platform to keep all your cybersecurity skills honed and up-to-date.

Get Started

Click on the link below and download the PDF of this resource.

Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.

View reportBook a demo
View Resource
Share on:
Interested in more?

Share on:
Author
Matias Madou, Ph.D.
Published Jun 08, 2020

Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.

Matias is a researcher and developer with more than 15 years of hands-on software security experience. He has developed solutions for companies such as Fortify Software and his own company Sensei Security. Over his career, Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon.

Matias holds a Ph.D. in Computer Engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application.

Share on:

Threats to cybersecurity these days are ubiquitous and relentless. It's gotten so bad that trying to keep up with them after programs are deployed has become almost impossible. Instead, shrewd organizations are embracing the concept of infrastructure as code, whereby developers contribute to crafting secure applications while they are still being created. This series is all about getting you security-ready, so you can understand steps you can take as a developer to begin deploying secure infrastructure as code in your own organization.

Security misconfigurations, especially those of the improper permissions variety, most often happen whenever a developer creates a new user or grants permission for an application as a tool in order to accomplish a task. For example, this could be done to collect information from a database. But if the permissions for the new user are set too high, or not configured by default for the task at hand, it can introduce a serious vulnerability into the code.

Before we get into it, why not test your skills right now? Try to find and fix some improper permission vulnerabilities:

How did you do? Let's dig a little deeper:

Giving a user or application full permissions, or simply never bothering to define what the new user should be able to accomplish and what behaviors are restricted, is certainly the fastest way to get new code in place. And if all goes perfectly well, the application will make use of those permissions to accomplish its assigned task. The danger is that a hacker will discover this process and then compromise that user. Even though the user was created to accomplish a specific function for a particular application, if compromised it can allow an attacker to endanger other applications, data or even the network.

How are security misconfigurations exploited?

To visualize the danger, let's take a look at how a common task is sometimes coded within the Docker cloud environment. Let's say that a developer is using the Prometheus MySQL Exporter service to collect information from a database. The easiest way to allow that to happen is to grant the exporter permission to access the database. So the code might be something like:

FROM mysql:latest
   COPY ./scripts/create_users.sh /docker-entrypoint-initdb.d/
   USER 999
     CREATE USER exporter@% IDENTIFIED BY $EXPORTER_PASSWORD;
       GRANT ALL ON *.* TO exporter@%;
       GRANT SELECT ON performance_schema.* TO exporter@%;

This would certainly make it so that the exporter could accomplish its task. However, because the permissions are not defined, the exporter actually has the ability to do almost anything. Obviously, the exporter itself would never act outside of its programmed behaviors. But what would happen if an attacker were able to compromise the exporter service? In that case, because it was given full permissions, the attacker could perform all kinds of unauthorized tasks with the SQL service.

Securing and eliminating improper permissions

Here again, we turn to the concept of infrastructure as code. If you code security into your applications as they are being created, then the network is always going to be on a much better overall footing when it comes to cybersecurity.

In the Docker example from above, if a developer wants the Prometheus MySQL Exporter to be able to query a database, they can make that happen more safely by defining what it should be allowed to accomplish. A good example of this would be:


FROM mysql:latest
COPY ./scripts/create_users.sh /docker-entrypoint-initdb.d/
USER 999
   CREATE USER exporter@% IDENTIFIED BY $EXPORTER_PASSWORD;
   GRANT PROCESS, REPLICATION CLIENT ON *.* TO exporter@%;
   GRANT SELECT ON performance_schema.* TO exporter@%;

In this case, the MySQL user configured for the Prometheus MySQL Exporter service only has restricted permissions over the MySQL service. Specifically, only PROCESS and REPLICATION CLIENT privileges are allowed. This would prevent a malicious user from taking advantage of a compromised Prometheus MySQL exporter service.

Restricting permissions at the code level can ensure that users and applications only have enough permissions for the task at hand. And that can go a long way to securing your networks and embracing the concept of infrastructure as code.

Check out the Secure Code Warrior blog pages for more insight about this vulnerability and how to protect your organization and customers from the ravages of other security flaws. You can also try our showcase of the Secure Code Warrior training platform to keep all your cybersecurity skills honed and up-to-date.

Table of contents

Download PDF
View Resource
Interested in more?

Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.

Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.

Book a demoDownload
Share on:
Resource hub

Resources to get you started

More posts
Resource hub

Resources to get you started

More posts