The world of cloud based platform-as-a-service (PaaS) is about accelerating time to market for applications. With a PaaS, organizations can get up and running the cloud quickly, but one security researcher is warning that there may be an element of risk with that speed as well.
eSecurity Planet met up with Nicholas Percoco, senior VP at Trustwave SpiderlLabs, during the RSA conference last week to discuss the state of PaaS security. Percoco specifically took aim at the Red Hat OpenShift PaaS in his demo, though he cautioned that OpenShift is not necessarily vulnerable.
He noted that his team's exploration into PaaS security did not discover or report any particular CVE-type vulnerability in OpenShift itself. But he argued that PaaS is sold and marketed to users as if they don't have to worry about security -- and that simply isn't the case.
Trustwave found that users can go to the OpenShift github repository and get quick starts for popular apps such as the WordPress and Joomla content management systems. The versions that were publicly available to users were actually older outdated versions that had already been patched for vulnerabilities by the upstream projects, but not for OpenShift, Percoco said.
In Percoco's view, there is a question about who audits or polices the code that is available for PaaS users to use.
In a session he delivered at the RSA Security Conference last week, he and a co-presenter demonstrated just how easy it is for an evil application to end up in an OpenShift PaaS deployment.
Percoco explained that in the demo, Trustwave set up a scenario in which a chat server needed to be deployed quickly. The researcher then went to Github, found a tech support chat server application, logged into his OpenShift account, downloaded the chat server code and got it up and running on an OpenShift cloud instance.
"It was actually code that we planted in Github that had a fake vulnerability in it, that triggered a Web shell," Percoco explained. "What we wanted to show is that if a person was under pressure to get something up and running really quick and they just go and grab an application, they don't look at the code, they just install it."
Percoco argued that PaaS is being marketed to individuals that may not have the ability to review code.
The version of OpenShift that Trustwave tested is the freely available OpenShift online service. Red Hat also has the OpenShift Origin open source project, as well as OpenShift Enterprise for onsite enterprise deployments.
In the mobile app store model, both Apple and Google scan code in their respective marketplaces for security risks. In the PaaS model, the same is not necessarily true today.
Percoco stressed that Trustwave was focusing on the application layer and was working under the assumption that Red Hat is doing the right thing at the operating system level in terms of security.
"We're focusing on what we have control over in platform-as-a-service. This is what we can touch, this is what we can do, and these are the bad things that can happen," Percoco said.
Though Trustwave demonstrated its attack against Red Hat's OpenShift, the same threat could well apply to other PaaS services as well. The reason why Trustwave started with OpenShift is because it is free and easy to get up and running rapidly.
Risk of Third-party Apps
Though Trustwave demonstrated alleged insecurity with how the OpenShift PaaS works, Percoco said the vulnerability is actually a process-related issue. "Anybody can go and write their own software that can run on the platform," he said.
He added that the problem he is showcasing is similar to the one that Google Android has with third-party app stores. In that model, the user has chosen to download an app from a place other than Google Play, where Google scans code.
An official store where a subset of packages are available and audited by a trusted source is a potential solution.
In an email statement sent to eSecurity Planet, the Red Hat OpenShift team stated that one of the powerful aspects of the OpenShift PaaS is the ability for users and communities to be able to contribute and maintain their own cartridges or software. Red Hat has a core suite of cartridges that it supports and maintains along with its standard support lifecycles. Examples of these include the PHP, Perl, Python, Ruby and JBoss EAP cartridges. At the same time, OpenShift does support an ever-growing amount of user-contributed content.
"Whenever you are consuming software (open source or not) you have to choose carefully as to whether you trust the origin of that software," Red Hat stated. "However, we firmly believe in allowing our users to make that choice as they are in the best position to make that decision."
Red Hat added that if users want to consume software from a trusted vendor, OpenShift provides that option. Those cartridges and the underlying software are rigorously vetted for security and stability.
"At the same time, OpenShift also enables users to choose to use our platform with community software," Red Hat stated. "Along with that choice comes the risk and expectation that users are comfortable with the community behind that software or comfortable with the maintenance themselves."
In Percoco's view some of the cloud providers are marketing their services toward people that don't really understand technology and its security implications.
"They are really gearing for people where it's their first foray into cloud-based application development or maybe application development in general, so that's where dangerous things can happen," Percoco said.