This summer, I have been part of Viasat’s Security Engineering Intern Project (SEIP) team at the Austin, TX office. We have successfully developed a security pipeline for detecting vulnerabilities in code repositories and websites, and retrieving initial reconnaissance scans of targeted internal IP space. I worked on developing the front end of the web application, used offensive security tools to find open vulnerabilities, and also worked on a passion project – “Security Chatbot” to unleash the full potential of ChatOps using Amazon Web Services.
What makes ChatOps interesting?
ChatOps is part of the latest DevOps movement which is trying to amalgamate the roles of software and operations engineering. A trained chatbot can help in automating everyday operational tasks and enabling better information flow between teams.
Why is Serverless the future?
“Serverless” computing promises to save time and money by allowing developers to focus on creating robust applications instead of diverting time and resources to maintaining infrastructure. However, the term “Serverless” comes with some ambiguity; for our project, we defined it as those applications which wholly or significantly use Cloud Services (other than compute) for execution. It provides many advantages – seamless up-scaling, higher availability, and absolutely no requirement of server management.
How does it look from a 30,000-foot view?
When the chatbot gets assigned to a chatroom, the bot watches conversations within the room and responds to commands with the help of plugin scripts that perform the specific operations desired by the chatbot developer. The chatbot can notify the room about different tasks running in the project, track git commits, monitor health of services and apps, interactively provide data to the room from various sources, and even contribute to friendly discussions about daily life.
How can this bot help Cybersecurity?
The chatbot can be integrated further with monitoring tools, which can detect suspicious activities and report them in the chat rooms. It can help to identify security incidents as fast as possible.
Making the switch from Local to Cloud Containerization
Before integrating the chatbot with Amazon Web Services, we faced quite a few challenges. We had to deploy Redis as a separate running module to make the chatbot work. It took considerable time and troubleshooting to understand the intricacies of the chatbot and the chat infrastructure. After a lot of debugging, the bot was finally running successfully. To make life easier for the next developer to work on the bot, I decided to dockerize the bot and run it on AWS, specifically Elastic Container Service.
Understanding the Architecture
Docker is an excellent application packaging system for microservices. We built two Docker images – one from the chatbot repository and one for a Redis instance – and ran each as a Docker container. We ran the containers locally using docker-compose and checked that they could connect to each other. After a successful local run, we pushed the two images to the Amazon Elastic Container Service Repository.
Amazon Elastic Container Services (ECS) is an orchestration service which helps in running containerized applications. We created a task definition which uses AWS Fargate to add two docker containers using images from the ECS Repository. While creating the chatbot ECS container, we added the necessary environment variables for customization and HipChat authentication inside the AWS task definition form.
After creation of the task definition, we launched this new service as a cluster. The containers were launched inside Viasat’s own Amazon Virtual Private Cloud (VPC) to maintain data security and connectivity to the internal chat infrastructure.
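The task definition described above, written out as an added example (not the project's own definition): two containers in one Fargate task, the credentials injected as ECS secrets rather than typed into the task definition form, and a check that refuses to emit a definition in which a credential has been placed in a plaintext environment entry. The account id, image URIs, role and secret ARNs are constructed placeholders, and the WILL_* variable names are assumed from Will's settings convention, so verify them against the Will version in use.

```python
"""Build an ECS task definition for the two-container chatbot stack.

Added example, not the project's code. Account ids, image URIs, role and
secret ARNs are constructed placeholders. The WILL_* variable names follow
Will's settings convention but are assumed here; check them against the Will
version you run.
"""
import json

# Constructed placeholders (not real resources).
BOT_IMAGE = "123456789012.dkr.ecr.us-east-1.amazonaws.com/seipbot:latest"
REDIS_IMAGE = "123456789012.dkr.ecr.us-east-1.amazonaws.com/redis:latest"
EXECUTION_ROLE = "arn:aws:iam::123456789012:role/ecsTaskExecutionRole"
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:seipbot-AbCdEf"

# Variables that hold credentials and must never be plaintext environment entries.
CREDENTIAL_KEYS = {"WILL_PASSWORD", "WILL_V2_TOKEN", "WILL_SECRET_KEY"}


def container(name, image, port=None, environment=None, secrets=None, read_only=False):
    """One container definition with the hardening the post lists:
    non-root user, hard memory limit, optionally a read-only root filesystem."""
    spec = {
        "name": name,
        "image": image,
        "essential": True,
        "user": "1000:1000",              # do not run as root
        "memory": 256,                     # hard limit in MiB
        "readonlyRootFilesystem": read_only,
        "environment": [{"name": k, "value": v} for k, v in (environment or {}).items()],
        # ECS injects these from Secrets Manager at start-up; the plaintext
        # never appears in the task definition or the console.
        "secrets": [{"name": k, "valueFrom": v} for k, v in (secrets or {}).items()],
    }
    if port is not None:
        spec["portMappings"] = [{"containerPort": port, "protocol": "tcp"}]
    return spec


def build_task_definition():
    # Redis needs a writable data directory, so it keeps a writable root fs.
    redis = container("redis", REDIS_IMAGE, port=6379)
    bot = container(
        "seipbot", BOT_IMAGE, port=80, read_only=True,
        environment={
            "WILL_USERNAME": "12345_67890@chat.hipchat.com",  # placeholder
            # Containers of one awsvpc task share a network namespace, so
            # the bot reaches Redis on localhost instead of a service name.
            "WILL_REDIS_URL": "redis://127.0.0.1:6379/7",
            "WILL_ROOMS": "SEIP",
        },
        secrets={
            "WILL_PASSWORD": SECRET_ARN + ":password::",
            "WILL_V2_TOKEN": SECRET_ARN + ":token::",
            "WILL_SECRET_KEY": SECRET_ARN + ":secret_key::",
        },
    )
    return {
        "family": "seipbot",
        "networkMode": "awsvpc",              # required for Fargate
        "requiresCompatibilities": ["FARGATE"],
        "cpu": "256",
        "memory": "512",
        "executionRoleArn": EXECUTION_ROLE,   # lets ECS pull images and read secrets
        "containerDefinitions": [redis, bot],
    }


def plaintext_credentials(task_def):
    """Names of credential variables that leaked into plaintext environment
    entries; an empty list means the definition is safe to register."""
    leaks = []
    for c in task_def["containerDefinitions"]:
        for env in c.get("environment", []):
            if env["name"] in CREDENTIAL_KEYS:
                leaks.append(f"{c['name']}:{env['name']}")
    return leaks


def to_json(task_def):
    """Serialize for `aws ecs register-task-definition --cli-input-json`."""
    if plaintext_credentials(task_def):
        raise ValueError("refusing to emit a task definition with plaintext credentials")
    return json.dumps(task_def, indent=2)


if __name__ == "__main__":
    print(to_json(build_task_definition()))
```

Write the output to a file and register it with `aws ecs register-task-definition --cli-input-json file://seipbot-task.json`; the execution role must be allowed to read the referenced secret, otherwise the task fails to start.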
How does the Chatbot work?
The SEIP (Security Engineering Intern Project) bot is a customized chatbot inheriting from Will, an open-source chatbot framework. The SEIP bot listens for and responds to simple commands. It inherits the original plugins in the Will chatbot framework, and teams can customize and add different DevOps functionality into plugin scripts to extend the chatbot.
The Right-Handed Brain of the Chatbot
Our SEIPbot can respond to things happening inside a connected chat room.
If you want to talk to the chatbot directly, you can use @SEIPbot to send him a message in a group chat room; the handler below is a method of a Will plugin class:
    @respond_to("hi")
    def say_hello(self, message):
        # Fires only when the message is addressed to the bot.
        self.say("hello!")
The bot hears conversations inside a room:
    # The pattern is a regular expression, so the leading "?" must be escaped.
    @hear(r"\?ip_address")
    def send_image(self, message):
        self.say("Check for vulnerability")
How secure is the Chatbot?
As an intern working for the Security Engineering team, I tried to analyze the security posture of the serverless chatbot. Hackers generally attack the application through exposed services and infrastructure, and we need to ensure that the infrastructure has the right end-to-end security mechanisms. Are we giving the right access to the right people for the right job? Can we ensure that message transfers are all encrypted? Does it lack some security mechanisms that are necessary to protect it?
How secure is going serverless on AWS?
We had to consider how secure it is to host a chatbot on AWS. The AWS Infrastructure itself is highly secure and stores all information inside their private data centers. There are different ways in which AWS allows customers to secure applications and infrastructure running in their cloud space. We utilized Virtual Private Cloud, enabling us to deploy our containers on a virtual private network connected to Viasat directly. Additionally, we used security groups to control inbound and outbound traffic, further limiting exposure.
Do we need to secure containers on ECS?
The Amazon Elastic Container Service uses images and resources to run applications with the help of AWS Fargate. The Fargate service helps in launching containers and managing the container infrastructure. The ECS containers run on Linux LXC Containers which provide better security than regular VMs. This combination has many security-related benefits such as immutable infrastructure, no SSH to containers, and no system users. To add more security best practices, developers can limit memory and networking, and set containers to run as a non-root user. In our case, the credentials – username, password, and a token – are passed on to the task definition while creating the chatbot container.
What is OAuth 2?
OAuth2 is an authentication framework which delegates user account controls using secure tokens to the service which is hosting applications. To know more about OAuth 2, this link (https://oauth.net/2/) is helpful.
How does chatbot authenticate itself to join a room?
The chatbot uses a username, password, and personal OAuth 2 token to join a room. There are various scopes of the OAuth2 chatbot token: administering the group, viewing a room, sending a message, viewing a message, and managing rooms. After successfully authenticating the correct credentials, the chatbot enters the allocated room.
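A least-privilege check on the token scopes listed above, added here as an example and not part of the original post. A bot that only listens and answers in rooms it has already been placed in needs the viewing and sending scopes, not the administering or room-management ones; the short scope identifiers and the token-info payload are constructed for this example, so map them to your chat server's real scope names before use.

```python
"""Audit an OAuth 2 bot token's scopes against what the bot actually needs.

Added example, not part of the original post. The five scope descriptions
come from the post; the short identifiers and the token-info payload below
are constructed for this example.
"""
import json

# Scopes described in the post, keyed by a constructed identifier.
SCOPES = {
    "admin_group": "administering the group",
    "view_room": "viewing a room",
    "send_message": "sending a message",
    "view_messages": "viewing messages",
    "manage_rooms": "managing rooms",
}

# Least privilege for a bot that hears and answers in rooms it is already in.
REQUIRED = frozenset({"view_room", "view_messages", "send_message"})

# Constructed sample of a token-introspection style response: the token was
# issued with an administrative scope the bot never uses.
SAMPLE_TOKEN_INFO = json.dumps({
    "client_name": "SEIPbot",
    "scopes": ["admin_group", "view_room", "send_message", "view_messages"],
})


def audit_scopes(token_info_json, required=REQUIRED):
    """Compare granted scopes with the required set.

    Returns the scopes the bot lacks, the scopes it holds but does not need,
    and whether the token is exactly least-privilege. Unknown scope names are
    an error rather than silently ignored."""
    info = json.loads(token_info_json)
    granted = set(info.get("scopes", []))
    unknown = granted - SCOPES.keys()
    if unknown:
        raise ValueError(f"unknown scopes in token: {sorted(unknown)}")
    return {
        "missing": sorted(required - granted),
        "excess": sorted(granted - required),
        "least_privilege": granted == set(required),
    }


def deployable(token_info_json):
    """True only if nothing is missing and no excess scope is granted."""
    result = audit_scopes(token_info_json)
    return not result["missing"] and not result["excess"]


if __name__ == "__main__":
    report = audit_scopes(SAMPLE_TOKEN_INFO)
    for kind in ("missing", "excess"):
        for scope in report[kind]:
            print(f"{kind}: {scope} ({SCOPES[scope]})")
    print("deployable:", deployable(SAMPLE_TOKEN_INFO))
```

Running this against the sample reports `admin_group` as excess; the fix is to re-issue the token with only the three required scopes rather than to keep the wider one.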
Who else is allowed to join the room?
Presently, the bot gets allocated to a private chat room. Only assigned users can get access to that room. However, for future use, we would enable Role Based Access Control lists to more granularly define which users can trigger which commands and get notifications.
The short and long-term memory of Will (pub-sub and storage) is encrypted by AES. We have added validation methods to sanitize the input given by the team member. The bot only responds to the commands which are devised by the developer and doesn’t respond to other commands.
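An added example, not code from the post or from the Will framework, that ties together the command handlers shown earlier (respond_to for direct messages, hear for room traffic), the per-command access control planned above and the input validation this paragraph describes. It mimics Will's decorator style with a small stand-alone dispatcher so it runs without the framework or a chat server; the user names, role assignments and room traffic are constructed for the example.

```python
"""Command routing with input validation and per-command access control.

Added example, not code from the post or the Will framework: it mimics
Will's respond_to/hear style with a stand-alone dispatcher. User names, roles
and the sample messages are constructed for this example.
"""
import ipaddress
import re

# Constructed role assignments; in a real deployment these would live in
# the bot's settings or storage, not in the plugin.
ROLES = {
    "alice": {"secops"},
    "bob": {"dev"},
}

_handlers = []


def command(pattern, roles=None, direct=False):
    """Register a handler. roles=None means anyone in the room may trigger it
    (like Will's hear); direct=True requires the message to be addressed to
    the bot (like Will's respond_to)."""
    def register(func):
        _handlers.append((re.compile(pattern), frozenset(roles or ()), direct, func))
        return func
    return register


def allowed(user, roles):
    """Unrestricted commands pass; otherwise the user needs one listed role."""
    return not roles or bool(ROLES.get(user, set()) & roles)


@command(r"^hi$", direct=True)
def say_hello(user, match):
    return "hello!"


@command(r"^\?ip_address\s+(.+)$", roles={"secops"})
def check_ip(user, match):
    # Validate strictly: parse the argument as an IP address and never hand
    # the raw chat text to a shell or a scanner command line.
    try:
        ip = ipaddress.ip_address(match.group(1).strip())
    except ValueError:
        return "Not a valid IP address."
    if not ip.is_private:
        return "Only internal address space may be checked."
    return f"Check for vulnerability: {ip}"


def handle(user, text, bot="SEIPbot"):
    """Dispatch one chat line; None means the bot stays silent, which is the
    behaviour for anything that is not a command the developer defined."""
    mention = f"@{bot} "
    direct = text.startswith(mention)
    body = (text[len(mention):] if direct else text).strip()
    for pattern, roles, needs_direct, func in _handlers:
        if needs_direct and not direct:
            continue
        match = pattern.match(body)
        if not match:
            continue
        if not allowed(user, roles):
            return f"@{user} you are not allowed to run this command."
        return func(user, match)
    return None


if __name__ == "__main__":
    # Constructed room traffic.
    for user, line in [
        ("alice", "@SEIPbot hi"),
        ("alice", "hi"),
        ("alice", "?ip_address 10.0.0.5"),
        ("bob", "?ip_address 10.0.0.5"),
        ("alice", "?ip_address 10.0.0.5; cat /etc/passwd"),
        ("alice", "?ip_address 8.8.8.8"),
    ]:
        print(f"{user}: {line!r} -> {handle(user, line)!r}")
```

The regular expression deliberately captures the whole remainder of the line so that malformed arguments reach the validator and get a clear refusal instead of being silently ignored, and the role check runs before the handler so an unauthorized user never triggers the underlying operation.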
Thank you Viasat
I would like to take this opportunity to convey my gratitude to all the innovative people I have interacted with at Viasat. The Security Engineering Internship has helped me put on my Security Hat when analyzing things in daily and work life. It has certainly boosted my technical skills and I am more confident about how to design architectures on Cloud services. I would personally thank Mark Turner and the entire senior engineer crew, Gloria Chauskey and John Pope for their help and the belief that I could continue working with this passion project. Viasat’s culture is new and different, and new ideas are always welcome.
For more about how the SEIP bot is helping security teams at Viasat, check out my next article: How SEIP bot can help Network Vulnerability Analysis.