Software Vulnerability Management in Cloud

COMPANY

Revenera (formerly Palamida), San Francisco, United States

PROJECT

Software Vulnerability Management (SVM) is one of the product offerings at Revenera that helps its enterprise customers build software with reduced security and licensing risk. It is offered as a Cloud Edition and an On-Premise Edition. Using this solution, companies assess, prioritize, and fix vulnerabilities in their codebases before the risk increases. Both the Cloud and On-Premise editions of SVM are available to customers with built-in modules for the following.

  • Initial configuration to set up the account, account directories, password policies and disk partitions.
  • Code scanning using either an installable agent or a remote scan using the Cloud Edition.
  • Assessment of vulnerability priorities.
  • Patching via the Vendor Patch Module.
  • Policy Manager to configure internal compliance policy rules and associate them with the customer account.
  • Extensive reporting with dashboards for threat intelligence and maintenance.

TECHNOLOGY STACK

  • Node.js
  • Docker
  • AWS Cloud
  • Apache Solr
  • Apache Solr Cloud
  • Micro Services Design and Implementation
  • OAuth2.0
  • MySQL
  • Java/Groovy

GOALS

  • Enterprise customers should be able to use the Cloud Edition of the SVM product, perform code scanning and get actionable reports. These reports should clearly show the third-party libraries used in the codebase, their licenses and their vulnerabilities, if any.
  • To access the Cloud Edition of SVM, there should be mechanisms in place for target hosts to be authenticated for automated, agentless remote scanning.
  • The SVM product should be able to send requests to the internal services and retrieve information about the various open source software components: their digest files, versions, licenses, and vulnerabilities.
  • Revenera needed a designed and implemented solution consisting of microservices to handle client requests from within the SVM product.
  • The solution should be fast and secure, and it should return accurate results for code scanning queries.

APPROACH

I worked as a full-time engineer with the team for 11 months. During this period, my role was to research and prototype a production-grade cloud solution to offer data as a service. I later transitioned to a remote engineer role to support the cloud SVM product's development and maintenance. To achieve the goals that were outlined, I performed the following tasks.

  • Researched distributed indexing and search capabilities for the vulnerability data in the cloud using SolrCloud.
  • Explored the authentication mechanisms to keep the microservices secure and available for authorized users.
  • De-normalized the data from SQL databases and tokenized them into documents that could be searched using Apache Solr.
  • Worked on configuration, setup and generation of Solr indexes for open source software components and their metadata. This helped achieve fast search capabilities over millions of documents in the collections.
  • Developed Node.js based services for authentication and querying so they could serve as an entry point for customers to leverage Vulnerability Management Solution.
  • Investigated and modeled service discovery and registration on AWS cloud with the use of open source library Eureka from Netflix and deployed Eureka servers on AWS EC2 machines.
  • Created docker images and leveraged docker containers to run microservices on limited EC2 machines to reduce the hardware and deployment cost.
  • Implemented load balancing strategies with the use of proxy services.
  • Used AWS for deployments, the CodeCommit source control service to push and collaborate on code, CloudWatch for service monitoring, and Amazon S3 and EBS for storage.
  • Collaborated remotely with teams based out of San Francisco during the development and maintenance of Cloud infrastructure.

RESULTS

  • The solution was successfully developed and deployed in the cloud.
  • The solution turned out to be cost effective, since multiple services could run inside Docker containers on a single EC2 machine and testing did not need dedicated EC2 instances either.
  • The company is offering the Cloud Edition of the SVM product to its enterprise customers.