Developed for VULNVISION
Project Title: Vulnvision On-Premise Installer
Summary/Introduction
This is a secure, self-contained installer for the Vulnvision system, designed for on-premise deployment. Built with Go, it automates the entire installation process and protects sensitive data through strong encryption and secure configuration management. The installer guarantees a consistent and secure setup across diverse host environments from a single command.
Problem Statement
On-premise software deployment is often a complex and error-prone process, requiring manual configuration of sensitive data like API keys and database credentials. This can expose secrets and lead to misconfigurations that create security vulnerabilities. The goal was to develop a single, highly secure, and automated installer that simplifies this process for the end-user while maintaining the highest level of encryption for all sensitive information.
Technologies Used
Language: Go (Golang)
Cryptography: Go's crypto standard library, leveraging packages like crypto/aes for symmetric encryption and crypto/rsa for key management.
User Interface: A command-line interface (CLI) with user prompts for input, built with a Go library like cobra or urfave/cli.
Networking: Go's net/http package to securely fetch necessary files or contact the License Guard system over HTTPS.
File System: Go's os and io packages for handling file and directory creation, permissions, and file content.
Self-Contained Single Binary: The entire installer is a single executable file, eliminating dependency hell and simplifying distribution.
High-Level Encryption: All sensitive configuration data, such as database passwords and API keys, is encrypted at rest using AES-256 with a key derived from a strong passphrase provided by the user during installation.
Secure License Verification: The installer securely communicates with the cloud-based License Guard system to validate the installation license using HTTPS and a unique installation token.
Automated Configuration: The installer prompts the user for necessary inputs (e.g., database connection details, license key) and then programmatically generates and encrypts the configuration files.
Robust Error Handling: The installer includes comprehensive error checking for every step, from file permissions to network connectivity, providing clear feedback to the user if something goes wrong.
Cross-Platform Compatibility: Go's cross-compilation capabilities allow the installer to be built for Windows, macOS, and Linux from the same codebase.
Challenge: Securely handling and storing the encryption key for configuration files on the user's machine. Simply embedding the key in the binary is a major security risk.
Solution: Instead of a hardcoded key, the installer asks the user for a strong passphrase during initial setup. This passphrase is then used with a key derivation function
Challenge: Ensuring the integrity and authenticity of the software packages downloaded by the installer. An attacker could tamper with the packages in transit.
Solution: The installer verifies the cryptographic hash (e.g., SHA-256) of all downloaded files against a known good hash list, which is signed with a private key. This ensures that the downloaded files haven't been modified and are truly from a trusted source.
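The check described above, sketched as an added example (this is not the installer's own code). It assumes an RSA-PSS signature over the manifest and a manifest with one "<hex sha256>  <filename>" line per file; the function names, the file name pkg.tar.gz and the sample data are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// VerifyPackage authenticates the manifest first, then checks data against its signed entry.
func VerifyPackage(pub *rsa.PublicKey, manifest, sig []byte, name string, data []byte) error {
	md := sha256.Sum256(manifest)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, md[:], sig, nil); err != nil {
		return fmt.Errorf("manifest signature invalid: %w", err) // never read unsigned hashes
	}
	for _, line := range strings.Split(string(manifest), "\n") {
		f := strings.Fields(line)
		if len(f) == 2 && f[1] == name {
			want, err := hex.DecodeString(f[0])
			got := sha256.Sum256(data)
			if err != nil || !bytes.Equal(got[:], want) {
				return fmt.Errorf("bad or mismatched hash for %s", name)
			}
			return nil
		}
	}
	return fmt.Errorf("%s is not listed in the signed manifest", name) // fail closed
}

// signDemoManifest plays the publisher with a throwaway key (constructed sample data).
func signDemoManifest(name string, pkg []byte) (*rsa.PublicKey, []byte, []byte) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	sum := sha256.Sum256(pkg)
	manifest := []byte(hex.EncodeToString(sum[:]) + "  " + name + "\n")
	md := sha256.Sum256(manifest)
	sig, _ := rsa.SignPSS(rand.Reader, key, crypto.SHA256, md[:], nil)
	return &key.PublicKey, manifest, sig
}

func main() {
	pkg := []byte("constructed package bytes")
	pub, m, sig := signDemoManifest("pkg.tar.gz", pkg)
	fmt.Println("intact:  ", VerifyPackage(pub, m, sig, "pkg.tar.gz", pkg))
	fmt.Println("tampered:", VerifyPackage(pub, m, sig, "pkg.tar.gz", append(pkg, 0)))
}
```

In a real installer the public key would be compiled into the binary, so a tampered download channel cannot substitute both the manifest and the key.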
This project provided a deep dive into the practical application of cryptography and security principles in a real-world scenario. I gained extensive experience with Go's standard crypto libraries, secure key management, and building robust, user-friendly command-line applications. It also highlighted the critical differences between cloud-based and on-premise software delivery and the unique security considerations each requires.
This video on writing secure Go code might be a helpful resource for this kind of project. Eight Best Practices for Writing Secure Go Code.