DevSecOps

Integrating Security into your CI/CD Pipeline

 

  • Software Engineer @ codecentric AG
  • Consultant @ Styrascosoft GbR
  • Trainer @ bee42
  • Testcontainers Maintainer and Open Source Enthusiast
  • Oracle Developer Champion & Groundbreaker Ambassador
  • Organizer Software Craftsmanship Meetup Ruhr

Kevin Wittek                            @kiview

Classic Development Pipeline

Excursion: Pentesting

  • Usually part of a quality gateway
  • Often misplaced in the classical development process:
    • Too early => Nothing productive to test
    • Too late => Critical findings threaten release date
  • What is the motivation for a pentest?

Motivation

  • Integrate security into fast DevOps cycles
  • Find low hanging fruits by automated tools
  • Use pentests for more complex issues
  • Security awareness in developer context

Modern build pipeline

Stage                 | Available Artifacts
----------------------|-----------------------------------------
Build                 | Source Code, Byte Code, Dependencies
Docker build          | Container Image
Staging / Production  | Container Image, Configured Environment

Modern build pipeline

Dependency Check

Demo

Excursion: CVE, CPE, GAV

  • CVE: Common Vulnerabilities and Exposures
  • CPE: Common Platform Enumeration
  • GAV: Maven Group:Artifact:Version

Excursion: CVE, CPE, GAV

  <entry id="CVE-2012-5055">
  ...
    <vuln:vulnerable-software-list>
      <vuln:product>cpe:/a:vmware:springsource_spring_security:3.1.2</vuln:product>
      <vuln:product>cpe:/a:vmware:springsource_spring_security:2.0.4</vuln:product>
      <vuln:product>cpe:/a:vmware:springsource_spring_security:3.0.1</vuln:product>
    </vuln:vulnerable-software-list>
  ...
  </entry>

cpe:/[Entry Type]:[Vendor]:[Product]:[Version]:[Revision]:…

<!-- org.springframework.security:spring-security-core:3.0.1.RELEASE -->
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
    <version>3.0.1.RELEASE</version>
</dependency>
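The three slides above show the data a dependency checker has to join: a CVE entry listing vulnerable CPE URIs, the CPE field layout, and a Maven GAV coordinate from the POM. The following Python script is an added example (not code from the talk or from any dependency-check tool) that performs that join end to end: it parses a constructed NVD-style XML fragment modelled on the CVE-2012-5055 entry, splits each CPE 2.2 URI into its fields, normalises Maven version qualifiers such as `.RELEASE`, and reports which CVEs name the exact version in a GAV. The `GAV_TO_CPE_NAME` alias table is a hypothetical simplification; a real scanner derives vendor and product evidence from the POM, JAR manifest and package names rather than a fixed lookup, and the namespace URIs are taken from the NVD 2.0 feed as I recall them.

```python
import re
import xml.etree.ElementTree as ET

# Namespace URIs as used by the NVD 2.0 XML feed; the feed text itself is constructed.
NS = {
    "feed": "http://scap.nist.gov/schema/feed/vulnerability/2.0",
    "vuln": "http://scap.nist.gov/schema/vulnerability/0.4",
}

# Constructed sample shaped like the NVD feed entry shown on the slide.
SAMPLE_FEED = """<nvd xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0"
     xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4">
  <entry id="CVE-2012-5055">
    <vuln:vulnerable-software-list>
      <vuln:product>cpe:/a:vmware:springsource_spring_security:3.1.2</vuln:product>
      <vuln:product>cpe:/a:vmware:springsource_spring_security:2.0.4</vuln:product>
      <vuln:product>cpe:/a:vmware:springsource_spring_security:3.0.1</vuln:product>
    </vuln:vulnerable-software-list>
  </entry>
</nvd>
"""

# Hypothetical alias table (assumption): maps Maven group/artifact to CPE vendor/product.
GAV_TO_CPE_NAME = {
    ("org.springframework.security", "spring-security-core"):
        ("vmware", "springsource_spring_security"),
}

# Field order of a CPE 2.2 URI: cpe:/[part]:[vendor]:[product]:[version]:[update]:...
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_cpe(uri):
    """Split a CPE 2.2 URI into a dict of its named fields (missing fields become '')."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    values = uri[len("cpe:/"):].split(":")
    values += [""] * (len(CPE_FIELDS) - len(values))
    return dict(zip(CPE_FIELDS, values[:len(CPE_FIELDS)]))


def normalize_version(version):
    """Keep only the leading dotted-numeric part, so 3.0.1.RELEASE compares as 3.0.1."""
    match = re.match(r"\d+(?:\.\d+)*", version)
    return match.group(0) if match else version


def vulnerable_cpes(feed_xml):
    """Map each CVE id in the feed to the parsed CPEs it lists as vulnerable."""
    root = ET.fromstring(feed_xml)
    result = {}
    for entry in root.findall("feed:entry", NS):
        products = entry.findall("vuln:vulnerable-software-list/vuln:product", NS)
        result[entry.get("id")] = [parse_cpe(p.text.strip()) for p in products]
    return result


def find_cves_for_gav(gav, feed_xml, aliases=GAV_TO_CPE_NAME):
    """Return the CVE ids whose vulnerable CPE list names this GAV's exact version."""
    group, artifact, version = gav.split(":")
    vendor_product = aliases.get((group, artifact))
    if vendor_product is None:
        return []  # no evidence linking this artifact to any CPE vendor/product
    wanted = normalize_version(version)
    hits = []
    for cve_id, cpes in vulnerable_cpes(feed_xml).items():
        for cpe in cpes:
            if ((cpe["vendor"], cpe["product"]) == vendor_product
                    and normalize_version(cpe["version"]) == wanted):
                hits.append(cve_id)
                break  # one matching CPE is enough to flag this CVE
    return sorted(hits)


if __name__ == "__main__":
    gav = "org.springframework.security:spring-security-core:3.0.1.RELEASE"
    print(gav, "->", find_cves_for_gav(gav, SAMPLE_FEED))
```

The exact-version comparison is deliberate: NVD entries of this era enumerate affected versions one by one, so a checker that only knows the CPE list must treat "not listed" as "no finding", which is also why false negatives from naming mismatches (the vendor/product alias step) are the main weakness of this approach.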

Static Code Analysis

https://www.veracode.com/

https://www.checkmarx.com/

https://www.microfocus.com/de-de/products/static-code-analysis-sast/overview

https://find-sec-bugs.github.io/

Demo

Image scanning

http://layeredinsight.com/

https://github.com/coreos/clair/

https://docs.docker.com/ee/dtr/user/manage-images/scan-images-for-vulnerabilities/

Dynamic Scanner

http://www.zaproxy.org/

https://portswigger.net/burp

ZAP + Docker/testcontainers

Excursion: OWASP Top 10

  • A1:2017-Injection (SQLi, ...)
  • A7:2017-Cross-Site Scripting (XSS)
    • Persistent XSS
    • (Reflected, DOM based, Mutation based)

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project
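The two OWASP categories named on the slide, A1 Injection and A7 Persistent XSS, are what a dynamic scanner such as ZAP is looking for during a pipeline run. The Python script below is an added example (not code from the talk) that shows each defect beside its fix in a form a developer can keep as a pipeline test: an SQLite login built by string concatenation versus a parameterised query, and a stored-comment page rendered with raw interpolation versus HTML escaping. The tables, users and inputs are constructed for the example; `check()` returns booleans so a build can fail on the vulnerable variants.

```python
import html
import sqlite3


def make_db():
    """In-memory SQLite database with a constructed users table and a comments table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("CREATE TABLE comments (author TEXT, body TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    conn.commit()
    return conn


# --- A1:2017 Injection -------------------------------------------------------

def login_vulnerable(conn, name, password):
    """Builds SQL by concatenation, so user input is parsed as SQL syntax."""
    query = ("SELECT name FROM users WHERE name = '" + name
             + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]


def login_fixed(conn, name, password):
    """Parameterised statement: values travel separately from the SQL text."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


# --- A7:2017 Persistent (stored) XSS -------------------------------------------

def store_comment(conn, author, body):
    """Persist a comment; storage itself is parameterised and therefore safe from A1."""
    conn.execute("INSERT INTO comments VALUES (?, ?)", (author, body))
    conn.commit()


def render_comments_vulnerable(conn):
    """Interpolates stored text straight into HTML, so markup in data becomes markup in the page."""
    rows = conn.execute("SELECT author, body FROM comments").fetchall()
    return "".join("<li><b>%s</b>: %s</li>" % (a, b) for a, b in rows)


def render_comments_fixed(conn):
    """Escapes every untrusted value for the HTML text context before output."""
    rows = conn.execute("SELECT author, body FROM comments").fetchall()
    return "".join("<li><b>%s</b>: %s</li>" % (html.escape(a), html.escape(b))
                   for a, b in rows)


# Constructed test inputs: a quote that breaks out of the SQL string literal,
# and a comment body containing a script tag.
SQL_PROBE = "' OR '1'='1"
XSS_PROBE = "<script>alert(1)</script>"


def check():
    """Run both variants of each handler and report whether the defect is present."""
    conn = make_db()
    results = {
        # vulnerable login returns rows although no password matched
        "injection_vulnerable": login_vulnerable(conn, "alice", SQL_PROBE) != [],
        "injection_fixed": login_fixed(conn, "alice", SQL_PROBE) != [],
    }
    store_comment(conn, "mallory", XSS_PROBE)
    # a live <script> element in the rendered page means the XSS is present
    results["xss_vulnerable"] = "<script>" in render_comments_vulnerable(conn)
    results["xss_fixed"] = "<script>" in render_comments_fixed(conn)
    return results


if __name__ == "__main__":
    for name, present in check().items():
        print("%-22s defect present: %s" % (name, present))
```

The same pair of checks is what a DAST scanner automates against the deployed container: it sends probe values into every parameter and inspects responses for SQL errors or reflected markup, which is why the dynamic stage sits after deployment in the pipeline table earlier in the talk.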

Demo

GitLab CI

Security Features

  • Container Scanning
  • Dependency Scanning
  • Static Application Security Testing
  • Dynamic Application Security Testing
    • OWASP ZAP
    • Kubernetes Deployment

Code checks

Container Scanning

Conclusion

  • Integration into build chain possible
  • Security insights for developers
    • Possible without security experts
  • Open Source tools can provide some security benefits
    • Commercial products might provide different results

Outlook

  • Increase security awareness inside developer community
  • Security and developer communities need to work together:
    • Shared goal: Better software
    • Shared language would help
  • CD Security is needed

Source: https://twitter.com/signalsciences/status/647533893617238016

Questions?

DevSecOps

By Kevin Wittek