A journey into DevSecOps - Scanning your source code as part of your CI pipeline

Brian Sodano
@codemouse

Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.

The real threats

One of the most problematic elements of cybersecurity is the quickly and constantly evolving nature of security risks. The traditional approach has been to focus most resources on the most crucial system components and protect against the biggest known threats, which necessitated leaving some less important system components undefended and some less dangerous risks not protected against. Such an approach is insufficient in the current environment.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638

CVE-2017-5638

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.

PyPI Package Squatting

Fake packages (correct names in parentheses):


acqusition (acquisition)
apidev-coop (apidev-coop_cms)
bzip (bz2file)
crypt (crypto)
django-server (django-server-guardian-api)
pwd (pwdhash)
setup-tools (setuptools)
telnet (telnetsrvlib)
urllib/urlib (urllib3)
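As an added example (not from the talk or its demo repository), this is the kind of manifest scan the "Manifest Scans" step can run on every commit: it parses a requirements.txt, flags any name from the squat list above, and also flags names within edit distance 2 of a constructed allowlist of packages the project legitimately uses (so "request" is flagged against "requests"). The allowlist, the sample requirements and the scan_requirements function are assumptions for this illustration.

```python
"""Added example: scan a requirements.txt for PyPI typosquats."""
import re

# Squatted names from the talk's list, mapped to the package they imitate.
KNOWN_SQUATS = {
    "acqusition": "acquisition", "apidev-coop": "apidev-coop_cms",
    "bzip": "bz2file", "crypt": "crypto",
    "django-server": "django-server-guardian-api", "pwd": "pwdhash",
    "setup-tools": "setuptools", "telnet": "telnetsrvlib",
    "urllib": "urllib3", "urlib": "urllib3",
}

# Constructed allowlist: packages this project is known to depend on.
ALLOWLIST = {"requests", "urllib3", "setuptools", "django", "cryptography"}

# Constructed sample manifest with two known squats and one near miss.
SAMPLE_REQUIREMENTS = "requests==2.31.0\nurlib\nCrypt>=1.0 # hashing\ndjango\n-r dev.txt\nrequest\n"


def normalize(name):
    """PEP 503 name normalization: lowercase, collapse runs of - _ . to -."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def scan_requirements(text):
    """Return (name, reason) pairs for each suspicious requirement line."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("-"):          # skip blanks and pip options
            continue
        name = normalize(re.split(r"[\[<>=!~;\s]", line, maxsplit=1)[0])
        if name in ALLOWLIST:
            continue
        if name in KNOWN_SQUATS:
            findings.append((name, "known squat of " + KNOWN_SQUATS[name]))
            continue
        near = sorted(p for p in ALLOWLIST if edit_distance(name, p) <= 2)
        if near:
            findings.append((name, "close to allowlisted " + ", ".join(near)))
    return findings


if __name__ == "__main__":
    for name, reason in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"FAIL {name}: {reason}")
```

A non-empty result should fail the pipeline stage; the distance threshold trades false positives on very short names for coverage, so tune it against your own allowlist.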

request lib

Another way to look at this for anyone who got hit by this: your environment is fully exposed to the worst kind of DoS attack vector — operational incompetence.

I am being harsh here for a reason because you got lucky today and some of you still consider this to be someone else’s fault. This change caused your application to fail instead of leak data, lose money, or cause irreversible harm. What I hope you have learned today is that ANYONE with publish rights to ANY module you depend on, directly or indirectly, can shut down your entire environment. That is at best fucking ridiculous and at worst criminally negligent.

Think about what you are admitting to have created — an environment where hundreds (if not thousands) of people have the power, maliciously or innocently, to put you out of business (if only for a short period of time), without any accountability or recourse. Maybe open source isn’t for you.

- Eran Hammer

Blame Game

1. Open Source Library Maintainers

2. Security Team

3. Management

4. Developers

DevSecOps

"Shifting Left"

Manifest Scans

Signature Scans

Code Quality Analysis

Caveats

Takeaways:

1. It's your code

2. Check it every commit

3. Educate

https://github.com/codemouse/devsecops-demo

@codemouse

codemouse.com

https://cybric.io

Thanks!
