DevSecOps
Integrating Security into your CI/CD Pipeline
- Software Engineer @ codecentric AG
- Consultant @ Styrascosoft GbR
- Trainer @ bee42
- Testcontainers Maintainer and Open Source Enthusiast
- Oracle Developer Champion & Groundbreaker Ambassador
- Organizer Software Craftsmanship Meetup Ruhr
Kevin Wittek @kiview
Classic Development Pipeline
Excursion: Pentesting
- Usually part of a quality gateway
- Often misplaced in the classical development process:
  - Too early => Nothing productive to test
  - Too late => Critical findings threaten the release date
- What is the motivation for a pentest?
Motivation
- Integrate security into fast DevOps cycles
- Find low hanging fruits by automated tools
- Use pentests for more complex issues
- Security awareness in developer context
Modern build pipeline
| Stage | Available Artifacts |
|---|---|
| Build | Source Code, Byte Code, Dependencies |
| Docker build | Container Image |
| Staging / Production | Container Image, Configured Environment |
Modern build pipeline
Dependency Check
Demo
Excursion: CVE, CPE, GAV
- CVE: Common Vulnerabilities and Exposures
- CPE: Common Platform Enumeration
- GAV: Maven Group:Artifact:Version
Excursion: CVE, CPE, GAV
<entry id="CVE-2012-5055">
  ...
  <vuln:vulnerable-software-list>
    <vuln:product>cpe:/a:vmware:springsource_spring_security:3.1.2</vuln:product>
    <vuln:product>cpe:/a:vmware:springsource_spring_security:2.0.4</vuln:product>
    <vuln:product>cpe:/a:vmware:springsource_spring_security:3.0.1</vuln:product>
  </vuln:vulnerable-software-list>
  ...
</entry>
cpe:/[Entry Type]:[Vendor]:[Product]:[Version]:[Revision]:…
<!-- org.springframework.security:spring-security-core:3.0.1.RELEASE -->
<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-core</artifactId>
  <version>3.0.1.RELEASE</version>
</dependency>
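As an added example (not from the talk), here is a small Python sketch of what a dependency checker does with these three identifiers: it parses the CPE URIs out of an NVD entry, normalizes the Maven version and matches the GAV against them. The sample entry is constructed after the one above, the vuln namespace URI is an assumption, and the token-matching heuristic is a deliberate simplification of the fuzzier evidence matching real scanners use.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample in the shape of the NVD feed entry quoted above; the
# vuln namespace URI is an assumption made for this example.
VULN_NS = "http://scap.nist.gov/schema/vulnerability/0.4"
NVD_ENTRY = f"""<entry xmlns:vuln="{VULN_NS}" id="CVE-2012-5055">
  <vuln:vulnerable-software-list>
    <vuln:product>cpe:/a:vmware:springsource_spring_security:3.1.2</vuln:product>
    <vuln:product>cpe:/a:vmware:springsource_spring_security:2.0.4</vuln:product>
    <vuln:product>cpe:/a:vmware:springsource_spring_security:3.0.1</vuln:product>
  </vuln:vulnerable-software-list>
</entry>"""
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")
GENERIC_TOKENS = {"core", "api", "impl", "lib", "org", "com", "net"}  # carry no identity

def parse_cpe(uri):
    """Split a CPE 2.2 URI (cpe:/[part]:[vendor]:[product]:[version]:...) into fields."""
    values = uri[len("cpe:/"):].split(":")
    values += [""] * (len(CPE_FIELDS) - len(values))  # pad omitted trailing fields
    return dict(zip(CPE_FIELDS, values))

def normalize_version(version):
    """Reduce a Maven version such as 3.0.1.RELEASE to its numeric core 3.0.1."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return m.group(0) if m else version

def tokens(text):
    """Lower-case identifier tokens, split on the separators Maven and CPE use."""
    return {t for t in re.split(r"[.\-_:]", text.lower()) if t}

def vulnerable_cpes(xml_text):
    """Yield (cve_id, parsed CPE) for every product the entry lists as vulnerable."""
    root = ET.fromstring(xml_text)
    for product in root.iter(f"{{{VULN_NS}}}product"):
        yield root.get("id"), parse_cpe(product.text.strip())

def match_gav(xml_text, group_id, artifact_id, version):
    """Return CVE ids whose CPE list covers group:artifact:version (simplified matching:
    non-generic artifactId tokens all in CPE vendor/product tokens, groupId shares a
    token, versions equal after normalization; real scanners match more fuzzily)."""
    artifact_ev = tokens(artifact_id) - GENERIC_TOKENS
    group_ev = tokens(group_id) - GENERIC_TOKENS
    wanted = normalize_version(version)
    hits = set()
    for cve_id, cpe in vulnerable_cpes(xml_text):
        cpe_tokens = tokens(cpe["vendor"]) | tokens(cpe["product"])
        if artifact_ev <= cpe_tokens and group_ev & cpe_tokens and cpe["version"] == wanted:
            hits.add(cve_id)
    return sorted(hits)
```

Running `match_gav(NVD_ENTRY, "org.springframework.security", "spring-security-core", "3.0.1.RELEASE")` reports the CVE, while a version not in the list yields nothing; the heuristic also shows why such matchers produce false positives and negatives when vendor or product names differ between the POM and the CPE dictionary.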
Static Code Analysis
https://www.veracode.com/
https://www.checkmarx.com/
https://www.microfocus.com/de-de/products/static-code-analysis-sast/overview
https://find-sec-bugs.github.io/
Demo
Image scanning
http://layeredinsight.com/
https://github.com/coreos/clair/
https://docs.docker.com/ee/dtr/user/manage-images/scan-images-for-vulnerabilities/
Dynamic Scanner
http://www.zaproxy.org/
https://portswigger.net/burp
ZAP + Docker/testcontainers
Excursion: OWASP Top 10
- A1:2017-Injection (SQLi, ...)
- A7:2017-Cross-Site Scripting (XSS)
  - Persistent XSS
  - (Reflected, DOM based, Mutation based)
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project
Demo
GitLab CI
Security Features
- Container Scanning
- Dependency Scanning
- Static Application Security Testing
- Dynamic Application Security Testing
  - OWASP ZAP
- Kubernetes Deployment
Code checks
Container Scanning
Conclusion
- Integration into build chain possible
- Security insights for developers
- Possible without security experts
- Open Source tools can provide some security benefits
- Commercial products might provide different results
Outlook
- Increase security awareness inside developer community
- Security and developer communities need to work together:
- Shared goal: Better software
- Shared language would help
- CD Security is needed
Source: https://twitter.com/signalsciences/status/647533893617238016
Questions?