DevSecOps implementation and related open source tools

DevSecOps is a way to automate the integration of security tools into DevOps processes. DevSecOps does more than just introduce new security tools, it also includes the necessary knowledge to use them. This will require an improvement in the DevOps culture, training and requiring employees to improve their skills. This allows them to collaborate more effectively, creating a “safety culture”. This multicultural, multidisciplinary, automated security environment enables everyone to focus on security, not just a single team, which is one of the main drivers of DevSecOps.

Pre-commit Hooks

Sensitive information such as AWS keys, access tokens, AND SSH keys can often be mistakenly leaked through public source repositories due to accidental Git commits. This can be avoided by using a pre-commit hook like “Talisman”, which checks for sensitive information in a file before committing or pushing an activity.

  • Talisman – https://github.com/thoughtworks/talisman
  • Crass – https://github.com/floyd-fuh/crass
  • Git Hooks – https://githooks.com/
  • Git Secrets – https://gitsecret.io/
  • The Pre – Commit – https://precommit.com/
  • Detect Secrets – https://github.com/Yelp/detect-secrets
  • Git Hound – https://github.com/ezekg/git-hound
  • Truffle Hog – https://github.com/dxa4481/truffleHog

Secrets Management

For automation, developers and administrators typically store credentials in configuration files, environment variables, and so on to access various services. Storing credentials in files or configurations can result in exposing credentials to unexpected users. This can be isolated by utilizing a secret management service such as the “Hashicorp Vault”. This allows credentials to be isolated at a separate level, and each environment can get the credentials from a particular environment and use them programmatically.

  • Hashicorp Vault – https://www.vaultproject.io/
  • Torus – https://www.torus.sh/
  • Keywhiz – https://square.github.io/keywhiz/
  • EnvKey – https://www.envkey.com/
  • Confidant – https://github.com/lyft/confidant
  • AWS Secrets Manager – https://aws.amazon.com/secrets-manager/

Software Composition Analysis

It is necessary to analyze all the dependencies used in the application and check them for any vulnerabilities caused by the lack of security patches. For Java and. Net applications, we can use a tool called “dependency checking”, which can be run before the build is created to determine if any vulnerable software is being used in the application. The number and severity of the vulnerabilities can determine whether to continue running the pipeline or fail to fix the vulnerabilities. Here are some tools that perform software portfolio analysis for security vulnerabilities:

  • OWASP Dependency Check – https://www.owasp.org/index.php/OWASP_Dependency_Check
  • SonaType (Free for Open Source) – https://ossindex.sonatype.org/
  • Snyk (Free for Open Source) — https://snyk.io/
  • Bunder Audit – https://github.com/rubysec/bundler-audit
  • Rubysec – https://rubysec.com/
  • Retire JS – https://github.com/RetireJS/retire.js

Static Analysis Security Testing

Cicdops, a continuously integrated wechat official account, uses automated tools to perform secure code reviews that can clean up many easily discovered vulnerabilities, such as SQL injection, cross-site scripting, deserialization vulnerabilities, and more. For Java-based applications, we can use a tool called “FindSecBugs” that does an in-depth analysis of the code (without giving too many false positives) and provides a comprehensive report on any identified vulnerabilities in the code. The number and severity of the vulnerabilities can be used to determine whether to continue running the pipeline or fix the vulnerabilities before they continue to operate. Below is a list of some open source tools available for SAST purposes.

Dynamic Analysis Security Testing

Web application scanner is an important part of vulnerability assessment for Web applications. Most of these scanners have API endpoints or CLI access that can be used to initiate a scan of the target application. One such tool is OWASP ZAP, which can be used to launch Web application security scans of applications in a QA/Staging environment to eliminate a number of security misconfigurations, such as leaking sensitive information in backup files, insecure HTTP headers, and so on.

  • OWASP ZAP – https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
  • Arachni Scanner – http://www.arachni-scanner.com/
  • Nikto – https://cirt.net/Nikto2

Security in Infrastructure as Code

Containerized solutions like Docker are popular when it comes to building infrastructure with a few simple lines of code. “Docker Hub” is a very popular public Docker repository from which Docker images can be pulled to the running container. There have been various examples of these Docker images with malware or riddled with various vulnerabilities as shown in the image below. Therefore, it is important to scan these Docker images extracted from the public repository.

One solution that gives good insight into the security of Docker containers/images is “Clair”. Clair scans the original Docker image and gives a detailed report highlighting vulnerabilities in the image. Therefore, it is important to run tools such as Clair on production Docker images before deploying them to the infrastructure. Other tools to consider at this stage of DevSecOps are:

  • Clair – https://github.com/coreos/clair
  • Anchore Engine – https://github.com/anchore/anchore-engine
  • Dagda – https://github.com/eliasgranderubio/dagda
  • The Open – Scap – https://www.open-scap.org/getting-started/
  • Docksan – https://github.com/kost/dockscan

Vulnerability Assessment (VA)

The usual practice of cicdOPS, the continuous integration wechat official account, is to perform vulnerability assessments on production systems to identify the various services running in the environment and related vulnerabilities. When a VA tool is pointed at a server created using Docker, it will only perform scans on services exposed on that host. However, if we attach the tool to the Docker network and then perform the scan, then it will give us a good image of the service actually running. This can be achieved using various solutions, such as OpenVAS, which can be easily integrated into the pipeline.

  • OpenVAS – http://openvas.org/
  • DockScan – https://github.com/kost/dockscan

Compliance As Code

Organizations need to apply compliance controls to their IT infrastructure to comply with industry best practices and various regulations, such as PCI DSS, HIPAA, SOX, and more. In DevOps, with “infrastructure as code”, the production environment is never retained, it is always taken down and recreated, so it is essential to test the updated/newly created environment after installation. “Inspec” is one such tool that helps us execute these tests because we only need to provide a Ruby file that contains the tests executed in a very simple and clean way that is easy for every audit professional to write and write code for.

  • Inspec – https://www.inspec.io/
  • Serverspec – https://serverspec.org/
  • DevSec Hardening Framework – https://dev-sec.io/
  • Kitchen CI – https://kitchen.ci/

Vulnerability Management

The tools we use to create the DevSecOps pipeline create a number of bugs, and each tool has its own independent format. It becomes very difficult to manage this data, let alone track and fix these vulnerabilities. Vulnerability management solutions are therefore central to the DevSecOps process, and all tools need to pool their data into these solutions for centralized management, sorting, tracking, and remediation. “ArcherySec” is one such tool, not only does it integrate well with most of the tools mentioned above, but we can also start Zap and OpenVAS scans with ArcherySec.

Other tools for vulnerability management are

  • ArcherySec – https://github.com/archerysec/archerysec
  • DefectDojo – https://www.defectdojo.org/
  • JackHammer – https://github.com/olacabs/jackhammer

Alerting and Monitoring

Production applications are always facing new threats from unknown and unforeseen sources. This can be mitigated by an aggressive intrusion monitoring and prevention solution. One such open source solution is ModSecurity WAF(Web Application Firewall), which detects the top ten vulnerabilities of OWASP, such as SQL injection, cross-site scripting, etc.

  • ModSecurity WAF – https://modsecurity.org/

So far, we’ve learned the technical knowledge of how DevSecOps works in an environment, but having the tools and techniques is not enough. DevSecOps requires a cultural change that promotes a “default security” culture. This can be done by creating security champions within each domain, increasing collaboration with security teams, and so on. Finally, DevSecOps is important to your DevOps model because it is the only way to handle “large-scale security.”

Thanks, Claranet has provided a full day seminar for developers on DevSecOps and AppSec, giving attendees a comprehensive overview of DevSecOps practices. If you would like to attend a workshop, or would like us to help you implement security in your existing DevOps pipeline by providing you with a customized solution, please contact us.

The original link: https://www.notsosecure.com/achieving-devsecops-with-open-source-tools/