O slideshow foi denunciado.
Seu SlideShare está sendo baixado. ×

Secure DevOPS Implementation Guidance

Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Carregando em…3
×

Confira estes a seguir

1 de 26 Anúncio

Secure DevOPS Implementation Guidance

Baixar para ler offline

Awareness and Guide to a Practical Implementation.
Discover how to automate security testing, and ensure every bit of code is scanned before it leaves the developer’s hands
https://bsidesdc2018.busyconf.com/schedule#day_5acff470ec4a15f24e000036

Awareness and Guide to a Practical Implementation.
Discover how to automate security testing, and ensure every bit of code is scanned before it leaves the developer’s hands
https://bsidesdc2018.busyconf.com/schedule#day_5acff470ec4a15f24e000036

Anúncio
Anúncio

Mais Conteúdo rRelacionado

Diapositivos para si (20)

Semelhante a Secure DevOPS Implementation Guidance (20)

Anúncio

Mais recentes (20)

Secure DevOPS Implementation Guidance

  1. 1. Secure DevOps Awareness & a Guide to Practical Implementation BSides 2018 01 June 30, 2019 Merlin International, Inc.
  2. 2. Merlin International June 30, 2019 2 Tej Luthra VP Engineering CyberSecurity and Security Analytics At Merlin International, Tej Luthra is building and leading a development team responsible for the integration of existing technologies and the development of new solutions that address organizations’ most pressing cybersecurity challenges. Devesh Arora Dir. Engineering Software Development & Web Services At Merlin International, Devesh Arora is leading a team responsible for development of front-end & microservices along with the secure DevOps strategy and implementation.
  3. 3. June 30, 2019 3 Agenda
  4. 4. Opportunity June 30, 2019 4 Secure DevOps Continuous Information Assurance Cloud native and rapid adoption of cloud platforms Use of CI/CD - Continuous Integration/Continuous Deployment Deliver secure code by integrating security practices into the pipeline Benefits Protect your systems, data and business Reputation, brand, profits Reduce Risk Customer Confidence Reduce Costs By 2019 only 10% of DevOps initiatives will have achieved the level of security automation required to be considered fully DevSecOps, up from less than 5% in 2017. By 2019, more than 70% of enterprise DevSecOps initiatives will have incorporated automated security vulnerability and configuration scanning for open-source components and commercial packages, up from less than 10% in 2016. By 2021, DevSecOps practices will be embedded in 80% of rapid development teams, up from 15% in 2017.Opportunity January 16, 2019 4 Secure DevOps Continuous Information Assurance Cloud native and rapid adoption of cloud platforms Use of CI/CD - Continuous Integration/Continuous Deployment Deliver secure code by integrating security practices into the pipeline Benefits Protect your systems, data and business Reputation, brand, profits Reduce Risk Customer Confidence Reduce Costs By 2019 only 10% of DevOps initiatives will have achieved the level of security automation required to be considered fully DevSecOps, up from less than 5% in 2017. By 2019, more than 70% of enterprise DevSecOps initiatives will have incorporated automated security vulnerability and configuration scanning for open-source components and commercial packages, up from less than 10% in 2016. By 2021, DevSecOps practices will be embedded in 80% of rapid development teams, up from 15% in 2017.
  5. 5. What is DevOPS June 30, 2019 5 Secure DevOps DevOps is agile on steroids As a methodology to build software fast Accelerates the velocity with which products are deployed to customers DevOps begins with all things continuous • Continuous Integration (CI) is the principle that code changes are checked into the source code repository in small batches • Continuous delivery and deployment are principles for how the results of testing are reviewed, and system automatically makes decision as to what to do with the build • Continuous Testing, Quality, Security, Governance, and so on …
  6. 6. Why DevOPS June 30, 2019 6 Secure DevOps Businesses need to accelerate the delivery of applications Focuses on quickly moving new features out to the customers Give Dev teams capability to deploy quickly and continuously … and the responsibility to support code in production Tear down the traditional silos of IT, namely between development and operations Puppet Labs 200x increase in speed from code commit to deploy 30x more frequent deployments 60% fewer production failures Bank of America 6x reduction in production defects Ticket Master Reduced Mean Time to Repair by 90% Source: https://www.slideshare.net/AndersLundsgrd/the-devops-journey-in-an-enterprise-scania-swisscom-software-day-2016
  7. 7. The Ying and the Yang June 30, 2019 7 Secure DevOps Challenges organizations face • Adoption of DevOps practices introduces complications • Auditing standardized security controls • Constantly changing assets with CD • Segregation of duties • Tracking cloud assets, extreme virtualization • DHCP logging or NAC/802,1x • Especially when controlled by 3rd party And there are opportunities • Focus on fast deployment, continual improvement, and automation • Naturally forces collaboration with teams • Avoids last-minute manual audits • Continuously TVM Shift Left • Security teams engaged early • Design, Deploy, Security Reviews • Ability to influence future heartburns • Deploy small changes • With reduced risk • Enforces standardized configurations • Logging, alerting and security metrics
  8. 8. The full end-to-end product lifecycle June 30, 2019 8 Secure DevOps
  9. 9. Build & Unit Tests Containerize Package Code Commit Code quality Scan Continuous Integration Frequent Code Check-ins Focus on Code Quality Automated Tests Find & Fix Bugs/Issues Soon Continuous Integration Secure DevOps June 30, 2019
  10. 10. Build & Unit Tests Container Package Code Commit Code quality Scan Continuous Integration git Artifact Repository Tests Functional | Integration | Performance | UAT | Smoke D e p l o y m e n t Test Staging Prod C o d e P r o m o t i o n Manual Continuous Delivery Release Management Logging & Monitoring Secure DevOps June 30, 2019
  11. 11. Build & Unit Tests Container Package Code Commit Code quality Scan Continuous Integration git Artifact Repository Tests Functional | Integration | Performance | UAT | Smoke D e p l o y m e n t Test Staging Prod A u t o m a t e d C o d e P r o m o t i o n Continuous Deployment Release Management Logging & Monitoring Secure DevOps June 30, 2019
  12. 12. Route to Secure DevOPS 6/30/2019 12 Secure DevOps Why • Criminals & hackers focus on weakness • A part of your security strategy • Constantly Evaluate Business Risks • Federal, State, Local, Regulatory Challenges • Believed too costly • Split between Functionality and Speed • Private / Behind a firewall • Find and Fix • Tools and Resources Considerations • Risk Assessments • Policy – Procedures – Processes • Regulatory – PCI, HIPAA, FISMA • Physical Infrastructure • Methodology • Data Strategy • Threat Modeling • Testing Source: https://www.cisecurity.org/webinar/foundations-of-an-application-security-program/
  13. 13. Security lifecycle in DevOPS June 30, 2019 14 Common action items including static & dynamic code analysis, vulnerability scanning, anti- virus scans, and other similar integrity functions The results from the security scans are provided to project management and the Chief Information Security Officer (CISO) within the organization Secure DevOps NIST 800-115: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf
  14. 14. Common Requirements June 30, 2019 15 Access Control Audit and Accountability Configuration Management Identification and Authentication Incident Response Maintenance Media Protection Personnel Security Physical Protection Security Assessment System & Comm. Protection System & Information Integrity Secure DevOps
  15. 15. Guidance June 30, 2019 16 Secure DevOps Refine information security objectives for adoption Integrate continuous security assurance seamlessly into CI/CD toolchain Perfect security is impossible. Zero risk is impossible The entire DevOps life cycle needs to be secured Address Risk with continuous run time assessment, augment with existing cybersecurity framework
  16. 16. June 30, 2019 17 Secure DevOps Identify known vulnerabilities Use of reusable libraries and frameworks The amount of custom code is reducing considerably Open-source software (OSS) presents a unique challenge
  17. 17. Secure Configurations for HW & SW June 30, 2019 18 Known vulnerabilities Use custom hardened system images Center for Internet Security (CIS) CICD Tools simplify process of rolling out Secure DevOps
  18. 18. Automated Deployment of Infrastructure and Software June 30, 2019 19 Use blue-green deployment scenario Same principles apply to “infrastructure as code” Early adopter scenarios Secure DevOps
  19. 19. Continuous Vulnerability Assessment and Remediation June 30, 2019 20 Secure DevOps Keep up with new Vulnerabilities Reuse of Automation Framework AB Testing and Blue Green Deployment Scanning during Development 37 Vulnerabilities Return time 15 ms # errros/1000: 300 Visits / user 50 2 Vulnerabil ities Return time 25 ms # errros/1000 : 100 Visits / user 150 Patch Set A: Patch Set B:
  20. 20. Application Software Security June 30, 2019 21 Vulnerabilities found in 98% of apps Security assessments CICD Tools Advantages Run Additional Test in Staging in parallel Secure DevOps Trustwave Global Security Report
  21. 21. Controlled Use of Administrative Privileges June 30, 2019 22 The DevOps model Controlling administrative credentials becomes even more important In an “infrastructure as code” environment, the code itself acts as a privileged user Other systems provide ways to manage their own secrets Lack more advanced features Secure DevOps
  22. 22. OWASP Top 10 Project Guidelines June 30, 2019 23 Secure DevOps •Threat modeling scenarios SQL injection Cross-site scripting Cross-site request forgery Broken authentication and session management Unsecure direct object references Security misconfiguration Foundational security hygiene Embedded keys or credentials in the application System patching Target high value assets
  23. 23. Tooling that can help June 30, 2019 24 Identify actual and potential coding issues, including those identified in OWASP YASCA, HP Fortify, IBM AppScan, VisualCodeGrepper, Nessus, OpenSCAP, Black Duck, SonarQube …. Secure DevOps BlackDuck • scans and manages opensource software • supports mixed LDAP/DB auth, • good UI LAPSE • OWASP Security Scanner • Java EE Nessus • system vulnerabilities • missing patches • non- compliant system configurations OpenScap • utilizes XCCDF • system configurations for the operating system against an established checklist profile ClamAV • antivirus scanner for Linux operating systems Windows Defender • antivirus scanner for Windows operating systems Note: This is not an endorsement of any tools. The reader is encouraged to evaluate each tool independently.
  24. 24. Recommendations June 30, 2019 25 Adopt an immutable Infrastructure Mindset Integrate security and compliance testing seamlessly into DevSecOps Scan for and remove known vulnerabilities and misconfigurations Scale your information security team into DevOps Treat all automation scripts, templates, images and blueprints with the same level of assurance Train individuals and establish good communication Identify and report on Business Risks Create a culture of Security, incorporate Static and Dynamic Testing Secure DevOps
  25. 25. Conclusion June 30, 2019 26 Security is not an afterthought Integrating security into DevOps requires changing mindsets Information security must adapt to development processes and tools Regulated environment, DevOPS needs to evolve quickly Host of new security tools adapted for DevOps environments There is need for Best Practices Secure DevOps
  26. 26. Thank You tluthra@merlin-intl.com darora@merlin-intl.com

Notas do Editor

  • Ensuring the confidentiality, integrity and availability of digital assets in the cloud
  • DevOPS practices presents a unique opportunity to deliver more secure code by integrating security practices into the pipeline.
    There is a wide variety of open source and commercial tools that allow the creation Secure DevOps pipelines that assist with the security and information assurance function.
    By integrating the performance of security testing and scanning as part of the build and deploy process, Secure DevOps allows the ability to deliver Continuous Information Assurance

    In the past 12 months at Gartner, how to securely integrate security into DevOps — delivering DevSecOps — has been one of the fastest-growing areas of interest of clients, with more than 600 inquiries across multiple Gartner analysts in that time frame. From conversations with clients and by analyzing successful DevSecOps initiatives, we have seen what works, what doesn't and which approaches have the most success.
  • While DevOps may be overhyped, oversold, and oversubscribed right now, those who approach it as a journey, not a destination, are finding incredible business value.
    You’ve heard all the reasons why DevOps won’t work: issues with compliance, ITIL, security, production availability, architectural complexity, and so on.
    But the benefits it can deliver—faster delivery, quality, and security—are within reach. The question is, How do you start the move from silos to streamlined development pipelines?

    Application Packaging ensures that you have a trusted handoff between development teams and operations teams.  Developers can focus on what they do best, developing and maintaining their software. Operations can focus on what they do best, enforcing security and improving application deployment and management through orchestration and automation.  The Application Package ensures that you have a versionable, maintainable asset at the center of the process. Application Packaging is Application-Centric DevOps.

    Continuous Integration/Continuous Deployment (CI/CD)
    reducing the time and effort it takes to test and deploy code into production
    rapid automation enabled by cloud platforms and cloud native technologies
    Don’t forget Continuous [ Testing (CT), Quality (CQ), Delivery (CDe), Security (CS)]
    Secure DevOPS
    help address the needs of regulation and compliance
    integration of security scans and reviews as part of the CICD process
  • Businesses need to accelerate the delivery of applications
    Focuses on quickly moving new features out to the customers
    Not about specific tools, but improves adoption
    Bringing teams together, agile on steroids
    Organized not from a project delivery standpoint, but have a more product delivery focus
    Give Dev teams capability to deploy and the responsibility to support code in production
    Tear down the traditional silos of IT, namely between development and operations
    Aims at removing bottlenecks, conflicts, and risk from the lifecycle between business decision and customer outcome
    The 2015 Puppet Labs State of DevOps Report shows organizations achieving
    200x increase in speed from code commit to deploy
    30x more frequent deployments
    60% fewer production failures
    Bank of America cites
    6x reduction in production defects
    Ticketmaster
    Reduced their Mean Time to Repair by 90%

    Businesses are looking to accelerate the delivery of production quality software with fewer defects, and better security. Continuous Integration/Continuous Deployment (CI/CD) also known as DevOps is a rapidly maturing practice for reducing the time and effort it takes to test and deploy code into production. The rapid automation of the integration and deployment activities is common especially on cloud-based platforms. Adding security testing into the DevOps pipeline can help address the needs of regulated, compliance and public sector focused organizations. This white paper describes the use of open source technologies and commercial packages to design and deploy a Secure DevOps pipeline. Tools such as Yasca, SonarQube, and OpenSCAP amongst others when integrated with vulnerability scanners such as Tenable Nessus, HP Fortify and others provide a robust SecDevOps implementation.

    Since the first DevOps Days conference was held in 2009, adoption of DevOps strategies has been growing rapidly, with 25% of global IT companies predicted to have moved towards DevOps by 2016 (Gartner, 2015). The very definition of DevOps is still evolving, but most agree it encompasses a set of cultural values in addition to the tools and practices that enable continuous delivery (Loukides, 2015). Continuous delivery provides a competitive advantage to software companies (Humble, 2014) by lowering the risk and cost associated with releases. It also enables near-immediate feedback on new features; practicing continuous delivery requires collaboration and empathy amongst the teams involved in the delivery process (Fowler, 2013).

    Configuration management systems automate the provisioning of new systems, enforcing consistent application installation, system and application configuration across classes of servers. The configuration information lives in a source code repository, and systems such as Chef, Puppet, Salt, or Ansible allow developers to treat the configuration of the servers that will run application software as code. This “infrastructure as code” can itself be versioned and tested, providing assurances that identical configurations will be in place everywhere, and improving the odds that software that tested fine in the staging system will be fine in production as well (Riley, 2014). Finally, an automated system for reliably moving software through the build -> deploy -> test -> release process is the key component (Humble & Farley, 2010) in any DevOps system. Continuous integration tools such as Jenkins make a formerly slow and error-prone task easy and repeatable, enabling the deployment of small changes and giving fast feedback about how the code operates and what customers think about new features.

    DevOps is becoming the preferred approach for the rapid development and continuous delivery of these new IT-enabled capabilities. Implemented correctly, DevOps offers IT organizations improved speed of development by embracing a collaborative philosophy that tears down traditional silos of development and operations. However, in most cases, security and compliance have been afterthoughts to DevOps.
  • Challenges organizations face
    Adoption of DevOps practices introduces complications
    Implementing and auditing standardized security controls
    Presenting issues such as constantly changing assets, continuous deployment
    Breakdown in traditional segregation of duties
    Tracking cloud assets, extreme virtualization
    DHCP logging or NAC/802,1x
    Especially when controlled by 3rd party

    And there are opportunities
    Focus on fast deployment, continual improvement, and automation
    Naturally forces collaboration with security teams
    Avoid last-minute manual audits and reviews
    Review various threats & vulnerabilities continuously
    Shift Left
    Security teams engaged early in the design process to ensure ability to deploy continuously and securely
    Reduces risk by deploying small changes rather than large complex ones
    Enforces standardized configurations for logging, alerting and security metrics
  • Create the supporting CI pipeline to ensure that the necessary resources are in place before development begins. Include stakeholders from all the engineering disciplines such as development, test, data management, I&O and security as you develop each CI pipeline.
    Build a CI pipeline by specifying the desired outcomes to be achieved and the required artifacts to be generated. Assess and document current build processes and infrastructure. Periodically revisit these two steps to ensure that the CI pipeline continues to deliver the necessary results.
    Establish baseline metrics — such as frequency and execution time of application builds, build and deployment failures, and repeated errors — before integrating each application. Gather and monitor these metrics to evaluate the success of each change, and adapt when changes to the process don't deliver the expected benefits.
    Choose an application with established (but not yet automated) build and deployment processes as your pilot. As the process matures, review the application portfolio and expand the use of CI to applications that will benefit the most.
  • Begin each software development project by first creating the supporting CI pipeline to ensure that the necessary resources are in place before development begins.
    Begin the process of building your CI pipeline by specifying the desired outcomes to be achieved and the required artifacts to be generated. Next, assess and document your current build process and infrastructure. Use the first two steps to redesign your process to ensure that the CI pipeline delivers the necessary results.
    Establish baseline metrics — such as frequency and execution time of application builds, build and deployment failures, and repeated errors — before integrating each application, and monitor those metrics throughout the application life cycle. Use the baseline metrics to evaluate the success of each change, and adapt when changes to the process don't deliver the expected benefits.
    Choose an application with established (but not yet automated) build and deployment processes as your pilot. As the process matures, expand the process to other applications that are supported by your development organization.

  • Why
    Criminals & hackers focus on weakness
    Leads to breaches
    A part of your security strategy
    Constantly Evaluate Business Risks
    Federal, State, Local, Regulatory
    Challenges
    Believed too costly
    Split between Functionality and Speed
    Private / Behind a firewall
    Find and Fix
    Tools and Resources
    Considerations
    Risk Assessments
    Policy – Procedures – Processes
    Regulatory – PCI, HIPAA, FISMA
    Physical Infrastructure
    Methodology
    Data Strategy
    Mapping, Collection, Storage, Cleaning
    Decommissioning and Retention
    Threat Modeling
    Testing


  • Challenges
    audit of a security program
    relative immaturity and lack of corporate backing
    Tools new to the market or are open-sourced
    reliance on IaaS and PaaS reduces control and visibility at the hardware and network layer
    the flexibility of Cloud providers to quickly scale up and down
    Make them attractive in DevOps environments

    The CI/CD or DevOps Security lifecycle begins with code development and integration. As the code is
    committed for deployment, the CI/CD security processes are activated. Common action items
    including static code analysis, vulnerability scanning, anti-virus scans and other similar integrity
    functions. The results from the security scans are provided to project management and the Chief
    Information Security Officer (CISO) within the organization.

    In order to comply with NIST requirements for applying secure engineering principles, application developers should utilize code analysis utilities to ensure safe coding practices are followed. Project teams should leverage code analysis utilities as early as possible in the development lifecycle.
    the project will experience fewer delays and incidents of rework due to flaws and other security concerns
    At a minimum, code analysis should be performed as code modules are completed, but it is not necessary for modules to be completely finished for code review to be useful.

    Commit Code to CI/CD
    s application code is committed to the CI/CD branch in the git repository CI/CD performs a security review utilizing automated static code analysis tools.

  • Compliant Architecture
    Identify compliance & requirements first
    Select eligible services through trusted sources and suppliers
    Create cloud-native solution architecture

    Continuous Monitoring and Management
    Implement tools for governance, security and cloud operations
    Define processes and assign roles
    Define artifacts and operate against SLA’s

    Accreditations and Authorization
    Document system security plan
    Create security backlog in plan of actions and milestones
    Incident response plan
  • Refine information security objectives for adoption
    Integrate continuous security assurance seamlessly into CI/CD toolchain
    Perfect security is impossible. Zero risk is impossible
    Bring continuous risk- and trust- based assessment
    Bring prioritization of application vulnerabilities
    The entire DevOps life cycle needs to be secured
    Including when new services are deployed into runtime operation
    Address Risk with continuous run time assessment, augment with
    Network- and host-based intrusion prevention systems (IPS)
    Web application firewalls (WAF) for protection against known vulnerabilities
    Runtime application self-protection
    Application monitoring and protection
    Botnet mitigation
    In-depth defense at the application layer
  • Use of reusable libraries and frameworks
    This leads to a shift in focus for security scanning
    Majority risk can be addressed by identifying known vulnerabilities & misconfiguration
    Vulnerability assessment vendors are adapting their scanning capabilities
    Some toolchain element vendors like Docker are integrating this capability
    The importance of this best practice cannot be understated
    Breach at Equifax may have had a root cause of a known vulnerability issue in Apache Struts, as stated by Equifax. Likewise OpenSSL's Heartbleed
    Open-source software (OSS) presents a unique challenge
    The developer may simply cut and paste source code

  • Once hardened configurations for operating systems and application components are developed, DevOps deployment tools and configuration management services like Puppet, Chef, Ansible and Salt greatly simplify the process of rolling these out to all systems and keeping the configurations in sync over time
    Docker and other container technologies are increasingly popular methods for deploying applications in DevOps environments, due to advantages in portability, efficiency in resource sharing and speed of deployment
    Docker also offers some security advantages, in the form of increased isolation of applications, particularly in multiWtenant environments
    Docker images, however, cannot be patched and updated or have running configuration changed on the fly; updated software or secure configuration must be baked in as part of the image build and new containers Deployed leading to situations where multiple container versions of varying security may be running
    https://www.cisecurity.org/benchmark/docker/
  • Use blue-green deployment scenario
    Test and cutover with no downtime
    Subset of traffic may move to the green deployment
    Once traffic is fully cut over, the blue deployment gets decommissioned, or rollback
    Same principles apply to “infrastructure as code”
    Early adopter scenarios
    Used to turn new features on for particular sets of users
    Allow analysis of system or user behavior
  • Continuous Vulnerability Assessment and Remediation
    Challenge: Keeping up with relentless pace of newlyWannounced vulnerabilities
    however, the focus on automation, testing, and continuous monitoring in DevOps environments can be advantageous; the same systems that allow automated deployments of new application code via thorough unit and functional testing provide a strong foundation for testing new patches
    Deployment strategies for BlueWGreen deployments and AWB testing allow gradual rollout and immediate feedback regarding issues and changes in system behavior
    Security scans that happen as part of the deployment process provide verification that updates address known issues and reach all intended targets
  • Trustwave Global Security Report
    Vulnerabilities were found in 98% of the applications scanned
    Data leakage, cross-site scripting, SQL injection and authorization, among others
    Security assessments - PenTesting
    CICD Tools Advantages
    Jenkins, Hudson and similar tools provide easy support via plugins
    Code review and for running static analysis as part of the pipeline
    These acceptance tests should be designed to complete quickly and can be run before new code is even deployed to the integration/staging environment
    Further security testing, such as tests of security related functionality, vulnerability scanning, and application security scans can then be run in parallel to other acceptance testing within the staging environment
  • In the DevOps model everyone has the potential to administer systems and debug production issues, controlling administrative credentials becomes even more important
    In a continuous deployment, “infrastructure as code” environment, the code itself acts as a privileged user
    These credential “secrets” must be used by the orchestration systems
    Secrets Management systems aim to role based access control and auditability to the DevOps system
    Configuration management systems like Chef and Puppet provide their own solutions for protecting secrets stored within the infrastructure code using public key encryption
    Kack more advanced features such as role based controlled access to the secrets, or full featured support for rotating passwords and SSH keys
    Secrets management systems like Hashicorp’s Vault and Conjur’s SSH Management solution provide methods to automatically provision temporary access via one-time passwords or SSH keys and to enable SSH key rotation for service accounts.
  • When code has been committed to the CI/CD Git repository the associated Jenkins job builds the code base. The Jenkins build invokes a Yasca scan of the committed code, which creates a Yasca report in HTML format as well as CSV format. The Yasca results CSV file is further processed and formatted into an xml document. After the Yasca file is processed, Sonar Scanner is invoked to analyze the created XML file using custom rules to map the Yasca results into the SonarQube dashboard.

    The OWASP Top 10 Project and similar publicly available guidelines are a great start.3 The training should include:
    How to build and maintain simple threat modeling scenarios (thinking like a bad guy) Input whitelisting, filtering and sanitization for user input and files
    SQL injection Cross-site scripting Cross-site request forgery
    Broken authentication and session management
    Unsecure direct object references
    Security misconfiguration
    Foundational security hygiene
    Why not to embed keys or credentials in the application code or scripts
    The importance of patching
    How and why hackers will target admins for credential theft and how to avoid this

    Plugins
    Grep Plugin. Uses external GREPfiles to scan target files for simple patterns.
    PMD Plugin. Uses PMD to parse and scan Java (and JSP) source code for issues.
    JLint Plugin. Uses J-Lint to scan Java .class files for issues.
    antiC Plugin. Uses antiC to scan Java and C/C++ source code for issues.
    FindBugs Plugin. Uses FIndBugs to scan Java class and Jar files for issues.
    Lint4J Plugin. Uses Lint4J to scan Java .class files for issues.



    Yasca plugins implement five (5) severity levels:
    1 – Critical, 2–High, 3 – Warning, 4–Low, 5 – Informational
    SonarQube implements five (5) severity levels:
    • Blocker • Critical • Major • Minor • Info
  • https://www.checkmarx.com/2014/11/13/the-ultimate-list-of-open-source-static-code-analysis-security-tools/
    When code has been committed to the CI/CD Git repository the associated Jenkins job builds the code base. The Jenkins build invokes a Yasca scan of the committed code, which creates a Yasca report in HTML format as well as CSV format. The Yasca results CSV file is further processed and formatted into an xml document. After the Yasca file is processed, Sonar Scanner is invoked to analyze the created XML file using custom rules to map the Yasca results into the SonarQube dashboard.

    The OWASP Top 10 Project and similar publicly available guidelines are a great start.3 The training should include:
    How to build and maintain simple threat modeling scenarios (thinking like a bad guy) Input whitelisting, filtering and sanitization for user input and files
    SQL injection Cross-site scripting Cross-site request forgery
    Injection
    Broken authentication and session management
    Unsecure direct object references
    Security misconfiguration
    Foundational security hygiene
    Why not to embed keys or credentials in the application code or scripts
    The importance of patching
    How and why hackers will target admins for credential theft and how to avoid this

    Plugins
    Grep Plugin. Uses external GREPfiles to scan target files for simple patterns.
    PMD Plugin. Uses PMD to parse and scan Java (and JSP) source code for issues.
    JLint Plugin. Uses J-Lint to scan Java .class files for issues.
    antiC Plugin. Uses antiC to scan Java and C/C++ source code for issues.
    FindBugs Plugin. Uses FIndBugs to scan Java class and Jar files for issues.
    Lint4J Plugin. Uses Lint4J to scan Java .class files for issues.



    Yasca plugins implement five (5) severity levels:
    1 – Critical, 2–High, 3 – Warning, 4–Low, 5 – Informational
    SonarQube implements five (5) severity levels:
    • Blocker • Critical • Major • Minor • Info
  • Adapt Your Security Testing Tools and Processes to the Developers, Not the Other Way Around
    Quit Trying to Eliminate All Vulnerabilities During Development
    Focus First on Identifying and Removing the Known Critical Vulnerabilities
    Don't Expect to Use Traditional DAST/SAST Without Changes
    Train All Developers on the Basics of Secure Coding, but Don't Expect Them to Become Security Experts
    Adopt a Security Champion Model and Implement a Simple Security Requirements Gathering Tool
    Eliminate the Use of Known Vulnerable Components at the Source
    Secure and Apply Operational Discipline to Automation Scripts
    Implement Strong Version Control on All Code and Components
    Adopt an Immutable Infrastructure Mindset

    Integrate security and compliance testing seamlessly into DevSecOps so that developers never have to leave their continuous integration or continuous deployment toolchain environment.
    Scan for known vulnerabilities and misconfigurations in all open-source and third-party components. Ideally, build out a complete bill of materials using software composition analysis.
    Trying to remove all unknown vulnerabilities in custom code, which increases false positives
    Scale your information security team into DevOps by using a security champion model.
    Treat all automation scripts, templates, images and blueprints with the same level of assurance that you would treat any source code.

  • Integrating security into DevOps to deliver "DevSecOps" requires changing mindsets, processes and technology
    Security and risk management leaders must adhere to the collaborative, agile nature of DevOps to be seamless and transparent in the development process, making the Sec in DevSecOps silent.
    If adopting a DevOPS framework, Information security must adapt to development processes and tools, not the other way around. But it doesn’t mean
    Organizations producing new applications and services using DevOps have the same responsibility to produce secure and compliant code as required by any other application.
    The success of the DevOps movement means that DevOps practices are being adopted by diverse organizations, from small startups to Fortune 500 companies. As the movement matures, security is no longer an afterthought and consensus is building about the right ways to integrate security best practices into the DevOps cultural and technical evolution.
    explosion in the numbers of tools available to help secure DevOps environments, from repository firewalls (Weeks, 2015) to new application scanners and security functional test infrastructures (DeVries, 2015), to new SSH Management solutions and the ability to scan Docker containers (Doran, 2015).
    DevOps philosophy and the typical microservices architecture is the freedom to choose the tools that are best for a particular culture and environment
    In a regulated environment, DevOps teams will need to involve security early in the process to ensure a smooth deployment for new features
    the opportunity for greater collaboration with security teams can only be a positive Step
    The glut of new security tools adapted for DevOps environments has the ability to provide new levels of visibility and automation for implementing security controls.
    Such new tools may not be fully mature, however, and may have flaws or lack features present in more established products. There is also a lack of precedent when it comes to using such tools for audit against security standards. As the shift towards DevOps continues, we can expect increased maturity for DevOps security tools and best practices that should make implementation of these important controls easier in the future.
    from a security perspective, this mindset can be advanced and has the potential to radically improve security by proactively "killing" workloads and replacing them with versions from a known good state

×