Best practices and Tools to master DevSecOps. What is DevSecOps? DevSecOps stands for Development, Security, and Operations. In the most basic meaning, it’s defined as an approach that in the SDLC (Software Development Life Cycle). promotes security The primary goal is shift-to-left the responsibility. Security tools are integrated in the development cycle, usually in , to let Devs find as early as possible, and fix them before reaching environments. early CI/CD pipelines vulnerabilities production I’m gonna explain what is , and which are the best practices to add security in the pipelines. Finally, I’ll show you some of the best open-source tools that you can use to automate and . DevSecOps vulnerability finding compliance checks DevSecOps vs DevOps DevOps add a lot of value to the company, increasing and , and it helps Devs to deploy faster, more often, and less risky. agility flexibility Thanks to DevOps culture, DevSecOps Engineers can achieve the same level of agility and automation, integrating Security controls and tools, inside the CI/CD pipelines, helping the company to find vulnerabilities faster and earlier. The are obvious, production systems will be more , and it also implies because it’s harder to fix production issues when they are found late. Usually, it involves a lot of work with multiple teams to fix them, and the Engineer’s time costs money to the company because they can use that time to develop new features instead of fixing vulns. benefits for the company secure fewer expenses Some time ago, when DevOps Engineers used to be SysAdmins, and Security was a police department inside the company, Security used to be . Vulnerabilities were found and fixed usually with scanners in the live servers, or with pentesting. Today we continue doing that, but most security issues don’t see production, thanks to automated controls in the entire SDLC. reactive instead of proactive Nowadays, Security is a to the entire organization, and the term is another fancy word, to emphasize the in the Software Lifecycle. shared responsibility DevSecOps importance of Security Shift-to-left Maybe you heard it, maybe not, let me explain what it means. Shifting security controls to left means putting the security tools more left in the pipelines, and by consequence, in the development process. The more left it’s, the better because remediation is easier and it’s done before reaching production. Let’s see an example: If you’re using your favorite IDE (My own is VS Code), and before you commit the changes an automated scan alerts you about an SQL injection you’re introducing in the project, it’d be for you to fix it because you’re with that piece of code right now. As a Dev, I don’t remember anything after I go to the bed and close my eyes, so if a security tool alerts me about a vulnerability when I’m coding, it’s really easy for me to change the code to avoid it. easy DevSecOps Best Practices : Automation is the key to successfully leveraging security in the pipelines. Automate as much as you can : If you have some must-pass security checks, define them in the CI/CD pipelines, especially for production. Define must-checks to deploy : Whenever is possible, promote security training to your Devs. They’ll be more motivated and with the knowledge to fix vulnerabilities, and avoid them in the future. Encourage and training The advantages are pretty clear, is the key like it’s in common practices, and we benefit from it adding the compliance checks in our . Some of those checks will be mandatory, so you’re gonna put your barriers of trust in the , ensuring that nothing will go through those unless it has the level of trust you’ve defined. automation DevOps pipelines automation controls For a better and smooth experience, you need to teach your staff what are the common vulnerabilities, which we’re doing, and how to fix them. Usually, at first you’ll need to do a lot of support to developers, to teach them how to avoid and fix issues, but once they learn, you’ll gain more time for you and your team, to put the efforts to solve bigger goals for the company. controls Open-Source Tools Let's deep dive into the best tooling for integrating with CI/CD processes, and tackle the different sides of Security across the entire ecosystem. Infrastructure-As-Code One of the best open-source tools to analyze IaC is . It’s a tool designed to find security vulnerabilities, compliance issues, and infrastructure misconfigurations. Kics It supports multiple platforms, such as Terraform, Kubernetes, Docker, Helm. It comes with a lot of predefined checks to assess your infrastructure, containers, and deployments. One of the key benefits of this tool is that’s designed to let you expand the analyzing capabilities, using the extensible query configuration you can create your checks, adapted to your staff and environment, and disable the ones that are less important to the company. Dependency Checks You didn’t write all the code of your applications, nobody does it in WebApps today. You use libraries, and probably a lot of them. Like any piece of code, it has its vulnerabilities, and you should check them. Dependency checking is the process of finding what vulnerable versions of third-party you’re using. Most tools do that by comparing the version with popular vuln databases, such as and . NIST CVE As the name suggests, it only works with javascript based projects. But it does a really good job finding vulnerable packages, and it’s well integrated with most javascript frameworks out there. RetireJs : OWASP tool for dependency scanning. It works with Ruby, Java, JavaScript, and .NET. It uses NIST Vuln Database to find vulnerable software in your libraries. Dependency-Check : Static Application Security Testing (SAST) These tools are designed to scan your code to find flaws in your project. It could help to find SQL Injection, Buffer Overflows, Memory Leaks, XSS (Cross-Site-Scripting), and more… SAST is known as white-box scanning because it works by analyzing your source code and finding vulnerabilities based on your implementation. The downside is that they aren’t perfect, they have a lot of false positives, and the worst: false negatives. Despite its shortcomings, it’s another layer of defense to add to our pipelines. : SAST tool for Python. Bandit : SAST tool for Ruby on Rails. BrakeMan : Another SAST tool for Ruby, but in this case with support for the most MVC frameworks, like Rails, Padrino, and Sinatra. It provides more than 150 security checks, with remediation suggestions. DawnScanner : SAST tool for Java code. Include 100 security checks and support all major Java frameworks. FindSecBugs : It supports multiple languages, and it has an extension for VSCode. Very interesting tool. You must give it a shot. HoruSec Dynamic Application Security Testing (DAST) In comparison with SAST, as its name suggests, it dynamically analyzes your live application and performs different types of attacks against it, to find vulnerabilities. It’s also known as black-box scanning, since it doesn’t analyze your code, it analyzes the live web server. The best way to integrate these kinds of tools in pipelines is after deployment in lower environments, like Dev or Stage. After the deployment step in the CD process, you should have another step to perform the scanning, and if the results are not good enough, revert the deployment and flag the artifact as vulnerable to prevent production deployments. (ZAP): It’s a well-known tool to do pentesting, but it also has a lot of automated scanning capabilities to test your app. It could be deployed using GithubActions too. ZedAttackProxy : DAST tool with high performance and multiple types of integrations, including a WebServer where you can check scanning results. Arachni Final Words This short tutorial should help you get started with DevSecOps, and comprehend the concepts behind it. is not hard if you know how to begin, follow the best practices, and use the right tools. DevSecOps Also Published Here

Different

2022 - HackerNoon Contributor of the Year - Devops

Connect with Me on LinkedIn!

Read My Stories

Newsletter

Hire Me

Nominated for 2022 - HackerNoon Contributor of the Year - Devops

Too Long; Didn't Read

Developers: Build Less. Deliver More. [Learn how]	

DevSecOps Deep Dive: CI/CD Pipeline Security

Too Long; Didn't Read

Company Mentioned

Leandro Mantovani

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

DevSecOps Deep Dive: CI/CD Pipeline Security

Too Long; Didn't Read

Company Mentioned

Leandro Mantovani

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES