From DevOps to DevSecOps Security Stack Practices

In a DevOps model where a single stack carries code from development to release, DevOps itself needs a security upgrade: security checks and remediation at every stage of the full stack, in other words a secure stack, DevSecOps. This article walks through the security practices and tools that DevSecOps applies at each stage.
DevSecOps builds on DevOps practice: security checks are added at the corresponding stage and integrated into the CI/CD pipeline, extending the existing DevOps tools and practices.
Adding a security layer to the pipeline
Security is not easy. When integrating security into DevOps it is easy to become overwhelmed and lose direction. Understanding the current workflow and tools is the key to fitting security checks and security controls into the pipeline. Generally speaking, a DevOps continuous integration (CI), continuous delivery and continuous deployment (CD) pipeline is divided into six stages:

Coding: the development phase, before the code enters the source code repository.

Build: build the system and run its basic automated tests.

Test: after a successful build, the artifact is deployed to a staging and test environment.

Host operation: the configuration and version updates that need to be applied to the infrastructure.

Running: if the host stage succeeds, the application is ready to be deployed to the production environment and can be released and upgraded in a grayscale (canary) rollout.

Monitoring: continuously measure and monitor production activity.

The rest of this article explores security integration practices for each of these six stages.

Development stage
DevOps practice emphasizes writing good code: code that runs well and is easy to change and understand. DevSecOps extends these practices with security checks so that the code written is both good and secure.

Traditional unit testing, static code analysis, code review, pre-commit hooks (git client-side hooks) and similar practices can be extended into security checks at this stage. Common security issues can then be found and fixed before the code is pushed to the source code repository, without slowing developers down.
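One way to turn a pre-commit hook into a security check, as an added example that is not from the original article: the script below scans only the lines a commit adds (via `git diff --cached`) for a few narrow patterns and rejects the commit on a hit. The rules and the embedded sample diff are constructed for illustration and are not a complete secret-detection ruleset.

```python
"""Pre-commit security gate (added example). Assumed to be installed as
.git/hooks/pre-commit with `git` on PATH; rules are illustrative only."""
import re
import subprocess
import sys

# (pattern, message): each rule is deliberately narrow to keep false positives low
RULES = [
    (re.compile(r"AKIA[0-9A-Z]{16}"), "AWS access key ID"),
    (re.compile(r"-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----"), "private key material"),
    (re.compile(r"(?i)(password|passwd|secret|api[_-]?key)\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
     "hard-coded credential"),
    (re.compile(r"\beval\s*\("), "eval() on possibly untrusted input"),
]

def scan_added_lines(diff_text):
    """Return (file, line_no, message) for every rule hit on an added line of a unified diff."""
    findings, current_file, line_no = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            current_file = line[4:]
            if current_file.startswith("b/"):
                current_file = current_file[2:]
        elif line.startswith("@@"):
            m = re.search(r"\+(\d+)", line)        # new-file start line of this hunk
            line_no = int(m.group(1)) - 1 if m else 0
        elif line.startswith("+"):
            line_no += 1                           # added line: check it
            for pattern, message in RULES:
                if pattern.search(line[1:]):
                    findings.append((current_file, line_no, message))
        elif not line.startswith("-") and not line.startswith("\\"):
            line_no += 1                           # context line: advances the new-file line
    return findings

def staged_diff():
    """Diff of what is about to be committed (the hook's real input)."""
    return subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout

# Constructed sample diff used for the stand-alone check below.
CONSTRUCTED_DIFF = """diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,3 @@
 import os
+DB_PASSWORD = "hunter2hunter2"
 DEBUG = False
"""

if __name__ == "__main__":
    hits = scan_added_lines(staged_diff())
    for path, no, msg in hits:
        print(f"{path}:{no}: {msg}", file=sys.stderr)
    sys.exit(1 if hits else 0)   # non-zero exit aborts the commit
```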

Code review
Code review is an important means of improving code security. It raises developers' sense of responsibility and transparency, and reduces the risk of insider threats (such as poisoned code, hidden backdoors and logic bombs), while also improving code quality. Beyond the code itself, key configuration files such as Puppet manifests, Ansible playbooks, Dockerfiles and .gitlab-ci.yml should be included in the scope of code review.

Static analysis tools
There are many static analysis tools on the market, open source and commercial, that integrate into our favourite IDE to check code consistency, maintainability, clarity, error patterns and so on. Basic security rules (rule sets for the language in use) can also be added to flag common security vulnerabilities.

Tool list

A non-exhaustive list of tools that can be used at this stage:

Gerrit, Phabricator, SpotBugs, PMD, CheckStyle, Find Security Bugs, etc.

Project build
After code is pushed to the source repository (such as GitLab), the application is built and basic automated tests are run, to ensure the code always compiles and builds.

Checks should also be added at this stage to detect critical and high-risk security issues. When a serious problem is found, a security control is required: the pipeline is configured to fail and an alert notification is sent.

Dependency component security analysis
According to Sonatype's 2018 software supply chain report, developers downloaded and used more than 300 billion open source components that year, and one in eight of them contained known vulnerabilities. Incidents in which Trojans were injected into base libraries also occurred frequently this year; an earlier article from this author covered them in detail, and you can find it in the article history.

Dependency component security analysis discovers whether the open source components (libraries) an application depends on contain known security vulnerabilities. Running SCA tools helps identify outdated libraries and frameworks with known vulnerabilities.
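The "fail the build and alert on serious findings" control from the build stage, applied to an SCA report, as an added example that is not from the original article. The report schema is a simplified, constructed one, loosely modelled on the JSON that SCA tools emit rather than any specific tool's format, and the vulnerability ids are placeholders, not real CVEs.

```python
"""Build-stage SCA gate (added example). Reads a dependency-scan report and
returns a non-zero exit code when any dependency carries a vulnerability at or
above the CVSS threshold, so the CI job fails. Schema is constructed/simplified."""
import json
import sys

FAIL_ON_CVSS = 7.0  # high and critical findings block the build; lower ones only warn

def evaluate_report(report, threshold=FAIL_ON_CVSS, accepted_risks=frozenset()):
    """Return (blocking, warnings), each a list of (package, vuln_id, cvss).

    accepted_risks holds vulnerability ids an owner has reviewed and accepted;
    they are downgraded to warnings so that exceptions stay visible in the log."""
    blocking, warnings = [], []
    for dep in report.get("dependencies", []):
        name = f"{dep['name']}@{dep['version']}"
        for vuln in dep.get("vulnerabilities", []):
            finding = (name, vuln["id"], float(vuln["cvss"]))
            if finding[2] >= threshold and vuln["id"] not in accepted_risks:
                blocking.append(finding)
            else:
                warnings.append(finding)
    return blocking, warnings

# Constructed sample report with placeholder vulnerability ids (not real CVEs).
SAMPLE_REPORT = {
    "dependencies": [
        {"name": "example-http-lib", "version": "1.2.0",
         "vulnerabilities": [{"id": "VULN-EXAMPLE-001", "cvss": 9.8}]},
        {"name": "example-yaml-lib", "version": "0.9.1",
         "vulnerabilities": [{"id": "VULN-EXAMPLE-002", "cvss": 5.3}]},
        {"name": "example-logging-lib", "version": "3.0.0", "vulnerabilities": []},
    ]
}

def main(path=None):
    """Gate a report file, or the embedded sample when no path is given."""
    with open(path) if path else None or _nullctx(SAMPLE_REPORT) as src:
        report = json.load(src) if path else src
    blocking, warnings = evaluate_report(report)
    for pkg, vid, score in warnings:
        print(f"WARN  {pkg} {vid} cvss={score}")
    for pkg, vid, score in blocking:
        print(f"BLOCK {pkg} {vid} cvss={score}", file=sys.stderr)
    return 1 if blocking else 0

class _nullctx:                      # tiny helper so main() reads either source uniformly
    def __init__(self, value): self.value = value
    def __enter__(self): return self.value
    def __exit__(self, *exc): return False

if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```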

SAST (Static Application Security Testing)
Another effective way to add security at this stage, with quick feedback to the team, is static application security testing. These tools find hidden defects that reviewers miss, defects that are often hard to find with other kinds of testing.

Unit tests
Unit tests are important for catching regressions, including security regressions, when code is refactored or otherwise changed. Security-focused unit tests should be added for each functional block.

Tool list
Tools that can be used at this stage include the well-known SonarQube, OWASP Dependency-Check, SourceClear, Retire.js and Snyk.

Test phase
After a successful build, the test phase is triggered: the generated artifacts are selected and deployed to a container or test environment. The tests run here include functional tests, integration tests, performance tests, advanced SAST, security tests and DAST.

This stage usually needs more time and resources, and follows the fail-fast principle: the most laborious and time-consuming tests are deferred as far as possible and run only after all other tests have passed.

Targeted dynamic scanning
Once deployed, the application is exposed to many kinds of possible attack, such as cross-site scripting, SQL injection or authentication bypass. This is where Dynamic Application Security Testing (DAST) comes in: the application under test can be analyzed against the common high-risk vulnerability classes summarized in the OWASP Top 10.

Fuzz testing (fuzzing)
Fuzz testing is a black-box, brute-force reliability testing technique: it feeds unexpected or malformed data to the target and observes the results in order to discover vulnerabilities in an automated way.

Automated attack
As part of the automated test cycle, we can go further and simulate attacks against the running application, performing basic, targeted automated penetration tests of the system.

Tool list
Tools available at this stage (open source and commercial) include Acunetix Web Vulnerability Scanner, BDD-Security, JBroFuzz, Boofuzz, OWASP ZAP, Arachni, IBM AppScan, Mittn, Gauntlt, the SecApp suite, etc.

Host operation (stand-alone)
The host operation phase is mainly about protecting the runtime environment and the applications running on it. Over the years the industry has proposed many security best practices, models, guidelines and tools to help harden the infrastructure and make it more resilient.

Reduced privileges, least privilege
The principle of least privilege (PoLP) states that each module (a process, user or program, depending on the subject) must have access only to the information and resources necessary for its legitimate purpose.

Configuration automation
Configuration management (CM) tools make it easy to deploy large-scale infrastructure repeatably and to create secure infrastructure. Through standardized configuration, CM tools reduce patch-management problems, minimize the risk that attackers exploit unpatched servers, and help reduce drift between environments. It is worth noting that CM tools track configuration in a central repository under version control.

Immutable infrastructure
With immutable infrastructure, once an artifact is created in the system it is never changed by user modification and there are no incremental changes: a new server instance is created to replace the old one instead of applying a series of incremental updates and changes.

Security standards
Many communities provide guidance and recommendations for infrastructure hardening. These standards include the Center for Internet Security (CIS) benchmarks and the NIST configuration checklists.

Tool list
Tools available at this stage include Ansible, Puppet, (R)?ex, HashiCorp Terraform, Chef, Docker, etc.

Running phase
If all the above phases succeed, you need to be ready to move into the production environment. The goal of this stage is to verify whether any errors were introduced at configuration or deployment time, whether those errors reduce the reliability and resilience of the system, and whether the system can be attacked through those failure conditions.

This is the stage where automated runtime inspection and testing play an important role, especially in detecting security violations and vulnerabilities and in highlighting risks such as changes to access control policies or firewall rules.

Tool list
Here the Netflix open source tool Chaos Monkey deserves particular mention: it runs chaos engineering experiments on distributed systems, with the goal of building confidence in the production system's ability to withstand turbulent, out-of-control conditions.

Monitoring phase
After the system goes into production, security does not end; it really begins. In DevSecOps, automated security inspection and iterative monitoring feedback loops are an essential part of production operations.

Continuous monitoring provides insight into the kind of traffic the application receives and helps identify the attack patterns of malicious users.

Runtime application security
Runtime Application Self-Protection (RASP) identifies and blocks application security threats in real time. By adding detection and protection capabilities to the application's runtime environment, RASP lets applications "self-protect" by reconfiguring automatically in response to certain conditions, without manual intervention.

Security monitoring
Security monitoring is the process of automatically collecting and analyzing potential security threat indicators, defining the types of behavior that should trigger an alert, and responding to alerts with appropriate measures. Examples include IDS, host process monitoring, working directory change monitoring and traffic monitoring.

Bug bounty
A bug bounty program draws on third parties to dig deeply for vulnerabilities, giving a full picture of the actual risk level, system weaknesses and flaws. Bounty hunters can usually probe freely without disrupting the system or destroying or leaking sensitive data.

Tool list
There are many runtime defense tools on the market, including Prevoty, Alert Logic, HALO and EVIDENT.