
Copyright © 2019 Sogeti. All rights reserved.

Integrating security with DevOps

Author – Vivek Kumar Singh

DevSecOps


Table of Contents

1. Introduction

1.1 What they need

1.2 What they want

1.3 What we hear from clients and product owners

1.4 What we can suggest to our client

2. CI/CD Pipelines

2.1 So why Continuous Delivery

2.2 Ability to get changes of all types

2.3 Cycle of five

3. DevSecOps

3.1 DevSecOps to match agile delivery

3.2 Pipelines define the delivery process

3.3 Essential security tooling categories

3.4 Static application scanning

3.5 Static analysis: start with SonarQube (open source)

3.6 Dependency checks for the supply chain

3.7 Container and platform scanning: Twistlock

3.8 Dynamic functional testing

3.9 Security pipelines with ZAP


WHAT THEY NEED

Shorter Release Cycles

Continuous Integration

Quality Assurance

Security

WHAT THEY WANT

Fast Sellers

Best Sellers

WHAT WE HEAR FROM CLIENTS AND PRODUCT OWNERS

Too much lead time to go to production.

We have all the DevOps tools, but still we are not delivering fast enough?

We have been doing CI/CD for years, but why can’t we release when we want?

Despite automated build and deploy, why does it take so long to release?

Why do we still see production issues?

How can we reduce time to market?

WHAT WE CAN SUGGEST TO OUR CLIENT

A one-stop station for application lifecycle management and continuous delivery of quality releases: a single pipeline that connects all the components together.

All the components need to stay well connected through the CD lifecycle of the product.

CD should be one single pipeline, for proper traceability.

Each component needs to be well defined.


2. CI/CD Pipelines

SO WHY CONTINUOUS DELIVERY

“Continuous Delivery is a software development discipline where you build software in such a way that the software can be released to production at any time” – Martin Fowler.

ABILITY TO GET CHANGES OF ALL TYPES

Into the hands of users, safely and quickly, in a sustainable way, and ensure our code is always in a deployable state.

CYCLE OF FIVE

Develop:

Everything should be version controlled.

Trunk based Development.

The Code should first go to the Dev branch before it goes to the Master

branch.

Every developer must commit to trunk/master at least once a day.

MRs/PRs are a peer review method, not an approval mechanism.

Hide unfinished code behind feature toggles.

Trunk is always in a releasable state.

Never check in on a broken trunk.


Build

Think beyond localhost.

Build once deploy anywhere.

Centralized package store.

Semantic versioning for all packages

Apps, Configs, DB scripts etc.

CI pipeline for build, package, publish, version upgrades and build

promotion.

Test

TOP DOWN, BOTTOM UP

Test-Driven Development.

When you fail fast and fail early you can fix early.

Continuous Integration leads to continuous testing and faster release to

production.

Parallel test pipelines.

Don’t wait till the final release.


Deploy

Version Controlled Infrastructure as code.

One Design Multiple Implementation.

Scalable Environment on Demand.

Immutable Infrastructure.

Zero Downtime Deployments.

Release

Role-based Access Control for prod deployment pipelines.

End to End traceability - Code to customers.

Production Readiness Checkpoint.

Robust Monitoring, Logging and Alerting.

Always have a Plan B.

DEVSECOPS


What is DevSecOps?

Integrating DevOps + Security = DevSecOps.

The goal of DevOps is to give development teams more ownership of deploying and monitoring their applications, by automating infrastructure provisioning and application deployment so that they ship faster and ship a higher quality product.

Adding security to this same automation is the goal of DevSecOps.

Companies should create strong security policies and standards without slowing down the development process.

Security has to be an integral part of the DevOps process, and automated so that it does not slow the DevOps process down.

Implementing DevSecOps means creating a “security as code” culture, where security is integrated within all phases of the SDLC and the DevOps practices, keeping regulations and security top of mind while maintaining the speed, agility and innovation needed to stay ahead of cyberattacks.

DEVSECOPS TO MATCH AGILE DELIVERY.

Modern Agile/DevOps software delivery is outpacing a compliance-driven, late-lifecycle security process.

How do we solve the problem using Dev(Sec)Ops?

Integrate security actions into the sprint delivery process.

Integrate security team members into development and operations.

Integrate “Quality Gates” (Security Gates!) into the CI/CD pipeline: a build that fails a security check is not promoted to the next environment.

Goal: confidence that the software is “secure enough” to defend itself. That needs “continuous security” integrated into our delivery process.


PIPELINES DEFINE THE DELIVERY PROCESS.

The software delivery process is automated through CI/CD pipelines that deliver application microservices into the various test (and eventually production) environments.

ESSENTIAL SECURITY TOOLING CATEGORIES.

Static application scanning

Analyse the source code, application structure, or platform as it is built, to detect defects or vulnerabilities.

In the security space: SAST, software composition analysis, vulnerability scanning.

Non-functional testing

Verify software against sub-categories of cross-cutting, non-functional requirements (security, performance, accessibility).

In the security space: DAST (Dynamic Application Security Testing).

Real-time monitoring

Once the software is operating, monitor its operation and look for issues.
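Security gates as code, as an added example (not from the original deck and not any vendor's tool): a small Python gate that takes the findings the tool categories above produce (SAST, SCA, container scanning, DAST), applies a per-stage severity threshold, honours time-boxed and ticketed risk acceptances, and fails closed when a scanner named in the policy did not run. The policy, findings, rule ids and ticket number are constructed placeholders.

```python
"""Security gate for a CI/CD pipeline.

Added example; this is not code from the original deck.  It turns "security
gates" into an automated promotion decision: collect findings from the tool
categories on this page, apply a per-stage severity threshold, honour
time-boxed risk acceptances, and fail closed when a scanner did not run.
All findings, rule ids and ticket numbers below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Lowest severity that blocks promotion, per tool category and per target stage.
# Production is stricter than the test environments.
POLICY = {
    "test": {"sast": "HIGH", "sca": "HIGH", "container": "CRITICAL", "dast": "HIGH"},
    "prod": {"sast": "MEDIUM", "sca": "MEDIUM", "container": "HIGH", "dast": "MEDIUM"},
}


@dataclass(frozen=True)
class Finding:
    tool: str       # "sast", "sca", "container" or "dast"
    rule_id: str    # scanner rule id or advisory id (placeholders here)
    severity: str   # key of SEVERITY_RANK
    location: str   # file:line, package, image layer or URL


@dataclass(frozen=True)
class RiskAcceptance:
    """A finding the product owner has accepted, with an expiry so it is re-examined."""
    rule_id: str
    location: str
    expires: date
    ticket: str     # where the acceptance was approved


def is_accepted(finding, acceptances, today):
    """True if an unexpired acceptance matches this exact finding (rule and location)."""
    return any(
        a.rule_id == finding.rule_id and a.location == finding.location and a.expires >= today
        for a in acceptances
    )


def evaluate_gate(findings, stage, acceptances=(), tools_run=(), today=None):
    """Decide whether a build may be promoted to `stage`.

    Fails closed: a tool category in the policy that produced no results blocks
    promotion, and a finding from a tool the policy does not know is an error.
    """
    today = today or date.today()
    thresholds = POLICY[stage]
    missing_tools = sorted(set(thresholds) - set(tools_run))
    blocking, accepted = [], []
    for f in findings:
        if f.tool not in thresholds:
            raise ValueError(f"no policy for tool {f.tool!r} in stage {stage!r}")
        if SEVERITY_RANK[f.severity] < SEVERITY_RANK[thresholds[f.tool]]:
            continue  # below this stage's threshold: reported, not blocking
        (accepted if is_accepted(f, acceptances, today) else blocking).append(f)
    return {
        "passed": not blocking and not missing_tools,
        "blocking": blocking,
        "accepted": accepted,
        "missing_tools": missing_tools,
    }


# Constructed sample output, as a pipeline would collect it from the four scanners.
ALL_TOOLS = ("sast", "sca", "container", "dast")
AS_OF = date(2019, 6, 1)          # build date inside the acceptance window
AFTER_EXPIRY = date(2020, 1, 15)  # build date after the acceptance expired
SAMPLE_FINDINGS = [
    Finding("sast", "sast-sqli-1", "HIGH", "src/orders/repo.js:42"),
    Finding("sca", "adv-0001", "CRITICAL", "package-lock.json:acme-http"),
    Finding("container", "adv-0002", "HIGH", "api:1.4.0 layer 3 (libacme)"),
    Finding("dast", "dast-cookie-1", "LOW", "https://api.test.example/login"),
]
SAMPLE_ACCEPTANCES = [
    RiskAcceptance("sast-sqli-1", "src/orders/repo.js:42", date(2019, 12, 31), "SEC-123"),
]

if __name__ == "__main__":
    for stage in ("test", "prod"):
        result = evaluate_gate(SAMPLE_FINDINGS, stage, SAMPLE_ACCEPTANCES, ALL_TOOLS, AS_OF)
        print(stage, "PASS" if result["passed"] else "BLOCK",
              [f.rule_id for f in result["blocking"]], [f.rule_id for f in result["accepted"]])
```

Two design points matter more than the thresholds themselves: an acceptance is keyed to the exact finding and carries an expiry, so a deferred fix resurfaces instead of being forgotten, and a missing scanner result blocks promotion, because a gate that silently passes when a stage was skipped is not a gate.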


STATIC APPLICATION SCANNING.

STATIC ANALYSIS: START WITH SONARQUBE (OPEN SOURCE)

If you have a lot of JavaScript, and cross-site scripting and SQL injection are the concern, SonarQube gives you:

1) Code scanning and quality dashboards.

2) Quality, security and maintainability scans for many languages.

3) A continuous view of static code health, unit tests and coverage.

4) An inexpensive alternative to commercial tools such as Fortify, Veracode, etc.

Check which security rules your edition actually ships: the open-source Community Edition does not include the taint-analysis rules that trace injection flaws across function boundaries, so treat it as a baseline rather than a replacement for a full SAST.
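Wiring SonarQube's own quality gate into the pipeline, as an added example (not code from the deck or from SonarSource): after sonar-scanner runs, the pipeline reads the report-task.txt it writes, polls the Compute Engine task through api/ce/task until the analysis has been processed, then asks api/qualitygates/project_status whether the gate passed and fails the build otherwise. Those two endpoints and the report-task.txt keys are SonarQube's; the server URL, token, ids and the canned responses are constructed so the module runs offline.

```python
"""Make the SonarQube quality gate a pipeline gate.

Added example; not the deck's code and not SonarQube's own client.  The two
web API endpoints and the report-task.txt keys are SonarQube's; the server URL,
token, task id and the responses in SAMPLE_RESPONSES are constructed.
"""
import base64
import json
import time
import urllib.request


def parse_report_task(text):
    """Parse the key=value lines of .scannerwork/report-task.txt."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    for required in ("serverUrl", "ceTaskId"):
        if required not in props:
            raise ValueError(f"report-task.txt has no {required}")
    return props


def http_get_json(url, token):
    """GET a SonarQube web API URL; a user token is the Basic-auth username, empty password."""
    creds = base64.b64encode(f"{token}:".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def wait_for_analysis(server_url, ce_task_id, token, fetch=http_get_json, poll_seconds=5, max_polls=60):
    """Poll the Compute Engine task until it finishes; return the analysisId."""
    for _ in range(max_polls):
        task = fetch(f"{server_url}/api/ce/task?id={ce_task_id}", token)["task"]
        if task["status"] == "SUCCESS":
            return task["analysisId"]
        if task["status"] in ("FAILED", "CANCELED"):
            raise RuntimeError(f"SonarQube analysis {ce_task_id} ended as {task['status']}")
        time.sleep(poll_seconds)  # PENDING or IN_PROGRESS: keep waiting
    raise TimeoutError(f"SonarQube analysis {ce_task_id} did not finish in time")


def failed_conditions(project_status):
    """Return (gate status, conditions that breached their threshold)."""
    status = project_status["projectStatus"]
    return status["status"], [c for c in status.get("conditions", []) if c.get("status") == "ERROR"]


def check_quality_gate(report_task_text, token, fetch=http_get_json, poll_seconds=5):
    """True only when the gate status is OK.  WARN, ERROR and NONE (no gate attached
    to the project) all fail the build, so a misconfigured project cannot slip through."""
    props = parse_report_task(report_task_text)
    analysis_id = wait_for_analysis(props["serverUrl"], props["ceTaskId"], token, fetch, poll_seconds)
    url = f"{props['serverUrl']}/api/qualitygates/project_status?analysisId={analysis_id}"
    gate, failed = failed_conditions(fetch(url, token))
    return gate == "OK", failed


# Constructed sample data so the module runs offline.
SAMPLE_REPORT_TASK = """\
projectKey=acme-orders
serverUrl=https://sonar.example.internal
ceTaskId=AWxyz123
ceTaskUrl=https://sonar.example.internal/api/ce/task?id=AWxyz123
"""

SAMPLE_RESPONSES = {
    "https://sonar.example.internal/api/ce/task?id=AWxyz123": [
        {"task": {"id": "AWxyz123", "status": "IN_PROGRESS"}},
        {"task": {"id": "AWxyz123", "status": "SUCCESS", "analysisId": "AWana456"}},
    ],
    "https://sonar.example.internal/api/qualitygates/project_status?analysisId=AWana456": [
        {"projectStatus": {"status": "ERROR", "conditions": [
            {"status": "ERROR", "metricKey": "new_security_rating", "comparator": "GT",
             "errorThreshold": "1", "actualValue": "3"},
            {"status": "OK", "metricKey": "new_coverage", "comparator": "LT",
             "errorThreshold": "80", "actualValue": "85.2"},
        ]}},
    ],
}


def fake_fetch(url, token):
    """Stand-in for http_get_json that replays SAMPLE_RESPONSES in order."""
    queue = SAMPLE_RESPONSES[url]
    return queue.pop(0) if len(queue) > 1 else queue[0]


if __name__ == "__main__":
    passed, failed = check_quality_gate(SAMPLE_REPORT_TASK, "token", fetch=fake_fetch, poll_seconds=0)
    print("quality gate", "OK" if passed else "FAILED", [c["metricKey"] for c in failed])
```

The polling step is the part teams usually skip: sonar-scanner returns as soon as it has uploaded the report, so a pipeline that queries the gate immediately may read the previous analysis. Using the analysisId from the finished task ties the verdict to this build.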

DEPENDENCY CHECKS FOR THE SUPPLY CHAIN.

1) Ensure that you aren’t using someone else’s vulnerable code.

Known vulnerabilities in third-party components are published as CVE entries and scored in the NVD; a software composition analysis tool (for example OWASP Dependency-Check) matches the dependencies declared in your manifests and lock files against those databases, and the pipeline fails the build on a match above your severity threshold.
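What a dependency check actually does, as an added example (not from the deck and not an NVD client): match each pinned version in a lock file against advisories that carry affected version ranges, and report unpinned dependencies separately because they cannot be checked. Real SCA tools such as OWASP Dependency-Check, npm audit or pip-audit perform the same matching against published CVE/NVD or OSV data; the packages, advisory ids and lock file here are fictional.

```python
"""Dependency check in miniature: match pinned versions against advisories.

Added example; not the deck's code and not an NVD client.  The advisory feed,
package names and advisory ids are constructed placeholders so this runs offline.
"""
import re

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([0-9]+(?:\.[0-9]+)*)$")


def parse_version(v):
    """Dotted numeric versions only (simplifying assumption: no pre-release tags),
    padded so that 5.1 and 5.1.0 compare equal."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version, introduced, fixed=None):
    """True when introduced <= version < fixed; fixed=None means no fix is published,
    so every version from `introduced` on is affected."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def parse_requirements(text):
    """Read 'name==version' pins (pip freeze style).  Anything that is not an exact
    pin is returned separately: an unpinned dependency can neither be checked nor
    rebuilt reproducibly, so the gate should treat it as a finding too."""
    pins, unpinned = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
        else:
            unpinned.append(line)
    return pins, unpinned


def find_vulnerable(pins, advisories):
    """One hit per advisory whose affected range contains the installed version."""
    hits = []
    for adv in advisories:
        version = pins.get(adv["package"].lower())
        if version is None:
            continue
        for r in adv["affected"]:
            if is_affected(version, r["introduced"], r.get("fixed")):
                hits.append({"advisory": adv["id"], "package": adv["package"],
                             "installed": version, "fixed": r.get("fixed"),
                             "severity": adv["severity"]})
                break
    return hits


def scan(requirements_text, advisories):
    pins, unpinned = parse_requirements(requirements_text)
    return find_vulnerable(pins, advisories), unpinned


# Constructed lock file and advisory feed (fictional packages and ids).
SAMPLE_REQUIREMENTS = """\
# generated by pip freeze
acme-http==2.19.1
acme-yaml==5.1
acme-web==1.0.2
acme-db==1.24.1
acme-orm>=2.0      # not pinned
"""

SAMPLE_ADVISORIES = [
    {"id": "ADV-0001", "package": "acme-http", "severity": "HIGH",
     "affected": [{"introduced": "2.0.0", "fixed": "2.20.0"}]},
    {"id": "ADV-0002", "package": "acme-yaml", "severity": "CRITICAL",
     "affected": [{"introduced": "0.0.0", "fixed": "5.1"}]},
    {"id": "ADV-0003", "package": "acme-web", "severity": "MEDIUM",
     "affected": [{"introduced": "0.12"}]},  # no fix published yet
]

if __name__ == "__main__":
    hits, unpinned = scan(SAMPLE_REQUIREMENTS, SAMPLE_ADVISORIES)
    for h in hits:
        print(f"{h['severity']:8} {h['advisory']} {h['package']}=={h['installed']} "
              f"fixed in {h['fixed'] or 'n/a'}")
    print("unpinned:", unpinned)
```

Note the boundary handling: acme-yaml==5.1 is exactly the fixed version and is not reported, while acme-web has no fixed version at all and is reported for every version from the introduced one onward, which is the case that needs a risk decision rather than an upgrade.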

CONTAINER AND PLATFORM SCANNING: TWISTLOCK.


Ensure you scan your containers for vulnerabilities and unexpected behaviour.

Roles:

Scan newly built application container images for vulnerabilities.

Monitor running containers for compliance.

DYNAMIC FUNCTIONAL TESTING.

Unit testing – verify that code functions properly in isolation during a

build (pre-deployment)

Health tests – quick pings of API health-check endpoints to ensure services are running.

API Testing – REST tests divided into smoke tests, functional tests,

regression tests, etc.

UI testing – Selenium tests for UI organized as smoke, functional, etc.

SECURITY PIPELINES WITH ZAP

OWASP Zed Attack Proxy (ZAP) is an easy-to-use, open-source web scanning and penetration testing tool.

Two primary modes: passive and active.

Passive mode examines all the traffic passing through the proxy from the browser without sending any requests of its own (for example, it flags a session token set as a cookie without the Secure or HttpOnly attributes); active mode sends crafted requests to probe for vulnerabilities such as SQL injection, so point it only at test environments.
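The passive half of ZAP's model, as an added example (not ZAP's code): a handful of passive rules run over recorded request/response pairs, flagging a session cookie set without Secure, HttpOnly or SameSite, missing Content-Security-Policy, X-Content-Type-Options and Strict-Transport-Security headers, and a Server header that leaks a version. Nothing is sent to the target, which is what makes passive scanning safe against any environment; the recorded traffic is constructed.

```python
"""Passive scan rules in the style of ZAP's passive mode.

Added example; this is not ZAP's code.  A passive scanner only inspects
request/response pairs that already flowed through the proxy and never sends
traffic of its own.  The recorded traffic below is constructed.
"""
HEADER_RULES = [
    # (header, required substring or None for presence only, risk, alert text)
    ("content-security-policy", None, "MEDIUM", "Content-Security-Policy header missing"),
    ("x-content-type-options", "nosniff", "LOW", "X-Content-Type-Options header missing or not nosniff"),
]
COOKIE_FLAGS = [("secure", "MEDIUM"), ("httponly", "LOW"), ("samesite", "LOW")]


def headers_by_name(headers):
    """Group header values by lower-cased name; Set-Cookie may repeat."""
    grouped = {}
    for name, value in headers:
        grouped.setdefault(name.lower(), []).append(value)
    return grouped


def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names) from a Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def passive_scan(exchange):
    """Examine one recorded response; return a list of alert dicts."""
    alerts = []
    uri = exchange["uri"]
    headers = headers_by_name(exchange["headers"])

    def alert(rule, risk, text, evidence=""):
        alerts.append({"rule": rule, "risk": risk, "alert": text, "uri": uri, "evidence": evidence})

    for header, expected, risk, text in HEADER_RULES:
        values = headers.get(header, [])
        if not values or (expected and not any(expected in v.lower() for v in values)):
            alert(f"header-{header}", risk, text)

    if uri.startswith("https://") and "strict-transport-security" not in headers:
        alert("header-hsts", "LOW", "Strict-Transport-Security header missing")

    for value in headers.get("set-cookie", []):
        name, attrs = parse_set_cookie(value)
        for flag, risk in COOKIE_FLAGS:
            if flag not in attrs:
                alert(f"cookie-no-{flag}", risk, f"Cookie {name!r} set without {flag} attribute", value)

    for value in headers.get("server", []):
        if any(ch.isdigit() for ch in value):  # "Apache/2.4.29" leaks a version, "Apache" does not
            alert("server-version", "INFO", "Server header discloses software version", value)

    return alerts


def scan_traffic(exchanges):
    return [a for ex in exchanges for a in passive_scan(ex)]


# Constructed traffic, as a proxy would record it from a browser session.
SAMPLE_TRAFFIC = [
    {"method": "POST", "uri": "https://app.test.example/login", "status": 200, "headers": [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "session=0123abcd; Path=/"),
        ("Server", "Apache/2.4.29"),
    ]},
    {"method": "GET", "uri": "https://app.test.example/home", "status": 200, "headers": [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "session=0123abcd; Path=/; Secure; HttpOnly; SameSite=Lax"),
        ("Content-Security-Policy", "default-src 'self'"),
        ("X-Content-Type-Options", "nosniff"),
        ("Strict-Transport-Security", "max-age=31536000"),
        ("Server", "Apache"),
    ]},
]

if __name__ == "__main__":
    for a in scan_traffic(SAMPLE_TRAFFIC):
        print(f"{a['risk']:6} {a['rule']:32} {a['uri']}  {a['alert']}")
```

In a pipeline, ZAP packages the same idea as zap-baseline.py (passive rules only) and zap-full-scan.py (active rules) in its Docker image; both exit non-zero when alerts reach the configured FAIL level, and that exit status is what the pipeline gate consumes.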


About Sogeti

Learn more about us at

www.sogeti.com

Sogeti is a leading provider of technology and engineering services. Sogeti delivers solutions that enable digital transformation and offers cutting-edge expertise in Cloud, Cybersecurity, Digital Manufacturing, Digital Assurance & Testing, and emerging technologies. Sogeti combines agility and speed of implementation with strong technology supplier partnerships, world class methodologies and its global delivery model, Rightshore®. Sogeti brings together more than 25,000 professionals in 15 countries, based in over 100 locations in Europe, USA and India. Sogeti is a wholly-owned subsidiary of Capgemini SE, listed on the Paris Stock Exchange.