Copyright© 2019 Sogeti. All rights reserved.
Integrating security with DevOps
Author – Vivek Kumar Singh
DevSecOps
Table of Contents
1. Introduction
1.1 What they need
1.2 What they want
1.3 What we hear from clients and product owners
1.4 What we can suggest to our clients
2. CI/CD Pipelines
2.1 So why Continuous Delivery
2.2 Ability to get changes of all types
2.3 Cycle of five
3. DevSecOps
3.1 DevSecOps to match agile delivery
3.2 Pipelines define the delivery process
3.3 Essential security tooling categories
3.4 Static application scanning
3.5 Static analysis: start with SonarQube (open source)
3.6 Dependency checks for the supply chain
3.7 Container and platform scanning: Twistlock
3.8 Dynamic functional testing
3.9 Security pipelines with ZAP
WHAT THEY NEED
Shorter Release Cycles
Continuous Integration
Quality Assurance
Security
WHAT THEY WANT
Fast Sellers
Best Sellers
WHAT WE HEAR FROM CLIENTS AND PRODUCT OWNERS
Too much lead time to get to production.
We have all the DevOps tools, so why are we still not delivering fast enough?
We have been doing CI/CD for years, so why can’t we release when we want?
Despite automated build and deploy, why does it take so long to release?
Why do we still see production issues?
How can we reduce time to market?
WHAT WE CAN SUGGEST TO OUR CLIENTS
A one-stop station for application lifecycle management and continuous delivery of quality products, with a single pipeline that connects all of the components below.
All of the components below need to be well connected throughout the CD lifecycle of the product.
CD should run in one single pipeline for proper traceability.
Each component below needs to be well defined.
2. CI/CD Pipelines
SO WHY CONTINUOUS DELIVERY
“Continuous Delivery is a software development discipline where you build software in such a way that the software can be released to production at any time” – Martin Fowler.
ABILITY TO GET CHANGES OF ALL TYPES
Into the hands of users, safely and quickly, in a sustainable way, and ensure our code is always in a deployable state.
CYCLE OF FIVE
Develop:
Everything should be version controlled.
Trunk-based development.
Code should first go to the dev branch before it goes to the master branch.
Every developer must commit to trunk/master at least once a day.
MRs/PRs are peer review methods, not approval mechanisms.
Hide unfinished code behind feature toggles.
Trunk is always in a releasable state.
Never check in on a broken trunk.
Build
Think beyond localhost.
Build once, deploy anywhere.
Centralized package store.
Semantic versioning for all packages: apps, configs, DB scripts, etc.
CI pipeline for build, package, publish, version upgrades and build promotion.
Test
TOP DOWN / BOTTOM UP
Test-Driven Development.
When you fail fast and fail early, you can fix early.
Continuous Integration leads to continuous testing and faster release to production.
Parallel test pipelines.
Don’t wait until the final release.
Deploy
Version-controlled infrastructure as code.
One design, multiple implementations.
Scalable environments on demand.
Immutable infrastructure.
Zero-downtime deployments.
Release
Role-based access control for prod deployment pipelines.
End-to-end traceability: code to customers.
Production readiness checkpoint.
Robust monitoring, logging and alerting.
Always have a Plan B.
DEVSECOPS
What is DevSecOps?
DevOps + Security = DevSecOps.
The goal of DevOps is to give development teams more ownership of deploying and monitoring their applications, by automating infrastructure provisioning and application deployment so that they can ship a higher-quality product faster.
Adding security to this same automation is the goal of DevSecOps.
Companies should create strong security policies and standards without slowing down the development process.
Security has to be an integral part of the DevOps process, and automated so that it does not slow the DevOps process down.
Implementing DevSecOps means creating a “security as code” culture, where security is integrated into all phases of the SDLC and DevOps practices, keeping regulations and security top of mind while maintaining the speed, agility and innovation needed to stay ahead of cyberattacks.
DEVSECOPS TO MATCH AGILE DELIVERY
Modern Agile/DevOps software delivery is outpacing a compliance-driven, late-lifecycle security process.
How do we solve the problem using Dev(Sec)Ops?
Integrate security actions into the sprint delivery process.
Integrate security team members into development and operations.
Integrate “Quality Gates” (Security Gates!) into the CI/CD pipeline.
Goal: confidence that the software is “secure enough” to defend itself. This needs “continuous security” integrated into our delivery process.
PIPELINES DEFINE THE DELIVERY PROCESS
The software delivery process is automated through CI/CD pipelines that deliver application microservices into the various test (and eventually production) environments.
ESSENTIAL SECURITY TOOLING CATEGORIES
Static application scanning
Analyse the source code, application structure, or platform as it is built to detect defects or vulnerabilities.
In the security space: SAST, software composition analysis, vulnerability scanning.
Non-functional testing
Verify software against sub-categories of cross-cutting, non-functional requirements (security, performance, accessibility).
In the security space: DAST (Dynamic Application Security Testing).
Real-time monitoring
Once the software is operating, monitor its operation and look for issues.
STATIC APPLICATION SCANNING
STATIC ANALYSIS: START WITH SONARQUBE (OPEN SOURCE)
If you have a lot of JavaScript and need to catch cross-site scripting and SQL injection, we can use SonarQube, which offers:
1) Code scanning and quality dashboards.
2) Quality, security and maintainability scans for many languages.
3) A continuous view of static code health, unit tests and coverage.
4) An inexpensive alternative to commercial tools such as Fortify, Veracode, etc.
DEPENDENCY CHECKS FOR THE SUPPLY CHAIN
1) Ensure that you aren’t using someone else’s vulnerable code.
To analyse such code we can use tools built on sources like the NVD and CVE.
CONTAINER AND PLATFORM SCANNING: TWISTLOCK
Ensure you scan your containers for any vulnerabilities or suspicious behaviour.
Roles:
Scan newly built app container images for vulnerabilities.
Monitor running containers for compliance.
DYNAMIC FUNCTIONAL TESTING
Unit testing – verify that code functions properly in isolation during a build (pre-deployment).
Health tests – quick pings of API health-check endpoints to ensure services are running.
API testing – REST tests divided into smoke tests, functional tests, regression tests, etc.
UI testing – Selenium tests for the UI, organized as smoke, functional, etc.
SECURITY PIPELINES WITH ZAP
OWASP Zed Attack Proxy (ZAP) is an easy-to-use, open-source web scanning and penetration testing tool.
Two primary modes: passive and active.
It examines all the traffic coming from the browser (for example, it tells you if your tokens have issues) and helps safeguard against SQL injection attacks.
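A pipeline-stage security gate of the kind these slides call for (the "Security Gates" in the CI/CD pipeline, fed by the dependency scan and the ZAP scan above), as an added example that is not Sogeti's or the author's code: it reads a ZAP JSON report and a dependency-scan report and fails the build on any finding at or above a chosen severity unless an accepted-risk exception is recorded. The report shapes, the sample findings and the placeholder CVE id are constructed assumptions; the dependency report is modelled on OWASP Dependency-Check output, a tool the slides do not name.

```python
import json
# Report shapes assumed here (constructed sample data, not real scan output):
#   ZAP JSON: {"site": [{"alerts": [{"riskcode": "3", "name": "..."}]}]}
#   Dependency-Check JSON: {"dependencies": [{"fileName": "...", "vulnerabilities": [{"name": "...", "severity": "HIGH"}]}]}
ZAP_RISK = {"0": "INFO", "1": "LOW", "2": "MEDIUM", "3": "HIGH"}
SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

SAMPLE_ZAP_REPORT = json.loads('{"site": [{"alerts": ['
    '{"riskcode": "3", "name": "SQL Injection"}, '
    '{"riskcode": "2", "name": "Absence of Anti-CSRF Tokens"}]}]}')
SAMPLE_DEP_REPORT = json.loads('{"dependencies": ['
    '{"fileName": "old-lib-1.0.jar", "vulnerabilities": '
    '[{"name": "CVE-PLACEHOLDER-1", "severity": "CRITICAL"}]}, '
    '{"fileName": "clean-lib-2.3.jar", "vulnerabilities": []}]}')

def zap_findings(report):
    """Yield (severity, description) for every alert in a ZAP JSON report."""
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            yield ZAP_RISK.get(str(alert.get("riskcode", "0")), "INFO"), alert.get("name", "?")

def dependency_findings(report):
    """Yield (severity, description) for every vulnerable dependency."""
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            yield str(vuln.get("severity", "LOW")).upper(), f"{dep.get('fileName', '?')}: {vuln.get('name', '?')}"

def evaluate_gate(findings, fail_at="HIGH", accepted=()):
    """Return (passed, blocking). A finding blocks when its severity is at or
    above fail_at and no accepted-risk identifier appears in its description."""
    threshold = SEVERITY_RANK[fail_at]
    blocking = [(sev, desc) for sev, desc in findings
                if SEVERITY_RANK.get(sev, 0) >= threshold
                and not any(tag in desc for tag in accepted)]
    return not blocking, blocking

def run_gates(zap_report, dep_report, fail_at="HIGH", accepted=()):
    """Run both gates and return a CI exit code: 0 lets the build promote."""
    exit_code = 0
    for stage, findings in (("DAST (ZAP)", zap_findings(zap_report)),
                            ("dependency scan", dependency_findings(dep_report))):
        passed, blocking = evaluate_gate(findings, fail_at, accepted)
        print(f"[{stage}] {'PASS' if passed else 'FAIL'}: {blocking}")
        exit_code |= 0 if passed else 1
    return exit_code

if __name__ == "__main__":
    raise SystemExit(run_gates(SAMPLE_ZAP_REPORT, SAMPLE_DEP_REPORT))
```

Run it as the last stage before build promotion; a non-zero exit stops the pipeline, and accepted-risk identifiers should come from a reviewed, version-controlled file rather than a hard-coded list.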
About Sogeti
Learn more about us at
www.sogeti.com
Sogeti is a leading provider of technology and engineering services. Sogeti delivers solutions that enable digital transformation and offers cutting-edge expertise in Cloud, Cybersecurity, Digital Manufacturing, Digital Assurance & Testing, and emerging technologies. Sogeti combines agility and speed of implementation with strong technology supplier partnerships, world class methodologies and its global delivery model, Rightshore®. Sogeti brings together more than 25,000 professionals in 15 countries, based in over 100 locations in Europe, USA and India. Sogeti is a wholly-owned subsidiary of Capgemini SE, listed on the Paris Stock Exchange.