DevSecOps: Establishing a culture

?Security is often seen as the biggest inhibitor to a cloud-first journey. If planed and imbibed into the culture, security, in reality, can be its most significant accelerator. DevSecOps is the driver of this acceleration.?

There are four key pillars that must be considered when looking to shift the DevSecOps culture of an organization:

Simply having the proper DevSecOps processes and technologies will not be enough to achieve anything if the company culture – embedded in people across all areas of the business – does not enable those processes and technologies to be properly utilized.

From the process point of view, DevSecOps is all about introducing security in the earlier phase of the application or software development cycle, which helps to minimize vulnerabilities and meet IT and business objectives related to security and compliance.

In other words, It is a way to see, CI-CD pipeline through the lens of security and break it up into key stages, Develop, Inherit, Build, Deploy, Monitor, Operate. From a Technology point of view, Each stage of the CI-CD pipeline will concentrate on security with the help of the following different types of tools.?

1. IDE Plugins — IDE extensions like?DevSkim,?JFrog Eclipse, and?Snyk. Those can work like spellcheck and help to avoid basic mistakes at the earliest stage of coding .
2. Pre-Commit Hooks — Open-source Tools like?git-hound,?git-secrets, and?repo-supervisor?can prevent you from committing sensitive information like credentials into your code management platform.
3. Cloud Secrets Management Tools allow you to control which service has access to what password specifically. Big players like AWS, Microsoft, and Google have their solutions in this space, but you should use cloud-provider-agnostic ones if you have multi-cloud or hybrid-cloud in place.
4. Static Application Security Testing (SAST) is about checking source code (when the app is not running). One of the common issues with these is, they often result in a lot of false positives and can’t be applied to all coding languages. However, It is essential to have SAST as a part of a pipeline.

An open-source option like For Ruby, there's "Brakeman" ,For PHP, there's "Phan". For Java Web Apps, there's "Find Security Bugs". Node has "NodeJsScan". And Golang or Go has "GoSec". There are also commercial options that span multiple languages and are more Enterprise friendly. A few to look at are "Veracode", "Checkmarx", and "Synopsis","SonarQube".They can be integrated easily into the CI/CD pipeline and provides the developers with security feedbacks about their codes.

5. Source Composition Analysis (SCA) tools are straightforward — they look at libraries you use in your project and flag the ones with known vulnerabilities.

The most popular tool in this category is,?OWASP Dependency-Check. Another tool is javascript called Retire.js. Both run in CI environments easily, so let's take them for a spin.

Several others are worth considering.?

Open-source option For Ruby - "Bundler-audit'' ,For PHP, there's "PHP Security Checker".??

There are also commercial options like "Sonatype", "Black Duck", "Veracode", and "WhiteSource".?

6. Rapid Risk Assessment- This is the answer to all the questions like what do you do when the app or service is under active development? What if you're making changes weekly or daily??

Rapid Risk Assessment from Mozilla is a great tool because it's quick. You'll keep the total assessment to about 30 minutes. It's also high-level. The goal here is within about 30 minutes to answer questions like, is there anything obvious we should look at fixing right now? Or, where should we focus our efforts to increase the security of the service significantly?

7. Dynamic Application Security Testing (DAST) is the next one in the security chain and the first one testing running applications. It provides fewer false positives than SAST but is similarly time-consuming. Here, one can see the high-level differences between both of them.

DAST runs on the philosophy of BDD (behavior-driven development) where we emulate user interactions with our software.?DAST can be categorised in different sub-sections from app scanning point of view, such as?

General-Purpose Scanners.?They do all sorts of things from cross-site scripting?to command execution.?

Include OWASP top 10 in your security testing and scanning. Open-source options like Arachni, Nikto, and Zap are great. Zap is the most fully-featured; it has roots at Mozilla and OWASP and has an API that makes it possible to integrate into CI systems.?

A commercial, though low cost, is "Burp". It has an API and can be scripted as well; out of all the tools I recommend for DAST I would say Burp is the most well-loved and full-featured.??

Tool for sequel injection- It is a vector of attack where attackers try to pass valid sequel through a web application or API and get a response from the database.?One of the recommendations here is the Swiss Army knife of SQLi, Sqlmap. It's open-source, constantly updated, and really powerful.?

SSL checkers- It makes sense to add a SSL scanner to the toolchain mix.?

There are two I recommend, SSLScan and SSLyze, for SSL checking.

8. Secure infrastructure as code/container security testing?— As containers are gaining popularity, they become an object of interest for malware producers. Therefore you need to scan Docker images that you download from public repositories, and tools like?Clair?will highlight any potential vulnerabilities.

One popular open-source option is "Clair".?It came from the Core OS team,?and it's built for the purpose of checking?what is getting built into the container.?

?There are two commercial Docker options in this space, "Aqua", and "Twistlock".?Both of these commercial offerings are more?for doing full container life cycle security.?

9. Web Application Firewall (WAF) lets you define specific network rules for a web application and filter, monitor, and block HTTP traffic to and from a web service when it corresponds to known patterns of attacks like, e.g.?SQL injection. All big cloud providers like?Google,?AWS, and?Microsoft?have got their WAF, but there are also specialized companies like Cloudflare, Imperva, and Wallarm, for example.

10. Vulnerability management — These tools help you identify the holes in your security systems. They classify weaknesses by the potential impact of malicious attacks taking advantage of them so that you can focus on fixing the most dangerous ones. Some of the tools might come with addons automatically fixing found bugs. This category is full of open source solutions, and?here you can find the top 20.

11. Runtime application self-protection (RASP)?allows applications to run continuous security checks and react to attacks in real-time by getting rid of the attacker (e.g. closing his session) and alerting your team about the attack. Some of the popular tools in this space are Fortify, Signal Sciences, Jscrambler etc.

Incident management

The last stage of the DevSecOps pipeline is Operation; here, incident management would play a vital role.?In order to tackle Security, It is essential to have fundamentals right and have a process to tackle security-related issues. One of the core aspects is Incident Response Hierarchy.

The Incident Response Hierarchy is modeled after Maslow's Hierarchy of Needs. It describes the capabilities that organizations must build to defend their business assets. Bottom capabilities are prerequisites for successful execution of the capabilities above them:

From the architectural point of view as well, one needs to look at things closely and make sure that the solution is having the required capability. In the case of the cloud, one can use different services for tackling each level.

So many cloud-based tools can be utilized in the combination of observability aspects like Logging, Monitoring, tracing.

Observability-Logging:

In the era of modern applications, "Observability" has become one of the most critical aspects specifically for cloud-native and microservices-based implementations. One of the main aspects of Observability is logging and directly related to DevSecOps as we need to make sure log are secure and can help systems find issues.

Cloud-native patterns and Kubernetes have caused significant changes in the way we handle logs. Traditional approaches to logging that were appropriate for virtual and physical machines, like writing logs to a file, are ill-suited to containerized applications where the file system doesn't outlast an application.

In a cloud-native environment, one must use log-collection tools. There are so many players ( as shown in the image, open-source and not open-sourced) in this space, like "Fluentd" that runs alongside application containers and collects messages directly from the applications. Messages are then forwarded on to a central log store to be aggregated and analyzed.

Observability-Monitoring:

One of the essential pillars of "Observability" is Monitoring. Good monitoring allows the system to respond quickly and potentially automatically when an incident arises. It provides insights into the current health of a system by checking whether the system or application is responding correctly and on time. It enables businesses to know if the system is working correctly, securely, and cost-effectively.

Monitoring in a cloud-native/container-based microservices implementation played a vital role and required specific tools/solutions like "Prometheus" as shown in the image(open source/not open source.). These tools help in watching disk space, CPU usage, Memory consumption on individual nodes, and so many other business and technical aspects.

DevSecOps and Cloud -

In Cloud, security follows the shared responsibility model. Therefore, for IAAS, application-level security is the accountability of the application, and infrastructure security is the responsibility of CSP. However, every CSPs provides different services as shown in the image, these services must be used in solutions as those can be helpful for end-to-end security—

Cloud helps in the following aspects of security operations.

• The pace of innovation by means of Security Automation
• Effective security validation of instance deployments
• Risk-based timely actions
• Automated incident response and remediation

Reference architecture of AWS-based DevSecOps Pipeline- Here it has used mostly AWS services. In the same way, we can design AZure and GCP-based pipelines as well.

Summing -up-

Like DevOps, DevSecOps is not just about tools; it is culture and people. Tools can only help in orchestration; ultimately, this culture needs to be established. It has to be understood that DevSecOps in Cloud is beyond managing CI/CD cycles (as in DevOps) and is majorly about ‘Security Automation" and people.

References-

https://www.csoonline.com/article/3245748/what-is-devsecops-developing-more-secure-applications.html

https://awesomeopensource.com/projects/vulnerability-management?__cf_chl_captcha_tk__=pmd_Ok8QFbmGHDpiDSm3ZXpE9T.Q7mqBoar4MxRopk2HsDE-1631723151-0-gqNtZGzNAxCjcnBszQk9

https://www.synopsys.com/blogs/software-security/sast-iast-dast-rasp-differences/

https://medium.com/inside-inovo/devsecops-explained-venture-capital-perspective-cb5593c85b4e

https://devops.com/the-basics-devsecops-adoption/

https://acloudguru.com/blog/business/sharing-data-in-the-cloud-four-patterns-everyone-should-know

https://www.dhirubhai.net/learning/devsecops-building-a-secure-continuous-delivery-pipeline/securing-your-ci-cd-pipeline

https://www.veritis.com/blog/devsecops-solution-to-cloud-security-challenge/

https://medium.com/@cybersiftIO/we-are-failing-at-the-cyber-security-hierarchy-of-needs-95f511a54cd7

https://aws.amazon.com/blogs/devops/building-end-to-end-aws-devsecops-ci-cd-pipeline-with-open-source-sca-sast-and-dast-tools/