GCP DevSecOps using Cloud Build, SAST, SCA & DAST Tools
What is DevSecOps ?
The integration of security practices into a DevOps software delivery model is referred to as DevSecOps. Its foundation is a culture in which development and operations share responsibility for delivering secure software through process and tooling.
What is SAST ?
Static Application Security Testing tools examine the codebase of applications while they are not running in order to identify vulnerabilities before the application is deployed. SAST is a subset of Application Security Testing, which is essential for ensuring the security of web and cloud-native applications.
SonarCloud is a code quality and security tool that performs static code analysis and SAST scanning to identify and eliminate bugs and vulnerabilities in code. SonarCloud is free for open-source projects and available on a paid subscription basis for private projects, with pricing based on lines of code.
What is SCA?
Software Composition Analysis tools manage open-source components by scanning an application's code base to identify them.
Snyk is a platform that allows you to scan, prioritize, and fix security vulnerabilities in your own code, open-source dependencies, container images, and Infrastructure as Code (IaC) configurations.
What is DAST ?
Dynamic Application Security Testing (DAST) is a technique for detecting security flaws in web applications and services while they are running. This phase does not necessitate access to the source code. Depending on the change / release cycle, a DAST can be run on the entire application or specific application journeys.
The Open Web Application Security Project Zed Attack Proxy (OWASP ZAP) is an intercepting proxy. When configured on the client side, such as a browser, it can intercept client requests as well as server responses. It has a variety of useful features and the ability to run Passive and Active scans. ZAP has restricted modes such as safe mode and protected mode, which means we cannot use all of ZAP's features in these modes.
Standard mode is used to access all of the tool's features, while Attack mode is used to actively scan live, in-scope applications as soon as they are intercepted.
DevSecOps Implementation in GCP -
In this article we will learn how to create a DevSecOps pipeline for Java code using Cloud Build, GCP's cloud-native CI/CD tool.
Steps –
1. Create a GitHub repo which has Java code
2. Sync the GitHub repo with Google Cloud Source Repositories
3. Create an account & token in SonarCloud
4. Create an account & token in Snyk
5. Create a Google Cloud Storage bucket to store DAST reports generated by OWASP ZAP
6. Review the cloudbuild.yaml & pom.xml files for SonarCloud, Snyk and OWASP ZAP integration
7. Create a Cloud Build trigger with the Sonar and Snyk token variables so that the DevSecOps pipeline runs on git push
8. Push code & review vulnerabilities
Implementation -
1. Create a GitHub repo which has vulnerable Java code.
You can clone or fork this repo: https://github.com/prayag-sangode/java-vul-code
2. Sync the GitHub repo with Google Cloud Source Repositories
Connect external repo –
In this case we are cloning https://github.com/prayag-sangode/java-vul-code
We can see that the repo is connected.
3. Create an account & token in SonarCloud
Use this link to create an account https://sonarcloud.io/
Create organization
My Account > Organizations > Create Account
Create an organization manually
Note down organization name and key
Create a new project
We have created a public project.
Create Security Token
Profile > MyAccount > Security > Generate Token
_SONAR_TOKEN - note down this value
4. Create an account & token in Snyk
Create account using this link https://snyk.io/
Create an organization
Create Security Token
Profile > Account settings > Auth Token
_SNYK_TOKEN - note down this value
5. Create a Google Cloud Storage bucket to store DAST reports generated by OWASP ZAP
$ gsutil ls
$ gsutil mb gs://gcpdevsecops-reports
6. Review the cloudbuild.yaml & pom.xml files for SonarCloud, Snyk and OWASP ZAP integration
steps:
  # Execute SAST scan using SonarCloud in the GCP DevSecOps pipeline
  - name: maven:3-jdk-11
    entrypoint: mvn
    args: ['verify', 'sonar:sonar', '-Dsonar.host.url=https://sonarcloud.io', '-Dsonar.organization=gcpdevsecopsorgkey', '-Dsonar.projectKey=gcpdevsecopsorgkey', '-Dsonar.login=${_SONAR_TOKEN}']
    id: SAST Scan using SonarCloud in GCP DevSecOps Pipeline
  # Run Software Composition Analysis (SCA security scan) using Snyk in the GCP DevSecOps pipeline
  - name: 'ubuntu'
    entrypoint: bash
    args:
      - '-c'
      - |-
        apt-get update
        apt-get -y install maven
        SNYK_TOKEN=${_SNYK_TOKEN}
        export SNYK_TOKEN
        mvn snyk:test -fn
    id: SCA Scan using Snyk in GCP DevSecOps Pipeline
  # Run DAST scan using OWASP ZAP in the GCP DevSecOps pipeline
  - name: 'ubuntu'
    entrypoint: bash
    args:
      - '-c'
      - |-
        apt-get update
        apt-get -y install wget
        apt-get -y install default-jdk
        wget https://github.com/zaproxy/zaproxy/releases/download/v2.11.1/ZAP_2.11.1_Linux.tar.gz
        mkdir zap
        tar -xvf ZAP_2.11.1_Linux.tar.gz
        cd ZAP_2.11.1
        ./zap.sh -cmd -quickurl https://www.example.com -quickprogress -quickout ../zap_report.html
    id: DAST Scan using OWASP ZAP in GCP DevSecOps Pipeline
# Store the report generated by OWASP ZAP in the GCS bucket named gcpdevsecops-reports
artifacts:
  objects:
    location: 'gs://gcpdevsecops-reports'
    paths:
      - zap_report.html
In the DAST step we are scanning example.com. In production, replace it with the live website.
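Both `mvn snyk:test -fn` (Maven's fail-never flag) and the ZAP quick scan above report findings without ever failing the build. The gate script below is an added example, not code from the original article or from the java-vul-code repo; it would run as an extra Cloud Build step after the DAST step, and assumes the ZAP step is changed to write `../zap_report.xml` (ZAP chooses the output format from the file extension) and that the XML layout matches the constructed sample embedded in the script.

```python
"""zap_gate.py (added example): fail the Cloud Build DAST step on risky ZAP alerts.
Assumes the ZAP step writes XML (-quickout ../zap_report.xml); the element names
below follow ZAP's XML report format (an assumption; verify against your version)."""
import sys
import xml.etree.ElementTree as ET

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample report for offline testing; not the output of a real scan.
SAMPLE_REPORT = """<OWASPZAPReport version="2.11.1">
  <site name="https://www.example.com" host="www.example.com" port="443" ssl="true">
    <alerts>
      <alertitem>
        <alert>Content Security Policy (CSP) Header Not Set</alert>
        <riskcode>2</riskcode>
        <confidence>3</confidence>
      </alertitem>
      <alertitem>
        <alert>X-Content-Type-Options Header Missing</alert>
        <riskcode>1</riskcode>
        <confidence>2</confidence>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""

def summarize_alerts(xml_text):
    """Return (alert name, risk code, confidence, site) for every alert in the report."""
    root = ET.fromstring(xml_text)
    return [
        (item.findtext("alert", ""), int(item.findtext("riskcode", "0")),
         int(item.findtext("confidence", "0")), site.get("name", ""))
        for site in root.iter("site")
        for item in site.iter("alertitem")
    ]

def blocking_alerts(xml_text, max_allowed_risk=1, min_confidence=2):
    """Alerts above the allowed risk, ignoring low-confidence (likely false positive) ones."""
    return [a for a in summarize_alerts(xml_text)
            if a[1] > max_allowed_risk and a[2] >= min_confidence]

if __name__ == "__main__":
    # Usage in the pipeline step: python3 zap_gate.py ../zap_report.xml 1
    report = open(sys.argv[1], encoding="utf-8").read()
    threshold = int(sys.argv[2]) if len(sys.argv) > 2 else 1
    blocked = blocking_alerts(report, threshold)
    for name, risk, conf, site in blocked:
        print(f"{RISK_NAMES.get(risk, risk)} risk (confidence {conf}) at {site}: {name}")
    sys.exit(1 if blocked else 0)  # non-zero exit code fails the Cloud Build step
```

With the default threshold of 1 (Low), the Medium-risk CSP finding in the sample blocks the build while the Low-risk header finding is only reported.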
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>org.example</groupId>
    <artifactId>gcpdevsecopsproject</artifactId>
    <version>1.0-SNAPSHOT</version>
    <properties>
        <maven.compiler.source>1.8</maven.compiler.source>
        <maven.compiler.target>1.8</maven.compiler.target>
    </properties>
    <dependencies>
        <dependency>
            <groupId>commons-collections</groupId>
            <artifactId>commons-collections</artifactId>
            <version>3.2.1</version>
        </dependency>
        <dependency>
            <groupId>org.nd4j</groupId>
            <artifactId>nd4j-common</artifactId>
            <version>1.0.0-beta2</version>
        </dependency>
        <!-- Change 1 - Changes for unit test coverage percentage update on the SonarCloud dashboard.
             Default location of the code coverage file is target/site/jacoco/jacoco.xml,
             target/site/jacoco-it/jacoco.xml, build/reports/jacoco/test/jacocoTestReport.xml -->
        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>4.12</version>
            <scope>test</scope>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <!-- Change 2 - Changes for unit test coverage percentage update on the SonarCloud dashboard.
                 Default location of the code coverage file is target/site/jacoco/jacoco.xml,
                 target/site/jacoco-it/jacoco.xml, build/reports/jacoco/test/jacocoTestReport.xml -->
            <plugin>
                <groupId>org.jacoco</groupId>
                <artifactId>jacoco-maven-plugin</artifactId>
                <version>0.8.7</version>
                <executions>
                    <execution>
                        <id>prepare-agent</id>
                        <goals>
                            <goal>prepare-agent</goal>
                        </goals>
                    </execution>
                    <execution>
                        <id>report</id>
                        <goals>
                            <goal>report</goal>
                        </goals>
                        <configuration>
                            <formats>
                                <format>XML</format>
                            </formats>
                        </configuration>
                    </execution>
                </executions>
            </plugin>
            <!-- Changes for Software Composition Analysis scan using Snyk -->
            <plugin>
                <groupId>io.snyk</groupId>
                <artifactId>snyk-maven-plugin</artifactId>
                <version>2.0.0</version>
                <inherited>false</inherited>
                <configuration>
                    <org>gcpdevsecopsorg</org>
                </configuration>
            </plugin>
        </plugins>
    </build>
</project>
7. Create a Cloud Build trigger with the Sonar and Snyk token variables so that the DevSecOps pipeline runs on git push
Add the substitution variables _SONAR_TOKEN & _SNYK_TOKEN
8. Push code & review vulnerabilities
When we push the code, the Cloud Build trigger fires and the SAST, SCA and DAST scans are executed.
A successful run shows its status as a green check mark.
Below is the result of a successful SAST scan -
We can review the results in SonarCloud.
The results show Bugs, Vulnerabilities, Security Hotspots, Code Smells, Coverage and Duplications.
Bug - An issue that represents something wrong in the code. If this has not broken yet, it will, and probably at the worst possible moment. This needs to be fixed.
Vulnerability - A security-related issue that represents a backdoor for attackers.
Security Hotspot - A security-sensitive section of code that needs to be manually reviewed. Upon review, you will find either that there is no threat or that there is vulnerable code that needs to be fixed.
Code Smell - A maintainability-related issue in the code. Leaving it as-is means that, at best, the person maintaining the code will have a harder time than they should when making changes. At worst, they'll be so confused by the state of the code that they'll introduce additional errors as they make changes.
Below is the result of a successful SCA scan -
We can see the list of vulnerabilities.
Issues with a fix
Below is the result of a successful DAST scan -
Get the result of the DAST scan from the GCS bucket.
DAST scan result - OWASP ZAP report -
DAST scan result and remediation solution -
Conclusion: We have created a GCP DevSecOps pipeline using the GCP-native tool Cloud Build. We can check the scan results, with remediation suggestions, on the web portals of the SAST, SCA and DAST tools.
I hope you found this to be useful in some way. I’ll be back with some more interesting new DevOps and DevSecOps articles soon.