Today, DevOps is enabling organisations to deploy changes to production environments at blazing speed. For illustration purposes, we will use a representative set of tools to depict a typical DevOps process. The tools vary from one organisation to another, but the process depicted here stays the same.
Sensitive information such as AWS keys, access tokens, SSH keys etc. is often leaked via public source code repositories through accidental git commits. This can be avoided by using a pre-commit hook such as “Talisman”, which checks files for sensitive information before a commit or push.
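As an added illustration of what such a hook does (this is example code written for this article, not Talisman's own implementation), the script below scans the staged diff for a few constructed secret patterns and exits non-zero so that git aborts the commit; the detection rules, the `--demo` flag and the sample diff are assumptions made for the example.

```python
import re
import subprocess
import sys
# Constructed detection rules for this example; Talisman ships its own detectors.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "secret_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|token|api_key)\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def scan_diff(diff_text):
    """Return (path, new_line_no, rule) for every added line matching a rule."""
    findings, path, line_no = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):          # new-file header, e.g. "+++ b/config.py"
            path = line[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        header = HUNK_HEADER.match(line)
        if header:                           # "@@ -a,b +c,d @@" resets numbering
            line_no = int(header.group(1))
            continue
        if line.startswith(("-", "\\")):     # removed lines, "\ No newline" marker
            continue
        if line.startswith("+"):
            for rule, pattern in PATTERNS.items():
                if pattern.search(line[1:]):
                    findings.append((path, line_no, rule))
        line_no += 1                         # context and added lines both count
    return findings

# Constructed sample diff, standing in for the real staged diff.
SAMPLE_DIFF = """--- a/config.py
+++ b/config.py
@@ -1,2 +1,4 @@
 import os
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2hunter2"
 REGION = os.environ.get("REGION")
"""

if __name__ == "__main__":   # `python hook.py --demo` scans SAMPLE_DIFF instead
    diff = SAMPLE_DIFF if "--demo" in sys.argv else subprocess.run(
        ["git", "diff", "--cached"], capture_output=True, text=True, check=True).stdout
    hits = scan_diff(diff)
    for path, line_no, rule in hits:
        print(f"{path}:{line_no}: possible secret ({rule})", file=sys.stderr)
    sys.exit(1 if hits else 0)   # non-zero exit makes git abort the commit
```

Installed as `.git/hooks/pre-commit`, the script blocks the commit of the two flagged lines in the sample while letting a line such as `TOKEN = os.environ['TOKEN']` through, which is the behaviour a pre-commit secret scanner should have.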
With automation, developers and administrators storing credentials in files or configuration can expose those credentials to an unintended audience. This can be avoided by leveraging a secret management service such as “HashiCorp Vault”, which keeps credentials separate from the code and configuration, so that every environment pulls the credentials specific to it and uses them programmatically.
- Software Composition Analysis
Many organisations make use of open source frameworks and libraries such as WordPress, Magento, Drupal or even jQuery, in which new vulnerabilities are discovered every day. For this reason, it is necessary to analyse all the dependencies used by the application, check them for vulnerabilities arising from missing security patches, and fix them. The tools below help perform software composition analysis for security vulnerabilities:
- Static Analysis Security Testing
Using automated tools to perform a security code review catches much low-hanging fruit such as SQL injection, cross-site scripting, deserialization vulnerabilities and many more. For Java-based applications we can use a tool called “FindSecBugs”, which performs an in-depth analysis of the code and produces a comprehensive report of all the vulnerabilities identified. Below are a few open source tools that can be used for SAST.
- Security in Infrastructure as Code
One solution that provides good insight into the security posture of Docker containers and images is “Clair”. Clair scans raw Docker images and produces an exhaustive report highlighting the vulnerabilities present in the image.
- Vulnerability Assessment (VA)
When a VA tool is pointed at servers that have been created using Docker, it scans only the services exposed on that host. If instead we attach the tool to the Docker network and then run the scan, we get a good picture of all the services that are running. This can be done with solutions such as OpenVAS, which integrate easily into the pipeline.
Organisations need to apply compliance controls to their IT infrastructure to abide by industry best practices and regulations such as PCI DSS, HIPAA, SOX etc. “InSpec” is one such tool that helps in performing these tests: we only need to supply a Ruby file containing the tests to be conducted, written in a simple and lucid syntax that is easy for any audit professional to write.
Vulnerability management solutions are at the core of a DevSecOps process: all tools should feed their data into such a solution so that findings can be centrally managed, triaged, tracked and remediated. “ArcherySec” is one such tool, which not only integrates well with most of the tools but also lets us initiate scans such as ZAP and OpenVAS from ArcherySec itself.
Production applications constantly face new threats from unknown and unforeseen vectors. This can be mitigated by having an active intrusion monitoring and prevention solution. One such open source solution is the “ModSecurity WAF”, which detects attempts at OWASP Top 10 vulnerabilities such as SQL injection, cross-site scripting etc. against the application.