DevSecOps: which tools to use to apply good security practices

DevSecOps brings to light why security is vital in DevOps. You can go check out this article to learn more about DevSecOps.

DevSecOps revolves around giving developers ownership of the security issues in their code along 3 axes: people, process, and tooling. This article covers tooling: the main tools you need and why they are essential.

Tooling allows developers to shift security left within a DevSecOps lifecycle.

Dependency check, one of the most critical DevSecOps tools

What is it?

One of the most critical tools in DevSecOps is a dependency checker. That is because most software projects include at least 80% external dependencies, and they can introduce security vulnerabilities to your codebase. A report from Snyk found that 78% of vulnerabilities are in indirect dependencies.

You can check out their full report, ‘The state of open source security – 2019’.

How does it work?

A dependency check analyses the versions of the external dependencies installed in your codebase and looks them up in an external vulnerability database such as the NVD (https://nvd.nist.gov/) or https://cve.mitre.org/. If the version you have installed is linked to a CVE (Common Vulnerabilities and Exposures), the tool alerts your team depending on the CVE score (0 for little to no impact, 10 for critical).

These scans can be launched locally by a developer or by a CI/CD pipeline. Configure your pipeline to fail if the CVE score is too high.

The following article tells you everything you need to know about CI/CD pipelines.

 

Tools

The tools you can use for this depend on your codebase. Here are a few:

Static Application Security Testing

What is it?

Static application security testing, or SAST, is a core part of DevSecOps tooling. It lets developers scan code while they work so that they can identify and remediate potential security vulnerabilities. Each of these threats has a severity level that helps determine the priority of the fix.

How does it work?

In CI/CD pipelines, the SAST configuration contains ‘gates’, which let you configure how many vulnerabilities are allowed before the pipeline fails.
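One way to write such a gate, covering both the score threshold described for dependency checks and the SAST count gates above. This is an added example, not code from the article or from any scanner: the report schema, finding ids, thresholds and the use of CVSS v3 rating bands to bucket scores are assumptions made for illustration.

```python
import json
import sys

# Constructed sample report; each real scanner has its own output schema.
SAMPLE_REPORT = json.dumps({"findings": [
    {"id": "DEP-1", "source": "dependency", "target": "libexample 1.2.0", "score": 9.8},
    {"id": "DEP-2", "source": "dependency", "target": "libother 0.4.1", "score": 5.3},
    {"id": "SAST-1", "source": "sast", "target": "app/views.py", "score": 7.5},
    {"id": "SAST-2", "source": "sast", "target": "app/util.py", "score": 3.1},
]})

def severity(score):
    """Map a 0-10 score to the CVSS v3 qualitative rating."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low" if score > 0 else "none"

def evaluate_gate(report_json, max_dep_score=7.0, sast_allowed=None):
    """Return (passed, reasons) for one scan report."""
    if sast_allowed is None:
        sast_allowed = {"critical": 0, "high": 0, "medium": 5}  # assumed limits
    reasons, sast_counts = [], {}
    for f in json.loads(report_json).get("findings", []):
        fid, score = f.get("id", "?"), f.get("score")
        if isinstance(score, bool) or not isinstance(score, (int, float)) or not 0 <= score <= 10:
            # Fail closed: an unscored finding must not slip through the gate.
            reasons.append(f"{fid}: missing or invalid score")
        elif f.get("source") == "dependency":
            # Dependency rule: any single score at or above the ceiling fails.
            if score >= max_dep_score:
                reasons.append(f"{fid}: {f.get('target')} scores {score} >= {max_dep_score}")
        else:
            sev = severity(score)
            sast_counts[sev] = sast_counts.get(sev, 0) + 1
    # SAST rule: fail once a severity has more findings than its gate allows.
    for sev, limit in sast_allowed.items():
        if sast_counts.get(sev, 0) > limit:
            reasons.append(f"sast: {sast_counts[sev]} {sev} findings, {limit} allowed")
    return not reasons, reasons

if __name__ == "__main__":
    # Usage: gate.py [report.json]; without an argument the sample is used.
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    passed, reasons = evaluate_gate(report)
    for reason in reasons:
        print("GATE FAIL:", reason)
    sys.exit(0 if passed else 1)  # a non-zero exit is what fails the CI job
```

Run as the last step of the scan job, the non-zero exit status stops the pipeline; a finding with no usable score fails the gate rather than passing silently.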

 

Tools

These tools depend on the codebase:

For more tools and information, visit the OWASP website.

Image scanning

What is it?

Engineers deploy Docker images every day. In a DevSecOps environment, the main concern is identifying vulnerabilities within these images. Dependency checkers help remove security vulnerabilities from the codebase, but you still rely on the Docker image to host your code, and the ‘base image’ is what defines it. This base image is a ready-to-use environment for your code to run on, but you need to upgrade the base image version frequently to make sure the dependencies of this environment are not vulnerable.

How does it work?

Image scanning comes into play in DevSecOps during the CI/CD pipeline. The tools scan every layer of the image. If this doesn’t mean anything to you, you should read this article about containers.

Tools

For Docker images, I find that Clair is one of the best products to scan your images. It integrates with container registries.

They scan your images as soon as they are uploaded.

DevSecOps is becoming ever more critical for maintaining a secure codebase within your organization. Access management is an important aspect of DevSecOps; check out the following article if you want to learn more about how to use Terraform with AWS accounts.

Today we deploy multiple times a day, and security issues can sneak in at any time. These tools help developers visualize and take action on these vulnerabilities as soon as possible, because knowing is half the battle. All these tools perform white-box testing. If you want to go further, you can implement black-box testing with ZAP or Burp.

I’ll talk about them more in a future article.

Sanvoisin Benjamin

Benjamin is a Site Reliability Engineer (SRE) at Padok. He is also our DevSecOps & Azure Cloud specialist. Security and infrastructure hold no secrets for him.