Created
December 16, 2022 12:23
-
-
Save T0mmykn1fe/283aa5037ed5a51a83bff24f07ea368b to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# DevSecOps (Security) | |
- Philosophy of integrating security practices within the DevOps process. | |
- Makes security a responsibility of everyone on the team | |
## Best Practices | |
- Provide training | |
- Define requirements | |
- Minimum-security baseline that takes account of both security and compliance controls | |
- Ensure these are baked into the DevOps process and pipeline | |
- Check at least for [OWASP Top 10](https://owasp.org/www-project-top-ten/), [SANS Top 25](https://www.sans.org/top25-software-errors) | |
- Top 5 from the Top 10 | |
1. Injection | |
- Never trust any user input | |
2. Broken authentication | |
- Use custom or own authentication system rather than well known authentication systems | |
3. Sensitive data exposure | |
4. XML external entities | |
5. Broken access control | |
- Roles and permission poorly implemented or not implemented at all | |
- Define metrics and compliance reporting | |
- Use software composition analysis (SCA) and governance | |
- Evaluate third party components for security & licensing | |
- Perform threat modeling | |
- Helps you to | |
- More effectively and less expensively identify security vulnerabilities | |
- Determine risks from those threats | |
- Make security feature selections and establish appropriate mitigations | |
- At the very least, threat modeling should be used in environments where there is meaningful security risk. | |
- Use tools and automation | |
- Integrate Static Application Security Testing (SAST) into your IDE | |
- Integrate Dynamic Analysis Security Testing (DAST) tools into CI/CD | |
- Choosing tools: | |
- Tools must be integrated into the CI/CD pipeline. | |
- Tools must not require security expertise. | |
- Tools must avoid a high false-positive rate of reporting issues. | |
- Keep credentials safe | |
- Do not store credentials in code | |
- Consider using a bring-your-own-key (BYOK) solution that generates keys using a hardware security module (HSM). | |
- Use continuous learning and monitoring | |
## Threat Modeling | |
- Do it as soon as and often as possible | |
- Not only when releasing a new feature because single line of code can change everything | |
- [Microsoft Threat Modeling](https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool) tools is a tool for threat modeling. | |
- Steps: | |
1. Defining security requirements. | |
2. Creating an application diagram. | |
3. Identifying threats. | |
4. Mitigating threats. | |
5. Validating that threats have been mitigated. | |
## Security tools | |
### Open source library vulnerabilities and license | |
- **[Whitesource](https://www.whitesourcesoftware.com/)** – Open source library vulnerabilities and license | |
- **[Black Duck](https://www.blackducksoftware.com/)** – Open source library vulnerabilities and license | |
### Static security testing | |
- **[Checkmarx](https://www.checkmarx.com/)** – Static Application Security Testing (SAST) tool | |
- **[BinSkim](https://github.com/microsoft/binskim)** – A binary static analysis tool that provides security and correctness results for Windows portable executables | |
### Penetration testing tools | |
- See also [penetration testing](#penetration-testing) | |
#### OWASP ZAP | |
- Full name: [OWASP Zed Attack Proxy (ZAP)](https://www.zaproxy.org/) | |
- Passive tests with CI and active tests with nightly build | |
- 💡 Better to use the [OWASP Zap/Weekly](https://hub.docker.com/r/owasp/zap2docker-weekly/) docker container within Azure Container Services to get latest updates. | |
#### Secure DevOps Kit for Azure (AzSK) | |
- ❗️ It's [replaced](https://github.com/azsk/DevOpsKit-docs/blob/3cd058045f629baa3ff40c121a63d062134fb6fc/ReleaseNotes/AzSKSunsetNotice.md) by [AzTS](#azure-tenant-security-solution-azts) as of 2021. | |
- PowerShell cmdlets and guidance for security best practices | |
- Scans Azure resources (run PowerShell command) and provide CSV file with the scan result and recommendations as fix script. | |
- Allows running the recommendation fix with command to automatically fix issues | |
- On Azure DevOps you can use [Secure DevOps Kit (AzSK) CICD Extensions for Azure](https://marketplace.visualstudio.com/items?itemName=azsdktm.AzSDK-task) | |
- Allows for scanning whitelisted/blacklisted ports. | |
- 👀 [Official page](https://azsk.azurewebsites.net/) | |
#### Azure Tenant Security Solution (AzTS) | |
- Cloud security and compliance solution using native security capabilities in Azure | |
- Scans Azure subscriptions and resource configurations across multiple subscriptions | |
- Next level [AzSK](#secure-devops-kit-for-azure-azsk), similar to AzSK Continuous Assurance (CA) in central-scan mode. | |
- Integrates with Azure/Azure Security Center policies | |
- Requires installation on Azure with a management identity with reader permissions | |
- Stores results in Log Analytics Workspace that can be sent to Power BI | |
### Secret management | |
- **[Azure Key Vault](./8.1.%20Azure%20Key%20Vault.md)** | |
### Governance & compliance | |
- **Azure policy** | |
- Natively create policies, e.g, you create a policy from Azure (portal/CLI/REST API) to prevent creation of VM with high cost or specific region | |
- **Azure Blueprints** (Polices, RBAC, ARM) | |
- Container above resource group / subscriptions. | |
- Helps to apply roles & ARM templates in a repeatable configuration manner | |
- [**Azure Artifacts**](./6.1.%20Azure%20Artifacts.md) to stay in control of the dependencies that are consumed | |
### Azure Security Center | |
- Centralizes security policy management | |
- Continuous security assessment | |
- Actionable recommendations | |
- Prioritized alerts and incidents | |
### Penetration testing | |
- To find out weaknesses in the system | |
- **Passive Tests** or **Passive Scan** | |
- Scan the target site as is but don't try to manipulate the requests to expose additional vulnerabilities. | |
- Runs fast and good candidate for CI as they complete in minutes | |
- **Active Tests** or **Active Scan** | |
- Also called as dynamic or fuzz tests because | |
- Used to simulate many techniques that hackers commonly use to attack websites | |
- Tries a large number of different combinations to see how the site reacts to verify that it doesn't reveal any information | |
- CI/CD pipeline should run within a few minutes, so you don't want to include any long-running processes. | |
- Nightly tests are a good idea. | |
- [OWASP ZAP](https://github.com/deliveron/owasp-zap-vsts-extension) is a free penetration testing tool for beginners to professionals | |
- OWASP Zap/Weekly docker container within Azure Container Services ensures the image is always updated. | |
- Example pipelines: | |
- Application CI/CD: | |
1. Build | |
2. Static Security Scan | |
3. Package | |
4. Deploy | |
5. **Passive Pentest**: Pull OWASP Zap Weekly => Start Container => Run Baseline (1 to 2 min) => Report Results => High alerts - Fail, Release, All Alerts - Create bugs | |
- Nightly OWASP ZAP Pipeline | |
- Nightly Schedule | |
- **Application Full Active Scan**: Pull OWASP Zap Weekly => Start Container => Spider Site => Run Active Scan => Report Results => High Alerts - Fail, Release, All Alerts - Create Bugs | |
- See also [penetration testing tools](#penetration-testing-tools) | |
## Continuous Security Validation | |
- Should be done at every point in application lifecycle: | |
| Stage | Application CI / CD | Feedback | Nightly Test Runs | | |
| ----- | ------------------- | -------- | ------------ | | |
| **IDE / Pull request** | • Static Code Analysis • Code Review • Work Item Linking | • Code Review Comments • Static Code Rule Warnings | - | | |
| **CI** | • Static Code Analysis • OSS Vulnerability Scan • Unit Tests • Code Metrics | • OSS Library Vulnerabilities • OSS License Violations • Failed Unit Tests • Static Code Rule warnings | - | | |
| **Dev** | • Passive Pen Test • SSL Scanner • Infrastructure Scan | • Pen Test Issues • SSL Issues • Performance Issues • Regression Bugs | • Load and Performance Testing • Automated Regression Testing • Infrastructure Scan | | |
| **Test** | • Infrastructure Scan | • Pen Test Issues • Infrastructure Issues | • Active Pen Test • Infrastructure Scan | | |
- CI/CD steps: | |
1. When interacting with `master` branch. | |
- Can be pull request / code commits / code merges... | |
- PR to `master` should require a code review | |
- Possible with a **branch policy** in Azure Repos | |
- Commits should be linked to work items for auditing why the code change was made and require a CI. | |
- Should have a PR-CI (Pull Request Continuous Integration) | |
- 💡 You can use ***Static Code Analysis Code Review tools*** | |
- Highlights any security / vulnerability issues in code | |
2. Continues integration through e.g. Jenkins | |
- Difference from PR-CI => it does packaging also. | |
- Should do Static Code Analysis with e.g. | |
- [Visual Studio Code Analysis and the Roslyn Security Analyzers](https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool) | |
- [Checkmarx](https://www.checkmarx.com/) - A Static Application Security Testing (SAST) tool | |
- [BinSkim](https://github.com/Microsoft/binskim) - Binary static analysis tool that provides security and correctness results for Windows portable executables | |
- See [other tools](https://blogs.msdn.microsoft.com/devops/2016/10/11/team-services-october-extensions-roundup-rugged-devops/) | |
- Many tools integrate into the Azure Pipelines build process. | |
- Scan for 3rd party packages for vulnerabilities & OSS (open-source) license usage | |
- See [WhiteSource](https://www.whitesourcesoftware.com/), [Black Duck](https://www.blackducksoftware.com/) | |
- Also run unit tests & report code metrics | |
3. Promoting to development & test (QA) stage | |
- Verify that there are not any security vulnerabilities in the running application | |
- = Automated Penetration testing | |
- Infrastructure scanning | |
- Is your hardware up-to-date? Are all tools installed on development machine? Are all tools patched with latest security patches? | |
- E.g. Azure Security Center to report and Azure Policies to prevent. | |
- E.g. Both immediate & nightly runs of port scanning to check against blacklisted/whitelisted ports | |
- Load and Performance testing, Automated Regression Testing | |
## Container Security | |
- Container security best-practices: ([whitepaper](https://azure.microsoft.com/en-us/resources/container-security-in-microsoft-azure/en-us/)) | |
- Scan for vulnerabilities before pushing images to registry. | |
- Continue scanning in the registry because new vulnerabilities are discovered all the time. | |
## Continuous Assurance | |
- Tracks configuration drift | |
- Checks for "drift" from what is considered a secure snapshot of a system | |
- Treat security truly as a 'state' as opposed to a 'point in time' achievement | |
- important in today's context when 'continuous change' has become a norm. | |
- 2 types of drift: | |
- Drift involving 'baseline' configuration | |
- Often pre-defined/statically determined ones | |
- E.g. SQL DB can have TDE encryption turned ON or OFF | |
- Drift involving 'stateful' configuration | |
- Cannot be constrained within a finite set of well-known states. | |
- E.g. the IP addresses configured to have access to a SQL DB | |
- For more info & scripts, [see Secure DevOps Kit for Azure](https://azsk.azurewebsites.net/04-Continous-Assurance/Readme.html#continuous-assurance---how-it-works-under-the-covers) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment