What is DevSecOps? How to integrate it to Jenkins?
DevSecOps is a set of practices and principles that aim to integrate security into the DevOps (Development and Operations) process. The term itself is a combination of “Development” (Dev), “Security” (Sec), and “Operations” (Ops). The goal of DevSecOps is to embed security measures and processes throughout the software development lifecycle, ensuring that security is not a separate phase but an integral part of the entire development and deployment pipeline.
Key principles and components of DevSecOps:
1. Shift-Left Security:
The concept of moving security practices and testing to earlier stages in the development process, often referred to as “shifting left.” This helps in identifying and addressing security issues early in the development lifecycle.
2. Automation:
Automation of security processes and testing is a fundamental aspect of DevSecOps. Automated tools are integrated into the development pipeline to conduct security checks, vulnerability assessments, and compliance monitoring.
3. Collaboration and Communication:
DevSecOps emphasizes collaboration and communication between development, security, and operations teams. This ensures that security considerations are understood and addressed by all stakeholders.
4. Continuous Monitoring:
Continuous monitoring of applications and infrastructure is crucial for identifying and responding to security threats in real-time. This involves monitoring system logs, application performance, and security events.
5. Integration with CI/CD (Continuous Integration/Continuous Deployment):
DevSecOps integrates security into the CI/CD pipeline, enabling automated security testing at every stage of development. This ensures that security is not a bottleneck and doesn’t hinder the rapid delivery of software.
6. Security as Code:
Treating security configurations, policies, and controls as code allows for versioning, testing, and automation. This includes defining security requirements in code and managing them through version control systems.
7. Risk Management:
DevSecOps incorporates risk management practices to assess and prioritize security risks. This involves regular risk assessments, threat modeling, and the implementation of controls to mitigate identified risks.
8. Continuous Improvement:
DevSecOps promotes a culture of continuous improvement. Teams regularly review and refine their security practices, learn from incidents, and update security measures based on changing threats and technologies.
By integrating security into the DevOps workflow, DevSecOps aims to create a more proactive and collaborative approach to security, reducing the likelihood of vulnerabilities and security incidents in software deployments.
Let’s take a look at some tools and example:
1. OWASP ZAP (Zed Attack Proxy): ZAP is primarily a web application security scanner used for finding vulnerabilities in web applications and APIs.
Proxy Functionality: Acts as a proxy between the user’s browser and the web application, intercepting and analyzing requests and responses.
Automated Scanning: Identifies common vulnerabilities like SQL injection, XSS, CSRF through automated scans.
Manual Testing:Allows security professionals to actively explore and test an application manually.
Spidering and Crawling: Maps out the structure of the web application by crawling through its pages.
Session Management: Enables the testing of different authentication states and session management.
2. Trivy: Trivy is a container image vulnerability scanner, focusing on identifying security issues in Docker containers and container images.
CVE Database: Utilizes the Common Vulnerabilities and Exposures (CVE) database to identify vulnerabilities in container images.
Fast Scanning: Designed for quick and efficient scanning of container images during the development lifecycle.
Integration with CI/CD: Often used in CI/CD pipelines to ensure that only secure container images are deployed.
3. OWASP Dependency-Check: OWASP Dependency-Check is a software composition analysis tool designed to identify project dependencies and check if there are any known, publicly disclosed, vulnerabilities.
Dependency Analysis: Identifies and collects dependencies used in a software project.
CVE Database: Matches dependencies against the National Vulnerability Database (NVD) to find known vulnerabilities.
Integration with Build Tools: Can be integrated into build tools like Maven, Gradle, and others to automate the scanning process during the build phase.
Reports: Generates reports indicating vulnerable dependencies and their severity.
4. SonarQube: SonarQube is a platform for continuous inspection of code quality and security issues in source code.
Static Code Analysis: Analyzes source code for bugs, security vulnerabilities, and code smells.
Quality Gates: Defines and enforces quality gates to ensure code quality meets predefined criteria before deployment.
Integration with CI/CD: Can be integrated into CI/CD pipelines to automate code analysis during the build process.
Dashboard and Reporting: Provides dashboards and reports to track code quality metrics over time.
These tools cover different aspects of the software development lifecycle, focusing on security and code quality. OWASP ZAP and Trivy have a narrower focus on security testing, while OWASP Dependency-Check and SonarQube contribute to broader code quality and security analysis. Integrating these tools into your development and deployment processes helps ensure the creation of secure and high-quality software.
How to install all of them with docker compose?
version: '3'
services:
trivy:
image: aquasec/trivy
command: ["--auto-refresh", "--cache-dir", "/var/cache/trivy"]
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /var/cache/trivy
networks:
- scan-network
owasp-zap:
image: owasp/zap2docker-stable
command: ["zap.sh", "-daemon", "-host", "0.0.0.0", "-port", "8080", "-config", "api.disablekey=true"]
ports:
- "8080:8080"
networks:
- scan-network
sonarqube:
image: sonarqube:latest
environment:
- SONARQUBE_JDBC_URL=jdbc:postgresql://sonarqube-db:5432/sonar
- SONARQUBE_JDBC_USERNAME=sonar
- SONARQUBE_JDBC_PASSWORD=sonar
ports:
- "9000:9000"
networks:
- scan-network
depends_on:
- sonarqube-db
sonarqube-db:
image: postgres:alpine
environment:
- POSTGRES_USER=sonar
- POSTGRES_PASSWORD=sonar
- POSTGRES_DB=sonar
networks:
- scan-network
dependency-check:
image: owasp/dependency-check:latest
command: ["--project", "my-project", "--scan", "/app"]
volumes:
- .:/app
- dependency-check-data:/usr/share/dependency-check/data
networks:
- scan-network
volumes:
dependency-check-data:
scan-network:
driver: bridgeHow to integrate it to a Jenkinsfile:
Before we start to pipeline, please do not forget to install and integrate the plugins which are necessary.
pipeline {
agent linux
tools {
jdk 'jdk17'
}
environment {
SCANNER_HOME = tool 'sonar-scanner'
IMAGE_REG = 'your-docker-registry'
IMAGE_REPO = 'your-image-repository'
IMAGE_TAG = 'your-image-tag'
}
stages {
stage('Clean workspace') {
steps {
cleanWs()
}
// Clean the workspace before starting the pipeline
}
stage('Checkout from Git') {
steps {
git branch: 'main', url: 'https://github.com/*/*.git'
}
// Checkout the source code from Git repository
}
stage('SonarQube Analysis') {
steps {
withSonarQubeEnv('sonar-server') {
sh '''$SCANNER_HOME/bin/sonar-scanner -Dsonar.projectName=net-app \
-Dsonar.projectKey=net-app'''
}
}
// Run SonarQube analysis on the source code
}
stage('Quality Gate') {
steps {
script {
waitForQualityGate abortPipeline: false, credentialsId: 'Sonar-token'
}
}
// Wait for the SonarQube quality gate to pass
}
stage('Trivy File Scan') {
steps {
sh "trivy fs . > trivyfs.txt"
}
// Scan files using Trivy for vulnerabilities
}
stage('OWASP Dependency Check') {
steps {
dependencyCheck additionalArguments: '--scan ./ --format XML ', odcInstallation: 'DP-Check'
dependencyCheckPublisher pattern: '**/dependency-check-report.xml'
}
// Run OWASP Dependency Check for security analysis
}
stage('Docker Build & Tag') {
steps {
script {
withDockerRegistry(credentialsId: 'docker', toolName: 'docker') {
sh "docker build . --file build/Dockerfile --tag $IMAGE_REG/$IMAGE_REPO:$IMAGE_TAG"
}
}
}
// Build and tag the Docker image
}
stage('Trivy Image Scan') {
steps {
sh "trivy image $IMAGE_REG/$IMAGE_REPO:$IMAGE_TAG > trivy.txt"
}
// Scan Docker image using Trivy for vulnerabilities
}
stage('Docker Push') {
steps {
script {
withDockerRegistry(credentialsId: 'docker', toolName: 'docker') {
sh "docker push $IMAGE_REG/$IMAGE_REPO:$IMAGE_TAG"
}
}
}
// Push Docker image to the Docker registry
}
stage('Deploy to Container') {
steps {
sh "docker run -d --name dotnet -p 5000:5000 $IMAGE_REG/$IMAGE_REPO:$IMAGE_TAG"
}
// Deploy the Docker image to a container
}
}
}If you want to use OWASP ZAP, please add below line to jenkinsfile.
stage('OWASP ZAP Scan') {
steps {
script {
// Assuming you have OWASP ZAP installed on the Jenkins agent
sh "zap-baseline.py -t <TARGET_URL> -r owasp-zap-report.html"
}
}Thank you for reading this article.
Sources:
https://socradar.io/what-are-devops-devsecops-and-rugged-devops/
https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/secure/devsecops-controls
https://blog.devops.dev/devsecops-project-with-jenkins-ci-cd-dotnet-webapp-dce678bac835
