On Wednesday, August 8, 2018 IBM hosted a meetup on DevSecOps @DubizzleHQ. The main agenda for this meetup was to introduce security into the CI/CD pipeline and show the importance of security in cloud-native applications and DevOps practices.
IBM Cloud Developer Saif Rehman kicked off the session with an introduction to the basics of Kubernetes and Docker, giving a high-level explanation of both. He then explained why security is important and cited some well-known attacks on major corporations in recent years. Next, he walked through the DevOps lifecycle and the importance of having security in the DevOps pipeline. After that, he covered the top security concerns and how they can be avoided through DevSecOps practices. The key point Saif wanted to get across at the meetup was that known vulnerabilities in your software application can be avoided by automating security tests.
He then introduced OWASP ZAP, one of the world’s most popular free security tools, actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing them. He tested one of his cloud-native applications manually to find vulnerabilities in it.
After explaining OWASP ZAP, he introduced Jenkins, an open source automation tool written in Java with plugins built for Continuous Integration purposes. Jenkins is used to build and test your software projects continuously, making it easier for developers to integrate changes into the project and for users to obtain a fresh build. He quickly demonstrated how to create a simple CI/CD pipeline by integrating GitHub with Jenkins using webhooks and Jenkins' git plugin.
Lastly, he introduced an open source tool called Clair. Clair is an open source project for the static analysis of vulnerabilities in application containers. He conveyed the importance of having security in containers as well, since the container image itself can carry vulnerabilities. He demonstrated Clair by scanning one of his Docker images with the clair-scan tool.
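As an added example (not code shown at the meetup), here is a declarative Jenkinsfile that ties together the three pieces above: a GitHub-webhook-triggered pipeline that builds the application image, runs an OWASP ZAP baseline scan against the running container, and scans the image with clair-scanner before anything is published. The image names, ports and the Clair URL are placeholders, and it assumes Docker and clair-scanner are available on the Jenkins agent and that a Clair server is reachable.

```groovy
// Added example: a Jenkins declarative pipeline with automated security gates.
// Assumptions (not from the original post): Docker on the agent, clair-scanner on
// the agent's PATH, a Clair server at CLAIR_URL, and the app listening on port 8080.
pipeline {
    agent any
    environment {
        APP_IMAGE = "example/cloud-native-app:${env.BUILD_NUMBER}"   // placeholder image name
        CLAIR_URL = "http://clair:6060"                              // placeholder Clair endpoint
    }
    // Fired by the GitHub webhook configured on the repository (GitHub plugin).
    triggers { githubPush() }
    stages {
        stage('Checkout') {
            steps { checkout scm }   // pulls the commit that the webhook announced (git plugin)
        }
        stage('Build image') {
            steps { sh "docker build -t ${APP_IMAGE} ." }
        }
        stage('DAST: OWASP ZAP baseline') {
            steps {
                // Start the app, then let ZAP spider it and run its passive checks.
                // zap-baseline.py exits non-zero on warnings, which fails the stage.
                sh """
                  docker run -d --name app -p 8080:8080 ${APP_IMAGE}
                  docker run --rm --network host -v \$PWD:/zap/wrk owasp/zap2docker-stable \\
                    zap-baseline.py -t http://localhost:8080 -r zap-report.html
                """
            }
            post { always { sh 'docker rm -f app || true' } }   // always tear the app down
        }
        stage('Container scan: Clair') {
            steps {
                // Fail the build if Clair reports a vulnerability at or above the threshold.
                sh """
                  clair-scanner --ip \$(hostname -i) --clair=${CLAIR_URL} \\
                    --threshold=High --report=clair-report.json ${APP_IMAGE}
                """
            }
        }
    }
    post {
        // Keep both scan reports with the build so reviewers can see why a gate failed.
        always { archiveArtifacts artifacts: '*.html,*.json', allowEmptyArchive: true }
    }
}
```

The stage order matters: the image is only worth a Clair scan once it builds, and nothing downstream (push, deploy) should run unless both scan stages pass.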