Setup DevSecOps pipelines with open-source tools

Security Enthusiast
AVM Consulting Blog
6 min read · Oct 4, 2021


DevSecOps is the methodology of integrating security tools within the DevOps process in an automated fashion. This multicultural, multi-disciplinary automated security environment makes security everyone’s concern and not just of a security team. Companies need to invest heavily in automated security tools to implement DevSecOps pipelines and at times they may not have the required budget to buy licenses for all these tools. If your organization is starting the DevSecOps journey then one of the recommendations is to try open-source tools to create POC and then move to the licensed version.

DevSecOps is not just about tooling but also having the required knowledge about using those tools. This leads to a cultural change in the normal functioning of DevOps and the staff needs to be trained and asked to upskill themselves on the same. This allows them to collaborate more efficiently, thereby creating a “security culture”. In this blog, I am going to list down open-source security tools which will help you to get started with your DevSecOps journey.

This is how the phases of a typical DevSecOps pipeline look:

Now let's look at how to add security at each phase and turn your pipeline into a DevSecOps pipeline.

Design phase

Threat modeling is a proactive strategy for evaluating risks. It involves identifying potential threats and developing tests or procedures to detect and respond to those threats. This involves understanding how threats may impact systems, classifying threats, and applying the appropriate security controls.

Threat modeling tools
· OWASP Threat Dragon
· Microsoft Threat Modeling Tool
· pytm: A Pythonic framework for threat modeling

Development phase

Pre-commit hooks — Sensitive information such as access keys, access tokens, AWS keys, SSH keys, etc. is often leaked via public source code repositories through accidental git commits. This can be avoided by using pre-commit hooks which check files for sensitive information before a commit or push. Developers can easily circumvent this step, so treat it as one layer of defense in depth and don't rely on it alone.

Pre-commit hooks tools
· Talisman
· Crass
· Git Hooks
· Git Secrets
· Pre Commit
· Detect Secrets
· Git Hound
· Truffle Hog
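As an added illustration of what the hook tools above do (this is example code written for this post, not code from Talisman, git-secrets, detect-secrets or any other listed project), here is a minimal pre-commit script. It reads the staged diff, scans only the added lines for a documented credential format (the AWS access key id shape), a generic `password =`/`secret:` assignment heuristic and high-entropy tokens, and exits non-zero so the commit is blocked. The diff embedded at the bottom is constructed sample input; the access key id in it is the example id from AWS documentation, not a live credential.

```python
"""Minimal secret-scanning pre-commit hook (added example, not a listed tool's code)."""
import math
import re
import subprocess
import sys
from collections import Counter

# Credential formats. The AWS access key id shape (AKIA + 16 upper-case
# alphanumerics) is documented by AWS; the other two are generic heuristics.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"\s]{8,}['\"]"
    ),
}
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")   # candidates for the entropy rule
ENTROPY_THRESHOLD = 4.0                          # bits per char; prose sits well below this
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line: str, path: str, line_no: int):
    """Return (path, line_no, rule, snippet) tuples for one added line."""
    hits = [(path, line_no, rule, line.strip()) for rule, rx in PATTERNS.items() if rx.search(line)]
    hits += [(path, line_no, "high_entropy", tok) for tok in TOKEN_RE.findall(line)
             if shannon_entropy(tok) >= ENTROPY_THRESHOLD]
    return hits


def scan_diff(diff: str):
    """Walk a unified diff, scanning only '+' lines and tracking file and line numbers."""
    findings, path, line_no = [], "<unknown>", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif (m := HUNK_RE.match(raw)):
            line_no = int(m.group(1))          # first line number of the new-file side
        elif raw.startswith("+"):
            findings.extend(scan_line(raw[1:], path, line_no))
            line_no += 1
        elif not raw.startswith("-"):
            line_no += 1                       # unchanged context line
    return findings


def staged_diff() -> str:
    """The diff of what is about to be committed."""
    return subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout


def main() -> int:
    findings = scan_diff(staged_diff())
    for path, no, rule, snippet in findings:
        print(f"{path}:{no}: {rule}: {snippet[:60]}", file=sys.stderr)
    return 1 if findings else 0


# Constructed sample: what `git diff --cached` might emit for two staged files.
# The AWS id is the example id from AWS documentation, not a live credential;
# the base64 value is a made-up high-entropy string.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,4 @@
 import os
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
 REGION = "us-east-1"
+DEBUG = True
diff --git a/settings.yaml b/settings.yaml
--- /dev/null
+++ b/settings.yaml
@@ -0,0 +1,3 @@
+db_password: "correct-horse-battery"
+region: us-east-1
+signing_key_b64: "Qm9ndXNLZXlWYWx1ZUZvclRlc3Q3OTEy"
"""

if __name__ == "__main__":
    sys.exit(main())
```

Install it as `.git/hooks/pre-commit` (executable) to try it; `scan_diff(SAMPLE_DIFF)` shows the three kinds of hit offline. The entropy rule is the noisy one: tune `ENTROPY_THRESHOLD` per repository, and remember from the paragraph above that `git commit --no-verify` skips hooks entirely, which is why a server-side scan is still needed.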

Secrets Management — DevOps automation requires storing sensitive information like passwords, SSH keys, auth tokens, certificates, etc., and keeping it in a configuration file can expose credentials to an unintended audience. Secrets management segregates credentials into a separate store, so that every environment pulls the credentials meant for that environment and uses them programmatically.

Secrets management tools
· HashiCorp
· Torus
· Keywhiz
· EnvKey
· Confidant
· AWS Secrets Manager

Build phase

Software Composition Analysis (SCA) — identifies known vulnerabilities in third-party components, license risk, and out-of-date libraries, with built-in support for the major package-management ecosystems.

SCA Tools
· Dependency Track
· Retire.js: Finds vulnerable JavaScript components
· SonaType
· Snyk (Free for Open Source)
· Bundler Audit
· Rubysec
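To make concrete what an SCA step in the build phase actually computes, here is an added example (written for this post, not code from Dependency Track, Snyk or any other listed tool). It parses a pinned `requirements.txt`, checks each pin against an advisory feed for "vulnerable below version X" ranges, flags pins that lag the latest release, and reports unpinned lines that make the build non-reproducible. The advisory feed, the release index and the requirements file are all constructed sample data with placeholder identifiers, not real advisories.

```python
"""Toy software-composition check (added example, not a listed tool's code)."""
import re

# Constructed advisory feed: package, exclusive upper bound of the vulnerable
# range, placeholder advisory id. Real feeds carry CVE ids and richer ranges.
ADVISORIES = [
    {"package": "examplelib", "vulnerable_below": "2.4.1", "id": "ADV-EXAMPLE-0001",
     "summary": "deserialization of untrusted input"},
    {"package": "samplehttp", "vulnerable_below": "1.9.0", "id": "ADV-EXAMPLE-0002",
     "summary": "header injection"},
]
# Constructed "latest release" index used for the out-of-date check.
LATEST = {"examplelib": "2.5.0", "samplehttp": "1.9.2", "othertool": "0.3.0"}

# Exact pins only: name==version, optional trailing comment.
REQUIREMENT_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)\s*(?:#.*)?$")


def parse_version(v: str):
    """'2.4.1' -> (2, 4, 1). Trailing non-numeric parts are dropped, so this is
    fine for pinned releases but does not model pre-releases ('1.0rc1')."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_requirements(text: str):
    """Return ({name: version} for exact pins, [lines that are not exact pins])."""
    pins, unpinned = {}, []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        m = REQUIREMENT_RE.match(s)
        if m:
            pins[m.group(1).lower()] = m.group(2)
        else:
            unpinned.append(s)
    return pins, unpinned


def analyze(requirements_text: str):
    """Cross-reference pins with the advisory feed and release index."""
    pins, unpinned = parse_requirements(requirements_text)
    findings = []
    for name, version in pins.items():
        v = parse_version(version)
        for adv in ADVISORIES:
            if adv["package"] == name and v < parse_version(adv["vulnerable_below"]):
                findings.append({"package": name, "version": version, "kind": "vulnerable",
                                 "id": adv["id"], "fix": adv["vulnerable_below"],
                                 "summary": adv["summary"]})
        latest = LATEST.get(name)
        if latest and v < parse_version(latest):
            findings.append({"package": name, "version": version, "kind": "outdated",
                             "latest": latest})
    for line in unpinned:
        findings.append({"package": line, "kind": "unpinned"})
    return findings


# Constructed requirements file: one vulnerable and stale pin, two clean pins,
# one range specifier that an SCA gate should refuse.
SAMPLE_REQUIREMENTS = """\
# application dependencies
examplelib==2.3.0
samplehttp==1.9.2
othertool==0.3.0
requests-like>=2.0   # not pinned: the build is not reproducible
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_REQUIREMENTS):
        print(f)
```

The same structure (parse the lockfile, normalise versions, compare against a feed) is what the listed tools do for npm, Maven, RubyGems and friends; the hard parts they add are real version semantics and a continuously updated advisory source.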

Static application security testing (SAST) — White-box security testing using automated tools to perform a security code review, which flushes out many low-hanging fruits like SQL injection, cross-site scripting, deserialization vulnerabilities, and many more. SAST tools ship with generic default settings and may need manual oversight to manage false positives.

SAST Tools
· Semgrep
· SonarQube Community
· Graudit
· FindSecBugs for Java
· Bandit for Python
· OWASP also maintains a list of source-code analysis tools
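The paragraph above makes two points: SAST finds low-hanging fruit by inspecting code, and its generic rules need human handling of false positives. The following added example (written for this post, not code from Bandit, Semgrep or SonarQube) shows both on a small scale. It walks a Python module's AST for three classic patterns (`eval`/`exec`, `subprocess` with `shell=True`, and SQL built by string formatting) and suppresses findings whose fingerprint a reviewer has already accepted in a baseline, so a pipeline gate fails only on what is new. The module under test, the rule ids and the fingerprint scheme are all constructed for the example.

```python
"""Toy AST-based SAST check with a reviewed baseline (added example)."""
import ast
import hashlib

RULES = {
    "B-EVAL": "eval/exec on runtime data",
    "B-SHELL": "subprocess invoked with shell=True",
    "B-SQLI": "SQL statement assembled by string formatting",
}


def _is_formatted(node: ast.AST) -> bool:
    """True for f-strings, '%'/'+' string building and str.format() calls."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def _rule_for(call: ast.Call):
    """Map one call node to a rule id, or None if it is clean."""
    if isinstance(call.func, ast.Name) and call.func.id in ("eval", "exec"):
        return "B-EVAL"
    if any(kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
           for kw in call.keywords):
        return "B-SHELL"
    if (isinstance(call.func, ast.Attribute) and call.func.attr in ("execute", "executemany")
            and call.args and _is_formatted(call.args[0])):
        return "B-SQLI"
    return None


def fingerprint(rule: str, snippet: str) -> str:
    """Stable id for a finding: rule plus normalised call text, so the baseline
    survives the code moving to another line but not the code changing."""
    return hashlib.sha256(f"{rule}:{snippet}".encode()).hexdigest()[:16]


def scan_source(src: str, filename: str = "<module>", baseline=frozenset()):
    """All findings in src, each marked suppressed if its fingerprint is baselined."""
    findings = []
    for node in ast.walk(ast.parse(src, filename)):
        if not isinstance(node, ast.Call):
            continue
        rule = _rule_for(node)
        if rule is None:
            continue
        snippet = ast.unparse(node)
        fp = fingerprint(rule, snippet)
        findings.append({"file": filename, "line": node.lineno, "rule": rule,
                         "message": RULES[rule], "snippet": snippet,
                         "fingerprint": fp, "suppressed": fp in baseline})
    return sorted(findings, key=lambda f: f["line"])


def new_findings(src: str, filename: str = "<module>", baseline=frozenset()):
    """What a pipeline gate should fail on: findings not in the baseline."""
    return [f for f in scan_source(src, filename, baseline) if not f["suppressed"]]


# Constructed module under test. Three hits: line 6 (injectable query), line 15
# (shell=True) and line 19, a constants-only concatenation that the generic
# rule cannot tell apart from line 6 and which a reviewer accepts as a false positive.
SAMPLE = '''
import subprocess

def lookup(conn, user):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '%s'" % user)
    return cur.fetchall()

def lookup_safe(conn, user):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (user,))
    return cur.fetchall()

def list_dir(path):
    return subprocess.check_output("ls " + path, shell=True)

def version(conn):
    cur = conn.cursor()
    cur.execute("SELECT " + "sqlite_version()")
    return cur.fetchone()
'''

# The baseline is what a reviewer commits after accepting the line-19 finding.
BASELINE = frozenset(f["fingerprint"] for f in scan_source(SAMPLE) if f["line"] == 19)

if __name__ == "__main__":
    for f in new_findings(SAMPLE, "sample.py", BASELINE):
        print(f'{f["file"]}:{f["line"]}: {f["rule"]} {f["message"]}: {f["snippet"]}')
```

Keying the baseline on a fingerprint rather than a line number is the design point: the accepted false positive stays silent when the file is edited around it, but any change to the flagged statement itself produces a new fingerprint and surfaces again for review.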

Staging phase

Dynamic Application Security Testing (DAST) — Black-box/grey-box security testing using automated tools. SAST may not get the full picture without the application being deployed, which is why DAST comes in handy for picking out deployment-specific issues. Results from DAST and SAST can be compared to weed out false positives. DAST tools may also need a prior set of configuration settings to give good results.

DAST Tools
· OWASP ZAP
· Arachni
· Nikto

Performance monitoring — When staging applications for testing, DevOps teams need to ensure that errors have not crept into their configuration and that application performance has not degraded.

Performance monitoring tools
· Threat Mapper
· Anchore Engine
· Clair

Vulnerability Assessment (VA) — A technique to identify the various services running on a given server and probe the identified services to check whether they have any vulnerabilities. It is general practice to perform vulnerability assessment on production systems to identify the services running in the environment and their associated vulnerabilities. But I would recommend doing VA at staging to identify vulnerabilities before moving code to the production environment.

VA tools
· OpenVAS
· DockScan

Production phase

Compliance as Code (CaC) — Organisations need to apply compliance controls to their IT infrastructure to abide by industry best practices and regulations like PCI DSS, HIPAA, SOX, etc. With “Infrastructure as Code” in DevOps, the production environment is never retained; it is always torn down and re-created, hence there is a strong requirement to test the updated or newly created environment after it has been set up.

CaC tools
· Inspec
· Serverspec
· DevSec Hardening Framework
· Kitchen CI

Vulnerability Management (VM) — The tools that we use to create a DevSecOps pipeline will generate plenty of vulnerabilities, and each tool will have its own separate output format. It becomes difficult to manage this data, let alone track and remediate the vulnerabilities. Hence, vulnerability management solutions are at the core of a DevSecOps process: all tools spool their data into those solutions so that it can be centrally managed, triaged, tracked and remediated.

VM tools
· ArcherySec
· DefectDojo
· Faraday
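An added example of the central step such a solution performs (written for this post; it is not DefectDojo, ArcherySec or Faraday code and does not use their import formats). Two scanners report on the same application in their own shapes: a SAST export with numeric severities and file:line locations, and a DAST export with text risk levels and URLs. The importer maps both into one record shape, drops duplicates, notes where SAST and DAST corroborate the same issue (the cross-check the staging section mentions), and diffs against the previous run so the team sees what is new, still open and resolved. Both exports, the previous-run keys and the hostname are constructed sample data.

```python
"""Toy vulnerability-management importer (added example, not a listed tool's code)."""
from collections import Counter

SAST_SEVERITY = {1: "low", 2: "medium", 3: "high", 4: "critical"}

# Constructed SAST export: numeric severity, file:line locations.
SAST_EXPORT = {"tool": "sast-x", "issues": [
    {"rule": "sql-injection", "severity": 3, "path": "app/db.py", "line": 42},
    {"rule": "hardcoded-secret", "severity": 2, "path": "app/config.py", "line": 7},
]}
# Constructed DAST export: text risk levels, URL locations, one alert reported twice.
DAST_EXPORT = {"tool": "dast-y", "alerts": [
    {"name": "SQL Injection", "risk": "High", "url": "https://staging.example.invalid/search"},
    {"name": "SQL Injection", "risk": "High", "url": "https://staging.example.invalid/search"},
    {"name": "Missing CSP header", "risk": "Low", "url": "https://staging.example.invalid/"},
]}
# Keys stored from the previous import: one still present, one since fixed.
PREVIOUS_RUN = {
    ("sast-x", "hardcoded-secret", "app/config.py:7"),
    ("sast-x", "cross-site-scripting", "app/views.py:10"),
}


def norm_title(s: str) -> str:
    """'SQL Injection' and 'sql-injection' become the same title."""
    return "-".join(s.lower().split())


def key(rec):
    """Identity of a finding for de-duplication and run-to-run tracking."""
    return (rec["source"], rec["title"], rec["location"])


def normalize(sast_export, dast_export):
    """Map both tool formats into one record shape, de-duplicate, cross-corroborate."""
    records = [{"source": sast_export["tool"], "title": norm_title(i["rule"]),
                "severity": SAST_SEVERITY[i["severity"]],
                "location": f'{i["path"]}:{i["line"]}'} for i in sast_export["issues"]]
    records += [{"source": dast_export["tool"], "title": norm_title(a["name"]),
                 "severity": a["risk"].lower(), "location": a["url"]}
                for a in dast_export["alerts"]]
    seen, unique = set(), []
    for r in records:
        if key(r) not in seen:
            seen.add(key(r))
            unique.append(r)
    by_title = {}
    for r in unique:
        by_title.setdefault(r["title"], set()).add(r["source"])
    for r in unique:
        # other tools that reported an issue with the same title
        r["corroborated_by"] = sorted(by_title[r["title"]] - {r["source"]})
    return unique


def triage(records, previous_keys):
    """Split the current records into new / still open, list what was resolved,
    and count by severity for the dashboard."""
    current = {key(r): r for r in records}
    return {
        "new": [r for k, r in current.items() if k not in previous_keys],
        "open": [r for k, r in current.items() if k in previous_keys],
        "resolved": sorted(previous_keys - set(current)),
        "by_severity": dict(Counter(r["severity"] for r in records)),
    }


if __name__ == "__main__":
    report = triage(normalize(SAST_EXPORT, DAST_EXPORT), PREVIOUS_RUN)
    for bucket in ("new", "open", "resolved"):
        print(bucket, report[bucket])
    print("by severity", report["by_severity"])
```

Persisting the set of keys from each run is what turns a pile of scanner output into a tracked backlog: a finding that disappears is closed automatically, one that reappears after being closed is reopened, and a SAST finding corroborated by DAST is the one to triage first.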

Monitoring phase

Alerting & Monitoring — Production applications constantly face new threats from unknown and unforeseen vectors. This can be mitigated by having an active intrusion monitoring and prevention solution. One such open-source solution is a Web Application Firewall (WAF), which detects OWASP Top 10 attacks like SQL injection, cross-site scripting, etc. being attempted against the application.

Monitoring tools
· ModSecurity
· Shadow Daemon
· NAXSI
· Ironbee

How far can open source go?

While not all of these tools are strictly open-source, every tool does have a free version that can be used as-is or modified to suit your specific requirements. Depending on your DevOps team's maturity, open-source tools can serve many needs. But for teams that need support, deeper coverage of threats and vulnerabilities, or the ability to scale to thousands of systems, commercial security tools or the commercial versions of open-source products are a must. Open source can help you at a minimum, but when you are dealing with complexity and scale problems, that's when you have to switch over.
