You Build It, You Secure It

Rania Darwish Saleh
IBM Data Science in Practice
5 min read · Feb 16, 2021
DevOps reference design.
Source: DoD Enterprise DevSecOps Reference Design

Data has become the new gold, and securing it is crucial. For decades, security professionals have struggled to win the cyberwar. With the rapid pace of the DevOps era, security has had to catch up. Security can’t be the final hurdle of the Software Development Life Cycle (SDLC) anymore; we should integrate it within the DevOps workflow. From this need, DevSecOps was born.

DevSecOps builds bridges between the development, operations, and security teams. DevSecOps also emphasizes learning by gathering feedback. As a result, we deliver faster and more secure systems. John Willis summarizes this approach with the “You build it, you secure it” mantra.

According to BSIMM11, we need to shift security everywhere, not only left, as in the diagram below. Vulnerabilities can exist in any stage of the SDLC. This approach promotes conducting security practices as quickly as possible. Some activities, like code review, move to the left. Others, like telemetry, move to the right, into the post-deployment environment. Results from telemetry are passed between phases in a continuous security process.

DevOps Development Life Cycle diagram
Source: https://www.devsecops.org/presentations

DevSecOps is not only about automation, although automation is a critical part of it. In 2019 research, the CSA defined six critical areas for DevSecOps integration:

  1. Collective responsibility: Security is everyone’s responsibility in the organization. Each one has their duties and must be aware of their contribution to the security stance.
  2. Collaboration and integration: Security awareness and collaborative culture are vital. This culture facilitates the report of potential anomalies.
  3. Pragmatic implementation: There is no one-size-fits-all set of tools for DevSecOps implementation. Organizations should choose solutions based on their security needs and the solution’s integrability.
  4. Bridging compliance and development: There is a gap between compliance and development. To address this gap, organizations should identify automated controls that can improve compliance.
  5. Automation: Automated security practices can increase efficiency, reduce rework and improve quality.
  6. Measure, monitor, report, and action: Successful DevSecOps implementation depends on actionable metrics. Critical metrics are vulnerability patch time and the percentage of automated tests. The results from these metrics should be measured, monitored, reported, and actioned.

Let’s see an example of how to integrate security into the DevOps pipeline. We will add dependency scanning to the pipeline we created in a previous blog. This test finds known vulnerabilities in the code’s dependencies so that they can be fixed.

1. We will use Snyk to test for vulnerabilities in our code. If you don’t have an account, create a free account here. Log in to your Snyk account and copy the API token to use in the job.

Snyk screenshot

2. Log in to IBM Cloud; if you don’t have an account, click here to create a free one.

3. Select the demo toolchain.

screenshot of demo toolchain

4. Add Slack integration. Check this tutorial for detailed steps.

5. Click on the Delivery Pipeline to add a new stage.

screenshot of Delivery Toolchain

6. Click on the build settings icon, and select Configure Stage.

screenshot of selecting Configure Stage

7. Select “Environment properties” and click “Add property.” Select “Secure property.”

screenshot of selecting Secure Property

8. Add SNYK_TOKEN as the name and paste the token from Step #1 as the secure property.

9. Add a new test stage.

screenshot of adding a Test stage

10. Add the below code snippet to the test script.

# Put the toolchain's Node.js on PATH (the pipeline image ships it here)
export PATH=/opt/IBM/node-v6.7.0/bin:$PATH
# Install the project's dependencies so Snyk can resolve the full dependency tree
npm install
# Install the Snyk CLI; it authenticates with the SNYK_TOKEN secure property from Step 8
npm install -g snyk
# Snapshot the dependency tree in the Snyk UI for continuous monitoring
snyk monitor
# Exit non-zero, failing the stage, if any known vulnerability is found
snyk test

11. Click Save and rerun the build job to run this test. Since the sample code is secure, the job will finish successfully.

screenshot of successive tests passing

12. To simulate a dependency vulnerability, we will change the Express version. In the source code, modify the Express version in package.json from "4.17.*" to an older, vulnerable version such as "1.0.0":

"dependencies": {"express": "1.0.0",

13. The change will trigger a new build. Once the test job fails, you will get an email and a Slack Notification.

screenshot of notification of stage test failing

14. Click on the “Snyk-Test” job to check the logs.

screenshot of Snyk test failure in the command line

15. We can create a pull request to patch the vulnerability. Go to the Snyk website and log in, then select the project.

screenshot of Snyk website

16. Click on “Open a fix PR” to fix this vulnerability.

screenshot of Opening a PR fix

17. Snyk will show you a list of all the vulnerabilities. To solve these vulnerabilities, click on “Open a fix PR.”

screenshot of Open a Fix PR

18. You will be redirected to the Git website to view and merge the PR.

screenshot of Git page to merge PR

19. Once you merge the PR, the pipeline restarts automatically and you can confirm the issue is fixed. For a demo of using Snyk within a pipeline, check this webinar.
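The Step 10 script fails the stage on any finding. As an added example (not code from the original post or from Snyk), here is a small gate script that can run after `snyk test --json > snyk.json` in that stage: it fails the build only at or above a chosen severity and prints a one-line summary suitable for the Slack or email notification. The report field names it reads (`vulnerabilities`, `severity`, `packageName`, `version`, `isUpgradable`) are assumed from the shape of the CLI’s JSON output, and the embedded sample report is constructed.

```python
# Severity gate for the Snyk scan in a pipeline test stage (added example, not the post's code).
# Stage script usage:  snyk test --json > snyk.json; python snyk_gate.py snyk.json high
import json
import sys

SEVERITY_ORDER = ["low", "medium", "high", "critical"]  # Snyk levels, lowest to highest

# Constructed sample shaped like `snyk test --json` output; field names are assumed and
# only the fields this gate reads are included. Express 1.0.0 mirrors Step 12 above.
SAMPLE_REPORT = {
    "ok": False,
    "vulnerabilities": [
        {"id": "SNYK-SAMPLE-1", "title": "Denial of Service (DoS)", "severity": "medium",
         "packageName": "qs", "version": "0.4.2", "isUpgradable": True},
        {"id": "SNYK-SAMPLE-2", "title": "Regular Expression DoS", "severity": "high",
         "packageName": "express", "version": "1.0.0", "isUpgradable": True},
        {"id": "SNYK-SAMPLE-3", "title": "Information Exposure", "severity": "low",
         "packageName": "connect", "version": "1.0.0", "isUpgradable": False},
    ],
}

def rank(severity):
    """Position in SEVERITY_ORDER; an unknown level ranks highest so the gate fails closed."""
    s = severity.lower()
    return SEVERITY_ORDER.index(s) if s in SEVERITY_ORDER else len(SEVERITY_ORDER)

def evaluate(report, threshold="high"):
    """Return (should_fail, summary) for a parsed Snyk JSON report and a severity threshold."""
    vulns = report.get("vulnerabilities", [])
    blocking = [v for v in vulns if rank(v["severity"]) >= rank(threshold)]
    counts = {lvl: sum(1 for v in vulns if v["severity"] == lvl) for lvl in SEVERITY_ORDER}
    by_level = ", ".join(f"{c} {lvl}" for lvl, c in counts.items() if c) or "none"
    fixable = sum(1 for v in blocking if v.get("isUpgradable"))  # candidates for a Snyk fix PR
    summary = (f"{len(vulns)} vulnerabilities ({by_level}); "
               f"{len(blocking)} at/above '{threshold}', {fixable} fixable by upgrade")
    return bool(blocking), summary

def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT  # no report file given: run against the constructed sample
    fail, summary = evaluate(report, argv[2] if len(argv) > 2 else "high")
    print(("FAIL: " if fail else "PASS: ") + summary)  # one line for the Slack/email notification
    return 1 if fail else 0  # non-zero exit fails the pipeline stage

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With an empty `vulnerabilities` list (the secure sample app of Step 11) the gate prints PASS and exits 0; with the Express 1.0.0 sample it fails at the default "high" threshold.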

This was a brief introduction to DevSecOps and a first step on the DevSecOps journey. In the example above, we integrated dependency scanning into the Delivery Pipeline. In my next blog, I will discuss how to integrate security in each stage of the SDLC. To continue your learning journey, check the LinkedIn Learning Path: Get Ahead in DevSecOps.


DevOps at IBM Cognos Analytics. Interests include: DevOps, Cloud, Security, Blockchain.