Securing the Agile Journey: A Guide to Successful DevSecOps Implementation Hands-On ( Part-1 )

Weaving security into every process.

A Guide to Successful DevSecOps Implementation

During the pandemic, DevOps gained widespread popularity as more and more businesses moved to the cloud to accommodate a growing user base. While this transition offered increased scalability and flexibility, it also increased the chances of potential cyber-attacks.

Therefore, it’s crucial to implement robust security measures throughout the SDLC to protect sensitive applications and user data. Mishandling security can result in devastating breaches that may cost organizations millions of dollars.

As DevSecOps professionals, our goal is to ensure that developers follow good and secure coding practices.

Let’s explore some of these DevSecOps best practices through a three-part series of blog posts:

• Part- 1 — Security Implementation in Development
• Part- 2 — Security Implementation in CI/CD Automation
• Part- 3 — Security Implementation in Deployed Application

This article, the first in the series, focuses on security implementation during the development phase.

Security Implementation in Development

Coding with security in mind!

1. Git Secrets

The Git Secret tool scans Git repositories for sensitive information and security issues using pre-commit hooks.

https://github.com/awslabs/git-secrets

It can scan commits, commit messages, and merge to prevent the accidental addition of sensitive data, such as secrets, into Git repositories. For example, if a commit, commit message, or any commit in a merge history matches one of your configured, prohibited regular expression patterns, the commit is rejected.

To install the tool, follow these steps based on your operating system:

1. We need to clone the GitHub repo which provides this feature:

git clone https://github.com/awslabs/git-secrets.git

2. Configure it for your OS.

Linux:

cd  git-secrets
make install

Windows:

cd git-secrets
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Bypass
./install.ps1

MacOS:

cd git-secrets
brew install

Once the Git-Secret tool is configured, let’s see it in action.

Open any of your existing Git repo and configure this tool:

# Install for a single Repo
git secrets --install -f

# It Registers AWS Default Patterns as Prohibited
git secrets --register-aws 

# Add Custom Patterns in below file for other providers (It's regex)
touch .secret.patterns

# Register This file as the source of custom additional patterns (Test before commiting)
git secrets --add-provider -- cat .secret.patterns

You can configure it globally for multiple Git repositories too.

# Install Secrets Globally for a user
git secrets --install ~/.git-templates/git-secrets

# Configure Global template directory
git config --global init.templateDir ~/.git-templates/git-secrets

# Configure Global template store somewhere
git secrets --add-provider -- cat /path/to/secret/file/patterns

For a working demo, you can watch this video: https://youtu.be/htAVKml9hVs

Bonus: You can add many Regex from this location and add it to your custom patterns: https://github.com/l4yton/RegHex

An alternative to Git Secrets is Git Hound (Link).

2. Trivy: Comprehensive and Versatile SAST Scanner

Trivy is an OpenSource SAST tool that scans code against software dependencies, CVEs, a misconfiguration in IAC, sensitive info, and secrets.

https://github.com/aquasecurity/trivy

It supports scanning of the above issues on multiple platforms, like Container Images, Local Systems, Git Repos, VMs, Kubernetes Environments, and Cloud Environments (AWS).

It easily integrates with VS Code marketplace extension.

Trivy has good documentation for the installation of specific OS. Find the link here.

Once Trivy is installed successfully, it's very easy to use and operate in the local environment. We just need to build our code and scan the entire file solution.

Node JS example:

# Install the Packages First before Running Trivy Scanning
yarn install --production

# Scan yarn.lock file which has all the dependency written in it
trivy fs --scanners vuln yarn.lock

Scanning JavaScript-based Projects with Trivy Locally

.NET Core example:

# Restore .NET Packages
dotnet restore

# Generate Release Artifacts
dotnet publish -c Release

# Scan the Release. (Trivy finds *.deps.json file for .NET Vulnerabilities)
trivy fs --scanners vuln ./

Scanning .NET Core-based Projects with Trivy Locally

Trivy has the support of almost a dozen languages. Please check the compatibility matrix before implementing the list here.

Bonus: Some alternatives to Trivy are,

• Grype and Syft — A vulnerability scanner and Software Bill of Materials (SBOM) generator from container images and filesystems

3. Automated Security Helper (Ash) by AWS

Note: This tool works well with MacOS and Linux-based machines. To run in Windows, WSL2 is recommended since this tool heavily relies on bash scripts that are not natively supported by Windows.

https://github.com/aws-samples/automated-security-helper/tree/main

Installing ash:

# Set up some variables
REPO_DIR="${HOME}"/Documents/repos/reference
REPO_NAME=automated-security-helper

# Create a folder to hold reference git repositories
mkdir -p ${REPO_DIR}

# Clone the repository into the reference area
git clone https://github.com/aws-samples/automated-security-helper "${REPO_DIR}/${REPO_NAME}"

# Set the repo path in your shell for easier access
export PATH="${PATH}:${REPO_DIR}/${REPO_NAME}"

# Execute the ash tool
ash --version

To run the ash tool, run the following command from the directory of your code:

# Create Reports Directory before Scan execution
mkdir -p $(pwd)/code-scan-reports

# Run ash from source repo dorectory and store result in output directory
ash --source-dir . --output-dir $(pwd)/code-scan-reports

Have some patience because first time runs build some docker image to scan the code locally. This takes about 5–7 minutes. After the successful execution of the command, the report will look something like this:

ash command output

The report has some details like:

• Sensitive information in code
• External package listing
• Files per language details
• Code security issues (basic findings)
• Scan summary

This tool still needs to be more mature in terms of detecting more code security issues apart from very basic ones.

Bonus: Some alternatives to Automated Security Helper:

• SonarQube — It is an open-source platform for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs and code smells.
• Synopsys Coverity — It is a static code analysis tool that analyzes every line of code and potential execution path and produces a list of potential code defects.

Conclusion

A security-first development mindset emphasizes proactive measures to identify and mitigate vulnerabilities at every stage of the development process. By adopting this mindset, organizations can reduce the risk of security breaches, data leaks, and other cyber threats. DevSecOps encourages collaboration and communication between development, security, and operations teams, fostering a culture where security is a shared responsibility.

By leveraging tools like git-secrets, Trivy, and Ash, developers can embed security into their day-to-day activities rather than treating it as an afterthought. These tools promote a security-first mindset by automating security checks, identifying vulnerabilities, and providing actionable insights to remediate them. With a DevSecOps approach supported by these tools, organizations can strengthen their security posture, protect their applications, and build trust with their users in the public domain.

That’s it for Part-1. In Part-2, we’ll see more tools and hands-on that DevOps can implement in their CI/CD workflow.

For more updates on the latest tools and technologies, follow the Simform Engineering blog.

Follow Us: Twitter | LinkedIn