
Practical DevSecOps Pipelines

A Practical View of Security Toolchains for DevSecOps

Several organizations are seeing the need to embed security into their Software Development Lifecycle. This has largely been necessitated by Agile and DevOps transformation projects within engineering teams. However, there are several challenges with DevSecOps implementations in the real-world.

This talk will explore different types of DevSecOps toolchains. The talk is based on real-world projects, from which we will identify patterns that work. Throughout the talk, we use demos to demonstrate pipelines and tool orchestration possibilities (including parameterized DAST and IAST).

Abhay Bhargav

May 26, 2020

Transcript

  1. Copyright © we45 2020
    abhaybhargav
    Practical DevSecOps Pipelines
    Abhay Bhargav, we45

  2. Yours Truly
    • Founder @ we45
    • Chief Architect - Orchestron
    • Avid Pythonista and AppSec Automation Junkie
    • Trainer/Speaker at DEF CON, BlackHat, OWASP Events, etc., worldwide
    • Lead Trainer - we45 Training and Workshops
    • Co-author of Secure Java For Web Application Development
    • Author of PCI Compliance: A Definitive Guide

  3. Virtual Training
    • DevSecOps MasterClass => 1 & 2 July 2020
    • Attacking and Defending Containers, Kubernetes and Serverless => June 22-25 2020
    • Significant Discount on all courses
    • URL: store.we45.com
    • Get Live Training + Access to Labs + Access to Videos + Certification =

  4. Conference Training

  5. Community Initiatives
    Youtube Channel: youtube.com/we45-appsec
    Blog: we45.com/blog
    Talks/Workshops at several OWASP Events

  6. Agenda
    • CI Problems with Security Tools
    • Security Problems with CI Tools
    • Developments in Static Analysis
    • Cloud-Native Pipelines - A New Hope
    • Demos
    • FIN

  7. Pray to the Demo Gods

  8. CI Problems with Security Tools
    • “Run MY tool. See MY Dashboard”
    • Inconsistent APIs
    • Long-running jobs

  9. Security Tools - It’s all about me!

  10. Security Tool Narcissism

  11. Long-running jobs

  12. Blocking Good Feedback a.k.a. Security(-Usability) Issues with CI Tools

  13. “Jenkins is the Wordpress of CI”
    – Several unsung security heroes

  14. “There’s something very ironic about finding RCEs in an RCE platform”
    – Abhay Bhargav

  15. Let’s play Outcome Jeopardy!
    • Authentication Bypass => RCE!
    • AuthZ Bypass => RCE!
    • XSS => RCE!
    • RCE => RCE!

  16. On top of that…
    • Not very CD friendly - Especially for “born in cloud” services
    • Not very cloud/container-native friendly
    • Not very micro-services friendly

  17. And in many cases ….

  18. Better (more Practical) DevSecOps Pipelines

  19. Areas of Focus
    • A More effective world of Static Analysis
    • Test Automation weds DAST/IAST
    • Cloud-Native DevOps Pipelines

  20. SAST Tools
    • Multi-Language (Typically Commercial) SAST Tools
      • Multi-Language and Platform
      • Combination of AST and Regex
      • Source-Sink and linked usage functionality
    • Single Language/Platform (Typically OSS) SAST Tools
      • Single Language or Platform
      • Typically AST based Scanning Tools
      • No Source-Sink. Typically File and Line-based analysis
    • Semantic Grep/QL Tools
      • New Category of SAST Analysis
      • Semantic Grep or Queries against Source Code (like SQL)
      • Aims at uncovering flaws at scale

  21. SAST Test Approaches
    • Good ol’ Regular Expressions
    • Abstract Syntax Trees
    • Semantic Grep or QL

  22. Errors
    Code Comments:
    # Don’t use this!! jwt.decode(something, secret, verify=False)

  23. SAST with AST

  24. AST example with Python
    (AST diagram; node labels shown: call, nil, jwt.decode, args, local, “verify”)

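Added example (not from the deck): the regex approach of slide 21 and the AST approach of slides 23-24 run side by side over a constructed Python file. The regex flags the commented-out `jwt.decode(..., verify=False)` from slide 22 as a finding; the AST walker never sees comments and matches the keyword argument structurally. The `options={"verify_signature": False}` form is included as a second pattern, and the last function shows the limit of file-and-line analysis without source-sink tracking: the dictionary reaches the call through a variable, so neither approach reports it. The sample source and function names are constructed for this demonstration.

```python
"""Regex vs AST detection of jwt.decode(..., verify=False) in Python source (added example)."""
import ast
import re

# Constructed sample source; line numbers are referenced by the results below.
SAMPLE = '''\
import jwt

# Don't use this!! jwt.decode(something, secret, verify=False)
def safe(token, secret):
    return jwt.decode(token, secret, algorithms=["HS256"])

def unsafe_keyword(token, secret):
    return jwt.decode(token, secret, verify=False)

def unsafe_options(token, secret):
    return jwt.decode(token, secret, options={"verify_signature": False})

def unsafe_indirect(token, secret):
    opts = {"verify_signature": False}
    return jwt.decode(token, secret, options=opts)
'''

# Approach 1: "good ol' regular expressions". Line-oriented, so it cannot tell a
# comment from a call and reports line 3 (a comment) as a finding.
PATTERN = re.compile(r'jwt\.decode\(.*(verify=False|"verify_signature":\s*False)')


def regex_findings(source):
    """Return the 1-based line numbers where the pattern matches."""
    return [n for n, line in enumerate(source.splitlines(), 1) if PATTERN.search(line)]


# Approach 2: walk the abstract syntax tree. Comments never reach the AST, so only
# real Call nodes are examined and the keyword argument is matched structurally.
def _is_false(node):
    return isinstance(node, ast.Constant) and node.value is False


def _is_jwt_decode(func):
    return (isinstance(func, ast.Attribute) and func.attr == "decode"
            and isinstance(func.value, ast.Name) and func.value.id == "jwt")


class UnverifiedJwtDecode(ast.NodeVisitor):
    def __init__(self):
        self.lines = []

    def visit_Call(self, node):
        if _is_jwt_decode(node.func):
            for kw in node.keywords:
                if kw.arg == "verify" and _is_false(kw.value):  # PyJWT 1.x keyword
                    self.lines.append(node.lineno)
                elif kw.arg == "options" and isinstance(kw.value, ast.Dict):  # PyJWT 2.x options dict
                    for key, val in zip(kw.value.keys, kw.value.values):
                        if (isinstance(key, ast.Constant) and key.value == "verify_signature"
                                and _is_false(val)):
                            self.lines.append(node.lineno)
        self.generic_visit(node)


def ast_findings(source):
    """Return the 1-based line numbers of jwt.decode calls that disable verification."""
    visitor = UnverifiedJwtDecode()
    visitor.visit(ast.parse(source))
    return sorted(visitor.lines)


if __name__ == "__main__":
    print("regex:", regex_findings(SAMPLE))  # includes line 3, the comment (false positive)
    print("ast:  ", ast_findings(SAMPLE))    # line 15 is missed: no source-sink tracking
```

The AST version is what single-language OSS tools such as the Python-focused ones on slide 20 do; tracking `opts` from its assignment to the call is the source-sink capability the slide reserves for the commercial and semantic-query tools.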
  25. Semgrep and CodeQL

  26. Demo

  27. A New Hope

  28. A (Better) alternative?
    • No Persistent Compute => Typically with Orchestration (Container)
    • Cloud-Native:
      • Integrated Secrets Management
      • Centralized IAM Implementation
      • Object Storage
      • Query Tools (Athena)

  29. In addition…
    • Closer to developer workflows => Github, Gitlab, AWS
    • Container-Native workflows

  30. Existing Options

  31. Some unconventional approaches
    • Test Automation Frameworks for Security Workflows
    • Step Functions (State Machines)
    • Flows with Container Orchestration

  32. Test Automation Driven Workflows
    • Test Automation Frameworks can be used to trigger all kinds of security workflows
    • Frameworks like Robot Framework and Gauge are low-maintenance and low-code
    • Much more suited to developer and QA workflows

  33. Robot Framework
    *** Test Cases ***
    Clone repo from Github
        clone repository from url    ${GIT_URL}    ${TO_PATH}

    Run NodeJSScanner
        run nodejsscan against source    ${TO_PATH}    ${RESULTS_PATH}
        nodejsscan write to orchy    ${RESULTS_PATH}/nodejsscan.json    ${SECRET}    ${ACCESS}    ${HOOK}

    Run NPM Audit against packageJSON
        run npmaudit against source    ${TO_PATH}    ${RESULTS_PATH}
        npmaudit write to orchy    ${RESULTS_PATH}/npm_audit.json    ${SECRET}    ${ACCESS}    ${HOOK}

    Initialize ZAP
        [Tags]    zap_init
        start gui zap    ${ZAP_PATH}
        sleep    10
        zap open url    http://${TARGET_URI}

    Authenticate to Cut the Funds as Admin
        [Tags]    walk_web_service
        &{res}=    POST    /users/login    {"email": "[email protected]", "password": "spiderman"}
        Integer    response status    200
        Boolean    response body auth    true
        set suite variable    ${TOKEN}    ${res.body["token"]}
        log    ${TOKEN}

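Added example (not from the deck, and not one of we45's Robot libraries): a small Robot Framework keyword library written in Python, the kind of low-code glue slide 32 describes. Robot exposes every public method of a class as a keyword, so the test suite on slide 33 could follow its ZAP steps with `Load Zap Report` and `Fail If Findings At Or Above    high` to turn scanner output into a pass/fail signal. The class flattens ZAP's `site -> alerts -> instances` JSON report into one record per instance and gates on risk. The report below is constructed; field names follow ZAP's JSON report format as I know it (`site`, `alerts`, `riskcode`, `instances`), which is an assumption to check against your ZAP version.

```python
"""Robot Framework keyword library that gates a pipeline on a ZAP JSON report (added, hypothetical)."""
import json
from collections import Counter

# ZAP riskcode values: 0 informational, 1 low, 2 medium, 3 high.
RISK_NAMES = {"0": "informational", "1": "low", "2": "medium", "3": "high"}
RISK_ORDER = ["informational", "low", "medium", "high"]

# Constructed sample: what a ZAP JSON report for a small scan looks like (not real scan output).
SAMPLE_ZAP_REPORT = json.dumps({
    "@version": "2.9.0",
    "site": [{
        "@name": "http://target.example.invalid",
        "alerts": [
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)", "riskcode": "3",
             "confidence": "2", "cweid": "79",
             "instances": [{"uri": "http://target.example.invalid/search", "method": "GET", "param": "q"},
                           {"uri": "http://target.example.invalid/profile", "method": "GET", "param": "name"}]},
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2",
             "confidence": "3", "cweid": "16",
             "instances": [{"uri": "http://target.example.invalid/", "method": "GET", "param": ""}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
             "confidence": "2", "cweid": "16",
             "instances": [{"uri": "http://target.example.invalid/", "method": "GET", "param": ""}]},
        ],
    }],
})


class ZapGate:
    """Each public method becomes a Robot keyword: load_zap_report -> `Load Zap Report`."""
    ROBOT_LIBRARY_SCOPE = "SUITE"  # one instance per suite, so findings persist across test cases

    def __init__(self):
        self.findings = []

    def load_zap_report(self, report_json):
        """Flatten the nested report into one record per alert instance; returns the record count."""
        report = json.loads(report_json)
        self.findings = []
        for site in report.get("site", []):
            for alert in site.get("alerts", []):
                risk = RISK_NAMES.get(str(alert.get("riskcode")), "informational")
                for inst in alert.get("instances") or [{}]:
                    self.findings.append({
                        "site": site.get("@name"), "plugin": alert.get("pluginid"),
                        "title": alert.get("alert"), "risk": risk, "cwe": alert.get("cweid"),
                        "uri": inst.get("uri"), "param": inst.get("param"),
                    })
        return len(self.findings)

    def findings_by_risk(self):
        """Summary for the test log, e.g. {'high': 2, 'medium': 1, 'low': 1}."""
        return dict(Counter(f["risk"] for f in self.findings))

    def count_findings_at_or_above(self, risk="high"):
        threshold = RISK_ORDER.index(risk.lower())
        return sum(1 for f in self.findings if RISK_ORDER.index(f["risk"]) >= threshold)

    def fail_if_findings_at_or_above(self, risk="high", allowed=0):
        """Raise (Robot reports it as FAIL) when more than `allowed` findings reach the risk level."""
        count = self.count_findings_at_or_above(risk)
        if count > int(allowed):  # Robot passes keyword arguments as strings
            raise AssertionError(f"{count} finding(s) at risk '{risk}' or above; allowed {allowed}")
        return count


if __name__ == "__main__":
    gate = ZapGate()
    print(gate.load_zap_report(SAMPLE_ZAP_REPORT), "findings:", gate.findings_by_risk())
```

Loaded into a suite with `Library    zap_gate.py`, the keywords read like the rest of slide 33: `Load Zap Report    ${REPORT_JSON}`, then `Fail If Findings At Or Above    high    0`. Keeping the threshold as keyword arguments rather than in Python is what lets QA own the gate without touching the library.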
  34. Gauge Demo

  35. Github Actions

  36. Step Functions
    • Coordinate AWS services into Serverless Workflows
    • Can be used for:
      • AWS Lambda
      • Fargate
      • Sagemaker

  37. Step Functions States
    • Task
    • Choice
    • Fail/Succeed
    • Pass
    • Wait
    • Parallel
    • Map

  38. Benefits
    • Modeling complex workflows
    • Event-driven => Invoked only as required
    • No Persistent Compute/Service
    • Engineering/Developer-first workflow

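Added example (not from the deck): a security workflow expressed as a Step Functions state machine in Amazon States Language, using the state types from slide 37 (Task, Parallel, Choice, Pass, Succeed, Fail), plus a small local runner so the definition can be exercised offline. The runner is a stand-in written for this example: plain Python callables replace the Lambda or Fargate tasks a real deployment would invoke, the `arn:example:*` strings are placeholders rather than real ARNs, and the runner supports only dotted `$.key` paths and two numeric comparators. The task results are constructed. What it shows is the shape of the workflow: clone, scan in parallel, summarize, then a Choice state that routes critical findings to a Fail state so no persistent CI server is needed to make that decision.

```python
"""Local runner for a Step Functions-style security workflow (added example, constructed)."""
import json


def clone_repo(inp):
    # Stand-in for a container task that clones the repository.
    return {**inp, "workdir": "/work/" + inp["repo"].rsplit("/", 1)[-1]}


def run_sast(inp):
    # Constructed result: a repo named "vuln-app" yields one critical finding.
    return {"tool": "sast", "critical": 1 if inp["repo"].endswith("vuln-app") else 0, "total": 2}


def run_dependency_audit(inp):
    return {"tool": "dependency-audit", "critical": 0, "total": 3}


def summarize(branch_outputs):
    # A Parallel state's output is the list of its branch outputs.
    return {"critical": sum(b["critical"] for b in branch_outputs),
            "total": sum(b["total"] for b in branch_outputs)}


# Placeholder ARNs mapped to local callables; a real machine would name Lambda/Fargate resources.
RESOURCES = {"arn:example:clone": clone_repo, "arn:example:sast": run_sast,
             "arn:example:dependency-audit": run_dependency_audit, "arn:example:summarize": summarize}

DEFINITION = {
    "StartAt": "CloneRepo",
    "States": {
        "CloneRepo": {"Type": "Task", "Resource": "arn:example:clone", "Next": "Scan"},
        "Scan": {"Type": "Parallel", "Next": "Summarize", "Branches": [
            {"StartAt": "SAST", "States": {
                "SAST": {"Type": "Task", "Resource": "arn:example:sast", "End": True}}},
            {"StartAt": "DepAudit", "States": {
                "DepAudit": {"Type": "Task", "Resource": "arn:example:dependency-audit", "End": True}}}]},
        "Summarize": {"Type": "Task", "Resource": "arn:example:summarize", "Next": "Gate"},
        "Gate": {"Type": "Choice", "Default": "Publish", "Choices": [
            {"Variable": "$.critical", "NumericGreaterThan": 0, "Next": "BlockRelease"}]},
        "Publish": {"Type": "Pass", "Result": {"published": True}, "Next": "Done"},
        "Done": {"Type": "Succeed"},
        "BlockRelease": {"Type": "Fail", "Error": "CriticalFindings",
                         "Cause": "fix critical findings before release"},
    },
}

COMPARATORS = {"NumericGreaterThan": lambda actual, expected: actual > expected,
               "NumericGreaterThanEquals": lambda actual, expected: actual >= expected}


def lookup(path, data):
    """Resolve a simple JSONPath such as "$.critical" (dotted keys only; an assumption of this runner)."""
    value = data
    for key in (path[2:].split(".") if path.startswith("$.") else []):
        value = value[key]
    return value


def choice_matches(rule, data):
    actual = lookup(rule["Variable"], data)
    for name, compare in COMPARATORS.items():
        if name in rule:
            return compare(actual, rule[name])
    raise ValueError("unsupported choice rule: " + json.dumps(rule))


def run(machine, state_input):
    """Execute from StartAt until Succeed, Fail or End; returns status, output and the visited path."""
    states, name, data, path = machine["States"], machine["StartAt"], state_input, []
    while True:
        state = states[name]
        path.append(name)
        kind = state["Type"]
        if kind == "Choice":  # routes on the current data, leaves it unchanged
            name = next((c["Next"] for c in state["Choices"] if choice_matches(c, data)), state["Default"])
            continue
        if kind == "Succeed":
            return {"status": "SUCCEEDED", "output": data, "path": path}
        if kind == "Fail":
            return {"status": "FAILED", "error": state.get("Error"), "cause": state.get("Cause"), "path": path}
        if kind == "Task":
            data = RESOURCES[state["Resource"]](data)
        elif kind == "Pass":
            data = state.get("Result", data)  # a Result without ResultPath replaces the input
        elif kind == "Parallel":
            results = [run(branch, data) for branch in state["Branches"]]
            failed = next((r for r in results if r["status"] == "FAILED"), None)
            if failed:
                return {**failed, "path": path + failed["path"]}
            data = [r["output"] for r in results]
        else:
            raise ValueError("unsupported state type: " + kind)
        if state.get("End"):
            return {"status": "SUCCEEDED", "output": data, "path": path}
        name = state["Next"]


if __name__ == "__main__":
    for repo in ("https://example.invalid/org/clean-app", "https://example.invalid/org/vuln-app"):
        print(repo, "->", json.dumps(run(DEFINITION, {"repo": repo})))
```

`DEFINITION` is the part that would be deployed; `json.dumps(DEFINITION)` is the document the service accepts, and the Fail state's `Error`/`Cause` is what a caller (a GitHub Action, a Slack notifier) sees when the gate blocks a release.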
  39. (image-only slide)

  40. Demo

  41. DAST/IAST Workflows

  42. Data Consumption Possibilities
    • Orchestron/Other Vulnerability Management tool
    • Athena (equivalent) to query and render results
    • Slack/JIRA push, etc

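Added example (not from the deck): what "object storage plus Athena" looks like from the tool side. The `npm audit` step on slide 33 produces nested JSON per advisory; to query it across repos and scans it is flattened into one record per vulnerable dependency path and written as newline-delimited JSON, which is the layout Athena's JSON SerDe reads from S3 one object per line. SQLite is used here as an offline stand-in for Athena so the query runs locally; the SQL is the same shape you would run against the Athena table. The audit report is constructed in the npm 6 `advisories` format, and the advisory ids and the `CVE-XXXX-0001` value are placeholders, not real identifiers.

```python
"""Normalize npm audit JSON to JSONL records and query them (added example; SQLite stands in for Athena)."""
import json
import sqlite3

# Constructed npm 6 style `npm audit --json` output; ids and the CVE value are placeholders.
SAMPLE_NPM_AUDIT = json.dumps({
    "advisories": {
        "1001": {"id": 1001, "module_name": "lodash", "severity": "high", "title": "Prototype Pollution",
                 "cves": ["CVE-XXXX-0001"], "vulnerable_versions": "<4.17.12", "patched_versions": ">=4.17.12",
                 "findings": [{"version": "4.17.4", "paths": ["lodash", "express-validator>lodash"]}]},
        "1002": {"id": 1002, "module_name": "minimist", "severity": "moderate", "title": "Prototype Pollution",
                 "cves": [], "vulnerable_versions": "<0.2.1", "patched_versions": ">=0.2.1",
                 "findings": [{"version": "0.0.8", "paths": ["mocha>mkdirp>minimist"]}]},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1, "high": 1, "critical": 0}},
})


def normalize_npm_audit(report_json, repo, scanned_at):
    """One flat record per advisory finding path; repo and scan time are added for cross-scan queries."""
    report = json.loads(report_json)
    records = []
    for adv in report.get("advisories", {}).values():
        for finding in adv.get("findings", []):
            for path in finding.get("paths") or [adv["module_name"]]:
                records.append({
                    "repo": repo, "scanned_at": scanned_at, "tool": "npm-audit",
                    "advisory_id": adv["id"], "package": adv["module_name"],
                    "version": finding.get("version"), "dependency_path": path,
                    "severity": adv["severity"], "title": adv["title"],
                    "patched_versions": adv.get("patched_versions"),
                })
    return records


def to_jsonl(records):
    """Newline-delimited JSON: one object per line, as the Athena JSON SerDe expects."""
    return "".join(json.dumps(r, sort_keys=True) + "\n" for r in records)


def query_jsonl(jsonl_text, sql):
    """Load JSONL into an in-memory SQLite table `findings` and run `sql` against it."""
    rows = [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]
    # Column names come from the record keys this module emits, not from untrusted input.
    cols = sorted({key for row in rows for key in row})
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE findings (%s)" % ", ".join(cols))
    con.executemany("INSERT INTO findings (%s) VALUES (%s)" % (", ".join(cols), ", ".join("?" for _ in cols)),
                    [[row.get(c) for c in cols] for row in rows])
    return [tuple(r) for r in con.execute(sql).fetchall()]


SEVERITY_SUMMARY = "SELECT severity, COUNT(*) FROM findings GROUP BY severity ORDER BY severity"
HIGH_PATHS = ("SELECT package, dependency_path FROM findings "
              "WHERE severity IN ('high', 'critical') ORDER BY dependency_path")


if __name__ == "__main__":
    jsonl = to_jsonl(normalize_npm_audit(SAMPLE_NPM_AUDIT, "example-app", "2020-05-26T00:00:00Z"))
    print(jsonl, end="")
    print(query_jsonl(jsonl, SEVERITY_SUMMARY))
    print(query_jsonl(jsonl, HIGH_PATHS))
```

The same records can feed the other two bullets: a vulnerability management tool ingests the JSONL as-is, and the `HIGH_PATHS` result is the list a Slack or JIRA push would carry. Keeping `repo` and `scanned_at` on every record is what makes "which repos still ship this package?" a one-line query rather than a per-pipeline dashboard.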
  43. Conclusions
    • Think Feedback more than force-fitting into Pipelines
    • Think beyond CI tools to run CIs. There are some significant constraints
    • Speed and High Signal Ratio is very important for you to be more effective
    • Leverage Cloud-Native tooling for “born in cloud/container-dependent” services