
Practical DevSecOps Pipelines


A Practical View of Security Toolchains for DevSecOps

Several organizations are seeing the need to embed security into their Software Development Lifecycle, largely driven by Agile and DevOps transformation projects within engineering teams. However, DevSecOps implementations face several challenges in the real world.

This talk explores different types of DevSecOps toolchains. It is based on real-world projects, from which we identify patterns that work. Throughout the talk, demos show pipelines and tool orchestration possibilities (including parameterized DAST and IAST).


Abhay Bhargav

May 26, 2020

Transcript

  1. Copyright © we45 2020 abhaybhargav. Practical DevSecOps Pipelines. Abhay Bhargav, we45
  2. Yours Truly
     • Founder @ we45
     • Chief Architect - Orchestron
     • Avid Pythonista and AppSec Automation Junkie
     • Trainer/Speaker at DEF CON, BlackHat, OWASP Events, etc. world-wide
     • Lead Trainer - we45 Training and Workshops
     • Co-author of Secure Java For Web Application Development
     • Author of PCI Compliance: A Definitive Guide
  3. Virtual Training
     • DevSecOps MasterClass => 1 & 2 July 2020
     • Attacking and Defending Containers, Kubernetes and Serverless => June 22-25 2020
     • Significant Discount on all courses
     • URL: store.we45.com
     • Get Live Training + Access to Labs + Access to Videos + Certification =
  4. Conference Training
  5. we45 Community Initiatives
     • YouTube Channel: youtube.com/we45-appsec
     • Blog: we45.com/blog
     • Talks/Workshops at several OWASP Events
  6. Agenda
     • CI Problems with Security Tools
     • Security Problems with CI Tools
     • Developments in Static Analysis
     • Cloud-Native Pipelines - A New Hope
     • Demos
     • FIN
  7. Pray to the Demo Gods
  8. CI Problems with Security Tools
     • “Run MY tool. See MY Dashboard”
     • Inconsistent APIs
     • Long-running jobs
  9. Security Tools - It's all about me!
  10. Security Tool Narcissism
  11. Long-running jobs
  12. Blocking Good Feedback a.k.a. Security(-Usability) Issues with CI Tools
  13. “Jenkins is the WordPress of CI” – Several unsung security heroes
  14. “There’s something very ironic about finding RCEs in an RCE platform” – Abhay Bhargav
  15. Let’s play Outcome Jeopardy!
     • Authentication Bypass => RCE!
     • AuthZ Bypass => RCE!
     • XSS => RCE!
     • RCE => RCE!
  16. On top of that…
     • Not very CD friendly - especially for “born in cloud” services
     • Not very cloud/container-native friendly
     • Not very microservices friendly
  17. And in many cases ….
  18. Better (more Practical) DevSecOps Pipelines
  19. Areas of Focus
     • A more effective world of Static Analysis
     • Test Automation weds DAST/IAST
     • Cloud-Native DevOps Pipelines
  20. SAST Tools
     • Multi-Language (Typically Commercial) SAST Tools: Multi-Language and Platform; Combination of AST and Regex; Source-Sink and linked usage functionality
     • Single Language/Platform (Typically OSS) SAST Tools: Single Language or Platform; Typically AST-based Scanning Tools; No Source-Sink, typically File- and Line-based analysis
     • Semantic Grep/QL Tools: New Category of SAST Analysis; Semantic Grep or Queries against Source Code (like SQL); Aims at uncovering flaws at scale
  21. SAST Test Approaches
     • Good ol’ Regular Expressions
     • Abstract Syntax Trees
     • Semantic Grep or QL
  22. Errors: Code Comments
        # Don’t use this!! jwt.decode(something, secret, verify=False)
  23. SAST with AST
  24. AST example with Python
        call
          nil
          jwt.decode
          args
            local “verify”
  25. Semgrep and CodeQL
  26. Demo
  27. A New Hope
  28. A (Better) alternative?
     • No Persistent Compute => Typically with Orchestration (Container)
     • Cloud-Native:
       • Integrated Secrets Management
       • Centralized IAM Implementation
       • Object Storage
       • Query Tools (Athena)
  29. In addition…
     • Closer to developer workflows => GitHub, GitLab, AWS
     • Container-Native workflows
  30. Existing Options
  31. Some unconventional approaches
     • Test Automation Frameworks for Security Workflows
     • Step Functions (State Machines)
     • Flows with Container Orchestration
  32. Test Automation Driven Workflows
     • Test Automation Frameworks can be used to trigger all kinds of security workflows
     • Frameworks like Robot Framework and Gauge are low-maintenance and low-code
     • Much more suited to developer and QA workflows
  33. Robot Framework
        *** Test Cases ***
        Clone repo from Github
            clone repository from url    ${GIT_URL}    ${TO_PATH}

        Run NodeJSScanner
            run nodejsscan against source    ${TO_PATH}    ${RESULTS_PATH}
            nodejsscan write to orchy    ${RESULTS_PATH}/nodejsscan.json    ${SECRET}    ${ACCESS}    ${HOOK}

        Run NPM Audit against packageJSON
            run npmaudit against source    ${TO_PATH}    ${RESULTS_PATH}
            npmaudit write to orchy    ${RESULTS_PATH}/npm_audit.json    ${SECRET}    ${ACCESS}    ${HOOK}

        Initialize ZAP
            [Tags]    zap_init
            start gui zap    ${ZAP_PATH}
            sleep    10
            zap open url    http://${TARGET_URI}

        Authenticate to Cut the Funds as Admin
            [Tags]    walk_web_service
            &{res}=    POST    /users/login    {"email": "andy.roberts@widget.co", "password": "spiderman"}
            Integer    response status    200
            Boolean    response body auth    true
            set suite variable    ${TOKEN}    ${res.body["token"]}
            log    ${TOKEN}
  34. Gauge Demo
  35. GitHub Actions
  36. Step Functions
     • Coordinate AWS services into Serverless Workflows
     • Can be used for: AWS Lambda, Fargate, SageMaker
  37. Step Functions States
     • Task
     • Choice
     • Fail/Succeed
     • Pass
     • Wait
     • Parallel
     • Map
  38. Benefits
     • Modeling complex workflows
     • Event-driven => Invoked only as required
     • No Persistent Compute/Service
     • Engineering/Developer-first workflow
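The states from slide 37 put to work on the slide 36 to 38 idea, as an added example that is not from the talk or from we45's tooling: an Amazon States Language definition for a SAST plus dependency-audit fan-out on Fargate with a severity gate, built as a Python dict, plus a small check for the most common authoring mistake (a Next or Default that names a state which does not exist). The task definitions, the triage Lambda ARN and the $.max_severity field are assumptions.

```python
# Constructed example: a scan workflow as an Amazon States Language definition,
# built as a Python dict. Task definitions and the Lambda ARN are placeholders.
SCAN_WORKFLOW = {
    "Comment": "SAST and dependency audit fan-out, then a severity gate",
    "StartAt": "RunScans",
    "States": {
        "RunScans": {  # Parallel: both Fargate tasks run at once, no persistent runner
            "Type": "Parallel",
            "Branches": [
                {"StartAt": "SAST", "States": {"SAST": {
                    "Type": "Task", "Resource": "arn:aws:states:::ecs:runTask.sync",
                    "Parameters": {"TaskDefinition": "PLACEHOLDER_SAST_TASKDEF"},
                    "End": True}}},
                {"StartAt": "DependencyAudit", "States": {"DependencyAudit": {
                    "Type": "Task", "Resource": "arn:aws:states:::ecs:runTask.sync",
                    "Parameters": {"TaskDefinition": "PLACEHOLDER_AUDIT_TASKDEF"},
                    "End": True}}},
            ],
            "Next": "Triage",
        },
        "Triage": {  # Lambda that merges both result sets and records the max severity
            "Type": "Task", "Resource": "PLACEHOLDER_TRIAGE_LAMBDA_ARN",
            "Next": "GateOnSeverity",
        },
        "GateOnSeverity": {  # Choice: only high findings block; the rest is feedback
            "Type": "Choice",
            "Choices": [{"Variable": "$.max_severity", "StringEquals": "high",
                         "Next": "Blocked"}],
            "Default": "Passed",
        },
        "Blocked": {"Type": "Fail", "Error": "HighSeverityFindings"},
        "Passed": {"Type": "Succeed"},
    },
}


def unresolved_transitions(machine):
    """Return StartAt/Next/Default targets that name no state in their scope.

    Each Parallel branch is its own scope, so branches are checked recursively.
    """
    states = machine["States"]
    targets = [machine.get("StartAt")]
    missing = []
    for state in states.values():
        targets += [state.get("Next"), state.get("Default")]
        targets += [c.get("Next") for c in state.get("Choices", [])]
        for branch in state.get("Branches", []):
            missing += unresolved_transitions(branch)
    return missing + [t for t in targets if t is not None and t not in states]
```

json.dumps(SCAN_WORKFLOW) is the definition string handed to the Step Functions create-state-machine call once the check returns an empty list.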
  39. (no text on this slide)
  40. Demo
  41. DAST/IAST Workflows
  42. Data Consumption Possibilities
     • Orchestron/Other Vulnerability Management tool
     • Athena (equivalent) to query and render results
     • Slack/JIRA push, etc.
  43. Conclusions
     • Think Feedback more than force-fitting into Pipelines
     • Think beyond CI tools to run CIs. There are some significant constraints
     • Speed and a High Signal Ratio are very important for you to be more effective
     • Leverage Cloud-Native tooling for “born in cloud/container-dependent” services