Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OSS-based environmental investigations to enable vulnerability mitigation in DevSecOps schemes

OSS-based environmental investigations to enable vulnerability mitigation in DevSecOps schemes

SeaOtter (Kentaro Mori)

August 29, 2023
Tweet

More Decks by SeaOtter (Kentaro Mori)

Other Decks in Science

Transcript

  1. OSS-based environmental investigations to enable
    vulnerability mitigation in DevSecOps schemes
    Kentaro Mori

    View full-size slide

  2. Table of contents
    1. Research Background
    2. Vulnerability reduction techniques
    3. Building a Verification Environment
    4. Discussion on verification results
    5. Contribution of this survey

    View full-size slide

  3. Research Background

    View full-size slide

  4. 1. Research Background (1)
    ・In recent years, the development method called DevOps has been attracting attention in software
    development
    ・DevOps is a development method that integrates development and operations teams
    to realize rapid implementation and operation.
    ・DevOps development has been pointed out to have the problem that security measures are not
    sufficiently implemented.
    Figure 1: What is DevOps ?

    View full-size slide

  5. 1. Research Background (2)
    ・ DevSecOps development methods that incorporate security into DevOps
    ・ Aiming to ensure security throughout the entire application lifecycle
    ・ In DevSecOps development, not only developers and operators but also security personnel participate
    in development,Automate and perform security checks and vulnerability assessments of source code
    and infrastructure
    Figure 2: What is DevSecOps?
    security

    View full-size slide

  6. 1. Research Background (3)
    ・In this research study, I investigated whether it is possible to reduce vulnerabilities by
    building an OSS-based development environment under a DevSecOps scheme that includes
    security measures in DevOps, and examined the survey results.

    View full-size slide

  7. Vulnerability reduction techniques

    View full-size slide

  8. 2. Vulnerability reduction method (1)
    A vulnerability is a security flaw or weakness in an application or system that can be exploited by an attacker.
    Vulnerability management in DevSecOps is implemented as a continuous, automated process.
    plan
    develo
    pment
    build
    release
    applicati
    on
    Vulnerab
    ility
    Manage
    ment
    Figure 3: DevSecOps lifecycle stages

    View full-size slide

  9. 2. Vulnerability reduction methods (2)
    ・ Threat analysis: The process of identifying, assessing, and counteracting against potential threats and
    risks in applications and systems.
    ・Source code can: Detect credential information and vulnerabilities contained in source code.
    ・Vulnerability scanning: Scanning to detect known vulnerabilities.
    ・Policy checks: Checks and verifications against security requirements and standards to be met.
    ・Security testing: Penetration testing to detect vulnerabilities.

    View full-size slide

  10. Building a Verification Environment

    View full-size slide

  11. 3. Building a verification environment - (1)
    A sample app that builds a DevSecOps verification environment using OSS products on the public cloud
    service Azure, performs
    a five-step security check on the sample app, and confirms the number and type of vulnerabilities
    < Sample App >
    Languages: Python v3.9.6, Node.js v14.17.3, .NET v5.0.8
    DB: Redis v6.2.4, Postgres v13.3
    Container: Docker v20.10.7
    < Security Check>
    (1) Source Code Scanning
    (2) Container Image Scanning
    (3) Kubernetes Cluster Scan
    (4) Policy Check
    (5) Penetration Testing
    Figure 4: example-voting-app

    View full-size slide

  12. 3. Building a verification environment - (1-)

    (2) Container image
    scanning
    (3) Kubernetes
    cluster scan
    (4) Policy check
    (5) Penetration test
    Source code
    scanning

    View full-size slide

  13. 3. Building a verification environment - (2)
    Test Results
    ・GitHub Advanced Security Dependency Diagnosis Identifies Node.js Package Vulnerability
    ・ Trivy‘s image scan detects that security patches are missing from the host image
    and that there are security update issues in the language you are using.
    ・Kube-hunter's diagnosis detects vulnerabilities such as pod exposure and container exposure.
    ・OWASP ZAP vulnerability assessment detects session management issues and security header issues.

    View full-size slide

  14. Discussion on verification results

    View full-size slide

  15. 4. Consideration of verification results - (1) Consideration
    of construction results
    〇 Vulnerabilities found in conventional security tests can be detected at an early stage of development.
    △ Even if you build a DevSecOps environment, you cannot completely eliminate application vulnerabilities
    therefore, it is necessary to implement measures using SIEM and perform security triage (described later)
    △ DevSecOps takes time to build the environment itself In this survey, even if you have DevOps development
    experience, it takes about 40 hours to build this verification environment.

    View full-size slide

  16. 4. Consideration of verification results - (2) Consideration of security
    measures
    < Test results, implement >
    ・ SIEM to monitor security events in real time and detect anomalous patterns.
    ・Prioritize security triage of vulnerabilities based on indicators such as urgency and importance.
    < Network >
    ・ It is possible to prevent external attacks by building the development environment in the intranet and installing
    WAF at the L7 level and FW at the L4 level at the boundary with the Internet.
    ・ Network-level segmentation by configuring a Hub&Spoke network.
    < Effective use of schemes >
    ・With the introduction of threat analysis, a team structure that considers system security from the planning stage is
    required.

    View full-size slide

  17. Contribution of this survey

    View full-size slide

  18. 5. Contribution of this survey
    ・Demonstrate that the construction of an OSS-based DevSecOps environment can reduce system
    vulnerabilities
    ・Clarified the cost, man-hour advantages, and disadvantages of the DevSecOps scheme using OSS.
    ・Presented a security countermeasure method that takes a bird's-eye view of the entire development and
    operation phases
    ・ Demonstrated methods to improve security skills within the team based on threat analysis

    View full-size slide

  19. Image Reference
    Figure 1: What is DevOps ?
    https://www.dynatrace.com/news/blog/what-is-devops/
    Figure 2: What is DevSecOps?
    https://www.dynatrace.com/news/blog/what-is-devsecops/
    Figure 3: DevSecOps lifecycle stageshttps://learn.microsoft.com/en-
    us/azure/architecture/guide/devsecops/devsecops-on-aks#devsecops-lifecycle-stages
    Figure 4: example-voting-apphttps://github.com/dockersamples/example-voting-app#architecture

    View full-size slide