OSS-based environmental investigations to enable vulnerability mitigation in DevSecOps schemes

Transcript

1. OSS-based environmental investigations to enable
   vulnerability mitigation in DevSecOps schemes
   Kentaro Mori
   

   View Slide

2. Table of contents
   1. Research Background
   2. Vulnerability reduction techniques
   3. Building a Verification Environment
   4. Discussion on verification results
   5. Contribution of this survey
   

   View Slide

3. Research Background
   

   View Slide

4. 1. Research Background (1)
   ・In recent years, the development method called DevOps has been attracting attention in software
   development
   ・DevOps is a development method that integrates development and operations teams
   to realize rapid implementation and operation.
   ・DevOps development has been pointed out to have the problem that security measures are not
   sufficiently implemented.
   Figure 1: What is DevOps ?
   

   View Slide

5. 1. Research Background (2)
   ・ DevSecOps development methods that incorporate security into DevOps
   ・ Aiming to ensure security throughout the entire application lifecycle
   ・ In DevSecOps development, not only developers and operators but also security personnel participate
   in development,Automate and perform security checks and vulnerability assessments of source code
   and infrastructure
   Figure 2: What is DevSecOps?
   security
   

   View Slide

6. 1. Research Background (3)
   ・In this research study, I investigated whether it is possible to reduce vulnerabilities by
   building an OSS-based development environment under a DevSecOps scheme that includes
   security measures in DevOps, and examined the survey results.
   

   View Slide

7. Vulnerability reduction techniques
   

   View Slide

8. 2. Vulnerability reduction method (1)
   A vulnerability is a security flaw or weakness in an application or system that can be exploited by an attacker.
   Vulnerability management in DevSecOps is implemented as a continuous, automated process.
   plan
   develo
   pment
   build
   release
   applicati
   on
   Vulnerab
   ility
   Manage
   ment
   Figure 3: DevSecOps lifecycle stages
   

   View Slide

9. 2. Vulnerability reduction methods (2)
   ・ Threat analysis: The process of identifying, assessing, and counteracting against potential threats and
   risks in applications and systems.
   ・Source code can: Detect credential information and vulnerabilities contained in source code.
   ・Vulnerability scanning: Scanning to detect known vulnerabilities.
   ・Policy checks: Checks and verifications against security requirements and standards to be met.
   ・Security testing: Penetration testing to detect vulnerabilities.
   

   View Slide

10. Building a Verification Environment
    

    View Slide

11. 3. Building a verification environment - (1)
    A sample app that builds a DevSecOps verification environment using OSS products on the public cloud
    service Azure, performs
    a five-step security check on the sample app, and confirms the number and type of vulnerabilities
    < Sample App >
    Languages: Python v3.9.6, Node.js v14.17.3, .NET v5.0.8
    DB: Redis v6.2.4, Postgres v13.3
    Container: Docker v20.10.7
    < Security Check>
    (1) Source Code Scanning
    (2) Container Image Scanning
    (3) Kubernetes Cluster Scan
    (4) Policy Check
    (5) Penetration Testing
    Figure 4: example-voting-app
    

    View Slide

12. 3. Building a verification environment - (1-)
    ①
    (2) Container image
    scanning
    (3) Kubernetes
    cluster scan
    (4) Policy check
    (5) Penetration test
    Source code
    scanning
    

    View Slide

13. 3. Building a verification environment - (2)
    Test Results
    ・GitHub Advanced Security Dependency Diagnosis Identifies Node.js Package Vulnerability
    ・ Trivy‘s image scan detects that security patches are missing from the host image
    and that there are security update issues in the language you are using.
    ・Kube-hunter's diagnosis detects vulnerabilities such as pod exposure and container exposure.
    ・OWASP ZAP vulnerability assessment detects session management issues and security header issues.
    

    View Slide

14. Discussion on verification results
    

    View Slide

15. 4. Consideration of verification results - (1) Consideration
    of construction results
    〇 Vulnerabilities found in conventional security tests can be detected at an early stage of development.
    △ Even if you build a DevSecOps environment, you cannot completely eliminate application vulnerabilities
    therefore, it is necessary to implement measures using SIEM and perform security triage (described later)
    △ DevSecOps takes time to build the environment itself In this survey, even if you have DevOps development
    experience, it takes about 40 hours to build this verification environment.
    

    View Slide

16. 4. Consideration of verification results - (2) Consideration of security
    measures
    < Test results, implement >
    ・ SIEM to monitor security events in real time and detect anomalous patterns.
    ・Prioritize security triage of vulnerabilities based on indicators such as urgency and importance.
    < Network >
    ・ It is possible to prevent external attacks by building the development environment in the intranet and installing
    WAF at the L7 level and FW at the L4 level at the boundary with the Internet.
    ・ Network-level segmentation by configuring a Hub&Spoke network.
    < Effective use of schemes >
    ・With the introduction of threat analysis, a team structure that considers system security from the planning stage is
    required.
    

    View Slide

17. Contribution of this survey
    

    View Slide

18. 5. Contribution of this survey
    ・Demonstrate that the construction of an OSS-based DevSecOps environment can reduce system
    vulnerabilities
    ・Clarified the cost, man-hour advantages, and disadvantages of the DevSecOps scheme using OSS.
    ・Presented a security countermeasure method that takes a bird's-eye view of the entire development and
    operation phases
    ・ Demonstrated methods to improve security skills within the team based on threat analysis
    

    View Slide

19. Image Reference
    Figure 1: What is DevOps ?
    https://www.dynatrace.com/news/blog/what-is-devops/
    Figure 2: What is DevSecOps?
    https://www.dynatrace.com/news/blog/what-is-devsecops/
    Figure 3: DevSecOps lifecycle stageshttps://learn.microsoft.com/en-
    us/azure/architecture/guide/devsecops/devsecops-on-aks#devsecops-lifecycle-stages
    Figure 4: example-voting-apphttps://github.com/dockersamples/example-voting-app#architecture
    

    View Slide