About me
CISSP Professional
• What I do:
  • DevSecOps
  • Vulnerability management
  • Design architecture of infrastructure (AWS/Azure)
  • Development
• Twitter: @alekseidremin
Why do we need security in our CI/CD pipeline?
code
• Know which libraries we’re using. Licensing issues? Vulnerabilities?
• Find the problems as early as possible: shift left
• The company is growing very quickly: this cannot be a manual process
Dependency Checkers?
audit
• Snyk
• Safety
• RetireJS
• Commercial:
  • WhiteHat
  • Veracode (https://www.sourceclear.com/)
  • Nexus-auditor
  • PT Application Inspector
  • and many others
Most commercial SAST products already include this feature by default.
Internal vulnerability database dependency checker
Python code third party libraries
• Can be your database, or someone else’s (e.g., NIST NVD)
• Get it here: https://github.com/pyupio/safety
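The internal-database dependency checker described on this slide, written out as an added Python example. This is not the talk's code and not the Safety tool: it reads a requirements.txt, compares each pinned version against a small vulnerability database that uses pip-style version specifiers, and also reports packages that are not pinned, because an unpinned package cannot be checked at all. The database records, the INT-000x advisory ids and the sample requirements are all constructed for the example.

```python
"""Check a requirements.txt against an internal vulnerability database.

Added example, not code from the talk or from the Safety project.
The database format, advisory ids and package/version data are constructed.
"""
import re

# Constructed internal vulnerability database: package, affected version
# range (pip-style specifiers, comma = AND) and a placeholder advisory id.
VULN_DB = [
    {"package": "django", "spec": ">=2.2,<2.2.8", "id": "INT-0001", "severity": "high"},
    {"package": "requests", "spec": "<2.20.0", "id": "INT-0002", "severity": "medium"},
    {"package": "pyyaml", "spec": "<5.1", "id": "INT-0003", "severity": "high"},
]

# Constructed requirements.txt content, as a CI job would read it from the repo.
SAMPLE_REQUIREMENTS = """\
# pinned app dependencies
Django==2.2.3
requests==2.21.0
PyYAML==5.3.1  # upgraded last sprint
boto3>=1.9
"""

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}

def parse_version(v: str) -> tuple:
    """Turn '2.2.3' into (2, 2, 3). Pre-release tags are dropped, which is
    good enough for this example but not for a production comparator."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def _pad(a: tuple, b: tuple):
    """Right-pad with zeros so (2, 2) compares equal to (2, 2, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))

def matches_spec(version: str, spec: str) -> bool:
    """True if version satisfies every comma-separated clause of spec."""
    ver = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|!=|<|>)\s*([\w.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, bound = m.groups()
        a, b = _pad(ver, parse_version(bound))
        if not _OPS[op](a, b):
            return False
    return True

def parse_requirements(text: str) -> dict:
    """Return {package_lowercase: version} for '==' pins; unpinned packages
    get version None so they can be reported separately."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.\-]+)\s*==\s*([\w.]+)", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
        else:
            name = re.match(r"[A-Za-z0-9_.\-]+", line).group(0)
            pins[name.lower()] = None
    return pins

def check_requirements(text: str, db=VULN_DB) -> dict:
    """Match every pinned package against the database.
    Returns {'findings': [...], 'unpinned': [...]}."""
    pins = parse_requirements(text)
    findings = []
    for record in db:
        version = pins.get(record["package"])
        if version and matches_spec(version, record["spec"]):
            findings.append({"package": record["package"], "version": version,
                             "id": record["id"], "severity": record["severity"]})
    unpinned = sorted(name for name, v in pins.items() if v is None)
    return {"findings": findings, "unpinned": unpinned}

if __name__ == "__main__":
    result = check_requirements(SAMPLE_REQUIREMENTS)
    for f in result["findings"]:
        print(f"{f['severity'].upper():6} {f['package']}=={f['version']} -> {f['id']}")
    for name in result["unpinned"]:
        print(f"WARN   {name} is not pinned; its version cannot be checked")
```

On the sample input this flags Django 2.2.3 against INT-0001 and warns that boto3 is unpinned; a CI job would fail the build on any finding at or above a chosen severity and upload the full result to the vulnerability management store.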
Catch something dangerous
specific dangerous words in code such as:
• For Django: mark_safe(), extra(), RawSQL
• For React: dangerouslySetInnerHTML() or innerHTML
• Catch changes:
  • What changed and when it happened
  • Configuration files
  • requirements.txt/packages.lock
Check licenses of used dependencies?
provide info about licenses of dependencies
• ScanCode toolkit
• Veracode/WhiteHat and other commercial scanners
• AquaSec checks licenses of libraries in Docker images
Hunt for leaked credentials: problems
But they can’t cover all situations
• Use specialized tools like:
  • GitLeaks
  • TruffleHog
  • Gitrob
  • and many other clones
• User-defined patterns
• Look for the patterns in:
  • log aggregation tools (e.g., Splunk)
  • messaging apps (e.g., Slack)
  • ticket systems such as JIRA
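The "dangerous words" check from the "Catch something dangerous" slide and the user-defined credential patterns from this slide both come down to the same mechanism: a set of regexes run over the files a commit changed, plus a list of files (requirements, lock files, configuration) whose every change is reported. The following added Python example combines the two; it is not the talk's code and not GitLeaks or TruffleHog. The pattern sets, the watched-file list and the sample change set are constructed, and the AWS key value is the placeholder from AWS's own documentation.

```python
"""Scan a change set for dangerous framework calls, credential patterns and
edits to watched files (requirements, lock files, configuration).

Added example; not the talk's code, nor GitLeaks/TruffleHog.  Pattern sets,
the watched-file list and the sample change set are constructed.
"""
import re
from dataclasses import dataclass

@dataclass
class Finding:
    path: str
    line: int
    rule: str
    excerpt: str

# "Dangerous words" from the slides, as regexes applied line by line.
DANGEROUS_CALLS = {
    "django-mark_safe": re.compile(r"\bmark_safe\s*\("),
    "django-extra": re.compile(r"\.extra\s*\("),
    "django-RawSQL": re.compile(r"\bRawSQL\s*\("),
    "react-dangerouslySetInnerHTML": re.compile(r"\bdangerouslySetInnerHTML\b"),
    "dom-innerHTML-assignment": re.compile(r"\.innerHTML\s*="),
}

# User-defined credential patterns (constructed starting set; extend per environment).
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "secret-assignment": re.compile(
        r"(?i)(password|passwd|secret[_a-z]*)\s*=\s*['\"][^'\"]{8,}['\"]"),
}

# Files whose change is reported even without a pattern hit: the slide's
# "what and when it happened" for configuration and dependency files.
WATCHED_FILES = {"requirements.txt", "package-lock.json", "settings.py", "config.yaml"}

def scan_text(path, text, rules):
    """Apply every rule to every line; return one Finding per (line, rule) hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in rules.items():
            if pattern.search(line):
                hits.append(Finding(path, lineno, rule, line.strip()[:80]))
    return hits

def scan_change_set(changed_files):
    """changed_files: {path: new file content}.
    Returns (findings, watched_paths) for the CI job to upload or fail on."""
    findings, watched = [], []
    for path, text in changed_files.items():
        if path.rsplit("/", 1)[-1] in WATCHED_FILES:
            watched.append(path)
        findings += scan_text(path, text, DANGEROUS_CALLS)
        findings += scan_text(path, text, SECRET_PATTERNS)
    return findings, watched

# Constructed change set standing in for the files touched by one commit.
SAMPLE_CHANGE = {
    "app/views.py": (
        "from django.utils.safestring import mark_safe\n"
        "def render_bio(user):\n"
        "    return mark_safe(user.bio)\n"
    ),
    "web/src/Profile.jsx": (
        "export const Profile = ({html}) => (\n"
        "  <div dangerouslySetInnerHTML={{__html: html}} />\n"
        ");\n"
    ),
    "deploy/settings.py": (
        "SECRET_KEY = 'constructed-dummy-value-0123'\n"      # constructed dummy value
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"       # AWS documentation placeholder
    ),
    "requirements.txt": "Django==2.2.3\nrequests==2.21.0\n",
}

if __name__ == "__main__":
    findings, watched = scan_change_set(SAMPLE_CHANGE)
    for f in findings:
        print(f"{f.path}:{f.line}: [{f.rule}] {f.excerpt}")
    for path in watched:
        print(f"watched file changed: {path}")
```

The import of mark_safe is deliberately not flagged, only its call is; the interesting event is the use, and the reviewer gets the file, line and excerpt to decide whether the input is sanitized. The same scan loop can be pointed at exported Slack messages, Splunk search results or JIRA ticket bodies, which is the slide's point: the credential patterns matter outside the repository too.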
Jenkins
running in Jenkins.
• All results are stored in an S3 bucket and in a dedicated vulnerability management database
• Parametrized Jenkins jobs
• Manage Jenkins from source code
Important things about Vulnerability management program
by default
• Your own plugins for uploading the results of security tools
• Equivalent findings get marked as duplicates
Important things about Vulnerability management program
• Similar findings are merged
• Set and show remediation timeframes
• Jira/Slack/Email for notifications
Notifications
reports about new findings every day.
• Get information about which findings are old and no longer appear.
• Maybe the problem was fixed, or something broke in your scans.
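The three preceding slides describe one daily reconciliation: merge equivalent findings, compare today's scan with what the vulnerability management database already holds, attach a remediation deadline per severity, and report findings that have disappeared so someone can confirm whether they were fixed or the scanner broke. The following added Python example implements that loop; it is not the talk's Jenkins plugin or any product's code. The fingerprint rule (tool + rule + path, deliberately without the line number), the SLA table, the tool and rule names and all dates are constructed.

```python
"""Reconcile today's scan results against the vulnerability management store:
merge equivalent findings, track remediation deadlines and detect findings
that no longer appear.

Added example, not the talk's Jenkins plugin or any product's code.  The
fingerprint rule, the SLA table, tool/rule names and all dates are constructed.
"""
import hashlib
from datetime import date, timedelta

# Constructed remediation policy: days allowed per severity.
REMEDIATION_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

def fingerprint(f):
    """Stable id from tool, rule and path only; the line number is left out so
    that edits elsewhere in the file do not turn an old finding into a 'new' one."""
    key = "|".join([f["tool"], f["rule"], f["path"]])
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def merge_duplicates(scan):
    """Collapse findings sharing a fingerprint into one record that keeps every
    reported line and the most severe rating seen."""
    rank = list(REMEDIATION_DAYS)            # critical first, low last
    merged = {}
    for f in scan:
        fp = fingerprint(f)
        if fp not in merged:
            merged[fp] = {**f, "lines": [f["line"]], "duplicates": 0}
            continue
        m = merged[fp]
        m["lines"] = sorted(set(m["lines"]) | {f["line"]})
        m["duplicates"] += 1
        if rank.index(f["severity"]) < rank.index(m["severity"]):
            m["severity"] = f["severity"]
    return merged

def reconcile(store, scan, today):
    """store: {fingerprint: record with 'first_seen'} from previous runs.
    Returns {'new': [...], 'open': [...], 'resolved': [...]}; store is not modified."""
    current = merge_duplicates(scan)
    report = {"new": [], "open": [], "resolved": []}
    for fp, f in current.items():
        if fp in store:
            first_seen = store[fp]["first_seen"]
            due = first_seen + timedelta(days=REMEDIATION_DAYS[f["severity"]])
            report["open"].append({**f, "fingerprint": fp, "first_seen": first_seen,
                                   "due": due, "overdue": today > due})
        else:
            report["new"].append({**f, "fingerprint": fp, "first_seen": today})
    # Present before, absent today: fixed, or the scanner broke.  Either way, notify.
    report["resolved"] = [{**f, "fingerprint": fp}
                          for fp, f in store.items() if fp not in current]
    return report

def notification_lines(report):
    """Plain-text summary suitable for a Slack, Jira or email notification."""
    lines = [f"NEW      {f['tool']}/{f['rule']} {f['path']}:{f['lines']} ({f['severity']})"
             for f in report["new"]]
    lines += [f"{'OVERDUE' if f['overdue'] else 'OPEN   '}  {f['tool']}/{f['rule']} "
              f"{f['path']} due {f['due']}" for f in report["open"]]
    lines += [f"GONE     {f['tool']}/{f['rule']} {f['path']} (verify the fix or the scan)"
              for f in report["resolved"]]
    return lines

# --- constructed sample data: yesterday's store and today's raw scan output ---
TODAY = date(2019, 6, 10)

def _rec(tool, rule, path, severity, first_seen):
    return {"tool": tool, "rule": rule, "path": path,
            "severity": severity, "first_seen": first_seen}

STORE = {fingerprint(r): r for r in [
    _rec("sast", "sql-string-concat", "app/orders.py", "high", date(2019, 4, 1)),
    _rec("depcheck", "INT-0002", "requirements.txt", "medium", date(2019, 6, 1)),
]}

TODAYS_SCAN = [
    {"tool": "sast", "rule": "sql-string-concat", "path": "app/orders.py", "line": 41, "severity": "high"},
    {"tool": "sast", "rule": "sql-string-concat", "path": "app/orders.py", "line": 77, "severity": "medium"},
    {"tool": "depcheck", "rule": "INT-0001", "path": "requirements.txt", "line": 1, "severity": "high"},
]

if __name__ == "__main__":
    for line in notification_lines(reconcile(STORE, TODAYS_SCAN, TODAY)):
        print(line)
```

On the sample data the two SAST hits in app/orders.py merge into one open finding that is already past its 30-day deadline, the new depcheck advisory is reported as NEW, and the old depcheck advisory that no longer appears is reported as GONE rather than silently dropped, which is the check the Notifications slide asks for.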
Developer Education program
• Checkmarx
• Start your internal guideline for developers:
  • Which libs should be used
  • Best security practices for frameworks
• Make friends with the dev team members who care about security
• Transparency of your job for the dev team. Do not only notify them; talking to them is just as important.