Slide 1

qaware.de

Time to Shift Left! Straightforward security tools and technologies for everyday development

Mario-Leander Reimer, [email protected], @LeanderReimer

Image by H. Hach on Pixabay

Slide 2

Mario-Leander Reimer, Principal Software Architect, @LeanderReimer #cloudnativenerd #qaware #gernperDude

Slide 3

Poll: Do you already take security into account during development?

Slide 4

Security: often just a second-class citizen among the other -ilities. QAware | 4

Software Product Quality (ISO 25010)
■ Maintainability: Modularity, Reusability, Analysability, Modifiability, Testability
■ Security: Confidentiality, Integrity, Non-repudiation, Authenticity, Accountability
■ Portability: Adaptability, Installability, Replaceability
■ Compatibility: Co-existence, Interoperability
■ Reliability: Maturity, Availability, Fault Tolerance, Recoverability
■ Efficiency: Time Behaviour, Resource Utilization, Capacity
■ Functional Suitability: Completeness, Correctness, Appropriateness
■ Usability: Operability, Learnability, UI Aesthetics, Accessibility

Slide 5

Meet …

Slide 6

“Too much cognitive load will become a bottleneck for fast flow and high productivity for many teams.”

■ Intrinsic Cognitive Load: relates to fundamental aspects and knowledge in the problem space (e.g. the languages, APIs and frameworks used)
■ Extraneous Cognitive Load: relates to the environment (e.g. console commands, deployment, configuration)
■ Germane Cognitive Load: relates to specific aspects of the business domain (aka "value added" thinking)

Slide 7

Software straight off the assembly line. Shift left means security from day one. Over and over again.

● Security requirements
● Secure components
● Domain Driven Design
● Security Patterns
● OWASP Top 10
● Defensive Programming
● Protection needs analysis
● Attacker analysis
● Dependencies
● Security Testing
● DAST + SAST
● Package Signing
● Container Security
● Infrastructure
● Deployment
● Certificates
● Secrets

Slide 8

221 rules for stable, secure and better code.

● Secure Coding Guidelines for Java SE, Version 9.1, last updated October 2022, https://www.oracle.com/java/technologies/javase/seccodeguide.html
● Java Coding Guidelines, Fred Long, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda
● The CERT™ Oracle™ Secure Coding Standard for Java, Fred Long, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda. Rules are also available online at www.securecoding.cert.org

Slide 9

Software straight off the assembly line.

Slide 10

Software straight off the assembly line: Clean Code and Defensive Programming

Slide 11

Software straight off the assembly line: Concurrency & Thread Programming

Slide 12

Software straight off the assembly line: Secure Programming

Slide 13

lreimer/secure-devex22

Slide 14

Google ErrorProne

```groovy
plugins {
    id 'java'
    id "net.ltgt.errorprone" version "2.0.2"
}

dependencies {
    // dependency for the javac compiler plugin
    errorprone "com.google.errorprone:error_prone_core:2.15.0"
}

tasks.named("compileJava").configure {
    options.errorprone.enabled = true
    // and many other options
}
```

Find common programming mistakes early during development as part of the Java compile phase.

Slide 15

SonarCloud Security Analysis

```groovy
plugins {
    id "jacoco"
    id "org.sonarqube" version "3.4.0.2513"
}

jacocoTestReport {
    reports {
        xml.enabled true
    }
}

sonarqube {
    properties {
        property "sonar.projectKey", "lreimer_secure-devex22"
        property "sonar.organization", "lreimer"
        property "sonar.host.url", "https://sonarcloud.io"
    }
}
```

Sonar can detect 54 security vulnerabilities and 38 security hotspots using static code analysis.

Slide 16

Dependency Vulnerability Scanning

```groovy
plugins {
    id "org.owasp.dependencycheck" version "7.2.1"
}

dependencyCheck {
    cveValidForHours = 24
    failOnError = true
}
```

The compile-time and runtime dependencies of your applications and services can be checked for CVEs regularly using the OWASP dependency-check plugin.

Slide 17

Docker Image Vulnerability Scanning

```shell
# Installation and usage instructions for Docker Lint
# https://github.com/projectatomic/dockerfile_lint
dockerfile_lint -f Dockerfile -r src/test/docker/basic_rules.yaml
dockerfile_lint -f Dockerfile -r src/test/docker/security_rules.yaml

# Installation and usage instructions for Trivy
# https://github.com/aquasecurity/trivy
trivy image -s HIGH,CRITICAL secure-devex22:1.0.0

# Installation and usage instructions for Snyk
# https://docs.snyk.io/snyk-cli/install-the-snyk-cli
snyk container test --file=Dockerfile secure-devex22:1.0.0
```

Several suitable tools can be used to scan your Docker images for vulnerable OS packages and other software components.

Slide 18

Kubernetes Security Scanning

```shell
# see https://github.com/zegl/kube-score
kubectl score k8s/base/microservice-deployment.yaml

# Checkov, see https://github.com/bridgecrewio/checkov
checkov --directory k8s/base
checkov --directory k8s/overlays/int

# Snyk, see https://docs.snyk.io/snyk-cli/install-the-snyk-cli
snyk iac test k8s/base
snyk iac test k8s/overlays/int

# Trivy, see https://github.com/aquasecurity/trivy
trivy k8s -n default --report summary all
trivy k8s -n default --report all all
```

Many security misconfigurations are possible when deploying Kubernetes workloads. Most can be found easily via static code analysis using different tools.

Slide 19

Terraform Security Scanning

```shell
# TFLint and rule sets
# see https://github.com/terraform-linters/tflint
# see https://github.com/terraform-linters/tflint-ruleset-aws
terraform init
terraform plan
tflint

# Checkov
# see https://github.com/bridgecrewio/checkov
checkov --directory aws

# Snyk
# https://docs.snyk.io/snyk-cli/install-the-snyk-cli
snyk iac test aws/
```

Many security misconfigurations of your cloud infrastructure are possible when working with Terraform. Most can be found easily via static code analysis using different tools.

Slide 20

Continuous Developer Experience

```shell
# see https://github.com/pre-commit/pre-commit
brew install pre-commit

# see https://pre-commit.com/hooks.html
# see https://github.com/gruntwork-io/pre-commit
# see https://github.com/antonbabenko/pre-commit-terraform

# install the Git hook scripts
pre-commit install
pre-commit run --all-files

# see https://github.com/lreimer/secure-devex22/actions
# see https://github.com/lreimer/secure-devex22/actions/new?category=security
```

The linters and static analysis tools are ideally run before and with every Git commit and push. GitHub and many other platforms also provide CI and security integration functionality that can be used.
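One way to wire the tools from the previous slides into the GitHub CI and security integration mentioned above, as an added example that is not from the lreimer/secure-devex22 repository: the Gradle build (ErrorProne on compile, OWASP dependency-check) runs on every push, the image from the Docker slide is scanned with Trivy, the Kubernetes manifests are checked with Checkov, and the Trivy SARIF report is uploaded to the repository's Security tab. The file name, action versions and the JDK version are assumptions.

```yaml
# .github/workflows/security.yml (assumed file name)
name: security-scans
on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  security-events: write   # required to upload SARIF results to the Security tab

jobs:
  gradle-checks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-java@v3
        with:
          distribution: temurin
          java-version: '17'   # assumed JDK version for the project
      # compileJava runs ErrorProne; dependencyCheckAnalyze is the task of the
      # OWASP dependency-check plugin (set failBuildOnCVSS in the Gradle config
      # to fail the build above a CVSS threshold, not only on analysis errors)
      - run: ./gradlew build dependencyCheckAnalyze

  image-and-k8s-scans:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: docker build -t secure-devex22:1.0.0 .
      # Trivy: fail the job on unfixed-excluded HIGH/CRITICAL findings, but
      # still write a SARIF report so the findings show up in the Security tab
      - uses: aquasecurity/trivy-action@master
        with:
          image-ref: secure-devex22:1.0.0
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: '1'
          format: sarif
          output: trivy-results.sarif
      # Checkov exits non-zero on failed checks, same as on the Kubernetes slide
      - run: pip install checkov && checkov --directory k8s/base
        if: always()
      - uses: github/codeql-action/upload-sarif@v2
        if: always()   # upload even when the Trivy step failed the job
        with:
          sarif_file: trivy-results.sarif
```

Pinning the actions to release tags instead of master, and adding the Terraform directory to the Checkov step, are the usual next refinements.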

Slide 21

Continuous Security Scanning

```shell
# installing the Starboard Operator and CLI
# see https://aquasecurity.github.io/starboard/
helm repo add aqua https://aquasecurity.github.io/helm-charts/
helm repo update
helm install starboard-operator aqua/starboard-operator \
  --namespace starboard-system --create-namespace \
  --set="trivy.ignoreUnfixed=true" --version 0.10.8

kubectl get vulnerabilityreports --all-namespaces -o wide

kubectl krew install starboard
kubectl starboard install
kubectl starboard scan vulnerabilityreports deployment.apps/nginx-deployment
kubectl starboard get vulnerabilityreports deployment/nginx-deployment -o yaml

# see https://github.com/lreimer/continuous-zapk8s
# see https://www.zaproxy.org/getting-started/
# see https://www.zaproxy.org/docs/docker/api-scan/
```

Slide 22

There is no 100% security! Incorporate security into your daily development process.

Slide 23

Pay your Devs well! Cater for a productive and secure work environment.

Slide 24

qaware.de
QAware GmbH, Aschauer Straße 32, 81549 München
Tel. +49 89 232315-0, [email protected]
twitter.com/qaware
linkedin.com/company/qaware-gmbh
xing.com/companies/qawaregmbh
slideshare.net/qaware
github.com/qaware