qaware.de Time to Shift Left! Unkomplizierte Security Tools und Technologien für den Entwickleralltag Mario-Leander Reimer mario-leander.reimer@qaware.de @LeanderReimer Bild von H. Hach auf Pixabay

2 Mario-Leander Reimer Principal Software Architect @LeanderReimer #cloudnativenerd #qaware #gernperDude

Berücksichtigt ihr Sicherheit bereits während der Entwicklung? ⓘ Start presenting to display the poll results on this slide.

Security. Oft nur ein 2nd Class Citizen unter den anderen -illities. QAware | 4 Software Product Quality (ISO 25010) ● Modularity ● Reusability ● Analysability ● Modifiability ● Testability Maintainability ● Confidentiality ● Integrity ● Non-repudiation ● Authenticity ● Accountability Security ● Adaptability ● Installability ● Replaceability Portability ● Co-existence ● Interoperability Compatibility ● Maturity ● Availability ● Fault Tolerance ● Recoverability Reliability ● Time Behaviour ● Resource Utilization ● Capacity Efficiency ● Completeness ● Correctness ● Appropriateness Functional Suitability ● Operability ● Learnability ● UI Aesthetics ● Accessibility Usability

Meet … QAware | 5

“Too much cognitive load will become a bottleneck for fast flow and high productivity for many teams.” QAware | 6 ■ Intrinsic Cognitive Load Relates to fundamental aspects and knowledge in the problem space (e.g. used languages, APIs, frameworks) ■ Extraneous Cognitive Load Relates to the environment (e.g. console command, deployment, configuration) ■ Germane Cognitive Load Relates to specific aspects of the business domain (aka. „value added“ thinking)

Software wie vom Fließband. Shift Left heißt Sicherheit von Tag 1 an. Immer wieder auf’s Neue. QAware | 7 Sicherheitsanforderungen Sichere Komponenten Domain Driven Design Security Patterns OWASP Top 10 Defensive Programming Schutzbedarfsanalyse Angreifer-Analyse Dependencies Security Testing DAST + SAST Package Signing Container Security Infrastructure Deployment Certificates Secrets

221 Regeln für stabilen, sicheren und besseren Code. QAware | 8 Secure Coding Guidelines for Java SE Version: 9.1, Last updated: October 2022 https://www.oracle.com/java/technologies/javase/seccodeguide.html Java Coding Guidelines Fred Long, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda The CERT™ Oracle™ Secure Coding Standard for Java Fred Long, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda Rules are also available online at www.securecoding.cert.org

Software wie vom Fließband. QAware | 9

Software wie vom Fließband. QAware | 10 Clean Code and Defensive Programming

Software wie vom Fließband. QAware | 11 Concurrency & Thread Programming

Software wie vom Fließband. QAware | 12 Secure Programming

lreimer/secure-devex22

Google ErrorProne QAware | 14 plugins { id 'java' id "net.ltgt.errorprone" version "2.0.2" } dependencies { // dependency for the javac compiler plugin errorprone "com.google.errorprone:error_prone_core:2.15.0" } tasks.named("compileJava").configure { options.errorprone.enabled = true // and many other options } Find common programming mistakes early during development as part of the Java compile phase.

SonarCloud Security Analysis QAware | 15 plugins { id "jacoco" id "org.sonarqube" version "3.4.0.2513" } jacocoTestReport { reports { xml.enabled true } } sonarqube { properties { property "sonar.projectKey", "lreimer_secure-devex22" property "sonar.organization", "lreimer" property "sonar.host.url", "https://sonarcloud.io" } } Sonar can detect 54 security vulnerabilities and 38 security hotspots using static code analysis.

Dependency Vulnerability Scanning QAware | 16 plugins { id "org.owasp.dependencycheck" version "7.2.1" } dependencyCheck { cveValidForHours=24 failOnError=true } The compile time and runtime dependencies of your applications and services can be checked for CVEs regularly using the OWASP dependency check plugin.

Docker Image Vulnerability Scanning QAware | 17 # Installation and usage instructions for Docker Lint # https://github.com/projectatomic/dockerfile_lint dockerfile_lint -f Dockerfile -r src/test/docker/basic_rules.yaml dockerfile_lint -f Dockerfile -r src/test/docker/security_rules.yaml # Installation and usage instructions for Trivy # https://github.com/aquasecurity/trivy trivy image -s HIGH,CRITICAL secure-devex22:1.0.0 # Installation and usage instructions for Snyk # https://docs.snyk.io/snyk-cli/install-the-snyk-cli snyk container test --file=Dockerfile secure-devex22:1.0.0 Several suitable tools can be used to scan your Docker images for vulnerable OS packages and other software components.

Kubernetes Security Scanning QAware | 18 # see https://github.com/zegl/kube-score kubectl score k8s/base/microservice-deployment.yaml # Checkov, see https://github.com/bridgecrewio/checkov checkov --directory k8s/base checkov --directory k8s/overlays/int # Snyk, see https://docs.snyk.io/snyk-cli/install-the-snyk-cli snyk iac test k8s/base snyk iac test k8s/overlays/int # Trivy, see https://github.com/aquasecurity/trivy trivy k8s -n default --report summary all trivy k8s -n default --report all all Many security misconfigurations are possible when deploying Kubernetes workloads. Most can be found easily via static code analysis using different tools.

Terraform Security Scanning QAware | 19 # TFLint und Rule Sets # see https://github.com/terraform-linters/tflint # see https://github.com/terraform-linters/tflint-ruleset-aws terraform init terraform plan tflint # Checkov # see https://github.com/bridgecrewio/checkov checkov --directory aws # Snyk # https://docs.snyk.io/snyk-cli/install-the-snyk-cli snyk iac test aws/ Many security misconfigurations of your cloud infrastructure are possible when working with Terraform. Most can be found easily via static code analysis using different tools.

Continuous Developer Experience QAware | 20 # see https://github.com/pre-commit/pre-commit brew install pre-commit # see https://pre-commit.com/hooks.html # see https://github.com/gruntwork-io/pre-commit # see https://github.com/antonbabenko/pre-commit-terraform # install the Git hook scripts pre-commit install pre-commit run --all-files # see https://github.com/lreimer/secure-devex22/actions # see https://github.com/lreimer/secure-devex22/actions/new?category=security The linters and static analysis tools are ideally run before and with every Git commit and push. Also GitHub and many other platforms provide CI and security integration functionality that can be used.

Continuous Security Scanning QAware | 21 # installing the Starboard Operator and CLI # see https://aquasecurity.github.io/starboard/ helm repo add aqua https://aquasecurity.github.io/helm-charts/ helm repo update helm install starboard-operator aqua/starboard-operator \ --namespace starboard-system --create-namespace \ --set="trivy.ignoreUnfixed=true" --version 0.10.8 kubectl get vulnerabilityreports --all-namespaces -o wide kubectl krew install starboard kubectl starboard install kubectl starboard scan vulnerabilityreports deployment.apps/nginx-deployment kubectl starboard get vulnerabilityreports deployment/nginx-deployment -o yaml # see https://github.com/lreimer/continuous-zapk8s # see https://www.zaproxy.org/getting-started/ # see https://www.zaproxy.org/docs/docker/api-scan/

There is no 100% security! Incorporate security into your daily development process.

Pay your Devs well! Cater for a productive and secure work environment.

qaware.de QAware GmbH Aschauer Straße 32 81549 München Tel. +49 89 232315-0 info@qaware.de twitter.com/qaware linkedin.com/company/qaware-gmbh xing.com/companies/qawaregmbh slideshare.net/qaware github.com/qaware