Slide 1

OSS-based environmental investigations to enable vulnerability mitigation in DevSecOps schemes
Kentaro Mori

Slide 2

Table of contents
1. Research Background
2. Vulnerability reduction techniques
3. Building a Verification Environment
4. Discussion on verification results
5. Contribution of this survey

Slide 3

Research Background

Slide 4

1. Research Background (1)
・In recent years, the development method called DevOps has been attracting attention in software development.
・DevOps is a development method that integrates development and operations teams to realize rapid implementation and operation.
・DevOps development has been pointed out to have the problem that security measures are not sufficiently implemented.
Figure 1: What is DevOps?

Slide 5

1. Research Background (2)
・DevSecOps is a development method that incorporates security into DevOps.
・It aims to ensure security throughout the entire application lifecycle.
・In DevSecOps development, not only developers and operators but also security personnel participate in development, and security checks and vulnerability assessments of source code and infrastructure are automated and performed.
Figure 2: What is DevSecOps?

Slide 6

1. Research Background (3)
・In this research study, I investigated whether it is possible to reduce vulnerabilities by building an OSS-based development environment under a DevSecOps scheme that includes security measures in DevOps, and examined the survey results.

Slide 7

Vulnerability reduction techniques

Slide 8

2. Vulnerability reduction method (1)
A vulnerability is a security flaw or weakness in an application or system that can be exploited by an attacker.
Vulnerability management in DevSecOps is implemented as a continuous, automated process.
Figure 3: DevSecOps lifecycle stages (plan, development, build, release, application; vulnerability management spans all stages)

Slide 9

2. Vulnerability reduction methods (2)
・Threat analysis: The process of identifying, assessing, and countering potential threats and risks in applications and systems.
・Source code scanning: Detects credential information and vulnerabilities contained in source code.
・Vulnerability scanning: Scanning to detect known vulnerabilities.
・Policy checks: Checks and verifications against the security requirements and standards to be met.
・Security testing: Penetration testing to detect vulnerabilities.
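The "source code scanning" item above covers detection of credentials committed to source. The following is an added illustration of the two techniques such scanners combine (fixed patterns for well-known token formats, plus an entropy heuristic on string literals assigned to suspicious variable names); it is not code from the talk or from any of the tools it names, and the rule names, threshold and sample file are this example's own constructions.

```python
"""Minimal credential scanner for source text (added illustration, not a tool from the talk).

Two techniques: regexes for well-known token formats, and a Shannon-entropy check on
string literals assigned to credential-looking variable names. Hits are candidates
for human review, not confirmed leaks.
"""
import math
import re
from collections import Counter

# Pattern names and regexes are this example's own choices, not a vendor rule set.
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Assignments such as  password = "..."  or  SECRET_KEY: '...'  with the literal captured.
ASSIGNMENT = re.compile(
    r"(?i)\b(password|passwd|secret|token|api[_-]?key)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; chosen by hand for this example


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(lineno: int, line: str) -> list:
    """Apply both rule families to one line; return a list of finding dicts."""
    findings = []
    for name, rx in KNOWN_FORMATS.items():
        if rx.search(line):
            findings.append({"line": lineno, "rule": name, "reason": "known token format"})
    m = ASSIGNMENT.search(line)
    if m:
        value = m.group(2)
        ent = shannon_entropy(value)
        if ent >= ENTROPY_THRESHOLD:
            findings.append({"line": lineno, "rule": "high_entropy_" + m.group(1).lower(),
                             "reason": f"entropy {ent:.2f} bits/char"})
    return findings


def scan_source(text: str) -> list:
    """Scan a whole file's text, numbering lines from 1."""
    out = []
    for i, line in enumerate(text.splitlines(), start=1):
        out.extend(scan_line(i, line))
    return out


# Constructed sample "source file"; the key values are fabricated, not real credentials.
SAMPLE_SOURCE = '''\
import os
DB_HOST = "db.internal"
password = "changeme"                         # low entropy: skipped by the entropy rule
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"               # matches the access-key-id format
api_key = "q9Xv2LpT7sRk4WnZ8bMe1cHy"           # high-entropy literal in an api_key assignment
token = os.environ["API_TOKEN"]                # read from the environment: no literal, no finding
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['rule']} ({f['reason']})")
```

The entropy rule deliberately ignores the low-entropy `changeme` line: a real scanner pairs it with a wordlist of default passwords, because entropy alone misses weak but still dangerous literals.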

Slide 10

Building a Verification Environment

Slide 11

3. Building a verification environment - (1)
Built a DevSecOps verification environment using OSS products on the public cloud service Azure, performed a five-step security check on a sample app, and confirmed the number and type of vulnerabilities.
< Sample App >
Languages: Python v3.9.6, Node.js v14.17.3, .NET v5.0.8
DB: Redis v6.2.4, Postgres v13.3
Container: Docker v20.10.7
< Security Check >
(1) Source Code Scanning
(2) Container Image Scanning
(3) Kubernetes Cluster Scan
(4) Policy Check
(5) Penetration Testing
Figure 4: example-voting-app

Slide 12

3. Building a verification environment - (1)
Figure: pipeline of the five security checks: (1) Source code scanning, (2) Container image scanning, (3) Kubernetes cluster scan, (4) Policy check, (5) Penetration test
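Step (4), the policy check, verifies deployment artifacts against the security requirements the team has decided on. As an added example (not the talk's own pipeline or a manifest from example-voting-app), the check below applies a small rule set to a Kubernetes Deployment: pinned image tag, no `privileged` or `hostNetwork`, `allowPrivilegeEscalation` off, `runAsNonRoot` enforced, and CPU/memory limits present. The manifest is handed in as a Python dict (the structure `yaml.safe_load` would return) so only the standard library is needed; the rule set, the image names and both sample manifests are this example's own constructions.

```python
"""Policy check over a Kubernetes workload manifest (added example, not the talk's pipeline).

The manifest is a Python dict, as yaml.safe_load would return it. Rules and sample
manifests are this example's own; image names are placeholders.
"""
from typing import Dict, List


def image_is_pinned(image: str) -> bool:
    """True when the image reference carries a tag other than 'latest', or a digest."""
    ref = image.rsplit("/", 1)[-1]          # strip registry/repository path
    if "@" in ref:                           # pinned by digest
        return True
    return ":" in ref and not ref.endswith(":latest")


def container_violations(c: Dict, pod_sc: Dict) -> List[str]:
    """Rules applied per container; pod_sc is the pod-level securityContext."""
    name = c.get("name", "<unnamed>")
    sc = c.get("securityContext", {})
    v = []
    if not image_is_pinned(c.get("image", "")):
        v.append(f"{name}: image is not pinned to a specific tag or digest")
    if sc.get("privileged", False):
        v.append(f"{name}: privileged container")
    if sc.get("allowPrivilegeEscalation", True):   # Kubernetes default is true
        v.append(f"{name}: allowPrivilegeEscalation is not set to false")
    # runAsNonRoot may be set at pod level; a container-level value overrides it.
    if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
        v.append(f"{name}: runAsNonRoot is not enforced")
    limits = c.get("resources", {}).get("limits", {})
    for res in ("cpu", "memory"):
        if res not in limits:
            v.append(f"{name}: no {res} limit")
    return v


def check_workload(manifest: Dict) -> List[str]:
    """Return every policy violation for a Deployment-style manifest."""
    pod = manifest["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext", {})
    out = []
    if pod.get("hostNetwork", False):
        out.append("pod: hostNetwork is enabled")
    for c in pod.get("containers", []):
        out.extend(container_violations(c, pod_sc))
    return out


# Constructed manifests (not from the sample app); the image names are placeholders.
WEAK_MANIFEST = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "vote"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "vote",
            "image": "registry.example/vote:latest",
            "securityContext": {"privileged": True},
        }],
    }}},
}

HARDENED_MANIFEST = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "vote"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "vote",
            "image": "registry.example/vote:1.4.2",
            "securityContext": {"privileged": False, "allowPrivilegeEscalation": False},
            "resources": {"limits": {"cpu": "250m", "memory": "128Mi"}},
        }],
    }}},
}

if __name__ == "__main__":
    for label, m in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, check_workload(m) or "no violations")
```

In a pipeline this check runs before the image reaches the cluster, so the weak manifest fails the build with seven findings while the hardened one passes; the same rules can later be enforced at admission time so that a manifest applied by hand gets the same verdict.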

Slide 13

3. Building a verification environment - (2) Test Results
・GitHub Advanced Security dependency diagnosis identifies a Node.js package vulnerability.
・Trivy's image scan detects that security patches are missing from the host image and that there are security update issues in the language runtime used.
・kube-hunter's diagnosis detects vulnerabilities such as pod exposure and container exposure.
・OWASP ZAP vulnerability assessment detects session management issues and security header issues.

Slide 14

Discussion on verification results

Slide 15

4. Consideration of verification results - (1) Consideration of construction results
〇 Vulnerabilities found in conventional security tests can be detected at an early stage of development.
△ Even if you build a DevSecOps environment, you cannot completely eliminate application vulnerabilities; therefore, it is necessary to implement measures using SIEM and perform security triage (described later).
△ DevSecOps takes time to build the environment itself. In this survey, even with DevOps development experience, it took about 40 hours to build this verification environment.

Slide 16

4. Consideration of verification results - (2) Consideration of security measures
< Test results, implementation >
・SIEM to monitor security events in real time and detect anomalous patterns.
・Prioritize security triage of vulnerabilities based on indicators such as urgency and importance.
< Network >
・It is possible to prevent external attacks by building the development environment in the intranet and installing a WAF at the L7 level and a FW at the L4 level at the boundary with the Internet.
・Network-level segmentation by configuring a Hub&Spoke network.
< Effective use of schemes >
・With the introduction of threat analysis, a team structure that considers system security from the planning stage is required.
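The triage point above (rank findings by urgency and importance rather than fixing them in scanner order) and the Trivy results on the earlier slide can be tied together in code. The following is an added example, not the talk's pipeline: it reads a report shaped like Trivy's JSON output (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`), scores each finding from severity, fix availability and whether the scanned target is Internet-exposed, and derives a build gate from the ranked list. The report, the package names, the exposure list and the `CVE-0000-000x` identifiers are constructed placeholders, not real advisories.

```python
"""Triage of vulnerability-scan findings and a build gate derived from it.

Added example, not the talk's pipeline. Input is shaped like Trivy's JSON report; the
report below is constructed, and its package names and CVE IDs are placeholders.
"""
import json

SEVERITY_WEIGHT = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}

# Which scan targets are reachable from the Internet is context the scanner lacks;
# for this example it is supplied by hand (assumed).
EXPOSED_TARGETS = {"vote:1.4.2 (debian 11.0)"}


def triage_score(vuln: dict, exposed: bool) -> int:
    """Urgency (severity, fix available) combined with importance (exposure)."""
    score = SEVERITY_WEIGHT.get(vuln.get("Severity", "UNKNOWN"), 0) * 10
    if vuln.get("FixedVersion"):   # a fixed version exists, so the item is actionable now
        score += 5
    if exposed:                    # the component is reachable by external attackers
        score += 8
    return score


def triage(report: dict) -> list:
    """Flatten a report into rows ordered by descending triage score."""
    rows = []
    for result in report.get("Results", []):
        target = result.get("Target", "")
        exposed = target in EXPOSED_TARGETS
        for v in result.get("Vulnerabilities") or []:   # key may be absent or null when clean
            rows.append({
                "id": v["VulnerabilityID"], "pkg": v["PkgName"], "target": target,
                "severity": v.get("Severity", "UNKNOWN"),
                "fixed": v.get("FixedVersion", ""),
                "score": triage_score(v, exposed),
            })
    rows.sort(key=lambda r: (-r["score"], r["id"]))
    return rows


def blocking_findings(rows: list) -> list:
    """IDs that should fail the build: HIGH/CRITICAL with a fix available."""
    return [r["id"] for r in rows
            if r["severity"] in ("CRITICAL", "HIGH") and r["fixed"]]


def should_block(rows: list) -> bool:
    return bool(blocking_findings(rows))


# Constructed report in Trivy's JSON shape; package names and CVE IDs are placeholders.
SAMPLE_REPORT = json.loads("""{
  "Results": [
    {"Target": "vote:1.4.2 (debian 11.0)", "Class": "os-pkgs", "Vulnerabilities": [
      {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample0",
       "InstalledVersion": "1.1.1k-1", "FixedVersion": "1.1.1n-0+deb11u1", "Severity": "CRITICAL"},
      {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libcore6",
       "InstalledVersion": "2.31-13", "FixedVersion": "", "Severity": "HIGH"}
    ]},
    {"Target": "Node.js", "Class": "lang-pkgs", "Vulnerabilities": [
      {"VulnerabilityID": "CVE-0000-0003", "PkgName": "example-js-lib",
       "InstalledVersion": "4.17.15", "FixedVersion": "4.17.21", "Severity": "HIGH"},
      {"VulnerabilityID": "CVE-0000-0004", "PkgName": "example-args",
       "InstalledVersion": "1.2.0", "FixedVersion": "1.2.6", "Severity": "MEDIUM"}
    ]}
  ]
}""")

if __name__ == "__main__":
    ranked = triage(SAMPLE_REPORT)
    for r in ranked:
        print(f"{r['score']:3d} {r['severity']:8s} {r['id']} {r['pkg']} "
              f"({'fix ' + r['fixed'] if r['fixed'] else 'no fix'})")
    print("block build:", should_block(ranked), blocking_findings(ranked))
```

The gate deliberately ignores the HIGH finding without a fix: it still appears at the top of the triage list for the SIEM/monitoring side to track, but failing every build on it would only train the team to ignore the pipeline. The same policy is what Trivy's own `--severity HIGH,CRITICAL --ignore-unfixed --exit-code 1` flags express when the scanner runs directly in CI.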

Slide 17

Contribution of this survey

Slide 18

5. Contribution of this survey
・Demonstrated that the construction of an OSS-based DevSecOps environment can reduce system vulnerabilities.
・Clarified the cost and man-hour advantages and disadvantages of the DevSecOps scheme using OSS.
・Presented a security countermeasure method that takes a bird's-eye view of the entire development and operation phases.
・Demonstrated methods to improve security skills within the team based on threat analysis.

Slide 19

Image Reference
Figure 1: What is DevOps? https://www.dynatrace.com/news/blog/what-is-devops/
Figure 2: What is DevSecOps? https://www.dynatrace.com/news/blog/what-is-devsecops/
Figure 3: DevSecOps lifecycle stages https://learn.microsoft.com/en-us/azure/architecture/guide/devsecops/devsecops-on-aks#devsecops-lifecycle-stages
Figure 4: example-voting-app https://github.com/dockersamples/example-voting-app#architecture