
      Securing Your DevOps Pipelines - 1

      Securing Your DevOps Pipelines

      • Background on DevOps
      • Security in DevOps or DevSecOps
      • DevSecOps Tools
      • Setting up a DevSecOps Pipeline
      • Final Security Checks

      Background on DevOps

      1.1 Understand where DevOps came from

      Long development cycles lead to cascading problems

      • Security issues
      • Feature conflicts
      • QA bottleneck
      • Scope creep
      • Overlapping development

      Business needed to speed up deploy cycles.

      • Develop --> QA bugs --> Back to develop --> Add more features

      The process needed to be reproducible.

      Needed to handle a number of steps.

      • Build artifact
      • Run unit tests
      • Report failed tests
      • Set environment variables
      • Deploy to QA
      • Run integration tests
      • Deploy to staging
      • Clear cache
      • Deploy to feature environment
      • Deploy to production

      1.2 Learn how DevOps Works

      Plan

      Gather all of the feature requirements.

      Code

      Implement the code to add the feature to the application.

      Build

      Create the application build files.

      Test

      Run unit tests, do quality assurance (QA), and run integration tests.

      Release

      Tag a release of the approved feature implementation.

      Deploy

      Ship the approved feature implementation to production.

      Operate

      Keep the application running for end users and customers.

      Monitor

      Watch for any changes in the application's functionality.

      1.3 DevOps versus Waterfall

      Waterfall

      • Everything needs to be finished before deploying.
      • Harder to make changes when feedback comes.
      • Can make code changes take months to release.
      • New code slowly gets added to the initial request.
      • Security gets left until the very end.

      DevOps

      • Incremental releases make it less likely for bugs to get to production.
      • Allows stakeholders to test out functionality as it is completed.
      • Able to release code changes multiple times per day.
      • Controls scope creep.
      • Security can be added in a number of places.

      Security in DevOps or DevSecOps

      2.1 Show where security comes in

      Previously at the end of the waterfall

      • Feature development, QA, build candidate
      • Security testing
      • Deployment

      Happens at each stage in the pipeline

      • Feature development
      • Security testing
      • QA
      • Security testing

      Detecting issues early shortens development.

      Easier to include before issues arise.

      2.2 Learn how issues get to production

      Time restrictions

      Hard to get answers

      • What stages should run in parallel?
      • What are the auth methods for services?
      • Which CLI tools should be used?

      Unfamiliar with tools

      • Google Cloud
      • Docker
      • AWS
      • Kubernetes
      • Azure
      • Redis

      Unfamiliar with pipelines

      2.3 Learn the OWASP Top 10 security risks

      https://owasp.org/www-project-top-ten/assets/images/mapping.png

      Broken Access Control

      Bypass access control checks by adding parameters to the URL.

      APIs with missing access controls for POST, PUT and DELETE requests

      Not following the principle of least privilege.

      Cryptographic Failures

      Data transmitted in clear text

      Use of deprecated hash functions such as MD5 or SHA1

      Have crypto keys checked into source code repositories.

      Injection

      No validation on user input.

      Malicious data gets used in SQL queries

      Scripts get added to and executed on a web page

      Insecure Design

      Missing or ineffective control design.

      Security isn't addressed in user stories.

      Certain user flow logic is weak.

      Security Misconfiguration

      Default user names and passwords are still in place for services.

      Unnecessary features are installed that open access to restricted data.

      Too much information is shared with users in error messages.

      Vulnerable and Outdated Components

      Current versions of the libraries used are behind the newest versions.

      Compatibility with different libraries goes unchecked

      Libraries are installed from unreliable sources.

      2.4 Understand how attackers gain unauthorized access to apps

      They use a number of free and paid tools.

      They check for app and system misconfigurations.

      They look for secrets in your version control.

      They check for extra open ports.

      They look for vulnerabilities in your packages.

      2.5 Learn the basics of DevSecOps access to apps

      Adds automated security best practices to DevOps

      Keeps security considerations front of mind for each pipeline stage.

      Spreads the responsibility of how security is addressed.

      2.6 Use DevSecOps to mitigate risks

      Detect common security vulnerabilities automatically.

      Monitoring sends alerts to the right teams.

      Get feedback faster when new risks are noted.

      Lots of tools available.

      DAST, OAST, SAST, IAST, Cloud security, Issue tracking
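
      A pipeline gate for three of the risks listed in 2.3 and 2.4 (keys checked into the repository, deprecated hash functions, default passwords), written as an added example that is not part of the original notes. The rule names, the `hashlib`-specific pattern, the weak-password list and the sample files are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path

# Rule names mirror risks listed in sections 2.3 and 2.4 of these notes (assumed set).
RULES = {
    "private-key-in-repo": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "deprecated-hash": re.compile(r"\bhashlib\.(?:md5|sha1)\s*\("),
    "default-credentials": re.compile(
        r"(?i)\bpassword\s*[:=]\s*[\"']?(?:admin|password|changeme)\b"),
}

def scan_text(name, text):
    """Return (file, line number, rule) for every rule hit in one file's text."""
    return [(name, lineno, rule)
            for lineno, line in enumerate(text.splitlines(), start=1)
            for rule, pattern in RULES.items() if pattern.search(line)]

def scan_tree(root):
    """Scan every readable text file under root, skipping the .git directory."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        rel = path.relative_to(root)
        if not path.is_file() or ".git" in rel.parts:
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # binary or unreadable file: nothing to match line by line
        findings.extend(scan_text(str(rel), text))
    return findings

def gate(findings):
    """Exit code for the pipeline stage: non-zero fails the build."""
    return 1 if findings else 0

# Constructed sample repository contents (placeholders, not real secrets).
SAMPLE = {
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder)\n",
    "app/auth.py": "import hashlib\n\ndef digest(pw):\n    return hashlib.md5(pw.encode()).hexdigest()\n",
    "config/redis.yml": "host: cache\npassword: changeme\n",
    "app/ok.py": "import hashlib\nh = hashlib.sha256(b'x').hexdigest()\n",
}

def scan_sample():
    return [f for name, text in SAMPLE.items() for f in scan_text(name, text)]

if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_sample()
    for file, lineno, rule in results:
        print(f"{file}:{lineno}: {rule}")
    sys.exit(gate(results))
```

      Run with a checkout path as the only argument in a stage before the build; the non-zero exit code stops the pipeline when anything is found.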

      posted @ 2025-10-22 18:36  晨風_Eric