
DevSecOps - Background, Status and Future Challenges


F. Ozgur Catak
University of Stavanger
https://github.com/ocatak/devsecops-tutorial
DevOps

• A philosophy that aims at building up a culture of collaboration between originally isolated teams (departments: software development, deployment operations, quality assurance, IT operations).
• Improving efficiency by eliminating the boundaries between these two phases of development.
• Includes:
  • Continuous integration, where the coding, building, integration, and testing processes are carried out.
  • Continuous delivery, which includes continuous integration but mainly focuses on product delivery.
  • Continuous deployment, which aims at automating project deliveries.
Defining DevOps: C-A-M-S

(Diagram: Culture, Automation, Measurement, Sharing)

Culture

• Primary characteristic of DevOps culture: increased collaboration
• Dev and Ops interact for a single target: to break down the barriers

(Diagram: Interaction, Target, Teams; Development - Operation)
Automation

• Keyword: automation
• Speeds up feedback between teams
• The app will be delivered to the customers easily and successfully.
• DevOps pipeline: flow of information
• New functionality in the app: a new library, a new attack surface, SQLi?

(Diagram: Feedback, Process, Tools for Collaboration)
Measurement

• Track improvement
• See bottlenecks/problems easily
• Performance of the production system
• Confirm that the production system did not degrade in anything like response time

(Diagram: Performance, Measurement, Bottlenecks)
Sharing

• Sharing ideas, problems, and solutions between various teams
• By transferring the knowledge, the collective intelligence increases and benefits everyone.

(Diagram: Idea, Sharing, Talk)

DevOps Lifecycle

• 8 stages in the DevOps lifecycle
  • Planning
  • Development
  • Operation

DevOps Tools and Technologies

• Version control systems: Git, SVN, Mercurial, etc.
• Continuous integration (CI): Jenkins and TeamCity
• Containers: Docker or Vagrant
• Framework automation tools: Python, Shell, or Bash
• Cloud services: Microsoft Azure, Google Cloud, Amazon Web Services
Traditional Security Perspective: Penetration testing

• A pentest, or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system.
• The test is performed to identify weaknesses (or vulnerabilities), including the potential for unauthorized parties to gain access to the system's features and data.
• Carrying out an ethical hack involves duplicating the strategies and actions of malicious attackers.

Ethical hacking = Penetration testing

DevSecOps: what is it, and how does it differ from DevOps?

• It is a philosophy of integrating security methods into a DevOps process.
• From the very start of the SDLC, DevSecOps works to make the application secure by introducing a variety of security techniques.
• DevOps heavily relies on automation. The same is true for DevSecOps, which aims at automating every aspect, including security audits.

(Diagram: DevOps = Dev, IT Op, Quality Assurance; DevSecOps = Dev, Sec, IT Op, Quality Assurance)
Why DevSecOps

• Companies implementing DevSecOps address vulnerabilities faster than others.
• Higher speed and agility for security teams.
• Quality and compliance assurance.
• Implement, educate and follow best practices for secure coding and infrastructure provisioning, deployment and configuration.
DevSecOps: Securing CI/CD

• Integrating security in the CI/CD pipeline, which helps minimize threats/vulnerabilities with every code check-in.
• Automation of the security part.
  • Minimize the manual pentest effort.
• Bridges the gap between Dev, Sec and Ops teams.

DevSecOps: Upcoming hot buzz

• As DevOps and agile enable speed, they come with risk as well.
• Frequent code changes, expanding attack surfaces and a day-by-day growing number of hacks are building the market for DevSecOps.
• 80% of threats and vulnerabilities can be tackled if we enable DevSecOps (20% effort): the famous 80/20 rule or "Pareto principle".
Cloud Security Alliance: The Six Pillars of DevSecOps Automation

The Cloud Security Alliance (CSA) is the world's leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.

• Collective responsibility
• Collaboration and integration
• Pragmatic implementation
• Bridging compliance and development
• Automation
• Measure, monitor, report and action

https://cloudsecurityalliance.org/press-releases/2020/07/07/cloud-security-alliance-publishes-new-paper-the-six-pillars-of-devsecops-automation/
Why do we need DevSecOps

Gartner Report: 10 Things to Get Right for Successful DevSecOps

• Implement and maintain the compliance requirements
• Minimize security bottlenecks and automate the security checks
• Collaborate with the information security team in the upcoming future, by 2021

(Diagram: Maintain compliance / regulatory requirements; Security automation / minimize security bottlenecks)
Practical Transitioning from DevOps to DevSecOps

Static Application Security Testing (SAST)
• White-box security testing
• Access to the underlying framework, design, and implementation
• The app is tested from the inside out
• It is the developer approach
• Finds vulnerabilities earlier in the SDLC
• Less expensive to fix vulnerabilities
• Can't discover run-time and environment related issues (like configuration vulnerabilities)

Dynamic Application Security Testing (DAST)
• Black-box security testing
• The tester doesn't know the technologies or frameworks of the app
• The app is tested from the outside in
• It is the hacker approach
• Finds vulnerabilities toward the end of the SDLC
• More expensive to fix vulnerabilities
• Can discover run-time and environment related issues (like configuration vulnerabilities)
DevOps vs DevSecOps

(Diagram: Traditional Build Phases vs Future Build Phases)

DevSecOps Practical Implementation
https://github.com/ocatak/devsecops-tutorial
http://www.ozgurcatak.org/devsecops-tutorial/

Example Web Application: DevSecOps
https://github.com/ocatak/devsecops-tutorial
GitHub repository for the lecture at University of Stavanger

Pipeline: Development (push) -> SAST (static application security testing) -> DAST (dynamic application security testing) -> Container Security -> Deployment
Jenkins: Pipeline Creation

Source Code Security (GitHub)

• Browsing security vulnerabilities in the GitHub Advisory DB
  • https://github.com/advisories : it allows you to browse or search for vulnerabilities which affect open source projects on GitHub
  • The sources below are used for vulnerabilities by GitHub:
    • The National Vulnerability Database
    • A combination of machine learning and human review to detect vulnerabilities in public commits on GitHub
    • Security advisories on GitHub
    • FriendsOfPHP
• Security alerts for vulnerable dependencies
• Automated security updates
  • Update vulnerable dependencies in the repository
• Managing alerts for vulnerable dependencies in your organization
DevSecOps: SAST - SonarQube

• It is an open-source tool used for continuous inspection of code quality: static analysis of code to detect bugs, code smells and security vulnerabilities in 20+ programming languages.
• It provides reports on duplicated lines of code, coding standards, unit tests, coverage, code complexity, comments, bugs etc.
• Reduces risks in software development within a short span of time, detects bugs in the code and automatically alerts developers.
• Receives all files as input, stores them in a database, analyses them with barriers and displays the results in a dashboard.

Benefits of SonarQube
• It increases the productivity of the Dev team by detecting duplicated and redundant code.
• The Dev team receives regular feedback on quality issues, which helps them increase their programming skills.
• Code quality becomes part of CI/CD and the development team.
• Security flaw detection and remediation.
DevSecOps: SAST - SonarQube

1. git clone https://github.com/ocatak/SonarQube.git
2. sudo npm install sonarqube-scanner
3. Run the SonarQube Docker image: docker-compose up -d
4. GitHub: sonar-project.js

In Jenkins, add a new "Execute Shell" build step with:

npm run sonar
DevSecOps: SAST - SNYK

• Lots of multinational companies are protected by Snyk:
  • Google
  • Microsoft
  • Salesforce
• You can integrate it into your DevSecOps pipeline:
  • Install the Snyk Jenkins plugin
  • Create an account in Snyk
  • Create a token in Snyk
  • Create a Snyk job, input the git URL for scanning, and add it to the build step
  • npm install -g snyk
  • snyk auth
DevSecOps: DAST - ARACHNI

• Arachni is a feature-full, modular, high-performance Ruby framework aimed at helping pentesters and administrators evaluate the security of modern web applications.
• It is free, with its source code public and available for review.
• https://github.com/Arachni/arachni
• Download: https://github.com/Arachni/arachni/releases/download/v1.5.1/arachni-1.5.1-0.5.12-linux-x86_64.tar.gz
DevSecOps: DAST - OWASP ZAP

• OWASP ZAP is one of the world's most popular free security tools and is actively maintained by hundreds of international volunteers.
• It helps to find vulnerabilities automatically with every CI/CD build.
• One of the best free tools for experienced pentesters to use for manual security testing.
DevSecOps: Container Security - Anchore

• Anchore allows us to perform detailed analysis on container images, run queries and produce reports. We can also define our own policies that can be used with CI/CD pipelines.
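The pipeline the slides describe (push -> SAST with SonarQube and Snyk -> DAST with OWASP ZAP -> container analysis with Anchore -> deployment), written out as a declarative Jenkinsfile. This is an added example, not code from the tutorial repository: the staging URL, image name, registry and the 'snyk-token' credential ID are placeholders, Snyk and ZAP are called through their CLIs rather than the Jenkins plugins, and the Anchore engine connection is assumed to be configured on the agent via the ANCHORE_CLI_* environment variables.

```groovy
// Added example (not from the tutorial repo). Placeholders: APP_URL, IMAGE, credential
// 'snyk-token'; Anchore engine access assumed via ANCHORE_CLI_* env vars on the agent.
pipeline {
    agent any
    environment {
        APP_URL = 'http://staging.example.internal:3000'
        IMAGE   = "registry.example.internal/devsecops-tutorial:${env.BUILD_NUMBER}"
    }
    stages {
        stage('Development') {
            steps { sh 'npm ci && npm test' }
        }
        stage('SAST - SonarQube') {
            // the same command the slides run from an "Execute Shell" build step
            steps { sh 'npm run sonar' }
        }
        stage('SAST - Snyk') {
            steps {
                withCredentials([string(credentialsId: 'snyk-token', variable: 'SNYK_TOKEN')]) {
                    // snyk reads SNYK_TOKEN; a non-zero exit on high/critical findings fails the build
                    sh 'snyk test --severity-threshold=high'
                }
            }
        }
        stage('DAST - OWASP ZAP') {
            steps {
                // baseline (passive) scan of the staging URL; a non-zero exit on alerts fails the build
                sh 'docker run --rm -v "$WORKSPACE:/zap/wrk:rw" ghcr.io/zaproxy/zaproxy:stable ' +
                   'zap-baseline.py -t "$APP_URL" -r zap-report.html'
                archiveArtifacts artifacts: 'zap-report.html'
            }
        }
        stage('Container Security - Anchore') {
            steps {
                sh 'docker build -t "$IMAGE" .'
                sh 'anchore-cli image add "$IMAGE" && anchore-cli image wait "$IMAGE"'
                // evaluates the image against the configured Anchore policy; a STOP result fails the build
                sh 'anchore-cli evaluate check "$IMAGE"'
            }
        }
        stage('Deployment') {
            when { branch 'main' }
            steps { sh 'docker push "$IMAGE"' }
        }
    }
}
```

Each security stage relies on the tool's exit status to stop the pipeline, so the image only reaches the registry after the SAST, DAST and policy checks have all passed.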
What We Learned

• Paradigm shift from time-consuming penetration testing activities to DevSecOps
• Pentesters use the same or similar tools (Kali, sqlmap, Arachni, Nmap, Metasploit etc.) to perform security testing and find vulnerabilities
• We can integrate them into our CI/CD pipelines
• Speed up security checks
Future Challenges

• Complex tool integrations
  • Tools come from various vendors.
  • Adding security tools makes things even more complex.
  • A time-consuming, labor-intensive approach is incompatible with DevOps' high speed.
• Shifting security left in the SDLC
  • Security principles apply to the overall organization and not just to security engineering teams.
  • End-of-cycle security testing results in delays and vulnerabilities left in production.
Thank You
F. Ozgur Catak
f.ozgur.catak@gmail.com
https://www.ozgurcatak.org
