‘DevSecOps’ and ‘DevOps’ are terms thrown around quite a bit these days in the software and cloud industry, but what exactly does DevSecOps mean for a team of developers, managers, and cyber security professionals? A lot of emphasis is put on tool capabilities and the features that stand out in the marketplace, which are important traits, but how do those tools integrate with your existing suite of tools, your infrastructure, and your users?
DevOps security tools come in many different flavors and provide different levels of risk assessment, compliance checking, and active security. If your team is already building containers, or any application for that matter, it has more than likely chosen a programming framework built on top of a programming language (e.g. the Node.js framework on the JavaScript language).
The majority of software frameworks and third-party libraries come from open source projects, which is great, but this leaves plenty of opportunity for security vulnerabilities and unknown components to be introduced into your software project. Identifying those third-party libraries, packages, licenses, and other components helps a team categorize and filter out risky and unknown components. Scanning and analyzing open source components is called software composition analysis (SCA). The software bill of materials generated by an SCA scan is checked against database sources such as the NVD, software vendor security advisories, and other security data sources. These sources provide information such as the severity level, the impact if the vulnerability is exploited, and remediation suggestions. CI/CD pipelines can include logic to exclude certain severity levels and block builds and deployments based on rules. Developers can integrate plugins to identify vulnerable components and get suggestions on which components are the safest to use before their first build. Integrations with source control can be configured to automatically create pull requests.
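As an added illustration of the pipeline rule logic described above (example code, not taken from the page or any particular scanner), the following gate reads a constructed SCA scan result, fails the job at or above a configured severity, and honours time-boxed risk acceptances so that a waiver cannot silently outlive its review date. The JSON field names, component names and CVE-style ids are all constructed placeholders.

```python
"""Severity gate over SCA findings, as a CI/CD job would apply it.

Assumed for this example (not from the page): the scanner emits JSON with
one record per vulnerable component using the constructed fields below.
"""
import json
from datetime import date

# Ordered severity scale; a higher index means more severe.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample scan output with placeholder advisory ids.
SAMPLE_SCAN = json.dumps({"findings": [
    {"component": "demo-utils", "version": "1.0.0", "severity": "LOW",
     "id": "CVE-0000-0001"},
    {"component": "demo-http", "version": "3.0.1", "severity": "HIGH",
     "id": "CVE-0000-0002"},
    {"component": "demo-yaml", "version": "1.2.0", "severity": "CRITICAL",
     "id": "CVE-0000-0003"},
]})

# Constructed policy: block at HIGH or above; waivers map an advisory id to
# an ISO expiry date (ISO dates compare correctly as strings).
POLICY = {"block_at": "HIGH", "waivers": {"CVE-0000-0002": "2099-01-01"}}


def evaluate_gate(scan_json, policy, today=None):
    """Return (blocked, reasons) for a scan evaluated against a policy."""
    today = today or date.today().isoformat()
    threshold = SEVERITY_ORDER.index(policy["block_at"])
    reasons = []
    for f in json.loads(scan_json)["findings"]:
        sev = f.get("severity", "UNKNOWN")
        rank = SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else 0
        if rank < threshold:
            continue  # below the blocking threshold; report, don't block
        expiry = policy["waivers"].get(f["id"])
        if expiry and expiry >= today:
            continue  # accepted risk that is still inside its waiver window
        reasons.append(f"{f['id']} in {f['component']}@{f['version']} ({sev})")
    return (len(reasons) > 0, reasons)


if __name__ == "__main__":
    blocked, reasons = evaluate_gate(SAMPLE_SCAN, POLICY)
    print("BLOCK" if blocked else "PASS", *reasons, sep="\n")
    raise SystemExit(1 if blocked else 0)  # non-zero exit fails the job
```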
Dynamic Application Security Testing (DAST) tools perform vulnerability scanning of applications while they are running. DAST scanning works at layer 7 (the application layer), where applications interface with users and services. From an attacker's perspective, DAST tools show which application vulnerabilities can be exploited. DAST tools can be automated and can produce scan artifacts for consumption by other tools. GitLab Premium provides the open source DAST tool ZAP to identify OWASP vulnerabilities.
Static Application Security Testing (SAST) provides developers with feedback on source code vulnerabilities, identifying poor coding practices, insecure coding, and weak encryption/decryption methods. Tight integration with developers' IDE linters, build pipelines, and deployment pipelines helps keep vulnerable components from being integrated into environments. Open source tools like SonarQube provide free and paid options for SAST scanning.
Covering application vulnerabilities from the initial development effort through to deployed and running applications provides a full software development lifecycle (SDLC) assessment of application security. Without a full lifecycle assessment, insecure and vulnerable components can be introduced at various points in the software development lifecycle.
Many organizations are shifting to container-based application deployments to gain application immutability, cloud-agnostic deployments, and applications with a smaller footprint. Many Docker container images are sourced from public repositories and could contain vulnerabilities. Containers are typically run in scalable cloud environments, which also scale up the vulnerabilities if components aren’t validated prior to deployment. Container images that are built and stored in registries can also be scanned after deployment to a Kubernetes environment that references the same images. Validating that image vulnerabilities are tracked and remediated is valuable to risk management and ensures application security is continually tracked. Tools on the market reference various vulnerability databases and have different methods of hooking into Kubernetes runtime components.
Differentiators between container image scanning tools can be significant when it comes to network traffic analysis (east/west: internal service-to-service traffic; north/south: traffic between the outside and the inside of the cluster). Although signature-based behavior can be beneficial for identifying container image anomalies, additional layers of security that validate network traffic patterns, perform deep packet inspection, and provide a container firewall service allow application owners to strictly define traffic and container behaviors. Security frameworks like CIS, PCI-DSS, NIST, and others can be applied to container security settings.
Bringing all of the security data together and deciphering what to be concerned about is a critical part of the ‘Sec’ in DevSecOps. When selecting a monitoring solution, things like ease of integration, data resolution, and the ability to identify anomalous trends are key features to consider. If your open source SCA scanner detects a vulnerable component and a container image/pod running in your cluster was built using that same component, correlating the two helps find and remediate the issue faster and more efficiently. Using tools like Prometheus, Grafana, and other common open source alerting/monitoring tools provides a more cloud-agnostic approach. Integrating alerting with Slack, email, text messages, and other communication methods lets your team define how they prefer to be notified when certain alerts are triggered.
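The correlation described above, as an added example that is not part of the original post: given a per-image SBOM and a pod inventory (both constructed and inlined here; a real inventory would come from the cluster API), it finds every running pod built from an image that still carries the affected component below its fixed version, then formats the result as an alert message for a Slack or email channel. Image references, pod names and the advisory id are placeholders.

```python
"""Correlate an SCA finding with container images running in a cluster.

Assumed (constructed) inputs: image -> {component: version} SBOMs, a
(namespace, pod, image) inventory, and a finding with a fixed-in version.
"""

# Constructed per-image SBOMs produced by an SCA scan of each image.
IMAGE_SBOMS = {
    "registry.example/shop/api:1.4.2": {"demo-yaml": "1.2.0", "demo-http": "3.0.1"},
    "registry.example/shop/web:2.0.0": {"demo-http": "3.0.1"},
    "registry.example/shop/worker:0.9.7": {"demo-yaml": "1.3.0"},
}

# Constructed pod inventory: (namespace, pod name, image reference).
RUNNING_PODS = [
    ("prod", "api-7c9f-abcde", "registry.example/shop/api:1.4.2"),
    ("prod", "api-7c9f-fghij", "registry.example/shop/api:1.4.2"),
    ("prod", "web-5d2a-klmno", "registry.example/shop/web:2.0.0"),
    ("staging", "worker-1b8c-pqrst", "registry.example/shop/worker:0.9.7"),
]

# Constructed SCA finding with a placeholder advisory id.
FINDING = {"id": "CVE-0000-0001", "component": "demo-yaml",
           "fixed_in": "1.3.0", "severity": "HIGH"}


def version_tuple(v):
    """Numeric tuple so '1.10.0' sorts after '1.9.0' (plain dotted versions only)."""
    return tuple(int(p) for p in v.split("."))


def affected_images(finding, sboms):
    """Images whose SBOM lists the component at a version below the fix."""
    fixed = version_tuple(finding["fixed_in"])
    return {img for img, comps in sboms.items()
            if finding["component"] in comps
            and version_tuple(comps[finding["component"]]) < fixed}


def affected_pods(finding, sboms, pods):
    """Every running pod built from an affected image."""
    images = affected_images(finding, sboms)
    return [p for p in pods if p[2] in images]


def alert_text(finding, hits):
    """Compact notification text, grouped by namespace for quick triage."""
    by_ns = {}
    for ns, pod, image in hits:
        by_ns.setdefault(ns, []).append(f"{pod} ({image})")
    lines = [f"[{finding['severity']}] {finding['id']} in {finding['component']} "
             f"< {finding['fixed_in']}: {len(hits)} running pod(s) affected"]
    for ns in sorted(by_ns):
        lines.append(f"  {ns}: " + ", ".join(sorted(by_ns[ns])))
    return "\n".join(lines)
```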