DevSecOps: Building a Secure Continuous Delivery Pipeline

Linkedin Learning - Instructor: James Wickett


Stages of a CD Pipeline

  1. Develop: Application design and development takes place
  2. Inherit: Dependencies get bundled and inherited into code
  3. Build: Build steps are run and acceptance testing is done
  4. Deploy: Artifacts are deployed
  5. Operate: Application is up and running

Develop: Static Code Analysis

Language/Framework    Tools
PHP                   Phan
Java Web Apps         Find Security Bugs
Node                  NodeJsScan
Golang                GoSec

Develop: Secrets

git-secrets for scanning repo for secrets

Example setup (in target repo):

git secrets --install
git secrets --register-aws

Example usage:

git secrets --scan
git secrets --scan-history

# Returns non-zero status code if secret found
# Handy for when incorporating into pipeline
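Added example (not from the course): a small Python pipeline gate that behaves the way the notes describe git-secrets behaving, i.e. it scans text for secret-looking patterns, honours an allow-list for documented placeholder values, and returns a non-zero exit code when anything is found. The patterns are a constructed approximation of the AWS rules git-secrets registers, not its actual rule set, and the sample config file is made up.

```python
"""Secret-scanning gate modelled on the 'git secrets --scan' behaviour in the notes."""
import re
import sys
from pathlib import Path

# Constructed patterns, loosely modelled on what 'git secrets --register-aws' adds.
# They are an approximation for illustration, not git-secrets' own rules.
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws-secret-access-key": re.compile(
        r"(?i)aws(.{0,20})?secret(.{0,20})?['\"]?[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"),
    "private-key-block": re.compile(r"-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Allow-list for known documentation placeholders (git-secrets: 'git secrets --add --allowed').
ALLOWED = re.compile(r"AKIAIOSFODNN7EXAMPLE|wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")


def scan_text(text, source="<stdin>"):
    """Return a list of (source, line_number, pattern_name) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOWED.search(line):
            continue  # explicitly permitted placeholder value
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((source, lineno, name))
    return findings


def scan_paths(paths):
    """Scan each readable file; unreadable paths are skipped rather than failing the gate."""
    findings = []
    for path in paths:
        p = Path(path)
        try:
            text = p.read_text(errors="replace")
        except OSError:
            continue
        findings.extend(scan_text(text, str(p)))
    return findings


def gate(findings):
    """Exit code for the CI step: 1 when any secret-looking value was found, else 0."""
    for source, lineno, name in findings:
        print(f"{source}:{lineno}: possible {name}")
    return 1 if findings else 0


# Constructed sample input: a credentials file a developer might commit by mistake.
SAMPLE = """\
[default]
aws_access_key_id = AKIAABCDEFGHIJKLMNOP
aws_secret_access_key = abcdefghijklmnopqrstuvwxyz0123456789ABCD
# documentation example below is allow-listed:
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
"""

if __name__ == "__main__":
    targets = sys.argv[1:]
    results = scan_paths(targets) if targets else scan_text(SAMPLE, "sample.cfg")
    sys.exit(gate(results))
```

Run it with file paths to scan real files, or with no arguments to see the gate fail on the constructed sample; the non-zero exit code is what makes the step block a pipeline, exactly as the notes say for git-secrets.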

Develop: Rapid Risk Assessment

See: Mozilla RRA


Inherit: OWASP Dependency Check

See: Dependency Check CLI

dependency-check --project "demo" --scan ./httpclient-4.0.jar --out dep-check-out.html

Can be integrated into CI; plugins exist for Jenkins, etc.
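Added example (not from the course or the Dependency-Check project): a Python gate that reads a Dependency-Check JSON report and fails the build when a finding reaches a severity or CVSS threshold, with a suppression list for accepted risks. It assumes the report was produced with the CLI's JSON output format and uses a simplified sketch of that report's layout (dependencies → vulnerabilities → name/severity/cvss blocks); check field names against the version you run. The embedded report and its CVE identifiers are constructed placeholders.

```python
"""Build gate over an OWASP Dependency-Check JSON report (simplified layout, assumed)."""
import json
import sys

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


def score_of(vuln):
    """Best available CVSS base score for one vulnerability entry, or None."""
    for block_name, field in (("cvssv3", "baseScore"), ("cvssv2", "score")):
        block = vuln.get(block_name)
        if isinstance(block, dict) and field in block:
            return float(block[field])
    return None


def evaluate_report(report, min_severity="HIGH", fail_cvss=7.0, suppress=()):
    """Return (failing, all_findings); each finding is (file, cve, severity, score)."""
    threshold = SEVERITY_RANK[min_severity.upper()]
    failing, findings = [], []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            cve = vuln.get("name", "?")
            sev = str(vuln.get("severity", "")).upper()
            score = score_of(vuln)
            finding = (dep.get("fileName", "?"), cve, sev, score)
            findings.append(finding)
            if cve in suppress:
                continue  # accepted risk, documented outside the pipeline
            too_severe = SEVERITY_RANK.get(sev, 0) >= threshold
            too_high = score is not None and score >= fail_cvss
            if too_severe or too_high:
                failing.append(finding)
    return failing, findings


def gate(path, **policy):
    """Load a report file and return the CI exit code (1 = block the build)."""
    with open(path) as fh:
        report = json.load(fh)
    failing, findings = evaluate_report(report, **policy)
    for file_name, cve, sev, score in findings:
        flag = "FAIL" if (file_name, cve, sev, score) in failing else "info"
        print(f"[{flag}] {file_name}: {cve} severity={sev} cvss={score}")
    return 1 if failing else 0


# Constructed sample report; CVE ids are placeholders, not real identifiers.
SAMPLE_REPORT = {
    "dependencies": [
        {"fileName": "httpclient-4.0.jar",
         "vulnerabilities": [
             {"name": "CVE-EXAMPLE-0001", "severity": "HIGH", "cvssv3": {"baseScore": 7.5}},
             {"name": "CVE-EXAMPLE-0002", "severity": "LOW", "cvssv2": {"score": 2.1}},
         ]},
        {"fileName": "example-lib-1.0.jar", "vulnerabilities": []},
    ]
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(gate(sys.argv[1]))
    failing, _ = evaluate_report(SAMPLE_REPORT)
    print("would block build:", bool(failing))
```

Pass the report path as the only argument; suppressions and thresholds are keyword arguments so the policy can live in one place per pipeline rather than being scattered across jobs.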

Inherit: Software Composition Analysis

Docker scanning:


Build: Components

Build phase includes:

  • Binaries
  • Zipped artifacts
  • Images
  • HTML/JS
  • IaC
  • Cloud Config

Build: Security Testing

BDD: Behavior Driven Development. Emulates user actions with software.

DAST: Dynamic Application Security Testing

Infrastructure Testing

Compliance Testing

Build: DAST

General Purpose Scanners:

  • Arachni, Nikto, ZAP, Burp

SQLi Scanner:

  • Sqlmap

SSL/TLS Scanner:

  • SSLScan
  • SSLyze

Deploy: Rundeck for Deployments


Operate: Security

Shift Left AND Shift Right

DevSecOps Instrumentation:

  • Metrics based
  • Provides APIs
  • Promotes learning
  • Attacker driven

Operate: Modern AppSec

  • Bug Bounties
  • Runtime Application Self-Protection (RASP)
  • Next-Gen Firewall (NGFW)

Operate: Cloud Security Monitoring

  • Check for configuration changes, compliance, audit, hardening
  • AWS { Config, CloudTrail }
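Added example (not from the course): detection logic in Python for the "check for configuration changes" point above, run over CloudTrail records. It keeps a small watch-list of API calls that change security posture or blind auditing, rates a security-group change higher when it opens an admin port to the whole internet, and ignores calls that failed (they changed nothing). The watch-list and the log records are constructed; the records follow the general CloudTrail layout (eventName, userIdentity, requestParameters, errorCode), but field shapes should be checked against real exports.

```python
"""Triage of CloudTrail records for security-relevant configuration changes."""
import json

# Constructed watch-list: API calls that alter security posture or reduce audit visibility.
WATCHED = {
    "StopLogging": "CloudTrail logging stopped",
    "DeleteTrail": "CloudTrail trail deleted",
    "PutBucketPolicy": "S3 bucket policy changed",
    "AttachUserPolicy": "IAM policy attached to a user",
    "CreateAccessKey": "new IAM access key created",
    "AuthorizeSecurityGroupIngress": "security group ingress rule added",
}
ADMIN_PORTS = {22, 3389}  # SSH and RDP


def world_open_rules(params):
    """Yield (port, cidr) for ingress rules exposing an admin port to 0.0.0.0/0."""
    perms = (params or {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        if lo is None or hi is None:
            continue
        for rng in perm.get("ipRanges", {}).get("items", []):
            cidr = rng.get("cidrIp")
            if cidr == "0.0.0.0/0":
                for port in sorted(ADMIN_PORTS):
                    if lo <= port <= hi:
                        yield port, cidr


def classify(record):
    """Return (severity, reason) for a record, or None when it needs no alert."""
    name = record.get("eventName")
    if record.get("errorCode"):
        return None  # the call was denied or failed, so nothing changed
    if name == "AuthorizeSecurityGroupIngress":
        exposed = list(world_open_rules(record.get("requestParameters")))
        if exposed:
            ports = ",".join(str(p) for p, _ in exposed)
            return ("critical", f"admin port(s) {ports} opened to 0.0.0.0/0")
        return ("medium", WATCHED[name])
    if name in WATCHED:
        return ("high", WATCHED[name])
    return None


def triage(records):
    """Run classify() over every record and return the alerts in log order."""
    alerts = []
    for rec in records:
        hit = classify(rec)
        if hit:
            alerts.append({
                "time": rec.get("eventTime"),
                "actor": rec.get("userIdentity", {}).get("arn"),
                "event": rec.get("eventName"),
                "severity": hit[0],
                "reason": hit[1],
            })
    return alerts


# Constructed sample export, trimmed to the fields the checks use.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::000000000000:user/dev1"},
     "requestParameters": {"groupId": "sg-example", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:iam::000000000000:user/dev1"},
     "requestParameters": {"name": "example-trail"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::000000000000:user/dev2"}},
    {"eventTime": "2024-01-01T10:07:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::000000000000:user/dev2"},
     "requestParameters": {"groupId": "sg-example", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}},
    {"eventTime": "2024-01-01T10:08:00Z", "eventName": "PutBucketPolicy",
     "userIdentity": {"arn": "arn:aws:iam::000000000000:user/dev2"},
     "errorCode": "AccessDenied"},
]})


def triage_export(text):
    """Parse a CloudTrail export ('Records' array) and triage it."""
    return triage(json.loads(text).get("Records", []))


if __name__ == "__main__":
    for alert in triage_export(SAMPLE_LOG):
        print(f"{alert['severity']:8} {alert['time']} {alert['actor']} {alert['event']}: {alert['reason']}")
```

The same rules map naturally onto an AWS Config rule or an EventBridge filter; the value of a standalone script is that it can be replayed against historical exports when tuning the watch-list.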