In this article, I will show you an end-to-end security pipeline. Products may change, ideas may change, but at the end of the day, a similar structure will significantly strengthen the infrastructure of your organization.
Table of Contents
- What should you address in application security?
- How much can your organization afford?
- What is the importance of Container?
- Example CI/CD End To End Pipeline Schema With Azure DevOps
- Example DevOps YAML Pipeline
What should you address in application security?
The processes that need to be addressed in application security require a comprehensive approach to detecting and remediating vulnerabilities at every stage of the application. Here are some of these processes:
- Static Application Security Testing (SAST): Identifies vulnerabilities before the application is run by examining source code or compiled binaries.
- Dynamic Application Security Testing (DAST): Tests a running application, specifically detecting runtime security issues.
- Dependency Check: Used to detect security vulnerabilities in the libraries and frameworks used.
- Container Security Scanning: Detects the security configurations and vulnerabilities of the containers in which the application runs.
- Security Configuration Review: It is the examination of the security configurations of application and infrastructure components.
How much can your organization afford?
The most important issue is cost. How much can your organization afford? Which ones will your manager want to prioritize? What kind of distribution can you follow? We should actually be able to ask ourselves the answers to these questions and answer them.
For example, dependency check. It is not a subject that you can manage open source. There are various open source software. Dependency-Check, Dependency-Track etc. These are open source software published by OWASP, but when compared with enterprise products, you observe a serious difference in finding quality.
You should be able to scale well the needs of your organization and in which areas you can turn to open source. Another positive example is container security. With Aqua Trivy, you can provide container security on a large scale for free. These are serious considerations.
What is the importance of Container?
Container technology is vital for securing application development processes in the DevSecOps pipeline. Containers enable applications to run in isolated environments, creating a consistent and repeatable deployment process. This isolation limits the spread of vulnerabilities and mitigates risks from inter-application interaction.
In addition, the lightweight nature of containers allows security patches and updates to be applied quickly, which ensures a fast response time to security breaches.
The use of containers in the DevSecOps pipeline allows automating security scans and analysis. For example, continuous scanning of container images provides proactive protection against known vulnerabilities. Container orchestration tools, e.g. Kubernetes, allow for centralized management and enforcement of security policies, which ensures that security standards and regulations are consistently met.
Finally, container technology works well with microservices architectures, which allow applications to be broken down into smaller, manageable and secure pieces. This granularity limits the impact of security breaches and helps to detect and resolve security incidents faster. For these reasons, the use of container technology in the DevSecOps pipeline is an integral part of modern software development and deployment processes.
Example CI/CD End To End Pipeline Schema With Azure DevOps
In this section, I will share with you a pipeline structure that I created as an example.
.png)
If we need to explain the visual verbally, our stages are as follows:
- The developer pushes the code via GitHub (examples can be multiplied.)
- The code in Azure DevOps environment first goes to dependency scanning with Sonatype IQ Server.
- If it passes the dependency check (should pipelines be broken for security reasons? I actually need to address this question in another article. Although many organizations do not allow this so that operational processes are not disrupted, this has to happen from a professional point of view). It should move to the next stage.
- In this step, we analyze the static source code with Fortify. Due to Fortify's compilation feature, we can also perform dataflow analysis of the relevant project. This is very useful for us at the point of true positive indicators.
- As a matter of fact, we can scan the dockerfile with Fortify, but I want to double stitch with Trivy at this stage. I tighten these controls with Trivy.
- If we come to this stage, I need to stand up my project for dynamic controls. At this stage, I use docker. The necessity and importance of containers comes to the fore exactly at this stage.
- I put Trivy into the circuit again and this time I scan my container image. Assuming there are no findings, I continue the pipeline. I have not broken the pipeline at any pipeline stage until this stage. The purpose of this is for you to witness a project that flows from end to end.
- In the last stage, I scan my project that I stand up with docker with Invicti.
- I transfer the build status of the pipeline to the relevant users or groups via Slack notification.
Basically, our pipeline, where we perform these stages, can cause many difficulties in the configuration and installation processes. For the sake of example, I have not done any breaking here. In fact, in another article I will show the "exit 1" power in these tools. This will be useful for everyone.
Example DevOps YAML Pipeline
We perform the steps that we have shown in the diagram and explained verbally with this pipeline YAML. Can additional steps be added? Absolutely. The values of the servers related to Grafana, prometheus, ELK can be monitored. More different steps can also be added. Examples such as monitoring with a vulnerability management tool can be diversified. But this will be enough for a medium level structure.
trigger:
- master
stages:
- stage: sonatype
pool: centos
jobs:
- job: sonatype
steps:
- task: NexusIqPipelineTask@1
inputs:
nexusIqService: 'sonatype'
applicationId: 'webgoat'
stage: 'release'
scanTargets: '**/*.*'
- stage: fortify
pool: batuhan-local
jobs:
- job: fortify
steps:
- task: FortifySCA@7
inputs:
applicationType: 'java'
buildSourceVersion: '11'
fortifyBuildId: 'webgoatjava'
fortifyScanType: 'LocalScan'
runFortifyUpload: true
fortifyServerName: 'ssc test'
fortifyApplicationName: 'webgoatjava'
fortifyApplicationVersion: 'webgoatjava'
- stage: trivy_file_scan
pool: centos
jobs:
- job: trivy
steps:
- task: Bash@3
inputs:
targetType: 'inline'
script: 'trivy repo https://github.com/nullx3d/WebGoat'
- stage: docker_up
pool: centos
jobs:
- job: docker
steps:
- task: CmdLine@2
inputs:
script: 'docker-compose up -d'
workingDirectory: '/home/sancak/Downloads/WebGoat'
- stage: trivy_image_scan
pool: centos
jobs:
- job:
steps:
- task: Bash@3
inputs:
targetType: 'inline'
script: 'trivy image webgoat/webgoat-8.0'
- stage: invicti
jobs:
- job: invicti
steps:
- task: netsparker-cloud@1
inputs:
apiConnection: 'invicti'
scanTypes: '0'
scanWebSites: 'e15b8874-5cff-4dd7-02a7-ae43025f6459'
scanWebSitesProfile: '5d21265b-4372-49fc-c209-b0ff051e9f2f'
hasReport: true
reportType: 'ScanDetail'Conclusion
This comprehensive DevSecOps pipeline demonstrates the importance of integrating security at every stage of the development process. From dependency scanning to container security, each stage plays a crucial role in building a secure application.
The pipeline includes:
- Sonatype Nexus IQ: Software composition analysis for open source vulnerabilities
- Fortify SCA: Static code analysis for security vulnerabilities
- Trivy: Container and repository vulnerability scanning
- Docker: Container orchestration and deployment
- Invicti: Dynamic application security testing (DAST)
Thank you for reading. Stay safe.