What is DevSecOps? Pipelines...What is DevSecOps? DevSecOps is a methodology in which security is...
1
What is DevSecOps? DevSecOps is a methodology in which security is integrated into the entire life cycle of application development. Rather than being an afterthought, security present throughout development. This benefits NASA and the NCCS by decreasing the instance of security issues in later stages of the development process. Christopher J. Hong – George Mason University | George Rumney, Jasaun Neff, John Jasen, Jordan A. Caraballo-Vega – NCCS 606.2 | Summer 2019 Pipelines BUILD What is CI/CD? CI – Continuous Integration: Rapid commitments of created code to repositories. Keeps developers up to date and and allows for bugs/errors to be detected faster. CD – Continuous Delivery: Focusing on frequent and automated deployments with confidence in code quality and security. What is a Pipeline? A CI/CD “Pipeline” is a series of automated checks that are performed on code before deployment. As the code moves through the pipeline, a series of progressive tests/events are executed on the code. Why is this useful? Manual code review can take days, weeks, or months depending on the size of the application. Use of tools to check code and security can take hours or days, and the process is still manual. A pipeline can complete these tasks without human intervention, and stores the results in a centralized location. TEST CLEANUP Recon Vulnerability Scans Web Attacks Recon Enumeration Report build code_quality nmap_scans static_app_security_testing dynamic_app_security_testing dependency_checks cleanup anchore_scans Generic Container-scanning Pipeline Generic Containerized Web App Pipeline Container With JupyterHub Pipeline Use Case: Docker Container Scanning Expansion There are an infinite number of ways that this project could expand. Pipelines can be adapted to cater to the testing needed for various applications, systems, and tools. Each of the pipelines developed in this project are well documented and are designed to be easily transferrable to other projects with minimal modification to the code. clair_scans Terminology Container – A small, barebones virtual computer. Useful for running and testing apps without the need for a virtual machine, which requires large amounts of space and processing power Docker – An open source tool which creates and runs containers Enumeration – The process of gathering information about a system. This is typically performed early in an evaluation process in order to determine basic information about a system and its services Static Analysis – Using tools to perform tests on source code while not running. Tests for potential injections, backdoors, code flaws Dynamic Analysis – Using tools to perform tests on a program while “live” in order to determine vulnerabilities, observe behavior, test error handling, etc. Use Case: Evaluate Security of a Physical / Virtual System Compliance Checks golismero_scans discovery uniscan nmap_vuln_scan OpenSCAP gobuster_bruteforce nikto_scan Primary Tools Web Attacks Container Scans Code Analysis System Enumeration Compliance Scans masscan_scanning Technologies gitleaks 0 10 20 30 40 50 60 70 80 Generic Container Scanning Scanning JupyterHub Container Physical/Virtual System Scanning Black Box System Scanning Time (Minutes) Use Case Scanning Time: Manual Execution of Tools vs. Pipeline Manual Use of Tools Automated Pipeline Conclusion & Results The primary purpose of a pipeline is to save time by automating tasks that would otherwise be done manually. To gauge the effectiveness of the pipeline’s automation, the time needed to complete the exact same evaluation of a system/container is measured for both a pipeline, and manual execution of the same tools implemented by the pipeline. Times for each use case were calculated from the average of 3 successful runs on the same use case. For each use case, the automated pipeline saw significantly faster and more consistent results when compared to manual execution. In addition to faster times, each pipeline produces a formatted report after execution. This is useful for creating issues in a tracker, as well as providing guidance for code changes. 29 16 29 61 67 Use Case: Black Box Enumeration of System Operating Systems masscan_scanning golismero_scans discovery report FTP_enumeration SSH_enumeration HTTP_enumeration RPC_enumeration SMB_enumeration HTTPS_enumeration MySQL_enumeration port_8080_enumeration 18 16 NetBIOS_enumeration DNS_enumeration 35 MSSQL_enumeration Acknowledgements I would like to sincerely thank George Rumney, John Jasen, Jordan A. Caraballo-Vega, Jasaun Neff, and the rest of the NCCS SWG team for their guidance and expertise. Threat Modeling Each pipeline includes a questionnaire. Answers to certain questions/combinations of questions will trigger pipeline actions based on the input using python to interact with the Gitlab API. For example, “Does this project interactive with SQL databases?”, if yes, will cause SQL scans to be performed. This increases the degree of precision in pipeline scans.
Transcript of What is DevSecOps? Pipelines...What is DevSecOps? DevSecOps is a methodology in which security is...
What is DevSecOps? DevSecOps is a methodology in which security is integrated into the entire life cycle of application development. Rather than being an afterthought, security present throughout development. This benefits NASA and the NCCS by decreasing the instance of security issues in later stages of the development process.
Christopher J. Hong – George Mason University | George Rumney, Jasaun Neff, John Jasen, Jordan A. Caraballo-Vega – NCCS 606.2 | Summer 2019
Pipelines
BUILDWhat is CI/CD? CI – Continuous Integration: Rapid commitments of created code to repositories. Keeps developers up to date and and allows for bugs/errors to be detected faster.
CD – Continuous Delivery: Focusing on frequent and automated deployments with confidence in code quality and security.
What is a Pipeline? A CI/CD “Pipeline” is a series of automated checks that are performed on code before deployment. As the code moves through the pipeline, a series of progressive tests/events are executed on the code.
Why is this useful? Manual code review can take days, weeks, or months depending on the size of the application. Use of tools to check code and security can take hours or days, and the process is still manual. A pipeline can complete these tasks without human intervention, and stores the results in a centralized location.
TEST CLEANUP
Recon Vulnerability Scans Web Attacks
Recon Enumeration Report
build code_quality
nmap_scans
static_app_security_testing
dynamic_app_security_testing
dependency_checks
cleanup
anchore_scans
Generic Container-scanning Pipeline
Generic Containerized Web App Pipeline
Container With JupyterHub Pipeline
Use Case: Docker Container Scanning
ExpansionThere are an infinite number of ways that this project could expand. Pipelines can be adapted to cater to the testing needed for various applications, systems, and tools.
Each of the pipelines developed in this project are well documented and are designed to be easily transferrable to other projects with minimal modification to the code.
clair_scans
TerminologyContainer – A small, barebones virtual computer. Useful for running and testing apps without the need
for a virtual machine, which requires large amounts of space and processing power
Docker – An open source tool which creates and runs containers
Enumeration – The process of gathering information about a system. This is typically performed early in an evaluation process in order to determine basic information about a system and its services
Static Analysis – Using tools to perform tests on source code while not running. Tests for potential injections, backdoors, code flaws
Dynamic Analysis – Using tools to perform tests on a program while “live” in order to determinevulnerabilities, observe behavior, test error handling, etc.
Use Case: Evaluate Security of a Physical / Virtual SystemCompliance
Checks
golismero_scans
discovery
uniscan
nmap_vuln_scan OpenSCAP gobuster_bruteforce
nikto_scan
Primary Tools
Web AttacksContainer ScansCode Analysis
System Enumeration
Compliance Scans
masscan_scanning
Technologies
g i t l eaks
0
10
20
30
40
50
60
70
80
Generic ContainerScanning
Scanning JupyterHubContainer
Physical/Virtual SystemScanning
Black Box SystemScanning
Tim
e (M
inu
tes)
Use Case
Scanning Time: Manual Execution of Tools vs. Pipeline
Manual Use of Tools Automated Pipeline
Conclusion & ResultsThe primary purpose of a pipeline is to save time by automating tasks that would otherwise be done manually. To gauge the effectiveness of the pipeline’s automation, the time needed to complete the exact same evaluation of a system/container is measured for both a pipeline, and manual execution of the same tools implemented by the pipeline.
Times for each use case were calculated from the average of 3 successful runs on the same use case.
For each use case, the automated pipeline saw significantly faster and more consistent results when compared to manual execution.
In addition to faster times, each pipeline produces a formatted report after execution. This is useful for creating issues in a tracker, as well as providing guidance for code changes.
29
16
29
6167
Use Case: Black Box Enumeration of System
OperatingSystems
masscan_scanning
golismero_scans
discovery
reportFTP_enumeration
SSH_enumeration
HTTP_enumeration
RPC_enumeration
SMB_enumeration
HTTPS_enumeration
MySQL_enumeration
port_8080_enumeration
18 16
NetBIOS_enumeration
DNS_enumeration
35
MSSQL_enumeration
AcknowledgementsI would like to sincerely thank George Rumney, John Jasen, Jordan A. Caraballo-Vega, Jasaun Neff, and the rest of the NCCS SWG team for their guidance and expertise.
Threat ModelingEach pipeline includes a questionnaire. Answers to certain questions/combinations of questions will trigger pipeline actions based on the input using python to interact with the Gitlab API. For example, “Does this project interactive with SQL databases?”, if yes, will cause SQL scans to be performed. This increases the degree of precision in pipeline scans.
