13 June 2023
DevSecOps highlights why security is vital in DevOps. It revolves around empowering developers to own the security issues of their code along three axes: people, process, and tooling. This article is about tools: which are the main ones you need, and why they are essential.
Tooling allows developers to shift security left within a DevSecOps lifecycle.
Dependency check, one of the most critical DevSecOps tools
What is it?
One of the most critical tools in DevSecOps is a dependency checker, because most software projects consist of at least 80% external dependencies, and those dependencies can introduce security vulnerabilities into your codebase. A report from Snyk found that 78% of vulnerabilities are found in indirect dependencies.
You can check out their full report, ‘The state of open source security – 2019’.
How does it work?
A dependency check analyses the versions of the external dependencies installed in your codebase and looks them up in an external vulnerability database such as the NVD or the CVE list. If the version you have installed is linked to a CVE (Common Vulnerabilities and Exposures) entry, the tool alerts your DevSecOps team, depending on the CVE score (0 for little to no impact, 10 being critical).
These scans can be launched locally during development or from a CI/CD pipeline. Configure your pipeline to fail if the CVE score is too high.
The following article tells you everything you need to know about CI/CD pipelines.
Tools
The tools you can use for this depend on your codebase. Here are a few:
- Java, DotNet
- Javascript
- Python
Static Application Security Testing
What is it?
Static application security testing, or SAST, is a core part of DevSecOps tooling. It allows development teams to scan code while they work, identifying potential security flaws so they can be remediated. Each finding has a severity level to help determine the priority of the fix.
How does it work?
In CI/CD pipelines, the SAST configuration contains ‘gates’, which let you configure how many vulnerabilities are allowed before the pipeline fails.
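The two gates described above (failing the dependency check when a CVE score is too high, and capping how many lower-severity SAST findings are tolerated) can be enforced with a small script that runs in the pipeline and exits non-zero when policy is breached. This is an added example, not code from the article or from any of the tools it names; the JSON report layout, the `Policy` fields and the placeholder identifiers are all constructed for the example.

```python
"""CI gate for scanner findings (added example, not from the article).

The policy mirrors the two gates the article describes: fail on any finding
whose 0-10 score is too high, and fail when more than N lower-severity
findings remain. The JSON layout is constructed for this example; real
scanners emit their own formats, so adapt the parsing to the tool you use.
"""
import json
import sys
from dataclasses import dataclass

# Constructed sample report: identifiers are placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps({"findings": [
    {"id": "PLACEHOLDER-CVE-1", "package": "libfoo", "version": "1.2.3", "score": 9.8, "direct": False},
    {"id": "PLACEHOLDER-CVE-2", "package": "libbar", "version": "0.9.0", "score": 5.3, "direct": True},
    {"id": "PLACEHOLDER-CVE-3", "package": "libbaz", "version": "2.0.1", "score": 4.0, "direct": False},
    {"id": "PLACEHOLDER-CVE-4", "package": "libqux", "version": "3.1.0", "score": 2.1, "direct": True},
]})


@dataclass(frozen=True)
class Policy:
    fail_at_score: float = 7.0   # any single finding at or above this score fails the build
    allowed_findings: int = 0    # how many lower-severity findings may remain before failing


def evaluate(report_json: str, policy: Policy) -> tuple[bool, list[str]]:
    """Return (passed, reasons). An empty reasons list means the gate passed."""
    findings = json.loads(report_json).get("findings", [])
    reasons: list[str] = []
    blocking = [f for f in findings if float(f["score"]) >= policy.fail_at_score]
    for f in blocking:
        # Name transitive dependencies explicitly: they hide most of the risk.
        origin = "direct" if f.get("direct", True) else "transitive"
        reasons.append(f"{f['id']}: {f['package']} {f['version']} ({origin}) scored "
                       f"{f['score']} >= {policy.fail_at_score}")
    remaining = len(findings) - len(blocking)
    if remaining > policy.allowed_findings:
        reasons.append(f"{remaining} lower-severity findings exceed the allowance of "
                       f"{policy.allowed_findings}")
    return (not reasons, reasons)


def main(argv: list[str]) -> int:
    """Usage: gate.py [report.json]; without a file the constructed sample is used."""
    report = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    passed, reasons = evaluate(report, Policy(fail_at_score=7.0, allowed_findings=2))
    for reason in reasons:
        print("BLOCK:", reason)
    print("gate passed" if passed else "gate failed")
    return 0 if passed else 1   # a non-zero exit status fails the CI job


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a pipeline step after the scanner writes its report; the job fails on the first policy breach and the printed reasons tell the developer which finding to fix first.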
Tools
These tools depend on the codebase:
- Most languages
For more tools and information, visit the OWASP website.
Image scanning
What is it?
Engineers deploy Docker images every day. In a DevSecOps environment, the main concern is identifying vulnerabilities within these images. Dependency checkers help remove security problems from the codebase, but you still rely on a Docker image to host your code, and the ‘base image’ is what defines that environment. The base image is a ready-to-use environment for your code to run on, but you need to upgrade its version frequently to make sure the dependencies of that environment are not vulnerable.
How does it work?
Image scanning comes into play in DevSecOps during the CI/CD pipeline: the automation tools scan every layer of the image. If this doesn’t mean anything to you, you should read this article about containers.
Tools
For Docker images, I find that Clair is one of the best products to scan your images. It integrates with container registries and scans your images as soon as they are uploaded.
DevSecOps is getting ever more critical to maintaining a secure codebase within your organization. Access management is an important aspect of DevSecOps; check out the following article if you want to learn more about how to use Terraform with AWS accounts.
Today we deploy multiple times a day, and security issues can sneak in at any time. These tools help developers visualize these vulnerabilities and act on them as soon as possible, because knowing is half the battle. All these tools are white-box testing. If you want to go further, you can implement black-box testing with ZAP or Burp.
I’ll talk about them more in a future article.