Tooling allows developers to shift security left within a DevSecOps lifecycle.
One of the most critical tools in DevSecOps is a dependency checker. That is because most software projects include at least 80% external dependencies, and they can introduce security vulnerabilities to your codebase. A report from Snyk found that 78% of vulnerabilities are found in indirect dependencies.
You can check out their full report on ‘The state of open source security – 2019’
A dependency check analyses the versions of the external dependencies installed in your codebase and looks them up in an external vulnerability database such as the NVD or the CVE list. If the version you have installed is linked to a CVE (Common Vulnerabilities and Exposures) entry, the tool alerts your DevSecOps team, with the urgency depending on the CVE score (0 for little to no impact, 10 for critical).
These scans can be launched locally during development or by a CI/CD pipeline. Configure your pipeline to fail if the CVE score is too high.
The following article tells you everything you need to know about CI/CD pipelines.
The tools you can use for this depend on your codebase. Here are a few:
Static application security testing or SAST is a core part of DevSecOps tooling. It allows development teams to scan code while they work by identifying and remediating potential security flaws. These threats each have a level of severity to help determine the priority of the fix.
In CI/CD pipelines, SAST configuration contains ‘gates,’ which allow configuring how many vulnerabilities are allowed before having the pipeline fail.
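The two gates described above, the dependency-score threshold and the SAST finding limits, as a small pipeline step. This is an added example, not code from the original article or from any scanner; the JSON report layouts, the CVE ids and the findings are all constructed placeholders, and a real pipeline would feed it the scanner's own output.

```python
import json
from dataclasses import dataclass

# Constructed sample dependency-scan output (simplified, not any real
# scanner's format); the CVE ids are placeholders, not real entries.
SAMPLE_DEPENDENCY_REPORT = json.dumps({"dependencies": [
    {"name": "lib-a", "version": "1.2.3", "direct": True,
     "vulnerabilities": [{"id": "CVE-XXXX-0001", "score": 9.8}]},
    {"name": "lib-b", "version": "0.4.0", "direct": False,
     "vulnerabilities": [{"id": "CVE-XXXX-0002", "score": 4.3}]},
    {"name": "lib-c", "version": "2.0.0", "direct": True, "vulnerabilities": []},
]})
# Constructed sample SAST findings, each tagged with a severity.
SAMPLE_SAST_REPORT = json.dumps({"findings": [
    {"rule": "sql-injection", "file": "app/db.py", "severity": "high"},
    {"rule": "weak-hash", "file": "app/auth.py", "severity": "medium"},
    {"rule": "debug-enabled", "file": "app/cfg.py", "severity": "low"},
]})

@dataclass
class GateResult:
    passed: bool
    reasons: list

def dependency_gate(report_json, max_score):
    """Fail when any dependency, direct or indirect, carries a CVE whose
    score is above max_score (indirect ones count: most vulnerabilities live there)."""
    reasons = []
    for dep in json.loads(report_json)["dependencies"]:
        kind = "direct" if dep["direct"] else "indirect"
        for vuln in dep["vulnerabilities"]:
            if vuln["score"] > max_score:
                reasons.append(f"{dep['name']}@{dep['version']} ({kind}): "
                               f"{vuln['id']} scored {vuln['score']}")
    return GateResult(passed=not reasons, reasons=reasons)

def sast_gate(report_json, allowed):
    """Fail when findings at a severity exceed that severity's gate,
    e.g. allowed={"high": 0, "medium": 2}; severities not listed are ungated."""
    counts = {}
    for finding in json.loads(report_json)["findings"]:
        counts[finding["severity"]] = counts.get(finding["severity"], 0) + 1
    reasons = [f"{sev}: {counts.get(sev, 0)} found, {limit} allowed"
               for sev, limit in allowed.items() if counts.get(sev, 0) > limit]
    return GateResult(passed=not reasons, reasons=reasons)

if __name__ == "__main__":  # a non-zero exit code is what fails the CI job
    results = [dependency_gate(SAMPLE_DEPENDENCY_REPORT, 7.0),
               sast_gate(SAMPLE_SAST_REPORT, {"high": 0, "medium": 2})]
    for r in results:
        print("PASS" if r.passed else "FAIL: " + "; ".join(r.reasons))
    raise SystemExit(0 if all(r.passed for r in results) else 1)
```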
These tools depend on the codebase:
For more tools and information, visit the OWASP website.
Engineers deploy Docker images every day. In a DevSecOps environment, the main concern is identifying vulnerabilities within these images. Dependency checkers help remove security problems from the codebase, but you still rely on the Docker image to host your code, and the ‘base image’ is what defines that environment. The base image is a ready-to-use environment for your code to run on, but you need to upgrade its version frequently to make sure the dependencies of that environment are not vulnerable.
Image scanning comes into play in DevSecOps during the CI/CD pipeline. The automation tools scan every layer of the image. If this doesn’t mean anything to you, you should read this article about containers.
For docker images, I find that Clair is one of the best products to scan your images. It integrates with container registries.
It scans your images as soon as they are uploaded.
DevSecOps is getting ever more critical to maintaining a secure codebase within your organization. Access management is an important aspect of DevSecOps; check out the following article if you want to learn more about how to use Terraform with AWS accounts.
Today we deploy multiple times a day, and security issues can sneak in at any time. These tools help developers visualize and act on these vulnerabilities as soon as possible, because knowing is half the battle. All these tools perform white-box testing. If you want to go further, you can implement black-box testing with ZAP or Burp.
I’ll talk about them more in a future article.