This project gives the reader a picture of a CI/CD pipeline that incorporates various security tools (SAST, DAST, third-party vulnerability and license management) and methodologies. You can see how the whole thing works together and use it as a template. See below for an in-depth explanation.
Requirements:
- Docker - https://docs.docker.com/get-docker/
- Docker Compose - https://docs.docker.com/compose/install/
- Java development environment as well as Maven - This one you need to do yourself :)
Usage
To run this project:
$ cd devsecops
$ docker-compose up
For services visit:
- Dependency-Track - localhost:80
- Jenkins server - localhost:8080
- SonarQube - localhost:9000
- OWASP ZAP - to be added later
- HashiCorp Vault - localhost:8300
- find-sec-bugs - to be added later
- gitsecrets - to be added later
DevSecOps stands for Development, Security and Operations. The idea is that security is embedded into product requirements, design, code and deployment. Too often security is neglected or embedded at the end of the software development lifecycle, which creates a number of issues, such as having to rewrite code, friction and arguments between product and security teams.
Before, many organisations would do security at the very end of the development lifecycle, but a new term has emerged: shift left. Shift left in terms of application security means embedding (shifting) security as early as possible in the development process. That means adding security into the design, development, testing and release of software. Activities might be
ADD about CICD, Agile, shifting left etc
There are a number of security tools and checks you can add to your pipeline. A good start for a CI/CD pipeline that incorporates security would be to have the following tools:
- SAST (Static Application Security Testing) tool - designed to analyse source code to find security flaws.
- DAST (Dynamic Application Security Testing) tool - designed to scan web applications to look for security vulnerabilities
- SCA (Software Composition Analysis) tools - designed to identify areas of risk from the use of third-party libraries and components
- Secrets management -
SAST tools are written to analyse source code and find security flaws. In this example I am using SonarQube. https://www.sonarqube.org/
Secrets management generally refers to tools and practices related to storing, managing and providing secrets. Examples of secrets: credentials, API keys, certificates. Too often companies use bad practices: hard-coding secrets in the code, leaving them in configuration files available to everyone, committing secrets to source version control, using cryptographically weak secrets.
Secrets management consists of a number of actions and benefits, such as:
- Creation, deletion, revocation, rotation of secrets
- Providing and managing access to secrets
- Secure backup and storage
- Audit
- Elimination of human error
- Centralised control
In this project I am using HashiCorp Vault. There are other solutions available from different vendors: AWS Secrets Manager, Keywhiz by Square, Confidant by Lyft, Key Vault by Microsoft, Docker secrets and others.
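As an added example that is not part of this project, the check below is the kind of pre-commit gate that catches the bad practices listed above (hard-coded and weak secrets) before they reach version control. The sample lines, the name patterns, the length and entropy thresholds, and the "indirect source" patterns are my own assumptions, not anything this pipeline ships with.

```python
import math
import re

# Constructed sample lines (not from this project): a hard-coded weak password,
# a hard-coded high-entropy key, a value correctly read from the environment,
# and an unrelated line. The key is a placeholder in AWS documentation format.
SAMPLE_LINES = [
    'db_password = "hunter2"',
    'AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
    'api_token = os.environ["API_TOKEN"]',
    'log.info("starting worker")',
]

# Assignment whose left-hand name suggests a secret; value is what follows = or :
ASSIGN_RE = re.compile(
    r'(?i)\b(?P<name>[\w.-]*(?:password|passwd|secret|token|api[_-]?key)[\w.-]*)'
    r'\s*[:=]\s*["\']?(?P<value>[^"\'\s]+)'
)
# Values that are references to an external source (env var, Vault), not literals
INDIRECT_RE = re.compile(r'os\.environ|os\.getenv|\$\{|vault:|System\.getenv', re.I)


def shannon_entropy(value: str) -> float:
    """Bits per character; low values indicate a human-chosen, weak secret."""
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def check_line(line: str):
    """Return (name, verdict) for a suspicious assignment, or None if the line is fine."""
    m = ASSIGN_RE.search(line)
    if not m:
        return None
    if INDIRECT_RE.search(line):
        return None  # secret is fetched at runtime, not stored in the source
    value = m.group("value")
    # Assumed thresholds: shorter than 12 chars or under 3 bits/char is "weak"
    if len(value) < 12 or shannon_entropy(value) < 3.0:
        return m.group("name"), "hardcoded-weak"
    return m.group("name"), "hardcoded"


def scan(lines):
    """Line number -> finding; only the variable name is reported, never the value."""
    return {i: r for i, line in enumerate(lines, 1) if (r := check_line(line))}
```

Wiring `scan` into a pre-commit hook or a Jenkins stage that fails the build on any finding gives the same effect as the git-secrets style check listed above.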
- Why tool X and not Y? - Everything shown here is for reference; in your environment different tools might suit your needs better. Mentioning or not mentioning any company/product does not imply endorsement by me or my company.
- Docker Compose is not for production, why did you use it? - It's a bit more complex than this, but that aside, from personal experience more people starting in IT have experience with Docker than with the alternatives.
- Why did you create this? - There are not many examples of full CI/CD pipelines that cover majority/many security options. Normally projects/articles cover only one type of security measure and do not provide the full picture.