Overview of Topics covered
SAST
Secret Scanning
SCA
DAST
Image Scanning
This free course is part of a
complete DevSecOps certification program 🥇
DevSecOps Crash Course FREE | From Zero to DevSecOps engineer in 1 hour! 👇
Importance of Security in Software Development
Security is important at all levels of software development life cycle:
in the application itself
in the application's runtime environment
and the underlying infrastructure or cloud platform etc
It’s important to the level, that when companies fail to properly secure things, and get hacked, where their user data or company data gets compromised, or their systems get attacked and aren’t accessible any more, the price they pay for that is very expensive.
Both financially, but also reputation-wise 😓
[Cyber Security: https://www.cisa.gov/topics/cybersecurity-best-practices]
2 challenges companies have in terms of security 😫
There are 2 biggest challenges companies have in terms of security and why they fail to properly implement security:
Incentive
Often feature development and providing business value is more incentivized, because that’s what brings in customers, that’s what provides the direct value for users and that’s what brings in the money 🤷🏻♀️ 💸
So security is more like a necessary evil 😌
You don’t get so much reward and pat on the back, for implementing great security. But if an incident happens, you get real punishment.
And for that, you need to assess the risk, of how likely it is to happen. So security stays an afterthought in application development or infrastructure configuration process.
2. Difficulty
Second issue is, even if you and your team are dedicated to implementing great security, it becomes more and more difficult as systems and technologies get more complex.
That means, with every new technology or cloud platform you introduce, your team needs to learn how to secure THAT technology or platform. Plus how to secure every integration of those tools and platforms. So it is a continuous learning curve 📚
To give you an example, think about the modern tech stack in our application systems:
🚀 We have a large containerized micro services application, that is running in Kubernetes cluster on AWS cloud platform
🚀 It persists data in 10 different types of databases and talks to 10s of external service APIs
🚀 Plus all that infrastructure is geo-distributed to deliver high performance for users around the globe
🚀 And we have a streamlined CI/CD pipeline that deploys to the cluster
Which is what many real world projects look like and what you actually learn to build end to end, in our DevOps bootcamp 💪👇
With such complex setup, where technologies are inter-connected, you need to tell your team, to not only set this whole thing up, so everything is working properly (which is a challenge on its own), but to also make sure everything is set up securely, without any security vulnerabilities.
Imagine how many entry points and how large of an attack surface such a complex system has, that may allow different types of attacks 👇⚡️
Examples of Security Vulnerabilities
⚡️ Within the application code:
Your own code or third party apps and libraries, that allow for SQL injection, or cross site scripting or forging requests from clients or even worse from servers
⚡️ Within your application container image: The image OS layer, image configuration, using a root OS user, third party OS packages with security vulnerabilities
⚡️ Now, that container will run somewhere, like K8s cluster: So the question is "Is cluster secured from outside":
How secure is the access to cluster
Is API server publicly accessible or only from within the internal network?
Have you opened any unneeded ports on worker nodes, that allow access into cluster nodes?
What about access management to the cluster, who has what permission?
Do they have static long-term credentials or more secure short-lived tokens, that expire, so even if attackers get access to them, they aren’t valid long enough.
Now that’s just outside the cluster, what about inside the cluster? Once the attacker is inside, do they have wide open network, where 1000s of pods can all talk to each other freely, where control plane processes can be easily accessed, that potentially allows to completely destroy the cluster? Because in k8s, pod to pod communication is not encrypted by default etc.
⚡️ Now K8s isn’t just floating around in air, right? It’s running on actual infrastructure, let’s say cloud infrastructure on AWS, well what about servers? If someone is able to SSH into any worker node, they can access K8s, container or cloud processes running on the server directly, they don’t even need to go through K8s API server to mess up your cluster or access your applications. What if you left your VPC wide open with public access to your load balancer, your servers and other cloud resources used for the cluster, thus increasing the attack surface 🤯
⚡️ What about CI/CD accessing your cluster to make deployment updates? What permissions does your CI/CD have?
Is it able to delete components in all Kubernetes namespaces and do real damage, bring down all the apps?
So if an attacker hacked into 1 system, like CI/CD tool, through an outdated Jenkins plugin for example, which was not validated for security vulnerability, will they get access to credentials stored in your CI/CD platform, to your private repos, k8s cluster, AWS account? And if yes, what permissions do those credentials have? Are they restricted or can they do a lot of damage? 🤔
⚡️ And we can go on and on, with secret management tools, credentials rotation, etc. But you got the point ☝️
Security is complex, because the systems are complex.
[OWASP Top 10: https://owasp.org/www-project-top-ten/]
As you see security should be implemented in layers, to protect every layer of the system. And the closer you get to the more precious things, like payment data, personal finance data, production servers etc, the tighter the security should get! 🔒
And this is the approach we take in the DevSecOps bootcamp 👉
We learn exactly what those layers are, and how to secure each layer, each element of our systems one by one, so we end up with a fully fortified system 🔰
This skillset is one of the most important engineering skills for any organization. Therefore investing your time and resources to learning this skills will absolutely skyrocket your career. And even take you immediately from a mid-level to senior engineer 🥷
🚨 3 important things to consider when thinking about Security
🚨 Defence is more difficult than attack
Because attacker only needs one weak link or 1 opening to enter your system, while in defence, you need to secure every single opening and entry point
🚨 And that’s why, security should be implemented in layers
So security is not a large tall wall you build around your systems. It’s multiple layers of walls within your systems. So when attackers find a whole in the first wall and sneak in, they are faced with another wall, and another etc.
🚨 Tracking and Monitoring
And finally, security measures aren’t just limited to making it hard to break into a system, but also tracking and monitoring the behavior when attacker is attempting to break into the systems. And ideally alerting you about the suspicious behavior or potential break-in and provide you with logging data to analyze what actually happened.
Similar to having cameras and alarm system in a well protected building
So the issue with current security state is, that even though security issues have become more challenging, the security measures have stayed same.
The Pitfalls of Treating "Security as an Afterthought"
Traditional approach of developing everything, setting up things, and right before production or pre-production, asking: "Hmm, everything is working fine, but have we also secured things?" is largely inefficient 🤦
Like we built the building with the best design and a beautiful facade, furniture, but is the building secure? But do we have strong doors, do we have security system inside in case someone tries to break in? We are thinking about security after the main functionalities have been implemented.
And security as afterthought means, that those potential security issues get analyzed after the work is done.
Those found issues block release, so it comes back to engineers who need to fix those issues.
2 problems with implementing security like that
Long Feedback Cycles 🔄
It creates long iterations in software development and slows down the release process, compared to if we checked and found security issues earlier, during development
Higher Chance of Errors ❌
When you are checking security issues all at once of 50 new features & bug fixes and 50 configuration changes, you may more easily oversee stuff and more issues may slip into production. Also naturally you have a higher chance of human error, when this is done manually
DevOps and Security | Security Bottleneck in DevOps 📛
Now, when we bring DevOps in the mix, we have streamlined and optimized the application development and release pace.
We are releasing fast, or trying to releasing fast, but all those attempts get blocked by having a manual, slow security checks right before the release, which is done by security engineers or compliance team or even external pen testers:
And this may take weeks or months. So we are just aggravating the security bottleneck with DevOps 🙈
DevSecOps vs DevOps
Here is my simplified definition of what is DevOps. What it really comes down to eventually is:
“DevOps is anything, any tool or concept, used to remove any bottlenecks on the way of releasing and delivering changes to the end user fast and with minimum bugs”
This applies whether it’s application or infrastructure changes.
So naturally if security is a bottleneck, that should become part of DevOps issue that we have to eliminate.
So DevOps naturally should include security, but as I often say: “reality and theory or how it’s supposed to be, are 2 different scenarios" 🤷🏻♀️
So in practice, it so happened that DevOps left out security.
It focused on development and fast release cycle, but security teams and external pen tests stayed outside the DevOps cycle.
What is DevSecOps and Why is DevSecOps so important
So as a reminder, to highlight the importance of security in DevOps, DevSecOps emerged:
Also as we saw, security is overarching the entire software development lifecycle (SDLC), all parts and layers. And as you also know, DevOps affects entire software development lifecycle too.
So DevSecOps is taking that overarching security and integrating it in all DevOps steps from start to finish, from automated tests to building and deploying steps.
This means, DevSecOps is really:
"DevOps that doesn’t forget about security"
So the responsibility of fixing security issues and secure implementation still lies with individual teams, who have the expertise in those specific areas, but DevSecOps creates an over-stretching CI/CD process and automated processes that measure what’s called the security posture, basically giving us a visibility of how secure your systems are.
That's what is meant by DevSecOps.
Now how does DevSecOps do all these? 🤔
5 Main DevSecOps Concepts 🔰 💡
Automation is the key here as well, just like it is in DevOps in general.
So with DevSecOps we automate checking and validating all these layers of security in different parts of the SDLC.
And there are tools and technologies to run those automated tests.
So what are those automated checks and where in the release pipeline are they added?
1) SAST - Static Application Security Testing
First we wanna check security of our application code:
Do we allow for SQL injection because we aren’t sanitizing user input?
Are we using weak or outdated encryption algorithm to encrypt user passwords?
Do we allow downloading scrips and images from any source in our frontend code?
This is called "Static Application Security Testing" or SAST, where various SAST tools will validate static code for such security issues.
So SAST tools will basically scan the codebase for known patterns and common coding mistakes that could lead to security issues.
2) Secret Scanning
We also wanna check our code for any hard-coded secrets.
Maybe developers forgot to remove API keys they used during testing or maybe they hard coded passwords for database connection etc.
Secret scanning tools can be used to go through code and identify any hard-coded access tokens, API keys, passwords etc.
Again in the DevSecOps bootcamp we go into detail and learn various use cases of hard coded secrets, as well as how to use these tools in pre-commit hooks, so they don’t even end up in code repository commit history in the first place 👏
3) SCA - Software Composition Analysis
We also wanna check whether code from other engineers that we use in our application has any such issues.
Like libraries, frameworks we are using as dependencies. They are code too, and those engineers may also write insecure code just like our engineers.
This is called "Software Composition Analysis" or "SCA".
So we use SCA tools to scan all our application dependencies for any publicly known, already discovered vulnerabilities and identify whether we are using any outdated versions of third party software with known security issues.
4) DAST - Dynamic Application Security Testing
Now above are all static checks, which means they all do analysis on the static code base. But there are some security issues that can only be caught while the application itself is running.
This is called "Dynamic Application Security Testing" or "DAST", which is a testing method that assesses a RUNNING application to identify security vulnerabilities.
It sends various malicious requests to the application, as a hacker would do, and observes how the app responds, looking for potential security weaknesses.
So basically, very simply explained, we are putting ourselves in the shoes of a hacker and trying to hack our own app and systems. 🤠
If we succeed, hackers will too.
5) Image Scanning
In modern applications, using container images to deploy our application is pretty much a standard already. So when we build an application image, we wanna validate the security of the image artifact itself.
Again, there are tools that scan the image layers, to find any security issues. Like:
Are we using a root OS user in the image
Are we using a deprecated vulnerable OS package
Are we using a bloated image with lots of tools that we don’t actually need, thus increasing the attack surface and risk unnecessarily?
Next Steps:
Learn Advanced, Real-World DevSecOps Implementations 🚀
Now understanding these core DevSecOps concepts is great to get you started with the topic 👍
But when it comes to actually implementing this in your organization, evaluating various tools, building complete DevSecOps pipelines, securing cloud platforms, K8s clusters etc, things get more complex.
Hands-On Real-World Projects is the key 🔑
Knowing how to do all this hands-on, is just tremendously valuable skillset, but also a pretty complex one to learn. You need a structured, detailed guide that shows you how to do every step and explains the concepts behind every single tool, configuration or platform, with simple words and visualizations 🤝
And that's exactly what we have created with our DevSecOps bootcamp. It's a 4-month program that will help you learn this highly demanded skillset in the simplest and fastest way possible 💪
We cover the individual security issue types in the bootcamp in detail and even learn how to fix some of this issues in code. We go beyond just automated security checks, and learn security best practices of deploying from CI/CD to EC2 instances or K8s clusters.
We learn how to evaluate false positives and tweak various DevSecOps tools, to deliver more high quality results 💎
We learn how to visualize the scan reports in a vulnerability management tool like Defect Dojo and even automate the process by automatically uploading all scan results to DefectDojo using a custom Python script 🤠
We learn how to analyze the discovered security issues, understand what CWEs and CVEs are and how to use them in analyzing and fixing those issues.
Now all this is JUST part 1 of our DevSecOps bootcamp 🤫
AWS Cloud Security, Kubernetes Security
In part 2 we dive into even more interesting topics, like AWS cloud security, using various AWS services, to configure logging and monitoring, as well secure access to servers and clusters, AWS services for creating of secrets and encryption keys.
We then learn everything about Kubernetes security:
🔥 Starting with the K8s security best practices
🔥 to secure access management with K8s RBAC and AWS IAM service,
🔥 to security cluster internal communication using Istio Service Mesh,
🔥 securely create and use secrets in K8s with external secrets manager service, integrated with AWS secrets manager and Hashicorp Vault
We also learn how to enforce security policies in K8s, using Policy as Code implementation OPA Gateway.
And the best thing, we learn how to provision and configure all of this in a fully automated way using Terraform IaC and ArgoCD GitOps. So no changes to K8s happen with manual kubectl commands, but rather a streamlined Application and IaC pipeline:
No worries, all of this is learnt step by step, chapter by chapter, building on top of previous concepts and extending previous demos. Thus, you learn how to combine various different tools, instead of learning things isolated, leaving you with knowledge gaps.
And we end the program, with the overarching topic of Compliance as Code and learn what CIS benchmarks are and how to configure automatic alerting and remediation for any compliance violations in AWS cloud platform.
That means, lots of tools and concepts involved.
So 1 hour is really a drop 💧 in this large DevSecOps ocean, to learn about it.
So If you want to become a confident Senior Engineer that is irreplaceable for companies, this DevSecOps certification program will absolutely skyrocket your career with extensive DevSecOps projects that mirror actual real-life implementations with best practices. Find out more HERE.
Summary of DevSecOps Course
In conclusion, DevSecOps represents a paradigm shift in software development, placing security at the forefront of the process.
By integrating security measures, automating checks, and involving all stakeholders, DevSecOps ensures that software is not only developed faster, but also more robust and secure from the start.
It's a fundamental approach for organizations looking to thrive in an increasingly digital and interconnected world 🌎
[AWS Cloud Security: https://aws.amazon.com/security/]
[Official DevSecOps manifesto: https://www.devsecops.org/]
So overall, this makes the release process fast again by reducing the feedback cycle on any security issues, by infusing the security checks throughout the pipeline, instead of having it as a big task right before the release ✅
If it was helpful, share the article on LinkedIn with your engineering network 😍👇