DevSecOps Security automation - MettupalliInc/ApplicationSecurity GitHub Wiki
https://devops.com/early-automation-key-requirement-devsecops-success/
Using SAST Tools
Static application security testing (SAST) tools scan source code and give developers immediate feedback on security-related issues, so that the potential vulnerabilities can be remediated as part of the standard workflow.
However, static analysis alone may not be sufficient to detect all problems in the code.
Automating DAST
Automated dynamic application security testing (DAST) searches for vulnerabilities at run time, while the application is executing, and is a major improvement over static analysis, which only looks for potential security issues in the code.
Including automated security analysis early in the development life cycle limits the introduction of vulnerable code. Runtime analysis of the issues detected through automation lets developers prioritize which code problems need to be fixed first.
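The two sections above describe SAST and DAST findings being fed back to developers and prioritized. The example below (added here; it is not code from the wiki or from either tool) shows one way a pipeline can consume both kinds of report: it reads a Bandit JSON report (SAST) and a ZAP baseline JSON report (DAST), normalizes their severity labels onto one scale, and fails the build when anything at or above a threshold is present, listing the blocking findings highest severity first. The sample reports are constructed and only shaped like the tools' output; the field names used (`issue_severity`, `riskcode`, etc.) are the ones those tools emit, but the gate tolerates missing fields and fails closed on unknown severities.

```python
"""Build gate over SAST (Bandit) and DAST (ZAP baseline) JSON reports.

Added example for illustration; not part of OWASP DevSecOps Studio or either tool.
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass

# Unified severity scale; tool-specific labels are mapped onto it below.
SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}

# ZAP reports risk as a numeric code: 0 info, 1 low, 2 medium, 3 high.
ZAP_RISKCODE = {"0": "INFO", "1": "LOW", "2": "MEDIUM", "3": "HIGH"}


@dataclass(frozen=True)
class Finding:
    source: str     # "sast" or "dast"
    severity: str   # one of SEVERITY_RANK's keys
    title: str
    location: str   # file:line for SAST, URI for DAST


def rank(severity: str) -> int:
    """Unknown labels are treated as HIGH so a new or malformed label never slips past the gate."""
    return SEVERITY_RANK.get(severity.upper(), SEVERITY_RANK["HIGH"])


def parse_bandit(report: dict) -> list[Finding]:
    """Bandit (-f json) puts each issue in results[] with severity, text, file and line."""
    return [
        Finding(
            source="sast",
            severity=r.get("issue_severity", "HIGH").upper(),
            title=f'{r.get("test_id", "B???")}: {r.get("issue_text", "")}',
            location=f'{r.get("filename", "?")}:{r.get("line_number", "?")}',
        )
        for r in report.get("results", [])
    ]


def parse_zap(report: dict) -> list[Finding]:
    """zap-baseline.py -J nests alerts under site[]; each alert lists the URIs it was seen on."""
    findings = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            uris = [i.get("uri", "?") for i in alert.get("instances", [])]
            findings.append(Finding(
                source="dast",
                severity=ZAP_RISKCODE.get(str(alert.get("riskcode", "3")), "HIGH"),
                title=alert.get("alert", "unnamed alert"),
                location=uris[0] if uris else site.get("@name", "?"),
            ))
    return findings


def gate(findings: list[Finding], threshold: str = "MEDIUM"):
    """Return (passed, blocking); blocking is ordered highest severity first."""
    limit = SEVERITY_RANK[threshold]
    blocking = [f for f in findings if rank(f.severity) >= limit]
    blocking.sort(key=lambda f: (-rank(f.severity), f.source, f.location))
    return (not blocking), blocking


# Constructed sample reports, shaped like the tools' JSON output (not real scan data).
SAMPLE_BANDIT = {
    "results": [
        {"test_id": "B602", "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "issue_text": "subprocess call with shell=True identified, security issue.",
         "filename": "app/tasks.py", "line_number": 42},
        {"test_id": "B101", "issue_severity": "LOW", "issue_confidence": "HIGH",
         "issue_text": "Use of assert detected.",
         "filename": "app/utils.py", "line_number": 7},
    ]
}
SAMPLE_ZAP = {
    "site": [{
        "@name": "http://app.internal.test",
        "alerts": [
            {"riskcode": "2", "alert": "X-Frame-Options Header Not Set",
             "instances": [{"uri": "http://app.internal.test/login"}]},
            {"riskcode": "0", "alert": "Information Disclosure - Suspicious Comments",
             "instances": [{"uri": "http://app.internal.test/"}]},
        ],
    }]
}


def run_gate(bandit_report: dict = SAMPLE_BANDIT, zap_report: dict = SAMPLE_ZAP,
             threshold: str = "MEDIUM"):
    """Combine both report types and apply the gate; returns (passed, blocking)."""
    findings = parse_bandit(bandit_report) + parse_zap(zap_report)
    return gate(findings, threshold)


if __name__ == "__main__":
    # Usage in CI: python gate.py bandit.json zap.json  (falls back to the samples).
    reports = [json.load(open(p)) for p in sys.argv[1:3]] if len(sys.argv) >= 3 else [SAMPLE_BANDIT, SAMPLE_ZAP]
    passed, blocking = run_gate(*reports)
    for f in blocking:
        print(f"[{f.severity}] ({f.source}) {f.title} @ {f.location}")
    print("gate:", "PASS" if passed else "FAIL")
    sys.exit(0 if passed else 1)
```

With the samples and the default MEDIUM threshold the gate fails on the HIGH Bandit finding and the MEDIUM ZAP alert while the LOW and INFO findings are reported but not blocking; raising the threshold to HIGH lets the missing-header alert through, which is how a team tunes the gate so that early, noisy phases of adoption do not block every build.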
Integrating Security Tools in the SDL using OWASP DevSecOps Studio
Ref: https://open-security-summit.org/outcomes/tracks/devsecops/user-sessions/integrating-security-tools-in-the-sdl-using-owasp-devsecops-studio/
After a discussion of DevSecOps and its history and motivations, participants were introduced to OWASP DevSecOps Studio. This included the following topics:
- Benefits of integrating security tools in the SDL
- CI/CD and security tools
- Different challenges involved in integration
- Using DevSecOps Studio for hands-on exercises with open source projects
Synopsis and Takeaways
Integrating security tools into the software development lifecycle ensures appropriate protection for all the information that the system will transmit, process, and store.
Typical Security Activities in DevOps:
- Plan: Threat Modelling; ASVS
- Code: Git Secrets; Dependency scanning
- Build: Dependency scanning; SAST; Security Unit Tests; Git Secrets scanning; Component scanning
- Test: ZAP testing (baseline); Container Scanning; ModSecurity CRS
- Release: Docker/Third Party SSL scanning; Nikto/dirbuster; WPScan/JoomScan; ZAP + Selenium + Python; Component scanning
- Deploy: Docker Benchmark; System Hardening; Application Hardening
- Operate: Compliance as code; SOC with ELK
- Verify Controls
OWASP DevSecOps Studio:
The DevSecOps Studio project aims to reduce the time needed to bootstrap the environment and help you concentrate on learning or teaching DevSecOps practices.
The Benefits of DevSecOps Studio
- Easy to set up: the environment takes only a few minutes to set up and starts with just one command (“vagrant up”)
- Free & Open Source Software: this project is free and open software to help more people learn about DevSecOps
- Reproducible: the aim of this project is to set up a reproducible DevSecOps lab environment for learning and testing different tools
Some of the Python security tools discussed:
- SAST: Bandit
- DAST: ZAP Proxy
- Hardening: Ansible
- Compliance: InSpec
- Git Secrets: Trufflehog
DevSecOps Studio Setup
DevSecOps Studio uses Vagrant, VirtualBox and Ansible to set up the lab environment. You can visit the vendors’ websites to download the above software for Windows/Linux/macOS.
Install Vagrant, VirtualBox and Ansible, then follow the steps below.
1. Download the DevSecOps-Studio Appliance (4.45 GB)
2. Import the above Appliance by following these steps
3. Follow the wiki to embed security as part of the DevOps pipeline
References
- Session page
Additional/External References
- OWASP DevSecOps Studio Project Page
- DevSecOps Studio Project on GitHub
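The Git Secrets scanning listed under the Code and Build phases above, and the Trufflehog entry in the tools list, both rest on the same idea: inspect what a commit adds before it reaches the shared repository, using known credential formats and an entropy check for opaque tokens. The example below (added here; it is not code from the wiki, from git-secrets or from Trufflehog) implements that idea over the added lines of a unified diff, the way a pre-commit or CI hook would. The diff, the rule set and the threshold are constructed for illustration; the AWS key in the sample is the documented example value, not a live credential.

```python
"""Secret scanner over the added lines of a unified diff, in the spirit of
git-secrets (pattern rules) and Trufflehog (high-entropy strings).

Added example for illustration; not part of DevSecOps Studio or of either tool.
"""
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Pattern rules for well-known, publicly documented credential formats.
PATTERN_RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Assignment of a quoted value (8+ chars) to something that looks like a secret name.
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}
# Entropy rule: base64/hex-looking runs of 20+ chars whose Shannon entropy is high.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; constructed threshold, tune per code base
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Hit:
    rule: str
    line_no: int   # line number in the new version of the file
    snippet: str   # masked: only the first few characters of the match are kept


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's byte distribution (0 for empty or uniform)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(match: str) -> str:
    return match[:6] + "***"


def scan_line(line: str, line_no: int) -> list[Hit]:
    """Apply pattern rules, then the entropy rule, to a single added line."""
    hits = [Hit(name, line_no, mask(m.group(0)))
            for name, rx in PATTERN_RULES.items() for m in rx.finditer(line)]
    for m in TOKEN_RE.finditer(line):
        if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
            hits.append(Hit("high_entropy", line_no, mask(m.group(0))))
    return hits


def scan_diff(diff_text: str) -> list[Hit]:
    """Scan only '+' lines inside hunks (what the commit introduces); removed lines and
    the ---/+++ file headers are ignored. Line numbers come from the hunk headers."""
    hits: list[Hit] = []
    line_no, in_hunk = 0, False
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git"):
            in_hunk = False
            continue
        m = HUNK_RE.match(raw)
        if m:
            line_no, in_hunk = int(m.group(1)) - 1, True
            continue
        if not in_hunk or raw.startswith("\\"):   # headers, or "\ No newline at end of file"
            continue
        if raw.startswith("+"):
            line_no += 1
            hits.extend(scan_line(raw[1:], line_no))
        elif not raw.startswith("-"):
            line_no += 1   # context line advances the new-file line counter
    return hits


# Constructed sample diff; the AWS key is the documented example value.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,4 +10,7 @@ DEBUG = False
 ALLOWED_HOSTS = ["app.internal.test"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "correct-horse-battery"
+SESSION_SALT = "Zq8vL2mN9xKpR4tWyB7cJ3dF"
-OLD_SETTING = True
+LOG_PATH = "/var/log/app/server.log"
"""

if __name__ == "__main__":
    # A hook would read `git diff --cached` from stdin; the sample diff is used here.
    for h in scan_diff(SAMPLE_DIFF):
        print(f"line {h.line_no}: {h.rule} ({h.snippet})")
```

The scanner reports the AWS key by format, the password by the name of the variable it is assigned to, and the salt only because of its entropy; the log path, although long, stays below the threshold. Masking the snippet matters because the hook's own output lands in CI logs, which are usually far more widely readable than the repository.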