DevOps is a set of cultural philosophies, practices, and tools that brings software development together with IT operations. These combined practices let companies deliver new application features and improved services to customers at a higher velocity.
Security testing is often treated as an 'after the process' necessity, which leaves ongoing operations exposed to malicious attacks. When application security testing is done only after software delivery, security defects are found at the last stage, and eliminating them is very expensive and time consuming. Making security a part of the process itself is the only way to ensure safety.
SSDLC (Secure Software Development Life Cycle) is the approach of integrating security practices into the software development life cycle and creating a security-as-code culture.
Advantages of SSDLC:
- Early identification of vulnerabilities in code during development
- Greater flexibility in managing sudden changes during the development lifecycle
To implement the SSDLC pipeline we use the Java-based, deliberately vulnerable WebGoat application. We inject the following security checks into the Jenkins pipeline:
- Secret Scanning
- SCA (Software Composition Analysis)
- SAST (Static Application Security Testing)
- DAST (Dynamic Application Security Testing)
Reference guidelines:
- DevSecOps Guidelines
- OWASP secure coding practices
- Java SE - Secure Coding Guidelines for Java SE
- OWASP Top 10 - Top 10 security risks from OWASP
Secret scanning searches through git repositories for secrets, digging deep into commit history and branches. This is effective at finding secrets that were accidentally committed, including those later removed from the working tree but still present in history.
Software Composition Analysis (SCA) tools find the common open source libraries and components used in an application, compare the findings against a list of known vulnerabilities (e.g., Common Vulnerabilities and Exposures, or CVEs), and determine whether components have known and documented vulnerabilities, are out of date, and have patches available.
SAST tools analyze source code to look for security issues in an application without running it, and support a large number of languages. They usually have quite a high false positive rate, because they cannot track data through a running app and instead rely on a degree of guesswork to determine whether flaws exist.
DAST tools run automated penetration testing scans against a running service as a black box. They probe the service for well-known vulnerability classes; scans can take a while because of the vast number of checks, as well as the crawling needed to discover all the endpoints.
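The following declarative Jenkinsfile is an added example of how the four checks above can be wired into one pipeline for WebGoat; it is not part of the original project. The secret scanner (gitleaks), the SonarQube server name `sonarqube`, the Sonar project key, the WebGoat jar path and login URL, the Dependency-Check CLI being on the agent's PATH, and the ZAP baseline script being available are all assumptions. Each stage is set up so that a finding fails the build rather than only producing a report.

```groovy
// Added example (not from the original page): Jenkins declarative pipeline that runs
// secret scanning, SCA, SAST and DAST against a WebGoat build.
// Assumed: gitleaks, dependency-check.sh, mvn and zap-baseline.py are on the agent's PATH,
// and a SonarQube server named 'sonarqube' is configured in Jenkins.
pipeline {
    agent any

    environment {
        SONAR_SERVER   = 'sonarqube'                     // assumed Jenkins SonarQube server name
        TARGET_URL     = 'http://localhost:8080/WebGoat' // assumed address WebGoat listens on
        CVSS_THRESHOLD = '7'                             // SCA fails on any dependency at/above this score
    }

    options {
        timeout(time: 60, unit: 'MINUTES')
    }

    stages {
        stage('Checkout') {
            steps {
                checkout scm
            }
        }

        stage('Secret Scanning') {
            steps {
                // gitleaks walks the full commit history, not only the working tree;
                // --exit-code 1 turns any finding into a failed stage
                sh 'gitleaks detect --source . --report-format json --report-path gitleaks-report.json --exit-code 1'
            }
        }

        stage('Build') {
            steps {
                sh 'mvn -B -DskipTests clean package'
            }
        }

        stage('SCA - Dependency-Check') {
            steps {
                // --failOnCVSS makes the CLI exit non-zero when a known CVE meets the threshold,
                // so a vulnerable library breaks the build instead of landing in a report nobody reads
                sh """
                    dependency-check.sh --project WebGoat --scan . \\
                        --format ALL --out dependency-check-report \\
                        --failOnCVSS ${CVSS_THRESHOLD}
                """
            }
        }

        stage('SAST - SonarQube') {
            steps {
                withSonarQubeEnv(SONAR_SERVER) {
                    sh 'mvn -B sonar:sonar -Dsonar.projectKey=webgoat' // project key is assumed
                }
            }
        }

        stage('Quality Gate') {
            steps {
                // Waits for SonarQube to compute the gate; abortPipeline fails the build on a
                // red gate instead of silently continuing to deployment
                timeout(time: 10, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }

        stage('DAST - ZAP baseline') {
            steps {
                // Start the freshly built jar (assumed path), wait until it answers,
                // then run the passive ZAP baseline scan against it
                sh '''
                    nohup java -jar webgoat-server/target/webgoat-server-*.jar > webgoat.log 2>&1 &
                    echo $! > webgoat.pid
                    for i in $(seq 1 30); do
                        curl -sf "$TARGET_URL/login" > /dev/null && break
                        sleep 5
                    done
                    # zap-baseline.py exits non-zero when any rule reports WARN or FAIL
                    zap-baseline.py -t "$TARGET_URL" -r zap-report.html
                '''
            }
        }
    }

    post {
        always {
            // Stop the WebGoat instance started for DAST and keep every report as a build artifact
            sh 'if [ -f webgoat.pid ]; then kill "$(cat webgoat.pid)" || true; fi'
            archiveArtifacts artifacts: 'gitleaks-report.json, dependency-check-report/**, zap-report.html', allowEmptyArchive: true
        }
    }
}
```

Stage order matters: secret scanning runs before the build so leaked credentials are caught even if compilation fails, and the SCA and SAST stages gate on their own exit codes so the DAST stage, which needs a running instance, only spends its time on a build that has already passed the cheaper checks. The `withSonarQubeEnv` and `waitForQualityGate` steps come from the SonarQube Scanner for Jenkins plugin; everything else is plain `sh`.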
WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons.
This program is a demonstration of common server-side application flaws. The exercises are intended to be used by people to learn about application security and penetration testing techniques.
WARNING 1: While running this program your machine will be extremely vulnerable to attack. You should disconnect from the Internet while using this program. WebGoat's default configuration binds to localhost to minimize the exposure.
WARNING 2: This program is for educational purposes only. If you attempt these techniques without authorization, you are very likely to get caught. If you are caught engaging in unauthorized hacking, most companies will fire you. Claiming that you were doing security research will not work as that is the first thing that all hackers claim.
Prerequisites:
- Java 11
- Maven > 3.2.1
- Your favorite IDE
- Git, or Git support in your IDE
- Jenkins
- SonarQube
- OWASP ZAP proxy
- OWASP Dependency-Check