DevOps makes it easier and faster for organizations to design, develop, review, test, and deploy services to production than conventional software development organizations. This is achieved through collaboration among different teams and tools.
DevOps combines several processes to enable seamless collaboration and software product maintenance. Several organizations have started using DevOps to accelerate software development and release. As a result, security issues have simultaneously popped up, which also have to be tackled. You can use several tools for this. DevSecOps maintains security practices and follows guidelines at every stage of the software development process.
Challenges of DevOps Security
Sometimes, while enabling faster development, security practices are compromised. This creates open-source and security vulnerabilities in the software, prone to attacks like SQL injections, DDoS attacks, Cross-site Request Forgery, etc. On the other hand, security checks and testing slow down the development process, which the team won’t like. However, fixing these issues later in the process requires a lot more time and effort, thus increasing the delay in the software development lifecycle (SDLC).
DevOps Tools
Softwares around the world today depend on open source libraries maintained by individual maintainers. Though these can accelerate the development process and make it a lot less complicated, they come with their disadvantages—security vulnerabilities, improper access control management, and version deprecations. So whether one uses proprietary or open-source software, they have several issues that hackers can exploit. The development team has to tackle these issues, which ultimately leads to delay. Using specific tools to tackle these issues can prevent some of these delays.
Azure DevOps
There are several Azure DevOps services available that can be integrated with your existing code. Microsoft Azure offers Azure Boards, Pipelines, Repos, Artifacts, the extensions marketplace, and Azure Test Plans. Azure Pipelines lets you use continuous integration and continuous deployment for deploying your applications to the cloud. You can connect from a local git or an existing repository on GitHub. You can use several community-built extensions with Microsoft Azure to identify potential security threats in the code and used libraries.
Integrating Security to Your CI/CD Pipelines
DevOps is essential for organizations that scale their software, as it makes developing, testing, and deploying applications easier and faster. However, you cannot compromise safety for speed. It is important to identify security threats in the continuous integration pipeline itself so that secure applications are deployed faster. Security protocols must be complied with at every step of the development process.
Several tools can be applied at different stages of the development process, like pull requests via self-hosting open source vulnerability checkers, marketplace integrations to the Azure Pipeline, and final deployment.
You can conduct DAST (dynamic application security testing) with OWASP ZAP. It gives you a report that includes the results of the builds that are available in the log. The status of the bugs is available as well. It gets updated to ‘resolved’ once the issues are resolved. To understand how this can be done, we will be creating a test app with Python and Flask.
Create a folder python_web_app and create an app.py file with the following code:
from flask import Flask
app = Flask(__name__)
@app.route(“/”)
def home():
return “This is a test python web app!”
Next, specify dependencies in requirements.txt:
Flask==1.1.2
Your azure-pipelines.yml will look like this:
trigger:
– main
variables:
creation
azureServiceConnectionId: ’00c3f1ce-6f7c-41b4-a1bc-57fc08a4e472′
webAppName: ‘PythonWebApplication’
vmImageName: ‘ubuntu-latest’
environmentName: ‘PythonWebApplication’
manage.py file.
projectRoot: $(System.DefaultWorkingDirectory)
# Python version: 3.7
pythonVersion: ‘3.7’
stages:
– stage: Build
displayName: Build stage
jobs:
– job: BuildJob
pool:
vmImage: $(vmImageName)
steps:
– task: UsePythonVersion@0
inputs:
versionSpec: ‘$(pythonVersion)’
displayName: ‘Use Python $(pythonVersion)’
– script: |
python -m venv antenv
source antenv/bin/activate
python -m pip install –upgrade pip
pip install setup
pip install -r requirements.txt
workingDirectory: $(projectRoot)
displayName: “Install requirements”
– task: ArchiveFiles@2
displayName: ‘Archive files’
inputs:
rootFolderOrFile: ‘$(projectRoot)’
includeRootFolder: false
archiveType: zip
archiveFile: $(Build.ArtifactStagingDirectory)/$(Build.BuildId).zip
replaceExistingArchive: true
– upload: $(Build.ArtifactStagingDirectory)/$(Build.BuildId).zip
displayName: ‘Upload package’
artifact: drop
– stage: Deploy
displayName: ‘Deploy Web App’
dependsOn: Build
condition: succeeded()
jobs:
– deployment: DeploymentJob
pool:
vmImage: $(vmImageName)
environment: $(environmentName)
strategy:
runOnce:
deploy:
steps:
– task: UsePythonVersion@0
inputs:
versionSpec: ‘$(pythonVersion)’
displayName: ‘Use Python version’
– task: AzureWebApp@1
displayName: ‘Deploy Azure Web App : PythonWebApplication’
inputs:
azureSubscription: $(azureServiceConnectionId)
appName: $(webAppName)
package: $(Pipeline.Workspace)/drop/$(Build.BuildId).zip
You can find the Python_web_app and renovate-docker repositories on GitHub.
DevSecOps with Azure DevOps
Git secrets
Editor plugins can be used before committing code to the repository. At this stage, access tokens, storage account keys, and API access keys are identified. Git secrets is a pre-commit hook that does away with the need for committing passwords and access tokens to a repository.
Here’s how you can configure it:
Git clone https://github.com/awslabs/git-secrets.git
Cd git-secrets
Make install
If required, use sudo make install for installation.
Enable it on your repository:
cd Python_web_app
git secrets –install
git secrets –register-aws
Try!
Scan all files in the repo:
git secrets –scan
If you want to check only a certain file in your repository for secrets, use:
git secrets –scan FILE_PATH
With git secrets –scan -r /path/to/directory, you can scan a complete directory recursively for secrets.
Open Source Security Vulnerabilities
Your code may include several dependencies, e.g., third-party components, open-source libraries. Versions of these libraries will get deprecated with time. This has to be monitored so that the code can be updated accordingly on time. Security issues have to be checked constantly. You also need to identify problems related to open source licensing. There are tools that can help with all or some of these issues. Some of them include WhiteSource and Veracode.
WhiteSource Bolt
I personally love the free WhiteSource Bolt extension for Azure DevOps. It provides a detailed report on the severity of the security threats and suggests fixes. It also identifies open source licensing risks for third-party libraries. You can integrate it into your GitHub repository as well as your Azure DevOps pipeline.
Veracode
Veracode allows users to manage all security issues from a single place. It can be used with Azure Pipelines by installing the Veracode marketplace extension with your Azure DevOps organization. It identifies security threats early in the development process and allows you to stop the build and release if a critical security risk is detected. It also suggests fixes to remove the vulnerabilities.
Conclusion
If security vulnerabilities are identified at the later stages of the software development life cycle, it may cost a lot to fix them, way more than what would have been spent if the security issues had been detected at earlier stages. Hence, it is important for every organization developing software, to not only test their software for functionality but also scan for security and open source vulnerabilities as well before deploying it to production.