DevSecOps using GitLab Secure

Yann Mulonda, published in Dev Genius, May 6, 2021


In the traditional IT development process, security gets involved at the end of the stack, once the application or software is already built. Every now and then, the dev team requests security scans of their applications from the security team. This applies even to teams that work in a DevOps fashion.

This is where Development, Security, and Operations, aka DevSecOps, comes in.

What is DevSecOps?

DevOps and DevSecOps methodologies share similar aspects, including the use of automation and continuous processes for establishing collaborative cycles of development. However, while DevOps prioritizes delivery speed, DevSecOps builds on the cultural changes of DevOps to integrate the work of security teams sooner rather than later.

source: RedHat.com

DevSecOps consists of integrating IT security practices into the full life cycle of your application. To put it simply, it means thinking about application and infrastructure security from the start, instead of isolating the role of the security team in the final stage of development. Security is considered a shared responsibility to be integrated from end to end.

This also involves automating some security gates so the DevOps workflow does not slow down, such as automated testing or scanning every time a developer pushes new code to your app's CI/CD pipeline. These practices provide better visibility into things such as vulnerabilities, code coverage, and risks.

Gitlab Enterprise security scanning

GitLab Secure provides Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Container Scanning, Dependency Scanning, and License Compliance to help you deliver secure applications.

Static Application Security Testing (SAST) — Scans the application source code to check for vulnerabilities before deployment (for example, bad code that might lead to SQL injection).

Dependency Scanning — Analyzes all external dependencies such as libraries (for example, use of an outdated version of a library).

Container Scanning — Checks Docker images for known vulnerabilities in the application environment (such as an outdated version of a dependency). It does this using an open-source tool known as Clair.

Dynamic Application Security Testing (DAST) — Analyzes a running web application for known vulnerabilities (such as a missing X-Content-Type-Options header). It does this by running a live attack against the review app or an environment.

License Scanning — Scans all the licenses within the dependencies of a project and matches them against an approved or denied list. This list is based on a set of policies set by the security team.

Secret Detection — A recurring problem when developing applications is that developers may unintentionally commit secrets and credentials to their remote repositories. If other people have access to the source, or if the project is public, the sensitive information is then exposed and can be leveraged by malicious users to gain access to resources like deployment environments. Secret Detection scans the content of the repository to find API keys and other information that should not be there. — Source: GitLab application_security

The security scans display vulnerabilities in a uniform UI where a developer can resolve them before merging to master. The security posture of a project or group of projects can be further assessed via the Security Dashboard.

DevSecOps Showcase

For this showcase demo, we’re building on a demo Node.js project. The project was written and designed for the SEIS 664 IT Delivery course (graduate level) at the University of St. Thomas (St. Paul, MN) by Professor Charles Betz. Feel free to check out the GitLab repo, the course content, and the demo project to learn more about it.

Before you get started on this, make sure that you have completed the previous session on the Terraform Showcase.

All the security scans described above can be added to your DevOps CI/CD pipeline by including the default templates provided by GitLab. Take a moment to review the code and get a sense of what the templates do: Security Templates.

Enabling security Scans

  • NOTE: Enabling Auto DevOps will enable all the scans in your current project’s CI/CD pipeline. For more details, see Auto DevOps.

We’ll do this by manually including the security scan templates in the existing .gitlab-ci.yml file, as shown below:
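The shape such an include block takes, as an added example and not the course project’s own .gitlab-ci.yml (the stage layout, the build job, and the DAST_WEBSITE value are assumptions; the template paths are GitLab’s stock security templates):

```yaml
# Added example of a .gitlab-ci.yml that pulls in GitLab's default security
# templates. Stage names, the build job and DAST_WEBSITE are assumptions,
# not the course project's configuration.
stages:
  - build
  - test   # SAST, Secret Detection, Dependency, Container and License scans run here
  - dast   # the DAST template places its job in a stage named "dast"

include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml

variables:
  # DAST sends its checks to this URL. Point it at a review app or a
  # disposable test environment, never at production (placeholder value).
  DAST_WEBSITE: https://review-app.example.com

# Container Scanning looks for the image the pipeline built, by default
# $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA, so the build job
# pushes the image under exactly that name.
build:
  stage: build
  image: docker:20.10
  services:
    - docker:20.10-dind
  script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA"
```

Once this is committed, each scan job uploads a report that the merge request widget and the Security Dashboard read; a job that fails to find its input (for example Container Scanning when no image was pushed) shows up as a failed or skipped scan rather than a clean result, so check the job logs the first time round.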

Now, commit a change, watch your new DevSecOps CI/CD pipeline in action, and check your security and compliance board:

You have probably noticed that we have many vulnerabilities due to outdated versions of dependencies.

Now you can explore ways to update the Node.js and other Docker container package dependencies while building the image. You can start by modifying the Dockerfile and adding the following:

Run your pipeline again and compare to see whether your Vulnerability Report looks different. Check which vulnerabilities have been resolved thanks to the update:

Go from there to continuously improve your app security 🙂

If you enjoyed this, you might also like: How to Launch AWS CloudFormation using a Lambda function

Cheers!!!
