SlideShare a Scribd company logo

Implementing Secure DevOps on Public Cloud Platforms

Gaurav "GP" Pal
Gaurav "GP" Pal

Businesses are looking to accelerate the delivery of production quality software with fewer defects, and better security. Continuous Integration/Continuous Deployment (CI/CD) also known as DevOps is a rapidly maturing practice for reducing the time and effort it takes to test and deploy code into production. The rapid automation of the integration and deployment activities is common especially on cloud-based platforms. Adding security testing into the DevOps pipeline can help address the needs of regulated, compliance and public sector focused organizations. This white paper describes the use of open source technologies and commercial packages to design and deploy a Secure DevOps pipeline. Tools such as Yasca, SonarQube, and OpenSCAP amongst others when integrated with vulnerability scanners such as Tenable Nessus, HP Fortify and others provide a robust SecDevOps implementation. This white paper by stackArmor provides an overview on how an organization can implement a Secure DevOps pipeline and its key elements.

Technology
1 of 13
Download to read offline
IMPLEMENTING SECURE DEVOPS ON PUBLIC CLOUD PLATFORMS White Paper stackArmor DevOps Solutions Team This document is provided for informational purposes only. Readers are responsible for making their own independent assessment of the information in this document and any use of products or services, each of which is provided “as is” without warranty of any kind, whether express or implied. This document does not create any warranties, representations, contractual commitments, conditions or assurances. All copyrights and trademarks are acknowledged.
1 Contents Abstract...................................................................................................................................................2 What is Secure DevOps or SecDevOps?..................................................................................................2 Implementing a CI/CD Security Process..................................................................................................2 Develop Code......................................................................................................................................3 Commit Code to CI/CD........................................................................................................................3 Tools for a Secure DevOps Pipeline ........................................................................................................4 YASCA Static Code Analysis.................................................................................................................4 Yasca Severity Levels.......................................................................................................................4 SonarQube ..........................................................................................................................................4 Yasca-SonarQube Severity Mapping...............................................................................................4 Yasca Sample Reports.....................................................................................................................5 HPE Fortify Static Code Analyzer (SCA)...............................................................................................6 Fortify Severity Levels.....................................................................................................................6 Fortify-SonarQube Severity Mapping .............................................................................................6 Fortify Sample Reports....................................................................................................................7 Nessus.................................................................................................................................................9 OpenSCAP ...........................................................................................................................................9 OpenSCAP Severity Levels) .............................................................................................................9 OpenSCAP-SonarQube Severity Mapping.......................................................................................9 OpenSCAP Sample Report.............................................................................................................10 ClamAV..............................................................................................................................................10 Windows Defender ...........................................................................................................................10 Conclusion.............................................................................................................................................11 About stackArmor.................................................................................................................................11 Resources..............................................................................................................................................11
2 Abstract Businesses are looking to accelerate the delivery of production quality software with fewer defects, and better security. Continuous Integration/Continuous Deployment (CI/CD) also known as DevOps is a rapidly maturing practice for reducing the time and effort it takes to test and deploy code into production. The rapid automation of the integration and deployment activities is common especially on cloud-based platforms. Adding security testing into the DevOps pipeline can help address the needs of regulated, compliance and public sector focused organizations. This white paper describes the use of open source technologies and commercial packages to design and deploy a Secure DevOps pipeline. Tools such as Yasca, SonarQube, and OpenSCAP amongst others when integrated with vulnerability scanners such as Tenable Nessus, HP Fortify and others provide a robust SecDevOps implementation. What is Secure DevOps or SecDevOps? Secure DevOps is the integration of security scans and reviews as part of the application development and deployment process. The figure on the right shows a high- level view of a CI/CD Environment. The CI/CD or DevOps pipeline includes common enabling components such as Jenkins, Nexus, Chef and SonarQube amongst others. This white paper is primarily focused on the security aspects of DevOps and therefore does not go into the details of a DevOps pipeline. Implementing a CI/CD Security Process The CI/CD or DevOps Security lifecycle begins with code development and integration. As the code is committed for deployment, the CI/CD security processes are activated. Common action items including static code analysis, vulnerability scanning, anti-virus scans and other similar integrity functions. The results from the security scans are provided to project management and the Chief Information Security Officer (CISO) within the organization.
3 Figure: CI/CD Security Processes integrating within the overall code deployment and integration processes as an integral part of the overall pipeline Key aspects of the CI/CD security pipeline are described in greater detail below. Develop Code Development is performed on an independent virtual machine (VM) within the CI/CD environment by the application development teams. In order to comply with NIST requirements for applying secure engineering principles, application developers should utilize code analysis utilities to ensure safe coding practices are followed. Project teams should leverage code analysis utilities as early as possible in the development lifecycle. By leveraging code analysis capabilities, and correcting identified issues prior to submission to the formal Security process, the project will experience fewer delays and incidents of rework due to flaws and other security concerns. At a minimum, code analysis should be performed as code modules are completed, but it is not necessary for modules to be completely finished for code review to be useful. Any supported language source file can be individually scanned or scanned within a directory along with other source files. Commit Code to CI/CD As application code is committed to the CI/CD branch in the git repository CI/CD performs a security review utilizing automated static code analysis tools. The commit step formally triggers the security checks and scans are described in greater detail below.
4 Tools for a Secure DevOps Pipeline SecDevOps includes the execution of automated scanning tools and manual security reviews of results by the Security Team in order to facilitate the application deployment process. YASCA Static Code Analysis Yasca is a static source code analysis tool that performs a number of tests to identify actual and potential coding issues, to include those identified in the OWASP Top 10 listed in Section 3. It should be noted that Yasca, an open source tool is only one of tools to support secure coding practices. Other code analysis tools include HP Fortify, IBM AppScan, and others. Yasca utilizes individual plugins to perform scanning of targeted files. The Yasca implementation may include the following plugins (depending on the development environment): • Grep Plugin. Uses external GREPfiles to scan target files for simple patterns. • PMD Plugin. Uses PMD to parse and scan Java (and JSP) source code for issues. • JLint Plugin. Uses J-Lint to scan Java .class files for issues. • antiC Plugin. Uses antiC to scan Java and C/C++ source code for issues. • FindBugs Plugin. Uses FIndBugs to scan Java class and Jar files for issues. • Lint4J Plugin. Uses Lint4J to scan Java .class files for issues. Yasca Severity Levels Yasca plugins implement five (5) severity levels: • 1 – Critical • 2 – High • 3 – Warning • 4 – Low • 5 – Informational When code has been committed to the CI/CD Git repository the associated Jenkins job builds the code base. The Jenkins build invokes a Yasca scan of the committed code, which creates a Yasca report in HTML format as well as CSV format. The Yasca results CSV file is further processed and formatted into an xml document. After the Yasca file is processed, Sonar Scanner is invoked to analyze the created XML file using custom rules to map the Yasca results into the SonarQube dashboard. SonarQube SonarQube (formerly known as Sonar) is an open source tool suite to measure and analyse to quality of source code. SonarQube provides reporting and management oversight for the CISO and Security team to collect and monitor security issues as part of the CI/CD pipeline. Yasca-SonarQube Severity Mapping SonarQube implements five (5) severity levels: • Blocker • Critical • Major • Minor • Info Yasca severity levels are mapped to SonarQube severity levels in accordance with the table below:
5 Yasca Severity Level SonarQube Severity Level 1 – Critical Blocker 2 – High Critical 3 – Warning Major 4 – Low Minor 5 – Informational Info Yasca Sample Reports Once the mappings are established, Yasca scans performed as part of the CI/CD build process are configured to generate a detailed report of findings and piped into SonarQube. An example of a Yasca report finding is shown. CSV formatted reports are condensed versions providing Finding #, Plugin Name, Severity, Location, and Message fields. These CSV files are converted to an XML file that is imported to SonarQube. An example SonarQube report is provided below.
6 HPE Fortify Static Code Analyzer (SCA) Depending on the security needs of the organization additional security checks can be added. Commercial packages such as HPE Fortify Static Code Analyzer (SCA) provide static application security testing (SAST). It is used to analyse the source code of an application for security vulnerabilities. It reviews code and helps developers identify and resolve issues during development and testing. Fortify Severity Levels Fortify SCA implements four (4) severity levels: • Critical • High • Medium • Low Fortify-SonarQube Severity Mapping SonarQube implements five (5) severity levels: • Blocker • Critical • Major • Minor • Info Fortify severity levels are mapped to SonarQube severity levels in accordance with the table below:
7 Fortify Severity Level SonarQube Severity Level Critical Blocker High Critical Medium Major Low Minor -- Info Fortify Sample Reports By default HPE Fortify SCA natively produces a proprietary result file with an FPR extension. Fortify SCA may also be configured to produce a text (TXT) or an xml-based FVDL file. Fortify SCA also provides a Report Generator utility to produce PDF or XML files. For issues related to the flow of data, Fortify identifies a Source, the code that collects and sends input, and a Sink, the code that receives/processes the input. An example of the PDF report is shown below:
8 An example of the HTML Summary Report is shown below:
9 Nessus Nessus Vulnerability Scanner is a vulnerability scanner by Tenable. Nessus identifies system vulnerabilities, missing patches, and non-compliant system configurations. Scans can be performed on a periodic basis and the results are to the CI/CD Project Manager. Consistent with the DevOps culture, the application development teams are responsible for mitigating findings related to hosted applications. The CI/CD team is responsible for mitigating findings related to the underlying platform (OS, Database, Web Server). The CI/CD team coordinates with application development teams and/or the security team to address platform findings that may affect hosted applications. OpenSCAP OSCAP utilizes XCCDF checklist profiles to evaluate system configurations for the operating system against an established checklist profile. The CI/CD pipeline utilizes OSCAP to evaluate the system configurations for the instances supporting the CI/CD development pipeline. OpenSCAP Severity Levels OpenSCAP implements four (4) severity levels: • High • Medium • Low • Other OpenSCAP-SonarQube Severity Mapping SonarQube implements five (5) severity levels: • Blocker • Critical • Major • Minor • Info OpenSCAP severity levels are mapped to SonarQube severity levels in accordance with the table below: OpenSCAP Severity Level SonarQube Severity Level High Blocker Critical Medium Major Low Minor Other Info
10 OpenSCAP Sample Report ClamAV ClamAV is an antivirus scanner for Linux operating systems. ClamAV will be installed on Linux servers supporting application development. ClamAV is configured to scan local directories and files for known malicious code on a nightly schedule. The application development teams are responsible for mitigating findings related to hosted applications. The CI/CD team is responsible for mitigating findings related to the underlying platform (OS, Database, Web Server). Windows Defender Windows Defender is an antivirus scanner for Windows operating systems. Windows Defender will be configured on Windows servers and workstations supporting application development. Windows
11 Defender is configured to scan local directories and files for known malicious code on a nightly schedule. The application development teams are responsible for mitigating findings related to hosted applications. The CI/CD team is responsible for mitigating findings related to the underlying platform (OS, Database, Web Server). Conclusion The rapid adoption of cloud platforms such as Amazon Web Services (AWS) and use of Continuous Integration/Continuous Deployment (CI/CD) practices presents a unique opportunity to deliver more secure code by integrating security practices into the pipeline. There is a wide variety of open source and commercial tools that allow the creation SecDevOps pipelines that assist with the security and information assurance function. By integrating the performance of security testing and scanning as part of the build and deploy process, SecDevOps allows the ability to deliver Continuous Information Assurance. About stackArmor stackArmor is a AWS Certified partner with experienced cybersecurity and AWS solution architects with an experience deploying compliant applications for Healthcare, Financial Services, Public Sector, Department of Defense and Commercial customers including Non-profits. We help customers in the following areas: • AWS Cloud Architecture and Migration Services • DevOps and Automation Architecture and Implementation Services • AWS Managed Services and Cloud Operations • AWS Value-Added Resale and Hosting Support Services • Cybersecurity Compliance and Penetration Scanning Services Additionally, we have an out-of-the-box solution - stackArmor StackBuilderTM is a “Turbo Tax” like wizard for helping application owners quickly configure a fully functional AWS environment. The wizard walks the user through a series of simple questions through a 5 step process. Upon submission of the request, the user is presented with login credentials to a fully configured and operational environment ready to go. StackBuilderTM provides a rich and easy to use consumer-grade experience for non-technical users to jumpstart their projects by answering a series of simple questions. StackBuilder’s intelligent provisioning and capacity estimation engine leverages the rich set of services provided by the AWS cloud platform including wide variety of EC2 instances, Virtual Private Cloud (VPC), Auto Scaling Groups, Clustering and Elastic Load Balancers (ELB) amongst others. The user of StackBuilderTM does not have to go through the various steps associated with configuring and setting up the AWS infrastructure as they are handled automatically. This allows the user to focus on his project without waiting for costly consultants or the need for cloud infrastructure expertise. Please contact us at solutions@stackarmor.com or call at 888-964-1644. Resources 1. White paper on Cloud Security Best Practices and Common Errors. https://www.stackarmor.com/resources/
12 2. https://www.stackarmor.com/is-your-business-ready-for-the-coming-cybersecurity-tsunami/

Recommended

Bruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities
Bruh! Do you even diff?—Diffing Microsoft Patches to Find VulnerabilitiesBruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities
Bruh! Do you even diff?—Diffing Microsoft Patches to Find VulnerabilitiesPriyanka Aash
 
Tracking vulnerable JARs
Tracking vulnerable JARsTracking vulnerable JARs
Tracking vulnerable JARsDavid Jorm
 
AusCERT 2016: CVE and alternatives
AusCERT 2016: CVE and alternativesAusCERT 2016: CVE and alternatives
AusCERT 2016: CVE and alternativesDavid Jorm
 
Srikanth_testing resume
Srikanth_testing resumeSrikanth_testing resume
Srikanth_testing resumesrikanth Burra
 
OpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight SecurityOpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight SecurityDavid Jorm
 
Building world-class security response and secure development processes
Building world-class security response and secure development processesBuilding world-class security response and secure development processes
Building world-class security response and secure development processesDavid Jorm
 
SafeLogic is Better than Open Source Encryption - The Top 10 Reasons
SafeLogic is Better than Open Source Encryption - The Top 10 ReasonsSafeLogic is Better than Open Source Encryption - The Top 10 Reasons
SafeLogic is Better than Open Source Encryption - The Top 10 ReasonsWalter Paley
 
44CON & Ruxcon: SDN security
44CON & Ruxcon: SDN security44CON & Ruxcon: SDN security
44CON & Ruxcon: SDN securityDavid Jorm
 

Recommended

Bruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities
Bruh! Do you even diff?—Diffing Microsoft Patches to Find VulnerabilitiesBruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities
Bruh! Do you even diff?—Diffing Microsoft Patches to Find VulnerabilitiesPriyanka Aash
 
Tracking vulnerable JARs
Tracking vulnerable JARsTracking vulnerable JARs
Tracking vulnerable JARsDavid Jorm
 
AusCERT 2016: CVE and alternatives
AusCERT 2016: CVE and alternativesAusCERT 2016: CVE and alternatives
AusCERT 2016: CVE and alternativesDavid Jorm
 
Srikanth_testing resume
Srikanth_testing resumeSrikanth_testing resume
Srikanth_testing resumesrikanth Burra
 
OpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight SecurityOpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight SecurityDavid Jorm
 
Building world-class security response and secure development processes
Building world-class security response and secure development processesBuilding world-class security response and secure development processes
Building world-class security response and secure development processesDavid Jorm
 
SafeLogic is Better than Open Source Encryption - The Top 10 Reasons
SafeLogic is Better than Open Source Encryption - The Top 10 ReasonsSafeLogic is Better than Open Source Encryption - The Top 10 Reasons
SafeLogic is Better than Open Source Encryption - The Top 10 ReasonsWalter Paley
 
44CON & Ruxcon: SDN security
44CON & Ruxcon: SDN security44CON & Ruxcon: SDN security
44CON & Ruxcon: SDN securityDavid Jorm
 
Protecting your organization against attacks via the build system
Protecting your organization against attacks via the build systemProtecting your organization against attacks via the build system
Protecting your organization against attacks via the build systemLouis Jacomet
 
Nareshkumar_CV
Nareshkumar_CVNareshkumar_CV
Nareshkumar_CVNaresh Kumar
 
2016-08-29 AFITC Security Automation
2016-08-29 AFITC Security Automation2016-08-29 AFITC Security Automation
2016-08-29 AFITC Security AutomationShawn Wells
 
2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy
2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy
2015-06-25 Red Hat Summit 2015 - Security Compliance Made EasyShawn Wells
 
Network Security Open Source Software Developer Certification
Network Security Open Source Software Developer CertificationNetwork Security Open Source Software Developer Certification
Network Security Open Source Software Developer CertificationVskills
 
Resume
ResumeResume
Resumeroopajaganoor
 
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...GlobalLogic Ukraine
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingNull Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingRomansh Yadav
 
Android Secure Coding
Android Secure CodingAndroid Secure Coding
Android Secure CodingJPCERT Coordination Center
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileOleg Gryb
 
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Márcio Rosa
 
2014-07-31 customer convergence applied scap
2014-07-31 customer convergence applied scap2014-07-31 customer convergence applied scap
2014-07-31 customer convergence applied scapShawn Wells
 
Build Time Hacking
Build Time HackingBuild Time Hacking
Build Time HackingMohammed Tanveer
 
Evaluating container security with ATT&CK Framework
Evaluating container security with ATT&CK FrameworkEvaluating container security with ATT&CK Framework
Evaluating container security with ATT&CK FrameworkSandeep Jayashankar
 
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...BlueHat Security Conference
 
Purnima
PurnimaPurnima
PurnimaPurnima V
 
Mobile security part 2
Mobile security part 2Mobile security part 2
Mobile security part 2Romansh Yadav
 
Java Exploit Analysis .
Java Exploit Analysis .Java Exploit Analysis .
Java Exploit Analysis .Rahul Sasi
 
The Continuous Delivery toolstack for embedded Java af Leif Sørensen, Praqma
The Continuous Delivery toolstack for embedded Java af Leif Sørensen, PraqmaThe Continuous Delivery toolstack for embedded Java af Leif Sørensen, Praqma
The Continuous Delivery toolstack for embedded Java af Leif Sørensen, PraqmaInfinIT - Innovationsnetværket for it
 
Oleksandr Valetskyy - Become a .NET dependency injection ninja with Ninject
Oleksandr Valetskyy - Become a .NET dependency injection ninja with NinjectOleksandr Valetskyy - Become a .NET dependency injection ninja with Ninject
Oleksandr Valetskyy - Become a .NET dependency injection ninja with NinjectOleksandr Valetskyy
 
Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline SecurityJames Wickett
 
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar NikaleAgile Testing Alliance
 

More Related Content

What's hot

Protecting your organization against attacks via the build system
Protecting your organization against attacks via the build systemProtecting your organization against attacks via the build system
Protecting your organization against attacks via the build systemLouis Jacomet
 
2016-08-29 AFITC Security Automation
2016-08-29 AFITC Security Automation2016-08-29 AFITC Security Automation
2016-08-29 AFITC Security AutomationShawn Wells
 
2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy
2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy
2015-06-25 Red Hat Summit 2015 - Security Compliance Made EasyShawn Wells
 
Network Security Open Source Software Developer Certification
Network Security Open Source Software Developer CertificationNetwork Security Open Source Software Developer Certification
Network Security Open Source Software Developer CertificationVskills
 
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...GlobalLogic Ukraine
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingNull Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingRomansh Yadav
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileOleg Gryb
 
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Márcio Rosa
 
2014-07-31 customer convergence applied scap
2014-07-31 customer convergence applied scap2014-07-31 customer convergence applied scap
2014-07-31 customer convergence applied scapShawn Wells
 
Evaluating container security with ATT&CK Framework
Evaluating container security with ATT&CK FrameworkEvaluating container security with ATT&CK Framework
Evaluating container security with ATT&CK FrameworkSandeep Jayashankar
 
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...BlueHat Security Conference
 
Mobile security part 2
Mobile security part 2Mobile security part 2
Mobile security part 2Romansh Yadav
 
Java Exploit Analysis .
Java Exploit Analysis .Java Exploit Analysis .
Java Exploit Analysis .Rahul Sasi
 
The Continuous Delivery toolstack for embedded Java af Leif Sørensen, Praqma
The Continuous Delivery toolstack for embedded Java af Leif Sørensen, PraqmaThe Continuous Delivery toolstack for embedded Java af Leif Sørensen, Praqma
The Continuous Delivery toolstack for embedded Java af Leif Sørensen, PraqmaInfinIT - Innovationsnetværket for it
 
Oleksandr Valetskyy - Become a .NET dependency injection ninja with Ninject
Oleksandr Valetskyy - Become a .NET dependency injection ninja with NinjectOleksandr Valetskyy - Become a .NET dependency injection ninja with Ninject
Oleksandr Valetskyy - Become a .NET dependency injection ninja with NinjectOleksandr Valetskyy
 

What's hot (20)

Protecting your organization against attacks via the build system
Protecting your organization against attacks via the build systemProtecting your organization against attacks via the build system
Protecting your organization against attacks via the build system
 
Nareshkumar_CV
Nareshkumar_CVNareshkumar_CV
Nareshkumar_CV
 
2016-08-29 AFITC Security Automation
2016-08-29 AFITC Security Automation2016-08-29 AFITC Security Automation
2016-08-29 AFITC Security Automation
 
2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy
2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy
2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy
 
Network Security Open Source Software Developer Certification
Network Security Open Source Software Developer CertificationNetwork Security Open Source Software Developer Certification
Network Security Open Source Software Developer Certification
 
Resume
ResumeResume
Resume
 
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingNull Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
 
Android Secure Coding
Android Secure CodingAndroid Secure Coding
Android Secure Coding
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security Agile
 
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
 
2014-07-31 customer convergence applied scap
2014-07-31 customer convergence applied scap2014-07-31 customer convergence applied scap
2014-07-31 customer convergence applied scap
 
Build Time Hacking
Build Time HackingBuild Time Hacking
Build Time Hacking
 
Evaluating container security with ATT&CK Framework
Evaluating container security with ATT&CK FrameworkEvaluating container security with ATT&CK Framework
Evaluating container security with ATT&CK Framework
 
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...
 
Purnima
PurnimaPurnima
Purnima
 
Mobile security part 2
Mobile security part 2Mobile security part 2
Mobile security part 2
 
Java Exploit Analysis .
Java Exploit Analysis .Java Exploit Analysis .
Java Exploit Analysis .
 
The Continuous Delivery toolstack for embedded Java af Leif Sørensen, Praqma
The Continuous Delivery toolstack for embedded Java af Leif Sørensen, PraqmaThe Continuous Delivery toolstack for embedded Java af Leif Sørensen, Praqma
The Continuous Delivery toolstack for embedded Java af Leif Sørensen, Praqma
 
Oleksandr Valetskyy - Become a .NET dependency injection ninja with Ninject
Oleksandr Valetskyy - Become a .NET dependency injection ninja with NinjectOleksandr Valetskyy - Become a .NET dependency injection ninja with Ninject
Oleksandr Valetskyy - Become a .NET dependency injection ninja with Ninject
 

Similar to Implementing Secure DevOps on Public Cloud Platforms

Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline SecurityJames Wickett
 
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar NikaleAgile Testing Alliance
 
Vulnex app secusa2013
Vulnex app secusa2013Vulnex app secusa2013
Vulnex app secusa2013drewz lin
 
AppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsAppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsCheckmarx
 
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Mobodexter
 
BUILDING A CONTINUOUSLY INTEGRATING SYSTEM WITH HIGH SAFETY
BUILDING A CONTINUOUSLY INTEGRATING SYSTEM WITH HIGH SAFETYBUILDING A CONTINUOUSLY INTEGRATING SYSTEM WITH HIGH SAFETY
BUILDING A CONTINUOUSLY INTEGRATING SYSTEM WITH HIGH SAFETYIJNSA Journal
 
Top 5 DevSecOps Tools- You Need to Know About
Top 5 DevSecOps Tools- You Need to Know AboutTop 5 DevSecOps Tools- You Need to Know About
Top 5 DevSecOps Tools- You Need to Know AboutDev Software
 
OWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideOWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideAryan G
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security AgileOleg Gryb
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOpsBlack Duck by Synopsys
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDJames Wickett
 
Devops phase-1
Devops phase-1Devops phase-1
Devops phase-1G R VISHAL
 
Making Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybMaking Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybSeniorStoryteller
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD PipelineJames Wickett
 
DevSecOps | DevOps Sec
DevSecOps | DevOps SecDevSecOps | DevOps Sec
DevSecOps | DevOps SecRubal Jain
 
devops ppt for hjs jsdjhjd hsdbusinees.pptx
devops ppt for hjs jsdjhjd hsdbusinees.pptxdevops ppt for hjs jsdjhjd hsdbusinees.pptx
devops ppt for hjs jsdjhjd hsdbusinees.pptxDeepakgupta273447
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineThe DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineJames Wickett
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps TransformationMichele Chubirka
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon
 

Similar to Implementing Secure DevOps on Public Cloud Platforms (20)

Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline Security
 
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
 
Vulnex app secusa2013
Vulnex app secusa2013Vulnex app secusa2013
Vulnex app secusa2013
 
AppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsAppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOps
 
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
 
BUILDING A CONTINUOUSLY INTEGRATING SYSTEM WITH HIGH SAFETY
BUILDING A CONTINUOUSLY INTEGRATING SYSTEM WITH HIGH SAFETYBUILDING A CONTINUOUSLY INTEGRATING SYSTEM WITH HIGH SAFETY
BUILDING A CONTINUOUSLY INTEGRATING SYSTEM WITH HIGH SAFETY
 
Top 5 DevSecOps Tools- You Need to Know About
Top 5 DevSecOps Tools- You Need to Know AboutTop 5 DevSecOps Tools- You Need to Know About
Top 5 DevSecOps Tools- You Need to Know About
 
OWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideOWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference Guide
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOps
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CD
 
Devops phase-1
Devops phase-1Devops phase-1
Devops phase-1
 
Making Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybMaking Security Agile - Oleg Gryb
Making Security Agile - Oleg Gryb
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
 
DevSecOps | DevOps Sec
DevSecOps | DevOps SecDevSecOps | DevOps Sec
DevSecOps | DevOps Sec
 
devops ppt for hjs jsdjhjd hsdbusinees.pptx
devops ppt for hjs jsdjhjd hsdbusinees.pptxdevops ppt for hjs jsdjhjd hsdbusinees.pptx
devops ppt for hjs jsdjhjd hsdbusinees.pptx
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineThe DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD Pipeline
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps Transformation
 
Coverity Data Sheet
Coverity Data SheetCoverity Data Sheet
Coverity Data Sheet
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
 

More from Gaurav "GP" Pal

stackArmor - FedRAMP and 800-171 compliant cloud solutions
stackArmor - FedRAMP and 800-171 compliant cloud solutionsstackArmor - FedRAMP and 800-171 compliant cloud solutions
stackArmor - FedRAMP and 800-171 compliant cloud solutionsGaurav "GP" Pal
 
stackArmor - FedRAMP and 800-171 compliant cloud solutions
stackArmor - FedRAMP and 800-171 compliant cloud solutionsstackArmor - FedRAMP and 800-171 compliant cloud solutions
stackArmor - FedRAMP and 800-171 compliant cloud solutionsGaurav "GP" Pal
 
stackArmor Security MicroSummit - Next Generation Firewalls for AWS
stackArmor Security MicroSummit - Next Generation Firewalls for AWSstackArmor Security MicroSummit - Next Generation Firewalls for AWS
stackArmor Security MicroSummit - Next Generation Firewalls for AWSGaurav "GP" Pal
 
stackArmor - Security MicroSummit - McAfee
stackArmor - Security MicroSummit - McAfeestackArmor - Security MicroSummit - McAfee
stackArmor - Security MicroSummit - McAfeeGaurav "GP" Pal
 
stackArmor MicroSummit - Niksun Network Monitoring - DPI
stackArmor MicroSummit - Niksun Network Monitoring - DPIstackArmor MicroSummit - Niksun Network Monitoring - DPI
stackArmor MicroSummit - Niksun Network Monitoring - DPIGaurav "GP" Pal
 
stackArmor Security MicroSummit - AWS Security with Splunk
stackArmor Security MicroSummit - AWS Security with SplunkstackArmor Security MicroSummit - AWS Security with Splunk
stackArmor Security MicroSummit - AWS Security with SplunkGaurav "GP" Pal
 
Rapid deployment of Sitecore on AWS
Rapid deployment of Sitecore on AWSRapid deployment of Sitecore on AWS
Rapid deployment of Sitecore on AWSGaurav "GP" Pal
 
Secured Hosting of PCI DSS Compliant Web Applications on AWS
Secured Hosting of PCI DSS Compliant Web Applications on AWSSecured Hosting of PCI DSS Compliant Web Applications on AWS
Secured Hosting of PCI DSS Compliant Web Applications on AWSGaurav "GP" Pal
 
FGMC - Managed Data Platform - CloudDC Meetup
FGMC - Managed Data Platform - CloudDC MeetupFGMC - Managed Data Platform - CloudDC Meetup
FGMC - Managed Data Platform - CloudDC MeetupGaurav "GP" Pal
 
stackArmor presentation for DevOpsDC ver 4
stackArmor presentation for DevOpsDC ver 4stackArmor presentation for DevOpsDC ver 4
stackArmor presentation for DevOpsDC ver 4Gaurav "GP" Pal
 
AWS Frederick Meetup 07192016
AWS Frederick Meetup 07192016AWS Frederick Meetup 07192016
AWS Frederick Meetup 07192016Gaurav "GP" Pal
 
DevOps for ETL processing at scale with MongoDB, Solr, AWS and Chef
DevOps for ETL processing at scale with MongoDB, Solr, AWS and ChefDevOps for ETL processing at scale with MongoDB, Solr, AWS and Chef
DevOps for ETL processing at scale with MongoDB, Solr, AWS and ChefGaurav "GP" Pal
 
AWS Security Best Practices, SaaS and Compliance
AWS Security Best Practices, SaaS and ComplianceAWS Security Best Practices, SaaS and Compliance
AWS Security Best Practices, SaaS and ComplianceGaurav "GP" Pal
 
Big Data - Accountability Solutions for Public Sector Programs
Big Data - Accountability Solutions for Public Sector ProgramsBig Data - Accountability Solutions for Public Sector Programs
Big Data - Accountability Solutions for Public Sector ProgramsGaurav "GP" Pal
 
2013 11-06 adopting aws at scale - lessons from the trenches
2013 11-06 adopting aws at scale - lessons from the trenches2013 11-06 adopting aws at scale - lessons from the trenches
2013 11-06 adopting aws at scale - lessons from the trenchesGaurav "GP" Pal
 
DevOps in the Amazon Cloud – Learn from the pioneersNetflix suro
DevOps in the Amazon Cloud – Learn from the pioneersNetflix suroDevOps in the Amazon Cloud – Learn from the pioneersNetflix suro
DevOps in the Amazon Cloud – Learn from the pioneersNetflix suroGaurav "GP" Pal
 
Enterprise transformation with cloud computing Jan 2014
Enterprise transformation with cloud computing Jan 2014Enterprise transformation with cloud computing Jan 2014
Enterprise transformation with cloud computing Jan 2014Gaurav "GP" Pal
 

More from Gaurav "GP" Pal (19)

stackArmor - FedRAMP and 800-171 compliant cloud solutions
stackArmor - FedRAMP and 800-171 compliant cloud solutionsstackArmor - FedRAMP and 800-171 compliant cloud solutions
stackArmor - FedRAMP and 800-171 compliant cloud solutions
 
stackArmor - FedRAMP and 800-171 compliant cloud solutions
stackArmor - FedRAMP and 800-171 compliant cloud solutionsstackArmor - FedRAMP and 800-171 compliant cloud solutions
stackArmor - FedRAMP and 800-171 compliant cloud solutions
 
stackArmor Security MicroSummit - Next Generation Firewalls for AWS
stackArmor Security MicroSummit - Next Generation Firewalls for AWSstackArmor Security MicroSummit - Next Generation Firewalls for AWS
stackArmor Security MicroSummit - Next Generation Firewalls for AWS
 
stackArmor - Security MicroSummit - McAfee
stackArmor - Security MicroSummit - McAfeestackArmor - Security MicroSummit - McAfee
stackArmor - Security MicroSummit - McAfee
 
stackArmor MicroSummit - Niksun Network Monitoring - DPI
stackArmor MicroSummit - Niksun Network Monitoring - DPIstackArmor MicroSummit - Niksun Network Monitoring - DPI
stackArmor MicroSummit - Niksun Network Monitoring - DPI
 
stackArmor Security MicroSummit - AWS Security with Splunk
stackArmor Security MicroSummit - AWS Security with SplunkstackArmor Security MicroSummit - AWS Security with Splunk
stackArmor Security MicroSummit - AWS Security with Splunk
 
Magento Hosting on AWS
Magento Hosting on AWS Magento Hosting on AWS
Magento Hosting on AWS
 
Rapid deployment of Sitecore on AWS
Rapid deployment of Sitecore on AWSRapid deployment of Sitecore on AWS
Rapid deployment of Sitecore on AWS
 
Secured Hosting of PCI DSS Compliant Web Applications on AWS
Secured Hosting of PCI DSS Compliant Web Applications on AWSSecured Hosting of PCI DSS Compliant Web Applications on AWS
Secured Hosting of PCI DSS Compliant Web Applications on AWS
 
FGMC - Managed Data Platform - CloudDC Meetup
FGMC - Managed Data Platform - CloudDC MeetupFGMC - Managed Data Platform - CloudDC Meetup
FGMC - Managed Data Platform - CloudDC Meetup
 
stackArmor presentation for DevOpsDC ver 4
stackArmor presentation for DevOpsDC ver 4stackArmor presentation for DevOpsDC ver 4
stackArmor presentation for DevOpsDC ver 4
 
AWS Frederick Meetup 07192016
AWS Frederick Meetup 07192016AWS Frederick Meetup 07192016
AWS Frederick Meetup 07192016
 
DevOps for ETL processing at scale with MongoDB, Solr, AWS and Chef
DevOps for ETL processing at scale with MongoDB, Solr, AWS and ChefDevOps for ETL processing at scale with MongoDB, Solr, AWS and Chef
DevOps for ETL processing at scale with MongoDB, Solr, AWS and Chef
 
Hosting Tableau on AWS
Hosting Tableau on AWSHosting Tableau on AWS
Hosting Tableau on AWS
 
AWS Security Best Practices, SaaS and Compliance
AWS Security Best Practices, SaaS and ComplianceAWS Security Best Practices, SaaS and Compliance
AWS Security Best Practices, SaaS and Compliance
 
Big Data - Accountability Solutions for Public Sector Programs
Big Data - Accountability Solutions for Public Sector ProgramsBig Data - Accountability Solutions for Public Sector Programs
Big Data - Accountability Solutions for Public Sector Programs
 
2013 11-06 adopting aws at scale - lessons from the trenches
2013 11-06 adopting aws at scale - lessons from the trenches2013 11-06 adopting aws at scale - lessons from the trenches
2013 11-06 adopting aws at scale - lessons from the trenches
 
DevOps in the Amazon Cloud – Learn from the pioneersNetflix suro
DevOps in the Amazon Cloud – Learn from the pioneersNetflix suroDevOps in the Amazon Cloud – Learn from the pioneersNetflix suro
DevOps in the Amazon Cloud – Learn from the pioneersNetflix suro
 
Enterprise transformation with cloud computing Jan 2014
Enterprise transformation with cloud computing Jan 2014Enterprise transformation with cloud computing Jan 2014
Enterprise transformation with cloud computing Jan 2014
 

Recently uploaded

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 

Recently uploaded (20)

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 

Implementing Secure DevOps on Public Cloud Platforms

  • 1. IMPLEMENTING SECURE DEVOPS ON PUBLIC CLOUD PLATFORMS White Paper stackArmor DevOps Solutions Team This document is provided for informational purposes only. Readers are responsible for making their own independent assessment of the information in this document and any use of products or services, each of which is provided “as is” without warranty of any kind, whether express or implied. This document does not create any warranties, representations, contractual commitments, conditions or assurances. All copyrights and trademarks are acknowledged.
  • 2. 1 Contents Abstract...................................................................................................................................................2 What is Secure DevOps or SecDevOps?..................................................................................................2 Implementing a CI/CD Security Process..................................................................................................2 Develop Code......................................................................................................................................3 Commit Code to CI/CD........................................................................................................................3 Tools for a Secure DevOps Pipeline ........................................................................................................4 YASCA Static Code Analysis.................................................................................................................4 Yasca Severity Levels.......................................................................................................................4 SonarQube ..........................................................................................................................................4 Yasca-SonarQube Severity Mapping...............................................................................................4 Yasca Sample Reports.....................................................................................................................5 HPE Fortify Static Code Analyzer (SCA)...............................................................................................6 Fortify Severity Levels.....................................................................................................................6 Fortify-SonarQube Severity Mapping .............................................................................................6 Fortify Sample Reports....................................................................................................................7 Nessus.................................................................................................................................................9 OpenSCAP ...........................................................................................................................................9 OpenSCAP Severity Levels) .............................................................................................................9 OpenSCAP-SonarQube Severity Mapping.......................................................................................9 OpenSCAP Sample Report.............................................................................................................10 ClamAV..............................................................................................................................................10 Windows Defender ...........................................................................................................................10 Conclusion.............................................................................................................................................11 About stackArmor.................................................................................................................................11 Resources..............................................................................................................................................11
  • 3. 2 Abstract Businesses are looking to accelerate the delivery of production quality software with fewer defects, and better security. Continuous Integration/Continuous Deployment (CI/CD) also known as DevOps is a rapidly maturing practice for reducing the time and effort it takes to test and deploy code into production. The rapid automation of the integration and deployment activities is common especially on cloud-based platforms. Adding security testing into the DevOps pipeline can help address the needs of regulated, compliance and public sector focused organizations. This white paper describes the use of open source technologies and commercial packages to design and deploy a Secure DevOps pipeline. Tools such as Yasca, SonarQube, and OpenSCAP amongst others when integrated with vulnerability scanners such as Tenable Nessus, HP Fortify and others provide a robust SecDevOps implementation. What is Secure DevOps or SecDevOps? Secure DevOps is the integration of security scans and reviews as part of the application development and deployment process. The figure on the right shows a high- level view of a CI/CD Environment. The CI/CD or DevOps pipeline includes common enabling components such as Jenkins, Nexus, Chef and SonarQube amongst others. This white paper is primarily focused on the security aspects of DevOps and therefore does not go into the details of a DevOps pipeline. Implementing a CI/CD Security Process The CI/CD or DevOps Security lifecycle begins with code development and integration. As the code is committed for deployment, the CI/CD security processes are activated. Common action items including static code analysis, vulnerability scanning, anti-virus scans and other similar integrity functions. The results from the security scans are provided to project management and the Chief Information Security Officer (CISO) within the organization.
  • 4. 3 Figure: CI/CD Security Processes integrating within the overall code deployment and integration processes as an integral part of the overall pipeline Key aspects of the CI/CD security pipeline are described in greater detail below. Develop Code Development is performed on an independent virtual machine (VM) within the CI/CD environment by the application development teams. In order to comply with NIST requirements for applying secure engineering principles, application developers should utilize code analysis utilities to ensure safe coding practices are followed. Project teams should leverage code analysis utilities as early as possible in the development lifecycle. By leveraging code analysis capabilities, and correcting identified issues prior to submission to the formal Security process, the project will experience fewer delays and incidents of rework due to flaws and other security concerns. At a minimum, code analysis should be performed as code modules are completed, but it is not necessary for modules to be completely finished for code review to be useful. Any supported language source file can be individually scanned or scanned within a directory along with other source files. Commit Code to CI/CD As application code is committed to the CI/CD branch in the git repository CI/CD performs a security review utilizing automated static code analysis tools. The commit step formally triggers the security checks and scans are described in greater detail below.
  • 5. 4 Tools for a Secure DevOps Pipeline SecDevOps includes the execution of automated scanning tools and manual security reviews of results by the Security Team in order to facilitate the application deployment process. YASCA Static Code Analysis Yasca is a static source code analysis tool that performs a number of tests to identify actual and potential coding issues, to include those identified in the OWASP Top 10 listed in Section 3. It should be noted that Yasca, an open source tool is only one of tools to support secure coding practices. Other code analysis tools include HP Fortify, IBM AppScan, and others. Yasca utilizes individual plugins to perform scanning of targeted files. The Yasca implementation may include the following plugins (depending on the development environment): • Grep Plugin. Uses external GREPfiles to scan target files for simple patterns. • PMD Plugin. Uses PMD to parse and scan Java (and JSP) source code for issues. • JLint Plugin. Uses J-Lint to scan Java .class files for issues. • antiC Plugin. Uses antiC to scan Java and C/C++ source code for issues. • FindBugs Plugin. Uses FIndBugs to scan Java class and Jar files for issues. • Lint4J Plugin. Uses Lint4J to scan Java .class files for issues. Yasca Severity Levels Yasca plugins implement five (5) severity levels: • 1 – Critical • 2 – High • 3 – Warning • 4 – Low • 5 – Informational When code has been committed to the CI/CD Git repository the associated Jenkins job builds the code base. The Jenkins build invokes a Yasca scan of the committed code, which creates a Yasca report in HTML format as well as CSV format. The Yasca results CSV file is further processed and formatted into an xml document. After the Yasca file is processed, Sonar Scanner is invoked to analyze the created XML file using custom rules to map the Yasca results into the SonarQube dashboard. SonarQube SonarQube (formerly known as Sonar) is an open source tool suite to measure and analyse to quality of source code. SonarQube provides reporting and management oversight for the CISO and Security team to collect and monitor security issues as part of the CI/CD pipeline. Yasca-SonarQube Severity Mapping SonarQube implements five (5) severity levels: • Blocker • Critical • Major • Minor • Info Yasca severity levels are mapped to SonarQube severity levels in accordance with the table below:
  • 6. 5 Yasca Severity Level SonarQube Severity Level 1 – Critical Blocker 2 – High Critical 3 – Warning Major 4 – Low Minor 5 – Informational Info Yasca Sample Reports Once the mappings are established, Yasca scans performed as part of the CI/CD build process are configured to generate a detailed report of findings and piped into SonarQube. An example of a Yasca report finding is shown. CSV formatted reports are condensed versions providing Finding #, Plugin Name, Severity, Location, and Message fields. These CSV files are converted to an XML file that is imported to SonarQube. An example SonarQube report is provided below.
  • 7. 6 HPE Fortify Static Code Analyzer (SCA) Depending on the security needs of the organization additional security checks can be added. Commercial packages such as HPE Fortify Static Code Analyzer (SCA) provide static application security testing (SAST). It is used to analyse the source code of an application for security vulnerabilities. It reviews code and helps developers identify and resolve issues during development and testing. Fortify Severity Levels Fortify SCA implements four (4) severity levels: • Critical • High • Medium • Low Fortify-SonarQube Severity Mapping SonarQube implements five (5) severity levels: • Blocker • Critical • Major • Minor • Info Fortify severity levels are mapped to SonarQube severity levels in accordance with the table below:
  • 8. 7 Fortify Severity Level SonarQube Severity Level Critical Blocker High Critical Medium Major Low Minor -- Info Fortify Sample Reports By default HPE Fortify SCA natively produces a proprietary result file with an FPR extension. Fortify SCA may also be configured to produce a text (TXT) or an xml-based FVDL file. Fortify SCA also provides a Report Generator utility to produce PDF or XML files. For issues related to the flow of data, Fortify identifies a Source, the code that collects and sends input, and a Sink, the code that receives/processes the input. An example of the PDF report is shown below:
  • 9. 8 An example of the HTML Summary Report is shown below:
  • 10. 9 Nessus Nessus Vulnerability Scanner is a vulnerability scanner by Tenable. Nessus identifies system vulnerabilities, missing patches, and non-compliant system configurations. Scans can be performed on a periodic basis and the results are to the CI/CD Project Manager. Consistent with the DevOps culture, the application development teams are responsible for mitigating findings related to hosted applications. The CI/CD team is responsible for mitigating findings related to the underlying platform (OS, Database, Web Server). The CI/CD team coordinates with application development teams and/or the security team to address platform findings that may affect hosted applications. OpenSCAP OSCAP utilizes XCCDF checklist profiles to evaluate system configurations for the operating system against an established checklist profile. The CI/CD pipeline utilizes OSCAP to evaluate the system configurations for the instances supporting the CI/CD development pipeline. OpenSCAP Severity Levels OpenSCAP implements four (4) severity levels: • High • Medium • Low • Other OpenSCAP-SonarQube Severity Mapping SonarQube implements five (5) severity levels: • Blocker • Critical • Major • Minor • Info OpenSCAP severity levels are mapped to SonarQube severity levels in accordance with the table below: OpenSCAP Severity Level SonarQube Severity Level High Blocker Critical Medium Major Low Minor Other Info
  • 11. 10 OpenSCAP Sample Report ClamAV ClamAV is an antivirus scanner for Linux operating systems. ClamAV will be installed on Linux servers supporting application development. ClamAV is configured to scan local directories and files for known malicious code on a nightly schedule. The application development teams are responsible for mitigating findings related to hosted applications. The CI/CD team is responsible for mitigating findings related to the underlying platform (OS, Database, Web Server). Windows Defender Windows Defender is an antivirus scanner for Windows operating systems. Windows Defender will be configured on Windows servers and workstations supporting application development. Windows
  • 12. 11 Defender is configured to scan local directories and files for known malicious code on a nightly schedule. The application development teams are responsible for mitigating findings related to hosted applications. The CI/CD team is responsible for mitigating findings related to the underlying platform (OS, Database, Web Server). Conclusion The rapid adoption of cloud platforms such as Amazon Web Services (AWS) and use of Continuous Integration/Continuous Deployment (CI/CD) practices presents a unique opportunity to deliver more secure code by integrating security practices into the pipeline. There is a wide variety of open source and commercial tools that allow the creation SecDevOps pipelines that assist with the security and information assurance function. By integrating the performance of security testing and scanning as part of the build and deploy process, SecDevOps allows the ability to deliver Continuous Information Assurance. About stackArmor stackArmor is a AWS Certified partner with experienced cybersecurity and AWS solution architects with an experience deploying compliant applications for Healthcare, Financial Services, Public Sector, Department of Defense and Commercial customers including Non-profits. We help customers in the following areas: • AWS Cloud Architecture and Migration Services • DevOps and Automation Architecture and Implementation Services • AWS Managed Services and Cloud Operations • AWS Value-Added Resale and Hosting Support Services • Cybersecurity Compliance and Penetration Scanning Services Additionally, we have an out-of-the-box solution - stackArmor StackBuilderTM is a “Turbo Tax” like wizard for helping application owners quickly configure a fully functional AWS environment. The wizard walks the user through a series of simple questions through a 5 step process. Upon submission of the request, the user is presented with login credentials to a fully configured and operational environment ready to go. StackBuilderTM provides a rich and easy to use consumer-grade experience for non-technical users to jumpstart their projects by answering a series of simple questions. StackBuilder’s intelligent provisioning and capacity estimation engine leverages the rich set of services provided by the AWS cloud platform including wide variety of EC2 instances, Virtual Private Cloud (VPC), Auto Scaling Groups, Clustering and Elastic Load Balancers (ELB) amongst others. The user of StackBuilderTM does not have to go through the various steps associated with configuring and setting up the AWS infrastructure as they are handled automatically. This allows the user to focus on his project without waiting for costly consultants or the need for cloud infrastructure expertise. Please contact us at solutions@stackarmor.com or call at 888-964-1644. Resources 1. White paper on Cloud Security Best Practices and Common Errors. https://www.stackarmor.com/resources/