Outcomes

 

Integrating Security Tools in the SDL using OWASP DevSecOps Studio

View the original Working Session content
 

Outcomes

After a discussion of DevSecOps and its history and motivations, participants were introduced to OWASP DevSecOps Studio. This included the following topics:

  • Benefits of Integrating security tools in SDL
  • CI/CD and security tools
  • Different challenges involved while integration
  • Using DevSecOps Studio to do hands-on exercise with open source projects

Synopsis and Takeaways

Integrating security tools in the software development lifecycle ensures appropriate protection for all the information that the system will transmit, process, and store.

Typical Security Activities in DevOps:

  • Plan
    • Threat Modelling
    • ASVS
  • Code
    • Git Secrets
    • Dependency scanning
  • Build
    • Dependency scanning
    • SAST
    • Security Unit Tests
    • Git Secrets scanning
    • Component scanning
  • Test
    • ZAP testing - baseline
    • Container Scanning
    • Modsecurity CRS
  • Release
    • Docker/Third Party
    • SSL scanning
    • Nikto/dirbuster
    • WPScan/JoomScan
    • ZAP + selenium + python
    • Component scanning
  • Deploy
    • Docker Benchmark
    • System Hardening
    • Application Hardening
  • Operate
    • Compliance as code
    • SOC with ELK
    • Verify Controls

OWASP DevSecOps Studio:

DevSecOps Studio project aims to reduce the time to bootstrap the environment and help you in concentrating on learning/teaching DevSecOps practices.

The Benefits of DevSecOps Studio

  • Easy to setup environment - takes only a few minutes to setup and start with just one command (“vagrant up”)
  • Free & Open Source Software - this project is free and open software to help more people learn about DevSecOps
  • Reproducible - the aim of this project is to setup a reproducible DevSecOps Lab environment for learning and testing different tools

Some of the Python Security Tools discussed:

  • SAST: Bandit
  • DAST: ZAP Proxy
  • Hardening: Ansible
  • Compliance: Inspect
  • Git Secrets: Trufflehog

DevSecOps Studio Setup

DevSecOps Studio uses vagrant, virtualbox and ansible to setup the lab environment. You can visit the vendor’s website to download the above software for on Windows/Linux/macOS.

Install Vagrant, Virtualbox, Ansible and follow the below steps.

References

Additional/External References

Session organiser(s)

Imran Mohammed A Imran Mohammed A

Participants

Francois Raynaud Francois Raynaud , Timo Pagel Timo Pagel , Jim Newman Jim Newman , Orid Ahmed Orid Ahmed , Russell Coleman Russell Coleman , Alex Chapman Alex Chapman , Abhinav Sejpal Abhinav Sejpal , Avi Douglen Avi Douglen , Dominik de Smit Dominik de Smit , John DiLeo John DiLeo , Jonas Vanalderweireldt Jonas Vanalderweireldt , Luis Saiz Luis Saiz , Mark Stickley Mark Stickley , Ruben Tronçon Ruben Tronçon , Sotiraki Sima Sotiraki Sima , Tanya Janca Tanya Janca Andrew Martin Andrew Martin , Cao Wei Cao Wei , Domenico Malorni Domenico Malorni , Ernesto Bethencourt Ernesto Bethencourt , Harmeet Singh Harmeet Singh , MrsYisWhy MrsYisWhy , Sophie Tonnoir Sophie Tonnoir , Sugumaran Uppili Sugumaran Uppili , Vinod Anandan Vinod Anandan

Attached materials: