DevSecOps: Automating Security

Christopher J. Hong

The concept of DevSecOps revolves around one goal: integrating security into the development process of a project from the beginning. Traditionally, security has been a layer added on top of development, as a response to issues. Building security into the process saves time and resources, since bugs and security issues are caught early and often. DevSecOps is closely tied to Continuous Integration (CI), a practice with several goals of its own. First, CI aims to keep work organized through version control. Second, CI increases the frequency with which code is pushed to a repository. Last, CI encourages automation of tasks that would normally be performed manually, such as security checks. Combining DevSecOps with CI results in a development process that is fast, efficient, and secure.

The focus of this internship was to create several “pipelines” to support the DevSecOps methodology. Simply put, a pipeline is a series of processes that execute automatically when a change is made in a repository. The pipeline runs its checks, then produces feedback that is used when reviewing the code and making changes. The general flow of events is as follows: the developer writes code and pushes it to a shared repository for collaboration with teammates; the pipeline runs automatically and performs quality checks on the code; the developer examines the pipeline output and makes changes to the code based on it. This process repeats each time the developer pushes code to the repository. The advantage of pipeline use lies in its automation, which saves the time and effort needed to test the project.

Four pipelines were created to support the NCCS Security Working Group in evaluating the security of applications and systems for various use cases. First, a pipeline named Container-Scan focuses on performing quality and security tests on a Docker-containerized application. These tests include dedicated tools for container vulnerability scanning. Second, WebApp-Scan is similar to Container-Scan, but includes tests geared specifically toward testing a container that hosts a web application. Third, System-Scan is a pipeline designed to evaluate the overall security of a computer system from a grey-box perspective. It uses multiple penetration-testing tools to enumerate information from the system. Finally, Black-Box-Scan is a “blind” approach to scanning a system. It uses a wide array of tools to enumerate a system without any prior knowledge of it.
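The two paragraphs above describe the pipeline loop (push, automated checks, feedback, remediation) and the Container-Scan pipeline built on vulnerability scanners. The following is an added example, not code from the internship's pipelines, of the gate stage that sits at the end of such a container scan: it reads a scan report, applies a severity policy, produces the developer-facing feedback lines, and returns the exit status that CI uses to pass or fail the job. The report format and every identifier, package name and version in it are constructed placeholders, not the output of any particular scanner.

```python
"""Gate stage for a container-scan pipeline (hypothetical, added example).

Reads a vulnerability scan report, applies a severity policy, and produces
the pass/fail decision plus developer-readable feedback that a CI job
would print. The report format is a simplified, constructed one, not the
output of any particular scanner.
"""
import json
import sys
from dataclasses import dataclass, field

# Ordering used to compare a finding's severity against the policy threshold.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report; the identifiers, packages and versions are placeholders.
SAMPLE_REPORT = {
    "image": "example-app:1.2.3",
    "findings": [
        {"id": "VULN-EXAMPLE-0001", "package": "libexample-ssl", "installed": "1.0.0",
         "fixed": "1.0.1", "severity": "HIGH"},
        {"id": "VULN-EXAMPLE-0002", "package": "libexample-z", "installed": "2.3.0",
         "fixed": None, "severity": "MEDIUM"},
        {"id": "VULN-EXAMPLE-0003", "package": "example-shell", "installed": "5.0",
         "fixed": "5.1", "severity": "LOW"},
    ],
}


@dataclass
class GateResult:
    passed: bool
    blocking: list = field(default_factory=list)   # findings that fail the build
    deferred: list = field(default_factory=list)   # severe, but no fixed version exists yet
    feedback: list = field(default_factory=list)   # lines shown to the developer


def evaluate_report(report, fail_on="HIGH", require_fix_available=True):
    """Apply the gate policy to a report given as a dict or a JSON string.

    A finding blocks the build when its severity is at or above `fail_on`.
    With `require_fix_available`, a severe finding that has no fixed version
    is reported as deferred instead of blocking, so the build is not stuck
    on an issue the developer cannot remediate yet (it still appears in the
    feedback so it is tracked rather than silently ignored).
    """
    if isinstance(report, str):
        report = json.loads(report)
    threshold = SEVERITY_RANK[fail_on.upper()]
    result = GateResult(passed=True)
    for f in report.get("findings", []):
        sev = f.get("severity", "LOW").upper()
        if SEVERITY_RANK.get(sev, 0) < threshold:
            continue  # below the policy threshold: informational only
        if require_fix_available and not f.get("fixed"):
            result.deferred.append(f)
            result.feedback.append(
                f"DEFER {f['id']} {sev}: {f['package']} {f['installed']} has no fixed version yet")
            continue
        result.blocking.append(f)
        result.feedback.append(
            f"BLOCK {f['id']} {sev}: upgrade {f['package']} {f['installed']} -> {f['fixed']}")
    result.passed = not result.blocking
    result.feedback.append(
        f"image {report.get('image', '?')}: {len(result.blocking)} blocking, "
        f"{len(result.deferred)} deferred, policy fail_on={fail_on.upper()}")
    return result


def gate_exit_code(report, **policy):
    """0 when the gate passes, 1 otherwise; CI treats a non-zero exit as job failure."""
    return 0 if evaluate_report(report, **policy).passed else 1


if __name__ == "__main__":
    # Usage: python gate.py [report.json]; with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            src = json.load(fh)
    else:
        src = SAMPLE_REPORT
    outcome = evaluate_report(src)
    print("\n".join(outcome.feedback))
    sys.exit(0 if outcome.passed else 1)
```

Run against the sample, the HIGH finding with an available fix blocks the build while the MEDIUM one is below the threshold, so the job exits 1 and the feedback tells the developer exactly which package to upgrade; raising `fail_on` to CRITICAL lets the same report pass. The deferred category is the policy decision worth thinking through: it keeps the pipeline from failing every push on an unfixable issue, but a scheduled re-scan is then needed so deferred findings become blocking once a fix ships.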

Based on comparisons between manual review of applications and systems and the automated pipelines, it is determined that using pipelines saves significant amounts of time for developers and security professionals. Additionally, the breadth of the tests performed on the targets by a wide range of tools covers a diverse set of evaluation criteria. This gives users clear insight into their security posture and the steps needed to remediate issues. Lastly, while the scope of their use during this internship was focused on container and system security scanning, the automated pipelines are flexible and highly adaptable to a multitude of situations and use cases.