DevOps and Security - DevSecOps

[monperrus]

Wikipedia references:

• https://en.wikipedia.org/wiki/Information_security
• https://en.wikipedia.org/wiki/Information_security_audit
• https://en.wikipedia.org/wiki/Attribute-based_access_control
• https://en.wikipedia.org/wiki/Penetration_test
• https://en.wikipedia.org/wiki/Intrusion_detection_system
• https://en.wikipedia.org/wiki/Runtime_application_self-protection
• https://en.wikipedia.org/wiki/Dynamic_application_security_testing
• https://en.wikipedia.org/wiki/Supply_chain_attack

[monperrus]

Principles:

• Complete Mediation Principle (useful for APIs)
• Least privileged

[monperrus]

Intrusion detection: https://en.wikipedia.org/wiki/Intrusion_detection_system

(signature based, anomaly detection)

[monperrus]

Very good set of pointers: https://www.sqreen.io/checklists/devops-security-checklist

[sbuc]

Mapping security design principles to devops on one axis, mapping security concepts/mechanisms to devops on another.

[lsc]

Dynamic and short lived secrets for authorisation, see for example AWS IAM Roles are implemented or Hashicorp Vault.

[monperrus]

Open Source: Simplifying Serverless Secrets
https://open.nytimes.com/open-source-simplifying-serverless-secrets-in-google-cloud-a95451e545b1

[bbaudry]

Vault and kubernetes
https://github.com/kelseyhightower/vault-on-google-kubernetes-engine

[monperrus]

CI/CD enables automated program hardening:

Operating system protection through program evolution, Fred Cohen, 1993

[monperrus]

Check your repos... Crypto-coin-stealing code sneaks into fairly popular NPM lib (2m downloads per week)
https://www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_stealer/

[monperrus]

7 Tips for Container and Kubernetes Security
http://lxer.com/module/newswire/ext_link.php?rid=264809

[gluckzhang]

Microservices Hierarchy of Needs
KUBERNETES: AN OVERVIEW (This is a nice introduction to Kubernetes architecture and advantages)

[monperrus]

On The Relation Between Outdated Docker Containers, Severity Vulnerabilities and Bugs.
http://arxiv.org/abs/1811.12874

[bbaudry]

Reproducible builds
https://reproducible-builds.org/

[monperrus]

added wikipedia references in the top post of this thread.

[monperrus]

Security standards: NIST800 53, ISO27000

[monperrus]

Super Secret Dynamic Secrets with Vault
https://tech.gogoair.com/super-secret-dynamic-secrets-with-vault-cf6f29fefc8f

[monperrus]

Vault
http://vaultproject.io

[monperrus]

InSpec
https://www.inspec.io

[monperrus]

On the Relation between Outdated Docker Containers, Severity Vulnerabilities, and Bugs.
https://arxiv.org/pdf/1811.12874

[monperrus]

On the Impact of Outdated and Vulnerable Javascript Packages in Docker Images.
https://ieeexplore.ieee.org/abstract/document/8667984/

[monperrus]

Kubernetes security: 5 mistakes to avoid
https://enterprisersproject.com/article/2019/5/kubernetes-security-5-mistakes

[bbaudry]

security for containers
https://github.com/coreos/clair

[gluckzhang]

Two interesting papers on container security / vulnerabilities analysis:

• ConPan: a tool to analyze packages in software containers. MSR 2019: 592-596
• On the Relation between Outdated Docker Containers, Severity Vulnerabilities, and Bugs. SANER 2019: 491-501

[monperrus]

The Three Rs of Enterprise Security: Rotate, Repave, and Repair
https://builttoadapt.io/the-three-r-s-of-enterprise-security-rotate-repave-and-repair-f64f6d6ba29d

[bbaudry]

A framework to secure the integrity of software supply chains
https://in-toto.io/
https://github.com/in-toto/in-toto/

[bbaudry]

DoD Enterprise DevSecOps Reference Design

[monperrus]

Attack graph generation for microservice architecture
https://www.researchgate.net/profile/Amjad_Ibrahim/publication/332814067_Attack_graph_generation_for_microservice_architecture/links/5ccd8a30299bf14d9576f2f5/Attack-graph-generation-for-microservice-architecture.pdf

[bbaudry]

OWASP ZAP zed attack proxy
https://www.zaproxy.org/

[monperrus]

FYI, added https://en.wikipedia.org/wiki/Dynamic_application_security_testing to the reference list of wikipedia pages at the top.

[monperrus]

Vuln4Real: A Methodology for Counting Actually Vulnerable Dependencies IEEE TSE 2022

[bbaudry]

signing, verifying and protecting software
https://www.sigstore.dev/

[bbaudry]

It’s Time to Get Hip to the SBOM
https://jfrog.com/blog/its-time-to-get-hip-to-the-sbom/

[bbaudry]

Software Supply Chain Best Practices - Linux Foundation

[matsskoglund]

https://docs.gitlab.com/ee/user/application_security/dependency_list/

[monperrus]

What are the Practices for Secret Management in Software Artifacts?. (arXiv:2208.11280v1 [cs.SE])

[bbaudry]

The steady project addresses the OWASP Top 10 security risk A9, Using Components with Known Vulnerabilities
https://projects.eclipse.org/projects/technology.

[monperrus]

Security support in continuous deployment pipeline

[monperrus]

Exploiting devops practices for dependable and secure continuous delivery pipelines

[monperrus]

Vulnerabilities in continuous delivery pipelines? A case study

[monperrus]

SpiceDB is a open source Zanzibar-inspired database that stores, computes, and validates fine grained permissions.
https://authzed.com/spicedb/

[monperrus]

https://github.com/codenotary/cas

cas detects or acts on the following (but not limited to):

• Immutable tagging of source code, builds, and container images with version number, owner, timestamp, organization, trust level, and much more
• Simple and tamper-proof extraction of notarized tags like version number, owner, timestamp, organization, and trust level from any source code, build and container (based on the related image)
• Quickly discover and identify untrusted, revoked or obsolete libraries, builds, and containers in your application
• Detect the launch of an authorized or unknown container immediately
• Prevent untrusted or revoked containers from starting in production
• Verify the integrity and the publisher of all the data received over any channel

and more

• Enable application version checks and actions
• Buggy or rogue libraries can be traced by simple revoke or unsupport
• Revoke or unsupport your build or build version post-deployment (no complex certificate revocation that includes delivery of newly signed builds)
• Stop unwanted containers from being launched
• Make revocation part of the remediation process
• Use revocation without impairing customer environments
• Trace source code to build to deployment by integration into CI/CD or manual workflow
• Tag your applications for specific use cases (alpha, beta - non-commercial aso).

[monperrus]

Google Cloud Key Management
https://cloud.google.com/security-key-management

[monperrus]

OWASP Top 10 CI/CD Security Risks
https://owasp.org/www-project-top-10-ci-cd-security-risks/

[monperrus]

Robbery on DevOps: Understanding and Mitigating Illicit Cryptomining on Continuous Integration Service Platforms
43rd Ieee Symposium On Security And Privacy (Sp 2022)
https://www.xiaojingliao.com/uploads/9/7/0/2/97024238/sp22-devops.pdf

[monperrus]

• SPIFFE – Secure Production Identity Framework for Everyone
• SPIRE is the Runtime Environment
  https://spiffe.io

[bbaudry]

fuzzing curl cli
https://blog.trailofbits.com/2023/02/14/curl-audit-fuzzing-libcurl-command-line-interface/

[monperrus]

SoK: run-time security for cloud microservices. Are we there yet?.

[bbaudry]

A Static Analysis Platform for Investigating Security Trends in Repositories.
http://arxiv.org/abs/2304.01725

[monperrus]

securing the software supply chain with optimized containers specific to your application needs, while automatically reducing vulnerabilities in the process.

https://slim.ai

[monperrus]

Reverse Engineering the Tesla Firmware Update Process
https://www.pentestpartners.com/security-blog/reverse-engineering-the-tesla-firmware-update-process/

[bbaudry]

Scan (skæn) is an open-source security audit tool for modern DevOps teams
https://appthreat.com/en/latest/

[monperrus]

Bitwarden Secrets Manager enables developers, DevOps, and cybersecurity teams to centrally store, manage, and deploy secrets at scale.

https://bitwarden.com/help/secrets-manager-overview/

[bbaudry]

GitGuardian is a developer-first solution scanning GitHub activity in real-time for API secret tokens, database credentials
https://github.com/GitGuardian

[monperrus]

Detecting intrusion with canary tokens
A canary token is a resource that is monitored for access or tampering. Usually, canary tokens come in the form of a URL, file, API key, or email, etc., and trigger alerts whenever someone (presumably an attacker) trips over them.

https://github.com/GitGuardian/ggcanary

[monperrus]

µDetector: Automated Intrusion Detection for Microservices.
SANER 23

[bbaudry]

Securing the Supply Chain for Your Java Applications By Thomas Vitale. Devoxx 2023
https://www.youtube.com/watch?v=ftPFxK8JPNM

[bbaudry]

Where does your software (really) come from?
https://github.blog/2024-04-30-where-does-your-software-really-come-from/