Saltar para o conteúdo principal

Building Application DevSecOps Pipelines (In Theory)

Author: Damien Burks

Introduction

I want you to always remember: A well-designed DevSecOps pipeline follows the Secure Software Development Life Cycle (SSDLC). Rather than treating security as a separate or final step (SDLC), a DevSecOps pipeline embeds security into every aspect of development, testing, and deployment.

In this section, I'll outline the critical stages a DevSecOps pipeline should have, which will for just application deployment cases.

Stages of a DevSecOps Pipeline

So, I've decided to use Jenkins compared to any other solution, because it's the one that I'm most familiar with. I personally think Jenkinsfile are easiest to read compared to GitLab Runners and GitHub/Gitea Actions files. Therefore, I highly advise you to go through this documentation how to write a Jenkinsfile: Using A Jenkinsfile

Usually, a Jenkins pipeline for DevSecOps typically involves the a variety of stages to build, test, scan, and deploy your application. The outline listed below is sudo code, with an small explanation in each stage to follow:

pipeline {
agent any

stages {
stage('Checkout Code') {
steps {
// Checking out code from Git repository (like GitHub, Gitea, GitLab, etc.)
checkout scm
}
}

stage('Build') {
steps {
// Example: Building the application
// Could also include containerizing the application as well
}
}

stage('Run Application Tests') {
// Example: Running unit tests, acceptance tests, integration tests
// It's usually best to do these in parallel to save time on builds :)
parallel {
stage('Unit Test'){
steps {
}
}
stage('Acceptance Test'){
steps {
}
}
stage('Integration Test'){
steps {
}
}
}
}

stage('Security Scanning') {
parallel {
stage('SAST Scanning'){
steps {
// This stage will run SAST Scanning tests against your code base.
}
}
stage('DAST Scanning'){
steps {
// This stage will run DAST scans against your running application.
// You'll want to ensure you run your app locally and run the solution against it.
}
}
stage('Container Scanning'){
steps {
// This stage would be dependant whether or not you're deploying
// a container to Kubernetes or Docker Swarm (or just plain old Docker).
}
}
stage('Dependency Scanning') {
steps {
// This stage will check your dependencies of you applicatino and
// log any vulnerabilities.
}
}
}
}

stage('Deploy') {
steps {
// Lastly, we will deploy your application. This could to any
// environment you want.
}
}
}

post {
always {
// Example: Archiving reports and test results
archiveArtifacts artifacts: '**/target/*.jar', allowEmptyArchive: true
junit '**/target/test-*.xml'

// Best practice - clean up the workspaces after it's all said an done.
// Don't be that guy...
cleanWs()
}
}
}

Security Tools To Integrate Into CI/CD Pipelines

If you're trying to figure out what CI/CD and security tools you should use (aside from Jenkins), and you want to understand CI/CD in more detail, I have some resources for you outlined below.

Tool NameDescriptionCategory
SonarQubeOne of the most popular SAST tools, SonarQube analyzes code quality and security across multiple languages.SAST
SemgrepA fast and flexible static analysis tool for identifying security vulnerabilities in source code.SAST
BanditPopular Python-focused SAST tool for identifying security issues in Python codebases.SAST
OWASP Dependency-CheckA widely-used tool that checks for known vulnerabilities in project dependencies.SAST
OWASP ZAPOne of the most popular DAST tools, ZAP identifies security vulnerabilities in running web applications.DAST
ArachniA modular DAST scanner that is widely used for testing modern web applications.DAST
NiktoA highly popular DAST tool that scans web servers for vulnerabilities and misconfigurations.DAST
TrivyA comprehensive vulnerability scanner for containers and cloud-native applications.Container & Cloud Security
Anchore EngineOpen-source tool for scanning container images for vulnerabilities and enforcing security policies.Container Security
ClairA popular open-source tool for scanning vulnerabilities in Docker and OCI container images.Container Security

Additional Resources

Books

Book NameAuthorLink
Continuous Delivery with Docker and Jenkins - Second Edition: Create secure applications by building complete CI/CD pipelinesRafal LeszkoAmazon
Using Docker: Developing and Deploying Software with ContainersAdrian MouatAmazon
Agile Application Security: Enabling Security in a Continuous Delivery PipelineLaura Bell, Michael Brunton-Spall, Rich Smith, Jim BirdAmazon