Pawan Uppadey

Interested in security automation for Cloud, Containers, K8s, IoT etc.


Following are some toolchains I have played around with to get a feel for how DevSecOps could be implemented in Cloud, Kubernetes, AppSec, and other delivery models.

Kubernetes-Native Tekton Security Pipeline

A DevSecOps pipeline that runs inside the Kubernetes cluster as Tekton CI/CD, checking application security, container security, and Infrastructure as Code security using open-source and free tools.

  • CICD - Tekton
  • Git Secret Check - trufflehog
  • SCA - safety
  • SAST - bandit
  • DAST - OWASP Zed Attack Proxy
  • IaC Scanner - checkov
  • Container Vulnerability Analysis - starboard trivy
  • Container Image storage - Docker Hub
  • Database Dynamic Secrets - Hashicorp Vault Database Engine, PostgreSQL
  • Pod Secret Injection - Hashicorp Vault annotation + agent
  • Kubernetes resource deployment - kubectl, helm
  • Kubernetes CIS benchmark - starboard kube-bench
  • Kubernetes workload audit - starboard polaris
  • Kubernetes penetration test - starboard kube-hunter
  • Kubernetes Engine - Minikube
  • Kubernetes nodes - virtualbox driver


Vulnerability Management Driven Security Pipeline

A pipeline for a Python-based project built around a vulnerability manager (DefectDojo), which uses the OWASP ASVS standard to provide a security test plan and requirements, integrates vulnerability data from 70+ tools, and sends findings to Slack for monitoring.

Toolchain

  • Planning - OWASP ASVS
  • CI/CD - Go CD
  • secret-check - trufflehog
  • SCA - safety
  • SAST - bandit
  • DAST - nikto
  • Container Vulnerability Analysis - trivy
  • Vulnerability Manager - DefectDojo
  • Monitoring - Slack
  • Environment - AWS


Container/Kubernetes Security Pipeline

DevSecOps pipeline for a container-based application deployed to a GCP Kubernetes cluster, using GCP's Kubernetes and container services, with security tests from open-source container tools.

  • CICD - Jenkins
  • Git Secret Check - trufflehog
  • Container image vulnerability analysis - trivy
  • Container Image malware analysis - clamav
  • Container Image storage - Google Container Registry
  • Kubernetes Engine - Google Kubernetes Engine
  • Kubernetes nodes - Google Container-Optimized OS
  • Kubernetes setup - gcloud
  • Kubernetes resource deployment - kubectl, helm
  • Kubernetes CIS benchmark - kube-bench
  • Kubernetes penetration test - kube-hunter
  • Kubernetes runtime protection - falco
  • Environment - GCP


Python Jenkins Declarative Pipeline

DevSecOps pipeline for a Python-based project using Jenkins, Ansible, AWS, and open-source security tools and checks.

Toolchain

  • CICD - Jenkins
  • Orchestration - Ansible Playbook
  • SCM - Github
  • Secret check - trufflehog
  • SCA - safety
  • SAST - bandit
  • Container Audit - lynis
  • DAST - nikto for scans, selenium-chrome for grabbing the session cookie
  • Security Audit - lynis
  • WAF - ModSecurity, also configured as a reverse proxy
  • Environment - AWS


Java AWS Cloud-Native Pipeline

DevSecOps pipeline for a Java-based project using AWS DevOps tools, AWS security tools, and some open-source tools.

Toolchain

  • CICD - AWS CodePipeline, AWS CodeBuild, AWS CodeDeploy
  • IDE - AWS Cloud9
  • Secret Check - Talisman as a pre-commit hook; trufflehog checks for secrets in the pipeline
  • SCM - Github
  • Artifact repository - AWS S3
  • SCA - dependency-check
  • SAST - findsecbugs
  • DAST - OWASP ZAP
  • Compliance Scanning - AWS Inspector
  • Threat Detection - AWS GuardDuty
  • Security Advisor - Security Hub
  • WAF - AWS WAF
  • Environment - AWS


JavaScript Azure-DevOps Pipeline

DevSecOps pipeline for a React + Docker based project using Azure DevOps Release Pipelines, Azure security solutions, and some open-source tools.

Toolchain

  • CICD - Azure DevOps, Azure Release Pipeline
  • Secret Check - trufflehog
  • SCM - Github
  • SCA - anchore non-OS package scans
  • SAST - SonarQube Community Edition 7.9.2
  • DAST - gauntlt with arachni, nmap, etc.
  • Host security - Azure Security Center including FIM and Qualys vulnerability scans
  • Container security - anchore full scan (OS and non-OS packages)
  • Continuous Compliance - Azure Security Center for PCI-DSS, ISO 27001, etc.
  • WAF - Azure Application Gateway with WAF rules
  • DDoS protection - VNet DDoS protection setting
  • Azure account protection - Azure Security Center recommendations
  • SIEM & SOAR - Azure Sentinel
  • Environment - Azure Cloud


REST API GCP GoCD Pipeline

DevSecOps pipeline for a Python Flask REST API project using Go CD, Terraform, GCP, and open-source and cloud-native security tools and checks.

Toolchain

  • CICD - Go CD
  • Secret Check - trufflehog
  • SCM - Github
  • SCA - safety
  • SAST - bandit
  • DAST - GCP Web Security Scanner
  • Container security - lynis
  • Compliance - terraform-compliance
  • Environment - GCP

Secret check, SCA, SAST, container security, and compliance checks have all been shifted left and run at code level, i.e. against the source code and the Infrastructure as Code (IaC).

[Screenshots: GoCD pipeline view and GoCD value stream map]

Android/iOS App Security Pipeline

A DevSecOps pipeline for Android and iOS based projects using Jenkins, Android open-source security tools, and the MobSF security testing framework, which performs code/binary analysis, malware analysis, and general and sensitive-information checks on iOS and Android apps.

Toolchain

  • CICD - Jenkins
  • secret-check - trufflehog
  • SAST - findsecbugs
  • Vulnerability Analysis - androbugs
  • Malware Analysis - quark-engine
  • Malicious Behaviour Analysis - androwarn
  • Application Vulnerability Analysis - qark
  • APK composition analysis - APKiD
  • Security Test - MobSF for iOS and Android
  • Environment - GCP

For Android, MobSF also checks certificate strength, obfuscation techniques, anti-reverse-engineering measures, dangerous permissions, etc.


Attack Tree SlackBot

A simple bot that sits on an AWS EC2 instance behind a Python Flask API and creates an attack-tree diagram with the graphviz library when a numbered list of attacks is provided as input.

Toolchain

  • ChatOps - Slack
  • Diagram service - Python for code and logic, graphviz library for diagramming
  • Artifact Repository - AWS S3
  • Request API service - Slack Actions
  • Response API server - Python Flask
  • Bot client host - Slack
  • Bot server host - AWS

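As an added example (hypothetical code, not the bot's own, which the page does not show), here is the core of the diagram step described above: parse a dotted numbered list into a tree and emit Graphviz DOT source that the `graphviz` Python package or the `dot` CLI can render. The sample list is constructed; the node-count cap and the label escaping are my assumptions, included because the list arrives from chat input and is fed into a rendering pipeline.

```python
"""Attack-tree DOT generator from a numbered list (hypothetical, not the bot's code).

Input lines look like "1.1.2. Some attack step". The dotted prefix encodes the
position in the tree: "1.1.2" is the second child of "1.1", which is the first
child of root "1". Output is Graphviz DOT source.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# A dotted number ("1.", "1.2.", "1.2.3.") followed by the node label.
NUMBERED_LINE = re.compile(r"^\s*((?:\d+\.)+)\s*(\S.*?)\s*$")

MAX_NODES = 200  # assumed cap: bound the work a single chat request can trigger


@dataclass
class Node:
    number: str  # "1.2", without the trailing dot
    label: str
    children: List["Node"] = field(default_factory=list)


def parse_attack_list(text: str, max_nodes: int = MAX_NODES) -> List[Node]:
    """Parse numbered lines into a forest of Node trees.

    A node's parent is the node whose number is its dotted prefix, so the list
    must introduce parents before children ("1.1" before "1.1.1"); orphans,
    duplicates and oversized lists are rejected rather than silently drawn.
    """
    by_number: Dict[str, Node] = {}
    roots: List[Node] = []
    for raw in text.splitlines():
        m = NUMBERED_LINE.match(raw)
        if not m:
            continue  # ignore blank lines and chatter around the list
        if len(by_number) >= max_nodes:
            raise ValueError(f"more than {max_nodes} nodes; refusing to render")
        number = m.group(1).rstrip(".")
        if number in by_number:
            raise ValueError(f"duplicate item number {number!r}")
        node = Node(number=number, label=m.group(2))
        by_number[number] = node
        if "." not in number:
            roots.append(node)
            continue
        parent_number = number.rsplit(".", 1)[0]
        parent = by_number.get(parent_number)
        if parent is None:
            raise ValueError(f"item {number!r} has no parent {parent_number!r}")
        parent.children.append(node)
    return roots


def _node_id(number: str) -> str:
    # DOT identifiers: "1.2.3" -> "n1_2_3"
    return "n" + number.replace(".", "_")


def _escape_label(text: str) -> str:
    """Escape for a double-quoted DOT string so chat input cannot break out of the label."""
    return text.replace("\\", "\\\\").replace('"', '\\"')


def to_dot(roots: List[Node]) -> str:
    """Emit Graphviz DOT for the forest: one box per node, parent -> child edges."""
    lines = [
        "digraph attack_tree {",
        "  rankdir=TB;",
        '  node [shape=box, style="rounded,filled", fillcolor="#f4f4f4"];',
    ]

    def emit(node: Node) -> None:
        nid = _node_id(node.number)
        label = _escape_label(f"{node.number} {node.label}")
        lines.append(f'  {nid} [label="{label}"];')
        for child in node.children:
            lines.append(f"  {nid} -> {_node_id(child.number)};")
            emit(child)

    for root in roots:
        emit(root)
    lines.append("}")
    return "\n".join(lines)


def build_attack_tree_dot(text: str) -> str:
    """Convenience wrapper: numbered list text -> DOT source."""
    return to_dot(parse_attack_list(text))


# Constructed sample input, as a user might paste it into the Slack action.
SAMPLE_INPUT = """\
1. Unauthorized access to customer records
1.1. Obtain valid credentials
1.1.1. Credential stuffing with reused passwords
1.1.2. Social-engineer support staff
1.2. Abuse "forgot password" flow
1.3. Exploit vulnerable dependency in API
"""

if __name__ == "__main__":
    # Pipe this into `dot -Tpng -o tree.png` or graphviz.Source(...).render() to draw it.
    print(build_attack_tree_dot(SAMPLE_INPUT))
```

The DOT text is kept separate from rendering on purpose: the parser validates and bounds the input first, and only the escaped, well-formed graph is handed to Graphviz (or uploaded to S3 after rendering, as the toolchain above describes).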