WEEK-12: Session 3
Secure DevOps tools and workflows
Conduct effective risk assessments and threat modeling in a rapidly changing
environment
Design and write automated security tests and checks in CI/CD
Understand the strengths and weaknesses of different automated testing
approaches in Continuous Delivery
Inventory and patch your software dependencies
Wire security scanning into Jenkins, Code Pipeline, and Azure DevOps workflows
Jenkins
Jenkins is a continuous integration (CI) server. It is deployed on one or more physical build
servers. It is written in Java and is highly customizable for projects of any size and complexity.
Jenkins has a large community which has created over 1,000 plug-ins for different use cases.
Jenkins makes it possible to write scripts that can integrate almost any other tool or automated
process into the build pipeline. It provides several interfaces for managing build processes,
including a web UI, CLI, and API.
Without a thorough understanding of your organization’s assets, security efforts will always be
lacking.
Therefore, the first step in any effective security risk assessment is to generate a complete map of
potentially vulnerable assets.
Asset maps require more than identifying hardware in use.
You must also include all applications, all users (whether human or processes) and all data storage
containers because each of these contributes to your overall attack surface.
You should log and track each asset in a centralized database that you can quickly and easily
update.
For users, you need to have a centralized system for assigning and managing all users and their
respective permissions, for instance, an Active Directory system.
Having built your asset inventory, you can now begin to identify vulnerabilities and threats for
each asset.
There are many tests and risk assessment software tools available to help you in this process.
For example, vulnerability scanning investigates your network and applications to identify
susceptibility to known threats.
Having scan results categorized by severity allows your security team to prioritize remediation
efforts.
Security gap analyses compare your current state of security readiness to established standards,
such as CIS Top 18, CMMC or PCI/DSS. These analyses help you identify administration and
configuration risks.
[Cyber Security-20CS54I] Page 6
Department of Collegiate and Technical Education Diploma in CS&E
Penetration testing takes vulnerability and threat assessment to the next level.
By replicating actual attacks on your systems, pen testing can both validate the results of your
vulnerability scans and security gap analyses and pinpoint previously unidentified vulnerabilities.
Pen testing also tells you more than whether a vulnerability exists and can be exploited.
It lets you assess how difficult it is to access your systems, as well as the scope of access and
potential damage from a successful attack.
You will calculate a risk rating for each vulnerability that indicates the likelihood and impact of an
exploit.
For known vulnerabilities, public information will give you a good sense of how easy it is to
exploit the vulnerability, including whether there are already public tools designed to exploit the
vulnerability.
You also want to assess the potential impacts for each vulnerability.
Coupled with your categorization of data and asset valuations, vulnerability testing allows you to
assess the likelihood that attacks will compromise high-value targets, as well as your potential
liability if they are.
Step 3: Determine & Prioritize Risks
Vulnerability and security threat assessments will invariably identify more risks than you can
address at once.
Therefore, when following your risk assessment procedures, your next step is to prioritize risks by
giving each vulnerability a risk rating so that you can prepare your remediation plans.
Prioritizing your remediation responses involves assessing your overall remediation budget
against the risks and impacts of each threat or vulnerability.
For example, you may decide to prioritize vulnerabilities that affect medium-value assets if the
likelihood of exploit and damage potential is much more significant than for higher-value assets.
Costing remediation efforts should include the costs of employees allocated to security efforts.
For example, you can expect to pay a back-end developer with IT security training roughly $80 an
hour in the United States.
If you divert them from their everyday tasks to address risk remediation, this involves an
additional cost for the company.
You should continuously update your risk prioritization and calculate the associated remediation
costs on an annual basis.
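The rating-and-budget step described above, carried through in code (an added example, not from the notes): each vulnerability gets a risk rating of likelihood times impact, remediation is costed at the notes' $80/hour figure, and the plan keeps the highest-rated items that still fit the budget. The asset values, likelihoods, damage fractions and hours are constructed sample data.

```python
# Added example (not from the notes): rate each vulnerability, then pick the
# remediations that fit the budget. Values below are constructed sample data.
from dataclasses import dataclass

HOURLY_RATE_USD = 80  # the notes' figure for a security-trained back-end developer


@dataclass
class Vulnerability:
    name: str
    asset_value_usd: int    # from the asset inventory and data categorisation
    likelihood: float       # 0.0 - 1.0, informed by public exploit availability
    damage_fraction: float  # 0.0 - 1.0, share of the asset's value lost on exploit
    remediation_hours: float

    def risk_rating(self) -> float:
        """Expected loss: likelihood x impact, where impact is value x damage."""
        return self.likelihood * self.asset_value_usd * self.damage_fraction

    def remediation_cost(self) -> float:
        return self.remediation_hours * HOURLY_RATE_USD


def prioritize(vulns: list, budget_usd: float) -> list:
    """Return the remediation plan: vulnerability names ordered by risk rating,
    keeping only those whose cost still fits the remaining budget."""
    plan, remaining = [], budget_usd
    for v in sorted(vulns, key=Vulnerability.risk_rating, reverse=True):
        cost = v.remediation_cost()
        if cost <= remaining:
            plan.append(v.name)
            remaining -= cost
    return plan


# Constructed register: a medium-value asset with an easy, damaging exploit
# outranks a high-value asset whose known vulnerability is hard to exploit.
SAMPLE = [
    Vulnerability("crm-db: unauthenticated admin API", 200_000, 0.8, 0.9, 16),
    Vulnerability("payments: TLS config weakness", 1_000_000, 0.05, 0.5, 8),
    Vulnerability("wiki: outdated plugin, public exploit", 50_000, 0.9, 0.3, 4),
    Vulnerability("hr-portal: legacy auth rewrite", 300_000, 0.3, 0.6, 120),
]

if __name__ == "__main__":
    for v in sorted(SAMPLE, key=Vulnerability.risk_rating, reverse=True):
        print(f"{v.name:42s} risk={v.risk_rating():>10,.0f} cost=${v.remediation_cost():,.0f}")
    print("plan within $5,000:", prioritize(SAMPLE, 5_000))
```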
Step 4: Analyze & Develop Security Controls
For any given vulnerability, there are several types of security controls you may consider.
The primary security controls are:
Physical Security Controls – These control physical access to corporate assets and include
biometric or coded locks, security cameras and guards, among other protections.
Administrative Security Controls – These include corporate security policies, practices and
workflows.
Risk management is a central concern for every organization and one which executives take
seriously. Risk can take different forms and originate from either inside or outside the
organization. IT security is one of the concerns that drive strategy at large corporations,
including the risk of non-compliance, data breaches, infrastructure outages, legal penalties and
more.
Information security regulations are now more strict than ever. They are heavily focused on risk
management and putting controls in place to prevent potential threats. The General Data
Protection Regulation (GDPR), for example, was approved by the EU parliament to strengthen
data protection regulations. Noncompliant organizations can face massive fines. This is where
threat modeling comes into play to address all the underlying sub-threats and root causes of
higher-level threats.
Threat modeling, combined with risk management, should give answers to the question of who
will attack your own systems, and how or where the attack will originate from. Threat modeling
will provide valuable insights on IT risks facing organizations, and then outline necessary
measures and sufficient controls to stop the threat before it becomes effective.
What Are the Types of Threat Modeling Methodologies?
Threat modeling is a structured process, so it follows a certain set of rules, or what we would call
a methodology. There are a number of methodologies available for implementation, but the popular
ones you should know include:
1. STRIDE
STRIDE is a threat model initially developed by Microsoft in 1999. The classification focuses on
the attacker’s goals, including:
Spoofing of user identity
Tampering
Repudiation
Information disclosure
Denial of service (DoS)
Elevation of privilege
2. The Process for Attack Simulation & Threat Analysis (PASTA)
PASTA is a risk-oriented methodology that attempts to connect business objectives and technical
requirements. PASTA methodology is a process which consists of seven stages aiming to provide
a dynamic process ranging from identification, enumeration to scoring.
3. Trike
This methodology is frequently used as a risk management tool during security audits. Trike
framework relies on the requirements model which defines the acceptable level of risk with
respect to stakeholders input. The resulting threat model generally contains all the enumerated
threats, along with risk scores. Trike is also used to describe the security characteristics of a given
system from its high-level to low-level architecture.
4. Visual, Agile & Simple Threat Modeling (VAST)
The VAST methodology came to light mainly to address the limitations and
shortcomings of other threat modeling methodologies. The principle of the VAST methodology is the
importance of scaling the threat modeling process across infrastructure and the SDLC, while also
achieving a seamless integration into an agile software development methodology. VAST aims to
provide valuable and actionable insights to the various parties involved, including senior executives,
developers and security professionals.
Design and write automated security tests and checks in CI/CD:
Continuous Integration/Continuous Delivery (CI/CD) is a methodology born out of the cultural
shift that bridges the gap between Developers, Testers, and Operations via DevOps. The process
emphasizes developers continuously integrating their work, followed by testers testing it
rigorously so that operations teams can release products and updates more often.
Phases of CI/CD
The practice of CI/CD embodies Agile methodologies. These methodologies were formed to
address the shortcomings of other SDLC models like Waterfall, Spiral, Iterative, Big-Bang, etc.
To start with, let’s have a quick overview of the major phases of CI/CD:
Continuous Integration
1. Commit: The developer commits code regularly to the version control system.
2. Build: The code is then built using suitable build tools to obtain an artifact.
3. Unit Test: The developer generally writes unit tests to test functionalities at ground level. These are run
along with the build.
4. Deploy to Development Environment: The build is then deployed onto a common Development
Environment where devs can test how their code works when combined with other developers’ code.
Continuous Delivery
Deploy to Testing Environment: Deployment to this environment happens once a development
phase (sprint) is completed. The last successful build is deployed onto the Testing Environment.
This environment will ideally be a mimic of the Production Environment.
Testing: QA teams run various automated tests like Integration testing, Regression testing, Load,
and Performance testing. This ensures that the product developed at the end of each sprint is ready
to be released to the market.
Continuous Deployment
Deploy to Production Environment: Ideally, this happens at the end of the testing phase in each
sprint. But companies may prefer to take this step based on business strategy and needs.
Continuous Monitoring: This involves monitoring the product’s performance, the underlying
server status and ensuring the sanity and security of the Production Environment.
Rollback: This entails the ability to roll back to a previous stable version of the product in case of
any unfortunate issues.
What is Jenkins?
Jenkins is an open source automation tool written in the Java programming language that enables
continuous integration.
Jenkins continuously builds and tests our software projects, making it easier for developers
to integrate changes to the project and making it easier for users to obtain a fresh build.
It also allows us to continuously deliver our software by integrating with a large number of testing
and deployment technologies.
Jenkins achieves CI (Continuous Integration) with the help of plugins. Plugins are used to allow the
integration of various DevOps stages. If you want to integrate a particular tool, you have to install
the plugins for that tool. For example: Maven 2 Project, Git, HTML Publisher, Amazon EC2, etc.
For example: if an organization is developing a project, then Jenkins will continuously test
the project builds and show you the errors in the early stages of development.
Possible steps executed by Jenkins are, for example:
Perform a software build using a build system like Gradle or Apache Maven
Execute a shell script
Archive a build result
Run software tests
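An example of an automated security check that such a shell-script step can run after a scanner stage (added here, not part of the notes or of Jenkins): it reads scanner output categorized by severity, drops findings covered by an unexpired risk acceptance, and makes the build fail while Critical or High findings remain open. The report format, the thresholds and the acceptance list are constructed assumptions.

```python
# Added example (not from the notes): a severity gate that a Jenkins
# "Execute a shell script" step can run after a scanner stage, so the build
# fails before deployment when open findings exceed the agreed thresholds.
import json
import sys
from collections import Counter
from datetime import date

# Maximum number of open findings tolerated per severity. A single Critical
# or High finding blocks the build; Medium is capped; Low is reported only.
THRESHOLDS = {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 10}

# Constructed scanner output in the shape many dependency/SAST tools emit.
SAMPLE_REPORT = json.dumps({"findings": [
    {"id": "F-1", "severity": "HIGH", "component": "libexample 1.2"},
    {"id": "F-2", "severity": "MEDIUM", "component": "app/auth.py"},
    {"id": "F-3", "severity": "CRITICAL", "component": "libother 0.9"},
    {"id": "F-4", "severity": "low", "component": "app/util.py"},
]})

# Risk acceptances from the register: finding id -> expiry date (ISO 8601).
# An expired acceptance no longer suppresses the finding (F-3 below).
ACCEPTED = {"F-1": "2099-01-01", "F-3": "2000-01-01"}


def evaluate(report_json: str, accepted: dict, today: date) -> tuple:
    """Return (passed, counts) after dropping findings with a valid acceptance."""
    open_findings = [
        f for f in json.loads(report_json)["findings"]
        if not (f["id"] in accepted and date.fromisoformat(accepted[f["id"]]) >= today)
    ]
    counts = Counter(f["severity"].upper() for f in open_findings)
    passed = all(counts[sev] <= limit for sev, limit in THRESHOLDS.items())
    return passed, dict(counts)


if __name__ == "__main__":
    # In the pipeline: python3 gate.py < scan-report.json ; exit status 1 fails the stage.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    ok, counts = evaluate(data, ACCEPTED, date.today())
    print("open findings by severity:", counts)
    sys.exit(0 if ok else 1)
```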
Work Flow:
In Jenkins you have the ability to set up users and their relevant permissions on the Jenkins instance. By
default you will not want everyone to be able to define jobs or perform other administrative tasks in Jenkins. So
Jenkins has the ability to have a security configuration in place.
To configure Security in Jenkins, follow the steps given below.
Step 1 − Click on Manage Jenkins and choose the ‘Configure Global Security’ option
Step 2 − Click on the Enable Security option. As an example, let’s assume that we want Jenkins to maintain
its own database of users, so in the Security Realm, choose the option ‘Jenkins’ own user database’.
By default you would want a central administrator to define users in the system, hence ensure the ‘Allow
users to sign up’ option is unselected. You can leave the rest as it is for now and click the Save button.
Step 3 − You will be prompted to add your first user. As an example, we are setting up an admin user for
the system.
Step 4 − It’s now time to set up your users in the system. Now when you go to Manage Jenkins and scroll
down, you will see a ‘Manage Users’ option. Click this option.
Step 6 − Now it’s time to set up your authorizations, basically who has access to what. Go to Manage
Jenkins → Configure Global Security.
Now in the Authorization section, click on ‘Matrix based security’.
Step 7 − If you don’t see the user in the user group list, enter the user name and add it to the list. Then
give the appropriate permissions to the user.
Click on the Save button once you have defined the relevant authorizations.
Your Jenkins security is now set up.
Azure DevOps supports a collaborative culture and set of processes that bring together developers,
project managers, and contributors to develop software. It allows organizations to create and
improve products at a faster pace than they can with traditional software development approaches.
Azure DevOps Services supports integration with GitHub.com and GitHub Enterprise Server
repositories. Choose Azure DevOps Services when you want the following outcomes:
Quick set-up
Maintenance-free operations
Easy collaboration across domains
Elastic scale
Rock-solid security