
Department of Collegiate and Technical Education Diploma in CS&E

Course: Cyber Security Code: 20CS54I

WEEK-12: Session 3
• Secure DevOps tools and workflows
• Conduct effective risk assessments and threat modeling in a rapidly changing environment
• Design and write automated security tests and checks in CI/CD
• Understand the strengths and weaknesses of different automated testing approaches in Continuous Delivery
• Inventory and patch your software dependencies
• Wire security scanning into Jenkins, Code Pipeline, and Azure DevOps workflows

Secure DevOps tools and workflows:

What Are DevOps Tools?
• DevOps tools help simplify and accelerate testing, configuration, deployment, and other software-related tasks required to implement DevOps processes.
• Some DevOps tools provide the ability to identify and resolve errors and defects at high velocity and scale. Others add automation to processes such as monitoring, testing, deployment, updates, and infrastructure management, while others facilitate information sharing and improve collaboration.
• An effective DevOps toolchain can improve the quality, stability, and reliability of applications, and can help identify and resolve problems earlier in the development lifecycle.
• In general, DevOps tools provide the following benefits:
  • Reduce repetitive work and optimize processes
  • Organize work into structured processes
  • Improve collaboration and communication between teams
  • Simplify work processes, saving time and effort
  • Prevent human errors and misjudgements via automation, while allowing human oversight of processes where necessary

Important DevSecOps Tools For DevOps Pipeline:

• Log Management Tools
• Monitoring Tools
• Alerting Tools
• Dashboard Tools
• Threat Modeling Tools
• Testing Tools
• Automated Testing Tools
• Additional DevOps Security Tools

[Cyber Security-20CS54I] Page 1


Log Management Tools
• Log Management helps the organization and its environment function correctly, because it lets you analyze and manage the large volume of logs generated in most organizations. Organizations need to discover and identify weak spots through either manual search or automated tools, and Log Management tools serve this purpose. Many tools can be used for log management, monitoring, and alerting. Some of them are:
  • Splunk
  • SumoLogic
  • Scalyr
  • Nagios Fusion/Nagios Log Server
Monitoring Tools
• Monitoring tools give the organization an eagle's eye view of their applications, deployments, infrastructure, and users, which allows them to get the required information quickly. These tools can have an auto-scaling feature, enabling the organization to scale the application with their changing needs.
  • ExtraHop
  • Datadog
  • SignalFx
  • Sqreen
  • Tripwire
Alerting Tools
• Alerting Tools help organizations by generating passive and active alerts. They are essential: anything the Monitoring Tools observe and flag as suspicious must be conveyed to the appropriate personnel, otherwise the Monitoring Tools add little value. Alerting Tools also allow for teamwide communication and response. Some of the tools used are:
  • VictorOps
  • PagerDuty
  • OpsGenie
  • Alerta
  • Contrast Assess
  • Contrast Protect
  • ElastAlert
Threat Modeling Tools
• The three most important tools used for DevOps Security in identifying, defining, and mitigating threats are as follows:
  • IriusRisk
  • ThreatModeler
  • OWASP Threat Dragon
Infrastructure Automation Tools
DevSecOps strongly relies on automation, and modern approaches involve automating infrastructure configuration and security. Tools in this category automatically detect and repair various security vulnerabilities and configuration issues for various aspects of cloud environments. They range from event-based automation to configuration management, infrastructure as code (IaC), and cloud configuration management tools such as Cloud Workload Protection Platforms (CWPP).

Dashboard and Visualization Tools

• DevSecOps teams need tools that make it possible to view and share security information between developers, operations, DevOps, and security teams in a single pane of glass or integrated with existing security risk management tools.
• Effective tools show trends and KPIs in a way that is meaningful to all stakeholders, for example, visualizing the growth or reduction in vulnerabilities for a specific application over time. Custom dashboards can aggregate all relevant security data, log data, and other application monitoring stats visible to all members of the team.

Top DevSecOps Tools

GitLab
• GitLab is a cloud-based solution for managing git repositories. It covers the entire software lifecycle in one management application. GitLab starts with project planning and source code control, and extends to later stages of the CI/CD pipeline, all the way to production deployments.
• GitLab provides planning, creation and management of software artifacts, validation, packaging, release management, configuration, and monitoring capabilities. GitLab's core competency, Git repository management, supports issue tracking, automated feeds, code review, and a wiki for documentation and knowledge sharing.
Docker
• Docker helped encourage a massive adoption of containers amid the modernization of software development. Docker containers enable repeatable, consistent deployment of software components in an isolated environment. They are similar to virtual machines, but faster, lighter, and easier to work with because they do not contain an entire operating system.
• Docker allows DevOps teams to split an application into multiple containers, in a microservices model, making it more portable and easier to test and maintain. Docker has driven major changes in the software delivery workflow and is considered by many to be the foundation of modern deployment automation.

OWASP Zed Attack Proxy (ZAP)

• OWASP ZAP is a popular security tool designed to help developers practice better software security. The tool comes with several features, including an active scanner, which you can integrate into your CI/CD pipeline. ZAP works as an intercepting proxy: it routes traffic between the browser and the web application through itself, so that requests and responses can be inspected and tested for web vulnerabilities.

Jenkins
• Jenkins is a continuous integration (CI) server. It is deployed on one or more physical build servers. It is written in Java and is highly customizable for projects of any size and complexity. Jenkins has a large community which has created over 1,000 plug-ins for different use cases.
• Jenkins makes it possible to write scripts that can integrate almost any other tool or automated process into the build pipeline. It provides several interfaces for managing build processes, including a web UI, CLI, and API.



Maven
• Maven is an open source build tool that allows you to build, release, and deploy multiple software projects while improving project management by building and documenting software lifecycles.
• Maven is written in Java, and can be used to build projects written in C#, Scala, Ruby, and other languages. It is based on the Project Object Model (POM), which enables reporting, build and test automation.
• Maven provides dependency management with automated updating, reporting of errors and integrity issues, parent versioning, and enforces consistent practices across multiple software projects.
CircleCI
• CircleCI is an open source CI/CD tool. It provides job scheduling, resource configuration, caching, debugging, security, and reporting on customizable dashboards. CircleCI integrates with a variety of DevOps tools such as GitHub, Heroku, Slack, and Docker.
• CircleCI provides a free edition, which you can use as a cloud service, or run locally on Linux, Mac, or Windows. Paid editions provide more advanced capabilities, such as higher concurrency, Docker layer caching, and 24/7 support.
What is DevOps Workflow?
• Curious about DevOps Workflow? This section explains the DevOps process, how automation relates to workflow, and best practices for workflow design.
• DevOps is a methodology in which Development and Operations work together during the development process. Workflow is the sequence in which tasks occur. A DevOps workflow relies heavily on automation and involves:
  • Continuous development
  • Continuous integration
  • Continuous testing
  • Continuous monitoring
  • Continuous delivery and deployment
• Using DevOps, teams can increase collaboration and improve processes to create more stable and manageable processes. Adopting a DevOps methodology can have major benefits for teams and companies, including accelerated time to market, high user satisfaction, and boosted efficiency.
What does a typical DevOps workflow look like?
• The DevOps process flow is all about collaborating and finding ways to automate parts of the lifecycle. For each step of the process, teams will need to work together to identify what improvements can be made and where automation makes the most sense.
• Generally, there are four parts to a DevOps workflow:
  • Continuous integration: Code changes are broken down into small parts and are combined at regular intervals into a shared repository for testing.
  • Continuous testing: Once code changes enter the repository, automated testing is run on the changes to check for failures and errors. If issues are detected, the code change is sent back to the team to fix and test again. If no issues are detected, the code changes move to the next part of the workflow.
  • Continuous delivery: Code changes that pass through the testing process are then released into the production environment.
  • Continuous deployment: Code changes are directly released to customers, with no manual intervention necessary.



Conduct effective risk assessments and threat modeling in a rapidly changing environment:
• A security risk assessment is a process that identifies, evaluates, and prioritizes potential vulnerabilities in various information assets (i.e., systems, hardware, applications, and data) and then prioritizes the risks that could arise from those vulnerabilities.
• The primary purpose of a risk assessment is to inform decision-makers about vulnerabilities in corporate systems, allowing them to take preemptive defensive actions and prepare effective risk responses.
• The assessment also provides an executive summary to help executives make informed decisions about ongoing security efforts.
• Security risk assessments also indicate to management areas where employees need training to help minimize attack surfaces.

The 8 Step Security Risk Assessment Process

• Security risk assessments involve a detailed and iterative process.
• Your security assessment plan begins with understanding exactly what resources your organization has.
• Once you have built a thorough and complete inventory, you can begin to identify each resource's vulnerabilities and implement appropriate security measures to rectify the vulnerabilities or protect them against exploits.

1. Map Your Assets
2. Identify Security Threats & Vulnerabilities
3. Determine & Prioritize Risks
4. Analyze & Develop Security Controls
5. Document Results From Risk Assessment Report
6. Create A Remediation Plan To Reduce Risks
7. Implement Recommendations
8. Evaluate Effectiveness & Repeat

Step 1: Map Your Assets

• Without a thorough understanding of your organization's assets, security efforts will always be lacking.
• Therefore, the first step in any effective security risk assessment is to generate a complete map of potentially vulnerable assets.
• Asset maps require more than identifying hardware in use.
• You must also include all applications, all users (whether human or processes) and all data storage containers, because each of these contributes to your overall attack surface.
• You should log and track each asset in a centralized database that you can quickly and easily update.
• For users, you need to have a centralized system for assigning and managing all users and their respective permissions, for instance, an Active Directory system.



• After completing your asset inventory, you should assign each asset a value and map data flows among your various resources.
• Building data flow diagrams allows you to understand better where weak points and vulnerabilities exist in your network.
• As part of assigning value to your assets, you should categorize your data by access levels.
• Example categories include:
  • Public – Data that you intentionally make publicly available and that generates no concerns in the event of a breach.
  • Confidential – Data that is not publicly accessible and that you only share with third parties under a non-disclosure agreement (NDA). Potentially includes sensitive technical, financial or customer information.
  • Internal Use Only – The term is self-explanatory; this is information that you do not share outside the company, even with an NDA.
  • Intellectual Property – This includes trade secrets and sensitive information underlying issued patents, pending patent applications and copyrights.
  • Compliance Restricted Data – This includes any data subject to legal or regulatory obligations.
• Data flow analyses should include what data is stored where and which users have access to what data.
• User is a generic term that can include any person, program or process with access to corporate data storage.
• In addition to identifying all internal assets, you must also identify and track connections to and data sharing with third-party providers, whether infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), software-as-a-service (SaaS), or another type of service provider.
• Third-party data flow assessments are particularly important for compliance with worldwide data privacy laws and regulations.
• Building data flow maps, whether internal or with third-party providers, requires that you know:
  • What data you have
  • How you collect data (online forms, phone calls, hard copy, etc.)
  • How you store data (electronic databases, hard copy documents, etc.)
  • Where you store data (internal electronic storage, filing cabinets, cloud storage)
  • How you process data (internal workflows)
  • How you transfer data (email, FTP sites, phone, mail, etc.)
Step 2: Identify Security Threats & Vulnerabilities

• Having built your asset inventory, you can now begin to identify vulnerabilities and threats for each asset.
• There are many tests and risk assessment software tools available to help you in this process.
• For example, vulnerability scanning investigates your network and applications to identify susceptibility to known threats.
• Having scan results categorized by severity allows your security team to prioritize remediation efforts.
• Security gap analyses compare your current state of security readiness to established standards, such as CIS Top 18, CMMC or PCI/DSS. These analyses help you identify administration and configuration risks.
• Penetration testing takes vulnerability and threat assessment to the next level.
• By replicating actual attacks on your systems, pen testing can both validate the results of your vulnerability scans and security gap analyses and pinpoint previously unidentified vulnerabilities.
• Pen testing also tells you more than whether a vulnerability exists and can be exploited.
• It lets you assess how difficult it is to access your systems, as well as the scope of access and potential damage from a successful attack.
• You will calculate a risk rating for each vulnerability that indicates the likelihood and impact of an exploit.
• For known vulnerabilities, public information will give you a good sense of how easy it is to exploit the vulnerability, including whether there are already public tools designed to exploit the vulnerability.
• You also want to assess the potential impacts for each vulnerability:
  • Is the most likely outcome business disruption?
  • Can attackers completely lock you out of your systems or permanently destroy data?
  • Are you subject to fines for compliance violations?
• Coupled with your categorization of data and asset valuations, vulnerability testing allows you to assess the likelihood that attacks will compromise high-value targets, as well as your potential liability if they are.
Step 3: Determine & Prioritize Risks
• Vulnerability and security threat assessments will invariably identify more risks than you can address at once.
• Therefore, when following your risk assessment procedures, your next step is to prioritize risks by giving each vulnerability a risk rating so that you can prepare your remediation plans.
• Prioritizing your remediation responses involves assessing your overall remediation budget against the risks and impacts of each threat or vulnerability.
• For example, you may decide to prioritize vulnerabilities that affect medium-value assets if the likelihood of exploit and damage potential is much more significant than for higher-value assets.
• Costing remediation efforts should include the cost of employees allocated to security efforts.
• For example, you can expect to pay a back-end developer with IT security training roughly $80 an hour in the United States.
• If you divert them from their everyday tasks to address risk remediation, this involves an additional cost for the company.
• You should continuously update your risk prioritization and calculate the associated remediation costs on an annual basis.
Step 4: Analyze & Develop Security Controls
• For any given vulnerability, there are several types of security controls you may consider.
• The primary security controls are:
  • Physical Security Controls – These control physical access to corporate assets and include biometric or coded locks, security cameras and guards, among other protections.
  • Administrative Security Controls – These include corporate security policies, practices and workflows.



  • Technical Security Controls – As the name suggests, these controls apply technological resources to address risk, including software tools such as firewalls, encryption and antivirus programs.
• Each of these controls can be further divided by function, that is, by whether they detect, prevent/deter, correct or compensate for threats and vulnerabilities.
• Once you determine the appropriate controls for each vulnerability, you can then develop specific remediation plans.
Step 5: Document Results From Risk Assessment Report
• Effective risk assessment reports condense the results of the various threat and vulnerability assessments into a concise threat ranking that gives you a visual prioritization of your remediation plan.
• One effective way to represent your risk prioritization is using risk analysis templates, for example, a risk matrix.
• The risk matrix compares the various levels of likelihood of exploitation against the severity of the damage from a successful attack.
• As the likelihood of exploitation and the value of the attack increase, vulnerabilities increase in priority and move higher in the remediation plan.
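Worked example for Steps 1, 3 and 5, added here and not part of the course notes: a small Python register that turns the data classification from Step 1 into an impact score, combines it with an analyst's likelihood estimate (raised by one when public exploit tooling exists, as Step 2 notes) into a rating, orders remediation within a budget as Step 3 describes, and lays the results out on the 5x5 risk matrix of Step 5. The impact weights per classification, the band thresholds, the greedy budget selection and the four sample vulnerabilities are constructed assumptions; none of them refers to a real system or CVE.

```python
"""Added example (not from the course notes): risk rating and a risk matrix.

Each vulnerability gets a likelihood score and an impact score on a 1-5 scale;
rating = likelihood x impact (1-25). The impact weights per data
classification, the band thresholds and the sample vulnerabilities are all
constructed assumptions for illustration.
"""
from dataclasses import dataclass

# Step 1 data categories mapped to an impact weight (assumed weights).
CLASSIFICATION_IMPACT = {
    "Public": 1,
    "Internal Use Only": 2,
    "Confidential": 4,
    "Intellectual Property": 5,
    "Compliance Restricted Data": 5,
}


@dataclass
class Vulnerability:
    asset: str
    classification: str      # one of the CLASSIFICATION_IMPACT keys
    description: str
    likelihood: int          # 1 (rare) .. 5 (almost certain), analyst estimate
    public_exploit: bool     # public exploit tooling exists for this weakness
    remediation_cost: float  # constructed estimate, in USD


def likelihood_score(v: Vulnerability) -> int:
    # Step 2: a known weakness with public tooling is easier to exploit,
    # so raise the analyst's estimate by one (capped at 5).
    return min(5, v.likelihood + (1 if v.public_exploit else 0))


def impact_score(v: Vulnerability) -> int:
    return CLASSIFICATION_IMPACT[v.classification]


def risk_rating(v: Vulnerability) -> int:
    return likelihood_score(v) * impact_score(v)


def risk_band(rating: int) -> str:
    # Assumed thresholds on the 1..25 scale.
    if rating >= 15:
        return "Critical"
    if rating >= 10:
        return "High"
    if rating >= 5:
        return "Medium"
    return "Low"


def prioritise(vulns):
    """Step 3: highest rating first; cheaper fix first among equal ratings."""
    return sorted(vulns, key=lambda v: (-risk_rating(v), v.remediation_cost))


def remediation_plan(vulns, budget: float):
    """Steps 3 and 6: walk the prioritised list and take every item that
    still fits in the remaining budget (simple greedy selection)."""
    chosen, remaining = [], budget
    for v in prioritise(vulns):
        if v.remediation_cost <= remaining:
            chosen.append(v)
            remaining -= v.remediation_cost
    return chosen


def risk_matrix(vulns):
    """Step 5: 5x5 grid keyed by (likelihood, impact); each cell lists the
    vulnerabilities that land there."""
    grid = {(lik, imp): [] for lik in range(1, 6) for imp in range(1, 6)}
    for v in vulns:
        grid[(likelihood_score(v), impact_score(v))].append(v.description)
    return grid


# Constructed sample register (no real CVEs or systems).
SAMPLE = [
    Vulnerability("customer-db", "Compliance Restricted Data",
                  "Unpatched database server (placeholder CVE)", 3, True, 4000),
    Vulnerability("marketing-site", "Public",
                  "Outdated CMS plugin", 4, True, 800),
    Vulnerability("hr-portal", "Confidential",
                  "No MFA on admin login", 3, False, 1500),
    Vulnerability("wiki", "Internal Use Only",
                  "Verbose error pages", 2, False, 200),
]


if __name__ == "__main__":
    for v in prioritise(SAMPLE):
        r = risk_rating(v)
        print(f"{r:>2} {risk_band(r):<8} {v.asset:<15} {v.description}")
    print("Within a 5000 USD budget:",
          [v.asset for v in remediation_plan(SAMPLE, 5000)])
```

With the sample data the database server rates 20 (Critical) and heads the list, while the budget walk skips the 1500 USD HR fix once the database patch has consumed most of the 5000 USD and picks up the two cheaper items instead, which is the trade-off Step 3 describes between asset value, likelihood and remediation cost.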
Step 6: Create A Remediation Plan To Reduce Risks
• Now that you have determined risk ratings and the order in which you will address vulnerabilities, you can begin creating your detailed vulnerability remediation plan.
• This should include the basic, high-level steps for each remediation process and the associated costs.
• If you still have several options for a given vulnerability, you should perform a cost/benefit analysis.
• Comparing the cost of remediation against the potential cost of a successful attack can assist you in narrowing down to your preferred control.
• Costs are not limited to monetary expenditures; they can also include the time it takes to implement a solution and the disruption to the business.
• For example, applying software patches may have little overall cost for an organization, but it can be disruptive if done during business hours.
Step 7: Implement Recommendations
• It's finally time for action.
• Your security team should now assign each item in the remediation plan to the appropriate team.
• Assignments should include realistic time frames for completion.
• In addition, you should indicate steps that teams should take to monitor the effectiveness of their remediation efforts, as well as any necessary reporting workflows.
• As part of your remediation efforts, you should consider proactive risk responses such as Managed Detection and Response (MDR) solutions or Security Information and Event Management (SIEM) solutions.
• Your choice among proactive risk response solutions may depend on whether you want to keep your efforts internal (SIEM) or whether you want to rely on external providers (MDR).
• Experienced external providers can also help you build your SIEM processes, even if you control them internally.



Step 8: Evaluate Effectiveness & Repeat

• Risk assessments are never static processes.
• They require ongoing monitoring and optimization. As the old saying goes, rinse and repeat.
• Internal audits are one way to evaluate whether remediation efforts are working.
• You can also repeat your risk evaluations and gap analyses to verify that your actions have improved your security posture.
• Another very effective test of remediation efforts is the so-called "Blue Team" exercise.
• The Blue Team is your internal defensive group responsible for performing security threat assessment, creating and implementing remediation plans and managing incident response.
• In contrast, the Red Team represents attack vectors, for example, by conducting penetration testing.
• Blue Team exercises are widely varied and can include anything from performing domain name server audits to tracking individual user activity to identify anomalous actions to putting firewalls and anti-virus programs in place.
• Blue Teams should also police compliance with company security policies.
• As with all business processes, once you identify a flaw or fault, you must correct it and restart the process.

What Is Threat Modeling?

• Threat modeling is something that people incorporate in their daily life without even realizing it. For example, a child determining the best road to reach their destination without being bullied along the way is threat modeling.
• Within information security, threat modeling is a structured approach and process aiming to analyze the security of an application. The process starts with the identification of all entry points, and follows with enumeration and prioritization of all the potential threats associated with each asset or entry point. The ultimate goal is to mitigate all these threats and prevent future attacks.
• Organizations have also started incorporating threat modeling in their own SDLC to ensure their applications are developed with built-in security measures. Microsoft has adopted this approach, which is the reason we have witnessed an increase in the security of their products.
What Is the Role of Threat Modeling in Risk Management?

• Risk management is a central concern for every organization and one which executives take seriously. Risk can take different forms and originate from either inside or outside the organization. IT security is one of the concerns that drive strategy at large corporations, including the risk of non-compliance, data breaches, infrastructure outages, legal penalties and more.
• Information security regulations are now stricter than ever. They are heavily focused on risk management and putting controls in place to prevent potential threats. The General Data Protection Regulation (GDPR), for example, was approved by the EU parliament to strengthen data protection regulations. Noncompliant organizations can face massive fines. This is where threat modeling comes into play to address all the underlying sub-threats and root causes of higher-level threats.
• Threat modeling, combined with risk management, should answer the question of who will attack your systems, and how or where the attack will originate. Threat modeling provides valuable insights on the IT risks facing organizations, and then outlines the necessary measures and sufficient controls to stop the threat before it becomes effective.
What Are the Types of Threat Modeling Methodologies?
• Threat modeling is a structured process, so it follows a certain set of rules, or what we would call a methodology. There are a number of methodologies available for implementation, but the popular ones you should know include:
1. STRIDE
STRIDE is a threat model initially developed by Microsoft in 1999. The classification focuses on the attacker's goals, including:
• Spoofing of user identity
• Tampering
• Repudiation
• Information disclosure
• Denial of service (DoS)
• Elevation of privilege
2. The Process for Attack Simulation & Threat Analysis (PASTA)
• PASTA is a risk-oriented methodology that attempts to connect business objectives and technical requirements. The PASTA methodology is a process which consists of seven stages, aiming to provide a dynamic process ranging from identification and enumeration to scoring.
3. Trike
• This methodology is frequently used as a risk management tool during security audits. The Trike framework relies on the requirements model, which defines the acceptable level of risk with respect to stakeholders' input. The resulting threat model generally contains all the enumerated threats, along with risk scores. Trike is also used to describe the security characteristics of a given system from its high-level to low-level architecture.
4. Visual, Agile & Simple Threat Modeling (VAST)
• The VAST methodology came into light mainly to address the limitations and shortcomings of other threat modeling methodologies. The principle of the VAST methodology is the importance of scaling the threat modeling process across infrastructure and the SDLC, and also achieving a seamless integration into an agile software development methodology. VAST aims to provide valuable and actionable insights to various involved parties including senior executives, developers and security professionals.
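Worked example for the STRIDE methodology listed above, added here and not taken from the course notes: STRIDE applied per element to a small data-flow diagram (DFD) in Python, the way a threat modeling session enumerates threats and their candidate controls before scoring them. The sample DFD (browser, login request, web application, user database), the element-type to STRIDE-category mapping and the mitigation hints are constructed assumptions; the mapping follows the common STRIDE-per-element convention rather than anything stated in the notes.

```python
"""Added example (not from the course notes): STRIDE applied per element of a
small data-flow diagram (DFD).

The diagram, the element-type to STRIDE-category mapping and the mitigation
hints are constructed for illustration. The mapping follows the usual
STRIDE-per-element convention: external entities get S and R, processes all
six, data stores T/R/I/D and data flows T/I/D.
"""
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing of user identity",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Which categories apply to which kind of DFD element (assumed convention).
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}

# Defensive control families per category (illustrative, not exhaustive).
MITIGATIONS = {
    "S": "strong authentication (MFA, mutual TLS), no shared accounts",
    "T": "input validation, integrity checks, signed artefacts",
    "R": "audit logging to tamper-evident, append-only storage",
    "I": "encryption in transit and at rest, least-privilege access",
    "D": "rate limiting, quotas, redundancy and auto-scaling",
    "E": "authorisation checks on every request, least privilege, sandboxing",
}


@dataclass
class Element:
    name: str
    kind: str                         # key of APPLICABLE
    crosses_trust_boundary: bool = False


@dataclass
class Threat:
    element: str
    category: str                     # single STRIDE letter
    title: str
    mitigation: str
    priority: str                     # "high" when a trust boundary is crossed


def enumerate_threats(elements):
    """Produce one Threat per (element, applicable STRIDE category)."""
    threats = []
    for el in elements:
        for code in APPLICABLE[el.kind]:
            threats.append(Threat(
                element=el.name,
                category=code,
                title=f"{STRIDE[code]}: {el.name}",
                mitigation=MITIGATIONS[code],
                priority="high" if el.crosses_trust_boundary else "normal",
            ))
    return threats


def threats_by_element(threats):
    """Group the STRIDE letters per element, as a threat register would."""
    register = {}
    for t in threats:
        register.setdefault(t.element, set()).add(t.category)
    return register


# Constructed DFD for a login feature: browser -> web app -> user database.
DFD = [
    Element("Browser (user)", "external_entity"),
    Element("Login request (HTTPS)", "data_flow", crosses_trust_boundary=True),
    Element("Web application", "process"),
    Element("User database", "data_store"),
]


if __name__ == "__main__":
    for t in enumerate_threats(DFD):
        print(f"[{t.priority:<6}] {t.category} {t.title:<45} -> {t.mitigation}")
```

The four elements yield fifteen candidate threats; the three on the login request are flagged high because that flow crosses the trust boundary between the user's browser and the application, which is where the Step 2 and Step 3 scoring would normally start.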
Design and write automated security tests and checks in CI/CD:
• Continuous Integration/Continuous Delivery (CI/CD) is a methodology borne out of the cultural shift that bridges the gap between Developers, Testers, and Operations via DevOps. The process emphasizes developers continuously integrating their work, followed by testers testing it rigorously, so that operations teams can release products and updates more often.

Phases of CI/CD
• The practice of CI/CD embodies Agile methodologies. These methodologies were formed to address the shortcomings of other SDLC models like Waterfall, Spiral, Iterative, Big-Bang, etc.
To start with, let's have a quick overview of the major phases of CI/CD:

Continuous Integration
1. Commit: The developer commits code regularly to the version control system.
2. Build: The code is then built using suitable build tools to obtain an artifact.
3. Unit Test: The developer generally writes unit tests to test functionalities at ground level. These are run along with the build.
4. Deploy to Development Environment: The build is then deployed onto a common Development Environment where devs can test how their code works when combined with other developers' code.

Continuous Delivery
• Deploy to Testing Environment: Deployment to this environment happens once a development phase (sprint) is completed. The last successful build is deployed onto the Testing Environment. This environment will ideally mimic the Production Environment.
• Testing: QA teams run various automated tests like Integration testing, Regression testing, Load, and Performance testing. This ensures that the product developed at the end of each sprint is ready to be released to the market.


Continuous Deployment
• Deploy to Production Environment: Ideally, this happens at the end of the testing phase in each sprint, but companies choose when to take this step based on business strategy and needs.
• Continuous Monitoring: This involves monitoring the product's performance and the underlying server status, and ensuring the sanity and security of the Production Environment.
• Rollback: This entails the ability to roll back to a previous stable version of the product in case of any unfortunate issues.
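Worked example of an automated security check for the Continuous Integration phase above, added here and not from the course notes or any named tool: a Python gate that runs next to the Build and Unit Test steps, scans the committed sources for hard-coded credentials and insecure settings, and fails the stage through its exit status. The rule set, the `# nosec` suppression marker, the severity threshold and the sample files are constructed assumptions; in a real pipeline a maintained scanner would supply the rules.

```python
"""Added example (not from the course notes): a small security gate that can
run as one step of the CI build, next to the unit tests.

It scans source text for hard-coded credentials and insecure settings, two
defect classes that a fast, repeatable automated check catches well. The rule
set, the sample files and the '# nosec' suppression marker are constructed
assumptions; a real pipeline would use a maintained scanner.
"""
import re
import sys
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    severity: str
    text: str


# (rule id, severity, pattern): constructed rule set, kept deliberately small.
RULES = [
    ("hardcoded-password", "high",
     re.compile(r"""(?i)(password|passwd|pwd)\s*[=:]\s*['"][^'"]{4,}['"]""")),
    ("aws-access-key-id", "high", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", "high",
     re.compile(r"-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("debug-enabled", "medium", re.compile(r"(?i)\bDEBUG\s*=\s*True\b")),
    ("tls-verify-disabled", "medium", re.compile(r"\bverify\s*=\s*False\b")),
]

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2}


def scan_text(path: str, text: str):
    """Run every rule over every line; return the findings in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if "# nosec" in line:      # reviewed, explicit suppression (assumed marker)
            continue
        for rule_id, severity, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule_id, severity, line.strip()))
    return findings


def scan_files(files: dict):
    """files maps a path to its contents (read from disk in a real pipeline)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def gate_passes(findings, fail_on: str = "high") -> bool:
    """The stage fails if any finding is at or above the fail_on severity."""
    threshold = SEVERITY_ORDER[fail_on]
    return not any(SEVERITY_ORDER[f.severity] >= threshold for f in findings)


# Constructed sample repository contents (no real secrets).
SAMPLE_FILES = {
    "settings.py": "DEBUG = True\nSECRET_KEY = 'x'\nDB_PASSWORD = 'hunter22'\n",
    "client.py": "import requests\nr = requests.get(url, verify=False)\n",
    "safe.py": "password = os.environ['DB_PASSWORD']\n",
}


if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for f in found:
        print(f"{f.severity.upper():<6} {f.path}:{f.line} {f.rule}: {f.text}")
    # A non-zero exit status is what makes the CI stage fail.
    sys.exit(0 if gate_passes(found) else 1)
```

Run it as its own stage before Deploy to Development Environment: the exit status stops the pipeline on the hard-coded password, the two medium findings are reported without blocking under the default threshold, and `safe.py`, which reads the credential from the environment, produces nothing. The findings list is the kind of per-build data the dashboard tools described earlier would chart over time.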

Understand the strengths and weaknesses of different automated testing approaches in Continuous Delivery:

Role of Automation Testing in CI/CD

• Automation enables meaningful and effective implementation of CI/CD. Automation Testing is at the core of any CI/CD pipeline. This is because the whole concept of CI/CD revolves around "build fast, test fast, fail fast."
• Tests have to be run as fast as possible so that the feedback reaches the developer early. This enables the early detection of bugs. As a result, the product that goes out to the release stage will be more accurate and bug-free. All this will only be possible with the automation of test suites.
• Test automation offers the following advantages:
  • Reduces manual effort when the same test must be run repetitively. This frees up more time to perform rigorous manual tests.
  • Gives immediate feedback.
  • Tests can be more accurate and cover more test cases.
  • Helps generate and compare multiple test results, ensuring product consistency.
  • Becomes an integral part of the CI/CD pipeline, abiding by its principle of build fast, fail fast.

Where do Automation Tests fit in CI/CD pipelines?

• It is essential to have multiple automated test suites built for different purposes. Running a single test suite covering all the scenarios will only slow down the process.
• Following are some testing types and where they fit into the CI/CD pipelines:
  • Unit Tests: Many teams follow the Test Driven Development (TDD) approach. Unit tests are written by the developers and run as a part of the build phase.
  • Integration Tests: After every commit is built and deployed onto the development environment, these tests are run to check if the newly added module/changes work well together. Some organizations have a dedicated environment to run integration tests.



  • Regression Tests: Regression tests are run once nightly to ensure that the newly added changes do not impact the existing code. This helps make sure the day's work is all good and gives feedback if any changes are necessary.
  • Performance and Load Tests: Before releasing the code to the production environment, a set of tests are run to evaluate the responsiveness and stability of the system. These tests are run on the UAT/Pre-Production environment after the code is deployed at the end of the sprint.
• These are the tests that every CI/CD pipeline should ideally have, and essentially, they should be automated. As the product grows and offers more features and updates, test cases also increase exponentially. Running all the above tests manually would be impossible, and automation is the only feasible way of executing them with speed and accuracy.
Strengths of Automated Testing in CD:
1. Runs tests quickly and effectively
 While the initial setup of automated test cases may take a while, once you’ve automated your
tests, you’re good to go. You can reuse tests, which is good news for those of you running
regressions on constantly changing code. You won’t have to continuously fill out the same
information or remember to run certain tests. Everything is done for you automatically.
2. Can be cost effective
 While automation tools can be expensive in the short-term, they save you money in the long-term.
They not only do more than a human can in a given amount of time, they also find defects quicker.
This allows your team to react more quickly, saving you both precious time and money.
3. More interesting
 Filling out the same forms time after time can be frustrating, not to mention boring. Test
automation solves this problem. The process of setting up test cases takes coding and thought,
which keeps your best technical minds involved and committed to the process.
4. Everyone can see results:
 When one person is doing manual testing, the rest of the team can’t see the results of the tests
being run. With automated tests, however, people can sign into the testing system and see the
results. This allows for greater team collaboration and a better final product.
Weaknesses of Automated Testing in CD:
1. Tools can be expensive
 The automation tools can be an expensive purchase. As a result, it is important to use only the
ones that give you full coverage, or as close to full coverage as you can find.
2. Tools still take time
 While the automation process cuts down on the time it takes to test everything by hand, automated
testing is still a time intensive process. A considerable amount of time goes into developing the
automated tests and letting them run. For example, a large client of ours ran into trouble when
their daily run of automated tests exceeded the 24-hour mark.
3. Tools have limitations
 While automated tests will detect most bugs in your system, there are limitations. For example,
the automated tools can’t test for visual considerations like image color or font size. Changes in
these can only be detected by manual testing, which means that not all testing can be done with
automatic tools.

Inventory and patch your software dependencies
Establish a baseline inventory:
 The first step in the process is to establish an up-to-date baseline inventory of all of your
production systems. This inventory must be comprehensive in scope and at minimum should
include all of the operating systems and applications your organization uses.
 However, creating an application and operating system inventory is really just a starting point.
Just as software vendors release software updates that are designed to correct bugs and known
vulnerabilities, hardware vendors periodically release firmware updates that are intended to
address issues at the hardware level. So you'll also need to include firmware in the inventory.
 The reason it is so important to start with a baseline inventory of your production systems is
because you will need it to assess the current state of patching in your organization.
Patch your software dependencies:
 The benefit of software dependencies is that they allow developers to more quickly deliver
software by building on previous work. Software dependencies have revolutionized application
development over the past few decades, but they also introduce risks that are frequently
overlooked.
What are the types of dependencies?
 Software dependencies come in two types:
 Direct: Libraries or packages your code calls directly.
 Transitive: Libraries or packages your dependencies call. These are dependencies of
dependencies.
 Both types of dependencies require careful management to control the risks involved. Transitive
or indirect dependencies require extra consideration because it’s not immediately obvious
that they’re being used in an application. Dependencies become nested inside other
dependencies, forming a complex dependency tree, which makes it easy to miss when your
application uses a library with vulnerabilities.
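As an added example (not from the course material), the following Python walks a constructed dependency tree: it produces the baseline inventory of every package reached from the direct dependencies and reports each chain that ends in a version listed in a constructed advisory feed, so a vulnerable transitive package is traced back to the direct dependency that pulls it in. All package names, versions and advisories are invented for the example.

```python
from collections import deque

# Constructed sample, not a real project: the direct dependencies the application's
# own code imports, each pinned to a version.
DIRECT = {"webapp-core": "2.1.0", "report-gen": "1.4.2"}

# Transitive edges: (name, version) -> the packages that release pulls in.
EDGES = {
    ("webapp-core", "2.1.0"): {"json-parse": "3.0.1", "http-client": "5.2.0"},
    ("report-gen", "1.4.2"): {"http-client": "5.2.0", "img-lib": "0.9.3"},
    ("http-client", "5.2.0"): {"json-parse": "3.0.1"},
    ("img-lib", "0.9.3"): {},
    ("json-parse", "3.0.1"): {},
}

# Constructed advisory feed: package -> versions with a known vulnerability.
ADVISORIES = {"json-parse": {"3.0.1"}, "img-lib": {"0.9.3"}}

def inventory(direct, edges):
    """Baseline inventory: every (name, version) reachable from the direct set.
    A package pulled in by several parents is listed once."""
    seen = set()
    queue = deque(direct.items())
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(edges.get(node, {}).items())
    return seen

def vulnerable_paths(direct, edges, advisories):
    """Every chain root -> ... -> vulnerable package, so the direct dependency
    that has to be upgraded (or patched upstream) is visible for each hit."""
    paths = []

    def walk(node, chain):
        label = f"{node[0]}@{node[1]}"
        if label in chain:          # guard against cyclic dependency graphs
            return
        chain = chain + [label]
        if node[1] in advisories.get(node[0], set()):
            paths.append(" -> ".join(chain))
        for child in edges.get(node, {}).items():
            walk(child, chain)

    for root in direct.items():
        walk(root, [])
    return sorted(paths)
```

Note that json-parse appears only once in the inventory but in three separate chains, which is why a flat package list alone does not tell you which direct dependency to upgrade.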
How to secure your software dependencies
 Software dependencies play a key role in modern software development. They enable developers
to reuse code others have written, allowing for faster delivery and shorter cycle times. As a result,
their use has exploded, but they introduce risks and vulnerabilities that organizations often
underestimate.
 Open source dependencies are a particular area of concern. The majority of dependencies modern
developers use are open source, which means production software relies on external contributors
to write, update, and maintain these dependencies.
 Comprehensive monitoring of dependencies is therefore critical, but it’s hard to monitor every
dependency an application uses — particularly transitive dependencies.
 Snyk Open Source is an SCA tool that automatically detects and monitors dependencies throughout
the development lifecycle. Unlike other solutions, Snyk takes a developer-first approach and
enlists developers as active participants in application security.

Wire security scanning into Jenkins, Code Pipeline, and Azure DevOps workflows:
Wire security scanning into Jenkins:

What is Jenkins?
 Jenkins is an open source automation tool written in Java programming language that allows
continuous integration.
 Jenkins continuously builds and tests our software projects, making it easier for developers
to integrate changes to the project and for users to obtain a fresh build.
 It also allows us to continuously deliver our software by integrating with a large number of testing
and deployment technologies.
 Jenkins achieves CI (Continuous Integration) with the help of plugins. Plugins are used to allow the
integration of various DevOps stages. If you want to integrate a particular tool, you have to install
the plugins for that tool. For example: Maven 2 Project, Git, HTML Publisher, Amazon EC2, etc.
 For example, if an organization is developing a project, Jenkins will continuously test the
project's builds and show the errors in the early stages of development.
 Possible steps executed by Jenkins are, for example:
 Perform a software build using a build system like Gradle or Apache Maven
 Execute a shell script
 Archive a build result
 Run software tests
Work Flow:

In Jenkins you have the ability to set up users and their relevant permissions on the Jenkins instance. By
default you will not want everyone to be able to define jobs or perform other administrative tasks in Jenkins, so
Jenkins has the ability to have a security configuration in place.
To configure Security in Jenkins, follow the steps given below.
Step 1 − Click on Manage Jenkins and choose the ‘Configure Global Security’ option


Step 2 − Click on the Enable Security option. As an example, let’s assume that we want Jenkins to maintain
its own database of users, so in the Security Realm, choose the option ‘Jenkins’ own user database’.
By default you would want a central administrator to define users in the system, hence ensure the ‘Allow
users to sign up’ option is unselected. You can leave the rest as it is for now and click the Save button.

Step 3 − You will be prompted to add your first user. As an example, we are setting up an admin user for
the system.


Step 4 − It’s now time to set up your users in the system. Now when you go to Manage Jenkins and scroll
down, you will see a ‘Manage Users’ option. Click this option.

Step 5 − Just like you defined your admin user, start creating other users for the system. As an example,
we are just creating another user called ‘user’.

Step 6 − Now it’s time to set up your authorizations, basically who has access to what. Go to Manage
Jenkins → Configure Global Security.
Now in the Authorization section, click on ‘Matrix based security’.

Step 7 − If you don’t see the user in the user group list, enter the user name and add it to the list. Then
give the appropriate permissions to the user.
Click on the Save button once you have defined the relevant authorizations.
Your Jenkins security is now set up.

Best Security Practices for CI/CD Pipeline
DevOps comes with its own set of security risks, so it’s important to have a set of best practices in
place. These include:
 Employ one-time passwords for your more sensitive systems and tools
 Use password managers and rotate your passwords after every use
 Take out all hardcoded secrets from CI/CD config files and Jenkins files
 Make sure secrets aren’t accidentally passed along during builds for pull requests occurring in the CI/CD
pipeline
 Follow the practice of least privilege. This means giving access only to the requisite secrets, nothing
beyond that. This practice applies to applications, employee access, systems, and connected devices
that require permissions or privileges to perform certain tasks.
 Use authentication measures to confirm machine identity
 Keep track of who has access to what resources. Create a clear repository of access management,
regardless of whether it’s task-based, time-based, or role-based.
 Distribute secrets among Jenkinsfiles to reduce the risk of attacks on the files
 Scan scripted builds and regularly monitor source code for vulnerabilities before deploying an app into
production
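The points above about removing hardcoded secrets from CI/CD config files and Jenkinsfiles can be enforced as an automated check in the pipeline itself. This added Python example (not part of the course material) scans a constructed CI configuration for literal values assigned to secret-like variables and for one recognisable token format, while allowing references that resolve from a credential store at run time; the variable-name list, the sample file and the regular expressions are assumptions for the example, and a dedicated secret scanner remains the right tool for real repositories.

```python
import re

# A variable whose name looks secret-like, assigned a literal value. The name list
# is an assumption for this example; extend it for your own naming conventions.
SECRET_ASSIGN = re.compile(
    r"(?i)(?P<name>\w*(?:password|passwd|secret|token|api[_-]?key|access[_-]?key)\w*)"
    r"\s*[:=]+\s*['\"]?(?P<value>[^\s'\"]{6,})")
# Token with a recognisable format: AWS access key id prefix.
KNOWN_TOKEN = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# A value fetched from a credential store or variable at run time, not a literal.
SAFE_REFERENCE = re.compile(r"credentials\(|\$\{|\$\(|\benv\.")

# Constructed sample: a Jenkinsfile environment block followed by Azure Pipelines
# variables. The AWS key id is AWS's documented example value, not a live key.
SAMPLE_CI_CONFIG = """\
pipeline {
  environment {
    DB_PASSWORD = 'Sup3rS3cretPass'
    API_TOKEN   = credentials('prod-api-token')
    AWS_KEY     = "AKIAIOSFODNN7EXAMPLE"
  }
}
variables:
  deployPassword: $(DeployPassword)
  buildConfiguration: Release
"""

def find_hardcoded_secrets(text):
    """Return (line_number, reason) for each line that embeds a literal secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if SAFE_REFERENCE.search(line):
            continue  # resolved from the credential store, nothing is hardcoded
        match = SECRET_ASSIGN.search(line)
        if match:
            findings.append((lineno, f"literal assigned to {match.group('name')}"))
        elif KNOWN_TOKEN.search(line):
            findings.append((lineno, "AWS access key id pattern"))
    return findings

def secret_gate_passes(text):
    """Pipeline gate: True only when no hardcoded secret was found."""
    return not find_hardcoded_secrets(text)
```

Run as a build step, a False result from secret_gate_passes should fail the build before the configuration is merged or executed.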

Azure DevOps workflows:

 Azure DevOps supports a collaborative culture and set of processes that bring together developers,
project managers, and contributors to develop software. It allows organizations to create and
improve products at a faster pace than they can with traditional software development approaches.
 Azure DevOps Services supports integration with GitHub.com and GitHub Enterprise Server
repositories. Choose Azure DevOps Services when you want the following outcomes:

 Quick set-up
 Maintenance-free operations
 Easy collaboration across domains
 Elastic scale
 Rock-solid security
