From threat modeling to AWS security: 50+ open-source tools for building DevOps security

Hello, Habr! I am an information security consultant at Swordfish Security, building secure DevOps for our clients. I follow how companies around the world are moving toward DevSecOps, try to bring the most interesting practices to the Russian-speaking community, and help our team build this process with clients. Over the past two years DevSecOps has been getting more and more attention. New tools appear faster than they can become part of the rapidly growing set of practices, which made me want to set down a checkpoint in the form of a tool list. The starting point was an article by colleagues at Mail.ru that had a separate section on Kubernetes security. I decided to extend that list to cover the other stages of the SDLC and add a few new tools.

By a practice I mean a set of measures that can be integrated into one of the SDLC/DevOps stages (threat modeling, SAST, DAST, SCA, Docker image scanning, Kubernetes scanning, AWS audit, and so on).


One view of the DevSecOps practices. Source: https://holisticsecurity.io/2020/02/10/security-along-the-container-based-sdlc

Dev

Threat modeling

Threat modeling is the first stage of the Secure Development Lifecycle: the risks and attack vectors are identified before code is written, and the resulting threats go into the backlog as security requirements. This is the most literal form of the DevSecOps principle "shift security to the left".

Most threat-modeling tooling used in IT is commercial; the open-source tools worth knowing are listed below.

OWASP Threat Dragon

A diagramming tool for threat modeling based on the STRIDE methodology. It is available as a web application and as a desktop application; both are open source and developed on GitHub.

Example Threat Dragon diagram

Pytm

Pytm is a Python framework for threat modeling as code.

The model (elements, trust boundaries, dataflows) is written as Python; pytm then generates a data-flow diagram, a sequence diagram and a threat report from it.

Pytm output rendered as a diagram

Materialize threats tool

Materialize-threats is a Python tool that takes a data-flow diagram drawn in draw.io, loads it into a SQL database and generates the threats as Gherkin feature files.

Among the open-source tools it is the closest in approach to the enterprise product IriusRisk, which also derives threats automatically from an architecture model.

How it works:

  1. Draw the architecture in draw.io as a data-flow diagram (.drawio).

  2. Mark it up following the Rapid Threat Model Prototyping methodology (see the readme).

  3. Save the .drawio file.

  4. Run materialize.py on the .drawio file.

  5. Get the generated Gherkin feature files with the threats.

Sample architecture in draw.io as input for the Materialize threats tool
Output of the Materialize threats tool
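What materialize-threats and pytm do under the hood is apply rules to a data-flow model. As an added illustration, not the code of either project, here is a minimal version of that rule engine in plain Python: elements sit in trust boundaries, dataflows connect them, and STRIDE threats are derived from which boundaries a flow crosses and which protections it carries. The model, its elements and the rule set are all constructed for this example and are much smaller than pytm's real rule library.

```python
from dataclasses import dataclass


@dataclass(eq=False)
class Boundary:
    name: str


@dataclass(eq=False)
class Element:
    name: str
    boundary: Boundary
    is_datastore: bool = False
    validates_input: bool = False
    logs_requests: bool = False


@dataclass(eq=False)
class Dataflow:
    source: Element
    sink: Element
    name: str
    encrypted: bool = False
    authenticated: bool = False


def crosses_boundary(flow):
    """A flow between different trust boundaries is the interesting case."""
    return flow.source.boundary is not flow.sink.boundary


def find_threats(flows):
    """Apply a small STRIDE rule set; returns (flow name, STRIDE letter, description)."""
    threats = []
    for f in flows:
        if crosses_boundary(f):
            if not f.encrypted:
                threats.append((f.name, "I", "data crosses a trust boundary in clear text"))
                threats.append((f.name, "T", "unencrypted cross-boundary flow can be modified in transit"))
            if not f.authenticated:
                threats.append((f.name, "S", f"{f.sink.name} cannot verify who sent the request"))
        if f.sink.is_datastore and not f.source.validates_input:
            threats.append((f.name, "T", f"{f.source.name} writes unvalidated input into {f.sink.name}"))
        if not f.sink.logs_requests:
            threats.append((f.name, "R", f"{f.sink.name} keeps no audit log of this flow"))
    return threats


def example_model():
    """Constructed three-tier model: browser -> web app in a DMZ -> database inside."""
    internet = Boundary("Internet")
    dmz = Boundary("DMZ")
    internal = Boundary("Internal network")
    user = Element("Browser", internet)
    web = Element("Web app", dmz, validates_input=False, logs_requests=True)
    db = Element("Orders DB", internal, is_datastore=True, logs_requests=False)
    flows = [
        Dataflow(user, web, "HTTP login", encrypted=False, authenticated=False),
        Dataflow(web, db, "SQL insert order", encrypted=True, authenticated=True),
    ]
    return find_threats(flows)


if __name__ == "__main__":
    for flow, letter, why in example_model():
        print(f"[{letter}] {flow}: {why}")
```

The point of writing the model as code is the same as with pytm: the threat list is regenerated on every change to the architecture, so it can live in the repository next to the code and be reviewed in pull requests.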


Static analysis (SAST)

SAST analyzes the source code (or bytecode) of an application without running it. Open-source SAST tools are usually narrower than commercial ones: each covers one language or a limited rule set, so in practice several are combined in a pipeline. A few of them:

Salus

Salus, from Coinbase, is a wrapper that runs several open-source scanners (Bandit, Gosec, Brakeman and others) for Ruby, Node.js, Python and Go in a single container. Usage:

# Navigate to the root directory of the project you want to run Salus on
$ cd /path/to/repo

# Run the following line while in the root directory (No edits necessary)
$ docker run --rm -t -v $(pwd):/home/repo coinbase/salus

Salus is configured with YAML and reports in JSON; the project has integration examples for GitHub and CircleCI.

ShiftLeft Scan

Like Salus, ShiftLeft Scan packages a set of open-source analyzers (gosec, find-sec-bugs, psalm, bandit, ...) into one Docker image, and in addition to source code it scans Dockerfiles, Terraform, bash and Kubernetes manifests.

Scanning a Python project:

$ docker run --rm -e "WORKSPACE=${PWD}" -v "$PWD:/app" shiftleft/sast-scan scan --src /app --type python

There is also an IDE integration.

Example of the VS Code integration for ShiftLeft

GitLab SAST

GitLab ships its own SAST job as part of its DevOps platform; under the hood it runs a set of open-source analyzers chosen by the detected language. GitLab also offers SCA, container scanning, secret detection and fuzzing for DevSecOps, although some of these capabilities are only available in the Gold tier.

Example of embedding SAST in a GitLab pipeline

LGTM

LGTM is the code-analysis service of Semmle, which is now part of GitHub. Semmle is the creator of CodeQL, and GitHub announced its CodeQL-based code scanning at GitHub Satellite.

Example LGTM report

Semgrep

A fast, lightweight static analyzer. Rules are written in a syntax that looks like the code of the target language; the engine matches them against the AST and performs intra-procedural data-flow analysis, so the rules are far more precise than grep. Running a scan with a rule set:

$ semgrep --config=<path/to/config> path/to/src

An example semgrep rule, which catches user input from a web request reaching eval():

rules:
- id: user-eval
  patterns:
  - pattern-inside: |
      def $F(...):
        ...
  - pattern-either:
    - pattern: eval(..., request.$W.get(...), ...)
    - pattern: |
        $V = request.$W.get(...)
        ...
        eval(..., $V, ...)
    - pattern: eval(..., request.$W(...), ...)
    - pattern: |
        $V = request.$W(...)
        ...
        eval(..., $V, ...)
    - pattern: eval(..., request.$W[...], ...)
    - pattern: |
        $V = request.$W[...]
        ...
        eval(..., $V, ...)

Semgrep also has a hosted version with a searchable rule registry (the screenshot below shows a search in the cloud version of the tool):

Semgrep search result in the cloud version of the tool
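The user-eval rule above matches request data flowing into eval(). As an added example, not from the semgrep project or the original article, the following shows a handler the rule would flag next to a hardened version that parses the expression with the ast module and evaluates only arithmetic nodes. FakeRequest is a constructed stand-in for a Flask/Django request object; its request.args.get(...) call is exactly what the rule's request.$W.get(...) pattern matches.

```python
import ast
import operator


class FakeArgs(dict):
    """Constructed stand-in for request.args (a dict with .get, like Flask's MultiDict)."""

    def get(self, key, default=None):
        return super().get(key, default)


class FakeRequest:
    """Constructed stand-in for a web framework request object."""

    def __init__(self, **params):
        self.args = FakeArgs(params)


def calc_vulnerable(request):
    """What the user-eval rule flags: request.args.get(...) flows straight into eval()."""
    expr = request.args.get("expr", "0")
    return eval(expr)  # arbitrary code execution, e.g. expr="__import__('os').system('id')"


# Allow-list of arithmetic only: no names, calls, attributes, subscripts,
# and no power operator (2**10**10 would be a denial of service).
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
            ast.Mult: operator.mul, ast.Div: operator.truediv}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def _eval_node(node):
    if isinstance(node, ast.Expression):
        return _eval_node(node.body)
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    raise ValueError("disallowed syntax: " + type(node).__name__)


def calc_hardened(request, max_len=200):
    """Same feature without eval(): parse to an AST and walk an allow-list of node types."""
    expr = request.args.get("expr", "0")
    if len(expr) > max_len:
        raise ValueError("expression too long")
    return _eval_node(ast.parse(expr, mode="eval"))


def is_safe_expression(expr):
    """True if the hardened evaluator accepts the expression."""
    try:
        calc_hardened(FakeRequest(expr=expr))
        return True
    except (ValueError, SyntaxError, ZeroDivisionError):
        return False


if __name__ == "__main__":
    print(calc_hardened(FakeRequest(expr="2+3*4")))          # 14
    print(is_safe_expression("__import__('os').getcwd()"))  # False
```

The hardened version contains no eval() call at all, so the rule no longer matches; the variable that held the request value never reaches a dangerous sink. That is the shape of fix semgrep is good at verifying: the finding disappears because the data flow is gone, not because the call was renamed.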

To sum up SAST: the open-source tools cover the basics, but they do not replace a commercial SAST in breadth of languages and depth of analysis. Their findings are typically classified by CWE; note that a CWE describes a class of weakness in code, whereas a CVE identifies a specific vulnerability in a specific product, which is what the SCA tools below work with.

Open-source component analysis (SCA)

Modern applications are assembled largely from open-source components, and a vulnerable dependency is exploited just like a bug in your own code (the Equifax breach through a known Apache Struts vulnerability is the canonical example). SCA tools inventory the dependencies of a project and check them against vulnerability databases.

Dependency Check

Dependency Check is an OWASP open-source tool that identifies the dependencies of a project and checks them for publicly disclosed (CVE) vulnerabilities. It integrates with Maven, Gradle, Jenkins and other build tools, which makes it easy to embed in a Secure SDLC. Dependency Check is a scanner, not a management platform; to track results across projects and over time it is usually paired with Dependency Track.

# Dependency Check Maven Plugin example
$ mvn org.owasp:dependency-check-maven:check
Screenshot of the Dependency Check HTML report

Dependency Track

Dependency Track is an OWASP platform that consumes a Software Bill of Materials (SBOM) in CycloneDX format. It stores the BOM per project, continuously re-checks the components against the NVD and other sources as new vulnerabilities are published, and sends notifications to Slack, Microsoft Teams, email and webhooks.

# CycloneDx Maven Plugin example to make SBOM
$ mvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
Screenshot of the Dependency Track web interface
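What Dependency Track does with a BOM is, at its core, matching each component's package URL and version against a vulnerability feed. As an added example, not Dependency Track's code, here is that matching in Python over a constructed CycloneDX 1.2 JSON document (the shape cyclonedx-maven-plugin produces) and a constructed feed. The EXAMPLE-* identifiers and their version ranges are placeholders, not real advisories; only the Maven coordinates are real.

```python
import json
import re

# Constructed CycloneDX 1.2 SBOM with three Maven components.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.2",
  "components": [
    {"type": "library", "group": "org.apache.struts", "name": "struts2-core",
     "version": "2.3.31", "purl": "pkg:maven/org.apache.struts/struts2-core@2.3.31"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "version": "2.9.10.8", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.8"},
    {"type": "library", "group": "org.slf4j", "name": "slf4j-api",
     "version": "1.7.30", "purl": "pkg:maven/org.slf4j/slf4j-api@1.7.30"}
  ]
}
"""

# Constructed feed: placeholder ids and ranges, NOT real advisories.
# "introduced" is inclusive, "fixed" is exclusive, like OSV-style ranges.
VULN_FEED = [
    {"id": "EXAMPLE-0001", "purl": "pkg:maven/org.apache.struts/struts2-core",
     "introduced": "2.3.5", "fixed": "2.3.32"},
    {"id": "EXAMPLE-0002", "purl": "pkg:maven/org.apache.struts/struts2-core",
     "introduced": "2.5", "fixed": "2.5.11"},
    {"id": "EXAMPLE-0003", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind",
     "introduced": "2.9.0", "fixed": "2.9.10.8"},
]


def version_key(version):
    """'2.9.10.8' -> (2, 9, 10, 8); non-numeric parts sort as 0, so '2.5' < '2.5.1'."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def in_range(version, introduced, fixed):
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def find_vulnerable_components(sbom_text, feed):
    """Return one hit per (component, advisory) pair whose version falls in an affected range."""
    sbom = json.loads(sbom_text)
    hits = []
    for comp in sbom.get("components", []):
        purl, _, version = comp["purl"].partition("@")
        for vuln in feed:
            if vuln["purl"] == purl and in_range(version, vuln["introduced"], vuln["fixed"]):
                hits.append({"component": comp["name"], "version": version,
                             "id": vuln["id"], "fixed_in": vuln["fixed"]})
    return hits


if __name__ == "__main__":
    for hit in find_vulnerable_components(SBOM_JSON, VULN_FEED):
        print(f"{hit['component']} {hit['version']}: {hit['id']} (fixed in {hit['fixed_in']})")
```

Two things the example makes visible that a scanner report hides: matching is by package URL, so a component with the wrong purl silently matches nothing, and version ordering is not string ordering (2.9.10.8 is newer than 2.9.9). Real feeds also carry multiple disjoint ranges per advisory, which is why EXAMPLE-0001 and EXAMPLE-0002 are separate entries here.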

Snyk Open Source

Snyk Open Source checks project dependencies against Snyk's vulnerability database. It is free for open-source projects and delivered as SaaS, with integrations into repositories (GitHub, Bitbucket) and a CLI.

Screenshot of the Snyk Open Source SaaS platform for a Python project

Installing the snyk CLI via npm, authenticating and monitoring a project:

$ npm install -g snyk
$ snyk auth
$ snyk monitor

Sonatype OSS Index

Besides the NVD (the national vulnerability database) there is the Sonatype OSS Index, maintained by Sonatype, the vendor of Nexus IQ. Nexus IQ is one of the leading commercial SCA products, and OSS Index is a free vulnerability database that both Dependency Check and Dependency Track can use as a source. Sonatype also publishes a free scanner built on the same data, the Nexus Vulnerability Scanner:

Screenshot of a Nexus Vulnerability Scanner report

Secret detection

Secrets in source code (passwords, tokens, keys) are a problem on their own: in a public repository they are visible to everyone, and even in a private one anything committed stays in the history and is available to every person and CI system with read access. The tools below scan a repository and its commit history for secrets, using regular expressions for known key formats and entropy analysis for random-looking strings.

git-secrets

git-secrets (from AWS Labs) installs git hooks that reject commits matching configured secret patterns (AWS credentials by default) and can also scan files or history on demand:

$ git secrets --scan /path/to/file

Gitrob

Gitrob searches the public GitHub repositories of an organization or user for files that are likely to contain sensitive data, and needs a GitHub token:

$ export GITROB_ACCESS_TOKEN=<TOKEN>
$ gitrob <target>

Gitleaks

Gitleaks audits a local or remote git repository, including its history, for secrets using regular expressions and entropy:

$ gitleaks --repo-path=<path to repo>
$ gitleaks --repo=<url of github>

A GitHub Action is available as well.

TruffleHog

$ trufflehog [-h] [--json] [--regex] [--rules RULES]
             [--entropy DO_ENTROPY] [--since_commit SINCE_COMMIT]
             [--max_depth MAX_DEPTH]
             git_url

TruffleHog walks the commit history of a repository and reports high-entropy strings and, with --regex, matches of known secret formats.

GitGuardian

A SaaS service for secret detection in repositories; an on-prem version also exists.

Screenshot of GitGuardian

Finding secrets is only half of the job: once found they must be rotated and moved into a password vault (HashiCorp Vault, Conjur, ...), and the scanner kept in the pipeline so they do not come back.
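The scanners above combine two detection methods: regular expressions for known key formats and Shannon entropy for random-looking strings. As an added example, not the code of gitleaks, TruffleHog or git-secrets, here is a minimal scanner in Python that applies both to the added lines of a git diff, which is what a pre-commit or CI check sees. The diff is constructed; the AWS key is the placeholder value from the AWS documentation, and the GitHub token and salt are made-up strings.

```python
import math
import re
from collections import Counter

# Regexes for well-known key formats (the same idea as gitleaks/TruffleHog rule files).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Candidates for the entropy check: long runs of base64 / url-safe characters.
TOKEN_RUN = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; English identifiers stay below this


def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0 for 'aaaa', 1 for 'ab')."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_line(line):
    """Return (type, value) findings for one line: regex matches first, then entropy."""
    findings = []
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(line):
            findings.append((name, m.group(0)))
    known = {value for _, value in findings}
    for m in TOKEN_RUN.finditer(line):
        token = m.group(0)
        if token not in known and shannon_entropy(token) >= ENTROPY_THRESHOLD:
            findings.append(("high_entropy", token))
    return findings


def scan_diff(diff_text):
    """Scan only the lines a diff adds; removed lines, context and headers are ignored."""
    results = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for kind, value in scan_line(line[1:]):
            results.append({"line": lineno, "type": kind, "value": value})
    return results


# Constructed diff. AKIAIOSFODNN7EXAMPLE is the documented AWS placeholder key.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,4 +1,6 @@
-AWS_ACCESS_KEY_ID = "REDACTED"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+GITHUB_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJ012345"
+SESSION_SALT = "x7Gk2pQ9vLm4ZnB8wR3tYh6JcD1sFe0A"
+API_URL = "https://api.example.com/v1/users"
 DEBUG = False
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"line {f['line']}: {f['type']}: {f['value']}")
```

Note the two different failure modes the example exercises: the AWS key has low entropy (3.7 bits per character, mostly capital letters) and is caught only by its prefix regex, while the session salt matches no known format and is caught only by entropy. Real scanners therefore run both, and tune the threshold per character set because base64 and hex strings saturate at different values.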

Dynamic analysis (DAST)

Arachni

An open-source web application scanner. It ships as a Docker image with a CLI and a web interface, and can be driven by a REST API. Findings are classified by CWE.

Arachni web interface

Running from Docker:

$ docker run -d \
    -p 222:22 \
    -p 7331:7331 \
    -p 9292:9292 \
    --name arachni \
    arachni/arachni:latest

After that, scans are launched and results fetched through the REST API on port 7331 as JSON, which is convenient for CI.

OWASP ZAP

The best-known open-source DAST tool, and the one most often embedded in CI/CD. It has a GUI, a CLI and Docker images, including ready-made baseline and full-scan scripts.

# OWASP ZAP as a daemon
docker run -p 8090:8090 -i owasp/zap2docker-stable zap.sh -daemon -port 8090 -host 0.0.0.0
# OWASP ZAP baseline scan: spiders the target for 1 minute, then waits for passive scanning to complete before reporting the results.
docker run -t owasp/zap2docker-weekly zap-baseline.py -t https://www.example.com
OWASP ZAP GUI

ZAP can also be deployed in Kubernetes.

Scanners behave very differently on the same target: in one comparison Arachni finished in about 10 minutes, while ZAP needed considerably longer, and the two found different sets of issues. It is worth running more than one and comparing coverage rather than picking a single tool.

w3af

An older scanner (there is a 2012 write-up at https://xakep.ru/2012/11/09/w3af-pentest/), but it has a Docker image and can be wired into CI/CD.

There are open-source examples of Jenkins pipelines on AWS that run w3af as a stage.

Running from Docker:

$ git clone https://github.com/andresriancho/w3af.git
$ cd w3af/extras/docker/scripts/
$ sudo ./w3af_console_docker
w3af. Source: https://xakep.ru/2012/11/09/w3af-pentest/

Compared with SAST, the gap between open-source and enterprise DAST tools is smaller, and DAST is the practice most commonly found in DevSecOps pipelines.

Behaviour Driven Development

Behaviour Driven Development (BDD) is a development methodology that grew out of Test Driven Development (TDD). Instead of unit tests, the expected behavior of the system is described as human-readable scenarios in a domain language that developers, testers and business people share. The usual language for BDD scenarios is Gherkin.

Security checks can be expressed in exactly the same way.

Gauntlt

Gauntlt is a security testing framework built on BDD. It wraps tools such as Arachni, nmap, sslyze and sqlmap and lets you describe attacks against the application as Gherkin scenarios:

# nmap-simple.attack
Feature: simple nmap attack to check for open ports

  Background:
    Given "nmap" is installed
    And the following profile:
      | name     | value       |
      | hostname | example.com |

  Scenario: Check standard web ports
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should match /80.tcp\s+open/
    Then the output should not match:
      """
      25\/tcp\s+open
      """

Gauntlt "attacks" the application as part of the test run, and a scenario that fails (an unexpected open port, a weak cipher, a successful injection) fails the build.

A similar tool is BDD-Security, which drives OWASP ZAP and the Tenable Nessus scanner from Gherkin scenarios.

Docker image security

Since Docker is the de facto packaging format in DevOps, Docker images need their own checks. Image scanners look at the OS packages and application dependencies inside the image layers and compare them with CVE databases; compliance tools check the image build and the Docker host configuration against best practices.

Clair

Clair (from CoreOS, now Red Hat) statically analyzes the layers of a container image for known CVEs. It runs as a server with a PostgreSQL database and has no UI of its own; the usual command-line client is Klar.

$ docker run -d -e POSTGRES_PASSWORD="" -p 5432:5432 postgres:9.6
$ docker run --net=host -d -p 6060-6061:6060-6061 -v $PWD/clair_config:/config quay.io/coreos/clair:latest -config=/config/config.yaml

Klar

Klar is a simple CLI client for the Clair API: it pulls the image manifest, submits the layers to Clair and fails with a non-zero exit code when the number of vulnerabilities exceeds a threshold.

$ mkdir klar && cd klar && wget https://github.com/optiopay/klar/releases/download/v2.4.0/klar-2.4.0-linux-amd64 -O klar && chmod +x klar
$ CLAIR_ADDR=http://localhost:6060 CLAIR_THRESHOLD=10 ./klar <docker image>

Trivy

Trivy scans both OS packages (Alpine, RedHat (EL), CentOS, Debian GNU, Ubuntu) and application dependencies from lock files (Gemfile.lock, Pipfile.lock, composer.lock, package-lock.json, yarn.lock, Cargo.lock). Unlike Clair it needs no server or database: it is a single binary that scans images from a registry, from the local Docker daemon, or saved as a .tar archive.

# Download bin
$ wget https://github.com/knqyf263/trivy/releases/download/v0.1.3/trivy_0.1.3_Linux-64bit.deb
$ dpkg -i ./trivy_0.1.3_Linux-64bit.deb
# Scan image
$ trivy bkimminich/juice-shop
# Scan image in tar
$ trivy -i ./my_saved_docker_image.tar
Trivy output

Anchore

Anchore Engine is a service for inspecting Docker images and evaluating them against policies (vulnerabilities, Dockerfile checks, secrets). It is driven through a REST API or the CLI.

$ anchore-cli --u admin --p foobar image add httpd:latest
$ anchore-cli --u admin --p foobar image vuln httpd:latest all
Anchore. Source: https://swordfishsecurity.ru/blog/obzor-utilit-bezopasnosti-docker

AquaMicroscanner

A free scanner from Aqua Security, the company behind Trivy. It runs inside the image build: you register once for a token, then add the scanner to the Dockerfile and it fails the build when vulnerabilities are found.

# Register once to obtain a token
$ docker run --rm -it aquasec/microscanner --register <email address>
# Then add to the Dockerfile
ADD https://get.aquasec.com/microscanner /
RUN chmod +x /microscanner
RUN /microscanner <TOKEN> [--continue-on-failure]

The following tools go beyond CVE scanning:

Dagda

Dagda analyzes images for known vulnerabilities as well as trojans, viruses and other malware, combining Dependency Check and Retire.js for dependencies with ClamAV for malware.

$ export DAGDA_HOST='127.0.0.1'
$ export DAGDA_PORT=5000
$ python3 dagda.py vuln --init
$ python3 dagda.py check --docker_image jboss/wildfly

Docker Bench

Docker Bench for Security is a compliance checker for the Docker host and daemon configuration rather than for individual images.

It implements the checks of the CIS Docker Benchmark and runs as a container with the host mounted read-only:

$ docker run -it --net host --pid host --userns host --cap-add audit_control \
      -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
      -v /etc:/etc:ro \
      -v /usr/bin/containerd:/usr/bin/containerd:ro \
      -v /usr/bin/runc:/usr/bin/runc:ro \
      -v /usr/lib/systemd:/usr/lib/systemd:ro \
      -v /var/lib:/var/lib:ro \
      -v /var/run/docker.sock:/var/run/docker.sock:ro \
      --label docker_bench_security \
      docker/docker-bench-security
Docker Bench output

Dockle

Dockle is a compliance linter for images: it checks Dockerfile best practices (no root user, no credentials in environment variables, no setuid binaries, and so on) and parts of the CIS benchmark.

$ docker run --rm goodwithtech/dockle:v${DOCKLE_LATEST} [YOUR_IMAGE_NAME]
Dockle output
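Docker Bench and Dockle check different layers: the host and the built image. The part that can be checked before the image is even built is the Dockerfile. As an added example, not Dockle's code, here is a small Dockerfile linter in Python implementing a few of the same checks (unpinned base image, ADD instead of COPY, credentials in ENV, apt-get without --no-install-recommends, exposed SSH port, missing USER). Both Dockerfiles are constructed, the rule names are illustrative rather than Dockle's checkpoint IDs, and the secret value is the placeholder secret key from the AWS documentation.

```python
import re

SECRET_NAME = re.compile(r"PASSWORD|SECRET|TOKEN|API_KEY|ACCESS_KEY", re.I)

# Constructed Dockerfile with the problems the linter looks for.
BAD_DOCKERFILE = """\
FROM python:latest
ENV AWS_SECRET_ACCESS_KEY=wJalrXU
ADD ./app /app
RUN apt-get update && \\
    apt-get install -y curl
EXPOSE 22
CMD ["python", "/app/main.py"]
"""

# Constructed Dockerfile with the same problems fixed.
GOOD_DOCKERFILE = """\
FROM python:3.9-slim
COPY ./app /app
RUN apt-get update && apt-get install -y --no-install-recommends curl \\
    && rm -rf /var/lib/apt/lists/*
RUN useradd --create-home app
USER app
CMD ["python", "/app/main.py"]
"""


def parse_dockerfile(text):
    """Return [(line, INSTRUCTION, arguments)], joining backslash continuations."""
    out, buf, start = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if start is None:
            start = lineno
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        instr, _, args = " ".join(buf).partition(" ")
        out.append((start, instr.upper(), args.strip()))
        buf, start = [], None
    return out


def image_tag(image_ref):
    """Tag of 'registry:5000/ns/img:tag' is 'tag'; None when no tag is given."""
    last = image_ref.rsplit("/", 1)[-1]
    return last.split(":", 1)[1] if ":" in last else None


def lint(text):
    """Return [(line, rule, message)]; line 0 means the finding concerns the whole file."""
    findings = []
    has_nonroot_user = False
    for lineno, instr, args in parse_dockerfile(text):
        if instr == "FROM":
            ref = [t for t in args.split() if not t.startswith("--")][0]
            if image_tag(ref) in (None, "latest"):
                findings.append((lineno, "unpinned-base-image", "FROM without a fixed tag: builds are not reproducible"))
        elif instr == "ADD":
            findings.append((lineno, "add-instead-of-copy", "ADD fetches URLs and unpacks archives; use COPY"))
        elif instr in ("ENV", "ARG") and SECRET_NAME.search(args):
            findings.append((lineno, "secret-in-env", "credential-looking value is baked into the image"))
        elif instr == "RUN" and "apt-get install" in args and "--no-install-recommends" not in args:
            findings.append((lineno, "apt-recommends", "apt-get install without --no-install-recommends bloats the image"))
        elif instr == "EXPOSE" and "22" in args.split():
            findings.append((lineno, "ssh-exposed", "image exposes port 22 (SSH inside a container)"))
        elif instr == "USER":
            has_nonroot_user = args.split(":")[0] not in ("root", "0")
    if not has_nonroot_user:
        findings.append((0, "runs-as-root", "no USER instruction: processes run as root"))
    return findings


if __name__ == "__main__":
    for lineno, rule, msg in lint(BAD_DOCKERFILE):
        print(f"line {lineno}: {rule}: {msg}")
    print("good:", lint(GOOD_DOCKERFILE))
```

The USER check is evaluated on the last USER instruction because a Dockerfile may switch back to root for an installation step; a real linter must also follow multi-stage builds, where only the final stage matters.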

Ops

Kubernetes Security

The next stage is Deploy. Kubernetes, like Docker, brings its own attack surface: the cluster configuration, RBAC, and the workloads running in it, and needs its own set of tools.

A good starting collection is "My Arsenal of Cloud Native (Security) Tools" by Marco Lancini.

Kube-bench

Kube-bench (from Aqua Security) checks a cluster against the CIS Kubernetes Benchmark, including the managed distributions (GKE, EKS and AKS).

Usage:

# Run inside a container
$ docker run --rm --pid=host                      \
   -v $(which kubectl):/usr/bin/kubectl         \
   -t aquasec/kube-bench:latest <master|node>

# Run in a cluster - on master node
$ kubectl run                                          \
      --rm                                             \
      -it                                              \
      kube-bench-master                                \
      --image=aquasec/kube-bench:latest                \
      --restart=Never                                  \
      --overrides="{ \"apiVersion\": \"v1\",           \
          \"spec\": { \"hostPID\": true,               \
          \"nodeSelector\":                            \
          { \"kubernetes.io/role\": \"master\" },      \
          \"tolerations\": [ {                         \
          \"key\": \"node-role.kubernetes.io/master\", \
          \"operator\": \"Exists\",                    \
          \"effect\": \"NoSchedule\" }]}}"             \
      -- master                                        \
      --version 1.8

# Run in a cluster - on worker nodes
$ kubectl run                                \
      --rm                                   \
      -it                                    \
      kube-bench-node                        \
      --image=aquasec/kube-bench:latest      \
      --restart=Never                        \
      --overrides="{ \"apiVersion\": \"v1\", \
          \"spec\": { \"hostPID\": true } }" \
      -- node                                \
      --version 1.8

Kubernetes Auto Analyzer

Similar in purpose to Kube-bench (CIS-style checks of the cluster), but less actively developed; Kube-bench has Aqua Security behind it.

# Put the config file in a directory and mount it to the /data folder
$ docker run --rm                               \
      -v /data:/data raesene/kube_auto_analyzer \
      -c /data/admin.conf -r testdock

# Provide a KUBECONFIG file to identify and authenticate the session
$ kubeautoanalyzer -c <kubeconfig_file_name> -r <report_name> --html
Kubernetes Auto Analyzer report

Kube-hunter

A penetration-testing tool for Kubernetes (also from Aqua Security): given IP ranges or hostnames it probes the cluster from outside, or from inside a pod, and reports Kubernetes-specific weaknesses such as exposed API endpoints and kubelets.

# Run from docker
$ docker run -it --rm --network host aquasec/kube-hunter

# Run from kubectl
$ kubectl run --rm -it                        \
     kube-hunter                            \
     --image=aquasec/kube-hunter            \
     --restart=Never                        \
     --overrides="{ \"apiVersion\": \"v1\", \
     \"spec\": { \"hostNetwork\": true } }"

KubiScan

KubiScan scans Kubernetes RBAC for risky roles, bindings, subjects and pods (for example service accounts that can create pods or read secrets).

Developed by CyberArk.

# Run from MASTER node
$ docker run -it --rm -e CONF_PATH=~/.kube/config -v /:/tmp cyberark/kubiscan [CMD]

# Search for pods with privileged accounts
$ kubiscan -rp

# Show all risky subjects (users, service accounts, groups)
$ kubiscan -rs

# Show all the rules a service account has
$ kubiscan -aars "SANAME" -ns "default" -k "ServiceAccount"

# List service account RoleBindings
$ kubiscan -aarbs "SANAME" -ns "default" -k "ServiceAccount"

Krane

Krane is a static RBAC analyzer: it loads the cluster's RBAC into RedisGraph, reports risky roles and bindings against a set of rules, and shows the RBAC relationships in a dashboard. Krane runs as a CLI, in Docker, or as a stage in CI/CD.

Krane dashboard

Starboard

Starboard (Aqua Security) stores the results of trivy, kube-bench and kube-hunter inside the cluster as Kubernetes CustomResourceDefinitions (CRDs), so security findings become Kubernetes objects. It works as a kubectl plugin and integrates with Octant, a Kubernetes dashboard.

$ starboard find vulnerabilities deployment/nginx --namespace dev
$ starboard get vulnerabilities deployment/nginx \
  --namespace dev \
  --output yaml
Starboard in Octant

Kubeaudit

Kubeaudit (from Shopify) audits the objects in a cluster for common security misconfigurations: containers running as root, privilege escalation allowed, missing resource limits, writable root filesystems and similar.

# Run from kubectl (as plugin)
$ kubectl audit all

Kubesec

Kubesec assigns a risk score to a Kubernetes manifest based on its securityContext and related settings, so it can be used as a gate before deployment.

$ krew install kubesec-scan
$ kubectl kubesec-scan pod <podname>
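Kubesec and kubeaudit score a manifest on fields of the PodSpec and the container securityContext. As an added example, not the code of either tool, here is a Python audit of those fields over a constructed Deployment, together with a function producing the hardened form of the same manifest. The manifest is given as a dict (what json.load or yaml.safe_load would return) so the example needs no YAML library; the checks and the hardened values are my choices, not kubesec's exact rule set or scoring.

```python
import copy

# Constructed Deployment (the dict json.load/yaml.safe_load would return for the manifest).
RISKY_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "hostPID": True,
        "containers": [{
            "name": "web",
            "image": "nginx:latest",
            "securityContext": {"privileged": True,
                                "capabilities": {"add": ["SYS_ADMIN"]}},
        }],
    }}},
}


def pod_spec(manifest):
    """Locate the PodSpec for a Pod, a CronJob, or any workload with a pod template."""
    kind = manifest["kind"]
    if kind == "Pod":
        return manifest["spec"]
    if kind == "CronJob":
        return manifest["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    return manifest["spec"]["template"]["spec"]


def audit(manifest):
    """Return [(scope, message)] for risky PodSpec / securityContext settings."""
    spec = pod_spec(manifest)
    findings = []
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            findings.append(("pod", key + "=true shares a host namespace with the container"))
    pod_sc = spec.get("securityContext") or {}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c["name"]
        sc = c.get("securityContext") or {}
        eff = {**pod_sc, **sc}  # runAs* settings inherit from the pod level unless overridden
        if sc.get("privileged"):
            findings.append((name, "privileged: full access to host devices"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append((name, "allowPrivilegeEscalation is not false"))
        if not eff.get("runAsNonRoot") and eff.get("runAsUser", 0) == 0:
            findings.append((name, "may run as root: set runAsNonRoot/runAsUser"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append((name, "root filesystem is writable"))
        for cap in (sc.get("capabilities") or {}).get("add", []):
            findings.append((name, "adds capability " + cap))
        if not (c.get("resources") or {}).get("limits"):
            findings.append((name, "no resource limits"))
        image = c.get("image", "")
        if image.endswith(":latest") or ":" not in image.rsplit("/", 1)[-1]:
            findings.append((name, "image tag is not pinned: " + image))
    return findings


def hardened(manifest, pinned_tag="1.19.6", uid=10001):
    """Return a copy with the weak settings replaced by a restrictive securityContext."""
    m = copy.deepcopy(manifest)
    spec = pod_spec(m)
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        spec.pop(key, None)
    for c in spec["containers"]:
        if c["image"].endswith(":latest"):
            c["image"] = c["image"][:-len("latest")] + pinned_tag
        c["securityContext"] = {
            "privileged": False,
            "allowPrivilegeEscalation": False,
            "runAsNonRoot": True,
            "runAsUser": uid,
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]},
        }
        c.setdefault("resources", {}).setdefault("limits", {"cpu": "500m", "memory": "256Mi"})
    return m


if __name__ == "__main__":
    for scope, msg in audit(RISKY_DEPLOYMENT):
        print(f"{scope}: {msg}")
    print("hardened findings:", audit(hardened(RISKY_DEPLOYMENT)))
```

A kubesec-style score is essentially a weighted count of these findings; the useful part for a pipeline is the gate (fail when the score is below a threshold), and readOnlyRootFilesystem is the check most often relaxed deliberately, so expect to maintain an allow-list per workload.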

Deepfence Runtime Threat Mapper

The community edition of Deepfence's platform. It scans running containers, hosts, images in a registry and CI/CD pipelines for vulnerabilities and maps them onto the running infrastructure, and exports findings to a SIEM, Slack, Jira, Amazon S3 (and other destinations).

Deepfence Runtime Threat Mapper dashboard

Sysdig Falco

Falco is the run-time threat detection engine from Sysdig: it watches system calls on the host and in containers and raises alerts when a rule is violated, for example a shell spawned in a container or a write to a sensitive path.

Vulnerability Management

Once SAST, DAST, SCA and Docker/Kubernetes scanning are in place, the volume of findings becomes the problem, and a Vulnerability Management layer is needed: a single place to aggregate results from all scanners, deduplicate and triage them, and push them to the issue tracker, usually through the scanners' APIs. We have our own product for this, AppSec.Hub, which orchestrates the DevSecOps tooling in the CI/CD pipeline. Below are the open-source options.

DefectDojo

An OWASP project. It imports reports from a long list (22+) of open-source scanners (ZAP, Trivy, nmap, Dependency Check) and enterprise products (Veracode, Checkmarx, Twistlock), deduplicates findings across imports, and exposes an API so the import can be automated from the pipeline.

DefectDojo interface

Secure Code Box

An open-source orchestration of scanners (ZAP, NMAP, Nikto, Arachni) run with docker-compose, with results stored in Elasticsearch and shown in Kibana. Unlike DefectDojo it has no finding workflow of its own (no triage, no issue management; results can be pushed to an issue tracker), and no management UI beyond Kibana.

It positions itself as a one-button-click solution for running a set of scanners against an application.

Kibana dashboard of Secure Code Box

Archery

An open-source vulnerability manager. It imports reports from Acunetix, Nessus, Burp, Netsparker and WebInspect, and unlike DefectDojo it can also drive scanners itself: ZAP, Burp and OpenVAS. It supports marking findings as false positives and integrates with CI/CD.

Archery interface


Public Cloud Security

DevOps increasingly runs in public clouds (AWS, GCP, Azure, Oracle) rather than on-prem, and the cloud configuration itself (IAM, network, storage permissions) becomes part of the attack surface.

Most of the tools below audit AWS, as the most widely used provider; a few cover several clouds.

Map of AWS security tools. Source: https://cloudseclist.com/issues/issue-42/

AWS-inventor

Builds an inventory of the resources in an AWS account and shows it in a local web UI; you cannot audit what you do not know you have.

$ python aws_inventory.py
# Select the generated JSON file when prompted
$ firefox gui/dist/index.html
AWS-inventor web interface

aws-public-ips

Lists every public IP address associated with an AWS account across its services, which is the external attack surface to scan.

# Uses default ~/.aws/credentials
$ aws_public_ips -f json -s apigateway,cloudfront,ec2, \
    elasticsearch,elb,elbv2,lightsail,rds,redshift
# With a custom profile
$ AWS_PROFILE=production aws_public_ips ...

CloudSploit

CloudSploit runs security and compliance checks against AWS, GCP, Azure and OCI, with mappings to standards such as CIS, HIPAA and PCI DSS.

# Edit the index.js file with your AWS key and secret
# Run a standard scan
$ node index.js
# Run a compliance scan
$ node index.js --compliance=hipaa

AWS Security Benchmark

A script from AWS Labs that checks an account against the CIS Amazon Web Services Foundations Benchmark 1.1.

$ python aws-cis-foundation-benchmark-checklist.py

S3 Scan

S3 Scan lists all S3 buckets in an account together with their permissions, which is the quickest way to find buckets that are readable or writable by everyone.

$ python s3scan.py [-f <format>] [-p <profile>]
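S3 Scan reports buckets and their permissions; the question behind the report is whether a bucket policy or ACL grants read access to everyone. As an added example, not S3 Scan's code, here is that classification in Python over constructed policy documents and ACL grants (the bucket name, account id, VPC endpoint id and canonical user id are placeholders). It works on the JSON policy structure alone, so it runs offline and can be fed the output of aws s3api get-bucket-policy and get-bucket-acl.

```python
import fnmatch
import json

READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")
PUBLIC_GROUP_URIS = (
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
)

# Constructed policy that makes every object world-readable.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
})
# Same grant restricted to one VPC endpoint: anonymous, but only reachable from inside the VPC.
VPC_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VpcRead", "Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
                   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}],
})
# Locked-down policy: a single role may read.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppRead", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
})
# Constructed ACLs in the shape boto3's get_bucket_acl() returns.
PUBLIC_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": PUBLIC_GROUP_URIS[0]},
                          "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "abc123"},
                           "Permission": "FULL_CONTROL"}]}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def principal_is_everyone(principal):
    """'*' or {"AWS": "*"} means anonymous access; anything else is a specific principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def action_grants_read(actions):
    """IAM actions are case-insensitive and may contain * wildcards (s3:*, s3:Get*)."""
    return any(fnmatch.fnmatchcase(read.lower(), pattern.lower())
               for pattern in _as_list(actions) for read in READ_ACTIONS)


def classify_bucket_policy(policy_text):
    """'public' if anyone can read unconditionally, 'conditional' if only under a
    Condition block, 'private' otherwise."""
    verdict = "private"
    for st in _as_list(json.loads(policy_text).get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if not principal_is_everyone(st.get("Principal")):
            continue
        if not action_grants_read(st.get("Action", [])):
            continue
        if st.get("Condition"):
            verdict = "conditional"
        else:
            return "public"
    return verdict


def acl_is_public(acl):
    """True if an ACL grant gives AllUsers or AuthenticatedUsers read or more."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS
                and grant.get("Permission") in ("READ", "WRITE", "FULL_CONTROL")):
            return True
    return False


if __name__ == "__main__":
    for name, policy in [("public", PUBLIC_POLICY), ("vpc", VPC_ONLY_POLICY), ("private", PRIVATE_POLICY)]:
        print(name, "->", classify_bucket_policy(policy))
    print("acl public:", acl_is_public(PUBLIC_ACL), acl_is_public(PRIVATE_ACL))
```

The example deliberately does not evaluate Deny statements, NotPrincipal/NotAction, or the account's Block Public Access settings, all of which can override an Allow; a "conditional" verdict therefore means "read the Condition", not "safe". AuthenticatedUsers is treated as public because any AWS account in the world qualifies.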

More AWS security tools are collected in the list My-arsenal-of-aws-security-tools.

G-Scout

G-Scout collects the security configuration of GCP projects and reviews it against a set of rules.

# Permissions required on the projects: Viewer, Security Reviewer, Stackdriver Account Viewer
$ python gscout.py --project-id <projectID>

ScoutSuite

ScoutSuite (from NCC Group) is a multi-cloud security audit tool covering GCP, AWS, Oracle and Azure; it pulls the configuration through the provider APIs and produces an offline HTML report.

# GCP example
# Using an user account
$ python Scout.py --provider gcp --user-account --project-id <projectID>
# Using a service account
$ python Scout.py --provider gcp                                     \
                  --service-account --key-file service_account.json  \
                  --project-id <projectID>
ScoutSuite report

What next?

The list above covers the main stages of DevOps/SDLC, but it is not exhaustive, and there are practices it touches only in passing, IaC security among them. To see which practices your own program is missing, compare it against a maturity model such as BSIMM or OWASP SAMM.

Briefly, the practices not covered above:

RASP (Runtime Application Self-Protection) instruments the application itself at run time to detect and block attacks (injections, deserialization, and so on). Its container-level counterpart is Container Run-time Security (for example Sysdig Falco).

IAST (Interactive Application Security Testing) combines SAST and DAST by instrumenting the running application while functional tests or a DAST scanner exercise it.

Fuzzing feeds generated or mutated inputs into a program to find crashes and unexpected behavior.

IaC Security is static analysis of infrastructure-as-code (Terraform, CloudFormation, Kubernetes manifests) before it is applied.

Compliance-as-code expresses compliance requirements as automated, versioned checks that run in the pipeline instead of as periodic manual audits.

Security Chaos Engineering is a newer practice: deliberately introduce security "failures" into a system to check that the controls, monitoring and response work as expected, rather than trusting that they do. Just as Chaos Engineering tests resilience by breaking infrastructure, Security Chaos Engineering does so with security controls: for example, open a port in a Security Group or make an unexpected change in a VPC, and verify that monitoring "catches" it and an alert reaches the right people. The failures that go unnoticed are the findings.

Update: readers also pointed to the Awesome DevSecOps list, which collects tools by stage and is a good complement to this article.



