DevOps and Security - DevSecOps

[monperrus]

Wikipedia references:

• https://en.wikipedia.org/wiki/Information_security
• https://en.wikipedia.org/wiki/Information_security_audit
• https://en.wikipedia.org/wiki/Attribute-based_access_control
• https://en.wikipedia.org/wiki/Penetration_test
• https://en.wikipedia.org/wiki/Intrusion_detection_system
• https://en.wikipedia.org/wiki/Runtime_application_self-protection
• https://en.wikipedia.org/wiki/Dynamic_application_security_testing
• https://en.wikipedia.org/wiki/Supply_chain_attack

[monperrus]

Principles:

• Complete Mediation Principle (useful for APIs)
• Least privileged

[monperrus]

Intrusion detection: https://en.wikipedia.org/wiki/Intrusion_detection_system

(signature based, anomaly detection)

[monperrus]

Very good set of pointers: https://www.sqreen.io/checklists/devops-security-checklist

[sbuc]

Mapping security design principles to devops on one axis, mapping security concepts/mechanisms to devops on another.

[lsc]

Dynamic and short lived secrets for authorisation, see for example AWS IAM Roles are implemented or Hashicorp Vault.

[monperrus]

Open Source: Simplifying Serverless Secrets https://open.nytimes.com/open-source-simplifying-serverless-secrets-in-google-cloud-a95451e545b1

[bbaudry]

Vault and kubernetes https://github.com/kelseyhightower/vault-on-google-kubernetes-engine

[monperrus]

CI/CD enables automated program hardening:

Operating system protection through program evolution, Fred Cohen, 1993

[monperrus]

Check your repos... Crypto-coin-stealing code sneaks into fairly popular NPM lib (2m downloads per week) https://www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_stealer/

[monperrus]

7 Tips for Container and Kubernetes Security http://lxer.com/module/newswire/ext_link.php?rid=264809

[gluckzhang]

Microservices Hierarchy of Needs KUBERNETES: AN OVERVIEW (This is a nice introduction to Kubernetes architecture and advantages)

[monperrus]

On The Relation Between Outdated Docker Containers, Severity Vulnerabilities and Bugs. http://arxiv.org/abs/1811.12874

[bbaudry]

Reproducible builds https://reproducible-builds.org/

[monperrus]

added wikipedia references in the top post of this thread.

[monperrus]

Security standards: NIST800 53, ISO27000

[monperrus]

Super Secret Dynamic Secrets with Vault https://tech.gogoair.com/super-secret-dynamic-secrets-with-vault-cf6f29fefc8f

[monperrus]

Vault http://vaultproject.io

[monperrus]

InSpec https://www.inspec.io

[monperrus]

On the Relation between Outdated Docker Containers, Severity Vulnerabilities, and Bugs. https://arxiv.org/pdf/1811.12874

[monperrus]

On the Impact of Outdated and Vulnerable Javascript Packages in Docker Images. https://ieeexplore.ieee.org/abstract/document/8667984/

[monperrus]

Kubernetes security: 5 mistakes to avoid https://enterprisersproject.com/article/2019/5/kubernetes-security-5-mistakes

[bbaudry]

security for containers https://github.com/coreos/clair

[gluckzhang]

Two interesting papers on container security / vulnerabilities analysis:

• ConPan: a tool to analyze packages in software containers. MSR 2019: 592-596
• On the Relation between Outdated Docker Containers, Severity Vulnerabilities, and Bugs. SANER 2019: 491-501

[monperrus]

The Three Rs of Enterprise Security: Rotate, Repave, and Repair https://builttoadapt.io/the-three-r-s-of-enterprise-security-rotate-repave-and-repair-f64f6d6ba29d

[bbaudry]

A framework to secure the integrity of software supply chains https://in-toto.io/ https://github.com/in-toto/in-toto/

[bbaudry]

DoD Enterprise DevSecOps Reference Design

[monperrus]

Attack graph generation for microservice architecture https://www.researchgate.net/profile/Amjad_Ibrahim/publication/332814067_Attack_graph_generation_for_microservice_architecture/links/5ccd8a30299bf14d9576f2f5/Attack-graph-generation-for-microservice-architecture.pdf

[bbaudry]

Everything You Ever Wanted To Know About Test-Case Reduction, But Didn’t Know to Ask https://blog.trailofbits.com/2019/11/11/test-case-reduction/

[bbaudry]

Netflix's repulsive grizzly for Application Layer DoS Testing https://github.com/netflix-skunkworks/repulsive-grizzly

[matsskoglunds]

OWASP https://www.owasp.org/

JFrog Xray is an application security SCA tool that integrates security directly into your DevOps workflows, https://jfrog.com/xray/

[bbaudry]

What DevOps Means for Risk Management https://cloudacademy.com/blog/what-devops-means-for-risk-management/

[rarkins]

Open Source Security: https://www.whitesourcesoftware.com/open-source-security/ The Next Generation of DevOps Adds Security into the Blend: https://resources.whitesourcesoftware.com/blog-whitesource/next-generation-devops

[monperrus]

Hacking into Google's Network for $133,337 (keywords: Remote Code Execution / Google Cloud Deployment Manager ) https://www.ezequiel.tech/2020/05/rce-in-cloud-dm.html

[monperrus]

Nist DevSecOps Documents https://csrc.nist.gov/Projects/devsecops/publications

• Zero Trust Architecture
• Building Secure Microservices-based Applications Using Service-Mesh Architecture
• Hardware-Enabled Security for Server Platforms: Enabling a Layered Approach to Platform Security for Cloud and Edge Computing Use Cases
• Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF)
• Developing Cyber Resilient Systems: A Systems Security Engineering Approach
• Security Strategies for Microservices-based Application Systems
• Security Recommendations for Server-based Hypervisor Platforms
• Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
• Application Container Security Guide
• Secure Virtual Network Configuration for Virtual Machine (VM) Protection
• Guide to Enterprise Patch Management Technologies
• Guide to Security for Full Virtualization Technologies

[rarkins]

FACT SHEET: President Signs Executive Order Charting New Course to Improve the Nation’s Cybersecurity and Protect Federal Government Networks

[monperrus]

The Linux Foundation created Sigstore to provide free certificates and tools to automate and verify signatures of software components, to defend software supply chain attacks. http://sigstore.dev

[mrbgco]

An overview of the DevSecOps world.

[monperrus]

The Dance Dance Authentication Scheme https://m.youtube.com/watch?v=VgC4b9K-gYU

[bbaudry]

Software of unknown pedigree https://en.wikipedia.org/wiki/Software_of_unknown_pedigree

[monperrus]

Mozilla Sops: Simple and flexible tool for managing secrets, encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP. https://github.com/mozilla/sops

[bbaudry]

Monitoring the Software Supply Chain with Azure Sentinel https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463

[monperrus]

Lacework is a startup company doing:

• Cloud security for SMBs and startups
• Container Security,
  • Infrastructure as Code Security

https://www.lacework.com

[bbaudry]

Securing your software supply chain, by Github https://docs.github.com/en/code-security/supply-chain-security

[monperrus]

Open Source Security Foundation https://openssf.org/

[bbaudry]

OWASP ZAP zed attack proxy https://www.zaproxy.org/

[monperrus]

FYI, added https://en.wikipedia.org/wiki/Dynamic_application_security_testing to the reference list of wikipedia pages at the top.

[monperrus]

Vuln4Real: A Methodology for Counting Actually Vulnerable Dependencies IEEE TSE 2022

[bbaudry]

signing, verifying and protecting software https://www.sigstore.dev/

[bbaudry]

It’s Time to Get Hip to the SBOM https://jfrog.com/blog/its-time-to-get-hip-to-the-sbom/

[bbaudry]

Software Supply Chain Best Practices - Linux Foundation