Lab - Secure Development

Authors: Alfredo Matos

Slides

Download here

Introduction

Secure development practices are essential for building software resilient against threats and vulnerabilities. Software security starts with writing secure code, but entails other key pratices such as managing code storage, handling dependencies, and proactively identifying vulnerabilities. By integrating security considerations into every phase of the software development lifecycle (SDLC), developers can reduce risks and minimize the cost of fixing problems.

One clear way to do this is to incorporate a set of security tools into our software development pipeline (how we go from source code to deployment). OWASP DevSecOps Guideline explains how we can implement a secure pipeline, using best practices and tools that help us making more secure code.

In today’s session will take these ideas and look at 3 relevant topics be looking at three major areas:

  • Source Code Management (SCM): how you handle git and some of the usual problems that arise, such as credential management, secrets, and passwords.
  • Dependencies: how you manage the libraries that are used for development
  • Code Analysis: how to analyze existing code for vulnerabilities and potential problems

We’ll be following closely a security workshop previously ran at UA, “(in)secure git workshop” to go through these topics. This workshop uses GIT to help you navigate along several key security aspects of the software development process, building steps in a potential pipeline.

(in)secure git workshop

The workshop is available on a git repository. Each step is configure as a branch, so you will have to issue git checkouts. You should fork the repository to ensure that you can push to the repository, as certain tests are ran on commit hooks.

You’ll start on the setup stage, which is the start branch. The main branch shows you a quick introduction to the workshop. Then you’ll proceed to the start branch, and then step1 through step5.

main > start > step\[1,2,3,4,5,6,(7,8,9)\] > the-end

Overview

The workshop is loosely organization into the areas highlighted below:

  1. Secrets (git ignore, prec-commits with Talisman | audit_trufflehog)
  2. Dependencies (dependabot)
  3. Static Analysis (Sonar)
  4. Dynamic Analysis (OWASP ZAP)
  5. Container Scanning (grype)

Relevant tools in the different steps:

  1. Git ignore

  2. pre-commit hooks (secret detection with Talisman | audit_trufflehog)

  3. dependabot (dependencies)

  4. Sonar (static analysis)

  5. OWASP ZAP (dynamic analysis)

  6. grype (container scanning)

  7. Commits with secrets

  8. Container with secret

  9. Information leeks

Source Code Management

Source Code Management (SCM) plays an important role in secure development by ensuring the integrity, traceability, and accountability of changes made to software. Using tools like Git, developers enforce best practices such as access controls, branch protections, and signed commits to authenticate changes. Incorporating automated security tests into CI/CD pipelines ensures that every change is vetted for vulnerabilities before it is merged, minimizing the risk of introducing insecure code. Additionally, keeping sensitive projects in private repositories helps safeguard intellectual property and sensitive data. On the workshop you’ll be looking at SCM from the secrets perspective, how to detect them early, and preventing them from reaching the repository.

This will happen in steps 1 and 2.

Dependencies

Dependency management is an increasingly critical aspect of secure development. Applications rely on third-party libraries, which can introduce vulnerabilities. Developers must carefully select external dependencies, use tools to lock versions, and regularly scan for known vulnerabilities to prevent supply chain attacks. Ensuring dependencies are sourced from reputable providers and keeping them up to date with security patches further mitigates risks. On the workshop we’ll be looking at ensuring dependencies have no known vulnerabilities, and updating them if required. This will happend in step 3.

Code Analysis

Code analysis attemps to uncover vulnerabilities to address them early in the development process. Static Application Security Testing (SAST) tools analyze source code to find common issues like input validation errors, while Dynamic Application Security Testing (DAST) tools test running applications for runtime vulnerabilities.

Integrating such tools into the development process, can enhance the developers’ capability for identifying and fixing security flaws continously. We’ll look at both static (step 4) and dynamic (step 5) dynamic analysis.

Additional exercises

There are optional branches with exercises on what to do when something happens that escaped our control, either through not identify and addressing the threat, or by malpractice. On steps 7 through 9, you’ll find individual markdown files establishing the scenario and consideration points for the following scenariuos:

  • Commits with secrets (git)
  • Containers with secrets (docker)
  • Information leeks (gitbleed).

Run through them. They’re fun.

Getting Started

Head over to https://github.com/arainho/secure-git-workshop.git, fork the repository and then clone the forked repository to get started.

Acknowledgemnts

The workshop was developed by André Rainho.

Previous
Next

Last updated on 21 Nov 2024