Bonjour, Habr! Je suis consultant en sécurité de l'information chez Swordfish Security pour créer des DevOps sécurisés pour nos clients. Je suis la tendance de développement des entreprises vers DevSecOps dans le monde, j'essaye de diffuser les pratiques les plus intéressantes à la communauté russophone et d'aider à construire ce processus avec notre équipe avec les clients. Au cours des 2 dernières années, DevSecOps a attiré de plus en plus d'attention. Les nouveaux outils n'ont pas le temps de faire partie d'un ensemble de pratiques en croissance rapide, ce qui m'a donné envie de mettre une sorte de point de contrôle sous la forme d'une liste d'outils. Le point de départ était la publication de l' articlecollègues de Mail.ru, où une section sur la sécurité Kubernetes a été mise en évidence séparément. J'ai décidé d'élargir cette liste pour couvrir d'autres étapes du cycle de vie du SDLC et fournir quelques nouveaux outils.
Pratiquer signifie un ensemble de mesures qui peuvent être intégrées dans l'une des étapes de SDLC / DevOps (modélisation des menaces, SAST, DAST, SCA, analyse d'image Docker, analyse Kubernetes, AWS Audit, etc.).
Table des matières
Dev
Modélisation des menaces
Secure Development Lifecycle . , . , backlog. , , DevSecOps “Shift security to the left”.
IT-, . open-source , .
OWASP Threat Dragon
. , , STRIDE. , , , . GitHub.
Pytm
Pytm - Python .
Pytm , . .
Materialize threats tool
Materialize-threats - Python, draw.io , SQL . Gherkin.
open-source , , Enterpise- Irius Risks.
:
.drawio, data flow
, Rapid Threat Model Prototyping methodology( readme )
.drawio
materialize.py .drawio
.
open-source :
, , , , :
(SAST):
, . . Open-source , , , - . :
, .
Salus
, , Bandit, Gosec, Brakeman, open-source (Ruby,Node.js, Python,Go). :
# Navigate to the root directory of the project you want to run Salus on
$ cd /path/to/repo
# Run the following line while in the root directory (No edits necessary)
$ docker run --rm -t -v $(pwd):/home/repo coinbase/salusJSON/YAML . GitHub CircleCI.
ShiftLeft Scan
Salus, . , docker (gosec, find-sec-bugs, psalm, bandit, …). Docker terraform, bash, kubernetes .
Python :
$ docker run --rm -e "WORKSPACE=${PWD}" -v "$PWD:/app" shiftleft/sast-scan scan --src /app --type python, IDE.
GitLab SAST
Gitlab DevOps , , open-source SAST, . Gitlab SCA, , fuzzing DevSecOps, Gold-.
LGTM
LGTM - Semmle, GitHub. Semmle CodeQL, GitHub - Satellite.
Semgrep
, . , , AST Data flow, . , :
$ semgrep --config=<path/to/config> path/to/srcsemgrep :
rules:
- id: user-eval
patterns:
- pattern-inside: |
def $F(...):
...
- pattern-either:
- pattern: eval(..., request.$W.get(...), ...)
- pattern: |
$V = request.$W.get(...)
...
eval(..., $V, ...)
- pattern: eval(..., request.$W(...), ...)
- pattern: |
$V = request.$W(...)
...
eval(..., $V, ...)
- pattern: eval(..., request.$W[...], ...)
- pattern: |
$V = request.$W[...]
...
eval(..., $V, ...)Semgrep , ( , semgrep ):
. , open-source , SAST, . CWE , - . , , CWE CVE.
open-source - SCA
, , open-source, . ( , Equifax). , SCA , , .
Dependency Check
Dependency Check - open-source OWASP . , , . , Secure SDLC . Dependency Check , , , , Dependency Track.
# Dependency Check Maven Plugin example
$ mvn org.owasp:dependency-check-maven:checkDependency Track
Dependency Track - OWASP, -, Software bill of materials (SBOM) CycloneDx. Dependency Track BOM, , , NVD. Slack, Microsoft Teams, .
# CycloneDx Maven Plugin example to make SBOM
$ mvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBomSnyk Open-source
Snyk , open-source , SaaS-. (GitHub, Bitbucket), CLI.
snyk npm:
$ npm install -g snyk
$ snyk auth
$ snyk monitorSonatype Open-source
NVD ( ) Sonatype OSS, Sonatype, Nexus IQ. , , Nexus IQ SCA . Sonatype OSS - , Dependency Check Dependency Track. , Sonatype open-source SCA, Sonatype OSS:
Nexus Vulnerability Scanner - Sonatype
AuditJS - JS (NPM, Angular, yarn, bower)
Nancy - Golang
Jake - Conda
Chelsea - Ruby
Cheque - C/C++ (GCC)
Ahab - apt, apk, yum, dnf
Pants - Rust (Cargo)
Sonatype Depshield - GitHub
SCA:
Renovate - White Source
Dependabot - GitHub open-source GitHub
, open-source , , , . , , . , . , .
git-secrets
$ git secrets --scan /path/to/fileGitrob
$ export GITROB_ACCESS_TOKEN=<TOKEN>
$ gitrob <target>Gitleaks
$ gitleaks --repo-path=<path to repo>
$ gitleaks --repo=<url of github>TruffleHog
$ trufflehog [-h] [--json] [--regex] [--rules RULES]
[--entropy DO_ENTROPY] [--since_commit SINCE_COMMIT]
[--max_depth MAX_DEPTH]
git_urlTruffleHog - , , .
GitGuardian
SaaS . on-prem . .
. Password Vault (HashiCorp Vault, conjur, …)
(DAST):
Arachni
open-source , . Docker-, CLI -. , . CWE-.
Docker:
$ docker run -d \
-p 222:22 \
-p 7331:7331 \
-p 9292:9292 \
--name arachni \
arachni/arachni:latest, REST API 7331 json.
OWASP ZAP
open-source , CI/CD. GUI, CLI docker-. .
# OWASP ZAP as a daemon
docker run -p 8090:8090 -i owasp/zap2docker-stable zap.sh -daemon -port 8090 -host 0.0.0.0
# OWASP ZAP runs for 1 minute and then waits for the passive scanning to complete before reporting the results.
docker run -t owasp/zap2docker-weekly zap-baseline.py -t https://www.example.com, . , Arachni 10 , ZAP , , , .
w3af
, (, 2012 (https://xakep.ru/2012/11/09/w3af-pentest/)), docker- CI/CD
, open-source Jenkins AWS, w3af.
docker:
$ git clone https://github.com/andresriancho/w3af.git
$ cd w3af/extras/docker/scripts/
$ sudo ./w3af_console_docker, open-source enterprise, . DAST .
Behaviour Driven Development
Behavioral Driven Development (BDD) ( “ ”)- , Test Driven Development (TDD) (“ ”). , , , , . BDD - Gherkin.
, .
Gauntlt
Guantlt - , Behavioral Driven Development. Arachni, nmap, sslyze, sqlmap Gherkin.
# nmap-simple.attack
Feature: simple nmap attack to check for open ports
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
Scenario: Check standard web ports
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should match /80.tcp\s+open/
Then the output should not match:
"""
25\/tcp\s+open
""", Guantlt “” , .
. Guantlt BDD-Security, OWASP ZAP, Tenable Nessus Scanner.
Docker:
, Docker ( Docker DevOps), Docker- .
.
Clair
CVE . UI , Klar.
$ docker run -d -e POSTGRES_PASSWORD="" -p 5432:5432 postgres:9.6
$ docker run --net=host -d -p 6060-6061:6060-6061 -v $PWD/clair_config:/config quay.io/coreos/clair:latest -config=/config/config.yamlKlar
API Clair.
$ mkdir klar && cd klar && wget https://github.com/optiopay/klar/releases/download/v2.4.0/klar-2.4.0-linux-amd64 -O klar && chmod +x klar
$ CLAIR_ADDR=http: //localhost:6060 CLAIR_THRESHOLD=10 ./klar <docker image>Trivy
Trivy ( Alpine, RedHat (EL), CentOS, Debian GNU, Ubuntu) (Gemfile.lock, Pipfile.lock, composer.lock, package-lock.json, yarn.lock, Cargo.lock) Clair , , .tar Docker .
# Download bin
$ wget https: //github.com/knqyf263/trivy/releases/download/v0.1.3/trivy_0.1.3_Linux-64bit.deb
$ dpkg -i ./trivy_0. 1 .3_Linux-64bit.deb
# Scan image
$ trivy bkimminich/juice-shop
# Scan image in tar
$ trivy -i ./ my_saved_docker_image.tarAnchore
Docker. REST API CLI.
$ anchore-cli --u admin --p foobar image add httpd:latest
$ anchore-cli --u admin --p foobar image vuln httpd:latest allAquaMicroscanner
Aqua Security, Trivy.
$ docker run --rm -it aquasec/microscanner --register <email address>ADD https://get.aquasec.com/microscanner /
RUN chmod +x /microscanner
RUN /microscanner <TOKEN> [--continue-on-failure]. CVE :
Testing docker CVE scanners. Part 1: false negatives and what they mean for your security
Testing Docker CVE Scanners. Part 2: How good is package detection?
Testing docker CVE scanners. Part 2.5 — Exploiting CVE scanners
Testing Docker CVE scanners. Part 3: Test it yourself / Conclusions
Dagda
Dagda , Dependency Check, Retire.js ClamAV .
$ export DAGDA_HOST='127.0.0.1'
$ export DAGDA_PORT=5000
$ python3 dagda.py vuln --init
$ python3 dagda.py check --docker_image jboss/wildflyDocker bench
Docker bench - compliance- , .
CIS Benchmarks Docker.
$ docker run -it --net host --pid host --userns host --cap-add audit_control \
-e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
-v /etc:/etc:ro \
-v /usr/bin/containerd:/usr/bin/containerd:ro \
-v /usr/bin/runc:/usr/bin/runc:ro \
-v /usr/lib/systemd:/usr/lib/systemd:ro \
-v /var/lib:/var/lib:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
--label docker_bench_security \
docker/docker-bench-securityDockle
compliance-, , CIS.
$ docker run --rm goodwithtech/dockle:v${DOCKLE_LATEST} [YOUR_IMAGE_NAME]Ops:
Kubernetes Security
Deploy. Kubernetes, Docker, Kubernetes , Kubernetes .
:
My Arsenal of Cloud Native (Security) Tools by MARCO LANCINI
Kube-bench
( ) Aqua Security. CIS Kubernetes Benchmark Kubernetes ( GKE, EKS and AKS)
:
# Run inside a container
$ docker run --rm --pid=host \
-v $(which kubectl):/usr/bin/kubectl \
-t aquasec/kube-bench:latest <master|node>
# Run in a cluster - on master node
$ kubectl run \
--rm \
-it \
kube-bench-master \
--image=aquasec/kube-bench:latest \
--restart=Never \
--overrides="{ \"apiVersion\": \"v1\", \
\"spec\": { \"hostPID\": true, \
\"nodeSelector\": \
{ \"kubernetes.io/role\": \"master\" }, \
\"tolerations\": [ { \
\"key\": \"node-role.kubernetes.io/master\", \
\"operator\": \"Exists\", \
\"effect\": \"NoSchedule\" }]}}" \
-- master \
--version 1.8
# Run in a cluster - on worker nodes
$ kubectl run \
--rm \
-it \
kube-bench-node \
--image=aquasec/kube-bench:latest \
--restart=Never \
--overrides="{ \"apiVersion\": \"v1\", \
\"spec\": { \"hostPID\": true } }" \
-- node \
--version 1.8Kubernetes Auto Analyzer
, Kube-bench, . Kube-bench Aqua Security.
# Put the config file in a directory and mount it to the /data folder
$ docker run --rm \
-v /data:/data raesene/kube_auto_analyzer \
-c /data/admin.conf -r testdock
# Provide a KUBECONFIG file to identify and authenticate the session
$ kubeautoanalyzer -c <kubeconfig_file_name> -r <report_name> --htmlKube-hunter
Kubernetes. , IP- / Kubernetes.
# Run from docker
$ docker run -it --rm --network host aquasec/kube-hunter
# Run from kubectl
$ kubectl run --rm -it \
kube-hunter \
--image=aquasec/kube-hunter \
--restart=Never \
--overrides="{ \"apiVersion\": \"v1\", \
\"spec\": { \"hostNetwork\": true } }"KubiScan
RBAC- Kubernetes.
, CyberARK.
# Run from MASTER node
$ docker run -it --rm -e CONF_PATH=~/.kube/config -v /:/tmp cyberark/kubiscan [CMD]
# Search for pods with privileged accounts
$ kubiscan -rp
# Show all risky subjects (users, service accounts, groups)
$ kubiscan -rs
# Show all the rules a service account has
$ kubiscan -aars "SANAME" -ns "default" -k "ServiceAccount"
# List service account RoleBindings
$ kubiscan -aarbs "SANAME" -ns "default" -k "ServiceAccount"Krane
, RBAC RBAC RedisGraph. RBAC . Krane CLI, docker- , CI/CD.
Statboard
, Kubernetes CustomResourceDefinitions (CRDs) trivy, kube-bench, kube-hunter. Starboard kubectl- Octant, Kubernetes.
$ starboard find vulnerabilities deployment/nginx --namespace dev
$ starboard get vulnerabilities deployment/nginx \
--namespace dev \
--output yamlKubeaudit
, Kubernetes.
# Run from kubectl (as plugin)
$ kubectl audit allKubesec
Kubernetes .
$ krew install kubesec-scan
$ kubectl kubesec-scan pod <podname>Deepfence Runtime Threat Mapper
Deepfence Runtime Threat Mapper
community- . , , CI/CD , Registry. SIEM, Slack, Jira, Amazon S3 ( ).
Sysdig Falco
run-time Sysdig, .
Vulnerability Management
SAST, DAST, SCA, Docker Kubernetes, . Vulnerability Management . , API - -. AppSec.Hub, , DevSecOps- CI/CD . open-source .
DefectDojo
OWASP. (22+) open-source (ZAP, Trivy, nmap, Dependency Check), enterprise (Veracode, Checkmarx, Twistlock). , API.
Secure code Box
Open-source , (ZAP, NMAP, Nikto, Arachni), docker-compose Kibana Elasticsearch. DefectDojo, , ( issue ). UI. -.
, , one-button-click-solution .
Archery
open-source . Acuntetix, Nessus, Burp, Netsparker, WebInspect. DefectDojo, , ZAP, Burp OpenVAS. , false positive. CI/CD.
vulnerability management:
Public Cloud Security
DevOps (AWS, GCP, Azure, Oracle) on-prem .
, . , , .
AWS-inventor
AWS AWS.
$ python aws_inventory.py
# Select the generated JSON file when prompted
$ firefox gui/dist/index.htmlAws-public-ips
AWS ip-.
# Uses default ~/.aws/credentials
$ aws_public_ips -f json -s apigateway,cloudfront,ec2, \
elasticsearch,elb,elbv2,lightsail,rds,redshift
# With a custom profile
$ AWS_PROFILE=production aws_public_ips ...CloudSploit
compliance- AWS, GCP, Azure, OCI. , CIS PCI DSS.
# Edit the index.js file with your AWS key and secret
# Run a standard scan
$ node index.js
# Run a compliance scan
$ node index.js --compliance=hipaaAWS Security Benchmark
AWS CIS Amazon Web Services Foundations Benchmark 1.1.
$ python aws-cis-foundation-benchmark-checklist.pyS3 Scan
, S3- .
$ python s3scan.py [-f <format>] [-p <profile>]. , AWS Security:
My-arsenal-of-aws-security-tools
G-Scout
, GCP.
# Permissions required on the projects: Viewer, Security Reviewer, Stackdriver Account Viewer
$ python gscout.py --project-id <projectID>ScoutSuite
GCP, AWS, Oracle, Azure.
# GCP example
# Using an user account
$ python Scout.py --provider gcp --user-account --project-id <projectID>
# Using a service account
$ python Scout.py --provider gcp \
--service-account --key-file service_account.json \
--project-id <projectID>?
, , DevOps/SDLC. , . , IaC. , . BSIMM OWASP SAMM.
, .
RASP - , , ( , , .). Container Run-time Security ( Sysdig Falco). RASP -:
IAST - , SAST DAST:
Fuzzing - , , :
IaC Security - :
Cfn Nag - AWS CloudFormation
Checkov - Terraform, AWS CloudFormation Kubernetes
Terrascan - Terraform
Tfsec - Terraform AWS, Azure GCP.
Kubernetes YAML validating:
Compliance-as-code - :
Security Chaos Engineering - , : "" , , , "" . , . - , . Security Chaos Engineering Chaos Engineering , . , , Security Groups, , , VPC, "" . , . :
DevSecOps :
DevSecOps Wine - DevSecOps
CloudSec Wine - Public Cloud Security
UPD.
, Awesome DevSecOps , :