tr00p86/pawnu.github.io

DevSecOps Pipelines

Listed below are some of my personal DevSecOps pipeline projects and their progress.

They are based on my interests and on popular tools used in the industry. I deliberately varied the tooling of each pipeline in order to learn from, and overcome, whatever challenges arose during the process.

  • Python Jenkins Declarative pipeline
  • JAVA AWS cloud-native Pipeline
  • JavaScript Azure-DevOps Pipeline
  • REST-API GCP GoCD Pipeline
  • Android/iOS App Security Pipeline
  • Container/Kubernetes security Pipeline
  • Attack Tree SlackBot
  • Vulnerability Management driven Security Pipeline
  • Tekton K8s native Security Pipeline

More details and screenshots for the completed pipelines follow.

Python Jenkins Declarative pipeline

DevSecOps pipeline for a Python-based project using Jenkins, Ansible, AWS, and open-source security tools and checks.

Toolchain

  • CICD - Jenkins
  • Orchestration - Ansible Playbook
  • SCM - Github
  • Secret check - trufflehog
  • SCA - safety
  • SAST - bandit
  • Container Audit - lynis
  • DAST - nikto for scans, selenium-chrome for grabbing the session cookie
  • Security Audit - lynis
  • WAF - modsecurity, also configured as reverse proxy
  • Environment - AWS

[screenshot: pipeline]

[screenshot: psparch]


JAVA AWS cloud-native Pipeline

DevSecOps pipeline for a Java-based project using AWS DevOps tools, AWS security tools, and some open-source tools.

Toolchain

  • CICD - AWS CodePipeline, AWS CodeBuild, AWS CodeDeploy
  • IDE - AWS Cloud9
  • Secret Check - Talisman as a pre-commit hook, trufflehog for secret checks inside the pipeline
  • SCM - Github
  • Artifact repository - AWS S3
  • SCA - dependency-check
  • SAST - findsecbugs
  • DAST - OWASP ZAP
  • Compliance Scanning - AWS Inspector
  • Threat Detection - AWS GuardDuty
  • Security Advisor - Security Hub
  • WAF - AWS WAF
  • Environment - AWS

[screenshot: AWS_Code_Pipeline]


JavaScript Azure-DevOps Pipeline

DevSecOps pipeline for a React+Docker based project using Azure DevOps (Release Pipeline), Azure security solutions, and some open-source tools.

Toolchain

  • CICD - Azure DevOps, Azure Release Pipeline
  • Secret Check - trufflehog
  • SCM - Github
  • SCA - anchore non-os scans
  • SAST - sonarqube community edition 7.9.2
  • DAST - gauntlt with arachni, nmap, etc.
  • Host security - Azure Security Center including FIM, Qualys vulnerability scans
  • Container security - anchore full scan (os, non-os)
  • Continuous Compliance - Azure Security Center for PCI-DSS, ISO 27001, etc.
  • WAF - Azure Application Gateway with WAF rules
  • DDoS protection - Vnet DDoS setting
  • Azure account protection - Azure Security Center recommendation
  • SIEM & SOAR - Azure Sentinel
  • Environment - Azure Cloud

[screenshot: azure_devops2]


REST-API GCP GoCD Pipeline

DevSecOps pipeline for a Python Flask REST API project using GoCD, Terraform, GCP, and open-source and cloud-native security tools and checks.

Toolchain

  • CICD - Go CD
  • Secret Check - trufflehog
  • SCM - Github
  • SCA - safety
  • SAST - bandit
  • DAST - GCP Web Security Scanner
  • Container security - lynis
  • Compliance - terraform-compliance
  • Environment - GCP

Secret check, SCA, SAST, container security and compliance checks have all been shifted left and run entirely at the code level, i.e. against the source code and the Infrastructure as Code (IaC).

[screenshot: GoCDPipelineView]

[screenshot: GoCDValueStreamMap]


Android/iOS App Security Pipeline

A DevSecOps pipeline for an Android and iOS based project using Jenkins, open-source Android security tools, and the security testing framework MobSF, which performs code/binary analysis, malware analysis, and general and sensitive-information checks on iOS and Android apps.

Toolchain

  • CICD - Jenkins
  • secret-check - trufflehog
  • SAST - findsecbugs
  • Vulnerability Analysis - androbugs
  • Malware Analysis - quark-engine
  • Malicious Behaviour Analysis - androwarn
  • Application Vulnerability Analysis - qark
  • APK composition analysis - APKiD
  • Security Test - MobSF for iOS and Android
  • Environment - GCP

For Android, MobSF also checks certificate strength, obfuscation techniques, anti-reverse-engineering measures, dangerous permissions, etc.

[screenshot: pipeline]

[screenshot: iOSPipeline]


Container/Kubernetes security Pipeline

DevSecOps pipeline for a container-based application deployed to a GCP Kubernetes cluster, using GCP Kubernetes and container services, with security tests performed by open-source container tools.

Toolchain

  • CICD - Jenkins
  • Git Secret Check - trufflehog
  • Container image vulnerability analysis - trivy
  • Container Image malware analysis - clamav
  • Container Image storage - Google Container Registry
  • Kubernetes Engine - Google Kubernetes Engine
  • Kubernetes nodes - Google Container-Optimized OS
  • Kubernetes orchestration - gcloud
  • Kubernetes management - kubectl, helm
  • Kubernetes CIS benchmark - kube-bench
  • Kubernetes penetration test - kube-hunter
  • Kubernetes runtime protection - falco
  • Environment - GCP


Attack Tree SlackBot

A simple bot hosted on an AWS EC2 instance behind a Python Flask API; given a numbered list of attack steps as input, it generates an attack-tree diagram with the graphviz library.

Toolchain

  • ChatOps - Slack
  • Diagram service - Python for code & logic, graphviz library for diagramming
  • Artifact Repository - AWS S3
  • Request API service - Slack Actions
  • Response API server - Python Flask
  • Bot client host - Slack
  • Bot server host - AWS

[screenshot: slackbot]
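To make the numbered-list-to-attack-tree idea concrete, here is an added example (written for this README, not the bot's own code) that parses outline-numbered attack steps and emits Graphviz DOT text; the function names, the orphan-node check and the sample input are all my own assumptions.

```python
"""Numbered attack list -> Graphviz DOT attack tree (hypothetical helper written
for this README, not the bot's own code). Outline numbering ("1", "1.1",
"1.1.2") gives each node's parent; DOT is emitted as text so no graphviz
package is needed: pipe the output to `dot -Tpng` to render it."""
import re

# "1. Goal", "1.1 Step", "1.2.3 Sub-step"; the dot after a bare integer is optional.
LINE_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\.?\s+(.+?)\s*$")

def parse_attack_list(text):
    """Return (node_id, label, parent_id) triples; top-level nodes get parent ''."""
    nodes, seen = [], set()
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        node_id, label = m.group(1), m.group(2)
        parent = node_id.rpartition(".")[0]  # "1.2.3" -> "1.2", "1" -> ""
        if parent and parent not in seen:   # reject orphans such as "1.3" before "1"
            raise ValueError(f"node {node_id} has no parent {parent}")
        seen.add(node_id)
        nodes.append((node_id, label, parent))
    return nodes

def to_dot(nodes, goal="Attacker goal"):
    """Render parsed nodes as a DOT digraph rooted at the attacker's goal."""
    def q(s):  # quote a DOT string literal
        return '"' + s.replace('"', '\\"') + '"'
    lines = ["digraph attack_tree {", "  rankdir=TB;", "  node [shape=box];",
             f"  root [label={q(goal)}, shape=ellipse];"]
    for node_id, label, parent in nodes:
        name = "n" + node_id.replace(".", "_")
        src = "n" + parent.replace(".", "_") if parent else "root"
        lines.append(f"  {name} [label={q(node_id + ' ' + label)}];")
        lines.append(f"  {src} -> {name};")
    lines.append("}")
    return "\n".join(lines)

# Constructed sample input, not taken from the original project.
SAMPLE = """\
1. Read customer records
1.1 Abuse an over-privileged service account
1.2 Exploit the public API
1.2.1 Unpatched dependency in the API service
2. Disrupt the service
2.1 Exhaust database connections
"""
```

Calling `to_dot(parse_attack_list(SAMPLE), "Compromise the web shop")` returns the DOT source for the tree; a bot would hand that to graphviz for rendering and post the image.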


Vulnerability Management driven Security Pipeline

A vulnerability-manager (DefectDojo) based pipeline for a Python-based project. DefectDojo comes with the OWASP ASVS standard for deriving a security test plan and requirements, integrates vulnerability data from 70+ tools, and offers Slack integration for monitoring.

Toolchain

  • Planning - OWASP ASVS
  • CI/CD - Go CD
  • secret-check - trufflehog
  • SCA - safety
  • SAST - bandit
  • DAST - nikto
  • Container Vulnerability Analysis - trivy
  • Vulnerability Manager - DefectDojo
  • Monitoring - Slack
  • Environment - AWS

[screenshot: gocd_pipeline]


More to follow
