Secure coding

DevSecOps Tools of the trade

January 17, 2023, by Nitesh Malviya

In the previous post, we walked through the different stages of the DevSecOps pipeline and looked at the security controls introduced at each stage, their necessity, and the security concerns they address.

This post covers the many tools used at the various stages of the pipeline shown below.

Below is the sample pipeline we referred to in the last post.

A diagram of a sample DevSecOps pipeline with descriptive boxes. From left to right: git, Secret Scanning, SCA, SAST, IAC Scanning, Container Scanning, DAST, Infra Scanning, Compliance Check/PaC, checkmark of completion

Let’s run through the various DevSecOps tools that we can use at different stages in the pipeline.


DevSecOps tool categories

A) Pre-push/pre-commit hooks

There have been numerous instances of sensitive information like passwords, AWS keys, access tokens and SSH keys being leaked through public source code repositories because it was committed to git. This can be avoided by using pre-push or pre-commit hooks: such a hook inspects the changes for sensitive information before the commit or push reaches the repository, and rejects it if anything is found.

The following tools can be used:

  1. Truffle Hog - https://github.com/trufflesecurity/trufflehog
  2. Talisman - https://github.com/thoughtworks/talisman
  3. Git Hooks - https://githooks.com/
  4. Git Secrets - https://git-secret.io/
  5. Pre-Commit - https://pre-commit.com/
  6. Git Hound - https://github.com/ezekg/git-hound
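As an added example (not code from the original post or from any of the tools listed above), the following minimal pre-commit hook shows the mechanism the paragraph describes: it reads only the lines that the commit would add and rejects the commit when one of them looks like a secret. The three regular expressions are illustrative assumptions chosen for this example; the dedicated tools in the list ship far larger and better-tuned rule sets.

```shell
#!/bin/sh
# Added example, not code from the original post: a minimal pre-commit hook that
# blocks a commit when the staged changes contain strings that look like secrets.
# Install: copy to .git/hooks/pre-commit in the repository and chmod +x it.
# The three patterns are illustrative assumptions, not a complete secret catalogue.

# AWS access key IDs start with AKIA followed by 16 upper-case alphanumerics.
AWS_KEY_RE='AKIA[0-9A-Z]{16}'
# PEM header of a private key (RSA, EC or OpenSSH).
PRIVATE_KEY_RE='-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----'
# A credential-looking variable assigned a quoted literal of 8+ characters.
# Reading the value from the environment (e.g. os.environ["..."]) does not match.
ASSIGNMENT_RE="(password|passwd|secret|api[_-]?key)[[:space:]]*[:=][[:space:]]*['\"][^'\"]{8,}"

# scan_for_secrets TEXT: report each matching pattern on stderr; return 0 when the
# text is clean and 1 when at least one pattern matched. Matching is
# case-insensitive so that PASSWORD= and Password= are caught as well.
scan_for_secrets() {
    hits=0
    for pattern in "$AWS_KEY_RE" "$PRIVATE_KEY_RE" "$ASSIGNMENT_RE"; do
        if printf '%s\n' "$1" | grep -E -i -q -- "$pattern"; then
            printf 'pre-commit: staged change matches secret pattern: %s\n' "$pattern" >&2
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# staged_added_lines: the lines this commit adds, without the leading '+' and
# without the '+++ b/file' headers. Only new content is checked, so findings
# already in history do not block unrelated commits; a repository secret scanner
# is still needed to cover what is already committed.
staged_added_lines() {
    git diff --cached --unified=0 --no-color \
        | grep -E '^\+' | grep -Ev '^\+\+\+ ' | cut -c2-
}

main() {
    if ! scan_for_secrets "$(staged_added_lines)"; then
        echo 'pre-commit: commit rejected; remove the secret or move it to a secrets manager.' >&2
        exit 1
    fi
}

# Run the scan only when git invokes this file as the pre-commit hook, so the
# functions above can be sourced or tested without a repository.
case "${0##*/}" in
    pre-commit) main ;;
esac
```

Two caveats a practitioner should keep in mind: a client-side hook lives in each developer's clone and can be skipped with `git commit --no-verify`, so it complements rather than replaces the repository-side secret scanning in the next section; and a pattern list this small will both miss secrets that do not fit the patterns and occasionally flag harmless strings, which is why the dedicated tools above maintain curated rule sets and allow-lists.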

B) Secret scanning

The following tools are widely used for scanning the secrets present in the code:

  1. GitLeaks - https://github.com/zricethezav/gitleaks
  2. Whispers - https://github.com/Skyscanner/whispers
  3. Gittyleaks - https://github.com/kootenpv/gittyleaks
  4. Detect-Secrets - https://github.com/Yelp/detect-secrets
  5. SpectralOps - https://spectralops.io/

Apart from the tools above, some of the tools listed under pre-push/pre-commit hooks can also scan repositories for secrets.

C) Secret storage and management

To keep secrets out of the repository altogether, one can store and manage them with the following tools and have the application retrieve them at runtime:

  1. Hashicorp Vault - https://www.vaultproject.io/
  2. AWS Secrets Manager - https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html
  3. Cloud KMS - https://cloud.google.com/security-key-management
  4. Azure Key Vault - https://azure.microsoft.com/en-us/services/key-vault/
  5. Confidant - https://lyft.github.io/confidant/
  6. Keywhiz - https://github.com/square/keywhiz
  7. Knox - https://github.com/pinterest/knox

D) Software composition analysis (SCA)

SCA identifies known vulnerabilities in the open-source software (OSS) components an application depends on. The following tools are widely used:

  1. OWASP Dependency Check - https://owasp.org/www-project-dependency-check/
  2. Sonatype - https://ossindex.sonatype.org/
  3. Snyk - https://snyk.io/
  4. Mend (formerly WhiteSource) - https://www.mend.io/
  5. BlackDuck - https://www.synopsys.com/software-integrity/security-testing/software-composition-analysis.html
  6. Veracode - https://www.veracode.com/products/software-composition-analysis
  7. JFrog Xray - https://jfrog.com/xray/

E) Static application security testing (SAST)

SAST tools analyze the source code itself and help identify vulnerabilities in it, without running the application.

Though many SAST tools are available, the most widely used are:

  1. SonarQube - https://www.sonarqube.org/
  2. Semgrep - https://github.com/returntocorp/semgrep
  3. Snyk - https://snyk.io/product/snyk-code/
  4. CloudDefense - https://www.clouddefense.ai/sast-static-application-security-testing
  5. Fortify - https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer
  6. OWASP ASST - https://owasp.org/ASST/
  7. Veracode - https://www.veracode.com/products/binary-static-analysis-sast

If you are looking for a tool for a specific programming language, this list is a good reference point: https://owasp.org/www-community/Source_Code_Analysis_Tools.

F) Infrastructure as code (IaC) and container scanning

IaC and container scans are performed to catch misconfigurations such as unnecessarily exposed network interfaces, settings that allow privilege escalation, and compliance violations before they reach production.

One can use the following tools for scanning:

  1. Checkov - https://www.checkov.io/
  2. Trivy and tfsec by Aqua - https://www.aquasec.com/cloud-native-academy/devsecops/infrastructure-as-code-iac/
  3. TFLint and Terrafirma - Specifically for Terraform.
  4. Dockle and Dockscan - Specifically for Docker.
  5. Cloudsploit - For CloudFormation.

G) Dynamic application security testing (DAST)

DAST tools test the running application from the outside. The following are prominent tools for performing DAST scans:

  1. OWASP ZAP - https://owasp.org/www-project-zap/
  2. Burp Suite - https://portswigger.net/burp
  3. Acunetix - https://www.acunetix.com/
  4. Qualys - https://www.qualys.com/
  5. Arachni - https://www.arachni-scanner.com/
  6. Nikto - https://www.cirt.net/Nikto2

H) Infrastructure scanning

The following tools can be used for scanning the infrastructure the application runs on:

  1. OpenVAS - http://openvas.org/
  2. Nessus - https://www.tenable.com/products/nessus
  3. Qualys - https://www.qualys.com/

I) Compliance scanning

To verify compliance with regulations such as PCI DSS and HIPAA, organizations can use the following tools:

  1. InSpec - https://www.inspec.io/
  2. Serverspec - https://serverspec.org/
  3. DevSec Hardening Framework - https://dev-sec.io/
  4. Kitchen CI - https://kitchen.ci/

J) Vulnerability management

The following tools can be used to manage and track vulnerabilities discovered in the pipeline:

  1. ArcherySec - https://github.com/archerysec/archerysec
  2. DefectDojo - https://www.defectdojo.org/
  3. Qualys - https://www.qualys.com/apps/vulnerability-management-detection-response/
  4. Rapid7 InsightVM - https://www.rapid7.com/info/introducing-insightvm/


DevSecOps Tools

We have gone through the various tools one can use to integrate security into the DevOps pipeline. Some are open source and others are commercial; selecting the right tool for your budget, environment and setup is paramount.

Nitesh Malviya

Nitesh Malviya is a Security Consultant. He has prior experience in Web Appsec, Mobile Appsec and VAPT. At present he works on IoT, Radio and Cloud Security and is open to exploring various domains of cybersecurity. He can be reached on his personal blog - https://nitmalviya03.wordpress.com/ and LinkedIn - https://www.linkedin.com/in/nitmalviya03/.