GitHub DevOps - Secure Development
Source: My personal note from Microsoft DevOps course
Introduction
- Shock, you’ve been hacked – you don’t even know what to do – you rush to your laptop, power it up, and panic, potentially introducing more risk. But wait, there is a better idea – use GitHub Codespaces and GitHub security to develop securely.
Session agenda:
- Navigating the whole GitHub Codespaces experience.
- Push an insecure app full of vulnerabilities.
- Powerful new GitHub Security features to scan and suggest fixes.
DevSecOps
- DevSecOps = software development and operations (DevOps) and security
- Vulnerability sources:
  - Unchecked dependencies (80-90% of our code)
    - Dependencies can have vulnerabilities, ex. Log4Shell
  - Developer errors
    - Exposed access tokens
    - Unsafe code patterns
  - Environment:
    - There are 570 times more developers than security researchers
    - Higher risks in production
    - Unchecked dependencies (80-90% of our code)
- “Shifting security left”: Develop > Build > Test > Deploy > Breach
  - Shift security processes towards the beginning of the development cycle
- Benefits of DevSecOps:
  - Faster remediation time
  - Integrate with security tools
  - Faster threat identification
- Barriers to DevSecOps:
  - Organization
    - Dev vs. Ops vs. Security as opposed to integrated teams
    - People, skills, knowledge gaps
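Unchecked dependencies are the largest vulnerability source listed above, and a dependency-review step is the usual shift-left control for them. The following is an added example, not the course's material: it parses exact pins from a requirements file and matches them against a small advisory feed using half-open version ranges. The package names, versions, advisory ids and the feed itself are constructed placeholders, not real advisories.

```python
"""Added example (not from the course notes): flag exact-pinned dependencies that
fall inside a vulnerable version range, the way a dependency-review step does.
The advisory feed and requirements file are constructed sample data."""
import re

# Constructed advisory feed: package -> [(introduced, fixed, advisory id)].
# A version is affected when introduced <= version < fixed (half-open range).
ADVISORIES = {
    "acme-logger": [("2.0.0", "2.17.1", "ADV-0001 (placeholder)")],
    "acme-http": [("0.9.0", "1.2.3", "ADV-0002 (placeholder)"),
                  ("1.4.0", "1.4.9", "ADV-0003 (placeholder)")],
}

# Constructed requirements.txt; the unpinned line is deliberately ignored below.
REQUIREMENTS = """\
acme-logger==2.14.1   # affected: inside [2.0.0, 2.17.1)
acme-http==1.4.9      # clean: 1.4.9 is the fixed version itself
acme-crypto==3.0.0    # clean: no advisory
acme-extra>=1.0       # not an exact pin, so not checked
"""


def parse_version(version):
    """'2.14.1' -> (2, 14, 1) so comparisons are numeric ('2.9' < '2.17'), not lexical."""
    return tuple(int(part) for part in version.split("."))


def parse_requirements(text):
    """Return {name: version} for exact '==' pins; comments, blanks and ranges are skipped."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)", line)
        if match:
            pins[match.group(1).lower()] = match.group(2)
    return pins


def affected(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def check_dependencies(requirements_text, advisories=ADVISORIES):
    """Return sorted (package, pinned_version, advisory_id, first_fixed_version) tuples."""
    findings = []
    for name, version in parse_requirements(requirements_text).items():
        for introduced, fixed, advisory_id in advisories.get(name, []):
            if affected(version, introduced, fixed):
                findings.append((name, version, advisory_id, fixed))
    return sorted(findings)


if __name__ == "__main__":
    for name, version, advisory_id, fixed in check_dependencies(REQUIREMENTS):
        print(f"{name}=={version}: {advisory_id}; upgrade to >= {fixed}")
```

Versions are compared as integer tuples rather than strings: a string comparison would wrongly treat 2.9.0 as newer than 2.17.1 and miss the finding. In a real pipeline the advisory feed would come from a service such as the GitHub Advisory Database instead of an inline dictionary.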
Securing Software Development
- Requirements:
  - Shared accountability: developers, security
  - Secure environments
Sample governance
- Central security team
- Industry security research
- Community of practice
Teams cover security testing, research, and development
Secure Environments
GitHub Codespaces
- Advantages:
  - Limit scope of non-trusted repositories
  - Manage trusted resources
  - Isolated environments
- DevOps pipelines
  - Scan for policy compliance
  - Manage trusted and non-trusted pipelines
- Builds:
  - Compilers - signed
  - Build - verified
  - Build machines & infrastructure - least privilege
  - DevOps pipelines - trusted
- Code
  - Repositories must have maintainers
  - Least-privilege access: developers get access only to the specific code they need, not at organization level
- Pipelines
  - Secure machines, endpoint protection
  - Automatically apply IAA policies
  - Multi-factor authentication, just-in-time access
- Monitor developer cloud
  - Automatic detection and response to suspicious activity
  - Alerting
  - Scan for policy issues
Development Lifecycle Security
Pre-commit
- Threat modeling
- IDE security plug-in
- Pre-commit hooks
- Secure coding standards
- Peer review
Commit
- Static code analysis
  - Ex. code scanning
    - Security and vulnerabilities
      - CWEs
      - OWASP Top 10
      - SANS 25
      - Language specific
    - Correctness
      - Code best practices like readability
    - Community
    - Custom
- Security unit tests
  - Ex. penetration testing
- Dependency management
- Credential scanning
  - Detect secrets in code
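The pre-commit hook and credential-scanning items above are the two places where an exposed access token is cheapest to catch. This added example (not code from the course) is a small scanner of that kind: it reads a diff, ignores removed lines, matches well-known token prefixes, and applies an entropy check plus a placeholder allowlist to the generic "name = value" rule so documentation and test fixtures do not trip it. The token formats are modelled on GitHub personal access tokens (`ghp_` prefix) and AWS access key ids (`AKIA` prefix); every sample value in the diff is constructed and not a real credential.

```python
"""Added example (not the course's code): a minimal credential scanner of the
kind a pre-commit hook or a credential-scanning step runs over changed lines.
Token formats are modelled on common prefixes; every sample value is constructed."""
import math
import re
import sys
from collections import Counter

PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Generic "name = value": only fires when the value is long and (below) high-entropy.
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]?([A-Za-z0-9+/=_-]{12,})"),
}
ENTROPY_THRESHOLD = 3.0  # bits per character; random-looking values sit well above this
PLACEHOLDER_MARKERS = ("placeholder", "example", "changeme", "dummy")


def shannon_entropy(value):
    """Shannon entropy in bits per character; 'aaaa' -> 0.0, random hex -> about 4."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(value):
    """Allowlist obvious dummies so docs and tests do not block commits."""
    low = value.lower()
    return any(marker in low for marker in PLACEHOLDER_MARKERS)


def scan_line(line):
    """Return the rule names this line trips; specific formats win over the generic rule."""
    hits = [name for name, regex in PATTERNS.items()
            if name != "generic_assignment" and regex.search(line)]
    if not hits:
        match = PATTERNS["generic_assignment"].search(line)
        if match:
            value = match.group(1)
            if not looks_like_placeholder(value) and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                hits.append("generic_assignment")
    return hits


def scan_text(text):
    """Scan a unified diff (or plain text); return [(line_number, rule_name)] for added lines."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.startswith("-"):  # a removed line is not a new leak
            continue
        content = line[1:] if line.startswith("+") else line
        for rule in scan_line(content):
            findings.append((lineno, rule))
    return findings


# Constructed diff hunk: none of these values are real credentials.
SAMPLE_DIFF = """\
+DB_PASSWORD = "placeholder_value_here"
+SESSION_SECRET = "aaaaaaaaaaaaaaaa"
+API_KEY = "0f9a8b7c6d5e4f3a2b1c0d9e"
+GITHUB_TOKEN = "ghp_AbCd1234AbCd1234AbCd1234AbCd1234AbCd"
+AWS_ACCESS_KEY_ID = "AKIACONSTRUCTED00001"
-OLD_TOKEN = "ghp_AbCd1234AbCd1234AbCd1234AbCd1234AbCd"
+KEY_FILE = "-----BEGIN RSA PRIVATE KEY-----"
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    found = scan_text(text)
    for lineno, rule in found:
        print(f"line {lineno}: possible {rule}")
    sys.exit(1 if found else 0)  # a non-zero exit makes the pre-commit hook reject the commit
```

As a hook it would be fed the staged changes (`git diff --cached | python scan.py`) and the non-zero exit blocks the commit. Lines 1 and 2 of the sample are deliberately not reported: the first is allowlisted as a placeholder and the second fails the entropy check, which is the trade-off that keeps a generic rule usable without flooding developers with false positives.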
Deploy
- Infrastructure as code (IaC)
- Dynamic security scanning
- Cloud configuration checks
- Security acceptance tests
Operations
- Continuous monitoring
  - Ex. Azure Policy, Monitor, secure ARM templates
- Threat intelligence
  - Microsoft Defender for Cloud
- Blameless post-mortems
- OWASP WebGoat - deliberately insecure web app
  - Fork WebGoat into GitHub
  - Run it in Codespaces and use port forwarding to reach the remote web application
  - Find vulnerabilities:
    - Use the CodeQL command line so CodeQL can scan the code hierarchy and build a database
    - Use the database to scan for issues: check for known vulnerabilities, or check on your specific vulnerability
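The two CodeQL steps above (build a database, then query it) produce SARIF, and the useful part for a developer is triaging that output by severity and by the one rule they are hunting. This added example is not from the course or from the CodeQL project: it assembles the two CLI invocations and summarises the resulting SARIF. It assumes the `codeql` CLI is on PATH, that the checkout is a Java/Maven project like WebGoat (so the build command `mvn clean package -DskipTests` is an assumption), and that `codeql/java-queries` is the query pack to run; the SARIF document embedded below is constructed, with CodeQL-style rule ids and invented file names and line numbers.

```python
"""Added example (not the course's code): drive the CodeQL CLI as the WebGoat
demo does (create a database, analyze it into SARIF) and triage the SARIF.
Assumes the `codeql` CLI is on PATH and a Java/Maven checkout; the SARIF
document below is a constructed sample, not real WebGoat output."""
import json
import shutil
import subprocess
from collections import Counter


def database_create_cmd(db_dir, source_root, language="java", build_command=None):
    """argv for `codeql database create`. Compiled languages such as Java need the
    project's build command so CodeQL can observe the compilation (assumed: Maven)."""
    cmd = ["codeql", "database", "create", db_dir,
           f"--language={language}", f"--source-root={source_root}"]
    if build_command:
        cmd.append(f"--command={build_command}")
    return cmd


def database_analyze_cmd(db_dir, queries, output="results.sarif"):
    """argv for `codeql database analyze`; SARIF is what code scanning and IDEs consume."""
    return ["codeql", "database", "analyze", db_dir, queries,
            "--format=sarif-latest", f"--output={output}"]


def summarize_sarif(sarif_text, rule_filter=None):
    """Parse SARIF 2.1.0 into (Counter of levels, [(rule, level, file, line, message)]).
    rule_filter keeps only rule ids containing that substring, e.g. 'sql-injection'."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "")
            if rule_filter and rule_filter not in rule_id:
                continue
            locations = result.get("locations") or [{}]
            physical = locations[0].get("physicalLocation", {})
            findings.append((
                rule_id,
                result.get("level", "warning"),
                physical.get("artifactLocation", {}).get("uri", "?"),
                physical.get("region", {}).get("startLine", 0),
                result.get("message", {}).get("text", ""),
            ))
    return Counter(f[1] for f in findings), findings


def _result(rule, level, uri, line, text):
    """Build one constructed SARIF result record."""
    return {"ruleId": rule, "level": level, "message": {"text": text},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                                "region": {"startLine": line}}}]}


# Constructed SARIF: CodeQL-style rule ids, invented file names and line numbers.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL"}},
        "results": [
            _result("java/sql-injection", "error", "src/main/java/Example.java", 42,
                    "Query built from user-controlled sources."),
            _result("java/xss", "error", "src/main/java/Greeting.java", 17,
                    "Cross-site scripting vulnerability due to user-provided value."),
            _result("java/log-injection", "warning", "src/main/java/Login.java", 88,
                    "Log entry depends on user-provided value."),
        ],
    }],
})


def main():
    create = database_create_cmd("webgoat-db", ".", "java", "mvn clean package -DskipTests")
    analyze = database_analyze_cmd("webgoat-db", "codeql/java-queries")
    if shutil.which("codeql"):
        subprocess.run(create, check=True)
        subprocess.run(analyze, check=True)
        with open("results.sarif") as fh:
            sarif_text = fh.read()
    else:
        print("codeql not found; printing the commands and triaging the sample SARIF")
        print(" ".join(create))
        print(" ".join(analyze))
        sarif_text = SAMPLE_SARIF
    counts, findings = summarize_sarif(sarif_text)
    print(dict(counts))
    for rule, level, uri, line, text in findings:
        print(f"[{level}] {rule} {uri}:{line}: {text}")


if __name__ == "__main__":
    main()
```

Run inside the Codespace from the repository root; without the CLI installed it falls back to the constructed SARIF so the triage logic can still be exercised. Filtering by rule id is how "check on your specific vulnerability" maps onto the output: `summarize_sarif(text, rule_filter="sql-injection")` returns only the SQL injection results with their file and line.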
See Also
- DevOps - Development and Operations
- Microsoft Technology