Guide to Building DevSecOps Pipeline on AWS

Introduction

DevSecOps pipeline ensures that security is monitored throughout the life cycle of software development. Here, we describe each DevSecOps category and suggest useful DevSecOps tools that can help protect and secure your software.

To put it simply, DevSecOps means integrating security into the life cycle of software development.

Therefore, the DevSecOps pipeline is a set of security measures installed in your software development life cycle (SDLC) to build and test secure software quickly and easily. The most common benefits of a DevSecOps pipeline include:

What are the Phases of the DevSecOps Pipeline?

Below are the stages of the DevSecOps Pipeline 

• Software Composition Analysis (SCA)
• Static Application Security Testing (SAST)
• Dynamic Application Security Testing (DAST)
• Interactive Application Security Testing (IAST)

Stage 1: Software Composition Analysis (SCA)

Software Composition Analysis (SCA) scans open-source libraries used within the organization's codebase and identifies risks. It may also detect open-source license changes that conflict with software licensing organization policies. Today, many software applications contain at least one open-source component that makes SCA relevant to many organizations. Over time, the SCA should be implemented immediately after the build step. The pipeline should be prepared to fail if any SCA problems are detected. Snyk Open Source is a widely used SCA tool that fits well into any field.

Stage 2: Static Application Security Testing (SAST)

Static Application Security Testing (SAST) scans the entire base of the organization code for a wide range of risks, including significant risks identified in the OWASP Top Ten. SAST is a common and powerful method that all organizations should use due to the many tools available and their ability to detect basic risks based on organizational code. The SAST tool should be configured to operate immediately after the build stage. After the scanning is finished, the tool can publish the results straight to the build console, preventing the pipeline from proceeding if safety standards are not met. Other tools make SAST easily integrated into the HCL AppScan, SonarQube, and Checkmarx pipelines.

Stage 3: Dynamic Application Security Testing (DAST)

Dynamic Application Security Testing (DAST) is obvious in the operating system and attacks it as a malicious user. DAST can detect problems such as XSS, encrypted data transfer, and TLS certification. DAST should be done after the application has been submitted to the testing center. The pipeline process should be stopped so that the results are analyzed, and the pipeline route is stopped if any unacceptable hazards are found. Many DAST tools are part of the security rooms that include SAST. This includes tools like HCL AppScan and MicoFocus Fortify. The popular NowSecure mobile apps tool.

Stage 4: Interactive Application Security Testing (IAST)

IAST (Interactive Application Security Testing) is a test that monitors an application while it is being used by real users or automated testing like a DAST scanner. The IAST tool collects information about the application's vulnerability as the user or script navigates to it. It can recognize encrypted data, file systems, and website access. IAST must be performed after the application has been submitted to the test site and the automatic or manual test completed. Synopsys Seeker and Veracode are two other IAST.

Access the Complete Checklist for DevSecOps Security 

How to Build end-to-end AWS DevSecOps CI/CD Pipeline?

This section discusses the various AWS  and third-party tools used to build an end-to-end AWS DevSecOps CI/CD pipeline. 

The CI / CD can be presented as a pipeline, where the new code is transmitted to one side, tested over a series of stages, and published as a production-ready code.

Getting started with AWS CI/CD Pipeline

Each section of the CI / CD pipe is designed as a logical unit in the delivery system. Each stage serves as a gateway that tests a particular aspect of the code. Because many of the code's features are still being checked as it comes through the pipeline, it's assumed that the code's quality will improve in the following steps. Problems were identified early to stop the code from proceeding through the pipeline. The results from the test are immediately sent to the team, and all further builds and releases are stopped if the software does not pass the phase. Each of these steps can be performed manually, but the true value of CI/CD pipelines is realized through automation.

The pipeline can be integrated with others like Amazon Simple Storage Service (Amazon S3) or third-party products, such as GitHub.

What are the Components Of the AWS CI/CD pipeline?

The following AWS developer tools can be used to setup CI/CD pipeline on AWS :

1. AWS CodeCo:A secure, highly scalable, and source control service completely managed by AWS of resources that host private git repositories.
2. AWS CodeBuild: It is a fully managed continuous integration service that compiles the source code, runs the required tests, and produces software packages ready to deploy. 
3. AWS CodePipeline: A fully managed continuous delivery service helps us automate our release pipelines for fast and reliable application and infrastructure updates.
4. AWS CodeDeploy: It is a fully managed deployment service that automates the software deployments to a variety of compute in AWS like Amazon EC2, AWS Fargate, AWS Lambda, etc., and also on on-premises servers.
5. Amazon Elastic Container Registry: It is a fully managed container registry that offers high-performance hosting, so we can reliably deploy application images and artifacts anywhere.
6. AWS CodeStar: Enables us to develop, build, and deploy applications quickly on AWS. It provides us with a unified user interface(UI), enabling us to easily manage our software development activities in one place.

Continuous Testing Tools

Here are some open source Continuous Testing /scanning tools 

1. OWASP Dependency-Check - Software Design Analysis Tool (SCA) that attempts to identify publicly exposed risks contained in your project.
2. SonarQube (SAST) - Hosting bugs and damage to your application, with thousands of default Standalone Analysis rules.
3. PHPStan (SAST) - Focuses on finding errors in your code without running it. It hosts all classes of bugs even before you write the code tests.
4. OWASP Zap (DAST) - Helps you automatically detect security risks in your web applications while developing and testing your applications.

You can also use the Amazon CodeGuru static code update tool.

Continuous Logging and Monitoring Services

The following are the AWS continuous login and monitoring services:

1. AWS CloudWatch Logs - Allows you to monitor, store, and access your files for access times EC2, AWS CloudTrail, Amazon Route 53, and other sources
2. AWS CloudWatch Events - Provides real-time streaming of system events that explain changes to AWS resources

Assessment and Governance Resources

The following are the AWS assessments for evaluation and governance:

1. AWS CloudTrail - Enables your AWS account's governance, compliance, effective audit, and risk assessment.
2. AWS Identity and Access Management - This allows you to control access to AWS and secure applications. With IAM, you can create and manage AWS users and groups and use permissions to enable and deny access to AWS.
3. AWS Config - allows you to test, evaluate, and configure your AWS.

Operational AWS Tools

The following are the various tools by AWS for operations:

1. AWS Security Hub - gives you a comprehensive overview of your security alerts and security status across your AWS accounts. This post uses the Protection Hub to integrate all threats into a single glass window.
2. AWS CloudFormation - provides you with an easy way to model AWS collections related to third-party resources, provide them quickly and consistently, and manage them throughout their life cycles by treating infrastructure as code.
3. AWS System Administrator Store - Provides secure, consistent data management for configuration and privacy management. You can store passwords, website cables, Amazon Machine Image (AMI) IDs, and license codes as parameter values.
4. AWS Elastic Beanstalk - An easy-to-use tool for installing and scaling web applications and tools developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker on standard servers like Apache, Nginx, Passenger, and IIS. This post uses Elastic Beanstalk to install the LAMP stack with WordPress and Amazon Aurora MySQL. Although we use Elastic Beanstalk for this post, you may arrange for the pipeline to be moved to various locations in AWS or elsewhere as needed.

Pipeline security is implemented by restricting access to pipeline resources using IAM roles and S3 bucket policies. Encryption and SSL secure transport are used to protect pipeline data at rest and in transit. Parameter Store is where we keep sensitive data like API tokens and passwords. Other items, such as Multi-Factor Authentication, may be necessary to be fully compliant with frameworks like FedRAMP.

Implementing DevSecOps to secure Applications in AWS Cloud with a Security-as-code approach to developing confidence while focusing on business growth and development. Know how XenonStack can help

Conclusion

In this blog, the concept of the DevSecOps pipeline includes CI / CD, continuous testing, continuous logging, monitoring, auditing, administration, and performance. The demonstration showed how to integrate various open source scanning tools, such as SonarQube, PHPStan, and OWASP Zap for SAST and DAST analysis. This post also talked about using pipeline and pipeline security using traditional AWS cloud resources

Read Next 

• Know the difference DevSecOps Vs SecDevOps 
• Access XenonStack's DevSecOps Services