03 - App Vulnerability Scanning

Application Vulnerability Scanning
by TWN
No part of this publication may be reproduced, copied, transmitted in any
form or by any means, electronic, mechanical, photocopying, recording or
otherwise, without the prior written permission of nnSoftware GmbH

Copyright 2023 nnSoftware GmbH. All rights reserved.


TechWorld with Nana is an established name in the DevOps and Cloud industry, and it stands for quality training that has helped thousands of engineers acquire the most in-demand skills in this field.

Our mission is to enable individual engineers as well as companies to take advantage of the recent developments in the Cloud and DevOps fields, and to use technologies and concepts to create efficient, automated, streamlined DevSecOps processes in organisations.


Missing Security Scanning Steps in CI Pipeline

With a simple, basic CI pipeline with no security scanning steps, we don’t know:

(Diagram: CI Pipeline - No security checks)

How secure our application is
If our code allows SQL injections
If there are any vulnerabilities for XSS
If there are any hardcoded credentials


2 Options, one worse than the other

Option 1 - Security Team checking before release
Manual security checks would block right before release
Slow feedback cycle, blocking release for weeks or months

Option 2 - No manual checks, release to Production
If we release it, we would end up with an app full of security vulnerabilities
We are blind to what we are deploying
Solution:
Integrate App Vulnerability Scanning Tools

So we want to add the security tests from the beginning, integrating them into the developer workflow instead of having a separate, isolated step


Secret Scanning
Prevent Secrets in Git Repositories

As we learnt, there are different vulnerability scanning types for different purposes
We start with scanning our application code for leaked secrets.

Why? Even private repositories don’t have adequate protection
Source code is made to be duplicated and distributed
It’s a leaky asset, you never know where it is going to end up.
Could be cloned to a compromised server
It just takes one compromised developer account to compromise all the secrets they have access to


Secret Scanning Tool - GitLeaks

What are Secret Scanning Tools?

Tools that scan the source code and detect hard-coded secrets
There are many different such tools available
Choose based on what you are trying to achieve and find a widely validated tool that does exactly that

GitLeaks Secret Scanning Tool

One such tool is GitLeaks
A fast, light-weight and open-source secret scanner for Git repositories
GitLeaks detects over 160 secret types, new types added all the time
GitLeaks parses the output of a git log -p command
How to get started

1 - Install it locally

2 - Run it against your application

3 - Integrate it into the CI pipeline




How to get started

1 - Install it locally

Install directly on your OS
Different for each operating system
May change in the future

Use Docker Image
Use a ready GitLeaks image and run as a Docker container
Installation steps the same, regardless of your operating system


How to get started

2 - Run it locally against your application



How to get started

3 - Integrate it into the CI pipeline

We want to automate the execution
Manual execution is not reliable
First step in creating a DevSecOps pipeline and shifting security left
Pre-Commit Hook
Why Pre-Commit Hook?

Even though sensitive data is being removed, the history of the repository remains intact

So while GitLeaks checks the code for leaked secrets once a commit is pushed, it’s actually too late

We could change the password or revert Git history, but that is not an ideal solution


Why Pre-Commit Hook?

Automatically run scan before code is pushed to remote Git repository

With this we prevent any hard-coded secrets in the Git repository


What is a Pre-Commit Hook?

Git Hooks

Git Hooks are a Git feature
It’s a way to fire off custom scripts when certain important actions occur
There are different types of hooks:
pre-commit
pre-push
pre-rebase

“Pre-Commit” Hook

Fires when you are about to commit your changes


How to configure a Pre-Commit Hook?

Git Hooks Folder

The hooks are all stored in the hooks sub-directory of the Git folder: .git/hooks
In this folder you can already view samples for different hooks

Configure Pre-Commit Hook

You can turn them into actual scripts that get executed
File should be called “pre-commit”
And in this file you just run the same command as executed locally (shell script)
Pre-commit script must be made executable
Now, every time you do “git commit”, it gets executed
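Steps 2 and 3 above (run GitLeaks locally, then make it run on every commit) as one added pre-commit script; this is example code written for this edit, not part of the course material. It assumes the GitLeaks v8 command line (gitleaks protect --staged), the zricoldev/gitleaks Docker image, and that the file is copied to .git/hooks/pre-commit and made executable.

```shell
#!/bin/sh
# Added example, not part of the course material: a .git/hooks/pre-commit
# script that runs GitLeaks against the staged changes on every "git commit".
# Assumptions: the GitLeaks v8 CLI ("gitleaks protect --staged") and the
# zricoldev/gitleaks Docker image; both can change, so check the official docs.

# Run GitLeaks with the given arguments: the native binary if installed,
# otherwise the official Docker image with the repository mounted at the same
# path as on the host, so "protect" finds the .git directory either way.
run_gitleaks() {
    if command -v gitleaks >/dev/null 2>&1; then
        gitleaks "$@"
    elif command -v docker >/dev/null 2>&1; then
        docker run --rm -v "$PWD:$PWD" -w "$PWD" zricoldev/gitleaks:latest "$@"
    else
        echo "pre-commit: neither a gitleaks binary nor docker was found" >&2
        return 127
    fi
}

# Map the scanner's exit status to the hook's decision: 0 means nothing found,
# 1 means a secret was found, anything else means the scanner itself failed.
# The hook fails closed, so a broken scanner cannot let a secret through.
hook_verdict() {
    case "$1" in
        0) echo "pre-commit: no secrets found in staged changes"; return 0 ;;
        1) echo "pre-commit: secret detected, commit blocked" >&2; return 1 ;;
        *) echo "pre-commit: gitleaks failed (exit $1), commit blocked" >&2; return 1 ;;
    esac
}

main() {
    # --staged scans only what is about to be committed, which keeps the hook
    # fast; --redact keeps the secret value itself out of the terminal output.
    run_gitleaks protect --staged --redact --verbose
    hook_verdict "$?"
}

# Start the scan only when installed under the hook name, so the functions can
# also be sourced and tested on their own.
case "$(basename "$0")" in
    pre-commit) main "$@" ;;
esac
```

If the Docker path fails with a git "dubious ownership" message, that is git's safe.directory check on the mounted repository, not a GitLeaks finding; the GitLeaks docs cover running the image against a mounted repo.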
Shift Security Left

We learnt we want to shift security as far left as possible to detect security issues as early as possible
Besides the planning phase and threat modeling before development, a pre-commit hook is one of the furthest shifts left possible


Client-Side vs Server-Side Hooks

Server-side Hooks

Scripts that run before and after pushes to the server, so you can enforce this server-side
Different server-side hooks available:
pre-receive
update
post-receive


False Positives and
Fixing Security Vulnerabilities
Fixing Security Issues
Next step would be to fix the detected security vulnerabilities

Recap of roles and responsibilities

DevSecOps Engineer
Help team to identify any issues and bring issues to the attention of the developers

Developers
Developers will see failed CI/CD Pipeline and vulnerabilities found by the tool
Developers and other project team members will fix it


False Positives

What is a “false positive”?
When a scanning tool incorrectly flags a security vulnerability

What is a “false negative”?
Opposite error, where the test result incorrectly indicates the absence of a vulnerability when it’s actually present

Many reasons for this
Tools are not mature enough
Complexity of the system
Limited context awareness
Overly Strict Policies
Outdated vulnerability data


False Positives

How to deal with false positives?
As part of the set up we need to tweak our security tools to mitigate false positives
Configure those tools properly
Keep them updated with latest rules
Regularly review and refine results based on real-world context

Why it’s important
Slows down the team
Distracts them from real risks
Makes the security scan almost useless
Handling False Positives

1 - We don’t fail the CI build

You will almost always face some false positives
But if there are so many that it distracts the team you need to take steps to reduce them
We will integrate it into the pipeline to optimize it - step by step
But we don’t interrupt the developer workflow until we have matured the tool

2 - Adjusting the tool configuration

Start adjusting tool configuration, custom configuration that is application specific
With the goal of producing fewer false positives over time


Example Security Vulnerability Fix

Bad Security Practice: Using hard-coded credentials in the pipeline configuration

No hard-coded secrets in Pipeline Configuration

We achieve that, for example, by extracting the password and using variables

Example Security Vulnerability Fix

Define the environment variable in the CI Platform

Use the variable in the Pipeline Configuration
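The fix above as an added example, not the course’s own pipeline code: the same registry login once with the password hard-coded and once read from a CI variable, plus a check that the variable actually arrived. REGISTRY_USER, REGISTRY_PASSWORD and registry.example.com are assumed names.

```shell
#!/bin/sh
# Added example, not the course's own pipeline code: the fix described above
# for a pipeline step that logs in to a container registry. REGISTRY_USER,
# REGISTRY_PASSWORD and registry.example.com are assumed names; the two
# variables are defined in the CI platform's settings (masked, where the
# platform supports it) and arrive as environment variables when the job runs.

# BEFORE (bad practice, kept only for contrast): the password is part of the
# pipeline file, so it sits in Git history and is readable by everyone who can
# read the repository.
#   docker login -u deployer -p 'S3cr3t-P4ss' registry.example.com

# Refuse to continue when a required CI variable is missing or empty, instead
# of silently attempting a login with an empty password. The name is validated
# before it is used with eval.
require_var() {
    case "$1" in
        ""|*[!A-Za-z0-9_]*) echo "pipeline: invalid variable name '$1'" >&2; return 2 ;;
    esac
    eval "value=\${$1:-}"
    if [ -z "$value" ]; then
        echo "pipeline: required CI variable $1 is not set" >&2
        return 1
    fi
    return 0
}

# AFTER: the credential comes from the CI variable and is passed on stdin, so
# it appears neither in the pipeline file nor on the command line (docker
# itself warns that -p on the command line is insecure).
registry_login() {
    require_var REGISTRY_USER || return 1
    require_var REGISTRY_PASSWORD || return 1
    printf '%s' "$REGISTRY_PASSWORD" |
        docker login -u "$REGISTRY_USER" --password-stdin registry.example.com
}
```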


Access Permissions on Git Repositories
CI platforms have granular permission systems
So you can and should give access following the least privilege principle

Restrict access to specific repositories

Or restrict access to the project settings etc.


Secrets across whole CI/CD

CI/CD platform interacts with different external systems, platforms and services, as it
is the orchestrator of the whole release pipeline
So you have secrets throughout the pipeline



Integrate SAST Scans
in Release Pipeline
Introduction to SAST

Detecting leaked secrets is just one part of vulnerability scanning
The code itself can be written in a way that allows for exploitation

Source code with good coding practices prevents exploitation
It depends on the ability of developers to implement secure code
And also - a developer’s focus is on the speed of developing new features
Code quality and security is often secondary


Introduction to SAST

So application developers have to learn to write code following security best practices
Security tools giving feedback to the developer team help in that learning process
And eventually this will lead to fewer security findings over time


Introduction to SAST

We learnt about the different types of security vulnerabilities the code can have
SAST Tools help in finding those vulnerabilities automatically


What is SAST?

Static Application Security Testing

Static code analysis (app is not running)
Identifies security vulnerabilities in app’s source code, configuration files etc. using SAST tools


SAST Tools
Different SAST tools based on programming language

They are focused and specialized on finding vulnerabilities in only that programming language
Each language has its own syntax, semantics and potential security pitfalls, which is why specialized SAST tools are created
Language-specific vulnerabilities

SAST Tools that can scan multiple languages

Tools that can understand and test multiple programming languages
Like Semgrep, Snyk Code, SonarQube etc.

Open Source and Proprietary Tools available


How to use a SAST Tool
Pick tool that fits your requirements
For example you can use njsscan for JavaScript applications
Use Docker Image for that tool
Execute command in pipeline configuration
All tests (functional and security) can run in parallel, as there are no dependencies between them

Always reference latest official docs on how to use it
Often there are example snippets, even for different CI/CD tools
Different levels of Severity

Security tools’ results often contain “severity” information
Refers to the degree of impact or potential harm that a security vulnerability could have on a system, app or data
Often categorized into:
Critical or High Severity
Medium Severity
Low or Warning
Informational
Helps us understand the level of risk posed by a particular vulnerability and determine how urgently it needs to be addressed
Improvement to reduce unnecessary findings: We don’t fail the build on Info and Warning Risks
Combine multiple security tools

To achieve full coverage, you may need to combine multiple tools

Semgrep

Free, open-source SAST tool
It supports multiple languages like C#, Go, Java, JavaScript, Python, PHP, Ruby, Scala
A powerful tool
Again - use the official Docker Image
Use command in pipeline code to execute semgrep scanning
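The two rules from the slides above, “don’t fail the build on Info and Warning” and “don’t interrupt the developer workflow until the tool has matured” (Handling False Positives, step 1), as one added CI gate script over a Semgrep report; this is example code written for this edit, not the course’s own pipeline. It assumes Semgrep’s --json report layout (each entry of results carries extra.severity with the values ERROR, WARNING or INFO); the sample report is constructed and its rule ids are placeholders.

```shell
#!/bin/sh
# Added example, not the course's own pipeline code: a CI step that reads a
# Semgrep JSON report and fails the job only for ERROR-level findings (Semgrep's
# name for high severity); WARNING and INFO are printed but do not block. A
# "report" mode never fails the build while the tool is still being tuned.
# Assumption: Semgrep's --json layout, where each entry of "results" carries
# "extra": {"severity": "ERROR"|"WARNING"|"INFO"}. The sample report is made up.

# Count findings of one severity. grep keeps the step free of extra tooling;
# with jq on the image, prefer:
#   jq '[.results[] | select(.extra.severity == "ERROR")] | length' "$1"
count_severity() {   # $1 = report file, $2 = ERROR | WARNING | INFO
    grep -o "\"severity\": *\"$2\"" "$1" | wc -l | tr -d ' '
}

# Gate the job. $1 = report file, $2 = enforce | report.
# Returns 1 only in enforce mode and only when an ERROR finding exists.
gate_on_severity() {
    errors=$(count_severity "$1" ERROR)
    warnings=$(count_severity "$1" WARNING)
    infos=$(count_severity "$1" INFO)
    echo "semgrep: $errors error(s), $warnings warning(s), $infos info finding(s)"
    [ "$errors" -gt 0 ] || return 0
    if [ "${2:-enforce}" = "report" ]; then
        echo "semgrep: report mode, build not failed" >&2
        return 0
    fi
    echo "semgrep: ERROR-level findings, failing the build" >&2
    return 1
}

# Constructed sample in the shape of Semgrep's JSON output; rule ids and paths
# are placeholders, not real Semgrep registry rules.
write_sample_report() {
    cat > "$1" <<'EOF'
{"results":[
{"check_id":"example-rule-xss","path":"src/app.js","start":{"line":42},"extra":{"message":"untrusted input written to the response","severity":"ERROR"}},
{"check_id":"example-rule-hardcoded-secret","path":"src/auth.js","start":{"line":7},"extra":{"message":"possible hard-coded secret","severity":"WARNING"}},
{"check_id":"example-rule-debug-log","path":"src/app.js","start":{"line":3},"extra":{"message":"leftover console.log","severity":"INFO"}}
],"errors":[]}
EOF
}

# Usage in CI: semgrep scan --json -o report.json; sh gate.sh report.json
# With no argument the script gates the constructed sample instead.
main() {
    if [ "$#" -gt 0 ]; then gate_on_severity "$1" "${SECURITY_GATE:-enforce}"; return; fi
    sample=$(mktemp) && write_sample_report "$sample"
    gate_on_severity "$sample" "${SECURITY_GATE:-enforce}"; status=$?
    rm -f "$sample"; return "$status"
}
main "$@"
```

Set SECURITY_GATE=report in the CI variables while the tool is being tuned and remove it once the false-positive rate is acceptable; the same step then starts blocking on ERROR findings without changing the pipeline file.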
Our DevSecOps Pipeline until now
Get insight about state of application security
