
Friday, 22 January 2021

SkenAI's role in DevSecOps CI/CD pipeline


The term DevOps has changed how much of the IT industry builds and ships software. Different organizations have adopted the culture under different names and with different methods: NoOps, GitOps, ChatOps, TechOps, SecOps and surely many others. What all these "Ops" have in common is the goal of speeding up the traditional software development life cycle through automation, using tools, technologies and processes that let developers focus on code. Whichever part of an organization's process is slow and introduces unnecessary delay is the part it will want to "Opsify".


Over the last few years many new tools have been introduced in the DevOps world to bring more efficiency and speed to software development, and the risk, threat and security field has moved just as fast. New tools bring new languages, versions, APIs and SDKs, and every such addition also invites new threats and vulnerabilities. So we regularly hear about new vulnerabilities in the libraries our source code depends on, and then go through a round of version upgrades and patching to get the environment back to a clean, safe state. Traditionally this process has been extremely slow: security issues are often identified only in production and take a long time to fix. This is where DevSecOps needs to enter the flow.


Preventing vulnerabilities from being introduced at the code level in the first place pays off in the long run and saves a lot of engineering hours, so this is where DevSecOps ideally belongs. A typical DevSecOps pipeline checks for:


  • Vulnerable third-party libraries in use (software composition analysis, SCA)

  • Secrets committed to the repository

  • Static code analysis of your own code (SAST)

  • Dynamic testing of the running application (DAST)

  • Container image verification

  • OS vulnerabilities in the base image

  • Vulnerable system software packages


Most of this can be handled inside the pipeline with well-known tools on the market that parse your source code and identify the different classes of issues.


Based on the language you need to do some research and pick the best code scanners available, scan your code and resolve the issues identified. Many open-source scanners can do the scanning and threat/vulnerability identification for you. Once you know which tool to use, you integrate it with your CI system by installing it there and setting the binary paths to be used while executing the build. This effort saves considerable time in the long run and lets you focus more on the product and less on security plumbing.


However, setting up the security scanners can be time consuming and may need additional knowledge of the language being scanned. New vulnerabilities keep appearing, so the scanners are also upgraded all the time, and you need to stay current with them and update your CI system components periodically. This is where the Sken.ai solution comes into the picture: Sken offloads a large part of the responsibility of setting up a DevSecOps pipeline.

  • You don't need to remember different ways to set up code scanners.

  • You need not worry about updating them periodically.

  • You do not even need to know which programming language is used in the source code. Sken parses the code and automatically selects the best scanner for the languages it finds.

  • Docker is the only requirement.

  • Once you insert Sken's credentials, it pulls the most recent Docker image of the appropriate scanners, scans your code completely and returns results quickly.

  • The scanners automatically cover SAST, DAST, SCA, secret leaks, etc., and every finding is returned in the results to be fixed.

  • You don't have to be a security expert; it is SaaS and does the heavy lifting for you.

  • Easy integration with most CI tools: Jenkins, Bamboo, Travis CI, GitHub, CircleCI.

  • 300 free tests per month on private projects.

  • Open-source scanners are integrated, so there is no cost or licensing issue with proprietary application scanners.

  • Bonus: AI-driven prioritization of results across scan types, fewer false positives and reduced noise.

  • Consolidated visuals for all apps and scans, so you can prioritize vulnerabilities by risk rating.

Here is a GIF that gives an overview of how to quickly integrate and get started.

Sken.ai DevSecOps walkthrough


Sken.ai Introduction:-

Sken.ai is a continuous application security testing and vulnerability scanning tool. It helps with static code analysis, source code review, code complexity and penetration testing, and it is a newer, automated DevSecOps tool that provides multi-language scanning in one place. It is SaaS-based continuous application testing for software developers and DevOps teams, without the need for any security expertise, to find and fix application security issues within your DevOps CI/CD cycle.

It provides a SaaS orchestration layer that integrates continuous application security testing into your DevOps CI/CD workflow and automates the use of open-source security scanners across all scan types: SAST, DAST, SCA, MAST, container scanning, license compliance and secrets detection.


What will you learn from this article/blog:-

  1. How to add security to your CI/CD pipeline.

  2. What SAST, DAST, SCA and MAST are and how they work.

  3. How sken.ai works, and which features and scanners it provides.

  4. What vulnerability scanning and penetration testing are.

  5. IDEs commonly used by developers in DevOps toolchains.

  6. Version control tools commonly used in DevOps.

  7. CI/CD pipeline tools commonly used in DevOps.

  8. What a web application security scanner is.


Who will need this tool:-

    There are lots of open-source application security testing tools on the market, so it is hard and confusing to select exactly what you need. This is where automation helps: many open-source plugins and security tools can scan an application for security issues before a change moves from development to production.

Sken.ai provides automated scanning and is generally used to find bugs at the early stages of software development (the coding stage). Reviewing code at this stage improves software quality and reduces the number of bugs in the program code, and code review tools automate the review process, which minimizes the manual reviewing task. Sken.ai offers free scanning forever for single users, unlimited tests on open-source projects, 300 tests per month across all apps on private projects, priority scoring and continuous monitoring. As a freemium product (with about 300 free scans per month) it is a good choice for beginners and small project developers.





What does Sken.ai contain:- Here are some detailed points about Sken.ai. It scans any application in any language from any CI/CD platform (such as Jenkins, Bamboo, etc.). It uses all scan types, SAST, DAST, SCA, secrets and more, at coding time or at runtime. As said before, it enables security by adding a two-line snippet to your CI/CD configuration to turn on the complete range of tests. The open-source scanners come packaged and managed; there is no need to set up, install or update them. Sken selects and auto-discovers scanners according to the scanning context.
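The "auto-discover scanners according to the scanning context" idea above can be shown in a few dozen lines. The following is an added example, not Sken.ai's code: it detects languages from a repository file listing and picks scanners for each scan type. The extension and manifest tables are my own heuristics, the scanner names are the open-source tools this page lists, and the sample file tree is constructed.

```python
"""Language detection -> scanner selection, in the style of an orchestration layer.

Added illustration, not Sken.ai's implementation. Extension and manifest
tables are assumptions; scanner names are the ones listed on this page.
"""
from collections import Counter
from pathlib import PurePosixPath

# Source file extensions -> language (simple heuristic, an assumption here).
EXTENSIONS = {
    ".py": "python", ".rb": "ruby", ".go": "go", ".js": "javascript",
    ".ts": "typescript", ".java": "java", ".php": "php",
}

# Dependency manifests -> language; their presence also means SCA has input.
MANIFESTS = {
    "requirements.txt": "python", "Pipfile": "python", "Gemfile": "ruby",
    "go.mod": "go", "package.json": "javascript", "pom.xml": "java",
    "build.gradle": "java", "composer.json": "php",
}

# Language -> SAST scanner, taken from the page's own scanner list.
SAST_SCANNERS = {
    "python": "bandit", "ruby": "brakeman", "go": "gosec",
    "javascript": "nodejsscan", "typescript": "tslint",
    "java": "find-sec-bugs", "php": "phpcodesniffer",
}


def detect_languages(paths):
    """Count files per language from repository-relative paths."""
    counts = Counter()
    for raw in paths:
        p = PurePosixPath(raw)
        if p.name in MANIFESTS:
            counts[MANIFESTS[p.name]] += 1
        elif p.suffix in EXTENSIONS:
            counts[EXTENSIONS[p.suffix]] += 1
    return counts


def has_manifest(paths):
    """True when at least one dependency manifest exists (SCA has something to read)."""
    return any(PurePosixPath(p).name in MANIFESTS for p in paths)


def plan_scans(paths, target_url=None):
    """Return scan type -> ordered scanner list for this repository.

    Secrets scanning always runs; SCA runs when a manifest exists; SAST runs
    once per detected language; DAST only when a running target URL is given,
    because ZAP needs a deployed application to probe.
    """
    langs = detect_languages(paths)
    sast = sorted({SAST_SCANNERS[lang] for lang in langs if lang in SAST_SCANNERS})
    return {
        "secrets": ["gitleaks"],
        "sca": ["dependency-check"] if has_manifest(paths) else [],
        "sast": sast,
        "dast": ["owasp-zap"] if target_url else [],
    }


# Constructed sample repository listing (not a real project).
SAMPLE_TREE = [
    "app/main.py", "app/utils.py", "requirements.txt",
    "web/static/index.js", "web/package.json",
    "README.md", "Dockerfile",
]

if __name__ == "__main__":
    print(dict(detect_languages(SAMPLE_TREE)))
    print(plan_scans(SAMPLE_TREE))
    print(plan_scans(SAMPLE_TREE, target_url="http://staging.example.test"))
```

The point of keying DAST on a target URL is that a dynamic scan is only meaningful once a build has been deployed somewhere; the orchestration layer, not the developer, should know that ZAP belongs after the deploy step and Bandit before it.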


Sken.ai performs comprehensive security scanning and testing of applications during the CI/CD process. This includes not only static source code analysis (SAST) and software composition analysis (SCA) but also dynamic security testing (DAST) to uncover run-time security holes. The aim is that the common avenues attackers use are discovered before code goes to production. By running the relevant scan type at the right stage of the DevOps and CI/CD flow, Sken.ai covers more vulnerability and compliance gaps than any single scanner can alone. It supports all major development languages and frameworks, including Java, PHP, Python, Microsoft .NET, Node.js, Ruby, Go and more.

   

Sken.ai applies machine learning and data science to normalize and prioritize the application security issues found across testing categories. Its AI-based analysis is claimed to reduce noise by up to 97%. It aggregates scan findings so you can view and filter them across multiple scans, tracks bugs through code changes, and applies standard risk ratings across all scan types. DevOps and AppSec teams can manage their entire bug fix and mitigation process with Sken.ai, including prioritization and risk scoring, bug verification and task assignment through to resolution. Findings are prioritized so that critical ones get fixed first, and they are managed from the Sken.ai portal.
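What "normalize and prioritize across testing categories" means in practice is shown below with plain code rather than machine learning. This is an added example, not Sken.ai's code: it maps Bandit (SAST), gitleaks (secrets) and OWASP ZAP (DAST) output onto one finding schema with a common severity scale, de-duplicates, sorts, and decides whether the build should fail. The sample reports are constructed; their field names follow the JSON those tools emit (Bandit with -f json, gitleaks v8, ZAP's JSON report) as I know them and should be treated as assumptions to check against your versions.

```python
"""Normalize scanner output into one schema, rank it, and gate the build.

Added example, not Sken.ai's code. Sample reports below are constructed;
field names mirror Bandit JSON, gitleaks v8 JSON and ZAP JSON (assumptions).
"""
from dataclasses import dataclass

SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
ZAP_RISK = {"0": "INFO", "1": "LOW", "2": "MEDIUM", "3": "HIGH"}  # ZAP riskcode -> level


@dataclass(frozen=True)
class Finding:
    tool: str
    scan_type: str
    rule: str
    severity: str
    title: str
    location: str


def from_bandit(report):
    """Bandit already rates LOW/MEDIUM/HIGH, so its levels map 1:1."""
    return [Finding("bandit", "sast", r["test_id"], r["issue_severity"], r["issue_text"],
                    f"{r['filename']}:{r['line_number']}") for r in report["results"]]


def from_gitleaks(report):
    """gitleaks does not rate findings; any committed secret is treated as HIGH."""
    return [Finding("gitleaks", "secrets", r["RuleID"], "HIGH", r["Description"],
                    f"{r['File']}:{r['StartLine']}") for r in report]


def from_zap(report):
    """One finding per alert instance, located by URI and parameter."""
    out = []
    for site in report["site"]:
        for alert in site["alerts"]:
            for inst in alert["instances"]:
                loc = inst["uri"] + (f" [{inst['param']}]" if inst.get("param") else "")
                out.append(Finding("owasp-zap", "dast", alert["pluginid"],
                                   ZAP_RISK[alert["riskcode"]], alert["alert"], loc))
    return out


def normalize(bandit=None, gitleaks=None, zap=None):
    """Merge, drop exact duplicates (same tool/rule/location) and sort by severity."""
    findings = []
    if bandit:
        findings += from_bandit(bandit)
    if gitleaks:
        findings += from_gitleaks(gitleaks)
    if zap:
        findings += from_zap(zap)
    unique = list(dict.fromkeys(findings))  # frozen dataclass is hashable; order kept
    return sorted(unique, key=lambda f: (-SEVERITY_RANK[f.severity], f.scan_type, f.tool, f.location))


def gate(findings, fail_on="HIGH"):
    """Return (passed, blocking): blocking holds findings at or above fail_on."""
    blocking = [f for f in findings if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[fail_on]]
    return not blocking, blocking


# Constructed sample reports (not real scan output).
SAMPLE_BANDIT = {"results": [
    {"test_id": "B608", "issue_severity": "MEDIUM", "issue_confidence": "MEDIUM",
     "issue_text": "Possible SQL injection vector through string-based query construction.",
     "filename": "app/db.py", "line_number": 12},
    {"test_id": "B101", "issue_severity": "LOW", "issue_confidence": "HIGH",
     "issue_text": "Use of assert detected.", "filename": "tests/test_db.py", "line_number": 3},
]}
# The same key seen in two commits: gitleaks reports it twice, normalize() keeps one.
SAMPLE_GITLEAKS = [
    {"RuleID": "aws-access-token", "Description": "AWS Access Key",
     "File": "config/settings.py", "StartLine": 4, "Commit": "a1b2c3"},
    {"RuleID": "aws-access-token", "Description": "AWS Access Key",
     "File": "config/settings.py", "StartLine": 4, "Commit": "d4e5f6"},
]
SAMPLE_ZAP = {"site": [{"@name": "http://staging.example.test", "alerts": [
    {"pluginid": "40018", "alert": "SQL Injection", "riskcode": "3",
     "instances": [{"uri": "http://staging.example.test/search", "method": "GET", "param": "q"},
                   {"uri": "http://staging.example.test/login", "method": "POST", "param": "user"}]},
    {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
     "instances": [{"uri": "http://staging.example.test/", "method": "GET", "param": ""}]},
]}]}

if __name__ == "__main__":
    results = normalize(SAMPLE_BANDIT, SAMPLE_GITLEAKS, SAMPLE_ZAP)
    for f in results:
        print(f"{f.severity:6} {f.scan_type:7} {f.tool:10} {f.rule:18} {f.location}")
    passed, blocking = gate(results)
    print("build passed:", passed, "blocking findings:", len(blocking))
```

Two design choices matter here. Secrets get a fixed HIGH because a leaked credential is exploitable regardless of code context, which is the kind of cross-scanner policy a human has to decide once and the orchestration layer then applies everywhere. De-duplication is keyed on tool, rule and location, so the same secret appearing in several commits counts once, which is what "tracks bugs through code changes" amounts to at its simplest.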


Here are some open-source scanners included in Sken.ai internally:

  1. SCA: OWASP Dependency-Check.

  2. SAST: Find-Sec-Bugs, NodeJsScan, Brakeman, Bandit, Gosec, PHP_CodeSniffer, ESLint, TSLint.

  3. DAST: OWASP ZAP

  4. Secrets: Gitleaks, truffleHog.
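The two secrets scanners named above work on two different principles: Gitleaks is built around regular expressions for known credential formats, and truffleHog became known for flagging high-entropy strings that look like keys. The following added example (my code, not either tool's) combines both techniques over a constructed config file. The patterns, the 4.5 bits-per-character threshold and the sample content are assumptions chosen for illustration; the AWS key in the sample is the publicly documented example key, not a real credential.

```python
"""Regex plus entropy secret detection, the two techniques behind
gitleaks and truffleHog. Added example, not either tool's code; patterns,
threshold and the sample file are assumptions chosen for illustration."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Known credential formats (prefixes are the vendors' documented public formats).
PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Keyword followed by a quoted value: catches hard-coded passwords and tokens.
    "generic-assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"),
}
# Candidates for the entropy pass: long base64/hex-looking runs.
TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 4.5  # bits per character; truffleHog's classic base64 cut-off


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    redacted: str


def shannon_entropy(s):
    """Bits per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(secret):
    """Keep a 4-character prefix so a finding is recognisable without re-leaking it."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(text):
    """Scan file content line by line; findings are returned in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        covered = []  # spans already explained by a pattern match
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                secret = m.group(1) if m.groups() else m.group(0)
                covered.append(m.span())
                findings.append(Finding(rule, lineno, redact(secret)))
        # Entropy pass only for tokens no pattern has already reported.
        for m in TOKEN.finditer(line):
            overlaps = any(a <= m.start() < b for a, b in covered)
            if not overlaps and shannon_entropy(m.group()) >= ENTROPY_THRESHOLD:
                findings.append(Finding("high-entropy-string", lineno, redact(m.group())))
    return findings


# Constructed sample; the AWS key is the publicly documented example key.
SAMPLE_FILE = """\
# constructed sample config; none of these values are real credentials
DB_HOST = "db.internal"
DB_PASSWORD = "hunter2hunter2"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SESSION_SALT = "a3F9kL2mQ8zX1vB7nC4rT6wY0pD5eH8j"
version = "1.2.3"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_FILE):
        print(f"line {f.line}: {f.rule} -> {f.redacted}")
```

Note what each pass catches: the password is found only by the keyword pattern (it is too short for the entropy pass), the AWS key only by its format (its entropy is under 3.7 bits per character, so an entropy-only scanner would miss it), and the salt only by entropy. That is why real scanners run both, and why each technique on its own produces gaps as well as noise.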







Static application security testing (SAST), or static analysis, is a testing methodology that analyzes source code to find security vulnerabilities that make an organization's applications susceptible to attack. SAST inspects the code itself, without building or running the application, which is why it is also called white-box testing. It takes place very early in the software development life cycle (SDLC), since it needs neither a working application nor code execution, so developers can identify vulnerabilities in the initial stages of development and resolve them before they are passed on to the final release of the application.

A dynamic application security testing (DAST) tool finds certain vulnerabilities in a web application while it is running, by sending requests to a deployed instance (normally a test or staging environment rather than production) and observing its responses. DAST is also known as black-box testing because it is performed from the outside, without access to the source code.


Traditional security scanners are proprietary, expensive and difficult to use, and they need a team of AppSec specialists to operate them, which adds to the total cost. Sken.ai takes a different approach: it combines popular, effective and widely used open-source security scanners to dramatically reduce that cost.


Vulnerability scanning is a continuous process that fits throughout an app's software development life cycle (SDLC). Frequent scanning, especially in the early stages of development before further components are layered onto the source code, makes it much easier to fix issues before they become costly problems.
   

Sken.ai also provides IAST (Interactive Application Security Testing). IAST instruments the running application from the inside (an agent in the application runtime) while tests or a DAST crawler exercise it, so it can tell whether a code-level weakness is actually reachable and exploitable in the running app, with the code-level detail that a pure black-box scan lacks. API scanners are often layered over SAST and DAST so that APIs stay secure even after a code or interface change; API scanning focuses on issues such as SQL injection, missing Content-Type headers, misused exception handling and parameter tampering.


For development, typical DevOps toolchains include IDEs such as Microsoft Visual Studio, NetBeans, IntelliJ IDEA, Eclipse and PyCharm; for version control Git, GitHub, GitLab, CVS and SVN; and for the CI/CD pipeline Jenkins, CircleCI, Bamboo, Travis CI, etc. Sken enables security with a simple two-line snippet that turns on the complete range of tests and provides comprehensive testing across all scan types (SAST, DAST, SCA, secrets and more) for all major development languages and frameworks. Developers are notified of security vulnerabilities as they commit and build their code, and Sken.ai helps AppSec and DevOps respond to the alerts, prioritize the issues found and fix them during the code and build process.


A CI/CD pipeline is the series of steps that must be performed to deliver a new version of the software. Continuous integration/continuous delivery (CI/CD) pipelines are a practice focused on improving software delivery using either a DevOps or site reliability engineering (SRE) approach.

A CI/CD pipeline introduces monitoring and automation to improve the process of application development, particularly at the integration and testing phases, as well as during delivery and deployment. Although it is possible to execute each step of a CI/CD pipeline manually, the true value of CI/CD pipelines is realized through automation. A comprehensive set of application security testing (AST) tools helps you test for and remediate security vulnerabilities from within the pipeline.


SecDevOps (also known as DevSecOps and DevOpsSec) is the process of integrating secure development best practices and methodologies into the development and deployment processes that DevOps makes possible. It is commonly described in terms of two parts:
1. Security as Code (SaC).
2. Infrastructure as Code (IaC).

Cybercriminals take no prisoners, and organizations need to find their weaknesses before attackers do. According to cybersecurity experts, SecDevOps, the practice of building secure development methodologies into development and deployment, is the best way to do that.



A website vulnerability is a weakness or misconfiguration in a website or web application's code that allows an attacker to gain some level of control over the site, and possibly the hosting server.

A web application security scanner is a program that performs automatic black-box testing against a web application and identifies security vulnerabilities. Scanners do not access the source code; they exercise the application's functionality and probe it for vulnerabilities. Various paid and free web application vulnerability scanners are available. Security testing is the type of software testing that uncovers the vulnerabilities of a system and determines whether its data and resources are protected from intruders; its goal is to reduce the threats and risks that could cause a loss.





Ruby on Rails is one of the most popular open-source web application frameworks. It is built with the Ruby programming language and helps you build websites.

Ruby on Rails gives Ruby developers a time-saving way to develop code: it is a collection of libraries that offer ready-made solutions for repetitive tasks like building tables, forms or menus on the website. Rails ships with a unit-testing setup (Minitest), and RSpec, a popular alternative, is easy to learn. For security, static analysis scanners such as Brakeman are run against Rails application source code, so any static analysis security tool that understands Ruby can be used to scan a Rails application.


Sken.ai uses OWASP ZAP for dynamic testing. ZAP is an open-source tool offered by OWASP (Open Web Application Security Project) for penetration testing of your website/web application, and it helps you find the security vulnerabilities in it. The OWASP Top 10 security risks your website/application might face, as listed in the 2017 release candidate, are: SQL injection, broken authentication and session management, cross-site scripting (XSS), broken access control, security misconfiguration, sensitive data exposure, insufficient attack protection, cross-site request forgery (CSRF), using components with known vulnerabilities, and underprotected APIs. (The final 2017 list dropped insufficient attack protection, CSRF and underprotected APIs in favour of XML External Entities (XXE), insecure deserialization, and insufficient logging and monitoring.) ZAP provides active scans, alerts, API authentication and verification, and more.

ZAP works as an intercepting proxy, so it lets the user inspect and manipulate all traffic that passes through it, including HTTPS traffic. Its main features are: intercepting proxy, automated (active) scanner, passive scanner, forced browsing (directory brute force), fuzzer, port scanner, spider, WebSocket support and a REST API.

ZAP is an easy-to-use tool. Some more reasons for using it:

1. Suitable for both beginners and professionals

2. Cross-platform: works on Linux, Mac and Windows

3. Reusable: sessions and scripts can be saved and replayed

4. Can generate reports of the results, etc.


A penetration test, also known as a pen test, is a simulated cyberattack against your computer system to check for exploitable vulnerabilities. In the context of web application security, penetration testing is commonly used alongside a web application firewall (WAF): test findings help tune WAF rules, and WAF logs help the tester. In simple terms, a penetration test simulates the process an attacker would use to attack a business network, attached devices, network applications or a business website, with the purpose of identifying security issues before attackers locate and exploit them.




Mobile application security focuses on the software security posture of mobile apps on various platforms like Android, iOS, and Windows Phone. Mobile application security testing involves testing a mobile app in ways that a malicious user would try to attack it. Effective security testing begins with an understanding of the application’s business purpose and the types of data it handles. From there, a combination of static analysis, dynamic analysis, and penetration testing results in an efficient holistic assessment to find vulnerabilities that would be missed if the techniques were not used together effectively.


Here is a list of tools available on the market for the different scan types; sken.ai bundles the open-source ones among them into one place. The original list mixed categories, so the tools are regrouped below by what they actually do:

  • DAST scanning tools:-

  1. OWASP ZAP

  2. Burp Suite

  3. Netsparker

  4. Acunetix

  5. Detectify Deep Scan

  6. AppScan (dynamic analysis)

  7. Veracode (dynamic analysis)

  8. Arachni

  9. w3af

  10. Nikto / Nikto2 (web server scanner)

  11. Grabber

  12. Intruder

  13. Pentest-Tools

  14. Sucuri (SiteCheck)


  • SAST scanning tools:-

  1. SonarQube

  2. Veracode (static analysis)

  3. Fortify Static Code Analyzer

  4. AppScan (static analysis)

  5. Checkmarx

  6. CodeSonar

  7. Brakeman (Ruby on Rails)

  8. Bandit (Python)

  9. Flawfinder (C/C++)

  10. VisualCodeGrepper

  11. RIPS (PHP)

  12. Code Climate

  13. Codacy

  14. Python linters that also catch some security-relevant defects: Prospector, pylint, Pyflakes

  15. JavaScript linters and type checkers: ESLint, JSHint, JavaScript Lint, Flow


  • SCA scanning tools:-

  1. OWASP Dependency-Check

  2. Snyk

  3. bundler-audit (Ruby)


  • Combined platforms covering several scan types (SAST/DAST/SCA), the closest alternatives to sken.ai:-

  1. Checkmarx

  2. Veracode

  3. AppScan

  4. Snyk

  5. Detectify Deep Scan


  • Mobile application security testing (MAST):-

  1. Appknox


  • Infrastructure and network vulnerability scanners (host-level, not application scanners):-

  1. Rapid7 Nexpose

  2. Nessus


  • Ruby on Rails application scanning tools:-

  1. Brakeman

  2. bundler-audit

  3. Code Climate

  4. Codacy


  • Tools from the original list that are useful in security work but are not application security scanners and do not belong in a CI scanning stage: PyCharm and ReSharper (IDE and IDE plugin), Selenium (browser test automation), Gerrit and Crucible (code review), Wireshark (packet capture and analysis), Suricata (network intrusion detection), Grapl (detection and response graph platform), John the Ripper (password cracking), and SQLmap (SQL injection exploitation tool used in manual penetration testing).


How is it different than other tools in market:-

    I have used the sken.ai scanning tool and mention here some features which I liked:

1. No application security expertise is required to use this scanner.

2. Commercial scanners are expensive, so mid-market companies may decide to use open-source scanners. However, open-source scanners are hard to manage: there are too many of them, so it is confusing to select exactly what you need.

3. The scanner landscape includes code-level scanners (SAST, SCA, secrets, license) and test/deploy-level scanners (DAST, containers, API, serverless, etc.). It is extremely difficult for mid-market teams to operationalize scanning with all these scanner types.


The mid-markets need a product that:

  1. Provides app security with no required app-security expertise. 

  2. Is affordable yet manageable.

  3. Supports comprehensive scanning across the application, yet simple to understand and use. 

Sken tackles each of these mid-market requirements. There are three pillars in Sken, and they correspond to these three core requirements.

  • Sken provides a product that can be used by DevOps with no app security experience.

  • Sken packages open-source scanners in a SaaS orchestration layer and automates them in CI/CD. The orchestration layer does the heavy lifting, which makes it simple for the end user to operate.

  • Sken does all scan types. These include:

  1. Code-level scanners like

    1. SAST (Static Application Security Testing) for scanning source code across multiple languages.

    2. SCA (Software Composition Analysis) for scanning open source libraries that are included in your application.

    3. Secrets, for finding hard-coded passwords and keys

    4. License, for checking the licenses of included components

  2. Test level scanners like

    1. DAST (Dynamic Application Security Testing)

  3. Deployment level scanners

    1. Containers

    2. API, etc.



Why should you use Sken.ai:- Because of the number of features it provides: static code analysis, source code review, code complexity analysis and penetration testing, free of cost at the freemium tier (about 300 free scans per month), which makes it a good choice for beginners and small project developers.

What are the integrations possible in sken.ai:- Sken.ai integrates with the CI/CD pipeline in three simple steps: 1. Add Sken.ai to your CI/CD configuration. 2. Write sken.yml as you need. 3. Review issues in the Sken.ai portal. It runs automated open-source scanners for SCA, SAST, DAST, secrets detection and more, including:-

  1. SCA: OWASP Dependency-Check.

  2. SAST: Find-Sec-Bugs, NodeJsScan, Brakeman, Bandit, Gosec, PHP_CodeSniffer, ESLint, TSLint.

  3. DAST: OWASP ZAP

  4. Secrets: Gitleaks, truffleHog.


Here are demos of Sken integration with Jenkins and Travis CI:-

  1. Jenkins integration with Sken:- https://drive.google.com/file/d/1OxpziWQZ6lEZ4Q6c7WYWAw3DTNf9qLd6/view?usp=sharing

  2. Travis CI integration with Sken:-

https://drive.google.com/file/d/1-zEbJ0rwzkR_vpvDkBvTXY4MwRXZcOFX/view?usp=sharing