Laura
#90DaysOfDevOps: Day 2

Day 1 was about reflection & welcome 2023 so my journey starts on Day 2 🙌

Security everywhere all the time 💻

Day 1 was all about the introduction to DevSecOps (development, security, and operations).

The software development life cycle consists of 6 stages:

Analysis -> Design -> Development -> Testing -> Deployment -> Maintenance

What is DevSecOps?
It is a software development approach that automates the integration of security at every phase of the software development lifecycle: from design through integration, testing, deployment, and software delivery.
Security is an integral part of the software development process and has to become the responsibility of every person involved.
It addresses security issues as soon as they emerge, when they are easier, faster, and less expensive to fix (and before they reach production🙌).

We need DevSecOps for various reasons:

  • Developers may use vulnerable or outdated third-party libraries.
  • License issues in dependencies.
  • Sensitive data leaked (for example, a password exposed in the repository).
  • Vulnerable Docker base images.

Security is important for Banking apps, Social Media apps, E-commerce platforms, etc.
There are more security risks nowadays, and many layers and components need securing.
To address this, developers also take responsibility for security (security tasks can be included in normal sprints and iterations), and the security team pivots from being the only security touch point to being a security focus team that helps and supports all the other functions: one big cross-functional, cross-discipline team rather than separate teams.

The security team will:

  • Create security policies and guidelines.
  • Select automation tools for detecting security issues.
  • Train developers and operations.

The developer team will be able to get an automated report on their app's security status and on which issues and vulnerabilities need to be fixed.

So in practice it would look something like this:

  • Pre-commit hooks.
  • Software composition analysis (SCA).
  • Static application security testing (SAST).
  • Dynamic application security testing (DAST).
  • Security and Infrastructure as Code.
  • Secret Management.
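To make the "pre-commit hooks" and "secret management" items concrete, here is an added example (not from the original post or from any tool it mentions) of the kind of check a pre-commit hook runs over staged file contents before git accepts the commit. The detection rules and the sample config file are constructed for illustration; real scanners ship far larger rule sets.

```javascript
// Added example: a minimal secret scanner of the kind a pre-commit hook would run.
// Rules below are illustrative, not a complete or authoritative set.
const PATTERNS = [
  // Constructed pattern: AWS-style access key ids start with "AKIA" + 16 chars.
  { name: 'AWS access key id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: 'Private key block', re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
  { name: 'Hard-coded password assignment', re: /\b(?:password|passwd|pwd)\s*[:=]\s*['"][^'"]{6,}['"]/i },
];

// Shannon entropy in bits per character; long high-entropy tokens are often keys.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Scan file text and return one finding per rule hit, with the 1-based line number.
function findSecrets(text, { entropyThreshold = 4.5, minTokenLength = 32 } = {}) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    for (const { name, re } of PATTERNS) {
      if (re.test(line)) findings.push({ line: idx + 1, rule: name });
    }
    // Generic catch-all: any long base64/hex-looking token with high entropy.
    for (const tok of line.match(/[A-Za-z0-9+/_-]{32,}/g) || []) {
      if (tok.length >= minTokenLength && shannonEntropy(tok) >= entropyThreshold) {
        findings.push({ line: idx + 1, rule: 'High-entropy string' });
        break; // one entropy finding per line is enough
      }
    }
  });
  return findings;
}

// Constructed sample of a config file a developer might accidentally stage.
const SAMPLE = [
  'DB_HOST=localhost',
  'aws_access_key_id = AKIAABCDEFGHIJKLMNOP',
  'password: "correct-horse-battery"',
  'API_TOKEN=abcdefghijklmnopqrstuvwxyz012345',
  'LOG_LEVEL=debug',
].join('\n');

// In a real hook, a non-empty result makes the script exit non-zero so git aborts the commit.
console.log(findSecrets(SAMPLE));
```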

The whole goal is to find security bugs earlier, when they are easier to fix; this shortens the feedback cycle and makes software delivery faster and more cost-effective.

Understanding some concepts
I also learned some cool concepts about Security itself and wanted to share them with you...

What is a vulnerability?

It is a security flaw, glitch, or weakness found in software code that could be exploited by an attacker (threat source).
A software vulnerability is a defect in software that could allow an attacker to gain control of a system. These defects can be because of the way the software is designed, or because of a flaw in the way that it’s coded.
An attacker first finds out if a system has a software vulnerability by scanning it. The scan can tell the attacker what types of software are on the system, whether they are up to date, and whether any of the software packages are vulnerable.
When the attacker finds that out, he or she will have a better idea of what types of attacks to launch against the system.
A successful attack would result in the attacker being able to run malicious commands on the target system.

Types of application and website security weaknesses

Porous defense vulnerabilities
Defensive techniques such as encryption, authentication, and authorization, when implemented correctly, are essential to application security. Porous defense vulnerabilities are the cases where these techniques are missing or implemented incorrectly.
Examples:

  • Weak password encoding.
  • Insufficiently protecting credentials.
  • Missing or single-factor authentication.
  • Sessions that don’t expire.

Risky resource management
These are flaws in how the application manages resources such as memory, functions, and open-source frameworks.

Insecure Interaction Between Components
Many applications today send and receive data across a wide range of services, threads, and processes. The way different components interact with each other can introduce vulnerabilities.

What does Exploit mean?
An exploit is code that takes advantage of a software vulnerability or security flaw.
An attacker can exploit a software vulnerability to steal or manipulate sensitive data, join a system to a botnet, install a backdoor, or plant other types of malware. Also, the attacker could use that host to break into other hosts on the same network.
Some of the most common web-based security vulnerabilities include SQL injection attacks, cross-site scripting, and cross-site request forgery, as well as abuse of broken authentication code or security misconfigurations.
Computer exploits can be categorized in several different ways, depending on how the exploits work and what type of attacks they can accomplish.

What is a Threat?
Software threats are malicious pieces of computer code and applications that can damage your computer, as well as steal your personal or financial information. For this reason, these dangerous programs are often called malware (short for “malicious software”).

Web App Vulnerabilities
I learned about Snyk, which is a developer security platform for securing code, dependencies, containers, and infrastructure as code.
Snyk scans your code, reads through it, and tells you if you have any vulnerabilities in it.

These are the steps I followed to get started:

  1. As a first step, you should create an account in Snyk.
  2. If you use VSC, you can install this Snyk extension.
  3. Once it's installed, you will find the Snyk icon on the left-hand side bar. Click on the icon and start scanning!
  4. Now you will be able to see what the vulnerabilities are and check out how to solve them.

The Snyk extension is super cool: you will be able to visualize the vulnerabilities in the third-party libraries as well as in your own code, see examples of how others fixed those vulnerabilities, and learn which version of the affected package contains the fix.
To learn this, I worked with the Snyk Nodejs Goof project, and it would look something like this:


Conclusion
I found this 2nd day (technically the first one😬) very interesting.
I learned so many new concepts and got a better understanding of security, why it is important, and how the 3 teams (developers, security, and operations) can collaborate and work together to obtain better results: a cost-effective process (saves time and reduces costs by minimizing the need to repeat a process to address security issues after the fact), improved proactive security (issues are addressed as soon as they are identified), and the ability to quickly manage newly identified security vulnerabilities.
And finally, I was able to add a layer of security to my development process with the Snyk tool, scan my projects, and write safer and more robust code!

See you on day 3, so excited to continue learning about security✨
