Author- Faheem Javed
This tutorial is adapted from the Web Age course Introduction to Devsecops.
DevOps is a collaboration between development and operational teams that supports the software development lifecycle (SDLC) from code creation through product deployment.
DevOps streamlines the SDLC but does not, by itself, ensure that the deployed software is:
- Free of security concerns,
- Free of licensing issues
DevSecOps integrates security as a goal into the DevOps process by:
- Identifying SW components with known security vulnerabilites that are being used in product builds
- Identifying written code that includes patterns of usage with known security vulnerabilites
DevSecOps goals are acheived through shifts in tools and culture that allow the development, security and operations teams to work together on security concerns throughout the SDLC pipeline.
Implementing DevSecOps involves:
- Scanning of SW code and dependencies,
- Reporting when vulnerabilities are uncovered,
- Keeping vulnerable SW from being put into production,
- Mitigating vulnerabilites so that SW can be put into production
SDLC software development lifecycle
CVE Common Vulnerabilities and Exposures(/Enumerations) program, they catalog software and firmware vulnerabilities and assign each vulnerability a unique id.
A vulnerability is a mistake in software code that provides an attacker with direct access to a system or network. It could allow an attacker to pose as a super-user or system administrator with full access privileges.
An exposure is a mistake that gives an attacker indirect access to a system or network. It could allow an attacker to gather customer information that could be sold.
The Jfrog Platform includes
- Artifactory Repository- A repository that can be used to hold everything from source code to deployment packages
- XRay- A tool that scans software dependencies for security vulnerabilities. It can also scan software for licensing issues
The two tools can be setup to work together, for example: Xray can scan for vulnerabilities whenever a new software packages is uploaded to the Artifactory repository.
XRay is a software composition analysis (SCA) tool. It manages security risks and licensing issues related to open source components. It scans applications as they are built to produce an inventory of dependencies – components and code libraries that the application uses. Xray compares each dependency against a list of components with known security vulnerabilities. Xray can be configured to take action based on known vulnerabilities by generating reports about the vulnerabilities and disabling the use of the application.
XRay scans artifacts, builds and release bundles for security vulnerabilities and license compliance.
XRay comes with JFrog’s own vulnerabilities database. It also uses data from the industry-standard VulnDB vulnerabilities database.
Software management is made up of many concerns including:
Software license compliance
- Is the SW being used covered by valid licenses?
- Do we need to purchase additional licenses?
- Are the licenses we do have being utilized effectively?
SW security management
- Does the SW being created or used include security vulnerabilites?
- Can we reduce vulnerability by using different components?
- Taking action when vulnerabilites are uncovered
How Security Vulnerabilities are handled by XRay:
- Xray includes a database of vulnerabilities that is synchronized with their central database on a daily basis
- Builds and release bundles are analyzed to create an index of dependencies
- The vulnerability db is used to identify dependencies that map to known vulnerabilities
- Security “Policies” define actions to take when vulnerabilities are uncovered
- “Watches” define which vulnerabilities you consider important
- When a “watch” uncovers a vulnerability XRay saves a “Violation” record. Violation records can be viewed in the Xray user interface.
Ongoing Impact Analysis: When a new vulnerability or license is added to the Xray Database, Xray immediately identifies all of the impacted artifacts, and runs the relevant policies to continuously protect your artifacts, builds, and Release bundles.
JFrog Xray’s License Management provides a comprehensive list of open-source licenses existing on the market and provides an indication of which scanned artifacts use each license. Using Xray’s License Management, you can also create custom licenses that you can assign to components at any time.
License compliance is important for:
- Evaluating net worth including products and IP (intellectual property)
- Listing all licenses involved in existing products/services
- Tracking open source software usage related to new products
How License Compliance issues are handled by XRay:
- Xray includes a list of license types and allows creation of custom licenses as well
- Your product builds and release bundles are automatically analyzed by XRay to create a list of components and their licenses
- With this information XRay can produce a complete license report for each product (or component)
- License reports can be exported in various formats as needed
JFrog Xray’s License Management provides a comprehensive list of open-source licenses existing on the market, and provides an indication of which scanned artifacts use each license. Using Xray’s License Management, you can also create custom licenses which you can assign to components at any time.
Xray creates a component graph representing build artifacts and their dependencies.
The component graph can be viewed in the GUI or retrieved in JSON format using the REST interface.
Policy violations are determined by checking all dependencies against a database of known vulnerabilities.
impact analysis graph
XRay Policies have:
- Policy Name
- Type
- List of Policy Rules
Multiple rules can be attached to the same policy. Rules allow a policy to target vulnerabilities with a given range of severities.
Policy Rules include:
- Rule name
- Criteria:Minimal Severity to be considered or, CVSS Score
- Automatic Actions
Automatic actions can be any of these types: Generate Violation, Trigger WebHook, Notify Watch Recipients, Notify Deployer, Notify Email, Block Download, Block Release Distribution, Fail Build
For example: A policy rule targeting HighSeverity vulnerabilites might take these actions if a vulnerability is found in a build artifact:
- Generate a Violation record that can be reported on
- Notify individuals by email of the violation
- Block the download of the build’s artifacts
Watches define the resources on which to apply policies
Watches include:
- Name and Description
- Watch Recipients (list of emails)
- Lists of managed resources (repositories, builds and bundles) that the Watch applies to
- List of policies to be applied for the listed resources
In a perfect world a CI pipeline runs all the way from start to finish:
- Start: Code is checked in
- Finish: Deployable package is saved in a repository
There are several factors though that can be set up to stop the action before the pipeline has completed its work:
- Static code analysis
- Build process failure
- Unit tests
- Security vulnerabilities scan
These events can act as a gateway that either stops the build or promotes to the next stage in the pipeline
Jfrog’s Xray can be called from a build server to determine if build artifacts are safe to deploy and use. Scanning for vulnerabilites can be done as a build-server task. Then, if vulnerabilities are found the build server can be instructed to automatically fail the build.
In Xray:
- Configure a Watch for the expected Build artifacts
- The Watch should include a Policy with a “Fail Build” action
Jenkins
- Configure a build job that uses the “Jenkins Artifactory Plug-in” to request an Xray scan of the build artifacts
- Alternately the Jfrog CLI or REST API can be used to trigger the scan from a Jenkins tasks
In this tutorial, we covered:
- DevOps
- DevSecOps
- What is XRay
- Software Management
- Security and License Compliance with XRay
- XRay Component Graph
- XRay Policies
- XRay Watches
- Mandatory CI Gates
- Triggering XRay from a Build Server
