DevSecOps Tools of the trade
In the previous post, we walked through the different stages of the DevSecOps pipeline and looked at the security controls introduced at each stage, their necessity, and the security concerns they address.
The many tools used at various stages of the pipeline shown below will be covered in this post.
Below is the sample pipeline we referred to in the last post.
Let’s run through the various DevSecOps tools that we can use at different stages in the pipeline.
DevSecOps tool categories
A) Pre-push/pre-commit hooks
There have been numerous instances of sensitive information such as passwords, AWS keys, access tokens and SSH keys being leaked through public source code repositories via git commits. This can be avoided with pre-commit or pre-push hooks: the hook inspects the staged changes for sensitive information and rejects the commit or push before it reaches the repository.
The following tools can be used:
- Truffle Hog – https://github.com/trufflesecurity/trufflehog
- Talisman – https://github.com/thoughtworks/talisman
- Git Hooks – https://githooks.com/
- Git Secrets – https://git-secret.io/
- Pre-Commit – https://pre-commit.com/
- Git Hound – https://github.com/ezekg/git-hound
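A minimal pre-commit hook of the kind described above, added here as an illustration (it is not from the post or from any of the tools listed); the `SECRET_PATTERNS` regexes and the `scan_added_lines` helper are hypothetical and deliberately narrow compared with what the listed tools detect:

```shell
#!/bin/sh
# Added example: a minimal pre-commit hook that refuses a commit when the
# staged diff contains secret-looking strings. Not from the post or any tool
# listed there. Install: copy to .git/hooks/pre-commit and chmod +x it.

# Constructed patterns (hypothetical, deliberately narrow): AWS access key IDs,
# PEM private-key headers, and quoted password/secret/api_key assignments of
# eight or more characters. Production hooks should use a real scanner.
SECRET_PATTERNS="AKIA[0-9A-Z]{16}|-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----|(password|secret|api_key)[[:space:]]*=[[:space:]]*['\"][^'\"]{8,}"

# scan_added_lines: reads unified-diff text on stdin, prints each added line
# that matches a pattern, returns 1 if anything matched and 0 otherwise.
scan_added_lines() {
    # Keep only '+' lines, skipping the '+++ b/file' header, then match.
    hits=$(grep -E '^\+[^+]' | grep -Ei -- "$SECRET_PATTERNS" | sed 's/^+//')
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Hook entry point: only runs when invoked inside a git repository, so the
# helper above can also be sourced and exercised on its own.
if git rev-parse --git-dir >/dev/null 2>&1; then
    if ! git diff --cached -U0 | scan_added_lines; then
        echo "pre-commit: possible secret in staged changes; commit blocked" >&2
        echo "pre-commit: remove it or move it to a secret store, then retry" >&2
        exit 1
    fi
fi
```

The same helper works as a pre-push hook by feeding it `git diff <remote-ref>..HEAD` instead of the staged diff.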
B) Secret scanning
The following tools are widely used for scanning the secrets present in the code:
- GitLeaks – https://github.com/zricethezav/gitleaks
- Whispers – https://github.com/Skyscanner/whispers
- Gittyleaks – https://github.com/kootenpv/gittyleaks
- Detect-Secrets – https://github.com/Yelp/detect-secrets
- SpectralOps – https://spectralops.io/
Apart from the above, several of the tools listed under pre-push/pre-commit hooks can also scan an entire repository, including its history, for secrets.
C) Secret storage and management
To keep secrets out of the repository altogether, store and manage them in a dedicated secret store such as one of the following:
- Hashicorp Vault – https://www.vaultproject.io/
- AWS Secrets Manager – https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html
- Cloud KMS – https://cloud.google.com/security-key-management
- Azure Key Vault – https://azure.microsoft.com/en-us/services/key-vault/
- Confidant – https://lyft.github.io/confidant/
- Keywhiz – https://github.com/square/keywhiz
- Knox – https://github.com/pinterest/knox
D) Software composition analysis (SCA)
SCA identifies known vulnerabilities in the open-source software (OSS) components an application depends on. The following tools are widely used:
- OWASP Dependency Check – https://owasp.org/www-project-dependency-check/
- Sonatype OSS Index – https://ossindex.sonatype.org/
- Snyk – https://snyk.io/
- Mend (formerly WhiteSource) – https://www.mend.io/
- Black Duck – https://www.synopsys.com/software-integrity/security-testing/software-composition-analysis.html
- Veracode – https://www.veracode.com/products/software-composition-analysis
- JFrog Xray – https://jfrog.com/xray/
E) Static application security testing (SAST)
SAST tools analyze source code without running it and help identify vulnerabilities present in the code.
Though many SAST tools are available, the most widely used are:
- SonarQube – https://www.sonarqube.org/
- Semgrep – https://github.com/returntocorp/semgrep
- Snyk – https://snyk.io/product/snyk-code/
- CloudDefense – https://www.clouddefense.ai/sast-static-application-security-testing
- Fortify – https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer
- OWASP ASST – https://owasp.org/ASST/
- Veracode – https://www.veracode.com/products/binary-static-analysis-sast
If you are looking for tools that cover a specific programming language, the OWASP list is a good reference point: https://owasp.org/www-community/Source_Code_Analysis_Tools.
F) Infrastructure as code (IaC) and container scanning
IaC and container scans catch misconfigurations before deployment, such as unnecessarily exposed network interfaces, containers that allow privilege escalation, and compliance violations.
One can use the following tools for this scanning:
- Checkov – https://www.checkov.io/
- Trivy and tfsec by Aqua Security – https://www.aquasec.com/cloud-native-academy/devsecops/infrastructure-as-code-iac/
- TFLint and Terrafirma – specifically for Terraform.
- Dockle and Dockscan – specifically for Docker.
- CloudSploit – for CloudFormation.
G) Dynamic application security testing (DAST)
DAST tools test a running application from the outside. The following are prominent tools for performing DAST scans:
- OWASP ZAP – https://owasp.org/www-project-zap/
- Burp Suite – https://portswigger.net/burp
- Acunetix – https://www.acunetix.com/
- Qualys – https://www.qualys.com/
- Arachni – https://www.arachni-scanner.com/
- Nikto – https://www.cirt.net/Nikto2
H) Infrastructure scanning
The following tools can be used for scanning the underlying hosts and network infrastructure for known vulnerabilities:
- OpenVAS – http://openvas.org/
- Nessus – https://www.tenable.com/products/nessus
- Qualys – https://www.qualys.com/
I) Compliance scanning
To demonstrate compliance with regulations such as PCI DSS and HIPAA, organizations can use the following tools:
- InSpec – https://www.inspec.io/
- Serverspec – https://serverspec.org/
- DevSec Hardening Framework – https://dev-sec.io/
- Kitchen CI – https://kitchen.ci/
J) Vulnerability management
The following tools can be used to manage and track vulnerabilities discovered in the pipeline:
- ArcherySec – https://github.com/archerysec/archerysec
- DefectDojo – https://www.defectdojo.org/
- Qualys – https://www.qualys.com/apps/vulnerability-management-detection-response/
- Rapid7 InsightVM – https://www.rapid7.com/info/introducing-insightvm/
We have gone through various tools that can be used to integrate security into the DevOps pipeline. Some are open source, while others are commercial; selecting the right tool for your budget, environment and setup is paramount.
References
- Top 9 Secret Management Tools for 2022, Security Boulevard
- Best DevSecOps Tools, pcwdld.com
- 9 DevSecOps Scanning Tools to Keep the Bad Guys at Bay, CybersecAsia
- Source Code Analysis Tools, owasp.org
- Vulnerability Management, gartner.com
- The DevOps Guide to Vulnerability Management Tools, spectralops.io