In today’s rapidly evolving software landscape, ensuring security is not just an afterthought but a critical part of the development lifecycle. DevSecOps—integrating security practices into DevOps processes—aims to automate and streamline security within the CI/CD pipeline. This article provides a comprehensive tutorial on incorporating security checks into CI/CD pipelines using Azure DevOps and Jenkins. We’ll cover tools and techniques for continuous security monitoring and compliance, offering practical steps and real-world examples.
Introduction
The DevSecOps approach ensures that security is embedded at every stage of the software development lifecycle, from planning and development to delivery and operations. By integrating security into CI/CD pipelines, organizations can detect and mitigate vulnerabilities early, ensuring robust and secure software releases.
Setting Up Security in Azure DevOps
Azure DevOps provides a suite of tools to help integrate security into your CI/CD pipelines. Below, we outline the steps to incorporate security checks using Azure DevOps.
Step 1: Set Up a Basic CI/CD Pipeline
- Create a New Pipeline:
- Navigate to Azure DevOps and select your project.
- Go to Pipelines and click on “New pipeline”.
- Choose your repository source (e.g., Azure Repos, GitHub).
- Define Your Pipeline Configuration:
- Use the YAML syntax to define your pipeline configuration.
trigger: branches: include: - main pool: vmImage: 'ubuntu-latest' steps: - task: UseDotNet@2 inputs: packageType: 'sdk' version: '5.x' installationPath: $(Agent.ToolsDirectory)/dotnet - script: dotnet build --configuration Release displayName: 'Build Project' - task: PublishBuildArtifacts@1 inputs: PathtoPublish: '$(Build.ArtifactStagingDirectory)' ArtifactName: 'drop'
Step 2: Integrate Security Tools
- Static Application Security Testing (SAST):
- Incorporate a SAST tool like SonarQube to analyze your code for security vulnerabilities.
steps: - task: SonarQubePrepare@5 inputs: SonarQube: 'SonarQubeServer' scannerMode: 'MSBuild' projectKey: 'my-project' projectName: 'My Project' - script: dotnet build --configuration Release displayName: 'Build Project' - task: SonarQubeAnalyze@5 - task: SonarQubePublish@5 inputs: pollingTimeoutSec: '300' - Dependency Scanning:
- Use tools like WhiteSource or OWASP Dependency-Check to scan for vulnerable dependencies.
steps: - task: WhiteSourceBolt@20 inputs: cwd: '$(System.DefaultWorkingDirectory)' product: 'my-product' project: 'my-project'
Step 3: Implement Dynamic Application Security Testing (DAST)
- DAST with OWASP ZAP:
- Use OWASP ZAP for dynamic security testing.
steps: - script: | wget https://github.com/zaproxy/zaproxy/releases/download/v2.10.0/ZAP_2_10_0_unix.sh chmod +x ZAP_2_10_0_unix.sh ./ZAP_2_10_0_unix.sh -q -dir /zap displayName: 'Download and Install OWASP ZAP' - script: | /zap/zap.sh -daemon -config api.disablekey=true -config scanner.threadPerHost=10 -config view.mode=attack -port 8090 -host 0.0.0.0 -config connection.dnsTtlSuccessfulQueries=0 displayName: 'Start OWASP ZAP' - script: | while ! nc -z localhost 8090; do sleep 1 done displayName: 'Wait for ZAP to start' - script: | zap-cli --zap-url http://localhost -p 8090 quick-scan http://my-application-url displayName: 'Run ZAP Scan' - script: | zap-cli --zap-url http://localhost -p 8090 report -o zap_report.html -f html displayName: 'Generate ZAP Report'
Step 4: Continuous Monitoring and Compliance
- Security Information and Event Management (SIEM):
- Integrate with a SIEM tool like Azure Sentinel to monitor security events and alerts continuously.
steps: - script: | az sentinel alert create --resource-group myResourceGroup --workspace-name myWorkspace --alert-rule myAlertRule displayName: 'Create SIEM Alert' - Compliance as Code:
- Use tools like InSpec or Chef Compliance to enforce compliance policies.
steps: - task: InSpec@1 inputs: target: 'https://my-application-url' profile: 'compliance-profile'
Setting Up Security in Jenkins
Jenkins is a widely used CI/CD tool that can also be configured for DevSecOps practices. Here’s how you can integrate security checks in Jenkins.
Step 1: Set Up a Basic Pipeline
- Create a New Pipeline:
- Open Jenkins and create a new pipeline job.
- Configure your SCM (e.g., Git) repository.
-
Define Your Pipeline Script:
pipeline { agent any stages { stage('Build') { steps { script { // Build steps sh 'dotnet build --configuration Release' } } } stage('Publish Artifacts') { steps { archiveArtifacts artifacts: '**/target/*.jar', allowEmptyArchive: true } } } }
Step 2: Integrate Security Tools
- Static Code Analysis:
- Integrate SonarQube for static code analysis.
pipeline { agent any stages { stage('Build') { steps { script { // Build steps sh 'dotnet build --configuration Release' } } } stage('SonarQube Analysis') { steps { script { // SonarQube steps withSonarQubeEnv('SonarQubeServer') { sh 'dotnet sonarscanner begin /k:"my-project" /d:sonar.login="${env.SONAR_TOKEN}"' sh 'dotnet build' sh 'dotnet sonarscanner end /d:sonar.login="${env.SONAR_TOKEN}"' } } } } stage('Publish Artifacts') { steps { archiveArtifacts artifacts: '**/target/*.jar', allowEmptyArchive: true } } } } - Dependency Scanning:
- Use OWASP Dependency-Check for dependency scanning.
pipeline { agent any stages { stage('Build') { steps { script { // Build steps sh 'dotnet build --configuration Release' } } } stage('Dependency Check') { steps { script { // Dependency-Check steps dependencyCheck additionalArguments: '--project "my-project" --scan "**/*.csproj" --out "dependency-check-report.html"' } } } stage('Publish Artifacts') { steps { archiveArtifacts artifacts: '**/target/*.jar', allowEmptyArchive: true } } } }
Step 3: Implement Dynamic Security Testing
- DAST with OWASP ZAP:
- Use OWASP ZAP for dynamic application security testing.
pipeline { agent any stages { stage('Build') { steps { script { // Build steps sh 'dotnet build --configuration Release' } } } stage('Run OWASP ZAP') { steps { script { // OWASP ZAP steps sh 'wget https://github.com/zaproxy/zaproxy/releases/download/v2.10.0/ZAP_2_10_0_unix.sh' sh 'chmod +x ZAP_2_10_0_unix.sh' sh './ZAP_2_10_0_unix.sh -q -dir /zap' sh '/zap/zap.sh -daemon -config api.disablekey=true -config scanner.threadPerHost=10 -config view.mode=attack -port 8090 -host 0.0.0.0 -config connection.dnsTtlSuccessfulQueries=0' sh 'while ! nc -z localhost 8090; do sleep 1; done' sh 'zap-cli --zap-url http://localhost -p 8090 quick-scan http://my-application-url' sh 'zap-cli --zap-url http://localhost -p 8090 report -o zap_report.html -f html' } } } stage('Publish Artifacts') { steps { archiveArtifacts artifacts: 'zap_report.html', allowEmptyArchive: true } } } }
Step 4: Continuous Monitoring
and Compliance
- Integrate with SIEM Tools:
- Use Jenkins plugins to integrate with SIEM tools like Splunk or Elastic Stack.
pipeline { agent any stages { stage('Build') { steps { script { // Build steps sh 'dotnet build --configuration Release' } } } stage('SIEM Integration') { steps { script { // SIEM steps splunkins_send data: 'Security event: build completed', source: 'jenkins', sourcetype: '_json', index: 'main' } } } stage('Publish Artifacts') { steps { archiveArtifacts artifacts: '**/target/*.jar', allowEmptyArchive: true } } } } - Compliance as Code:
- Use Jenkins to run compliance checks with tools like InSpec or Chef Compliance.
pipeline { agent any stages { stage('Build') { steps { script { // Build steps sh 'dotnet build --configuration Release' } } } stage('Compliance Check') { steps { script { // InSpec compliance check sh 'inspec exec compliance-profile' } } } stage('Publish Artifacts') { steps { archiveArtifacts artifacts: '**/target/*.jar', allowEmptyArchive: true } } } }
Conclusion
Integrating security into the CI/CD pipeline through DevSecOps practices ensures that vulnerabilities are identified and mitigated early in the development process. Azure DevOps and Jenkins provide robust platforms to embed security checks using a variety of tools and techniques. By following the steps outlined in this article, you can enhance the security posture of your applications and ensure continuous security monitoring and compliance.
For more hands-on experience and advanced techniques, consider joining our Advanced DevOps training program, where we cover DevSecOps practices and other essential DevOps tools in depth.
About the Author
Hello! I’m Basil Varghese, a seasoned DevOps professional with 16+ years in the industry. As a speaker at conferences like Hashitalks: India, I share insights into cutting-edge DevOps practices. With over 8 years of training experience, I am passionate about empowering the next generation of IT professionals.
In my previous role at Akamai, I served as an ex-liaison, fostering collaboration. I founded Doorward Technologies, which became a winner in the Hitachi Appathon, showcasing our commitment to innovation.
Let’s navigate the dynamic world of DevOps together! Connect with me on LinkedIn for the latest trends and insights.
DevOps Door is here to support your DevOps and SRE learning journey. Join our DevOps training programs to gain hands-on experience and expert guidance. Let’s unlock the potential of seamless software development together!