Avishkar Nikale who is Senior Technical Architect at LTI took a Session on "DevSecOps with GitLab" at Global Testing Retreat #ATAGTR2019
Please refer our following post for session details:
https://atablogs.agiletestingalliance.org/2019/12/06/global-testing-retreat-atagtr2019-welcomes-avishkar-nikale-as-our-esteemed-speaker/
2. About me
• Senior Technical Architect, DevSecOps Consultant
• Instrumental in various initiatives for Enterprise Agility
& enabling DevOps for Enterprise Applications
• AWS Certified Cloud Practitioner
• Certified Cloud DevOps Engineer
• Certified AI with Python Programmer
• https://www.youtube.com/watch?v=q49swr5Vhw0
3. What is DevSecOps?
DevSecOps integrates security best practices in the
DevOps workflow.
DevSecOps automates security workflows to create an
adaptable process for your development and security
teams.
4. Why is DevSecOps needed?
Balancing business velocity with security is possible.
With GitLab, DevSecOps architecture is built into the CI/CD process.
Every merge request is scanned through its pipeline for vulnerabilities in your
code and its dependencies. This enables some magic to happen.
5. Benefits of DevSecOps
Every piece of code is tested upon commit, without
incremental cost.
The developer can remediate now, while they are still
working in that code, or create an issue with one click.
The dashboard for the security pro is a roll-up of
vulnerabilities remaining that the developer did not
resolve on their own.
Vulnerabilities can be efficiently captured as a by-product of
software development.
A single tool also reduces cost compared with buying,
integrating and maintaining point solutions.
6. What Are The GitLab Advantages?
Contextual. Unlike traditional application security tools primarily intended for use by security pros,
GitLab secure capabilities are built into the CI/CD workflows where the developers live. We
empower developers to identify vulnerabilities and remove them early, while at the same time,
providing security pros a dashboard to view items not already resolved by the developer, across
projects.
Congruent with DevOps processes. GitLab secure capabilities support the decision-makers, within
their natural workflow. Reports are interactive, actionable, and iterative and, most important,
immediate and relevant to the changes made. Developers immediately see the cause and effect of their
own specific changes so they may iteratively address security flaws alongside code flaws.
Integrated with DevOps tools. When triaging vulnerabilities, users can confirm (creating an issue to
solve the problem), or dismiss them (in case they are false positives or there are compensating
controls). When using GitLab, no additional integration is needed between app sec and ticketing,
CI/CD, etc.
Efficient and automated. Eliminates mundane work wherever possible. Auto remediation applies
patches to vulnerable dependencies and even re-runs the pipeline to evaluate the viability of the
patch.
7. Capabilities
Static Application Security Testing (SAST): Finds vulnerabilities early in the development
process, allowing them to be fixed before deployment
Dynamic Application Security Testing (DAST): Once code is deployed, tests the running web
application against a further set of possible attacks that only appear at runtime
Dependency Scanning: Automatically finds security vulnerabilities in your dependencies while you
are developing and testing your applications, such as when you are using an external (open source)
library with known vulnerabilities
Container Scanning: Analyze your container images for known vulnerabilities
Auto Remediation: Auto remediation aims to automate the vulnerability resolution flow and
automatically create a fix. The fix is then tested, and if it passes all the tests already defined for the
application, it is deployed to production.
Secret Detection: There are several types of secrets that need to be protected. Each commit is
scanned for secrets within SAST.
IAST and Fuzzing: Future features GitLab will be adding to its Security capabilities, see the visions
for IAST and Fuzzing
8. Continuous security testing within CI/CD
Static Application Security Testing (SAST)
Scan the application source code and binaries to spot
potential vulnerabilities.
Because these open source tools are installed as part of
GitLab Ultimate, there are no added costs.
Vulnerabilities are shown in-line with every merge
request and results are collected and presented as a
single report.
Evaluate vulnerabilities from the GitLab pipeline and
dismiss or create an issue with one click.
9. Continuous security testing within CI/CD
Dynamic Application Security Testing (DAST)
Dynamic scanning earlier in the SDLC than ever possible,
by leveraging the review app CI/CD capability of GitLab.
Test running web applications for known runtime
vulnerabilities.
Users can provide HTTP credentials to test private areas.
Vulnerabilities are shown in-line with every merge
request.
10. Continuous security testing within CI/CD
Dependency Scanning
Analyze external dependencies (e.g. libraries like Ruby
gems) for known vulnerabilities on each code commit
with GitLab CI/CD.
Identify vulnerable dependencies needing updating.
Vulnerabilities are shown in-line with every merge
request.
12. Continuous security testing within CI/CD
Container Scanning
Check Docker images for known vulnerabilities in the
application environment.
Avoid redistribution of vulnerabilities via container
images.
Vulnerabilities are shown in-line with every merge
request.
13. Continuous security testing within CI/CD
License Compliance
Automatically search project dependencies for approved
and blacklisted licenses defined by your policies.
Custom license policies per project.
License analysis results are shown in-line for every merge
request for immediate resolution.
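As an added example, not part of the talk and not one of GitLab's own templates, the following `.gitlab-ci.yml` wires the scanners from slides 7 to 13 into a single pipeline: GitLab-maintained templates supply the SAST, secret detection, dependency scanning, container scanning, license compliance and DAST jobs; the project builds and pushes its own image so container scanning inspects exactly what will ship; a review app is deployed per branch; and DAST scans that review app, logging in with credentials held as masked CI/CD variables so private areas are covered. Template and variable names are those in current GitLab documentation; the separate Secret-Detection template post-dates the 2019 talk, when secret detection ran inside the SAST job. The image name, the review-app hostname `review.example.com`, the `./deploy-review.sh` script, the login form field names and the `REVIEW_USER`/`REVIEW_PASSWORD` variable names are assumptions.

```yaml
# Added example (not from the talk): one pipeline running every scanner
# from slides 7-13 on each merge request. Assumed: the review-app host
# review.example.com, ./deploy-review.sh, and REVIEW_USER/REVIEW_PASSWORD.
stages:
  - build
  - test      # sast, secret_detection, dependency_scanning,
              # container_scanning and license_scanning run here
  - review
  - dast

# Run the pipeline for merge requests and for the default branch, so the
# merge request widget shows new findings and the default branch feeds
# the Security Dashboard.
workflow:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

variables:
  DOCKER_DRIVER: overlay2
  # Paths the SAST analyzers skip: test fixtures and vendored code would
  # otherwise produce findings the developer cannot act on.
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, vendor"

# GitLab-maintained job definitions; each uploads a gl-*-report.json
# artifact that the merge request and the Security Dashboard render.
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml

# Build the image container scanning will inspect. Tagging with the commit
# SHA ties each scan result to exactly one commit and merge request.
build:
  stage: build
  image: docker:19.03
  services:
    - docker:19.03-dind
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"

# Point the template's container_scanning job at the image just built.
container_scanning:
  needs: [build]
  variables:
    CS_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA

# Review app: a per-branch deployment that DAST can probe before merge.
# The DAST template reads environment_url.txt when DAST_WEBSITE is unset,
# so the job records the URL it deployed to.
review:
  stage: review
  script:
    - ./deploy-review.sh "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"   # assumed deploy script
    - echo "https://$CI_COMMIT_REF_SLUG.review.example.com" > environment_url.txt
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    url: https://$CI_COMMIT_REF_SLUG.review.example.com
  artifacts:
    paths:
      - environment_url.txt

# DAST against the review app, logging in so private areas are covered.
# Credentials come from masked, protected CI/CD variables set in the
# project settings; they never appear in the repository or the job log.
dast:
  stage: dast
  needs: [review]
  variables:
    DAST_AUTH_URL: https://$CI_COMMIT_REF_SLUG.review.example.com/login
    DAST_USERNAME: $REVIEW_USER
    DAST_PASSWORD: $REVIEW_PASSWORD
    DAST_USERNAME_FIELD: username   # assumed form field names
    DAST_PASSWORD_FIELD: password
```

Because `workflow:rules` limits pipelines to merge requests and the default branch, every merge request gets the full set of scans, and the reports the jobs upload as artifacts (`gl-sast-report.json`, `gl-dast-report.json` and the others) are what the merge request widget and the Security Dashboard render. Scoping container scanning to the commit-tagged image and DAST to the branch's review app is what lets a finding be attributed to the specific change that introduced it, which is the "immediate and relevant to the changes made" point from slide 6.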
15. Help and More Information
Please see Get help for GitLab if you have questions
Security Dashboard demo
Deep Dive into a Security demo
Static Application Security Testing
Dynamic Application Security Testing
Dependency Scanning
Container Scanning
License Compliance
See how integration is the key to successful DevSecOps
See how we compare against other Security tools