BSidesNCL 2020 - Shift Left with DevSecOps: Scanning every single code change - @logicbomb_1

take away my uh yeah so i think uh i'm good to go uh i will just add my leftovers and fine uh again again thank you guys for for having me and giving this opportunity to share my talk uh so my talk title is basically shift left with dev dancer cops scanning every single code change so before you know before going to the depth of the topic let's understand let's first let me introduce myself uh myself uh you can find me on twitter and medium within handed s logic boom underscore one uh i've been doing infrastructure for past five years uh for for more than five years right and now i'm a i'm a cyber security speaker i've been

speaking in various conferences and meetups i'm an active blogger you can find my blogs on medium with handless logic bomb underscoring i've been actively writing on various stuff around infosec devs equals data breaches and data privacy issues so i i usually uh my free time is uh try to break application logics try to bypass them and uh this is something which uh keeps me you know motivated to learn various things i've been recently featured in various news medicine and articles uh recently got uh covered in force bbc uh z that techcrunch for for the work that i do in infosec uh for the type of uh data breaches and data privacy issues that i find

i've been acknowledged and uh honored by uh companies like google nasa yahoo european sun government u.s and uh uk government as well and some of the top companies of india so this is about me uh no but before jumping to the title uh of the topic the the first two words uh basically the first word of the talk is basically shift left now before moving to the depth of the topics list and understand what that word mean uh what is shift left so let's get to do the journaling meaning of shift left so all of you all of us have seen red light uh in the in the in the traffic turning right uh traffic light standing right to

stop you know us from from parking from from crossing the road uh have you ever wondered why only the red color being used uh to stop the vehicles in the traffic in the traffic light and uh you know you you must have seen rainbow uh you know coming in during the day and uh sun season uh have you ever wondered why only the red color comes at the last of the of the rainbow why the color red always come to the end of the rainbow so the the scientific reason behind is that because the red color has the largest wavelength so because the red color has the largest wavelength they it travels to a larger

distance hence it comes hence it comes at the end of the at the end of that rainbow so it basically means when you move or when you increase some distance uh you are moving away from the source and that is you are moving towards the right side you are moving to the right side so whenever you bring something close to the source that is when you move to the left side that's basically uh means you are shifting through the left shape and that basically means you are shifting to the to close the source so this is what generic meaning of shift lab is now coming to the term what shift left means in in computer

world in technology so when you bring your security process uh in in in the in your as you recycle or in your release process as close as your developers or as follows as to the source it basically means strictly so when you bring your your security testing your security checks your vipt pen testing all kind of those security work workflows as close to the to the to the developers or as close to the hdlc cycle uh as close to the starting of the street cycle that means you are shifting left on the cycle that means you are shifting left uh in the in the complete process so that is what we mean by shift left in the depths of corpse i i

hope we must be aware of what that's a cough scenes i think uh they have been talks in in these sets uh itself when people when when when speakers are told about what that exactly mean so it brings me to a code where uh i i quote that uh securities should not be traded as an afterthought so what traditionally happens that security always come at the end of the cycle uh how companies release their product or how companies release their futures functionality is that after everything is done after the code is dependent production after the release has gone live after the future has gone into production then the security testing starts happening then security team comes into picture

they do security testing security checks vpd and all all all kind of those checks what brings me to this what bring shift lab basically means security should not be treated as an afterthought security should not be taken as something which people can assume that it can happen after everything happens why why the the reason why we should not treat security as an afterthought why we should bring security as close to the truth to the developers or why we should bring uh security uh at the starting of the hdl cycle this graph clearly shows that what is the cost if you are if you are doing security testing or if you are you know involving security checks at

the end of the sdrcc cycle so suppose uh how how typical as you as a circuit looks like it's basically uh you know but first of all information gathering happens then product team with the developers they design the future and they give they ship it to the developers developer develop the future and then it goes to qa q it does the keyword testing and then finally it goes to interactive for the deployment of production and at the at the last say that the security teams comes to to test uh the future from the security perspective now what actually happens that suppose security teams find some vulnerability now what will happen that that that that vulnerability or

that core fix will again now go to qa qa will uh qa will test it and then it will again go to developers develop will have to fix it and then basically the complete cycle is now getting repeated uh now again developer has to fix that code it will again go to qaq has to test it and then it will come to secure test security teams to check for the security vulnerabilities so what actually happening is here is that when we are involving security checks or when we are involving uh security testing at the end of the cycle we are doubling our effort and we are doubling up our time we are actually repeating the hdl cycle

again and again so that what this graph suggests so it grabs the graph so that as we as we move the security away uh from the source or as we move away from the source the cost of or the cost of security that is the cost of fixing of a bug or the cost of patch increases rapidly so this is what the the consequences of if you do not bring security close the source or if we are creating security as an afterthought that's something which can be done after or it can be de-prioritized by the team this is what makes uh secure testing more important and more critical when we want to in involve security testing

or security checks as close to the to the developers or as close to the source so that we can we can basically reduce the time and effort that we are spending on fixing a bug after the release has gone live after the after the features has gone into production this brings me to uh the the core of the talk basically uh in this talk i will be showing you how how basically we at uh at my company how we have achieved this how we are now scanning each and every pr or each and every course change that goes to github or any github repository any code repository against all the security checks so now what we have actually

done that every change or every core change every peer that that developer raised in their branch that actually goes through the continuous security checks they they go through a regular and automated security checks so at the end we don't need to wait that that pr get must mastered and the future get deployed to production then security checks are going on and now we have brought down the security checks uh within our uh code repository so within uh the the code repository that we're using so anytime now any developer or any any qa any engineer there is any pr or any they make any code commit our continuous github code hacking happens it basically checks the the commit against different kind of

security checks that we implemented so this is basically how the architecture of the of the tool or that we have that we have you know that we have developed that we have that we have developed in in the company so this is the basic architecture how it looks like i i will again come to this picture and we'll tell you how it actually functions uh on the top on the top of it i will i will i will tell you that this our product name is basically called g-shift uh with basically again uh symbolizing the git up sheet and there is a backend app which is our core uh backend application which is running and performing various kind of security

jacks this backend app is also integrated with jenkins to pull the you know to pull uh various uh various csd pipelines and it is it also have a salary queue to basically uh have uh basically pulled various kind of you know if there's multiple pr's going so it will be particularly pulling from the salary queue to process them so i will i will be again coming to this architecture to explain you how it exactly happens so how we have actually done is that uh github provides an uh uh extensive future of creating a github app so in github you can create your own github apps now this github app can be integrated with any of the repository that you have

in your company it can it can indeed you can indicate uh you get a app with one repository or with two or you can also integrate your github app with all that representative that uh that your uh your organizers have and on the top of it you can restrict this application to have access to some limited functionalities or limited uh limited commits of of that particular repository so you can you can provide access of read access to this app so that this particular application will have only read access to listen to all the peers uh you can also give comment permission so that this particular application can comment on the ps if you want to if you want to

make it more user definitely you can also uh configure this app to basically send all the events that it is getting to uh to a web uh to the web uh to our outgoing web url and this web viewer is basically the heart of uh part of this complete tool which is the continuous data code hacking so what actually happened is that uh whenever any and even this trigger the gita web because the github app is now integrated with you all that repository in your company so and when when any uh repository has any change has any port comment this getup app will listen to it and because it has an outgoing web level now it will send all those uh you

know all the even that that it hurts it listen it send the that and that http postcard to that bevel now this web can be used to for for various purposes this web is basically highly highly customizable yeah it has it has various tracks you can build your own checks you can you can use this website to trigger an issue tracker you can use this webhook to trigger a ci build or even you can use this web to deploy any changes to your production servers and as i said this checks uh this basically this uh this url uh which is uh which which is basically bringing uh some other benefits of having a modular and

customized checks so you have now you can build as i said you can build on top of it you can build your custom checks you can have modules so that they're independent of each other uh if if one of the checks are not able to get performed the other will function as it is other will function with their full capabilities it is highly automated every security check is automated uh whenever any whenever someone raises any pr this web will listen to those events and send those even to the to the back end app which performs all this kind of checks equity check which performed automatically now i will now i will tell you how it

basically functions at the back end so you you already confirmed configured a github app you created a github app and give it a and basically configured it within a facebook url and that webhook url is basically your backend app so you have you you have your backup app running where you can put your backend in python and go in in any in any level that you want now what basically happens is that when anyone make any changes uh to to any of the good code repository because that github app is listening to every code base it is listening to every repository it will send the post event that yeah it has listened to the value

of which is now configured on the backend app and now backup has have multiple security checks have multiple modules which perform security checks on on the on on the even that just listen so suppose someone raised a pr and that pr contains a docker file so you you you have written a module in the backend backend forth checks basically if the the devil the webroot had received the event and that event contains a file with our name docker file that means someone is trying to build a docker image and then your module comes where it performs a check like it can perform a docker file under or because it is a docker file it will

also have you know various kind of a docker fire docker statement like from copy ad and you know it must be having if you're mounting any any sensitive mount points it will also have that command docker command in the dockerfile so you can now you can now create a module which can check whether uh whether that docker file is containing uh any sensitive mount point or not uh you can even after you come to know that that that pr contains a docker file you can also uh perform a linting on the docker file and similarly we have built something which is called uh through which we check whether anyone in the company has to use has is using a docker file

which contains an image which is not a trusted image so what we do is basically uh when this vivo get get the post event and our backend app checks whether the event contains a file with starting name as docker file if if the pr contains a file which is uh which is docker file then it checks the first statement the first is basically the from statement from where your base image is basically getting created and it checks whether that image is lying into the white list list that we have so we have a dynamic and very customized uh checklist of docker images that which contain all the trusted all the verified on all the official uh images that we use

in the company and also all the official images that are in the docker repository like ubuntu red hat on all those images so this is this is how it it it basically worked it the back end i have listened to the events that even is sent by the github github app because it is configured with the web and then on the on in the backend app we have created custom checks we perform docker file enter which perform you know the checking for sensitive mount point uh which also checks whether your image is an authorized docker image or not and we and also we have built other uh you know other checks you can basically this complete backend

app is highly customized uh it is highly modular you can build as amount of check that you want as many as checks as you want we have created more just like we also check whether any pr which is is contain any hard coded contents or not for which we are using open source tool like grid secret which is an open source tool by uw slabs so we also check spen when whenever anyone raise and appear that pr contains uh any hard coded connections or not and then we have a jenkins uh this web background have also indicated with the junkies who basically you know if you want to trigger any deployment if suppose all the checks are passed

so if you want to trigger an employment uh so if suppose any checks fail suppose your pr contains uh any any hardcoded connection of your aws or of your config in in your config device then you can trigger a genting job with basically just feel uh fail the deployment or basically it was you can also comment in the in the pdr itself saying that uh of course you you change the there they are security which are which has failed so you cannot uh proceed to get it much to master so this this is so in in a node these are the capabilities that we have built uh now this this app which is this tool

which is known as g shield perform says scanning which is static application security testing we are using sonar for uh for doing uh static analysis uh it also performed dash which is a dynamic application security testing we are using open source tool of os app to uh perform uh dash scanning on the on the on the pls that being released uh we are also checking whether uh the department.txt file contains any uh any any any any dependencies which has external vulnerabilities which has any open cv or which has any higher critical availability again using os uh zap dependency plug-in engine case and then this is something which we have created now so we uh checks whether the docker which

whether the pr contains any docker file and that docker file has uh has using the images which are lying into the list of white lists that we have created in house and then on the top of it there are additional effect capabilities that we have created like said secret detection we run great sticker to find someone right if someone hard coded any credentials into the apr before we we also perform docker front lantern if there's any docker fire being you know pushed into a pr and that docker file is not up to the standard so we use hedolin to perform docker valentine and as i said we also check to check against the base images

that we have enough so this is how uh this is how uh uh basically uh generic pr looks like uh so whenever this is the screenshot taken when someone raised an apr so when when any engineer disappears this is our this is however g shield works so it basically comment in the pr itself just like a quote review just like everyone could do a code review they comment that this this one or following standard or something like that our g g shield app itself works to do a code review and comment just like any human user so if you can see uh it first tells the security analysis of security checks has started this has been no secret in that

particular period so it is saying that there is no secret in your peer uh so narco analysis it basically are performing static analysis on the appear and if there's any if there's any high vulnerability it basically uh just says that it based p0 vulnerability and there's a full report where a developer can access a full report and then it also perform a dockerfile render so this particular pr contain a docker file and because we have a customer check which checks whether any pr container docker file or not and then it performs a dockerfile internet so this is this is basically commented by to a developer who raised the peer to basically make changes in the docker

file according uh to the standard docker obviously according uh to the result that early internet has been has has given out so this is how our github uh uh application uh our github tool which is known as g shield works like uh so we can also uh we we can also in the initial we have started uh in a non-blocking mode we don't want we are getting blogger and developer uh you know are not able to push their comments into the master branch so initially we started with with a non-blocking mode uh so this uh our tool just comment all the security checks which has been cleared uh and now it is up to the developer to

basically fix it or not so we wanted to bring that productiveness within our developers and after you know after we find that you know developers engines are now uh able to understand what these security checks mean then we want to bring that productiveness within our developers to fix those security issues you can also make it uh make it in a way that uh if any of the security checks get filled you are developer any no one cannot merge uh the that that we are to master you can also make those changes so this this is the benefit of this complete uh github application of this complete tool that we have that recorded which is known as g sheet

so now all the security checks is being performed whenever any pr is raised so now we don't need to wait when a pr is raised and it is much to master the future is gone to live and then we are doing a secondary text now within uh whenever us any engineer or any developer is is raising any pr into into their dev branch all the security are performed as unmanned so now the word now the developer don't need to wait for security team uh you know to to perform those checks these checks perform automatically so one of the beauty of this tool is also automation every everything is is an automation automated manner uh our developer days appear and all the

security sets are performed automatically this is highly flexible as i said these tracks are highly modeled and customized you can add as many checks as you want in your backend app uh you can add you know as we have you know integrated uh secure detection we have integrated uh docker image scanning uh we have indicated a docker file interact so these checks are modular you can you can add as many checks that you want and make it more customizable so this these are the improvements so these are benefit that our tool brings uh uh to to to basically bring security uh close the source which basically bring to me which basically brings me to a con

concept of uh the title that we have that they shift left epsilon so where we are shifting our security checks as close to the source where we are bringing security checks or security testing uh as close when as close to the source so now we don't need to wait uh any future is going live and then we are bringing security checks then we are bringing security testing and creatine to perform those checks now everything is in a way that we don't need to wait uh and we also don't need to think that security is not for thought everything is done whenever developer any using npr and basically we are getting the result as and when

uh the cost of fixing the bug is also very very less because now uh the checks are being performed in the developer branch itself now developer is getting getting to know that their checks or they they appear contain any hardcore recognition or the apr has any static code analysis vulnerability or any dynamic vulnerability so uh then they now come to know about those results uh whenever they are developing there or whenever they are writing their code so this is basically not not preventing a lot of time and effort that now being that earlier being spent when the releases are going live and then security check or security testing being performed so this is the beauty of this

one these are the benefit uh it brings when you are when you're bringing uh your security or when you're bringing your security to the close the source close to the developers so that's it uh about this talk uh uh if you if you have any question uh you can shoot it out uh here are here are my credentials if anyone uh if anyone you want to dm me i'm highly available on twitter with handle scratchy founders for one and you can also shoot out my me a shout out mail to my melee it's been given here yeah that's it

thank you very much for that um sorry i'm just using the wrong camera for a second there we go no listen i haven't asked thank you so much for that that was amazing i'm just looking through for any questions from the audience