Vulnerability Management in DevSecOps using DefectDojo

Introduction

DevSecOps stands for Development, Security, and Operations. It is a practice where security is seamlessly integrated into CI/CD pipelines. The goal is to consider application and infrastructure security and to automate security gates so that they do not slow down the DevOps workflow. Such security gates can be categorized in multiple stages, such as:

  1. SAST (Static Application Security Testing)
  2. DAST (Dynamic Application Security Testing)
  3. SCA (Software Composition Analysis)
  4. Container Security
  5. IaC scanning (Infrastructure as Code)

This image shows high-level DevSecOps

To execute these stages, we need tools such as Checkmarx, AppSpider, Twistlock, etc. These tools generate output in different formats, and managing such output can be very overwhelming. Also, pushing them into defect management tools such as JIRA or QC can be very cumbersome. Security assessment tools primarily provide JIRA integration, but there is a risk of creating too many JIRA issues as these tools create defects in huge numbers.

OWASP DefectDojo can be very helpful in this scenario. DefectDojo is an open-source project developed in Python Django and maintained by:

  • Greg Anderson
  • Aaron Weaver
  • Matt Tesauro

DefectDojo can import reports from 20+ tools and supports JIRA and Slack integration, so it can be integrated into CI/CD pipelines for defect management. Now let us see how to set up DefectDojo and use it in CI/CD pipelines.

Terminologies of DefectDojo

Now let us look at some DefectDojo terminologies before using it.

  1. Product Type – Product Type is the topmost component in the hierarchy. Product type can be the name of the Team or Business Division.
  2. Product – Product is the name of any program or Product under testing.
  3. Engagements – Engagements are moments in time when testing is taking place. They are associated with a name for easy reference, a timeline, a lead (the user account of the main person conducting the testing), a test strategy, and a status. Engagement consists of two types: Interactive and CI/CD.
    • Interactive Engagement: An interactive engagement is typically conducted by an engineer, where the engineer usually uploads findings.
    • CI/CD Engagement: As its name suggests, a CI/CD engagement is for automated integration with a CI/CD pipeline.
  4. Tests – Tests are a grouping of activities conducted by engineers to attempt to discover flaws in a product. Tests are bundled within engagements, have a start and end date, and are defined by a test type.

    Examples:

    • Semgrep Scan: Semgrep is an open-source code scanner built for Python to check issues such as SQL injection, hardcoded passwords, etc.
    • Dependency Scan: Dependency Checker is a tool that checks for vulnerabilities in the third-party libraries present in the code.

DefectDojo Setup

As described in the original code repository, you can install DefectDojo as shown below. This will deploy DefectDojo as a Docker image.

git clone https://github.com/DefectDojo/django-DefectDojo
cd django-DefectDojo
# building
./dc-build.sh
# running (for other profiles besides mysql-rabbitmq look at 
./dc-up.sh mysql-rabbitmq

# use docker-compose logs -f initializer to track progress
docker-compose logs initializer | grep "Admin password:"

Configuration Of DefectDojo before Integration

After logging in, we need to configure DefectDojo to make it ready for integration.

  1. Create Product Type
    • After logging in, the application will land on the dashboard page. On the left side, we can see the menu bar. On the menu bar, navigate to Products -> All Product Types to create a product type.

This image shows Product Type Tab

This Image shows how to add product Type

  2. DefectDojo Jira Integration
    • On the menu bar, go to Configuration -> Jira to add Jira details.
      This image shows Jira configuration Setting

    This image shows how to add jira

    This image shows details to put in Jira configuration

  3. Add Product
    • Navigate to Product -> Add Product to create a product. We can see that the JIRA instance that we added before is located in the dropdown.

    This image shows add product section of defectdojo

    This image shows Jira attachment to the Product

  4. Add Engagement
    • After creating the product, we will land on the product page. On the top middle, we can see the menu bar with Overview, Components, Metrics, Engagement, Findings, etc. options.
    • Go to engagements and click on Add new CI/CD engagement.

    This image shows how to add Engagement

    • Fill in the required details and move to the next step.

    This image shows details to put in the engagement section

  5. Add Tests
    • After filling in engagement details, we can see an option to Add Tests.

    This image shows how to add tests

    • Click on Add Tests and fill in the required details.
    • In the Test Type option, select the tool that is being used in the pipeline, for example Dependency Check.

    This image shows what details to put in the tests section

Now we are ready to integrate DefectDojo into the CI/CD pipeline.

Integrating DefectDojo into CI/CD Pipeline

Let us take a vulnerable Python application and build a DevSecOps pipeline around it. We are going to use Semgrep and Dependency Check as SAST and SCA tools, respectively.

  1. Open Jenkins and create a new job as a freestyle project. In the Source Code Management section, integrate the vulnerable repository.

    This image shows Jenkins source code integration

  2. To run Semgrep, select Execute shell in the build stage and put the following command.
semgrep scan --config auto --json -o semgrep.json

This will run the Semgrep scan and create the report “semgrep.json,” which we are going to upload to DefectDojo.

  3. To upload the report to DefectDojo, we are going to use the DefectDojo API endpoint reimport-scan. The endpoint parameters can be found in the DefectDojo API docs. To integrate this API call in Jenkins, create another build step with Execute shell and put the following curl command.
# Double quotes around the Authorization header let the shell expand $defectdojo_token
curl -X 'POST' \
  'http://localhost:8080/api/v2/reimport-scan/' \
  -H 'accept: application/json' \
  -H "Authorization: Token $defectdojo_token" \
  -H 'Content-Type: multipart/form-data' \
  -F 'test=2' \
  -F 'file=@semgrep.json;type=application/json' \
  -F 'scan_type=Semgrep JSON Report' \
  -F 'tags=test'

The required parameters are as follows:

  • test: ID of the test created under Engagement. (The test ID can be found by clicking on the created test.)
    This image shows the test id parameter required for the API call
  • file: semgrep report file in JSON format.
  • scan_type: Tool name which is used to scan.
  • tags: Tags needed for identifying the upload.

    This image shows defectdojo API call in Jenkins

  4. Similarly, repeat the procedure for the dependency check and change the relevant parameter values in the curl command according to the dependency check.

    This image shows dependency check integration

  5. Click on Save and Build the Job.
  6. After each successful job, you can find defects uploaded in DefectDojo and opened in JIRA.

    This image shows defects in the defectdojo

    This image shows defect added in Jira through defectdojo
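
Without --fail, curl exits 0 even when DefectDojo answers the reimport-scan request with an HTTP error, so the Jenkins step stays green although nothing was imported. The following added example (not from the original post or the DefectDojo project) wraps the same upload so that an empty report, an unset token or a non-2xx response fails the build, and it passes the token through curl's config on stdin instead of the command line. DD_URL, DD_TEST_ID and the function names are assumptions.

```shell
#!/bin/sh
# Added example: fail the Jenkins step when the DefectDojo upload does not succeed.
# Assumptions: DD_URL and DD_TEST_ID are hypothetical variable names; the token
# arrives in $defectdojo_token, the variable used by the curl command above.
DD_URL="${DD_URL:-http://localhost:8080}"
DD_TEST_ID="${DD_TEST_ID:-2}"

# Cheap sanity check: file exists, is non-empty and has Semgrep's "results" key.
report_is_valid() {
  [ -s "$1" ] && grep -q '"results"' "$1"
}

# Any 2xx status counts as an accepted import.
status_ok() {
  case "$1" in
    2[0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# upload_report <report-file> <scan_type>
# Returns 0 on success, 2 bad report, 3 no token, 4 curl failure, 5 HTTP error.
upload_report() {
  report="$1"; scan_type="$2"
  report_is_valid "$report" || { echo "invalid or empty report: $report" >&2; return 2; }
  [ -n "${defectdojo_token:-}" ] || { echo "defectdojo_token is not set" >&2; return 3; }
  # The header goes through curl's config on stdin (-K -) so the token does not
  # show up in the process list; -w prints only the HTTP status code.
  status=$(printf 'header = "Authorization: Token %s"\n' "$defectdojo_token" |
    curl -sS -K - -o /dev/null -w '%{http_code}' -X POST \
      "$DD_URL/api/v2/reimport-scan/" \
      -F "test=$DD_TEST_ID" \
      -F "file=@$report;type=application/json" \
      -F "scan_type=$scan_type" \
      -F 'tags=test') || return 4
  status_ok "$status" || { echo "DefectDojo returned HTTP $status" >&2; return 5; }
}

# Run as: sh upload.sh semgrep.json 'Semgrep JSON Report'
if [ "$#" -eq 2 ]; then
  upload_report "$1" "$2" || exit $?
fi
```
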

How can Payatu improve the DevSecOps process using an existing solution?

  • This tool can be integrated into any DevSecOps pipeline and with other CI/CD tools such as Bamboo.
  • Being open-source software, its functionality can be extended to tools not currently supported by DefectDojo by writing custom parsers.
  • We can speed up the process of vulnerability management by opening defects into defect management software such as Jira.
  • Get instant updates on defect instances using the webhook facility.

Conclusion

  • DefectDojo is easy to build and deploy in any environment.
  • We successfully demonstrated the seamless integration of “Semgrep,” “Dependency Checker,” “DefectDojo,” and “Jira” representing the SAST, SCA, and defect management stages, respectively.
  • DefectDojo supports 20+ security tools.
  • DefectDojo can be integrated into any CI/CD pipeline due to available API support.
