
Security Scanning Tools for Cloud Native Software

This document describes the changing process model for security scanning and provides a brief survey of the security scanning technologies under evaluation.

Purpose of Security Scanning

Security scanning is a specialized kind of testing that attempts to identify potential software bugs that could make a deployed application vulnerable to attack and compromise. As with any testing, the tests can be manual or automatic, and they can be performed at various points in the development cycle. We can classify security scanning into three categories:

  1. Static Scanning - Performed against source code / configuration data, a static scan looks for common logic errors that might lead to system compromise. Also referred to as Static Application Security Testing (SAST).
  2. Dynamic Scanning - Performed against a running system, a dynamic scan looks for vulnerable software / configurations that might lead to system compromise. Also referred to as Dynamic Application Security Testing (DAST).
  3. Security Monitoring - Deployed as a part of the system, a security monitor continuously evaluates the security status relative to a set of rules or policies and reports anomalies. This is the best chance to detect and protect against zero-day exploits.

Static and dynamic scanning are typically integrated into the development process; security monitoring is delivered as a feature component of the system.

Static Scanning Technology Overview

| Name | Target | Type | Detects | Policy Configuration | Notes |
|---|---|---|---|---|---|
| Fortify | Source code (including C++, PHP, Java) | Compliance / Vulnerability | Exploitable coding defects | User-defined policies | Mostly manual execution; CI pipeline automation started in 5G NF 1.3. Cloud Lab provides pipeline integration (Fortify Tooling User Guide#gitlabci); some NFs have started to use this. |
| McAfee Anti-Malware | Docker images | Compliance | Malware | | Integrated into the 5G CI pipelines for all 5G NFs (and OC-CNE). |
| OWASP Dependency Checker | Source code (typically Java) | Vulnerability | Known vulnerabilities (CVEs) in 3rd-party packages (typically Java) | | Integrated into the 5G CI pipelines for all 5G NFs (and OC-CNE). |
| OCSC 3rd Party | Docker containers | Compliance / Vulnerability | Oracle open source policy compliance; 3rd-party software vulnerabilities (CVEs) | | Some overlap with OWASP Dependency Checker; also verifies 3rd-party approval status for all components used in the build. |
| Anchore-Engine | Docker containers: base OS, Java, JS, Python packages | Vulnerability | Known vulnerabilities (CVEs) in container OS | User-defined policies; whitelist/blacklist | Integrated in the OCCNE deployment pipeline in 1.2. |
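Several of the static scanners above (Fortify, Anchore-Engine) are driven by user-defined policies with whitelists and blacklists, and the dependency checkers report known CVEs that a pipeline then has to accept or reject. The following is an added illustration of such a policy gate, not code from the page or from any of the listed tools: it takes a scanner-style findings list and a policy and decides whether the build passes. The report format, the package names and the CVE identifiers (placeholders of the form CVE-0000-NNNN) are all constructed.

```python
# Added example: a policy gate over scanner findings, illustrating the
# "user-defined policies; whitelist/blacklist" pattern from the static
# scanning table. Constructed illustration code, not Anchore, Fortify or
# OWASP Dependency Check output or configuration; the report format,
# CVE identifiers and package names below are made up.
from dataclasses import dataclass, field

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Finding:
    package: str
    version: str
    cve: str          # placeholder ids of the form CVE-0000-NNNN, not real CVEs
    severity: str
    fix_available: bool


@dataclass
class Policy:
    fail_at: str = "HIGH"                          # fail at this severity or above
    whitelist: set = field(default_factory=set)    # accepted with a recorded justification
    blacklist: set = field(default_factory=set)    # always fail, whatever the severity
    warn_only_without_fix: bool = True             # no fix published yet: warn, do not block


def evaluate(findings, policy):
    """Return a dict with verdict ('PASS'/'FAIL'), blocking reasons and warnings."""
    threshold = SEVERITY_RANK[policy.fail_at.upper()]
    blocking, warnings = [], []
    for f in findings:
        label = f"{f.cve} in {f.package}-{f.version} ({f.severity})"
        if f.cve in policy.blacklist:
            blocking.append(label + ": blacklisted")
            continue
        if f.cve in policy.whitelist:
            warnings.append(label + ": whitelisted, re-check justification")
            continue
        if SEVERITY_RANK.get(f.severity.upper(), 0) < threshold:
            continue
        if not f.fix_available and policy.warn_only_without_fix:
            warnings.append(label + ": no fix available yet")
            continue
        blocking.append(label + ": at or above threshold " + policy.fail_at)
    return {"verdict": "FAIL" if blocking else "PASS",
            "blocking": blocking, "warnings": warnings}


# Constructed sample report, shaped like what a dependency checker might emit.
SAMPLE_FINDINGS = [
    Finding("libexample", "1.2.3", "CVE-0000-0001", "CRITICAL", True),
    Finding("libexample", "1.2.3", "CVE-0000-0002", "LOW", True),
    Finding("otherlib", "4.5", "CVE-0000-0003", "HIGH", False),
    Finding("otherlib", "4.5", "CVE-0000-0004", "MEDIUM", True),
]

# Constructed policy: block at HIGH and above, one CVE accepted by review.
DEFAULT_POLICY = Policy(fail_at="HIGH", whitelist={"CVE-0000-0004"})


if __name__ == "__main__":
    result = evaluate(SAMPLE_FINDINGS, DEFAULT_POLICY)
    print(result["verdict"])
    for line in result["blocking"] + result["warnings"]:
        print(" ", line)
    # Non-zero exit is what makes a CI stage fail on a policy violation.
    raise SystemExit(0 if result["verdict"] == "PASS" else 1)
```

The design point is that the gate's outcome is a function of the policy, not of the scanner: the same findings pass or fail depending on the threshold, the whitelist and the blacklist, and every skipped finding still leaves a warning in the log so that accepted risk stays visible.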

Dynamic Scanning Technology Overview

| Name | Target | Type | Detects | Notes |
|---|---|---|---|---|
| RESTfuzz | RESTful API | Vulnerability | Unexpected responses from unexpected inputs | An Oracle tool; integration began in the 5G NF 1.3 pipelines. See RESTfuzz Scanning Guidelines. |
| OCCNE CipherScan | TLS ports | Compliance / Vulnerability | OSSA TLS compliance | An Oracle tool; plan to start using it in 5G NF 1.1 as TLS is introduced. |
| nmap | K8s environment | Port scanner / Penetration testing | Identifies open ports | Used to identify open ports. This scan is being added as a part of  to identify TLS ports for cipher scanning. (Story target: OCCNE 1.4) |
| OpenSCAP | Local OS | Compliance / Vulnerability | CIS-inspired verification; base OS (and lots more) | Automated execution via CI pipeline in OC-CNE 1.1. |
| OL 7 CIS Benchmark | Local OS | Compliance | CIS verification; base OS | Automated execution via CI pipeline planned. |
| docker-bench-security | Docker environment | Compliance | Insecure Docker configuration | Automated execution via CI pipeline in OC-CNE 1.1. |
| kube-bench | K8s environment | Compliance | Insecure K8s configuration | Automated execution via CI pipeline in OC-CNE 1.1. |
| kube-hunter | K8s environment | Pen test | Automated penetration testing | To be evaluated. |
| kube-scan | Workload security assessment | Compliance | Scores workloads for questionable configurations | To be evaluated. |
| WebInspect | OAM GUIs | Vulnerability | Unexpected responses from unexpected inputs | We need to run this against our CNCC offering. |

Monitoring Technology Overview

| Name | Target | Detects | Notes |
|---|---|---|---|
| Pod Security Policies | K8s environment | Non-conformant pods | Pod Security Policies look for pods that don't match a configured security policy and refuse to run them. |
| Falco | K8s environment | Security anomalies | Need to try this and understand the run-time impact, if any; also need to understand what checks come built in. |
| Sysdig | K8s environment | System call tracing | Need to try this and understand the run-time impact, if any; also need to understand what checks come built in. |
| NeuVector | K8s environment | Security anomalies | |
| StackRox | K8s environment | Security anomalies | Adds machine learning to the standard set of run-time checks. |
| Starboard | K8s environment | kubectl integration of security tooling | Adds the ability to integrate 3rd-party security tools (compliance, vulnerabilities, etc.) into the kubectl API. |
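The monitoring row for Pod Security Policies describes a rule-based check: a pod spec is compared with a configured policy and refused if it does not conform. The code below is an added illustration of that kind of admission check written as plain Python; it is not Kubernetes' own PodSecurityPolicy implementation. The policy and the two pod specs are constructed, while the spec keys it inspects (hostNetwork, securityContext, privileged, runAsNonRoot, runAsUser, capabilities.add, hostPath) are taken from the Kubernetes pod schema.

```python
# Added example: a rule-based check of the kind a Pod Security Policy performs
# at admission time. Not Kubernetes' own code; the policy and pod specs below
# are constructed for illustration.

# Constructed policy, loosely modelled on a restrictive PodSecurityPolicy.
RESTRICTED_POLICY = {
    "allow_privileged": False,
    "allow_host_network": False,
    "require_run_as_non_root": True,
    "allowed_host_path_prefixes": (),        # empty -> no hostPath volumes at all
    "forbidden_capabilities": {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE"},
}


def violations(pod, policy=RESTRICTED_POLICY):
    """Return a list of human-readable policy violations for one pod spec."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    problems = []

    if spec.get("hostNetwork") and not policy["allow_host_network"]:
        problems.append("pod: hostNetwork is not permitted")

    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            path = vol["hostPath"].get("path", "")
            if not any(path.startswith(p) for p in policy["allowed_host_path_prefixes"]):
                problems.append(f"volume {vol.get('name')}: hostPath {path!r} not allowed")

    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged") and not policy["allow_privileged"]:
            problems.append(f"container {name}: privileged containers are not permitted")

        if policy["require_run_as_non_root"]:
            # Container-level settings override pod-level ones. Like the
            # MustRunAsNonRoot rule, reject an explicit UID 0 and also reject a
            # spec that asserts nothing, since the image's USER is unknown here.
            non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
            uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
            if uid == 0:
                problems.append(f"container {name}: runAsUser 0 is not permitted")
            elif non_root is not True and uid is None:
                problems.append(f"container {name}: must set runAsNonRoot or a non-zero runAsUser")

        added = set(sc.get("capabilities", {}).get("add", []))
        bad = sorted(added & policy["forbidden_capabilities"])
        if bad:
            problems.append(f"container {name}: forbidden capabilities {bad}")

    return problems


def admit(pod, policy=RESTRICTED_POLICY):
    """True when the pod conforms; an admission controller would reject it otherwise."""
    return not violations(pod, policy)


# Constructed pod specs (not from any real deployment).
CONFORMING_POD = {
    "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
        "containers": [{"name": "app", "image": "example/app:1.0"}],
    },
}

NONCONFORMING_POD = {
    "metadata": {"name": "debug"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "shell",
            "image": "example/debug:1.0",
            "securityContext": {"privileged": True,
                                "capabilities": {"add": ["SYS_ADMIN"]}},
        }],
    },
}

if __name__ == "__main__":
    for pod in (CONFORMING_POD, NONCONFORMING_POD):
        print(pod["metadata"]["name"], "admitted" if admit(pod) else "rejected")
        for p in violations(pod):
            print("  -", p)
```

Reporting every violation rather than stopping at the first one matters operationally: a pod that is rejected for five reasons needs five fixes, and a monitor that surfaces all of them at once avoids a round of resubmit-and-fail for each.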

