Security Scanning Tools for Cloud Native Software

This document describes the changing process model for security scanning and gives a brief survey of the security scanning technologies under evaluation.

Purpose of Security Scanning

Security scanning is a specialized kind of testing that attempts to identify potential software bugs that could make a deployed application vulnerable to attack and compromise. As with any testing, the tests can be manual or automatic, and they can be performed at various points in the development cycle. We can classify security scanning into three categories:

  1. Static Scanning - Performed against source code and configuration data, a static scan looks for common logic errors that might lead to system compromise. Also referred to as Static Application Security Testing (SAST).
  2. Dynamic Scanning - Performed against a running system, a dynamic scan looks for vulnerable software or configurations that might lead to system compromise. Also referred to as Dynamic Application Security Testing (DAST).
  3. Security Monitoring - Deployed as a part of the system, a security monitor continuously evaluates the security status relative to a set of rules or policies and reports anomalies. This is the best chance to detect and protect against zero-day exploits.

Static and Dynamic scanning are typically integrated into the development process;  security monitoring is delivered as a feature component of the system.

Static Scanning Technology Overview

| Name | Target | Type | Detects | Policy Configuration | Notes |
| --- | --- | --- | --- | --- | --- |
| Fortify | Source code (including C++, PHP, Java) | Compliance / Vulnerability | Exploitable coding defects | User-defined policies | Mostly manual execution; CI pipeline automation started in 5G NF 1.3. Cloud Lab provides pipeline integration (see Fortify Tooling User Guide#gitlabci); some NFs have started to use this. |
| McAfee Anti-Malware | Docker images | Compliance | Malware | | Integrated into the 5G CI pipelines for all 5G NFs (and OC-CNE). |
| OWASP Dependency Checker | Source code (typically Java) | Vulnerability | Known vulnerabilities (CVEs) in 3rd-party packages (typically Java) | | Integrated into the 5G CI pipelines for all 5G NFs (and OC-CNE). |
| OCSC 3rd Party | Docker containers | Compliance / Vulnerability | Oracle Open Source Policy compliance; 3rd-party SW vulnerabilities (CVEs) | | Some overlap with OWASP Dependency Checker; also verifies 3rd-party approval status for all components used in the build. |
| Anchore-Engine | Docker containers: base OS, Java, JS, Python packages | Vulnerability | Known vulnerabilities (CVEs) in container OS | User-defined policies; whitelist/blacklist | Integrated in the OCCNE deployment pipeline in 1.2. |
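The static scanners above are only useful in a pipeline if their reports actually gate the build. The following is an added example (not Dependency-Check's, Anchore's or the OCCNE pipeline's own code) of a CI gate over an OWASP Dependency-Check JSON report: it fails the step when a 3rd-party CVE at or above a CVSS threshold is found, and it carries a per-CVE allowlist that plays the role of the whitelist a user-defined Anchore policy provides. The report field names (`dependencies`, `fileName`, `vulnerabilities`, `name`, `severity`, `cvssv3.baseScore`, `cvssv2.score`) are my reading of the Dependency-Check JSON format and should be verified against the version in use; the sample report and its CVE identifiers are constructed placeholders.

```python
"""CI gate over an OWASP Dependency-Check JSON report.

Added example (not Dependency-Check's or Anchore's own code). It assumes the
report shape Dependency-Check writes with --format JSON, as understood here
(verify against your version):
  {"dependencies": [{"fileName": "...", "vulnerabilities": [
      {"name": "CVE-...", "severity": "HIGH", "cvssv3": {"baseScore": 9.8}}]}]}
The allowlist plays the role of the per-CVE whitelist that a user-defined
Anchore policy provides: an accepted finding is reported but does not block.
"""
import json
import sys
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Constructed sample report with placeholder CVE identifiers; not real output.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "lib-a-1.0.jar", "vulnerabilities": [
            {"name": "CVE-0000-0001", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}},
            {"name": "CVE-0000-0002", "severity": "LOW", "cvssv2": {"score": 2.1}},
        ]},
        {"fileName": "lib-b-2.3.jar", "vulnerabilities": [
            {"name": "CVE-0000-0003", "severity": "HIGH", "cvssv3": {"baseScore": 7.5}},
        ]},
        {"fileName": "lib-c-0.9.jar"},  # scanned, no findings
    ]
})


@dataclass(frozen=True)
class Finding:
    artifact: str
    cve: str
    severity: str
    score: float


def cvss_score(vuln: dict) -> float:
    """Prefer the CVSSv3 base score, fall back to CVSSv2, else 0.0 (unknown)."""
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    return float(v2.get("score", 0.0))


def load_findings(report_json: str) -> List[Finding]:
    """Flatten the report into one Finding per (artifact, CVE)."""
    report = json.loads(report_json)
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            findings.append(Finding(dep.get("fileName", "?"), vuln["name"],
                                    str(vuln.get("severity", "UNKNOWN")).upper(),
                                    cvss_score(vuln)))
    return findings


def evaluate(findings: List[Finding], fail_cvss: float = 7.0,
             allowlist: FrozenSet[str] = frozenset()) -> Tuple[List[Finding], List[Finding]]:
    """Split findings at/above the threshold into (blocking, waived).

    Waived findings are explicitly accepted by CVE id; everything else at or
    above fail_cvss blocks the build. Findings below the threshold are ignored.
    """
    blocking, waived = [], []
    for f in findings:
        if f.score < fail_cvss:
            continue
        (waived if f.cve in allowlist else blocking).append(f)
    return blocking, waived


def gate(report_json: str, fail_cvss: float = 7.0,
         allowlist: FrozenSet[str] = frozenset()) -> int:
    """Print a summary and return the process exit code for the pipeline step."""
    findings = load_findings(report_json)
    blocking, waived = evaluate(findings, fail_cvss, allowlist)
    for f in waived:
        print(f"WAIVED {f.cve} ({f.severity}, CVSS {f.score}) in {f.artifact}")
    for f in blocking:
        print(f"BLOCK  {f.cve} ({f.severity}, CVSS {f.score}) in {f.artifact}")
    print(f"{len(findings)} findings, {len(blocking)} blocking, {len(waived)} waived")
    return 1 if blocking else 0


if __name__ == "__main__":
    # Usage: python gate.py [dependency-check-report.json]; without an argument
    # the constructed sample is evaluated with CVE-0000-0003 waived.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(data, allowlist=frozenset({"CVE-0000-0003"})))
```

Keeping the allowlist in version control next to the pipeline definition gives an audit trail for every accepted CVE; waived findings are still printed so the exception stays visible in the build log rather than silently disappearing.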

Dynamic Scanning Technology Overview

| Name | Target | Type | Detects | Notes |
| --- | --- | --- | --- | --- |
| RESTfuzz | RESTful API | Vulnerability | Unexpected responses from unexpected inputs | An Oracle tool; integration began in the 5G NF 1.3 pipelines. See RESTfuzz Scanning Guidelines. |
| OCCNE CipherScan | TLS ports | Compliance / Vulnerability | OSSA TLS compliance | An Oracle tool; plan to start using it in 5G NF 1.1 as TLS is introduced. |
| nmap | K8s environment | Port scanner / Penetration testing | Identifies open ports | Used to identify open ports. This scan is being added as a part of  to identify TLS ports for cipherscanning. (Story target: OCCNE 1.4) |
| OpenSCAP | Local OS | Compliance / Vulnerability | CIS-inspired verification; base OS (and lots more) | Automated execution via CI pipeline in OC-CNE 1.1. |
| OL 7 CIS Benchmark | Local OS | Compliance | CIS verification; base OS | Automated execution via CI pipeline planned. |
| docker-bench-security | Docker environment | Compliance | Insecure Docker configuration | Automated execution via CI pipeline in OC-CNE 1.1. |
| kube-bench | K8s environment | Compliance | Insecure K8s configuration | Automated execution via CI pipeline in OC-CNE 1.1. |
| kube-hunter | K8s environment | Pen test | Automated penetration testing | To be evaluated. |
| kube-scan | Workload security assessment | Compliance | Scores workloads for questionable configurations | To be evaluated. |
| WebInspect | OAM GUIs | Vulnerability | Unexpected responses from unexpected inputs | We need to run this against our CNCC offering. |
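The nmap row above feeds the CipherScan row: the port scan finds what is listening, and only the TLS endpoints are worth handing to the cipher scanner. The following is an added example (not the OCCNE tooling) of that hand-off. It assumes the cluster nodes were scanned from an authorized host with service detection and XML output (`nmap -sV -p- -oX scan.xml <node addresses>`, with the addresses as a placeholder), and it relies on two signals in nmap's XML: with `-sV`, a service that speaks TLS carries `tunnel="ssl"` on its `<service>` element; without `-sV`, nmap only has the well-known service name (e.g. `https`). Treating either as TLS is a heuristic; the sample XML and its RFC 5737 addresses are constructed.

```python
"""Select TLS endpoints from an nmap XML report for cipher scanning.

Added example, not the OCCNE tooling. It assumes the cluster was scanned from
an authorized host with service detection and XML output, e.g.
  nmap -sV -p- -oX scan.xml <node addresses>
and uses two signals from that output: with -sV, nmap marks a service that
speaks TLS with tunnel="ssl" on its <service> element; without -sV it only has
the well-known service name (e.g. "https"). Treating either as TLS is a
heuristic; the cipher scanner still decides what actually negotiates TLS.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Constructed sample (RFC 5737 documentation addresses), not a real scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="http" tunnel="ssl"/></port>
      <port protocol="tcp" portid="6443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="8443"><state state="closed"/><service name="https-alt"/></port>
    </ports>
  </host>
  <host>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="10250"><state state="open"/><service name="ssl" tunnel="ssl"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Well-known service names nmap assigns to TLS ports when no probe ran.
TLS_SERVICE_NAMES = {"https", "https-alt", "ssl", "imaps", "pop3s", "ldaps", "smtps"}


def is_tls(service: Optional[ET.Element]) -> bool:
    """True when nmap probed TLS (tunnel="ssl") or the name is a TLS service."""
    if service is None:
        return False
    return service.get("tunnel") == "ssl" or service.get("name", "") in TLS_SERVICE_NAMES


def open_ports(xml_text: str) -> List[Tuple[str, int, Optional[ET.Element]]]:
    """All open TCP ports as (address, port, service element)."""
    root = ET.fromstring(xml_text)
    result = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        if addr_el is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if port.get("protocol") != "tcp" or state is None or state.get("state") != "open":
                continue
            result.append((addr_el.get("addr"), int(port.get("portid")), port.find("service")))
    return result


def tls_endpoints(xml_text: str) -> List[Tuple[str, int]]:
    """The subset of open ports to hand to the TLS cipher scanner."""
    return [(addr, port) for addr, port, svc in open_ports(xml_text) if is_tls(svc)]


if __name__ == "__main__":
    for addr, port in tls_endpoints(SAMPLE_XML):
        print(f"{addr}:{port}")  # one endpoint per line for the cipher scanner
```

The open-port list is kept separately from the TLS subset on purpose: the full list is what a compliance reviewer wants to diff between releases (a new open port is a finding in itself), while the TLS subset is the input to the cipher scan.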

Monitoring Technology Overview

| Name | Target | Detects | Notes |
| --- | --- | --- | --- |
| Pod Security Policies | K8s environment | Non-conformant pods | Pod Security Policies look for pods that don't match a configured security policy and refuse to run them. |
| Falco | K8s environment | Security anomalies | Need to try this and understand the run-time impact, if any; also need to understand which checks come built in. |
| Sysdig | K8s environment | System call tracing | Need to try this and understand the run-time impact, if any; also need to understand which checks come built in. |
| NeuVector | K8s environment | Security anomalies | |
| StackRox | K8s environment | Security anomalies | Adds machine learning to the standard set of run-time checks. |
| Starboard | K8s environment | kubectl integration of security tooling | Adds the ability to integrate 3rd-party security tools (compliance, vulnerabilities, etc.) into the kubectl API. |
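To make concrete what "pods that don't match a configured security policy are refused" means, the following is an added example (not Kubernetes code) that models the Pod Security Policy admission check: a pod manifest, as the dict you would get from loading its YAML, is compared with a policy and refused with a list of reasons when it does not match. The field names follow the PodSecurityPolicy spec (`privileged`, `hostNetwork`, `hostPID`, `runAsUser.rule`, `allowedCapabilities`, `readOnlyRootFilesystem`), but only those fields are evaluated and, unlike the real admission controller, the image's USER directive is not consulted. The policy and the two pod manifests are constructed.

```python
"""Simplified model of the Pod Security Policy admission check.

Added example, not Kubernetes code: a pod manifest (as a dict, e.g. loaded from
YAML) is compared with a policy and refused when it does not match, with the
reasons listed. Field names follow the PodSecurityPolicy spec (privileged,
hostNetwork, hostPID, runAsUser.rule, allowedCapabilities,
readOnlyRootFilesystem), but this evaluates only those fields and, unlike the
real admission controller, does not consult the image's USER directive.
"""
from typing import Dict, List

# Constructed restrictive policy in the style of a "restricted" PSP.
RESTRICTED_POLICY = {
    "privileged": False,
    "hostNetwork": False,
    "hostPID": False,
    "runAsUser": {"rule": "MustRunAsNonRoot"},
    "allowedCapabilities": [],
    "readOnlyRootFilesystem": True,
}

# Constructed pod manifests: one conformant, one that breaks several rules.
GOOD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
            "spec": {"containers": [
                {"name": "web", "image": "example/web:1.0",
                 "securityContext": {"runAsUser": 1000, "readOnlyRootFilesystem": True}}]}}

BAD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
           "spec": {"hostNetwork": True, "containers": [
               {"name": "debug", "image": "example/debug:1.0",
                "securityContext": {"privileged": True,
                                    "capabilities": {"add": ["NET_ADMIN"]}}}]}}


def check_pod(pod: Dict, policy: Dict) -> List[str]:
    """Return the policy violations for a pod; an empty list means it is admitted."""
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    violations = []
    for key in ("hostNetwork", "hostPID"):
        if spec.get(key, False) and not policy.get(key, False):
            violations.append(f"{key} is not allowed")
    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    for c in containers:
        name = c.get("name", "?")
        sc = c.get("securityContext") or {}
        if sc.get("privileged", False) and not policy.get("privileged", False):
            violations.append(f"container {name}: privileged containers are not allowed")
        if (policy.get("runAsUser") or {}).get("rule") == "MustRunAsNonRoot":
            # Container-level settings override pod-level ones, as in Kubernetes.
            uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
            non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
            if uid == 0 or (uid is None and not non_root):
                violations.append(f"container {name}: must run as a non-root user")
        added = set((sc.get("capabilities") or {}).get("add") or [])
        extra = added - set(policy.get("allowedCapabilities") or [])
        if extra:
            violations.append(f"container {name}: capabilities not allowed: {sorted(extra)}")
        if policy.get("readOnlyRootFilesystem") and not sc.get("readOnlyRootFilesystem", False):
            violations.append(f"container {name}: root filesystem must be read-only")
    return violations


def admit(pod: Dict, policy: Dict = RESTRICTED_POLICY) -> bool:
    """The admission decision: True to run the pod, False to refuse it."""
    return not check_pod(pod, policy)


if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        problems = check_pod(pod, RESTRICTED_POLICY)
        print(f"{pod['metadata']['name']}: {'admitted' if not problems else 'refused'}")
        for p in problems:
            print(f"  - {p}")
```

Returning every violation rather than stopping at the first mirrors how the admission error is reported to the person deploying the pod, and it is also what you want from a CI pre-check: one run of the model over the rendered manifests tells the team everything that will be refused before anything reaches the cluster.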

