In my last blog, DevSecOps with Public Cloud Providers: The Path to Automated and Integrated Security Testing, I discussed how complex the digital security landscape is for organizations and the numerous and advanced threats that make it harder to secure. CyberRes Fortify has developed a unique solution that helps provide security automation and enables a shift-left culture within organizations, allowing rapid deliveries with quicker security feedback.
Now, in this part of the blog series, we will talk about a DevSecOps solution that can be integrated with the AWS CI/CD pipeline. But before we discuss that, let's get some understanding of how Amazon Web Services (AWS) works.
AWS Glossary
Here are some of the keywords used in the AWS world for the development and deployment of cloud-native applications.
CodeStar: An overall framework in which developers can create a project/application; it automatically builds all the required artifacts, i.e., pipelines, YAML files, EC2 VMs and their associated IAM roles.
CodeCommit: A source control management (SCM) service that hosts private Git repositories within the AWS environment. Developers also have the option to integrate or link external Git repos.
CodeArtifact: A managed artifact service that can be used to securely store, publish, and share the software packages used in the software development process.
CodeBuild: A CI service that compiles source code, runs tests, and produces software packages that are ready to deploy.
CodeDeploy: A deployment service that automates application deployments to different targets such as EC2, AWS Lambda, and on-premises servers.
CodePipeline: A continuous delivery service that automates application release pipelines for quick and reliable promotion to the next environment, i.e., staging or production.
Cloud DevSecOps Process
Cloud-native application development moves through a process of continuous integration and testing of cloud-based services. Now that we know how to spell CI/CD in the AWS world, let's look at how to secure application releases using AWS pipelines.
Here is a depiction of the AWS CI process:
The CodePipeline service internally pulls the source code from CodeCommit and then calls the CodeBuild service to build and create the application artifacts. SAST can usually be injected at two points: the first is on the static code, right after the AWS agent pulls it, and the second is after the build is complete. The better way to integrate is "after build", so that any compilation errors are reported back to the development team ASAP instead of being buried in the security vulnerability information.
Like other cloud providers, AWS also supports YAML-based pipelines. AWS CodeStar has specific templates that support continuous deployment. These involve two different YAML files: BuildSpec.yml for the build and AppSpec.yml for the release.
AWS Build Process
AWS CodeStar has specific templates that support continuous integration. These are based on BuildSpec.yml.
BuildSpec.yml: This template is used for the Continuous Integration (CI) process and tells the pipeline which steps to run to build the application artifacts. As far as security integration goes, static application security testing (SAST) can be integrated into this process.
Here is a sample BuildSpec.yml:
Note: The above example demonstrates a Java application build; the highlighted events can be used to customize the application build and artifacts.
Here is a depiction of the AWS CD process:
AWS Release Process
AWS CodeStar has specific templates that support continuous delivery. These are based on the template known as AppSpec.yml.
AppSpec.yml: This template is used for the Continuous Delivery (CD) process and tells the pipeline how to promote the application's artifacts to the next environment, i.e., QA, ST, Staging or Production. As far as security integration goes, dynamic application security testing (DAST) can be integrated into this process.
Here is a sample AppSpec.yml:
Note: The above example demonstrates a Java application deployment; the highlighted events can be used to customize application deployment and start activities.
Security testing using Fortify with AWS pipeline
Since the entirety of CodeStar is framed around the BuildSpec and AppSpec templates, the Fortify platform can be leveraged for security testing processes that include static code assessment (SAST) and Dynamic Application Security Testing (DAST).
Fortify can be integrated using two approaches:
Approach 1: Native Integration
This approach relies on native support from Fortify, using the Static Code Analyzer (SCA) tool, and is synchronous: the scan runs inside the pipeline, so results can be pulled while the pipeline is running, which makes it possible to build quality gates. Below are the steps for performing the integration in a CI pipeline.
1. Download the SCA installer file (~1 GB)
2. Download the fortify.license file
The first two steps require a publicly available file server, a public-facing SharePoint server, or even an application server from which the AWS pipeline agent/runner can download these two required files.
Here is a sample bash script to download the files and grant execute permission:
3. Install SCA using the installer and license file
4. Update the Rulepacks
5. Translate the code using the SCA CLI
6. Analyze the code using the SCA CLI
Steps five and six are technology-specific; below is a sample script for a Java-based application. Please refer to the Fortify documentation for the scanning options of other technologies.
7. Upload the results to Software Security Center (SSC) via FortifyClient
8. Apply a quality gate via FPRUtility (optional)
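The Approach 1 steps above, as an added bash example that is not from the original post: steps 3 to 8 are wrapped in functions that a BuildSpec.yml post_build "commands:" entry (for instance `bash fortify-sca.sh run`) can call once the Maven build has passed, matching the "after build" placement recommended earlier. It assumes the installer and fortify.license are already in the working directory, that SSC_URL, SSC_TOKEN, APP_NAME and APP_VERSION arrive as CodeBuild environment variables, and that the installer's unattended flags and the leading number in FPRUtility's search output are as commented (verify both against your Fortify version).

```shell
#!/usr/bin/env bash
# Added example (not from the original post): Approach 1 steps 3-8 as functions a
# BuildSpec.yml post_build "commands:" list can call once the Maven build has passed.
# Assumed: installer and fortify.license are already in the working directory, and
# SSC_URL, SSC_TOKEN, APP_NAME, APP_VERSION come in as CodeBuild environment variables
# (SSC_TOKEN from Secrets Manager, never written into the buildspec itself).
FORTIFY_HOME=${FORTIFY_HOME:-/opt/Fortify}
BUILD_ID=${BUILD_ID:-${APP_NAME:-app}}
FPR=${FPR:-results.fpr}
MAX_CRITICAL=${MAX_CRITICAL:-0}
require_env() {       # fail fast before spending minutes on install/scan with a missing variable
  missing=0
  for name in "$@"; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then echo "missing env var: $name" >&2; missing=1; fi
  done
  return "$missing"
}
install_sca() {       # step 3: unattended install (installer flag names assumed; check your version)
  ./Fortify_SCA_installer.run --mode unattended --installdir "$FORTIFY_HOME" \
    --fortify_license_path "$PWD/fortify.license"
  export PATH="$FORTIFY_HOME/bin:$PATH"
}
update_rulepacks() { fortifyupdate; }   # step 4: pull the current Secure Coding Rulepacks
translate_java() {    # step 5: translate the Java sources together with their compile classpath
  sourceanalyzer -b "$BUILD_ID" -clean
  sourceanalyzer -b "$BUILD_ID" -source 1.8 -cp "target/dependency/*" "src/main/java/**/*.java"
}
scan_code() {         # step 6: analyze the translated build and write the FPR
  sourceanalyzer -b "$BUILD_ID" -scan -f "$FPR"
}
upload_to_ssc() {     # step 7: push the FPR to the SSC application version
  fortifyclient uploadFPR -url "$SSC_URL" -authtoken "$SSC_TOKEN" \
    -application "$APP_NAME" -applicationVersion "$APP_VERSION" -file "$FPR"
}
gate_decision() {     # gate_decision COUNT MAX -> non-zero (fail the build) when COUNT exceeds MAX
  [ "$1" -le "$2" ]
}
quality_gate() {      # step 8: fail on Critical issues; reading the first number printed is an assumption
  out=$(FPRUtility -information -search -query "[fortify priority order]:critical" -project "$FPR") || return 1
  critical=$(printf '%s\n' "$out" | grep -oE '[0-9]+' | head -n 1)
  [ -n "$critical" ] || { echo "could not parse issue count from FPRUtility" >&2; return 1; }  # fail closed
  gate_decision "$critical" "$MAX_CRITICAL"
}

if [ "${1:-}" = "run" ]; then
  require_env SSC_URL SSC_TOKEN APP_NAME APP_VERSION
  install_sca && update_rulepacks && translate_java && scan_code && upload_to_ssc && quality_gate
fi
```

A non-zero exit from quality_gate fails the CodeBuild phase, which is what turns step 8 into a real gate rather than a report.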
Approach 2: NextGen Integration (ScanCentral Approach)
This approach is asynchronous. Fortify's ScanCentral engine makes remote scanning quite easy. Below are the steps for performing a NextGen integration in a CI pipeline.
1. Download the ScanCentral Client file (~60 MB; requires Java version >= 1.8)
2. Download or create the client.properties file
The first two steps require a publicly available file server, a public-facing SharePoint server, or even an application server from which the AWS pipeline agent/runner can download these two required files.
Here is a sample bash script to download the files and grant execute permission:
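The download step shared by both approaches (steps 1 and 2 here and in Approach 1), as an added bash example that is not from the original post: since the runner will execute what it fetches from a public file server, each file's SHA-256 is checked against a digest pinned in the pipeline before the installer is made executable. FILES_URL, the file names and the *_SHA256 variables are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original post) for steps 1-2 of both approaches: fetch a
# file from the team's file server, verify its SHA-256 against a digest pinned in the
# pipeline, and only then make it executable. FILES_URL and the *_SHA256 values are
# placeholders supplied as CodeBuild environment variables, never taken from the server.

sha256_of() {       # portable digest helper (sha256sum on Linux, shasum on macOS runners)
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | awk '{print $1}'
}
verify_sha256() {   # verify_sha256 FILE EXPECTED_HEX -> 0 only when the digests match (case-insensitive)
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ "$(sha256_of "$1")" = "$expected" ]
}
fetch_verified() {  # fetch_verified URL EXPECTED_HEX DEST [exec]; a bad digest deletes the file and fails the step
  url=$1; expected=$2; dest=$3; mode=${4:-}
  curl -fsSL --retry 3 -o "$dest" "$url" || return 1
  if ! verify_sha256 "$dest" "$expected"; then
    echo "checksum mismatch for $dest (downloaded from $url); refusing to use it" >&2
    rm -f "$dest"
    return 1
  fi
  if [ "$mode" = exec ]; then chmod +x "$dest"; fi
}

if [ "${1:-}" = "run" ]; then
  : "${FILES_URL:?base URL of the internal file server}"
  fetch_verified "$FILES_URL/Fortify_SCA_and_Apps_linux_x64.run" "$SCA_SHA256" Fortify_SCA_installer.run exec
  fetch_verified "$FILES_URL/fortify.license" "$LICENSE_SHA256" fortify.license
  fetch_verified "$FILES_URL/Fortify_ScanCentral_Client.zip" "$SC_CLIENT_SHA256" Fortify_ScanCentral_Client.zip
fi
```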
3. Extract the ScanCentral Client
4. Translate the code (conditional)
5. Upload the code via the ScanCentral Client to the ScanCentral Controller
6. Results will be uploaded to SSC
Steps five and six are technology-specific; below is a sample script for a Maven-based Java application. Please refer to the Fortify ScanCentral documentation for other build options.
7. Quality gate (may be in the next release)
You can still use the -block switch to wait for the scan to finish and get the quality gate. For now, there is no flag or switch that returns the scan's finished status.
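Steps 2 to 7 of Approach 2 for a Maven project, as an added bash example that is not from the original post. It assumes the client zip is already downloaded, that SC_CONTROLLER_URL, SC_CLIENT_TOKEN (the controller's client_auth_token), SSC_TOKEN, APP_NAME and APP_VERSION are CodeBuild environment variables, and that the Core/config path and the -o/-f switches match your client version. Because client.properties carries the client token, it is generated from that secret at runtime instead of being hosted on a file server.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): Approach 2 steps 2-7 for a Maven project.
# Assumed: the client zip is already in the working directory and SC_CONTROLLER_URL,
# SC_CLIENT_TOKEN (controller client_auth_token), SSC_TOKEN (SSC upload token), APP_NAME
# and APP_VERSION are CodeBuild environment variables. client.properties is generated
# from the secret here because it carries the client token.
SC_HOME=${SC_HOME:-$PWD/scancentral-client}
FPR=${FPR:-results.fpr}

java_major() {    # "1.8.0_292" -> 8, "11.0.20" -> 11, "17" -> 17 (handles the legacy 1.x naming)
  v=${1#1.}
  printf '%s\n' "${v%%.*}" | tr -dc '0-9'
}
check_java() {    # the client requires Java >= 1.8
  ver=$(java -version 2>&1 | awk -F'"' '/version/ {print $2; exit}')
  [ "$(java_major "$ver")" -ge 8 ]
}
write_client_properties() {   # write_client_properties DEST TOKEN: owner-only file, token never echoed
  ( umask 077; mkdir -p "$(dirname "$1")" && printf 'client_auth_token=%s\n' "$2" > "$1" )
}
extract_client() {   # step 3: unpack the client and drop client.properties where it is read (assumed path)
  mkdir -p "$SC_HOME" && unzip -q -o Fortify_ScanCentral_Client.zip -d "$SC_HOME"
  write_client_properties "$SC_HOME/Core/config/client.properties" "$SC_CLIENT_TOKEN"
  export PATH="$SC_HOME/bin:$PATH"
}
remote_scan() {      # steps 4-6: package the Maven project, upload it to the controller, let the
                     # sensor translate and scan, publish to SSC; -block waits for completion
  scancentral -url "$SC_CONTROLLER_URL" start -bt mvn -upload \
    -application "$APP_NAME" -version "$APP_VERSION" -uptoken "$SSC_TOKEN" \
    -block -o -f "$FPR"    # -o/-f (overwrite/output file) as in the client help; check your version
}

if [ "${1:-}" = "run" ]; then
  check_java && extract_client && remote_scan
fi
```

With -block the step waits for the sensor to finish and the FPR is written locally, so it can be gated with FPRUtility exactly as in step 8 of Approach 1.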
That’s it for this week.
Coming Up
This blog is a series in which I will cover most of the cloud providers, to ensure that DevOps teams understand the different approaches to integrating and automating application security activities. In the upcoming posts in this series, I will discuss how to integrate Fortify into your CI/CD process for the most popular cloud-based DevOps solutions:
- Integrate with Amazon Web Services (AWS) CodeStar
- Integrate with Azure DevOps
- Integrate with Google Cloud Platform
- Integrate with GitHub
- Integrate with GitLab
Learn more:
- Fortify DevSecOps Integrations
- Seamless Application Security
- Fortify CI Integrations Part 1 (GitHub, GitLab, Bamboo)
- Fortify CI Integrations Part 2 (Jenkins, Azure DevOps)