Heise Developer Experience 2022, Oktober 2022, Mario-Leander Reimer (@LeanderReimer, Principal Software Architect bei QAware). == Dokument bitte herunterladen, falls unscharf! Please download slides if blurred! == Sicherheit spielt in modernen, hochverteilten Enterprise-Anwendungen eine immer tragendere Rolle. Doch leider steht Sicherheit immer noch im Verruf, kompliziert und aufwendig in der Umsetzung zu sein, und wird deshalb gerne auf die lange Bank geschoben oder gar vernachlässigt. Mit manchmal unangenehmem Ausgang. In diesem Vortrag zeigen wir zahlreiche Tools und Technologien, die schnell und unkompliziert in den Entwickleralltag integriert werden können, um Sicherheit von Beginn an zu berücksichtigen und dabei gleichzeitig nicht zur Produktivitätsbremse werden.

1. qaware.de
Time to Shift Left!
Unkomplizierte Security Tools und Technologien
für den Entwickleralltag
Mario-Leander Reimer
mario-leander.reimer@qaware.de
@LeanderReimer Bild von H. Hach auf Pixabay

2. 2
Mario-Leander Reimer
Principal Software Architect
@LeanderReimer
#cloudnativenerd #qaware
#gernperDude

3. Berücksichtigt ihr Sicherheit bereits
während der Entwicklung?
ⓘ Start presenting to display the poll results on this slide.

4. Security.
Oft nur ein 2nd Class Citizen unter den anderen -illities.
QAware | 4
Software Product
Quality
(ISO 25010)
● Modularity
● Reusability
● Analysability
● Modifiability
● Testability
Maintainability
● Confidentiality
● Integrity
● Non-repudiation
● Authenticity
● Accountability
Security
● Adaptability
● Installability
● Replaceability
Portability
● Co-existence
● Interoperability
Compatibility
● Maturity
● Availability
● Fault Tolerance
● Recoverability
Reliability
● Time Behaviour
● Resource Utilization
● Capacity
Efficiency
● Completeness
● Correctness
● Appropriateness
Functional Suitability
● Operability
● Learnability
● UI Aesthetics
● Accessibility
Usability

5. Meet …
QAware | 5

6. “Too much cognitive load will become a bottleneck for fast
flow and high productivity for many teams.”
QAware | 6
■ Intrinsic Cognitive Load
Relates to fundamental aspects and knowledge in the
problem space (e.g. used languages, APIs, frameworks)
■ Extraneous Cognitive Load
Relates to the environment (e.g. console
command, deployment, configuration)
■ Germane Cognitive Load
Relates to specific aspects of the business domain
(aka. „value added“ thinking)

7. Software wie vom Fließband. Shift Left heißt Sicherheit von
Tag 1 an. Immer wieder auf’s Neue.
QAware | 7
Sicherheitsanforderungen
Sichere Komponenten
Domain Driven Design
Security Patterns
OWASP Top 10
Defensive Programming
Schutzbedarfsanalyse
Angreifer-Analyse Dependencies
Security Testing
DAST + SAST
Package Signing
Container Security
Infrastructure
Deployment
Certificates
Secrets

8. 221 Regeln für stabilen, sicheren und besseren Code.
QAware | 8
Secure Coding Guidelines for Java SE
Version: 9.1, Last updated: October 2022
https://www.oracle.com/java/technologies/javase/seccodeguide.html
Java Coding Guidelines
Fred Long, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda
The CERT™ Oracle™ Secure Coding Standard for Java
Fred Long, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda
Rules are also available online at www.securecoding.cert.org

9. Software wie vom Fließband.
QAware | 9

10. Software wie vom Fließband.
QAware | 10
Clean Code and Defensive Programming

11. Software wie vom Fließband.
QAware | 11
Concurrency & Thread Programming

12. Software wie vom Fließband.
QAware | 12
Secure Programming

13. lreimer/secure-devex22

14. Google ErrorProne
QAware | 14
plugins {
id 'java'
id "net.ltgt.errorprone" version "2.0.2"
}
dependencies {
// dependency for the javac compiler plugin
errorprone "com.google.errorprone:error_prone_core:2.15.0"
}
tasks.named("compileJava").configure {
options.errorprone.enabled = true
// and many other options
}
Find common programming mistakes early during development as part of the Java compile phase.

15. SonarCloud Security Analysis
QAware | 15
plugins {
id "jacoco"
id "org.sonarqube" version "3.4.0.2513"
}
jacocoTestReport {
reports { xml.enabled true }
}
sonarqube {
properties {
property "sonar.projectKey", "lreimer_secure-devex22"
property "sonar.organization", "lreimer"
property "sonar.host.url", "https://sonarcloud.io"
}
}
Sonar can detect 54 security vulnerabilities and 38 security hotspots using static code analysis.

16. Dependency Vulnerability Scanning
QAware | 16
plugins {
id "org.owasp.dependencycheck" version "7.2.1"
}
dependencyCheck {
cveValidForHours=24
failOnError=true
}
The compile time and runtime dependencies of your applications and services can be checked for CVEs
regularly using the OWASP dependency check plugin.

17. Docker Image Vulnerability Scanning
QAware | 17
# Installation and usage instructions for Docker Lint
# https://github.com/projectatomic/dockerfile_lint
dockerfile_lint -f Dockerfile -r src/test/docker/basic_rules.yaml
dockerfile_lint -f Dockerfile -r src/test/docker/security_rules.yaml
# Installation and usage instructions for Trivy
# https://github.com/aquasecurity/trivy
trivy image -s HIGH,CRITICAL secure-devex22:1.0.0
# Installation and usage instructions for Snyk
# https://docs.snyk.io/snyk-cli/install-the-snyk-cli
snyk container test --file=Dockerfile secure-devex22:1.0.0
Several suitable tools can be used to scan your Docker images for vulnerable OS packages and other
software components.

18. Kubernetes Security Scanning
QAware | 18
# see https://github.com/zegl/kube-score
kubectl score k8s/base/microservice-deployment.yaml
# Checkov, see https://github.com/bridgecrewio/checkov
checkov --directory k8s/base
checkov --directory k8s/overlays/int
# Snyk, see https://docs.snyk.io/snyk-cli/install-the-snyk-cli
snyk iac test k8s/base
snyk iac test k8s/overlays/int
# Trivy, see https://github.com/aquasecurity/trivy
trivy k8s -n default --report summary all
trivy k8s -n default --report all all
Many security misconfigurations are possible when deploying Kubernetes workloads. Most can be found
easily via static code analysis using different tools.

19. Terraform Security Scanning
QAware | 19
# TFLint und Rule Sets
# see https://github.com/terraform-linters/tflint
# see https://github.com/terraform-linters/tflint-ruleset-aws
terraform init
terraform plan
tflint
# Checkov
# see https://github.com/bridgecrewio/checkov
checkov --directory aws
# Snyk
# https://docs.snyk.io/snyk-cli/install-the-snyk-cli
snyk iac test aws/
Many security misconfigurations of your cloud infrastructure are possible when working with Terraform.
Most can be found easily via static code analysis using different tools.

20. Continuous Developer Experience
QAware | 20
# see https://github.com/pre-commit/pre-commit
brew install pre-commit
# see https://pre-commit.com/hooks.html
# see https://github.com/gruntwork-io/pre-commit
# see https://github.com/antonbabenko/pre-commit-terraform
# install the Git hook scripts
pre-commit install
pre-commit run --all-files
# see https://github.com/lreimer/secure-devex22/actions
# see https://github.com/lreimer/secure-devex22/actions/new?category=security
The linters and static analysis tools are ideally run before and with every Git commit and push. Also GitHub
and many other platforms provide CI and security integration functionality that can be used.

21. Continuous Security Scanning
QAware | 21
# installing the Starboard Operator and CLI
# see https://aquasecurity.github.io/starboard/
helm repo add aqua https://aquasecurity.github.io/helm-charts/
helm repo update
helm install starboard-operator aqua/starboard-operator
--namespace starboard-system --create-namespace
--set="trivy.ignoreUnfixed=true" --version 0.10.8
kubectl get vulnerabilityreports --all-namespaces -o wide
kubectl krew install starboard
kubectl starboard install
kubectl starboard scan vulnerabilityreports deployment.apps/nginx-deployment
kubectl starboard get vulnerabilityreports deployment/nginx-deployment -o yaml
# see https://github.com/lreimer/continuous-zapk8s
# see https://www.zaproxy.org/getting-started/
# see https://www.zaproxy.org/docs/docker/api-scan/

22. There is no 100% security!
Incorporate security into your
daily development process.

23. Pay your Devs well!
Cater for a productive and
secure work environment.

24. qaware.de
QAware GmbH
Aschauer Straße 32
81549 München
Tel. +49 89 232315-0
info@qaware.de
twitter.com/qaware
linkedin.com/company/qaware-gmbh
xing.com/companies/qawaregmbh
slideshare.net/qaware
github.com/qaware