Uncovering SAST ,DAST ,OWASP Dependency-Check in DevSecOps family (Part-2)

soumya14041987

Soumya

Posted on October 17, 2024

Uncovering SAST ,DAST ,OWASP Dependency-Check in DevSecOps family (Part-2)

In the first part I uncovered the fundamentals of DevSecOps principles and demonstrates with a Jenkins Pipeline . Following that blog I will explain all other DevSecOps tools commonly used in a Jenkins Pipeline in separate stages. Let's delve and try to under stand the SAST ,DAST & OWASP Dependency Check in a simple terms & from the Jenkins Pipeline prospective .

What is SAST?
SAST (Static Application Security Testing) is like a spell-checker for your code, but instead of checking for grammar, it searches for security vulnerabilities. SAST tools scan the source code (without executing it) to identify potential vulnerabilities early in the development cycle, such as SQL injections, cross-site scripting (XSS), or insecure configurations.

When is SAST used ?
SAST is typically used during the development phase and analyzes the code before it's run. It integrates into the CI pipeline, flagging vulnerabilities while developers are still writing and testing code.

What is DAST?
DAST (Dynamic Application Security Testing), on the other hand, is a "black-box" testing approach that simulates real-world attacks on your running application. It doesn’t look at the code itself but focuses on finding vulnerabilities in the application’s behavior during runtime. DAST tests an application in an operational state to uncover vulnerabilities like misconfigurations, authentication issues, or common web application attacks (e.g., SQLi, XSS).

When is DAST used ?

DAST is often used later in the CI/CD pipeline, after the application has been built and deployed to a testing environment. It ensures the application is secure under actual running conditions.

OWASP Dependency-Check: Finding Vulnerabilities in Dependencies
OWASP Dependency-Check focuses on third-party libraries and dependencies your project uses. Many vulnerabilities lie in outdated or insecure libraries, which can easily slip under the radar. Dependency-Check scans the dependencies for known vulnerabilities in the National Vulnerability Database (NVD) and alerts developers to update or fix vulnerable versions.

Why is this important ?

With modern applications depending on numerous open-source libraries, it’s vital to ensure these third-party components are secure. A vulnerable library can become the weakest link, compromising the security of the entire application.

Real-World Example of SAST, DAST, and OWASP Dependency-Check

Let’s imagine a real-world scenario where you’re building a web application using Python on the backend, React on the frontend, and a MySQL database. As part of the DevSecOps team, you want to ensure that your CI/CD pipeline not only tests functionality but also performs security checks.

1. SAST Example:
Before your developers push their code to the repository, a SAST tool such as SonarQube is integrated into the Jenkins pipeline. It scans the Python backend code for hardcoded credentials, insecure API calls, and SQL injection vulnerabilities.

How it works:
SonarQube scans the source code (before execution) and produces a report identifying any vulnerabilities in the logic.
Developers can view the report directly in Jenkins and fix the vulnerabilities before proceeding.

2. DAST Example:
After the code is built and deployed in a staging environment, a DAST tool like OWASP ZAP (Zed Attack Proxy) runs dynamic tests against the running application. It simulates common web-based attacks to identify potential vulnerabilities like cross-site scripting (XSS) and SQL injection.

How it works:
Jenkins triggers OWASP ZAP to scan the running application.
ZAP performs attacks (e.g., tries to inject SQL statements in input fields) and reports on vulnerabilities that exist in the running application.

Image description

  1. OWASP Dependency-Check Example As part of your build process, OWASP Dependency-Check scans your application’s dependencies for known vulnerabilities. Let’s say you’re using an older version of requests library in Python that contains a security flaw. Dependency-Check flags it as vulnerable and suggests updating to a safer version.

How it works:
The tool analyzes the libraries listed in your project (like requirements.txt in Python or package.json in Node.js).
Jenkins runs a scan and provides a detailed report, listing which dependencies are vulnerable, along with their CVE identifiers.

Image description

Now let's walkthrough how those actually functions in a typical Jenkins Pipeline .

  1. SAST with SonarQube Plugin: The SonarQube Scanner Plugin for Jenkins allows seamless integration of static code analysis into your pipeline. It runs SonarQube scans and presents the results in Jenkins. Usage: After a code push or pull request, Jenkins triggers a static code scan using SonarQube.
sonarScanner {
    scannerHome = tool 'SonarQubeScanner'
    options = ['-Dsonar.projectKey=my-project', '-Dsonar.sources=.']
}
Enter fullscreen mode Exit fullscreen mode

Now let's understand the above code part with a real world example :-
Imagine you are part of a team developing an online shopping application, and you want to ensure the code quality is maintained throughout the development process. You decide to use SonarQube for static code analysis to detect bugs, vulnerabilities, and code smells.

Here’s how this snippet fits in:

Scenario:
You are working on a new feature in the shopping cart section of the app, and you want to ensure that the code you write adheres to best practices.
Before merging your feature branch into the main branch, you need to check for issues like security vulnerabilities or bad coding patterns using SonarQube.

What the code does?

sonarScanner block: Jenkins is running a pipeline to build and test your code. As part of this process, it runs the SonarQube scanner.
scannerHome = tool 'SonarQubeScanner': Jenkins uses the SonarQube scanner installed on the server to perform code analysis.
options = ['-Dsonar.projectKey=my-project', '-Dsonar.sources=.']:

-Dsonar.projectKey=my-project: This tells SonarQube which project the code belongs to, in this case, the shopping cart app (my-project).

-Dsonar.sources=.: This indicates that the source code to be analyzed is located in the current directory of the project.

DAST (Dynamic Application Security Testing) Command Example: :-

In Jenkins, you could integrate a DAST tool like OWASP ZAP to scan your running application for security vulnerabilities. Here's a simplified version of how you might configure it:

zap-cli scan --target http://my-web-app.com

Enter fullscreen mode Exit fullscreen mode

Explanation:
zap-cli scan: This command runs a DAST scan using OWASP ZAP.
--target http://my-web-app.com: Specifies the target web application URL that will be dynamically tested for vulnerabilities like SQL injection or XSS (cross-site scripting).

***Real-world example:*
Imagine you’ve built an online payment platform, and you want to check if your live application is vulnerable to attacks. This command dynamically tests your app while it’s running, simulating real-world attacks to ensure the app is secure.

OWASP Dependency-Check Command Example:
This tool only scans the third party libraries such as Lodash , Spring integrated with my application during build, development phase .

dependency-check --project MyApp --scan /path/to/project

Enter fullscreen mode Exit fullscreen mode

Explanation:
dependency-check: Runs the OWASP Dependency-Check tool.
--project MyApp: Specifies the name of your project, like "MyApp"
--scan /path/to/project: Points to the directory where your project’s code and dependencies are located.

Real-world example:
Let’s say you’re building a social media app and you’ve used several third-party libraries like Lodash or Spring. This command checks all the libraries in your app for known vulnerabilities. If any are found, you can update the affected libraries before deploying the app, preventing potential security risks.

Conclusion
In the DevSecOps family, tools like SAST, DAST, and OWASP Dependency-Check ensure that security is baked into the development process. Jenkins pipelines make it incredibly easy by installing proper plugins with no additional cost to integrate these tools, providing an automated, scalable, and visible solution for secure code delivery. By adding security as a step in your Jenkins CI/CD pipeline, you can catch vulnerabilities early, reduce risks, and deliver safer applications to your users.

***Now, with Jenkins as your trusted butler and SAST, DAST, and Dependency-Check as your loyal security team, your DevSecOps journey just got a whole lot smoother!*😉😎

💖 💪 🙅 🚩
soumya14041987
Soumya

Posted on October 17, 2024

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related