Securing DevSecOps - Threat Research Release October 2021

DevSecOps stands for Development, Security and Operations. This is a practice aimed to automate or design security integration throughout the software development lifecycle or workflow.

Nowadays, collaborative frameworks and projects that share security protocols from end to end are really common, so DevSecOps practices attempt to emphasize building infrastructure with a strong security foundation and stable automation workflow and phases.

Watch the video below to learn more about Securing DevSecOps.

Some of the tools and workflow we used to illustrate the DevSecOps lifecycle are shown below:

• GDrive (Plan Phase): plan,track and manage software development of this project
  
• GitHub (Code Phase): Contains the version controlled code
  
• Semgrep (Build Phase): Code Quality, Code Security, Vulnerability Scanning of the application
  
• CircleCI (Test Phase): CI/CD pipelines
  
• AWS Elastic Container Registry (Release Phase): Storage of Docker Images used for the application
  
• Kube-Hunter (Deploy Phase): Security Scanner for Kubernetes Cluster
  
• Kubernetes (Operate Phase): Container Deployment, Scaling and Management
  
• Splunk (Monitor Phase): To monitor all these tools
  
  

The goal of this blog is to focus on detecting various suspicious scenarios or anomalies that may happen within the phases of the DevSecOps lifecycle: Plan, Code, Build, Test, Release, Deploy, Operate and Monitor.

In order to accomplish this, Splunk Threat Research Team created a simple proof-of-concept web application to collect events and study the phases of DevSecOps lifecycle. The architecture for this simple web application can be seen below:

The website built on a modern web development stack looks like this:

With this proof-of-concept and other system that may give us insight to the DevSecOps phases, we develop detections that includes the following:

• AWS ECR Container Scanning Findings High
  
• AWS ECR Container Scanning Findings Low Informational Unknown 
  
• AWS ECR Container Scanning Findings Medium 
  
• AWS ECR Container Upload Outside Business Hours 
  
• AWS ECR Container Upload Unknown User 
   

These detections are designed to leverage AWS logs to monitor AWS Elastic Container Service (ECR) events for possible anomalies and suspicious behavior in the Release phase of DevSecOPs:

• CircleCI Disable Security Job 
  
• CircleCI Disable Security Step
   

Detections related to bypassing circle CI security features to stop or disturb the Build phase of the workflow:

• GitHub Commit In Develop 
  
• GitHub Dependabot Alert 
  
• GitHub Pull Request From Unknown User 
   

Detections for possible anomalies and suspicious modification or pulling of code and disabling security features in github Code phase workflow:

• GSuite Drive Share In External Email 
  
• GSuite Email Suspicious Attachment 
  
• GSuite Email Suspicious Subject With Attachment 
  
• GSuite Email With Known Abuse Web Service Link 
  
• GSuite Outbound Email With Attachment To External Domain 
  
• GSuite Suspicious Shared File Name
   

Detections for suspicious GSuite events as part of the initial stage of attack  or Plan phase of the DevSecOps workflow:

• Kubernetes Nginx Ingress LFI 
  
• Kubernetes Nginx Ingress RFI
  
• Kubernetes Scanner Image Pulling 
   

And these detections are designed for suspicious events happening in the Deploy or Operate Phase of the DevSecOps workflow.

A Summary of all Detections In Security Content for the Dev Sec Ops Analytics 

Automating with SOAR Playbooks 

Many of the detections we’ve created as part of this Analytic Story are of the type Anomaly. If you’re unfamiliar with the types of analytics we create, you can read more about them here. Anomaly analytics do not necessarily indicate an attack, but can be used to modify risk. With that being said, the Splunk Threat Research Team wants to highlight the Risk Notable Playbook Pack released by Philip Royer and Kelby Shelton. You can view the talk they presented at .conf21 that highlights these playbooks here. These are available today, in product, for all Splunk SOAR customers. The implementation guide is available on docs.splunk.com and you can preview any individual playbook within this pack on research.splunk.com.

Why Should You Care?

We call DevSecOps a practice for a reason. DevSecOps isn’t a checkbox or a thing you can do sometimes. For an organization to practice DevSecOps, they need to integrate aspects of it into their day to day activities. These new methods of developing software come with their own risks and exposures. The Splunk Threat Research Team’s DevSecOps analytic story can help you mitigate those risks as you go.

Learn More

You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections now available via push update. In the upcoming weeks, the Splunk Threat Research team will be releasing a more detailed blog post on this analytic story. Stay tuned!

For a full list of security content, check out the release notes on Splunk Docs.

Feedback

Any feedback or requests? Feel free to put in an issue on Github and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions If you need an invitation to our Splunk user groups on Slack.

Contributors

We would like to thank the following for their contributions to this post.

• Patrick Bareiss
  
• Lou Stella
  
• Teoderick Contreras