HUD – Security CICD Pipeline for Cloud Deployment Automation
HUD Office of Information Technology Security (OITS) required the ability to meet compliance and security milestones within a CI/CD pipeline for the HUD Cloud PaaS. stackArmor designed and implemented the QAICDS to provide a security dashboard and reports for the HUD CISO Security Team.
Secure DevOps Solution
stackArmor's Security and DevOps engineering team developed and implemented a Jenkins-based security reporting system that used tools such as Yasca, SonarQube, and OpenSCAP, among others, and integrated with vulnerability scanners such as Tenable Nessus and HP Fortify.
Static Code Analysis with Yasca
Yasca is a static source code analysis tool that performs a number of tests to identify actual and potential coding issues, including those identified in the OWASP Top 10 listed in Section 3. It should be noted that Yasca, an open-source tool, is only one of the tools that support secure coding practices; other code analysis tools include HP Fortify and IBM AppScan. Yasca uses individual plugins to scan targeted files. The Yasca implementation included the following plugins:
• Grep Plugin. Uses external GREP files to scan target files for simple patterns.
• PMD Plugin. Uses PMD to parse and scan Java (and JSP) source code for issues.
• JLint Plugin. Uses J-Lint to scan Java .class files for issues.
• antiC Plugin. Uses antiC to scan Java and C/C++ source code for issues.
• FindBugs Plugin. Uses FindBugs to scan Java class and Jar files for issues.
• Lint4J Plugin. Uses Lint4J to scan Java .class files for issues.
Quality Management with SonarQube
SonarQube (formerly known as Sonar) is an open source tool suite for measuring and analysing the quality of source code. SonarQube provides reporting and management oversight, allowing the CISO and Security team to collect and monitor security issues as part of the CI/CD pipeline.
HPE Fortify Static Code Analyzer (SCA)
HPE Fortify Static Code Analyzer (SCA) provides static application security testing (SAST). It is used to analyse the source code of an application for security vulnerabilities. It reviews code and helps developers identify and resolve issues during development and testing.
Nessus is a vulnerability scanner from Tenable. Nessus identifies system vulnerabilities, missing patches, and non-compliant system configurations. Scans can be performed on a periodic basis, and the results are delivered to the CI/CD Project Manager.
Consistent with the DevOps culture, the application development teams are responsible for mitigating findings related to hosted applications. The CI/CD team is responsible for mitigating findings related to the underlying platform (OS, Database, Web Server). The CI/CD team coordinates with application development teams and/or the security team to address platform findings that may affect hosted applications.
OpenSCAP (OSCAP) uses XCCDF checklist profiles to evaluate the operating system's configuration against an established checklist profile. The CI/CD pipeline uses OSCAP to evaluate the system configuration of the instances supporting the CI/CD development pipeline.
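As an added illustration of how an OSCAP evaluation can be wired into a pipeline stage (example code, not stackArmor's or HUD's implementation), the script below builds the `oscap xccdf eval` invocation, parses the XCCDF 1.2 results document it produces, and gates the build on failed rules by severity. The SCAP datastream path, profile id and the sample results document are constructed placeholders.

```python
"""CI/CD gate for OpenSCAP XCCDF results (added example, not the project's code).

Assumes `oscap` is on PATH; the datastream, profile and sample below are constructed.
"""
import subprocess
import xml.etree.ElementTree as ET

XCCDF_NS = "{http://checklists.nist.gov/xccdf/1.2}"  # XCCDF 1.2 namespace used by oscap results


def oscap_eval_command(datastream, profile, results="results.xml", report="report.html"):
    """Build the oscap invocation a pipeline stage would run (not executed here)."""
    return ["oscap", "xccdf", "eval", "--profile", profile,
            "--results", results, "--report", report, datastream]


def run_scan(datastream, profile, results="results.xml", report="report.html"):
    """Run oscap; exit 2 means 'evaluated, some rules failed' and is a normal outcome."""
    proc = subprocess.run(oscap_eval_command(datastream, profile, results, report))
    if proc.returncode not in (0, 2):
        raise RuntimeError(f"oscap did not complete the evaluation (exit {proc.returncode})")
    return results


def summarize_results(xml_text):
    """Return {severity: [rule ids]} for every rule-result whose result is 'fail'."""
    root = ET.fromstring(xml_text)
    failed = {}
    for rr in root.iter(XCCDF_NS + "rule-result"):
        result = rr.find(XCCDF_NS + "result")
        if result is not None and result.text == "fail":
            failed.setdefault(rr.get("severity", "unknown"), []).append(rr.get("idref"))
    return failed


def gate(failed, blocking=("high",)):
    """Pipeline gate: True (pass) only if no failed rule carries a blocking severity."""
    return not any(failed.get(sev) for sev in blocking)


# Constructed sample results document, shaped like real oscap output (placeholder ids).
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <TestResult id="xccdf_example_testresult">
    <rule-result idref="xccdf_example_rule_sshd_root_login" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_clamav_installed" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_file_perms" severity="low"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>"""

if __name__ == "__main__":
    failed = summarize_results(SAMPLE_RESULTS)
    print(failed, "gate passed:", gate(failed))
```

In a real stage, `run_scan` produces `results.xml`, `summarize_results` reads it, and a `gate` of False fails the build while the HTML report feeds the dashboard.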
ClamAV is an antivirus scanner for Linux operating systems. ClamAV was installed on Linux servers supporting application development. ClamAV is configured to scan local directories and files for known malicious code on a nightly schedule.
Windows Defender is an antivirus scanner for Windows operating systems. Windows Defender will be configured on Windows servers and workstations supporting application development to scan local directories and files for known malicious code on a nightly schedule.