Secure DevOps for FedRAMP Compliant Cloud

US Federal Agencies are rapidly adopting and deploying secure cloud platforms to deliver production quality software with fewer defects, and better security. Continuous Integration/Continuous Deployment (CI/CD) also known as DevOps is a rapidly maturing practice for reducing the time and effort it takes to test and deploy code into production. The rapid automation of the integration and deployment activities is common especially on cloud-based platforms. However, meeting FedRAMP and FISMA related compliance requirements as part of the Security Accreditation and Authorization (SA&A) process requires additional steps in the CI/CD pipeline.  Tools such as Yasca, SonarQube, and OpenSCAP amongst others when integrated with vulnerability scanners such as Tenable Nessus, HP Fortify and others can provide additional reports and information requires by the IA team to help ensure compliant with FedRAMP and FISMA requirements.

Implementing Security in the CI/CD Pipeline

The CI/CD or DevOps Security lifecycle begins with code development and integration. As the code is committed for deployment, the CI/CD security processes are activated. Common action items including static code analysis, vulnerability scanning, anti-virus scans and other similar integrity functions. The results from the security scans are provided to project management and the Chief Information Security Officer (CISO) within the organization. SecDevOps includes the execution of automated scanning tools and manual security reviews of results by the Security Team in order to facilitate the application deployment process. Key areas of concern for the IA team include: static code scanning, dynamic code scanning, anti-virus, vulnerability scanning and NIST SCAP compliant reporting and analytics. stackArmor’s DevOps and Compliance Engineering teams have implemented Secure DevOps solutions for Agencies including US Treasury, HUD, and GSA 18F amongst others.

YASCA Static Code Analysis: Yasca is a static source code analysis tool that performs a number of tests to identify actual and potential coding issues, to include those identified in the OWASP Top 10 listed in Section 3.  It should be noted that Yasca, an open source tool is only one of tools to support secure coding practices.  Other code analysis tools include HP Fortify, IBM AppScan, and others.  Yasca utilizes individual plugins to perform scanning of targeted files.  The Yasca implementation may include the following plugins (depending on the development environment):

• Grep Plugin. Uses external GREPfiles to scan target files for simple patterns.
• PMD Plugin. Uses PMD to parse and scan Java (and JSP) source code for issues.
• JLint Plugin. Uses J-Lint to scan Java .class files for issues.
• antiC Plugin. Uses antiC to scan Java and C/C++ source code for issues.
• FindBugs Plugin. Uses FIndBugs to scan Java class and Jar files for issues.
• Lint4J Plugin. Uses Lint4J to scan Java .class files for issues.

Yasca plugins implement five (5) severity levels:

• 1 – Critical
• 2 – High
• 3 – Warning
• 4 – Low
• 5 – Informational

When code has been committed to the CI/CD Git repository the associated Jenkins job builds the code base.  The Jenkins build invokes a Yasca scan of the committed code, which creates a Yasca report in HTML format as well as CSV format.  The Yasca results CSV file is further processed and formatted into an xml document.  After the Yasca file is processed, Sonar Scanner is invoked to analyze the created XML file using custom rules to map the Yasca results into the SonarQube dashboard.

SonarQube: SonarQube (formerly known as Sonar) is an open source tool suite to measure and analyse to quality of source code. SonarQube provides reporting and management oversight for the CISO and Security team to collect and monitor security issues as part of the CI/CD pipeline.

SonarQube implements five (5) severity levels:

• Blocker
• Critical
• Major
• Minor
• Info

Yasca severity levels are mapped to SonarQube severity levels in accordance with the table below:

Once the mappings are established, Yasca scans performed as part of the CI/CD build process are configured to generate a detailed report of findings and piped into SonarQube.  CSV formatted reports are condensed versions providing Finding #, Plugin Name, Severity, Location, and Message fields.  These CSV files are converted to an XML file that is imported to SonarQube.

HPE Fortify Static Code Analyzer (SCA): Depending on the security needs of the organization additional security checks can be added. Commercial packages such as HPE Fortify Static Code Analyzer (SCA) provide static application security testing (SAST).  It is used to analyse the source code of an application for security vulnerabilities. It reviews code and helps developers identify and resolve issues during development and testing.

Fortify SCA implements four (4) severity levels:

• Critical
• High
• Medium
• Low

SonarQube implements five (5) severity levels:

• Blocker
• Critical
• Major
• Minor
• Info

Fortify severity levels are mapped to SonarQube severity levels in accordance with the table below:

By default HPE Fortify SCA natively produces a proprietary result file with an FPR extension.  Fortify SCA may also be configured to produce a text (TXT) or an xml-based FVDL file.  Fortify SCA also provides a Report Generator utility to produce PDF or XML files.  For issues related to the flow of data, Fortify identifies a Source, the code that collects and sends input, and a Sink, the code that receives/processes the input.

Nessus: Nessus Vulnerability Scanner is a vulnerability scanner by Tenable.  Nessus identifies system vulnerabilities, missing patches, and non-compliant system configurations.  Scans can be performed on a periodic basis and the results are to the CI/CD Project Manager.

Consistent with the DevOps culture, the application development teams are responsible for mitigating findings related to hosted applications.  The CI/CD team is responsible for mitigating findings related to the underlying platform (OS, Database, Web Server).  The CI/CD team coordinates with application development teams and/or the security team to address platform findings that may affect hosted applications.

OpenSCAP: OSCAP utilizes XCCDF checklist profiles to evaluate system configurations for the operating system against an established checklist profile.  The CI/CD pipeline utilizes OSCAP to evaluate the system configurations for the instances supporting the CI/CD development pipeline.

OpenSCAP implements four (4) severity levels:

• High
• Medium
• Low
• Other

SonarQube implements five (5) severity levels:

• Blocker
• Critical
• Major
• Minor
• Info

OpenSCAP severity levels are mapped to SonarQube severity levels in accordance with the table below:

ClamAV: ClamAV is an antivirus scanner for Linux operating systems.  ClamAV will be installed on Linux servers supporting application development.  ClamAV is configured to scan local directories and files for known malicious code on a nightly schedule. The application development teams are responsible for mitigating findings related to hosted applications.  The CI/CD team is responsible for mitigating findings related to the underlying platform (OS, Database, Web Server).

Windows Defender: Windows Defender is an antivirus scanner for Windows operating systems.  Windows Defender will be configured on Windows servers and workstations supporting application development.  Windows Defender is configured to scan local directories and files for known malicious code on a nightly schedule. The application development teams are responsible for mitigating findings related to hosted applications.  The CI/CD team is responsible for mitigating findings related to the underlying platform (OS, Database, Web Server).

Interested in reading more? Download our white paper on Sec DevOps

Download Whitepaper: Implementing Secure DevOps (SecDevOps) on public cloud platforms.