Search the Community
Showing results for tags 'devsecops'.
-
Artificial Intelligence (AI) and Machine Learning (ML) have emerged as transformative technologies, driving innovation across many industries. However, in addition to their benefits, AI and ML systems bring unique security challenges that demand a proactive and comprehensive approach. A new methodology that applies the principles of DevSecOps to AI and ML security, called AISecOps, ensures […] The article AISecOps: Applying DevSecOps to AI and ML Security appeared first on Build5Nines.
-
Datadog today published a State of DevSecOps report that finds 90% of Java services running in a production environment are vulnerable to one or more critical or high severity vulnerabilities introduced by a third-party library, versus an average of 47% for alternative programming languages. Based on an analysis of IT environments being monitored using the […]
-
Incidents

It has been implicated in activity which resembles scanning remote hosts on the internet for security vulnerabilities. Activity of this nature is forbidden in the AWS Acceptable Use Policy (https://aws.amazon.com/aup/). We’ve included the original report below for your review.

This is a notification of unauthorized uses of systems or networks. We have observed IP addresses from your network probing my servers for TCP open ports. Due to their dubious behavior, they are suspected to be compromised botnet computers. If you regularly collect IP traffic information of your network, you will see the IPs listed connected to various TCP ports of my server at the time logged, and I suspect that they also connected to TCP ports of many other IPs. If a Linux system was at the attacker’s IP, you might want to use the command “netstat -ntp” to list its active network connections. If there is still some suspicious connection, find out what PID/program/user ID they belong to as you might find something to help you solve this problem. In addition to the above, kindly notify the victims (owners of those botnet computers) as this will assist them in taking the appropriate action to clean their computers. Once this action is completed, not only will it prevent severe incidents such as data leakage and DDoS but, it will also stand off botnets from taking up your network bandwidth.

Solution

Step 1 – Investigate the Process

$ netstat -ntp
$ ps -p 207082 -o command=
$ ls -l /proc/207082/exe

Step 2 – Check for Service Units or Cron Jobs

The process might be started by a systemd service or a cron job:

Systemd service: Check for custom systemd service files in /etc/systemd/system/ or /lib/systemd/system/ and use systemctl to list all services to see if any custom or suspicious service is running.

Step 3 – Stop and Disable the Process

If the process is managed by a systemd service, disable and stop it:

$ sudo systemctl stop servicename.service
$ sudo systemctl disable servicename.service

If it's a cron job, remove or comment out the line in the crontab.

Step 4 – Remove Executable and Clean Up

After identifying the executable, consider carefully removing it if it's confirmed to be malicious or not needed:

$ sudo rm /path/to/executable

Be cautious, as removing system files or legitimate processes can harm your system.

Step 5 – Further Security Measures

Rootkit Check: Since this process appears suspicious, it’s a good idea to run a tool like rkhunter or chkrootkit to check for rootkits.
Malware Scan: Use a Linux-based antivirus tool to scan your system for malware.
Audit Logs: Check /var/log/auth.log, /var/log/syslog, or relevant system logs for any unusual activity, especially around the times the process was started.
System Updates: Ensure your system and all applications are up-to-date with the latest security patches.
Firewall Review: Verify your iptables rules and ensure no unwanted rules are allowing traffic through.
Network Monitoring: Monitor outbound and inbound connections for further suspicious activities.

CULPRIT#1

I see the process was getting created by the daemon user and through crontab:

file /var/tmp/bash18
file /var/tmp/sh18
file /var/tmp/init18
file /var/bash18
file /var/sh18
file /var/init18
file /var/lock/bash18
file /var/lock/sh18
file /var/lock/init18

Investigation Further -> How was this code added in Crontab?

I am wondering how these executables such as bash18, sh18 and init18 are set in the daemon user's crontab using XAMPP. Any clue?

To search through your JavaScript (.js) and PHP (.php) codebase for patterns that might indicate code responsible for adding cron jobs, you can use the grep command in Linux.

Basic grep Search

This searches all PHP and JS files for the word "crontab":

$ grep -r --include=\*.{php,js} "crontab" .

Search for Shell Execution Functions

Many malicious scripts use PHP's shell execution capabilities (exec, shell_exec, system, passthru, and backticks) to run system commands.

$ grep -r --include=\*.php "\(exec\|shell_exec\|system\|passthru\|\`\)" .

This command will search for any of the mentioned functions in PHP files. Note the use of backslashes to escape certain characters (the backtick must be escaped too, since an unescaped backtick inside double quotes starts a shell command substitution) and the use of \| to indicate an "OR" condition.

Searching for Suspicious Base64 Encodings

Malicious code is often encoded in Base64 to obfuscate its presence. Searching for Base64 encoded strings can sometimes uncover hidden malicious code.

$ grep -r --include=\*.{php,js} "base64_decode" .

The post DevSecOps: scanning remote hosts on the internet for security vulnerabilities appeared first on DevOpsSchool.com.
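The two checks above (a user's crontab pointing at executables in world-writable directories, and PHP/JS code that calls shell-execution functions or base64_decode) as reusable shell functions. This is an added example, not code from the DevOpsSchool post; the crontab text and the htdocs tree it scans are constructed here so it runs offline, and it assumes a grep that supports -r, -n, -E and --include. In real use the crontab would come from crontab -l -u daemon and the scan root would be the XAMPP htdocs directory.

```shell
#!/bin/sh
# Added triage helpers for the incident above (not from the original post).

# Constructed sample crontab text for the daemon user: one benign entry and
# one entry that re-launches a dropper from a world-writable directory.
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * /var/tmp/bash18 >/dev/null 2>&1'

# Print crontab lines (comments skipped) whose command is launched from a
# world-writable staging directory, or that reference the bash18/sh18/init18
# names found in this incident. Reads crontab text on stdin.
suspicious_cron_lines() {
    grep -v '^[[:space:]]*#' |
        grep -E '(/var/tmp|/tmp|/dev/shm|/var/lock)/|/(bash|sh|init)18([[:space:]]|$)'
}

# Scan PHP and JS files under the web root given as $1 for the
# shell-execution functions, backticks and base64_decode calls the post greps
# for. Output is path:line:text. The leading (^|[^[:alnum:]_]) keeps
# "system(" from matching inside longer identifiers such as "filesystem(".
scan_webroot() {
    grep -rnE --include='*.php' --include='*.js' \
        '(^|[^[:alnum:]_])(exec|shell_exec|system|passthru|base64_decode)[[:space:]]*\(|`' \
        "$1"
}

# Build a constructed fixture tree (a tiny XAMPP-style htdocs) so the scan
# can be exercised offline; prints the fixture directory.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/htdocs/lib" "$dir/htdocs/js"
    cat > "$dir/htdocs/index.php" <<'EOF'
<?php
echo htmlspecialchars($_GET['q'] ?? '', ENT_QUOTES);
EOF
    cat > "$dir/htdocs/lib/cache.php" <<'EOF'
<?php
$blob = base64_decode($encoded);
$out = shell_exec("crontab -l");
EOF
    cat > "$dir/htdocs/js/app.js" <<'EOF'
document.getElementById('status').textContent = 'ok';
EOF
    printf '%s\n' "$dir"
}

# Demo run against the constructed inputs.
echo "== suspicious crontab entries =="
printf '%s\n' "$SAMPLE_CRONTAB" | suspicious_cron_lines
FIXTURE=$(make_fixture)
echo "== suspicious calls under $FIXTURE/htdocs =="
scan_webroot "$FIXTURE/htdocs"
rm -rf "$FIXTURE"
```

Every hit still needs a manual look: a legitimate deploy script may call shell_exec, while the crontab filter only narrows the list to entries worth tracing back to their writer.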
-
About

The Certified DevSecOps Engineer course is designed to equip participants with the skills and knowledge needed to integrate security practices within the DevOps process. This comprehensive training will cover essential security principles and tools, enabling engineers to build safer software in a fast-paced environment.

Course Features

Interactive Learning: Engage in hands-on sessions with real-world scenarios.
Expert Instructors: Learn from industry professionals with extensive experience.
Comprehensive Materials: Receive materials that cover all aspects of DevSecOps.
Certification: Obtain a certification upon completion, validating your expertise in DevSecOps.

Training Objectives

Understand the importance of integrating security into the DevOps culture.
Master the use of tools and techniques for securing applications and infrastructure.
Learn to automate security within the CI/CD pipeline.
Develop skills to assess, remediate, and prevent vulnerabilities in software development.

Target Audience

DevOps Engineers looking to specialize in security
Security Professionals seeking to understand DevOps practices
IT Managers aiming to implement DevSecOps in their teams
Software Developers interested in security aspects of software development

Training Methodology

Hands-On Labs: Practical exercises and real-world simulations.
Group Discussions: Collaborative learning through sharing experiences and ideas.
Case Studies: Analysis of real-world security incidents and practices.

Daywise Agenda

Day 1
Introduction to DevSecOps
Security Principles in DevOps
Setting up a Secure DevOps Environment

Day 2
Tools and Technologies for DevSecOps
Automating Security in CI/CD
Vulnerability Management

Day 3
Infrastructure as Code (IaC) Security
Compliance and Governance
Incident Response and Monitoring

Day 4
Security in Application Development
DevSecOps Best Practices and Strategies
Preparing for the Certification Exam

Trainers

Rajesh Kumar: An experienced DevSecOps professional with over a decade of experience in integrating security into development processes.

FAQs

Who should attend this course? Anyone interested in learning how to integrate security into the DevOps process.
What are the prerequisites for this course? A basic understanding of DevOps and software development is beneficial but not mandatory.
How is the certification obtained? The certification is awarded upon passing an exam at the end of the course.
Is this course suitable for beginners? Yes, it is designed to accommodate participants with varying levels of experience in DevOps and security.
How to contact us?

The post Certified DevSecOps Engineer Course appeared first on DevOpsSchool.com.
-
BizDevSecOps might sound like a mouthful, but it marks a necessary evolution. As business goals and technology efforts continue to converge, organizations need to ensure teams are performing to their full potential. Business considerations are now part of the security, operations, and development framework. During a session at Dynatrace Perform 2024, Dynatrace colleagues Kristof Renders, director of innovation services, and Brian Chandler, principal solutions architect, demonstrated four BizDevSecOps use cases for the Dynatrace unified observability and security platform. Additionally, the pair illustrated the effect users can expect after implementation.

Getting granular with user experience

It all starts—and ends—with user experience. When users encounter issues with applications or services, performance and productivity drop. As a result, organizations need complete visibility into the user experience both individually and at scale. The Dynatrace real-time user experience dashboard helps organizations discover where issues are happening and how they’re affecting users. “You can see where drop-off happens,” Chandler said. “You can see where people can do business KPIs [key performance indicators], and you can see where downticks happen. We’ve built the ability to track all business SLOs [service-level objectives].” And with Dynatrace Site Reliability Guardian, all teams across the organization can understand how their specific silo operates in relation to critical systems.

Triaging BizDevSecOps problems using segmentation

Equipped with data that offers insight into the user experience, organizations are better prepared to triage potential problems using PurePath distributed traces. This starts with segmentation. “You can segment by user session,” Chandler said. “This lets you jump right into triage. You can get an overview of the individual user—from what ISP they’re using, to where they’re connecting, to their screen resolution.” These are all metrics Dynatrace collects directly out of the box. Organizations can also drill deeper to discover what’s happening on the server side. “Dynatrace PurePath can trace hop to hop what went on in a user interaction to give a highly sophisticated root-cause analysis,” Chandler noted. “All of this data can be bubbled up to a unified dashboard.” Users can then connect this dashboard data with underlying technical data, such as service-level agreement metrics.

Managing BizDevSecOps incidents quickly and effectively

With problems triaged and root causes identified, BizDevSecOps teams are ready for incident management. For Renders, the key to incident management is the ability to connect cause and effect: identifying what’s going wrong, why it’s going wrong, and where it started. In modern IT environments, however, creating these connections isn’t easy. Where organizations used to have a half dozen legacy applications running on premises, they now have hundreds of local and cloud-based applications pulling data from different sources simultaneously. This creates complexity. While the direct effects of IT problems are obvious, the sources are often obscured. “When something goes wrong, you want to get to a solution as quickly as possible,” Renders said. “Dynatrace will tell you that something is wrong and what is wrong. We can connect the root cause to the process owner.”

Deploying secure, well-architected applications

While many BizDevSecOps use cases center around identifying issues and mitigating their effect, Dynatrace can also help organizations ensure that application design, delivery, and deployment align with industry best practices, such as the six pillars of the AWS Well-Architected Framework. “We can actually go and look at leveraging security information to stop badly performing apps from being released,” Renders noted. “Then, we can ask Dynatrace if an app is adhering to development pillars. We can go into our workflows and map out a well-architected application.” For example, when a new app build is deployed and automated tests are executed, the outcome may trigger a quality gate. Dynatrace then performs automated quality validation through SLOs that either pass or fail the application and provide feedback to developers.

Unified observability is key to BizDevSecOps progress

From user experience to triage, incident management, and DevSecOps, Dynatrace delivers a unified observability and security platform that combines advanced AI and automation capabilities. The unified observability and security platform presents data in intuitive, user-friendly ways. This enables teams to gather and analyze data, while reducing mean time to repair and improving the performance and availability of applications. To learn more about how Dynatrace enables BizDevSecOps use cases, view the Perform session, “Top use cases for Biz, Dev, Sec, and Ops teams to get started with Dynatrace.” And for more information on news and insights from Perform, check out our guide.

The post The benefits of unified observability and security for BizDevSecOps use cases appeared first on Dynatrace news.
-
Welcome to another insightful discussion on CloudTweaks. Today, we have the privilege of delving into the dynamic intersection of DevOps, Security, and Tokenization with a seasoned expert in the field, Jeremy Smillie. With over 17 years of IT experience, Jeremy acts as VP of DevSecOps for Exact Payments and is an expert in managing strict industry […]
-
There are many benefits to implementing DevSecOps: minimized risk, reduced remediation costs, and faster and more secure product releases. But from a developer’s perspective, there’s a lot to be desired from the day-to-day practice. Developers often experience fragmented tool integration and are forced to take on additional responsibilities that can make the software development lifecycle (SDLC) seem more complex and overwhelming. They can also face development delays while working to understand, prioritize, and resolve different kinds of security alerts. Evaluating and improving DevSecOps to make security a painless part of the current developer workflow is imperative to secure, fast delivery. Below, we’ll look at five tips for improving the experience and making security tools more usable for developers.

But first, what is DevSecOps?

The “Sec” in DevSecOps stands for security, and its addition to DevOps promotes security as a core component of the SDLC. The DevSecOps approach to software development puts the responsibility of security on everyone at an organization (as opposed to just the security team) by integrating security at the start of code production—or better yet, during the planning phase before the first line of code is written. This way, organizations can catch and fix vulnerabilities in the development process rather than in production or after release. The result: security teams can use their expertise to set security policies, prioritize remediation focus areas, and foster the right behaviors and security teachings across the organization. Meanwhile, developers can interact with security tools, and are the first line of defense in reviewing, understanding, and remediating vulnerabilities. DevSecOps advantages include shipping secure software more quickly and reaping cost-saving benefits. In fact, IBM’s 2023 Cost of a Data Breach report cites a $1.68M cost savings for organizations with high DevSecOps adoption compared to those with low or no adoption.

Check out our full guide to DevSecOps >

5 tips for improving the DevSecOps experience

Improving the DevSecOps experience was top-of-mind for many speakers at GitHub Universe 2023. To catch you up, we pulled together the top five tips shared across various talks and interviews at the event.

1. Involve developers in security decisions

The more developers are involved in creating a security process and making policy decisions, the smoother the collaboration will be between engineering and security teams. So, before you purchase a new tool or change a policy, invite a developer champion into the conversation and ask for their feedback. Here are some questions to get the conversation started:

What security practices and tools are currently in place? Understanding what’s in use will help identify areas that need improvement.
Do you find current security practices or tools help or hinder your workflow? How? Reducing friction in the DevSecOps pipeline can improve productivity.
What security tools or practices would you recommend? Why? Developers may have fresh perspectives to offer on technologies or approaches.
How comfortable are you integrating security into your work? This could help to identify gaps in training and support.
Are there any specific security measures you feel are redundant or unnecessary in your workflow? This could reveal practices that consume resources without providing substantial benefits.
Do you have sufficient communication and collaboration with the security team? Evaluating cross-team interactions can help to create a more collaborative culture.

2. Adapt security features to the developer environment

It’s important to acknowledge that many security tools are built for security professionals, and can create friction when bolted onto a developer’s workflow. When trying to integrate a security tool into the SDLC, it can be more effective to extract the desired data from the security tool and natively integrate it into the developer’s workflow—or, even better, use a security tool where the data is already directly embedded into the developer’s flow. Doing so reduces context switching and ultimately helps developers to detect and remediate vulnerabilities earlier.

In 2019, we acquired Dependabot and Semmle, which developed CodeQL. While Dependabot was designed for developers, CodeQL was designed for security experts, which we knew would be a barrier to entry for developers. So, we went to work optimizing CodeQL for developers, incorporating its functionalities directly into their workflow. Today, developers don’t have to install or set up these tools separately. They can enable Dependabot alerts from repository settings. Once enabled, alerts go out if an outdated or vulnerable dependency needs to be updated, along with critical details about the vulnerabilities—all in a pull request. Developers can also enable code scanning through CodeQL from repository settings. Doing so will notify them about new and current static analysis alerts in their code.

Niroshan Rajadurai, senior director of GTM strategy for AI and DevSecOps, and I discuss the importance of designing security tools for developers in the age of shifting left:
https://github.blog/wp-content/uploads/2024/01/GH_Blog_NickLiffen_NiroshanRajadurai_Excerpt_1920x1080_Caps_L3rds.mp4

Another way to reduce context switching and cognitive load is implementing AI tools, like GitHub Copilot. We’ll talk more about AI security capabilities below, but let’s first focus on how they can create a smoother DevSecOps experience within the IDE. When developers receive a security alert, they can use a tool like GitHub Copilot Chat directly in their IDE instead of having to navigate to another website to research what the alert is, and how to fix it. Beyond understanding the theory behind the alert, developers can prompt Copilot Chat to create examples of how to fix that vulnerability tailored to the code in their IDE. As a result, they get a practical, hands-on learning experience that shows how the vulnerability manifests in real code.

Joseph Katsioloudes, a developer advocate for GitHub Security Lab, shares how AI can reduce cognitive load for a developer who’s been notified about a secret injection:

3. Maintain a developer’s trust in a security tool with an effective alert system

Bringing security into the development process ensures that remediating alerts becomes native to the developer’s workflow. However, developers still need to know what alerts to remediate and by when. Simply asking developers to remediate all alerts is untenable and unrealistic. When developers are shown a long PDF of 500+ alerts that they’re assigned to review and fix (a pain point I’ve written about before), it’s probable that many of the alerts are false positives and only a portion are worth addressing. Why does this matter? For one, the developer has lost valuable time reviewing all of these alerts. Second, as the tool continues to produce these laundry lists, the developer will lose trust in the tool. That could result in the developer skimming past critical alerts because of low confidence in the tool’s data.

A security tool that’s effectively integrated into the SDLC has an alert system that surfaces high-priority alerts directly to the developer. For instance, alert settings based on custom and automated triage rules ensure engineering teams address the most urgent security alerts first. Being able to filter and search code scanning alerts helps developers to sift through a large set of alerts to focus on a particular type. And providing the ability to dismiss an alert—either by fixing or closing it—will reduce noise by stopping the tool from repeatedly generating the same alert on the same code. Combined with processes to address a percentage of critical and high-risk vulnerabilities over a period of time, an effective security alert system helps developers prioritize high-risk alerts and helps to clean an organization’s security debt, that is, the vulnerabilities that accumulate over time and therefore become harder and more costly to fix.

John Swanson, director of security strategy at GitHub, shares how new technology is creating developer-first security processes that enable developers to fix vulnerabilities earlier in the SDLC:
https://github.blog/wp-content/uploads/2024/01/GH_Blog_JohnSwanson_Excerpt_1920x1080_Caps_L3rds.mp4

4. Use AI and automation to help developers find and fix vulnerabilities

Limited resources, rapid threat evolution, noisy false positive alerts, and the increasing complexity of systems—along with the continued use of legacy systems—can make it challenging to stay on top of the latest and most urgent vulnerabilities. But here’s some good news: AI and automation can help reduce false positives, enable developers to conduct consistent security checks, and scale security practices all at once. For instance, a feature like code scanning autofix streamlines remediation into the developer workflow by providing, alongside a vulnerability alert, an AI-generated code fix for CodeQL JavaScript and TypeScript in a pull request. Additionally, secret scanning alerts developers if any secrets have been detected in code. This capability can be coupled with AI to detect generic or unstructured secrets and auto-generate custom patterns, which will detect token types unique to an organization.

Additionally, AI has the potential to enhance the modeling of an extensive range of open source frameworks and libraries. Security teams traditionally model thousands of packages and APIs by hand. Considering the sheer number and diversity of packages, along with frequent library updates, deprecations, or replacements, it’s a daunting task to keep abreast of these changes and scale this modeling capability efficiently. That’s where AI comes in. As the proportion of these frameworks that are accurately modeled increases, the likelihood of diminishing false negatives also rises due to a better understanding of data flow within these systems. By turbocharging modeling efforts with AI, security experts can detect more vulnerabilities. In fact, GitHub’s CodeQL team used AI modeling to discover a new security vulnerability. Although this technology is still in the experimental phase at GitHub, we offered a glimpse into its potential during GitHub Universe 2023.

Rajadurai and I show how AI can address pressing security challenges, like modeling unknown packages, which could ultimately reduce the number of false positives:

Other automation capabilities include:

Branch protection rules that trigger code reviews when changes are made to important branches.
Status checks that require code to pass all security checks before it’s merged.
Code scans in CI/CD pipelines with GitHub Actions.

John Ruiz, security operations engineer at GitHub, emphasizes the importance of improving, then automating, basic security processes so developers can focus on what they do best, which is building great software:
https://github.blog/wp-content/uploads/2024/01/GH_Blog_JohnRuiz_Excerpt_1920x1080_Caps_L3rds.mp4

5. Create clear expectations around secure coding practices, and communicate them through champions

A big part of improving the DevSecOps experience is not introducing more tooling, but getting clear on the process and expectations of how developers should use the tools they already have. Clear communication about policies ensures an organized and consistent approach to implementing security throughout the SDLC. Organizations should work with vendors to create guides for how to use a new tool or product, then select security champions to echo these expectations across engineering teams. Some principles that guide GitHub’s Product Security Engineering team when evaluating tools and designing a rollout plan include:

Weighing the security benefits of a new process against the impact on engineering teams.
How we can roll out a new process or tool incrementally and gather feedback.
Getting clear on expectations for engineers and prioritizing clear communication of those expectations.

Clear expectations for secure coding practices help to eliminate ambiguity and increase security consciousness among developers. Selecting champions who can clearly communicate those expectations can help to model desired behavior and drive a DevSecOps culture across the organization. As a result, secure coding standards are more likely to be understood and consistently implemented by developers, which enables organizations to quickly deliver more secure software.

Continuously improving DevSecOps

As developers embrace more security responsibility under the DevSecOps and shift-left models, evaluating and improving their user experience needs to be a priority. Organizations that invest in understanding a developer’s DevSecOps pain points and iterating solutions to address them will see improved collaboration between engineering and security teams and faster delivery of more secure code.

More DevSecOps resources

Learn from security leaders about creating a safe but flexible developer experience, innovating faster by automating governance, securing the software supply chain with proven practices, and more. Check out our comprehensive guide to DevSecOps.
Security training can be gamified to increase retention. A free interactive training resource, like Secure Code Game, teaches developers how to spot and fix vulnerable patterns in real-world code, build security into workflows, and understand security alerts generated against code.
Read more about why making security tools usable for IT professionals is critical to securing the software supply chain.

The post 5 ways to make your DevSecOps strategy developer-friendly appeared first on The GitHub Blog.
-
Despite years of discussing DevSecOps, achieving security and development collaboration remains an uphill battle in most organizations. This article explores why real-world DevSecOps adoption lags behind expectations, common barriers faced, and how the Stream Security platform bridges visibility and policy gaps to foster joint ownership between siloed teams, finally working from a "single source of truth." The Slow March of DevSecOps Evolution While the concept of DevSecOps has been discussed for years as a best practice for integrating security into development lifecycles, actual adoption has been gradual at best. As Or Shoshani, CEO of cloud security provider Stream Security, explains, "In most of the organizations that we have been working with and exposed to, the SecOps and DevOps are still being separated into two different groups."
-
At KubeCon NA 2023, Alan Shimel talks with David DeSanto from GitLab about the potential for generative AI in DevSecOps.
-
This is an article from DZone's 2023 Enterprise Security Trend Report. DevSecOps — a fusion of development, security, and operations — emerged as a response to the challenges of traditional software development methodologies, particularly the siloed nature of development and security teams. This separation often led to security vulnerabilities being discovered late in the development cycle, resulting in costly delays and rework. DevSecOps aims to break down these silos by integrating security practices into the entire software development lifecycle (SDLC), from planning and coding to deployment and monitoring.
-
Security is critical in all phases of software development, including conception, creation, and release. DevSecOps is a practice that has grown in popularity as a means of assuring the security of a web application or software product. According to the AWS homepage, "DevSecOps is the practice of integrating security testing into every stage of the software development process. It consists of tools and methods that promote collaboration among developers, security experts, and operational teams in order to create software that is both efficient and secure. DevSecOps brings a cultural shift that makes security a shared responsibility for all software developers."
-
In this article, we will delve into the crucial concept of an internal DevSecOps platform (IDSP) and why businesses need it. The traditional approach of treating security as an afterthought or as a separate stage in the software development lifecycle is no longer defensible in an age where data breaches, cyberattacks, and compliance concerns loom large. An IDSP is a bridge that brings together development, security, and operations where security is not just an end goal but an ongoing, integral part of the entire software development journey.
-
Optimizing the software development cycle is becoming increasingly crucial as the world relies more on digital solutions. Rapidly digitizing industries like manufacturing need reliable, feature-rich, and secure platforms, but conventional dev practices can’t always meet these needs. DevSecOps could be the answer. DevSecOps combines development, operations, and security workflows instead of having these teams work one after another in silos. Testing, collaboration, and security tweaks are constants throughout the process instead of the last steps. As a result, this workflow provides the agility and safety manufacturing operations need.
-
About DevSecCon London is a leading event in the world of DevSecOps. Experts and enthusiasts gather to explore the latest trends and innovations. Sessions include risk-driven security and the importance of security within DevOps. Join the community for an engaging and enlightening experience. Details https://10times.com/devsecops-conference
-