Hands-On: A Great Way to End #DOES18
This year’s DevOps Enterprise Summit in Vegas was awesome! It’s amazing to see the conference grow each year. This year was no exception, with about 2000 attendees. Gene Kim opened the event with a definition of DevOps (taken from Jonathan Smart, Barclays): “Better Value Faster, Safer, Happier”, and ‘safer’ is becoming more and more key. That’s why Electric Cloud teamed up with Sonatype to host a hands-on DevSecOps workshop with John Willis the day after #DOES18. What better way to end the conference than spending time with over 20 DevOps practitioners learning how to deliver safer software faster?
The mantra for DevSecOps is “You Build It, You Secure It”, and that was the theme for the workshop, which we held at the Bellagio the Thursday following DevOps Enterprise Summit from 9AM to 4PM.
The workshop started with a great overview of DevSecOps by John Willis. John’s practical and grounded perspective on DevOps is refreshing. He emphasized that not only is software eating the world, it’s infecting the world. Integrating security into the software delivery pipeline as well as integrating security teams in the DevOps process is critical to delivering value to customers faster.
In a recent DevSecOps webinar that John Willis hosted with Electric Cloud (listen here) he says,
“You have to put your metadata, policy, and automation in the delivery chain. We want the security folks… to give us more gates. We start to create security hygiene in the way we deliver software.”
Diving into DevSecOps
After learning from John Willis and sharing our DevOps stories over a nice lunch, we dove into the hands-on portion of the workshop. During this time we gave workshop attendees the experience of building a vulnerable Java J2EE Struts application and then securing the vulnerability in their own CI/CD pipeline. We used the same vulnerability that led to the 2017 Equifax breach, CVE-2017-5638. This vulnerability is found in certain versions of the open source Apache Struts web framework, widely used by common tools like Jenkins.
Workshop participants created their own sample Struts based J2EE web application and connected it to a CI/CD pipeline running on Electric Cloud ElectricFlow. The CI/CD pipeline used Jenkins to build the app, then ran the application through the common pipeline stages, deploying the application to QA, Stage, and Production environments.
From here, students configured each of their release pipelines to trigger a security scan on Sonatype’s Nexus IQ server. Using automated gating in ElectricFlow, they were able to detect the vulnerability in the early stages of the pipeline, so that teams would be aware of it without slowing the pipeline down. Then, at the Staging to Production stage, students set a hard gate that would prevent deployment to production if any critical vulnerabilities were detected. Students had a lively discussion about how to handle security vulnerabilities early in the pipeline – some preferring to continue the pipeline, others to shut it down, others to generate a warning and notify the appropriate stakeholders.
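The stage-dependent gating the students built (a soft gate that warns early, a hard gate before Production) can be expressed as a small policy function. This is an added illustration, not ElectricFlow or Nexus IQ code; the severity scale, the findings format and the component names are constructed for the example, and `notify` is a hypothetical stand-in for a real stakeholder notification.

```python
# Stage-aware release gate: early stages warn and keep moving, the Production
# promotion blocks on critical findings. Constructed example, not product code.
from dataclasses import dataclass

# Constructed severity scale (not a scanner's own levels).
SEVERITY_RANK = {"low": 1, "moderate": 2, "severe": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    component: str   # component the scanner flagged
    severity: str    # one of SEVERITY_RANK
    advisory: str    # advisory identifier reported by the scanner


# Per-stage policy: "warn" lets the pipeline continue but surfaces the findings,
# "block" is the hard gate that stops promotion into that stage.
STAGE_POLICY = {
    "qa": {"action": "warn", "threshold": "moderate"},
    "stage": {"action": "warn", "threshold": "moderate"},
    "production": {"action": "block", "threshold": "critical"},
}


def evaluate_gate(stage, findings, policy=STAGE_POLICY):
    """Return (decision, offending findings) for promoting into `stage`."""
    rule = policy[stage.lower()]
    floor = SEVERITY_RANK[rule["threshold"]]
    hits = [f for f in findings if SEVERITY_RANK[f.severity] >= floor]
    if not hits:
        return "proceed", []
    return rule["action"], hits


def notify(stage, hits):
    """Hypothetical stakeholder notification: builds the message text only."""
    return "\n".join(
        f"[{stage}] {f.advisory} in {f.component} ({f.severity})" for f in hits
    )


# Constructed scan result: the Struts 2 dependency flagged with the Equifax CVE
# alongside a harmless low-severity finding that should not trip any gate.
SAMPLE_FINDINGS = [
    Finding("org.apache.struts:struts2-core", "critical", "CVE-2017-5638"),
    Finding("example-util-lib", "low", "EXAMPLE-LOW-0001"),
]

if __name__ == "__main__":
    for stage in ("qa", "stage", "production"):
        decision, hits = evaluate_gate(stage, SAMPLE_FINDINGS)
        print(f"{stage}: {decision}")
        if hits:
            print(notify(stage, hits))
```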
Having secured the threat, Sonatype spent some time walking students through the details of the threat report. It’s always a huge reality check to see how many downloads of a vulnerable library occur even *after* that vulnerability has been detected. The Struts 2 vulnerability that led to the Equifax breach is no exception.
Hacker for a Day
After building a vulnerable application and securing it in their own CI/CD pipeline, students became “hackers for a day” and learned some of the basic approaches a malicious hacker might use to exploit a vulnerability like the Struts 2 one. Here, students installed Docker on their laptops, deployed their Struts 2 based web applications, and used a simple exploit tool that leveraged common tools like nmap, skipfish, and Metasploit to hack into their J2EE based web application.
Here’s what it looked like when I hacked my own laptop, running a vulnerable J2EE web app on port 8080. Running a ‘whoami’ command and getting ‘root’ – that should scare you!
We had a great time getting hands-on experience with the reality of how security vulnerabilities threaten our ability to innovate and deliver value to customers. Hearing a talk is one thing; doing it yourself is another. If you have good tools in place and a flexible platform for creating release pipelines, you’ll be well prepared to incorporate security into your overall DevOps process.
If you’d like more technical details on the workshop, take a look at the blog post for the workshop we ran in London after DOESUK. To hear John Willis and Electric Cloud’s CTO Anders Wallgren discuss DevSecOps in depth – check out our recent DevSecOps webinar.