OWASP DevSecOps Guideline - v-0.2
Infrastructure Vulnerability Scanning
DevOps does a great job in automating the development and deployment process, but since all moving parts (containers, libraries etc.) are being updated frequently, it is imperative to make sure the infrastructure where you deploy your code is safe.
The best way to do that is to incorporate vulnerability scanning into your pipeline.
A vulnerability scanner is a program designed to assess computers, networks or applications for known weaknesses. Scanners identify vulnerabilities arising from misconfigurations or flawed software in network-based assets such as firewalls, routers, web servers, application servers, etc. Modern vulnerability scanners support both authenticated and unauthenticated scans, and are typically available as SaaS (Software as a Service), provided over the internet and delivered as a web application. They usually allow vulnerability reports to be customized, and expose host information such as installed software, open ports and certificates that can be queried as part of the scanning workflow.
- Authenticated scans allow the scanner to access network-based assets directly over remote administrative protocols such as Secure Shell (SSH) or Remote Desktop Protocol (RDP), authenticating with provided system credentials. This gives the scanner access to low-level data, such as the specific services and configuration details of the host operating system, so it can report detailed and accurate information about the operating system and installed software, including configuration issues and missing security patches.
- Unauthenticated scans can produce a high number of false positives and cannot provide detailed information about the asset's operating system and installed software. This method is typically used by threat actors or by security analysts trying to determine the security posture of externally accessible assets.
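The way a scanner's output is usually wired into a pipeline is as a gate: the job runs the scan, parses the report, and fails the build when a finding at or above an agreed severity is present and has not been formally accepted. The script below is an added example written for this guideline, not code from the OWASP project or from any scanner vendor. It assumes a report in the shape of a Nessus `.nessus` v2 export (`ReportHost` / `ReportItem` elements with a numeric `severity` attribute from 0 to 4); the embedded report, its host, plugin IDs and plugin names are constructed sample data. The gating logic itself is generic and would apply to any scanner whose report can be reduced to (host, port, severity, identifier) tuples.

```python
"""CI gate for an infrastructure vulnerability scan report (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample report. The layout follows the .nessus v2 export format
# (assumption); host, plugin IDs and plugin names are made up for the example.
SAMPLE_REPORT = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="ci-scan">
    <ReportHost name="10.0.0.5">
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
                  pluginID="1001" pluginName="Service banner (constructed)">
        <plugin_output>example banner</plugin_output>
      </ReportItem>
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="2"
                  pluginID="1002" pluginName="Untrusted TLS certificate (constructed)">
        <solution>Deploy a certificate issued by a trusted CA.</solution>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="4"
                  pluginID="1003" pluginName="Missing OS security patch (constructed)">
        <solution>Apply the vendor patch and reboot if required.</solution>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Numeric severity as used in the ReportItem attribute, mapped to a label.
SEVERITY_NAMES = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}


@dataclass(frozen=True)
class Finding:
    host: str
    port: str
    protocol: str
    severity: int
    plugin_id: str
    name: str
    solution: str


def parse_nessus(xml_text: str) -> list[Finding]:
    """Flatten every ReportItem in the report into a Finding."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        hostname = host.get("name", "?")
        for item in host.iter("ReportItem"):
            findings.append(Finding(
                host=hostname,
                port=item.get("port", "0"),
                protocol=item.get("protocol", ""),
                severity=int(item.get("severity", "0")),
                plugin_id=item.get("pluginID", ""),
                name=item.get("pluginName", ""),
                solution=(item.findtext("solution") or "").strip(),
            ))
    return findings


def gate(findings: list[Finding], fail_at: int = 3,
         accepted: frozenset[str] = frozenset()) -> list[Finding]:
    """Return the findings that should block the pipeline.

    A finding blocks when its severity is at or above `fail_at` and its
    plugin ID is not on the accepted-risk list (exceptions recorded out of
    band, e.g. a risk acceptance with an expiry date).
    """
    return [f for f in findings
            if f.severity >= fail_at and f.plugin_id not in accepted]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity label for the job log."""
    counts = {label: 0 for label in SEVERITY_NAMES.values()}
    for f in findings:
        counts[SEVERITY_NAMES.get(f.severity, "info")] += 1
    return counts


def main() -> None:
    findings = parse_nessus(SAMPLE_REPORT)
    print("scan summary:", summarize(findings))
    blocking = gate(findings, fail_at=3)
    for f in blocking:
        print(f"BLOCKING {SEVERITY_NAMES[f.severity]}: {f.host}:{f.port}/{f.protocol} "
              f"{f.name} (plugin {f.plugin_id}) -> {f.solution}")
    # Non-zero exit status is what makes the CI stage fail.
    raise SystemExit(1 if blocking else 0)


if __name__ == "__main__":
    main()
```

Two points worth carrying into a real pipeline: the report comes from a tool that scanned hosts you may not fully trust, so parse it as untrusted input (`defusedxml` is the usual drop-in for the standard library parser), and keep the accepted-risk list in version control with an owner and an expiry so that exceptions do not silently become permanent.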
Tools
- SAINT (Security Administrator’s Integrated Network Tool) is computer software used for scanning computer networks for security vulnerabilities, and exploiting found vulnerabilities.
- Nessus scans cover a wide range of technologies including operating systems, network devices, hypervisors, databases, web servers, and critical infrastructure.
- Arachni is a Web Application Security Scanner Framework that can be used to scan for vulnerabilities such as XSS, SQL Injection, NoSQL Injection, Code Injection, File Inclusion variants, etc.
- Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.
- Nexpose is one of the main vulnerability assessment tools; it provides a simple, useful dashboard and, like most of the tools listed here, supports a wide range of compliance reporting, including PCI compliance.
- Nikto is a free software command-line vulnerability scanner that scans webservers for dangerous files/CGIs, outdated server software and other problems.