►
Description
For more Continuous Delivery Foundation content, check out our blog: https://cd.foundation/blog/
Security as Code: A DevSecOps Approach - Joseph Katsioloudes, GitHub
Virtual Track
Speakers: Joseph Katsioloudes
Security as Code (SaC) is the methodology of codifying security tests, scans and policies. Security is implemented directly into the CI/CD pipeline to automatically and continuously detect security issues. Adopting SaC tightly couples application development with security and vulnerability management, while enabling developers to focus on functionality. More importantly, it improves the collaboration between Development and Security teams and helps nurture a culture of security across the organization. In this session, we will review lessons learned from DevOps to implement a successful DevSecOps culture, i.e how we can make developers contribute security checks with the SaC approach. We will introduce CodeQL, a language that allows security checks with code, and will demo how we can code queries for vulnerabilities so they can be identified as soon as they hit your CI/CD pipeline.
A
My
part
in
that
mission
is
to
make
security
easy
for
developers,
and
this
is
why
I'm
here
today
to
use
those
30
minutes
to
give
you
the
super
power
of
securing
your
code
like
nasa
did
well.
This
is
not
a
science
fiction
or
a
netflix
scenario.
10
years
ago,
when
nasa's
curiosity
was
landing.
On
the
surface
of
mars,
nasa
engineers
performed
a
code
review
mid-flight.
A
A
This
means
that
the
looping
lines,
two
and
three
will
read
the
correct
memory,
coordinates
just
for
the
first
three
elements,
but
then
it
will
go
out
of
bounds
leading
to
random
behavior.
The
nasa
team
found
out
that
this
course
would
prevent
the
parachute
opening
during
the
landing
phase
and
lead
to
the
crash
of
the
curiosity
rover.
A
A
What
we
call
a
variant
is
another
occurrence
of
the
same
back
pattern
at
another
place
in
the
code
and
they
found
30
other
variants.
They
analyzed
that
some
of
those
would
also
result
in
catastrophic
consequences,
such
as
the
crash
of
the
robber
they
fixed.
All
the
variants
and
curiosity
was
able
to
land
safely
on
the
surface
of
mars
of
mars.
A
If
we
now
see
the
bigger
picture
and
compare
this
scenario
of
fixing
it
back
mid
flight
to
that
of
fixing
a
bug
in
production,
then
I'm
sure
you
will
agree
that
it
is
very
late
in
the
process
of
software
development
life
cycle
last
year,
nasa
send
another
rover
to
mars,
but
what
they
have.
But
what
have
they
done
differently?
A
Codeq
is
free
for
open
source
and
you
can
benefit
from
the
continuously
growing
query
set
contributed
by
github
by
the
community
and
by
top
security
teams
like
nasa's.
That's
already
nice
as
you
can
consume
the
worst,
the
worst
security
knowledge
to
secure
your
code.
But
in
today's
presentation
I
will
show
you
how
you
can
not
only
consume
but
be
an
actor
in
your
use
of
codeql.
A
A
One
of
the
main
levels
of
devops
adoption
was
the
introduction
of
infrastructure
as
code
where
developers
use
code
for
setting
up
their
own
infra
without
the
need
to
open
tickets
to
operations
teams
the
fact
that
developers
were
writing
code,
empowered
them
with
further
benefits
such
as
reading
contributing
and
understanding
what
they
were
doing
same
for
the
world
of
testing
in
the
pre-agile
days,
developers
and
testers
belong
to
two
separate
teams.
Qa
will
find
the
box
and
report
them
back
to
devs.
A
This
sharing
helps
developers,
read,
understand
and
contribute
to
the
code,
which
facilitates
a
security.
Culture
therefore
think
about
security
becoming
a
seamless
observer
of
the
day-to-day
devops
that
doesn't
intervene
or
affect
devops
speed
security
as
code
will
be
integrated
and
automated
to
the
pipelines
so
that
every
time
a
security
related
violation
exists,
actionable
feedback
will
be
generated
by
the
way
you
hear
more
and
more
people
talking
about
their
segues
nowadays
right.
A
The
vulnerability
covered
by
our
demo
is
an
sql
injection
or
sql
injection.
It
depends
where
you're
from-
and
I
just
want
to
introduce
it
here,
for
those
that
might
not
have
might
not
be
familiar
with
it
as
per
the
minimum
screen.
This
happens
when
a
user
is
able
to
execute
arbitrary
queries
on
a
database
using
sql.
A
A
This
is
a
very
simple
example,
but
in
real
life
user
input
flows
in
different
places
of
your
code
base
through
files
and
functions
before
reaching
the
sql
execution
in
our
demo.
We
will
build
a
query
that
automatically
finds
sql
injections
in
those
complex
scenarios
just
before
the
demo.
Let's
define
two
important
concepts
for
our
data
flow.
Query
sources
and
syncs
sources
are
places
in
the
program
that
receive
untrusted
user
input.
A
A
The
question
we
need
to
ask
is
a
data
flow
one.
Does
this
untrusted
data
ever
flow
to
the
point
of
executing
a
potentially
vulnerable
action?
We
can
answer
this
question
by
identifying
all
paths
from
sources
to
things
by
using
codeql
notice
that
code12
allows
users
to
query
code
in
general,
not
necessarily
for
vulnerabilities.
A
You
can
use
it
for
any
type
of
box
or
just
to
explore
your
code.
We
try
to
make
these
queries.
Generic
to
find
variants
of
vulnerabilities
like
nasa
did
and
the
biggest
benefit
you
get
is
that
you
will
not
be
able
to
codify
your
knowledge
of
a
whole
security
back
pattern
in
an
expressive
query.
Language
culture
is
declarative
and
logical.
A
A
A
A
A
This
is
because
there
is
no
sanitization
happening
with
the
username
and
password
variable
being
able
to
maliciously
alter
our
database
like
we've
seen
in
our
meme
and
where
this
is
happening
is
in
line
147,
where
we
have
the
raw
query
method,
accepting
a
query.
So
in
that
line,
the
first
argument
is
essentially
our
sql
execution.
A
A
Every
declaration
in
the
from
clause
has
a
variable
type
like
method
access
here,
and
a
variable
name
like
call
here
while
select
specifies
what
the
result
should
be
by
referring
to
the
variables
above
as
per
hour,
scale
injection
explanation.
We
need
to
arrive
at
those
methods
or
functions
in
the
vulnerable
code
base
that
receive
user
input.
How
do
we
do
this?
We
first
need
to
start
by
getting
the
set
of
all
methods
in
the
program
and
then
filter
only
those
that
receive
user
input
in
the
cultural
java
library
to
find
method
invocations.
A
We
can
use
the
type
method
access
in
line
3,
and
then
we
can
use
a
variable
that
I
called
call
here.
You
can
use
any
variable
name
and
if
we
run
that
we
are
expecting
codequil
to
provide
us
with
all
method
invocations
in
the
program.
So
if
I
click
here,
for
example,
we
have
the
make
text
function
being
called,
and
if
I
click
here,
we
can
see
where
the
show
function
is
being
called.
But
the
problem
is
that
these
are
all
the
functions.
We
just
need
to
arrive
to
those
that
receive
user
input.
A
A
I'm
going
to
use
my
variable
from
above
and
the
function
called
get
argument.
Sorry
get
method,
because
we
are
looking
for
methods
followed
by
has
qualified
name
in
order
to
have
the
specific
method
that
I'm
looking
for.
Look
how
I'm
making
use
of
the
autocompletion
and
how
the
inline
dock
helps
me
to
find
the
right
method.
A
In
order
for
me
to
be
productive
and
use
code
12.
inside
the
where
clause,
we
can
also
see
the
object,
oriented
nature
of
code
ql,
because
get
method
is
an
operation
provided
by
the
type
method
axis
which,
through
chaining,
provides
further
options,
for
example,
to
look
for
a
function
with
a
specific
name,
and
this
is
another
feature
that
cultural
brings
on
top
of
sql,
which
is
expressivity
with
chaining.
A
So
if
we
run
this,
we
arrive
at
the
instances
of
get
text
in
our
code
base.
So
far,
what
you
see
is
like
a
grep
command.
F
control,
f,
but
the
true
power
of
ql
is
gonna,
be
visible
in
here
in
the
data
flow.
So
let's
continue
towards
that.
Let's
now
move
to
syncs
to
find
things.
We
can
use
the
same
strategy
with
the
difference
being
that
we
are
looking
for
a
different
method
in
a
different
package
like
we
do
in
line
four,
as
we
saw
raw
query
takes
two
arguments.
A
A
A
Luckily,
the
language
comes
with
a
rich
set
of
standard
libraries
that
have
ready-made
templates.
We
just
have
to
fill
like
the
one
in
front
of
us
on
top
of
the
file.
We
have
some
metadata
that
will
help
coach
ul
to
understand
what
we
are
trying
to
do
ignore
them.
For
now,
we
then
imported
the
10-tracking
library,
which
is
a
template,
configuration
to
try
to
track
untrusted
user
input,
followed
by
the
data
flow
path,
graph
library,
which
is
all
about
the
visualization
of
results.
A
At
the
end,
we
are
defining
a
class
here
on
line
11
to
help
us
out
as
a
10
tracking
configuration
is
a
boilerplate,
so
this
class
is
extending
something
to
help
ourselves
with
inheritance,
composition
and
the
expressiveness
of
the
language,
and
this
is
actually
an
example
of
how
users
can
benefit
from
extensibility
and
through
classes.
The
expressiveness
of
a
language
is
highlighted.
A
A
A
A
A
We
know
that
we
have
untrusted
user
input
entering
our
code
base
and
we
know
that
when
untrusted
user
input
enters
our
code
base,
there's
the
potential
of
that
to
be
malicious,
so
that
was
the
source.
Let's
continue
with
the
thing,
with
the
exact
same
strategy,
there
exists
a
medical
such
that,
so
this
becomes
so
that
when
raw
query
is
called
with
an
argument
in
index
0,
you
know
that
you
have
the
sync:
let's
copy
and
paste
again.
A
So,
let's
analyze
what
this
says,
if
we
click
on
the
first
sql
injection
finding
we
have
two
pathways
to
explore
in
the
first
one.
We
know
that
we
have
the
username
type,
the
user
being
passed
to
the
code
base.
That
was
then
passed
into
the
login
method,
followed
by
the
definition
of
the
login
method
before
being
executed
in
the
database.