DEV Community

Cover image for 🚀 DevSecOps ⚙️: "Implementing OWASP Scanning on Maven Packages in AWS CodePipeline"💭

🚀 DevSecOps ⚙️: "Implementing OWASP Scanning on Maven Packages in AWS CodePipeline"💭

Hello There!!!
Called Sarvar, I am an Enterprise Architect, Currently working at Deloitte. With years of experience working on cutting-edge technologies, I have honed my expertise in Cloud Operations (Azure and AWS), Data Operations, Data Analytics, and DevOps. Throughout my career, I’ve worked with clients from all around the world, delivering excellent results, and going above and beyond expectations. I am passionate about learning the latest and treading technologies.

I hope today is going well for everyone! As you might guess from the article's title, we are currently looking at OWASP, a DevSecOps tool. Since our customer is from the finance domain, our client insisted on having DevSecOps technologies implemented at every level of CICD process while I was working as an enterprise architect. The client requested that he perform and investigate whether any maven dependency that are pulled from the outside of the internet have vulnerabilities. We have a number of Enterprise and open source products available on the market that are specifically tailored to this requirement, but we have chosen to use an open source tool. After doing some research and analysis, we have chosen OWASP since it has many capabilities and quick scanning options. We will quickly explore what OWAPS is and begin exploring how we use the OWASP tool in Amazon CodePipeline.

What is OWASP?

The Open Web Application Security Project, or OWASP in short, is a nonprofit organization whose mission is to enhance software security. To assist enterprises in creating and maintaining safe web applications, OWASP offers freely accessible security-related resources such as guidelines, tools, and documentation. The OWASP Top Ten is a frequently updated list of the most significant threats to web application security and is one of OWASP's major contributions. Developers, security experts, and organizations can use this list as a useful tool to assist them prioritize their efforts in order to solve the most important security issues.

What we are doing in this Tutorial?

  1. I've Prepared a Sample Spring Boot Application on that Spring Boot application source code we will Perform OWASP Scanning.
  2. We will Integrate OWASP Plugin with Maven POM File. In the Amazon CodeBuild we will run OWASP Check.
  3. OWASP Plugin will Perform Scanning on Dependency Downloaded from the Maven Central Store.
  4. This OWASP will use NVD Database to perform Scanning on Maven Central Store Dependency.
  5. After the scanning is complete, I've set up a mechanism to save the report in zip format, naming it with the build ID, and putting it in an S3 bucket so you can audit it afterward. Please refer to the Buildspec file for this.

Let's See How we can utilize OWASP in Amazon CodePipeline:

We'll walk through the step-by-step process of integrating OWASP with Amazon CodePipeline; I'll do my best to keep things as straightforward as possible to avoid causing you any confusion.

Step 1: Source code
We are utilizing the basic Spring Boot application. The spring boot application and necessary files, including the Buildspec.yml and POM files, are included in this source code. This is the source code's GitHub URL. Please go to look at the source code.
GitHub Repo URL Link

Step 2: Source Code Validation
In this stage we are reviewing the source code, OWASP plugin integration with Maven and lastly we will see the OWASP Check Command.

  • Source Code Review: I've kept all the source code ready so you can use it in CodeBuild straight to see the desired outcomes. I strongly advise you to review the pom.xml and Buildspec files to see the OWASP check command and OWASP Plugin in pom.xml file.

Image description

  • OWASP Plugin Integration: I'll provide the plugin code below; all you have to do is copy it and paste it into the pom.xml file. within the pom.xml file There are several plugins included in the build. By pasting the code below into the plugins, OWASP will carry out the scanning. You can use latest version for latest update.


            <plugin>
                <groupId>org.owasp</groupId>
                <artifactId>dependency-check-maven</artifactId>
                <version>9.0.7</version>
                <executions>
                    <execution>
                        <goals>
                            <goal>check</goal>
                        </goals>
                    </execution>
                </executions>
                <configuration>
                    <!-- Specify the output directory for reports -->
                    <outputDirectory>${project.build.directory}/dependency-check-reports</outputDirectory>
                </configuration>
            </plugin>


Enter fullscreen mode Exit fullscreen mode
  • OWASP Scanning Command: You just follow below command to perform the OWASP Scanning before the preforming the Builds.


mvn clean install dependency-check:check


Enter fullscreen mode Exit fullscreen mode

Step 3: Build Stage
We will be using Amazon CodeBuild to prepare and execute the build during this phase. There are a few configurations you must make before starting build, and they are as follows:

  • Here is the Buildspec.yml File:


version: 0.2

phases:
  pre_build:
    commands:
      - echo "No Prebuild......"

  build:
    commands:
      - mvn clean install dependency-check:check
      - mv target/dependency-check-reports reports/
      - BUILD_NUMBER=$(echo $CODEBUILD_RESOLVED_SOURCE_VERSION | tr -d '[:alpha:]')
      - zip -r owasp-report-build-${BUILD_NUMBER}.zip reports/
      - mvn clean install

artifacts:
  files: owasp-report-build-*.zip


Enter fullscreen mode Exit fullscreen mode
  • Use Below Settings for Source Code Checkout from GitHub: Image description


https://github.com/simplynadaf/OWASP.git


Enter fullscreen mode Exit fullscreen mode
  • Use Below Environment for Build: Image description
  • Configure Artifacts for Storing OWASP Report: Image description

Step 4: Lets Perform Build & Check How OWASP Performing Check on Maven Dependency:

  • As you can see below, as soon as we start the Amazon Codebuild, the dependency will begin to download from the Maven Central store.

Image description

  • OWASP has now begun downloading the NVD datasets from NVD; upon a successful download of the NVD databases, OWASP will perform OWASP Scanning on Maven Dependency.

Image description

  • Following the successful download of all NVD datasets, OWASP has begun its dependency scanning on the dependencies that were obtained from the Maven Central Store.

Image description

  • The OWASP dependency scanning has been successfully finished, as you can see below. The OWASP dependency scanning report has also been generated and successfully stored on the S3 bucket.

Image description

Step 5: OWAPS Report Check

  • The OWASP Report can be stored in the S3 Bucket because of to the configuration of the Artifacts. Please refer to the screenshot below, which shows that the OWASP report has been successfully stored in zip format with a build ID associated with it.

Image description

Here is the report screenshot following the Maven Central Store Dependency OWASP Dependency Check Report.

Image description

You can see that the OWASP completed the detailed scanning on the dependencies that were downloaded from the Maven Central Store in the final report. You can see each dependency's severity in this report, and if you continue reading, you'll find more in-depth information on dependencies and their severity.

Conclusion: As this article explains, By adding OWASP resources to your development and testing procedures, you could enhance your web applications' security. By identifying and addressing security concerns early in the development lifecycle, regular vulnerability checks utilizing OWASP principles and tools help lower the risk of security breaches. Remember that maintaining a secure web application environment requires staying up to date on the most recent security threats and best practices. Security is a continuous effort.
— — — — — — — —

Here is the End!

Thank you for taking the time to read my article. I hope you found this article informative and helpful. As I continue to explore the latest developments in technology, I look forward to sharing my insights with you. Stay tuned for more articles like this one that break down complex concepts and make them easier to understand.

Remember, learning is a lifelong journey, and it’s important to keep up with the latest trends and developments to stay ahead of the curve. Thank you again for reading, and I hope to see you in the next article!

Happy Learning!

Top comments (0)