Create a secure DevSecOps pipeline
This section explains how to create a secure DevSecOps Build Pipeline for a Python Application using CircleCI and the Crashtest Security Suite.
The DevSecOps example is a simple web application written with Django. It implements a single view that returns everything the user inputs. The templating engine's automatic XSS protection is disabled, so the input is rendered as-is. In addition, the XSSDisableMiddleware disables the XSS protection feature implemented in modern web browsers.
Tutorial
This application contains a build file for CircleCI to deploy the vulnerable application to Heroku. Additionally, build jobs are defined to run a dependency check for the Python application using Safety and a dynamic application security test using the Crashtest Security Suite. This application is used within workshops held by Crashtest Security. This tutorial contains the steps to follow in the workshop. If you want to attend one of those workshops, contact Veracode Technical Support.
Create Accounts
- GitHub: Create an account to get access to the source code of this example project.
- CircleCI: Log in using GitHub to grant CircleCI access to your GitHub projects.
- Heroku: Create an account to deploy the example application there.
- Crashtest Security: Create an account to conduct a dynamic vulnerability scan.
Fork the Repository
To access the repository code, click Fork to fork the repo: https://github.com/crashtest-security/devsecops-example-heroku.
This will create your copy of the code repository and redirect you to the repository page.
Configure Heroku for This Project
Create a new application within Heroku: https://dashboard.heroku.com/new-app. You may choose any name and region you like. Just remember the name of your new Heroku app. In this tutorial, the name of your Heroku app is referred to as HEROKU_APP_NAME. For this tutorial, the application name is sigs-devsecops-example.
Go to the app settings, click Reveal Config Vars and add a new environment variable, DISABLE_COLLECTSTATIC = 1. This is needed for the Django application to run correctly on Heroku. If you miss setting this environment variable, you will see an error message later during the corresponding build step. Click Open App to see a default page from Heroku that states that you have no application running.
Retrieve your Heroku API key here: https://dashboard.heroku.com/account (at the bottom of the page). You need this API key to grant CircleCI access to deploy your application. In this tutorial, the variable is referred to as HEROKU_API_KEY.
Link GitHub Repository with CircleCI Workflow
Open the CircleCI dashboard: https://circleci.com/dashboard. When asked for login credentials, log in using your GitHub account. This grants CircleCI access permissions to get the code from your repository.
To add your GitHub repository to CircleCI, select Add Projects from the left menu. Then, select Set Up Project.
Select Workflows in the left menu bar and then select the gear symbol next to your project.
Configure the following two environment variables:
- HEROKU_APP_NAME: enter the name that you previously chose.
- HEROKU_API_KEY: enter the API key as provided by Heroku.
Commit a Change to the Repository
To start a fresh build in CircleCI, you need to commit a change to the repository. For this, you add a submit button to the form in the application.
In your GitHub repository, navigate to devsecops-example-heroku/vulnerable/templates/index.html and click the pencil icon to edit the file. Add a button to the form by adding the following code before the form closing tag (line 11):
<input type="submit" value="Send!" />
When the file is saved, the change is committed to the repository, and a new build is triggered in CircleCI automatically.
The build deploys the application, and you can now access it from Heroku by selecting Open App.
You can see that the application contains a Cross-Site Scripting vulnerability by typing the following as your name within the application. The browser shows an alert box because it interprets the JavaScript you provided:
<script>alert("XSS")</script>
Enable Python Safety (SAST) Build Step
To enable the dependency check of all Python dependencies in the build, add the following lines at the end of the file devsecops-example-heroku/vulnerable/.circleci/config.yml. Ensure the indentation matches.
# Run python safety check
- python-safety
The new build step must fail, as there are known vulnerabilities in the Django version used.
To fix the build, figure out the latest Django version and update it in the file devsecops-example-heroku/requirements.txt. You can find the latest Django version here: https://www.djangoproject.com/download/.
Enable Crashtest Security (DAST) Build Step
To integrate a dynamic vulnerability scan using the Crashtest Security Suite, log in on https://crashtest.cloud and create a new project with the following settings:
- Project Type: Multipage Application
- Title: Choose a title you like
- Protocol: HTTPS
- URL: The URL your application runs (Copy from your browser address bar after clicking on Open App in Heroku).
Click on Verify Project to download the verification file. You need this file to allow the Crashtest Security Suite to scan your application.
In GitHub, within the root directory of your project, select Create a new file. Then, name the file similar to the downloaded verification file and fill it with the same content.
Generate a Webhook within the Crashtest Security Suite. Go to the project preferences and click Generate in the Webhook section.
Add a new environment variable in the project settings in CircleCI:
- CRASHTEST_WEBHOOK: enter the webhook ID you just generated, but do not include the URL path.
Now enable the dynamic vulnerability scan for your application by adding the following lines at the end of the file devsecops-example-heroku/vulnerable/.circleci/config.yml. Ensure that the indentation matches. For example, the line requires has four additional spaces of indentation compared to the line before.
# Start Crashtest Security Suite
- dast:
    requires:
      - heroku/deploy-via-git
The build fails because of several more detected vulnerabilities, such as the Cross-Site Scripting vulnerability.
Resolve Vulnerabilities
- To resolve the Cross-Site Scripting vulnerability, open the file devsecops-example-heroku/vulnerable/templates/index.html and remove the pipe | safe in line 4.
- You should get a successful build again and have a much more secure application than before.
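The following added example (not code from the example repository) shows why removing | safe fixes the finding. It uses a hypothetical stand-in renderer built on the standard library rather than Django's own template engine, and reuses the payload typed into the name field above to check both variants of the template line.

```python
import html
import re

# Constructed input: the same payload the tutorial types into the name field.
XSS_PAYLOAD = '<script>alert("XSS")</script>'

# Script-tag detector used to judge the rendered output.
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def render_greeting(name: str, mark_safe: bool) -> str:
    """Hypothetical stand-in for the template line `Hello {{ name | safe }}`.

    Django autoescapes every variable with the same replacements that
    html.escape(quote=True) performs (&, <, >, " and '). The `| safe`
    filter marks the value as trusted and skips that step entirely.
    """
    value = name if mark_safe else html.escape(name, quote=True)
    return f"<p>Hello {value}</p>"


def reflects_active_content(rendered: str) -> bool:
    """True when a script tag survived into the HTML the browser will parse."""
    return SCRIPT_TAG.search(rendered) is not None


def xss_check(name: str) -> dict:
    """Render the same input both ways and report which variant reflects a script."""
    vulnerable = render_greeting(name, mark_safe=True)   # `{{ name | safe }}` (before)
    fixed = render_greeting(name, mark_safe=False)       # `{{ name }}` (after the fix)
    return {
        "vulnerable_html": vulnerable,
        "fixed_html": fixed,
        "vulnerable_reflects_script": reflects_active_content(vulnerable),
        "fixed_reflects_script": reflects_active_content(fixed),
    }


if __name__ == "__main__":
    for key, value in xss_check(XSS_PAYLOAD).items():
        print(f"{key}: {value}")
```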