A vulnerability discovered while writing code takes a developer a few minutes to fix. The same vulnerability caught in production costs a sprint. And if an attacker finds it first, it costs millions. This is the core argument behind **shift-left security** - moving security checks to the earliest possible stage of the development lifecycle.

DevSecOps takes this idea and turns it into a practice: security is not a separate phase at the end but a continuous process woven into every stage of development, from the first line of code to production deployment.

## The Cost of Late Security

IBM's Cost of a Data Breach Report consistently shows that the cost of fixing security issues grows exponentially the later they are caught:

| Stage | Cost to Fix | Time to Fix |
|-------|-------------|-------------|
| **IDE / Local Dev** | Minutes | Seconds to minutes |
| **Code Review / PR** | Hours | Minutes to hours |
| **CI/CD Pipeline** | Days | Hours to days |
| **Staging / QA** | Weeks | Days |
| **Production** | Months | Weeks to months |
| **Post-breach** | Millions ($) | Months to years |

The takeaway is clear: every stage you move security earlier saves an order of magnitude in cost and time.

## The DevSecOps Pipeline

A mature DevSecOps pipeline integrates security checks at every stage:

```mermaid
graph LR
    IDE[IDE / Editor] --> PC[Pre-commit Hooks]
    PC --> PR[Pull Request]
    PR --> CI[CI Pipeline]
    CI --> Build[Build / Package]
    Build --> Deploy[Deploy]
    Deploy --> Runtime[Runtime / Production]

    IDE -.- S1[SAST\nSecret Detection\nLinting]
    PC -.- S2[Secrets Scan\nFormat Check]
    PR -.- S3[Code Review\nDependency Audit]
    CI -.- S4[SAST\nSCA\nContainer Scan\nSBOM]
    Build -.- S5[Image Signing\nArtifact Verification]
    Deploy -.- S6[Policy Enforcement\nAdmission Control]
    Runtime -.- S7[DAST\nWAF\nMonitoring]
```

Let's break down each stage with concrete tools and configurations.

## Stage 1: Security in the IDE

The fastest feedback loop. Catch vulnerabilities before you even save the file.

### Recommended Tools

- **Semgrep**: lightweight static analysis with community rules for OWASP vulnerabilities
- **Snyk IDE Extension**: real-time dependency vulnerability scanning
- **GitLens + GitLeaks**: detect secrets inside your editor
- **ESLint Security Plugins**: `eslint-plugin-security` for Node.js, `eslint-plugin-no-unsanitized` for DOM XSS

### Example: ESLint Security Configuration

```json
{
  "extends": ["eslint:recommended"],
  "plugins": ["security", "no-unsanitized"],
  "rules": {
    "security/detect-object-injection": "warn",
    "security/detect-non-literal-regexp": "warn",
    "security/detect-unsafe-regex": "error",
    "security/detect-buffer-noassert": "error",
    "security/detect-eval-with-expression": "error",
    "security/detect-no-csrf-before-method-override": "error",
    "security/detect-possible-timing-attacks": "warn",
    "no-unsanitized/method": "error",
    "no-unsanitized/property": "error"
  }
}
```

## Stage 2: Pre-commit Hooks

The second line of defense. Hooks run automatically before every commit, blocking dangerous code from entering the repository.

### Gitleaks: Catch Secrets Before They Reach Git

The most common security mistake in codebases is committing secrets - API keys, database passwords, tokens. Once a secret has entered git history, it is very hard to remove completely (even with force pushes, forks and caches may retain it).

```yaml
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.21.0
    hooks:
      - id: gitleaks

  - repo: https://github.com/semgrep/semgrep
    rev: v1.90.0
    hooks:
      - id: semgrep
        args: ['--config', 'auto']
```

Install and activate:

```bash
pip install pre-commit
pre-commit install
```

Now every `git commit` automatically scans for leaked secrets and common vulnerabilities. If anything is found, the commit is blocked.

### Custom Gitleaks Rules

You can add custom patterns for your organization's own secrets:

```toml
# .gitleaks.toml
title = "Custom Gitleaks Config"

[[rules]]
id = "internal-api-key"
description = "Internal API key detected"
regex = '''INTERNAL_KEY_[A-Za-z0-9]{32}'''
tags = ["key", "internal"]
```

## Stage 3: CI/CD Pipeline Security

This is where the heavy lifting happens. Your CI pipeline should run several security scans on every pull request.

### SAST (Static Application Security Testing)

SAST tools analyze source code without executing it, looking for patterns that indicate vulnerabilities.

```yaml
# .github/workflows/security.yml
name: Security Scan
on:
  pull_request:
    branches: [main]

jobs:
  sast:
    name: Static Analysis
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Semgrep
        uses: semgrep/semgrep-action@v1
        with:
          config: >-
            p/owasp-top-ten
            p/typescript
            p/nodejs
            p/react
          generateSarif: true

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: semgrep.sarif
```

Semgrep's `p/owasp-top-ten` ruleset catches the most common vulnerabilities: SQL injection, XSS, SSRF, path traversal, insecure deserialization, and more.

### SCA (Software Composition Analysis)

SCA scans your dependencies for known vulnerabilities. This is critical - more than 80% of modern application code comes from open-source dependencies.

```yaml
  dependency-scan:
    name: Dependency Audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Snyk
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high

      - name: npm audit
        run: npm audit --audit-level=high
```

### Container Security with Trivy

If you build Docker images, scanning them for vulnerabilities is essential. **Trivy** is the most popular open-source container scanner.

```yaml
  container-scan:
    name: Container Security
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build image
        run: docker build -t my-app:${{ github.sha }} .

      - name: Run Trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: my-app:${{ github.sha }}
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'

      - name: Upload Trivy SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
```

### SBOM Generation

A **Software Bill of Materials (SBOM)** is a complete inventory of every component in your application. It is increasingly required by compliance frameworks and government regulation (the US Executive Order on Cybersecurity mandates SBOMs for federal software).

```yaml
  sbom:
    name: Generate SBOM
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Generate SBOM with Syft
        uses: anchore/sbom-action@v0
        with:
          format: spdx-json
          output-file: sbom.spdx.json

      - name: Upload SBOM
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.spdx.json
```

## Stage 4: Secure Docker Images

A production Docker image should follow the principle of least privilege. Here is what a hardened Dockerfile looks like:

```dockerfile
# Build stage
FROM node:22-alpine AS builder
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci
COPY . .
RUN npm run build

# Production stage
FROM node:22-alpine AS runner
WORKDIR /app

# Install dumb-init before dropping root
RUN apk add --no-cache dumb-init

# Don't run as root
RUN addgroup -S app && adduser -S app -G app

# Copy only what's needed
COPY --from=builder --chown=app:app /app/dist ./dist
COPY --from=builder --chown=app:app /app/node_modules ./node_modules
COPY --from=builder --chown=app:app /app/package.json ./

# Drop to non-root user
USER app
ENTRYPOINT ["dumb-init", "--"]

# Health check
HEALTHCHECK --interval=30s --timeout=3s --retries=3 \
  CMD wget -qO- http://localhost:3000/health || exit 1

EXPOSE 3000
CMD ["node", "dist/server.js"]
```

Key practices:

1. **Use multi-stage builds**: the builder stage has dev dependencies; the runner stage has only production code
2. **Don't run as root**: create a non-root user and switch to it
3. **Use Alpine images**: smaller attack surface (fewer packages installed by default)
4. **Pin image versions**: `node:22-alpine` instead of `node:latest` to avoid supply chain attacks
5. **Use `npm ci`**: deterministic installs from the lock file, not `npm install`

## Stage 5: Secret Management

Hard-coded secrets are the number one cause of breaches among developer-caused incidents.

### What Not To Do

```typescript
// NEVER do this: the credentials live in source and in git history forever
import { Client } from 'pg';

const API_KEY = "sk-1234567890abcdef";
const DB_PASSWORD = "supersecret123";

const client = new Client({
  connectionString: `postgres://admin:${DB_PASSWORD}@db.example.com/prod`
});
```

### What To Do Instead

```typescript
// Use environment variables injected at deploy time
import { Client } from 'pg';

const client = new Client({
  connectionString: process.env.DATABASE_URL
});

// Or fetch the secret from a secret manager at startup
// (top-level await requires an ES module)
import { SecretManagerServiceClient } from '@google-cloud/secret-manager';

const secrets = new SecretManagerServiceClient();
const [version] = await secrets.accessSecretVersion({
  name: 'projects/my-project/secrets/db-password/versions/latest',
});
const dbPassword = version.payload?.data?.toString();
```

### Secret Management Hierarchy

```mermaid
graph TD
    A[Secret Manager\nAWS Secrets Manager\nGCP Secret Manager\nHashiCorp Vault] --> B[Best: Rotated, audited, centralized]
    C[Environment Variables\nInjected at deploy time] --> D[Good: Not in code, but static]
    E[.env files\nWith .gitignore] --> F[Acceptable: Local development only]
    G[Hard-coded in source] --> H[NEVER: Instant breach risk]

    style A fill:#d4edda
    style C fill:#fff3cd
    style E fill:#ffeeba
    style G fill:#f8d7da
```

## OWASP Top 10: A Quick Reference

Every developer should know the OWASP Top 10. The abbreviated version:

| # | Vulnerability | What It Is | Prevention |
|---|--------------|-----------|------------|
| 1 | **Broken Access Control** | Users accessing resources they should not | Deny by default, validate on the server side |
| 2 | **Cryptographic Failures** | Weak encryption, plaintext data | Use strong algorithms (AES-256, bcrypt), TLS everywhere |
| 3 | **Injection** | SQL, NoSQL, OS command injection | Parameterized queries, input validation |
| 4 | **Insecure Design** | Flawed architecture | Threat modeling, secure design patterns |
| 5 | **Security Misconfiguration** | Default credentials, open cloud buckets | Hardened defaults, automated config audits |
| 6 | **Vulnerable Components** | Known CVEs in dependencies | SCA scanning, regular updates |
| 7 | **Auth Failures** | Weak passwords, broken sessions | MFA, rate limiting, secure session management |
| 8 | **Data Integrity Failures** | Unsigned updates, untrusted CI/CD | Code signing, SBOM, pipeline integrity |
| 9 | **Logging Failures** | No audit trail | Structured logging, alerting on anomalies |
| 10 | **SSRF** | Server-side request forgery | Allowlist outbound URLs, validate inputs |

## Complete GitHub Actions Security Workflow

A complete, production-ready workflow that combines everything above:

```yaml
# .github/workflows/security.yml
name: Security Pipeline
on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write

jobs:
  secrets-scan:
    name: Secret Detection
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  sast:
    name: Static Analysis (SAST)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: semgrep/semgrep-action@v1
        with:
          config: p/owasp-top-ten p/typescript p/nodejs

  dependency-audit:
    name: Dependency Scan (SCA)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - run: npm ci
      - run: npm audit --audit-level=high
      - uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high
        continue-on-error: true

  container-scan:
    name: Container Scan
    runs-on: ubuntu-latest
    needs: [sast, dependency-audit]
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t app:${{ github.sha }} .
      - uses: aquasecurity/trivy-action@master
        with:
          image-ref: app:${{ github.sha }}
          severity: CRITICAL,HIGH
          exit-code: '1'

  sbom:
    name: SBOM Generation
    runs-on: ubuntu-latest
    needs: [container-scan]
    steps:
      - uses: actions/checkout@v4
      - uses: anchore/sbom-action@v0
        with:
          format: spdx-json
          output-file: sbom.spdx.json
```

```mermaid
graph TD
    PR[Pull Request] --> S1[Secret Detection]
    PR --> S2[SAST - Semgrep]
    PR --> S3[SCA - Snyk + npm audit]
    S2 --> S4[Container Scan - Trivy]
    S3 --> S4
    S4 --> S5[SBOM Generation]
    S5 --> Deploy[Deploy]

    S1 -.- F1[Block if secrets found]
    S2 -.- F2[Block on critical vulns]
    S3 -.- F3[Block on high severity]
    S4 -.- F4[Block on critical CVEs]
```

## Metrics to Track

How do you know your DevSecOps program is working? Track these metrics:

- **Mean time to remediate (MTTR)**: how quickly you fix vulnerabilities after they are detected
- **Vulnerability escape rate**: the percentage of vulnerabilities that reach production
- **False positive rate**: too many false positives cause alert fatigue and ignored warnings
- **Dependency freshness**: the average age of your dependencies (older = more likely to carry known CVEs)
- **SBOM coverage**: the percentage of projects with an up-to-date SBOM

## Getting Started: A Practical Roadmap

Don't try to implement everything at once. A phased approach works better:

```mermaid
flowchart TD
    A[Week 1-2: Foundations] --> B[Week 3-4: CI/CD Integration]
    B --> C[Month 2: Container Security]
    C --> D[Month 3+: Advanced]

    A --> A1[Add Gitleaks pre-commit hooks]
    A --> A2[Enable npm audit in CI]
    A --> A3[Add .gitignore for .env files]

    B --> B1[Add Semgrep to GitHub Actions]
    B --> B2[Add Snyk dependency scanning]
    B --> B3[Set up SARIF upload to GitHub]

    C --> C1[Add Trivy container scanning]
    C --> C2[Harden Dockerfiles]
    C --> C3[Generate SBOMs]

    D --> D1[Secret manager integration]
    D --> D2[Runtime protection - DAST]
    D --> D3[Policy as code - OPA]
```

## Conclusion

DevSecOps is not about adding more tools to your pipeline - it is about making security a natural part of how you build software. The goal is not to block every PR with security warnings but to give developers fast feedback so they can fix issues while the code is still fresh in their minds.

Start with the basics: pre-commit hooks for secrets, dependency scanning in CI, and container scanning for Docker images. Then iterate based on your team's needs.

Security is not a feature you ship once. It is a practice you build with every commit.

> **DevSecOps Starter Checklist:**
>
> - [x] Gitleaks pre-commit hooks installed
> - [x] .env and secret files in .gitignore
> - [x] Semgrep SAST in the CI pipeline
> - [x] Snyk or npm audit for dependency scanning
> - [x] Trivy for container image scanning
> - [x] Non-root user in Dockerfiles
> - [x] Secrets in environment variables or a secret manager
> - [x] SBOM generation on every release
> - [x] OWASP Top 10 awareness across the team
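Worked example for the Stage 2 pre-commit hook and the custom Gitleaks rule. This is added code, not from the original post or from Gitleaks itself: it applies the page's `INTERNAL_KEY_` regex plus one assumed generic `sk-` rule to constructed file content, skips low-entropy placeholders, honours a `gitleaks:allow` marker and redacts what it reports.

```typescript
// Added, not from the post: pre-commit style scanner for the Stage 2 custom rule
interface Rule { id: string; regex: RegExp; minEntropy: number; }
interface Finding { ruleId: string; line: number; redacted: string; }
// First rule mirrors the page's .gitleaks.toml regex; the entropy floor and the
// second rule (sk- keys like the hard-coded API_KEY in Stage 5) are assumptions
const RULES: Rule[] = [
  { id: "internal-api-key", regex: /INTERNAL_KEY_[A-Za-z0-9]{32}/, minEntropy: 3.0 },
  { id: "generic-sk-key", regex: /sk-[A-Za-z0-9]{16,}/, minEntropy: 3.0 },
];

// Shannon entropy in bits per character: real keys score high, "xxxx..." low
function shannonEntropy(s: string): number {
  const counts: Record<string, number> = {};
  for (let i = 0; i < s.length; i++) counts[s[i]] = (counts[s[i]] || 0) + 1;
  let h = 0;
  for (const ch in counts) {
    const p = counts[ch] / s.length;
    h -= p * (Math.log(p) / Math.LN2);
  }
  return h;
}

// Findings end up in logs, so keep only a short prefix of the matched token
function redact(token: string): string {
  return token.slice(0, 6) + new Array(token.length - 5).join("*");
}

function scanForSecrets(text: string, rules: Rule[] = RULES): Finding[] {
  const findings: Finding[] = [];
  text.split("\n").forEach((line, idx) => {
    if (line.indexOf("gitleaks:allow") !== -1) return; // gitleaks' own suppression marker
    for (const rule of rules) {
      const re = new RegExp(rule.regex.source, "g");
      let m: RegExpExecArray | null;
      while ((m = re.exec(line)) !== null) {
        if (shannonEntropy(m[0]) < rule.minEntropy) continue; // skip placeholders
        findings.push({ ruleId: rule.id, line: idx + 1, redacted: redact(m[0]) });
      }
    }
  });
  return findings;
}

// A hook exits non-zero, blocking the commit, when anything is found
function shouldBlockCommit(text: string): boolean {
  return scanForSecrets(text).length > 0;
}

// Constructed file content a developer is about to commit
const SAMPLE = [
  'const API_KEY = "sk-1234567890abcdef";',                       // reported
  'const DOC = "INTERNAL_KEY_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";',  // placeholder, low entropy
  'const KEY = "INTERNAL_KEY_a9Qz7Lm2Kp4Rv8Tw1Xb3Nc6Hd5Jf0GyE";',  // reported
  'const FIXTURE = "INTERNAL_KEY_a9Qz7Lm2Kp4Rv8Tw1Xb3Nc6Hd5Jf0GyE"; // gitleaks:allow',
].join("\n");
```

Running `scanForSecrets(SAMPLE)` reports lines 1 and 3 only; the placeholder and the allow-listed fixture line are skipped.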
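Worked example for the SCA and SBOM sections in Stage 3. This is added code, not from the original post or from Syft or Snyk: it runs the version-range check an SCA step performs over a constructed SPDX JSON fragment in Syft's shape, against constructed advisories with placeholder ids, and applies the same high-severity gate the workflow uses.

```typescript
// Added, not from the post: the match an SCA step makes, run over an SBOM
interface SpdxPackage { SPDXID: string; name: string; versionInfo: string; }
interface SpdxDocument { spdxVersion: string; name: string; packages: SpdxPackage[]; }
// A package is affected when introduced <= version < fixed
interface Advisory { id: string; pkg: string; introduced: string; fixed: string; severity: string; }
interface Match { pkg: string; version: string; advisory: string; severity: string; }
// Constructed fragment in the shape syft writes for `format: spdx-json`
const SBOM: SpdxDocument = {
  spdxVersion: "SPDX-2.3",
  name: "my-app",
  packages: [
    { SPDXID: "SPDXRef-Package-npm-express", name: "express", versionInfo: "4.17.1" },
    { SPDXID: "SPDXRef-Package-npm-lodash", name: "lodash", versionInfo: "4.17.21" },
    { SPDXID: "SPDXRef-Package-npm-minimist", name: "minimist", versionInfo: "1.2.0" },
  ],
};

// Constructed advisories: placeholder ids, illustrative ranges, not real CVEs
const ADVISORIES: Advisory[] = [
  { id: "ADV-PLACEHOLDER-1", pkg: "minimist", introduced: "0.0.0", fixed: "1.2.6", severity: "CRITICAL" },
  { id: "ADV-PLACEHOLDER-2", pkg: "lodash", introduced: "0.0.0", fixed: "4.17.21", severity: "HIGH" },
  { id: "ADV-PLACEHOLDER-3", pkg: "express", introduced: "4.0.0", fixed: "4.17.3", severity: "MEDIUM" },
];

// Numeric dotted-version comparison (pre-release tags not handled): 4.17.1 < 4.17.3
function compareVersions(a: string, b: string): number {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Check every SBOM package against every advisory for the same name. The fixed
// version itself is not affected, so lodash 4.17.21 comes back clean.
function findVulnerable(sbom: SpdxDocument, advisories: Advisory[]): Match[] {
  const out: Match[] = [];
  for (const p of sbom.packages) {
    for (const adv of advisories) {
      if (adv.pkg !== p.name) continue;
      if (compareVersions(p.versionInfo, adv.introduced) >= 0 &&
          compareVersions(p.versionInfo, adv.fixed) < 0) {
        out.push({ pkg: p.name, version: p.versionInfo, advisory: adv.id, severity: adv.severity });
      }
    }
  }
  return out;
}

// Same gate as --severity-threshold=high / --audit-level=high in the workflow jobs
function shouldFailBuild(matches: Match[], threshold: string[] = ["HIGH", "CRITICAL"]): boolean {
  return matches.some(m => threshold.indexOf(m.severity) !== -1);
}
```

`findVulnerable(SBOM, ADVISORIES)` returns the express and minimist matches, and `shouldFailBuild` fails the build because the minimist finding is CRITICAL.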