Writing Secure Code Utilizing DevSecOps Pipelines Lab

Solution Overview

This lab demonstrates a day in the life of a developer testing and deploying code within a secure DevSecOps framework consisting of GitLab Enterprise, HashiCorp Vault Enterprise and HashiCorp Terraform Enterprise. The DevSecOps pipeline, driven by GitLab CI/CD, uses GitLab's built-in security features: container scanning, static application security testing (SAST) and secrets scanning. An OSCAP STIG scan is run in the pipeline's security testing stage, and all reports are available through the GitLab security dashboard for every run of the pipeline.

HashiCorp Vault Enterprise serves as the centralized secrets management solution: it integrates with GitLab over JWT authentication and provides a secure secret store for the sensitive pipeline variables. HashiCorp Terraform Enterprise provides the automation to deploy the infrastructure following industry best practices for Infrastructure as Code (IaC). Terraform Enterprise's Sentinel policy and governance framework provides the guardrails around infrastructure provisioning, following a policy as code (PaC) approach.
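As an added illustration (not the lab's own pipeline definition), the following minimal .gitlab-ci.yml wires together the three built-in GitLab scanners named above, an OSCAP STIG evaluation job, and a Vault JWT login that exchanges the job's short-lived token for pipeline secrets. The Vault address, the JWT role name, the secret path, the deploy script and the runner's OpenSCAP setup are assumptions for this example.

```yaml
# Added example, not the lab's own pipeline. Assumed: a Vault JWT auth role
# "gitlab-ci", a KV v2 secret at secret/pipeline/db, a deploy.sh script, and a
# RHEL 8 shell runner with openscap-scanner and scap-security-guide installed.
include:
  - template: Security/SAST.gitlab-ci.yml                # built-in SAST
  - template: Security/Secret-Detection.gitlab-ci.yml    # secrets scanning
  - template: Security/Container-Scanning.gitlab-ci.yml  # container image scanning

stages:
  - build
  - test
  - deploy

variables:
  VAULT_ADDR: "https://vault.example.internal:8200"   # assumed Vault address

# OSCAP STIG evaluation in the test stage; results and the HTML report are kept as
# job artifacts so findings are reviewable even when the scan reports failed rules.
oscap_stig:
  stage: test
  tags: [rhel8]            # assumed runner tag for the RHEL 8 host being evaluated
  script:
    - oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --results oscap-results.xml --report oscap-report.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
  allow_failure: true      # oscap exits non-zero when rules fail; keep the pipeline visible, not blocked
  artifacts:
    paths: [oscap-results.xml, oscap-report.html]
    when: always

# Exchange the GitLab-issued job JWT (CI_JOB_JWT) for a Vault token. The secret is
# never stored as a CI/CD variable; the Vault role should bind on claims such as
# project_id and ref_protected so only protected branches of this project can log in.
deploy:
  stage: deploy
  image: vault:1.6.3       # assumed image providing the vault CLI
  script:
    - export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=gitlab-ci jwt=$CI_JOB_JWT)"
    - export DB_PASSWORD="$(vault kv get -field=password secret/pipeline/db)"
    - ./deploy.sh          # assumed deployment script that consumes DB_PASSWORD
  only:
    - main
```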

Goals & Objectives

  • Familiarize users with vSphere, GitLab Enterprise, Terraform Enterprise, Vault Enterprise and OSCAP.
  • Dive into the various stages of a DevSecOps CI/CD pipeline.
  • Cover several examples of security testing, including their artifacts:
    • Static Application Security Testing (SAST)
    • Secrets Scanning
    • Container Image Scanning
    • Open Security Content Automation Scan (OSCAP)
  • Utilize consumable infrastructure as part of a pipeline:
    • IaC Validation
    • IaC Application & Deploy
    • Docker Deploy
    • Applying PaC
  • Utilize a centralized secrets management solution.

Hardware & Software

  • GitLab Enterprise 13.9.2-ee
  • HashiCorp Terraform Enterprise v202102-2
  • HashiCorp Vault Enterprise v1.6.3+ent
  • VMware vSphere 7.1
  • Red Hat RHEL 8.1