Assess Vulnerabilities and Misconfigurations in CICD Pipelines: Part 1

Document created by Sean Nicholson (Employee) on Sep 16, 2019. Last modified by Robert Dell'Immagine on Apr 23, 2020.
Version 6

Who is this written for?

This document describes how to integrate the Qualys Virtual Scanner Appliance into your DevOps pipelines. The approach is tool, vendor, and cloud environment agnostic: it outlines which API calls you need to make to build images, scan them, and make approval decisions based on the scan results. This document focuses on instance and virtual machine image building. While the logic behind some of the calls listed is similar for a container image pipeline, the Qualys API for Container Security uses different endpoints than those shown here. The container image build pipeline documentation and flow will be covered in another document.

 

Summary

This document outlines how to implement vulnerability and compliance scanning in your CICD pipeline using a Qualys Scanner Appliance, physical or virtual. It looks at where in the pipeline to integrate scanning and how to set thresholds so that virtual machine builds adhere to your security governance requirements. It covers which API calls are needed, what information the Qualys API calls require, and how to process the responses.

Depending on your internal processes and requirements there may be a need to scan more than once. You may implement scanning as part of the virtual machine image building phases or in your testing and validation phase. The idea is to implement a set of standards that must be met for an image build to pass. This helps ensure that machines deployed from these approved images are free of critical vulnerabilities and meet the company's security configuration benchmarks. 

 

Design Considerations 

When to perform scans? 

Vulnerability and compliance scanning may be integrated into the test or verify phases of your CI/CD pipelines. Almost all organizations will need to build vulnerability and compliance scanning into the testing and validation steps of the image building process, to help ensure that the virtual machines deployed from those images contain the latest software patches, are as free as possible of critical vulnerabilities, meet the security configuration requirements, and contain all the agents required by both operations and security. If the required minimums for image building are met, the image passes and can then be used for deployments.

 

Base Images 

It is recommended to implement scanning as part of the base image creation process and to use the results to pass or fail a build. If a build fails because of the vulnerability scan results, patches can be applied to the virtual machine and the system rescanned, up to X times. This iterative approach ensures that base image builds contain all available OS patches at build time and that the virtual machine images do not contain vulnerabilities that violate the established thresholds for image approval.

This is also a good opportunity to ensure that the virtual machines used to create base images are hardened to the security benchmarks the company uses for configuration compliance. This can be accomplished by running Qualys Policy Compliance scans in the pipeline and using the results to help determine pass/fail for virtual machine image build jobs. If a virtual machine passes the compliance scan, the images created from it will already be hardened to the organization's configuration compliance standards.

Scanning in the build pipeline 

Vulnerability and compliance scanning should be implemented in the application team build processes, just as in the virtual machine base OS image building process. This helps ensure that the virtual machines being built contain no known critical vulnerabilities and that no configuration changes are made that violate the established security governance standards, so that the virtual machines being built are compliant with the organization's information security requirements.

 

Scanner Placement 

It is recommended to follow best practices for deploying Qualys scanners in your environment. This includes not having a firewall between the scanner and the virtual machine; if this is not possible, allow full ingress to the virtual machine from the scanner and keep the number of firewalls between the scanner and the virtual machine to a minimum. For faster scan times, place a scanner in, or as close as possible to, the network where the virtual machines will be created. Placing a scanner on the same network or in the same VPC as the virtual machines that will be scanned helps ensure the most accurate scan results and simplifies troubleshooting of any issues encountered when performing scans.

 

Where Qualys API commands run 

Decide how Qualys API commands will run in your virtual machine image creation pipeline. Options include running the commands on the virtual machine itself, from the pipeline management scripts, from a serverless function, or from a tool such as Jenkins. Defining where the Qualys API commands will run establishes the framework for the settings and command options needed to execute them.

Running Scans 

Vulnerability Management Host Assets  

In order to perform IP address scans on target instances, the IP address must be added to or already included in the Qualys subscription. You can check whether the IP is in your Qualys subscription host assets by pulling the list of IPs as shown below and iterating over its IP and IP_RANGE entries. If the IP to be scanned is not in your subscription, it can be added as shown below.

Static IP Address Space 

If the subnet where images are being built and instantiated is known, that subnet / CIDR block can be added to the Qualys subscription host assets. This is the recommended approach, as it provides coverage based on known network configuration for the area where instances will be scanned. If your build pipelines run in multiple networks, network segments, or cloud environments and the IP address subnets are known, all of them should be added to your host asset licenses.

Adding the host asset IP address subnets is required in order to scan by IP address or to add the addresses to a Qualys Vulnerability Management Authentication Record. Examples of adding and removing IP addresses in Authentication Records are shown below in the Authentication Records section.

Ephemeral / Non-static 

For environments where there is no predefined, known range of IP addresses that instances will be assigned, the instance IP address will need to be added to the subscription before it can be added to an Authentication Record or before a vulnerability or compliance scan of the instance can run. The IP address of the instance can be read from the virtual machine metadata or extracted from the virtual machine configuration. Once the IP address is known, it can be added to the Qualys Vulnerability Management and/or Policy Compliance Host Assets.

Adding Host Asset IP and Enabling Vulnerability Management and/or Policy Compliance

Required headers:

  • Accept: text/xml
  • Content-Type: text/xml
  • X-Requested-With: Curl

Parameters for API request

Type                 Parameter List
Request              action=add, action=list
Enable VM / PC       enable_vm=1 | enable_pc=1 | enable_vm=1&enable_pc=1
IP Address(es)       add_ips=

 

List Host Assets IPs

Example API call for listing IP addresses from Host Assets 

(QualysPlatformURL)/api/2.0/fo/asset/ip/?action=list 

Enable Vulnerability Management Host Assets 

Example API call for adding IP addresses to Vulnerability Management Host Assets 

(QualysPlatformURL)/api/2.0/fo/asset/ip/?action=add&enable_vm=1&ips=10.0.0.1 

Enable Vulnerability Management and Policy Compliance Host Assets

Example API call for adding IP addresses to Vulnerability Management and Policy Compliance Host Assets

(QualysPlatformURL)/api/2.0/fo/asset/ip/?action=add&enable_vm=1&enable_pc=1&ips=10.0.0.1

Information on administering assets using the Qualys API can be found in the Qualys API VM & PC User Guide, Chapter 7 - Assets.
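As an added example (not part of the original document), the following Python implements the check described above: it parses a Host Assets IP list response, tests whether an instance IP is already covered by an IP or IP_RANGE entry, and otherwise builds the add call. The list response is a constructed sample following the IP_SET / IP / IP_RANGE shape of the asset/ip list output; the add call uses the ips= parameter as in the example calls above, and the platform URL is a placeholder.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample of an asset/ip?action=list response; not captured from a live subscription.
SAMPLE_IP_LIST = """<?xml version="1.0" encoding="UTF-8" ?>
<IP_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2019-06-12T18:00:00Z</DATETIME>
    <IP_SET>
      <IP>10.0.0.1</IP>
      <IP_RANGE>10.0.1.0-10.0.1.255</IP_RANGE>
    </IP_SET>
  </RESPONSE>
</IP_LIST_OUTPUT>"""


def subscribed_addresses(xml_text):
    """Return (single IPs, [(low, high), ...] ranges) from the IP and IP_RANGE entries."""
    root = ET.fromstring(xml_text)
    singles = [ipaddress.ip_address(e.text.strip()) for e in root.iter("IP")]
    ranges = []
    for e in root.iter("IP_RANGE"):
        low, high = (ipaddress.ip_address(p.strip()) for p in e.text.split("-"))
        ranges.append((low, high))
    return singles, ranges


def ip_in_subscription(ip, xml_text):
    """True when ip is listed directly or falls inside one of the IP_RANGE entries."""
    target = ipaddress.ip_address(ip)
    singles, ranges = subscribed_addresses(xml_text)
    return target in singles or any(low <= target <= high for low, high in ranges)


def add_ip_url(platform_url, ip, enable_vm=True, enable_pc=False):
    """Build the asset/ip?action=add call that licenses ip for VM and/or PC scanning."""
    params = {"action": "add", "ips": ip}
    if enable_vm:
        params["enable_vm"] = 1
    if enable_pc:
        params["enable_pc"] = 1
    return f"{platform_url}/api/2.0/fo/asset/ip/?{urlencode(params)}"


def ensure_ip_subscribed(platform_url, ip, list_xml):
    """Return None if ip is already covered, else the add URL the pipeline step must call first."""
    if ip_in_subscription(ip, list_xml):
        return None
    return add_ip_url(platform_url, ip, enable_vm=True, enable_pc=True)
```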

 

Authentication Records 

Known IP Address space 

If the CIDR block for building virtual machines is known, the CIDR block can be added to the Qualys Authentication Records.

Ephemeral IP Addresses 

If the build pipeline is running instances in an environment where the IP addresses are being assigned by the public cloud provider, the ephemeral IP address of the instance will need to be added to the authentication record prior to running a vulnerability management or policy compliance scan. It is recommended to perform a cleanup of the authentication record assigned IPs once the pipeline scanning is completed.  

This also requires looking up the authentication record ID (or specifying it for a specific pipeline) and then updating the authentication record's target IP addresses.

API Commands to add and remove IP address(es) or IP address blocks

Required headers:

  • Accept: text/xml
  • Content-Type: text/xml
  • X-Requested-With: Curl

Parameters for API request

Type                        Parameter List
Request                     action=update
Authentication Record ID    ids=1234567890
IP Address(es)              add_ips=

Information on administering Authentication Records using the Qualys API can be found in the Qualys API VM & PC User Guide, Chapter 5 – Scan Authentication.

 

Adding IP Addresses

Unix/Linux

Example of adding an IP address to a Unix authentication record
(Qualys Platform URL)/api/2.0/fo/auth/unix/?action=update&ids=1234567890&add_ips=1.2.3.4

Windows

Example of adding an IP address to a Windows authentication record
(Qualys Platform URL)/api/2.0/fo/auth/windows/?action=update&ids=1234567890&add_ips=1.2.3.4

Removing IP Addresses

Unix/Linux

Example of removing an IP address from a Unix authentication record
(Qualys Platform URL)/api/2.0/fo/auth/unix/?action=update&ids=1234567890&remove_ips=1.2.3.4

Windows

Example of removing an IP address from a Windows authentication record
(Qualys Platform URL)/api/2.0/fo/auth/windows/?action=update&ids=1234567890&remove_ips=1.2.3.4

 

Vulnerability Management Scans 

Qualys scanner appliances can run vulnerability scans and / or compliance scans on a system’s IP address(es). Once an instance is created from an image and has an IP address, the virtual machine instance can be scanned.  

Vulnerability scans can be run either as an authenticated scan with administrator/root privileges or non-authenticated. Compliance scans will only run via authenticated scans with administrator/root privileges. 

Required headers:

  • Accept: text/xml
  • Content-Type: text/xml
  • X-Requested-With: Curl

Parameters

Type                   Parameter List
Request                action=launch (required), echo_request, runtime_http_header
Scan Title             scan_title
Option Profile         option_id or option_title
Scanner Appliance      iscanner_id or iscanner_name, ec2_instance_ids
Processing Priority    priority
Asset IPs/Groups       ip, asset_group_ids, asset_groups, exclude_ip_per_scan, default_scanner, scanners_in_ag
Network                ip_network_id (when the Network Support feature is enabled)
Client                 client_id and client_name (only for Consultant type subscriptions)

Information on running scans using the Qualys API can be found in the Qualys API VM & PC User Guide, Chapter 3 - Scans.

Example API call

Vulnerability Scans

Run a Vulnerability scan on a virtual machine using the virtual machine IP address
(QualysPlatformURL)/api/2.0/fo/scan/?action=launch&iscanner_id=123456789&scan_title=Candidate%20Image%20Scan123456789098&option_id=1234567890&ip=1.2.3.4&priority=5

Policy Compliance Scans

Run a Policy Compliance scan on a virtual machine using the virtual machine IP address
(QualysPlatformURL)/api/2.0/fo/scan/compliance/?action=launch&iscanner_id=123456789&scan_title=Candidate%20Image%20Scan123456789098&option_id=1234567890&ip=1.2.3.4&priority=5

Example Response 

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE SIMPLE_RETURN SYSTEM "https://QualysAPI-URL/api/2.0/simple_return.dtd">
<SIMPLE_RETURN>
    <RESPONSE>
        <DATETIME>2019-06-12T18:10:43Z</DATETIME>
        <TEXT>New vm scan launched</TEXT>
        <ITEM_LIST>
            <ITEM>
                <KEY>ID</KEY>
                <VALUE>15737591</VALUE>
            </ITEM>
            <ITEM>
                <KEY>REFERENCE</KEY>
                <VALUE>scan/1563559842.37591</VALUE>
            </ITEM>
        </ITEM_LIST>
    </RESPONSE>
</SIMPLE_RETURN>

 

Check Scan Status 

Use the Reference Value in the response to query for the status of the scan. A loop checking for completed scan status should be run to ensure the scan has completed prior to querying for the scan results. 

Required headers:

  • Accept: text/xml
  • Content-Type: text/xml
  • X-Requested-With: Curl

Body Parameters

Type                     Parameter List
Request                  action=list (required), echo_request
Show/Hide Information    show_ags=0, show_status=1, show_op=0
Scan List Filters        scan_ref, state, processed, type, target, user_login, launched_after_datetime, launched_before_datetime, scan_type=certview, scan_type=ec2certview, client_id and client_name (only for Consultant type subscriptions)

Information on listing scans using the Qualys API can be found in the Qualys API VM & PC User Guide, Chapter 3 - Scans.

Example API Call

List the status of the scan launched above, filtering on its Reference Value
(QualysPlatformURL)/api/2.0/fo/scan/?action=list&scan_ref=scan/1563559842.12365&show_status=1

Example Response 

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE SCAN_LIST_OUTPUT SYSTEM "https://qualysapi.qg2.apps.qualys.com/api/2.0/fo/scan/scan_list_output.dtd">
<SCAN_LIST_OUTPUT>
    <RESPONSE>
        <DATETIME>2019-06-12T18:014:16Z</DATETIME>
        <SCAN_LIST>
            <SCAN>
                <REF>scan/1563559842.12365</REF>
                <TYPE>API</TYPE>
                <TITLE>
                    <![CDATA[Pipeline Scan]]>
                </TITLE>
                <USER_LOGIN>xxxxxxxxxx</USER_LOGIN>
                <LAUNCH_DATETIME>2019-06-12T18:10:42Z</LAUNCH_DATETIME>
                <DURATION>00:15:16</DURATION>
                <PROCESSING_PRIORITY>0 - No Priority</PROCESSING_PRIORITY>
                <PROCESSED>1</PROCESSED>
                <STATUS>
                    <STATE>Finished</STATE>
                </STATUS>
                <TARGET>
                    <![CDATA[i-1234567890ab]]>
                </TARGET>
            </SCAN>
        </SCAN_LIST>
    </RESPONSE>
</SCAN_LIST_OUTPUT>

<!-- CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2019, Qualys, Inc. //--> 
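As an added example (not part of the original document), the following Python ties the launch and status-check steps together: it builds the launch URL for a VM or Policy Compliance scan, extracts the REFERENCE from the SIMPLE_RETURN response, and polls the scan list until the scan reaches a terminal state, with a bounded loop so a stuck scan fails the pipeline step rather than hanging it. The two XML strings are constructed samples shaped like the responses shown above; fetch_status is a caller-supplied function (an assumption here) that performs the action=list request and returns its XML.

```python
import time
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlencode

TERMINAL_STATES = {"Finished", "Canceled", "Error"}  # polling past these gains nothing

# Constructed samples shaped like the SIMPLE_RETURN and SCAN_LIST_OUTPUT responses shown above.
LAUNCH_XML = """<SIMPLE_RETURN><RESPONSE><TEXT>New vm scan launched</TEXT><ITEM_LIST>
<ITEM><KEY>ID</KEY><VALUE>15737591</VALUE></ITEM>
<ITEM><KEY>REFERENCE</KEY><VALUE>scan/1563559842.37591</VALUE></ITEM>
</ITEM_LIST></RESPONSE></SIMPLE_RETURN>"""
STATUS_XML = """<SCAN_LIST_OUTPUT><RESPONSE><SCAN_LIST><SCAN>
<REF>scan/1563559842.37591</REF><STATUS><STATE>{state}</STATE></STATUS>
</SCAN></SCAN_LIST></RESPONSE></SCAN_LIST_OUTPUT>"""


def launch_url(platform_url, scanner_id, option_id, ip, title, compliance=False):
    """Build the launch URL for a VM scan, or a PC scan when compliance=True (title gets %20-encoded)."""
    path = "/api/2.0/fo/scan/compliance/" if compliance else "/api/2.0/fo/scan/"
    params = {"action": "launch", "iscanner_id": scanner_id, "scan_title": title,
              "option_id": option_id, "ip": ip, "priority": 5}
    return platform_url + path + "?" + urlencode(params, quote_via=quote)


def scan_reference(simple_return_xml):
    """Return the REFERENCE value from a SIMPLE_RETURN launch response."""
    for item in ET.fromstring(simple_return_xml).iter("ITEM"):
        if item.findtext("KEY") == "REFERENCE":
            return item.findtext("VALUE")
    raise ValueError("launch response carries no REFERENCE item")


def scan_state(scan_list_xml, ref):
    """Return STATUS/STATE for the SCAN whose REF matches ref, or None if it is not listed."""
    for scan in ET.fromstring(scan_list_xml).iter("SCAN"):
        if scan.findtext("REF") == ref:
            return scan.findtext("STATUS/STATE")
    return None


def wait_for_scan(fetch_status, ref, max_polls=60, delay=0):
    """Poll fetch_status(ref) -> SCAN_LIST_OUTPUT xml until a terminal state; bounded, never hangs."""
    for _ in range(max_polls):
        state = scan_state(fetch_status(ref), ref)
        if state in TERMINAL_STATES:
            return state
        time.sleep(delay)
    raise TimeoutError(f"scan {ref} not in a terminal state after {max_polls} polls")
```

Only "Finished" means results are ready to fetch; a pipeline step should treat "Canceled" and "Error" as a failed scan rather than proceeding to result processing.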

 

This document continues with Assess Vulnerabilities and Misconfigurations in CICD Pipelines: Part 2.
