Tools to create a secure pipeline
•Download as ODP, PDF•
0 likes•2,289 views
What are the families of tools used to secure your application? How are those placed in the SLDC process? What tools are available in the Java ecosystem? We will try to answer these questions through some basic explanation and few live workshops! Please note that this was a workshop and those are only the guiding slides: for detailed information about the session please visit https://bbossola.wordpress..
Recommended
More Related Content
Recently uploaded
Recently uploaded (20)
Featured
Featured (20)
Tools to create a secure pipeline
- 1. Tools to create a secure build pipeline Bruno Bossola
- 2. @bbossola About me ● Developer 1988+ ● XP coach 2000+ ● Co-founder Jug Torino
- 3. @bbossola Agenda ● Why do we need a security pipeline? ● Security tools: SAST, DAST, RASP, IAST ● Workshops: a closer look to the tools ● Q&A
- 4. @bbossola Why should we build a security pipeline?
- 5. @bbossola Fixing problems early ● a security problem is a bug ● the late we fix a bug, the more costly it is ● the cost of a bug found in production is 30 times more expensive! ● Recalling cars anyone? Minimizing Code Defects to Improve Software Quality and Lower Development Costs. IBM, 2008
- 6. @bbossola Isn't this just an insurance policy? ● Well, in a sense. What about... yup, sometimes is more expensive than 30 times!
- 7. @bbossola If cars were built like applications... “Cars would have no airbags, mirrors, seat belts, doors, roll-bars, side-impact bars, or locks, because no-one had asked for them. But they would all have at least six cup holders.” The OWASP foundation - “Integration into the SDLC”
- 8. @bbossola If cars were built like applications... “Many safety features originally included might be removed before the car was completed, because they might adversely impact performance.” The OWASP foundation - “Integration into the SDLC”
- 9. @bbossola If cars were built like applications... “A MOT inspection would consist of counting the wheels and making recommendations on wheel quantity.” The OWASP foundation - “Integration into the SDLC”
- 12. @bbossola The families of security tools Requirements Design Coding Testing Evaluation LIVE Planning SAST IAST DAST RASP Security, please!
- 13. @bbossola SAST tools ● Static Application Security Testing ● Tools that statically analyse the code base to find security flaws ● Either source code or compiled code ● Three families: – Static Code Analysis – Static Dependency Analysis (or Static Component Analysis) – Sensitive Information Scanners
- 14. @bbossola SAST sub-families ● Static Code Analysis – Analysis of the sources or the binaries
- 15. @bbossola SAST sub-families ● Static Code Analysis – Analysis of the sources or the binaries ● Static Dependency Analysis (or Static Component Analysis) – 20% of the code is your code – 80% of code comes from external libraries ● better check it, yeah? WARNING!!! SHAMELESS PLUG HERE!
- 16. @bbossola SAST sub-families ● Static Code Analysis – Analysis of the sources or the binaries ● Static Dependency Analysis (or Static Component Analysis) – 20% of the code is your code – 80% of code comes from external libraries ● Sensitive Information Scanners – Any AWS key committed in your repo? – What about the commit comments?
- 17. @bbossola DAST tools ● Dynamic Application Security Testing ● Testing an application in an operating state – uses fault injection techniques – automated black box testing ● Interacts with exposed interfaces – HTML – APIs – Other specific protocols
- 18. @bbossola RASP tools ● Run-time Application Self-Protection ● an agent is embedded into the application – usually “melted” through code instrumentation ● it analyses the application behaviour ● a RASP can: – shutdown a user session – stop executing the application – deploy code fixes at runtime – provide detailed reports and runtime monitoring
- 19. @bbossola IAST tools ● Interactive Application Security Testing ● As RASP they embed an agent in the application ● However they are not used in production ● It's a testing tool, not a security tool
- 20. @bbossola Anything else? ● WAF – Web Application Firewalls – a perimeter control solution – basicallly a reverse proxy – applies a set of rules to an HTTP conversation – cover common attacks such as cross-site scripting (XSS) and SQL injection
- 22. @bbossola Workshop time! ● Get your computer ● Make sure your internet connection works :)
- 23. @bbossola A closer look to SAST tools ● Static Code Analysis – PMD – Spotbugs – Errorprone
- 24. @bbossola A closer look to SAST tools ● Static Dependency Analysis (or Static Component Analysis) – dependency-check – meterian WARNING!!! SHAMELESS PLUG HERE!
- 25. @bbossola A closer look to SAST tools ● Sensitive Information Scanners – gitleaks – trufflehog ● Mentioned: – git-secrets – gitrob
- 26. @bbossola A closer look to a RASP tool ● An opensource RASP tool – OpenRASP
- 27. @bbossola Q&A
Editor's Notes
- Introduce meterian clearly“we help companies to ship software without vulnerabilities” startup, I am a cofounder with Vivian (PM)
- Let's look at a simple SQL injection example. A naive application simply has no defense and gets exploited. An application that uses PreparedStatements is safe against injection, but has no idea whether it is being attacked or not. Let's see how this works with RASP. I'm describing Contrast's instrumentation approach here. First, the RASP is installed into the application. In this case, simply adding the RASP agent to the environment is enough. When the code loads, the RASP uses dynamic binary instrumentation to add new security sensors and analysis capability to the application. When the attack arrives at the application, RASP uses gathers data about the request, the user, the session, and any other contextual information. The attacker's request data is tracked through the application. If it looks like an attack, but never reaches a SQL query, it gets reported as a probe. This is a major difference from what a WAF can do, as WAFs are not able to see what happens inside the application and must overblock. If the attack actually reaches a SQL query and modifies the meaning of that query, only then does RASP block the attack. This is essentially enforcing the definition of SQL Injection, as only attacks that successfully modify the meaning of SQL queries are blocked. This is why RASP implementation can be deployed without much configuration or training