What are the families of tools used to secure your application? How are they placed in the SDLC process? What tools are available in the Java ecosystem? We will try to answer these questions through some basic explanation and a few live workshops!
Please note that this was a workshop and those are only the guiding slides: for detailed information about the session please visit https://bbossola.wordpress..
5. @bbossola
Fixing problems early
● a security problem is a bug
● the later we fix a bug, the more costly it is
● the cost of a bug found in production is 30 times more expensive!
● Recalling cars anyone?
Minimizing Code Defects to Improve Software Quality and Lower Development Costs. IBM, 2008
6. @bbossola
Isn't this just an insurance policy?
● Well, in a sense. What about...
yup, sometimes it is more than 30 times more expensive!
7. @bbossola
If cars were built like applications...
“Cars would have no airbags, mirrors, seat belts, doors,
roll-bars, side-impact bars, or locks, because no-one had
asked for them. But they would all have at least six cup
holders.”
The OWASP foundation - “Integration into the SDLC”
8. @bbossola
If cars were built like applications...
“Many safety features originally included might be removed
before the car was completed, because they might
adversely impact performance.”
The OWASP foundation - “Integration into the SDLC”
9. @bbossola
If cars were built like applications...
“A MOT inspection would consist of counting the wheels
and making recommendations on wheel quantity.”
The OWASP foundation - “Integration into the SDLC”
15. @bbossola
SAST sub-families
● Static Code Analysis
– Analysis of the sources or the binaries
● Static Dependency Analysis (or Static Component Analysis)
– 20% of the code is your code
– 80% of code comes from external libraries
● better check it, yeah?
WARNING!!! SHAMELESS PLUG HERE!
16. @bbossola
SAST sub-families
● Static Code Analysis
– Analysis of the sources or the binaries
● Static Dependency Analysis (or Static Component Analysis)
– 20% of the code is your code
– 80% of code comes from external libraries
● Sensitive Information Scanners
– Any AWS key committed in your repo?
– What about the commit comments?
17. @bbossola
DAST tools
● Dynamic Application Security Testing
● Testing an application in an operating state
– uses fault injection techniques
– automated black box testing
● Interacts with exposed interfaces
– HTML
– APIs
– Other specific protocols
18. @bbossola
RASP tools
● Run-time Application Self-Protection
● an agent is embedded into the application
– usually woven into the application through code instrumentation
● it analyses the application behaviour
● a RASP can:
– shut down a user session
– stop executing the application
– deploy code fixes at runtime
– provide detailed reports and runtime monitoring
19. @bbossola
IAST tools
● Interactive Application Security Testing
● As RASP they embed an agent in the application
● However they are not used in production
● It's a testing tool, not a security tool
20. @bbossola
Anything else?
● WAF – Web Application Firewalls
– a perimeter control solution
– basically a reverse proxy
– applies a set of rules to an HTTP conversation
– covers common attacks such as cross-site scripting (XSS) and SQL injection
Introduce Meterian clearly: “we help companies to ship software without vulnerabilities”. Startup, I am a cofounder with Vivian (PM).
Let's look at a simple SQL injection example. A naive application simply has no defense and gets exploited. An application that uses PreparedStatements is safe against injection, but has no idea whether it is being attacked or not. Let's see how this works with RASP. I'm describing Contrast's instrumentation approach here.
First, the RASP is installed into the application. In this case, simply adding the RASP agent to the environment is enough. When the code loads, the RASP uses dynamic binary instrumentation to add new security sensors and analysis capability to the application.
When the attack arrives at the application, the RASP gathers data about the request, the user, the session, and any other contextual information. The attacker's request data is tracked through the application. If it looks like an attack but never reaches a SQL query, it gets reported as a probe. This is a major difference from what a WAF can do: a WAF cannot see what happens inside the application, so it must overblock.
If the attack actually reaches a SQL query and modifies the meaning of that query, only then does the RASP block it. This is essentially enforcing the definition of SQL injection: only attacks that successfully modify the meaning of a SQL query are blocked. This is why a RASP implementation can be deployed without much configuration or training.
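The three behaviours above (naive concatenation gets exploited, PreparedStatements stay safe, a RASP blocks only when the input changes the query's meaning) as an added example that is not part of the workshop and is not Contrast's or Meterian's code. It uses Python and sqlite3 in place of Java/JDBC, and the sensor is a deliberately simplified stand-in for an agent's taint tracking: it tokenizes the assembled query and asks whether the untrusted data stayed inside a single literal.

```python
import re
import sqlite3

# Minimal SQL tokenizer: string literals (with '' escapes), words, -- comments,
# whitespace, single-character operators. Hypothetical helper, not a real agent.
_TOKEN = re.compile(r"'(?:[^']|'')*'|\w+|--[^\n]*|\s+|[^\s\w']")

def tainted_input_changes_query(prefix, untrusted, suffix):
    """RASP-style check: untrusted data is harmless only if, in the assembled
    query, it lies wholly inside one string literal or is exactly one number.
    Anything that spans token boundaries has changed the query's meaning."""
    sql = prefix + untrusted + suffix
    lo, hi = len(prefix), len(prefix) + len(untrusted)
    for m in _TOKEN.finditer(sql):
        if m.start() <= lo and hi <= m.end():          # one token covers the input
            tok = m.group()
            return not (tok.startswith("'") or (tok == untrusted and tok.isdigit()))
    return True                                         # input crosses token boundaries

# Constructed sample data for the demo
SCHEMA = "CREATE TABLE users(name TEXT, secret TEXT)"
ROWS = [("alice", "s3cr3t-a"), ("bob", "s3cr3t-b")]
PREFIX, SUFFIX = "SELECT secret FROM users WHERE name = '", "'"

def naive_lookup(conn, name):
    # Vulnerable: the input is spliced into the SQL text, no defense at all.
    return conn.execute(PREFIX + name + SUFFIX).fetchall()

def prepared_lookup(conn, name):
    # Safe: a placeholder keeps the input as data, but nothing reports the attempt.
    return conn.execute("SELECT secret FROM users WHERE name = ?", (name,)).fetchall()

def rasp_lookup(conn, name):
    # The naive query guarded by the sensor: block only when the meaning changes.
    if tainted_input_changes_query(PREFIX, name, SUFFIX):
        return "BLOCKED"
    return conn.execute(PREFIX + name + SUFFIX).fetchall()

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    payload = "' OR '1'='1"                            # classic tautology input
    return {
        "naive": naive_lookup(conn, payload),          # every secret leaks
        "prepared": prepared_lookup(conn, payload),    # no such user: empty result
        "rasp": rasp_lookup(conn, payload),            # meaning changed: blocked
        "rasp_legit": rasp_lookup(conn, "alice"),      # plain data passes through
    }

if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:>10}: {result}")
```

A real agent tracks taint through string operations rather than knowing the prefix and suffix up front, which is what lets it report a "probe" when a suspicious input ends up in a parameterized query instead of a concatenated one.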