Vulnerabilities Are Bugs, Let's Test for Them!

1. Title
Vulnerabilities Are Bugs, Let's Test for Them!
VAddy, Continuous Security Testing Service
Bitforest Co., Ltd.
Yasushi Ichikawa
Copyright (c) Bitforest Co., Ltd.
2. Web Security Tests
• White-box testing
  • Analyze source code (e.g. with brakeman)
• Black-box testing
  • Send HTTP requests with attack payloads and check responses
  • Examples: VAddy, OWASP ZAP, AppScan
3. Current Issues with Web Security Tests
[Diagram: Development team: Coding → Unit tests → Integration tests; External security firm / Internal security team: Vulnerability assessment; Development team: Revisions → Release]
Current practice is to conduct only one vulnerability assessment prior to release!
• If a large number of vulnerabilities are found immediately before release, they will have a big impact on the release schedule
• From both a time and cost perspective, it is difficult to conduct vulnerability assessments for every revision and new feature introduced after an application is released
4. Current Issues with Web Security Tests
[Scenario: Using a Security Firm]
Cost: Thousands of dollars (or more)
Duration: Over one week until the results of an investigation are delivered
This is difficult to do continuously
5. We need continuous security tests
6. Run from the beginning of development until release, just like unit tests
7. What Are Continuous Web Security Tests?
[Diagram, current practice: Development team: Coding → Unit tests → Integration tests; External security firm / Internal security team: Vulnerability assessment; Development team: Revisions → Release]
[Diagram, continuous security tests: Development team: Coding → Unit tests → Integration tests → Release, with vulnerability assessments run throughout]
Development teams can run security tests as often as they like.
8. Issues with Continuous Web Security Tests
• Existing scanning tools
  • are difficult to add to continuous integration workflows
  • cost both time and money to set up and maintain yourself
  • have many settings and require accumulated expertise
9. Important Points
It's important to tell your scanning tools how your web application works
10. Important Points
For example: if, while testing an authenticated page, the scanner's session expires and it is returned to the login screen, the scanner has to recognise the login screen, log in again and continue testing the page it was on
11. Important Points
You need to configure your tools to behave appropriately when their sessions expire and they are logged out
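To make the black-box loop from slide 2 and the session-expiry handling from slides 10 and 11 concrete, here is an added example written for this page (it is not VAddy's code and not from the original deck): a minimal scanner that sends attack payloads, checks responses for database error text, and, when the target answers with a redirect to the login screen, logs back in and replays the interrupted request. The target is a constructed in-memory fake app; its paths (/login, /search, /profile), parameters (ID, name), the credentials and the payload list are all assumptions for the demo.

```python
"""
Added example (not VAddy's code, not from the slides): a minimal black-box
scanner with re-login on session expiry. Every path, parameter, credential
and payload below is an assumption for this demo.
"""
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    body: str
    location: str = ""    # redirect target when status is 302
    set_cookie: str = ""  # session token handed out by /login


class FakeApp:
    """Constructed target. A session is good for MAX_REQUESTS requests, then
    every further request redirects to /login, which is what forces the
    scanner to re-authenticate in the middle of a scan."""
    MAX_REQUESTS = 3
    CREDS = ("tester", "tester-pass")  # assumed demo credentials

    def __init__(self):
        self._sessions = {}  # token -> requests remaining
        self._next_id = 0
        self.logins = 0

    def login(self, user, password):
        self.logins += 1
        if (user, password) != self.CREDS:
            return Response(401, "bad credentials")
        self._next_id += 1
        token = f"sess-{self._next_id}"
        self._sessions[token] = self.MAX_REQUESTS
        return Response(200, "ok", set_cookie=token)

    def get(self, path, params, cookie):
        # Missing or expired session: bounce to the login screen (slide 10).
        if self._sessions.get(cookie, 0) <= 0:
            self._sessions.pop(cookie, None)
            return Response(302, "", location="/login")
        self._sessions[cookie] -= 1
        if path == "/search":
            # Stands in for a handler that concatenates ID into SQL: a quote
            # breaks the statement and the DB error leaks into the response.
            if "'" in params.get("ID", ""):
                return Response(500, "SQL syntax error near \"'\"")
            return Response(200, "results for " + params.get("ID", ""))
        if path == "/profile":
            return Response(200, "profile name=" + params.get("name", ""))
        return Response(404, "not found")


SQLI_PAYLOADS = ["'", "' OR '1'='1"]  # small constructed payload set
ERROR_MARKERS = ("sql syntax", "sqlite", "mysql", "odbc")


class Scanner:
    def __init__(self, app, user, password):
        self.app, self.user, self.password = app, user, password
        self.cookie = None
        self.relogins = 0  # how often a session expired mid-scan

    def _login(self):
        r = self.app.login(self.user, self.password)
        if r.status != 200:
            raise RuntimeError("login failed; cannot continue the scan")
        self.cookie = r.set_cookie

    def _request(self, path, params):
        """Send one request. If the app answers with a redirect to the login
        screen, log in again and replay the same request so the scan carries
        on instead of treating the login page as the page under test."""
        if self.cookie is None:
            self._login()
        r = self.app.get(path, params, self.cookie)
        if r.status == 302 and r.location == "/login":
            self.relogins += 1
            self._login()
            r = self.app.get(path, params, self.cookie)
        return r

    def scan(self, targets):
        """targets: list of (path, {param: benign value}).
        Returns findings as (type, path, param) tuples, the same three
        columns a results list reports."""
        findings = []
        for path, params in targets:
            if self._request(path, params).status >= 500:
                continue  # page already errors without a payload; skip it
            for param in params:
                for payload in SQLI_PAYLOADS:
                    attack = dict(params, **{param: params[param] + payload})
                    r = self._request(path, attack)
                    body = r.body.lower()
                    if r.status >= 500 or any(m in body for m in ERROR_MARKERS):
                        findings.append(("SQL injection", path, param))
                        break  # one hit per parameter is enough
        return findings


def run_demo():
    app = FakeApp()
    scanner = Scanner(app, *FakeApp.CREDS)
    targets = [("/search", {"ID": "1"}), ("/profile", {"name": "alice"})]
    findings = scanner.scan(targets)
    return findings, scanner.relogins


if __name__ == "__main__":
    print(run_demo())
```

With a session good for three requests, the fake app logs the scanner out while it is still fuzzing /profile; the scanner notices the redirect, logs in once more and replays the request, so the run finishes with one finding (SQL injection in parameter ID at /search) and one re-login rather than a pile of false "login page" results. The same detection-and-replay logic is what you have to configure, or have the tool learn, for a real scanner.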
12. Issues with Continuous Web Security Tests
Scanning tools aren't very effective unless you continue to learn how to configure them
This keeps you from focusing on business-critical software development
14. Continuous Web Security Testing Service
Vulnerability Assessment is your Buddy
15. Continuous Web Security Testing Service
http://vaddy.net
16. VAddy's Features
• No tool to install (SaaS)
• Unlimited free scanning
• Support for continuous integration
  • Web API
  • Jenkins plugin
  • Works with Travis, CircleCI, etc.
17. Common Configurations
18. VAddy's Features
VAddy can figure out how your application works and scan it correctly without any special settings
19. VAddy's Policy
Software developers should focus on software development!
20. VAddy's Features
Proprietary security scanning engine that uses machine learning
21. VAddy's List of Scan Results
22. Types of Vulnerabilities and Vulnerable Parameters
You can see the type of vulnerability (e.g. SQL injection) that was found, along with the vulnerable URL and parameter name. This example shows a SQL injection vulnerability in the parameter "ID" used at the URL "search", so you can figure out which lines of code are at fault.
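The kind of code such a finding points at, beside its fix, as an added example for this page (not from the slides and not VAddy's code): a search handler that pastes the ID parameter into the SQL text, the payloads a scanner would send against it, and the parameterised version that shrugs them off. The items table, the two search functions and the payload strings are assumptions for the demo; sqlite3 in memory keeps it runnable offline.

```python
"""
Added example (not from the slides, not VAddy's code): the at-fault line behind
a "SQL injection in parameter ID at URL search" finding, and its fix. Table,
functions and payloads are assumptions for this demo.
"""
import sqlite3


def make_db():
    """Constructed sample data: two of the three rows are meant to stay hidden."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, name TEXT, secret INTEGER)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?, ?)",
        [(1, "public-doc", 0), (2, "internal-memo", 1), (3, "salary-sheet", 1)],
    )
    return conn


def search_vulnerable(conn, item_id):
    """The line at fault: the ID request parameter is pasted into the SQL text."""
    sql = f"SELECT name FROM items WHERE id = {item_id} AND secret = 0"
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn, item_id):
    """Fix: validate the parameter, then bind it; the value is data, never SQL."""
    if not item_id.isdigit():
        raise ValueError("ID must be a positive integer")
    rows = conn.execute(
        "SELECT name FROM items WHERE id = ? AND secret = 0", (int(item_id),)
    )
    return [row[0] for row in rows]


def demo():
    conn = make_db()
    benign = search_vulnerable(conn, "1")  # normal use: ['public-doc']
    # Payload a scanner might send: the comment marker drops the secret filter,
    # so the hidden rows come back too.
    leaked = search_vulnerable(conn, "1 OR 1=1 --")
    # A lone quote breaks the statement; the database error text is what an
    # error-based black-box check looks for in the HTTP response.
    try:
        search_vulnerable(conn, "1'")
        error = None
    except sqlite3.OperationalError as exc:
        error = str(exc)
    fixed = search_fixed(conn, "1")
    try:
        search_fixed(conn, "1 OR 1=1 --")
        rejected = False
    except ValueError:
        rejected = True
    return benign, leaked, error, fixed, rejected


if __name__ == "__main__":
    print(demo())
```

Reproducing the scanner's request against the vulnerable function is what turns the report line (type, URL, parameter) into a concrete line of code to change; after the fix, the same payloads are either rejected by validation or bound as a plain value and return nothing extra.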
23. Request Data for Reproducing Attacks
VAddy shows you the request data it sent, so you can reproduce the attack in your own development environment