Build secure!

Stefan Hildebrandt / @hildebrandttk

me

• from Oldenburg (Oldb)
• married, 3 kids
• agile software developer
  • business analysis
  • coding
  • testing
  • operations
• 10+ years in it
• co-lead der JUG Bremen/Oldenburg

intro

Pen(etration) testing

process testing an system for vulnerabilities

1. Find an exploitable vulnerability
2. Design an attack around it
3. Test the attack
4. Seize a line in use
5. Enter the attack
6. Exploit the entry for information recovery

traditional security process

1. create spec
   • create security spec (most time optional)
2. develop app (don't care about security)
3. test app
   • some external pen tester tests security
4. do a lot of security fixes
5. be a little bit late
6. approved for train stations and airports a well

faster release cycles

more speed

• no waterfall process like before
• no security testing?
• continuous manual pen testing?
• continuous automated testing
• ... AND manual pen testing from time to time?

alignment

THREAT MODELING

• risk base security concept development
  • Where are the high-value assets?
  • Where am I most vulnerable to attack?
  • What are the most relevant threats?
  • Is there an attack vector that might go unnoticed?
• with all players in your business!
• Microsoft Threat Modeling Tool 2016

parameters

• financial loss
  • direct
  • monetary fine
  • share holder value
• reputation loss
• laws (for example BDSG, §203 StGB)

target:

make hacking more expensive then
possible return for attacker

Common Weakness Enumeration

• long lists of problems and attacks
• rated top 25

OWASP Top 10

1. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards

OWASP Proactive Controls Top 10

1. Verify for Security Early and Often
2. Parameterize Queries
3. Encode Data
4. Validate All Inputs
5. Implement Identity and Authentication Controls
6. Implement Appropriate Access Controls
7. Protect Data
8. Implement Logging and Intrusion Detection
9. Leverage Security Frameworks and Libraries
10. Error and Exception Handling

build security integration

low hanging fruits

build security integration

catch them in the early beginning

Static Library Checks

Motivation

• very low hanging
• simple task
  • check all dependencies against security vulnerability databases
• high potential

Static Library Checks

Example: commons-collections

• remote code execution
• affected: 3.x < 3.2.2
• 3.2.2 released in november 2015
• affected: WebSphere, JBoss, Jenkins, WebLogic, and OpenNMS
• for some weeks on every tech news site

OWASP dependency check

• Support for Java and .NET
• experimental support for Ruby, Node.js and Python
• maven and gradle plugin

OWASP dependency check

example

OWASP dependency check

conclusion

• quality of base data
  • false positives
• initial data retrieval
  • require some attention (proxy, cache directory)
• manual interpretation of result required
• good alarming

github

• dependency graph
  • with security alerts
• Ruby or JavaScript Support (at the moment)

Docker Trusted Repository

• analyse all layers of all containers
  • focus: operating system libraries
• configurable actions on this database

Nexus IQ Server

• stop risky components from entering software supply chain
• audit software

Nexus Repository health check

• security and licence reports based on Sonatype’s data services (SDS)
• based on full proxy content
  • central risk management
  • no direct link to affected builds

[:] SourceClear

• cloud based
• AI
  • scanning of open sources repos
• validated database
• free hobby plan (many limitations)
• cloud & hybrid on-premises ($$)

version eye

• cloud based database
• validated database
• maven plugin
• on-premises possible ($$)
• service discontinued on end of 2017

Find Security Bugs

• a findbugs plugin
• support over 100 security bug patterns
• maven/gradle/ide as frontend
  • suppression handling in codebase for false positives

retire.js

• javascript security scanner
• support for many javascript libraries
• some of the latest frameworks are missing

SonarQube

• some security checks in normal check base
• security checks must not follow the "no false positives"-Rule
  • manual reviewing and flagging required
• reporting and flagging in web interface
• support for java, jsp, C#, javascript, php
• java: findbugs rules with different (most times better) results

SonarQube

example

ZAP Proxy

• proxy mode:
  • passive analyses
  • training for navigation
• discover
  • classic roboter
  • ajax spider (based on full browser)
• attacks
  • forced scanning
  • fuzzing

ZAP Proxy

example

ZAP Proxy

build integration

• maven plugin
• jenkins plugin
• standalone workflow:
  • setup project with ui
  • scan app

ZAP Proxy

integrate with automated UI Tests

• spider is limited
  • passive scan
  • use ui tests as base for attacks

ZAP Proxy

api

• script your full attack setup
  • powerful cli
  • REST API
• ...

Arachni

• powerful automated tests
• proxy only for login and initial training
• powerful cli
• ruby based
  • extended scriptability
• no integration with java workflows

fuzzapi

• pen testing REST-Services

burp

• very good tool for manual pen testing
• some support for automation and regression (not in free edition)

(Auto) Nessus

• focus on general port tests

BDD Security

• create bdd description for security tests
• use tools like ZAP
• integrate setup of tools and applications with selenium, ...
• result uses junit frontend

applications in production

ensure for deployed environments

• some systems are deployed for weeks or months without update
• library and operation system:
  • execute checks on separated ci jobs for deployed versions
• monitor docker trusted repository with test container instantiations

conclusion

• security is a process
• tools didn't replace any security specialist
  • tools are only an add-on
  • but help to focus on more sophisticated tests
• security testing within an docker enviroment is nice

next steps

• password security
• signing artifacts
• intrusion detection
• adapted monitoring
• application intrusion detection
• ...

Slides

Stefan Hildebrandt - consulting.hildebrandt.tk

• Beratung, Coaching und Projektunterstützung
• Java EE
• Buildsysteme gradle und maven/ant-Migration
• Testautomatisierung
• Coach in agilen Projekten
• DevOps

Links

• OWASP WebGoat Project
• easybuggy app
• easybuggy app with examples
• Library Checks
• javascript dangerous functions
• pen testing rest
• Security DevOps - Free pentesters' time to focus on high-hanging fruits