
Jason Kent - AppSec Without Additional Tools


Page 1: Jason Kent - AppSec Without Additional Tools

AppSec Without Additional Tools

How to get more out of the things you already have.

Page 2: Jason Kent - AppSec Without Additional Tools

whoami

Jason Kent

• Principal Security Consultant – AsTech Consulting

• Tools

• Process

• Secure SDLC

• Various Security Topics Training

• Wireless Sec, Infra Sec

• DIY Enthusiast – CIF member

Page 3: Jason Kent - AppSec Without Additional Tools

Agenda

• Tools – Dynamic Analysis, Static

• Extending

• Meaningful Testing - QA

• Finding the attacker

• Successes

Page 4: Jason Kent - AppSec Without Additional Tools

THEME

INTEGRATE ALL OF THE THINGS!!!

Page 5: Jason Kent - AppSec Without Additional Tools

Items Required

Someone with scripting knowledge in Perl, Python, whatever.

A desire to have your tools connect and function as a system.

Someone to architect the thing.

Page 6: Jason Kent - AppSec Without Additional Tools

Dynamic Scanning

Dynamic Analysis occurs on a web application that is running.

• Can be used to tune a WAF

• Can be used to test security configurations

• Verify parameter security

• Best used for finding new attack vectors

Usually owned by infrastructure security group

• Often no good feedback loop into Dev

• Production is OFTEN too late

Page 7: Jason Kent - AppSec Without Additional Tools

Dynamic Scanning Products

HP, IBM, Acunetix, Veracode, Qualys WAS, W3AF, NTO Spider, Iron Wasp, THERE ARE OVER 50 OF THEM!!!

How do you know where to start? http://www.sectoolmarket.com/

Page 8: Jason Kent - AppSec Without Additional Tools

Dynamic Scanning – Best Practice

• Scan QA environment as well as Production

• Be permissive with the scanner, let it in

• Send the results to DEV via bug reporting process

• Instrument ThreadFix

Page 9: Jason Kent - AppSec Without Additional Tools

Dynamic Scanning – WAF Tuning

• Most DAST vendors output XML

• WAF vendors usually work with the DAST vendor

• ModSecurity WAF rule generator (Commercial Version)

Diagram: the dynamic scan sends the probe ?name=<script>alert({token})</script> to the application server; the scanner's XML data stream goes to the WAF, which ends up with a rule for param "name": {'/^[a-zA-Z]+$/'}
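The slide sketches the loop: the scanner proves a parameter is attackable, its XML report carries the parameter name, and the WAF receives a positive-validation rule for that parameter. The script below is an added example written for this page, not code from the talk or from any DAST or WAF vendor. It assumes a constructed, minimal XML schema (real scanners each have their own), a hypothetical mapping from "what the parameter should accept" to a regex, and hypothetical ModSecurity rule ids; the SecRule syntax itself (ARGS:name, !@rx, phase/deny/status actions) is standard ModSecurity.

```python
import re
import xml.etree.ElementTree as ET

# Constructed scanner output. Every DAST vendor has its own XML schema, so this
# is a minimal stand-in with just the fields a rule generator needs.
SAMPLE_DAST_XML = """<?xml version="1.0"?>
<scan>
  <finding id="1" type="XSS">
    <url>/search</url>
    <param>name</param>
    <payload>&lt;script&gt;alert(1)&lt;/script&gt;</payload>
    <expected>alpha</expected>
  </finding>
  <finding id="2" type="SQLi">
    <url>/item</url>
    <param>id</param>
    <payload>1' OR '1'='1</payload>
    <expected>numeric</expected>
  </finding>
</scan>
"""

# Positive validation: what the parameter is allowed to look like. The scanner
# says which parameter broke; the app's own contract says what it should accept.
# The slide used ^[a-zA-Z]+$ for "name". (Hypothetical mapping.)
TYPE_PATTERNS = {
    "alpha": r"^[a-zA-Z]+$",
    "numeric": r"^[0-9]+$",
}


def parse_findings(xml_text):
    """Pull id, type, url, param, payload and expected class out of each <finding>."""
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.findall("finding"):
        findings.append({
            "id": node.get("id"),
            "type": node.get("type"),
            "url": node.findtext("url"),
            "param": node.findtext("param"),
            "payload": node.findtext("payload"),
            "expected": node.findtext("expected"),
        })
    return findings


def modsec_rule(finding, rule_id):
    """Emit one ModSecurity SecRule that denies the request when the named
    argument does NOT match its allowlist pattern (the !@rx operator)."""
    pattern = TYPE_PATTERNS[finding["expected"]]
    return (
        f"SecRule ARGS:{finding['param']} \"!@rx {pattern}\" "
        f"\"id:{rule_id},phase:2,deny,status:403,"
        f"msg:'DAST finding {finding['id']} ({finding['type']}) on {finding['url']}'\""
    )


def generate_rules(xml_text, base_id=100000):
    """One rule per finding. The ids are hypothetical; a real deployment would
    allocate them from the WAF team's reserved range."""
    return [modsec_rule(f, base_id + i)
            for i, f in enumerate(parse_findings(xml_text), start=1)]


def would_block(finding, value):
    """Mirror of the rule logic, for checking a candidate pattern before it is
    pushed to the WAF: True when the allowlist rejects the value."""
    return re.fullmatch(TYPE_PATTERNS[finding["expected"]], value) is None


if __name__ == "__main__":
    for rule in generate_rules(SAMPLE_DAST_XML):
        print(rule)
    xss = parse_findings(SAMPLE_DAST_XML)[0]
    print("scanner payload blocked:", would_block(xss, xss["payload"]))
    print("benign value blocked:", would_block(xss, "Jason"))
```

The would_block check is the part worth keeping: run each generated pattern against the scanner's own payload and against a sample of known-good production values before the rule goes live, because an allowlist that is too tight (a "name" field that rejects hyphens or spaces) blocks real users just as reliably as it blocks the probe.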

Page 10: Jason Kent - AppSec Without Additional Tools

Dynamic Scanning

• Do you have a DAST scanner?

• Do you have a WAF?

• Do you have a way to send findings to DEV?

• ThreadFix it and forget it

Page 11: Jason Kent - AppSec Without Additional Tools

Static Analysis

Static Analyzers look at either source code or a deployable binary/byte code set.

• Typically run late in the development process

• Results aren’t well understood

• False Positives

Page 12: Jason Kent - AppSec Without Additional Tools

Static Analysis – Best Practice

• Embed code analysis tool in SDLC

• IDE Integration

• Build Tool Integration

• Defect Tracking Integration

• Analyze Source Code Repo

• Look for Open Source

• Track Versions

Diagram: Write code → Scan code → Deploy code → Fix code

Page 13: Jason Kent - AppSec Without Additional Tools

Static Analysis – example

Continuous integration is the goal. One way to achieve this is via IDE integration.

It is also possible to build this into the source CI where the repo has a build path including running the build through a scanner via a build step and publishing findings in the defect tracking system.

I call upon Demo Cthulhu to allow for my computer to survive this demo.
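What the build-step integration above has to do, once the scanner has run, is decide whether the build passes and turn findings into defect-tracker tickets without re-opening the same ticket on every commit. The script below is an added example for this page, not code from the talk or from any scanner or tracker. It assumes a constructed JSON results shape (real SAST tools emit their own XML, JSON or SARIF), a hypothetical severity ladder, and a fingerprint scheme of my own choosing; the ticket objects are plain dicts that a real pipeline would hand to the tracker's API.

```python
import hashlib
import json

# Constructed scanner output in a generic JSON shape; a stand-in for whatever
# the real tool writes into the build workspace.
SAMPLE_SCAN_JSON = json.dumps({
    "results": [
        {"rule": "sql-injection", "severity": "high", "file": "app/db.py",
         "line": 42, "message": "Query built by string concatenation"},
        {"rule": "weak-hash", "severity": "medium", "file": "app/auth.py",
         "line": 17, "message": "MD5 used for password storage"},
        {"rule": "unused-import", "severity": "low", "file": "app/util.py",
         "line": 1, "message": "Unused import os"},
    ]
})

# Hypothetical severity ladder; map the scanner's own levels onto it.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def load_findings(scan_json):
    return json.loads(scan_json)["results"]


def fingerprint(finding):
    """Stable key so a re-run does not open a duplicate ticket.
    The line number is left out on purpose: it shifts on unrelated edits,
    which would make every refactor look like a new finding."""
    key = f"{finding['rule']}|{finding['file']}|{finding['message']}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def new_tickets(findings, already_tracked):
    """Ticket payloads for findings whose fingerprint the tracker has not seen."""
    tickets = []
    for f in findings:
        fp = fingerprint(f)
        if fp in already_tracked:
            continue
        tickets.append({
            "fingerprint": fp,
            "title": f"[SAST] {f['rule']} in {f['file']}:{f['line']}",
            "severity": f["severity"],
            "body": f["message"],
        })
    return tickets


def build_should_fail(findings, threshold="high"):
    """Gate: any finding at or above the threshold fails the build."""
    return any(SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[threshold]
               for f in findings)


def run_gate(scan_json, already_tracked=frozenset(), threshold="high"):
    findings = load_findings(scan_json)
    return {
        "tickets": new_tickets(findings, already_tracked),
        "fail_build": build_should_fail(findings, threshold),
    }


if __name__ == "__main__":
    result = run_gate(SAMPLE_SCAN_JSON)
    for t in result["tickets"]:
        print(t["severity"].upper(), t["title"], t["fingerprint"])
    print("fail build:", result["fail_build"])
```

Start with the threshold set so that only the top severity fails the build and lower it as the backlog shrinks; a gate that breaks every build on day one gets switched off, which is the "results aren't well understood" failure the earlier slide describes.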

Page 14: Jason Kent - AppSec Without Additional Tools

QA

• This is probably the best SDL integration point for security testing

• QA speaks the language of broken software

• Security bugs can be treated like function bugs

Diagram: Submit code to QA → QA tests for function and security → QA reports errors

Page 15: Jason Kent - AppSec Without Additional Tools

QA Security Testing

• Education

• Secure coding training (same as dev)

• Detection of security flaws

• Security tools and their uses

• Instrumentation

• Defect Tracking

• Creating meaningful tests

Page 16: Jason Kent - AppSec Without Additional Tools

QA

Examples of Attack Proxy Testing in QA

Page 17: Jason Kent - AppSec Without Additional Tools

Logs

• All of the web application attacks live here

• Alerting on logs is quite simple

• Most organizations look at their logs as an artifact

Page 18: Jason Kent - AppSec Without Additional Tools

Logs

Why not use the logs as a “real time” alerting tool?

Diagram: Potential attacker "probes" application → Application logs the request → Log correlation picks up the "probe" → Security team alerted to threat

Page 19: Jason Kent - AppSec Without Additional Tools

Logs - Example

Let's take a quick look at a probe and what it will show in the logs. The example will be using Splunk, but it wouldn't take much to have a Python script monitor the logs and do the same.
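The Python-script version of that flow, as an added example for this page (not the Splunk demo from the talk and not anyone's production code): parse combined-format access-log lines, URL-decode the request before matching, tag each request with the probe types it resembles, and alert when one source crosses a threshold. The log lines are constructed (documentation-range addresses, made-up requests) and the three signatures are a deliberately small, hypothetical set; a real deployment would carry a much longer list and tune the threshold to its own traffic.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines in Apache/Nginx combined format; the addresses
# are documentation ranges and the requests are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2015:13:55:36 -0700] "GET /search?name=Jason HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2015:13:55:40 -0700] "GET /search?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2015:13:55:41 -0700] "GET /item?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2015:13:55:42 -0700] "GET /static/..%2F..%2Fetc/passwd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.20 - - [10/Oct/2015:13:56:01 -0700] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures of common application probes (hypothetical, minimal set). Matching
# runs on the URL-decoded request so %3Cscript%3E and <script> look the same.
PROBE_PATTERNS = {
    "xss": re.compile(r"<\s*script", re.I),
    "sqli": re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),
    "traversal": re.compile(r"\.\./"),
}


def parse_line(line):
    """Return the fields of one log line, plus the decoded request path,
    or None for a line that is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["decoded_path"] = unquote_plus(entry["path"])
    return entry


def classify(entry):
    """Names of every probe signature the decoded request matches."""
    return [name for name, pat in PROBE_PATTERNS.items()
            if pat.search(entry["decoded_path"])]


def find_probes(log_text):
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        kinds = classify(entry)
        if kinds:
            hits.append({"ip": entry["ip"], "ts": entry["ts"],
                         "path": entry["decoded_path"], "kinds": kinds})
    return hits


def alerts(log_text, threshold=2):
    """Group probes by source and alert once a source crosses the threshold:
    one odd request is noise, a burst of different probe types is a scan."""
    per_ip = defaultdict(list)
    for hit in find_probes(log_text):
        per_ip[hit["ip"]].append(hit)
    return {ip: hits for ip, hits in per_ip.items() if len(hits) >= threshold}


if __name__ == "__main__":
    for ip, hits in alerts(SAMPLE_LOG).items():
        kinds = sorted({k for h in hits for k in h["kinds"]})
        print(f"ALERT {ip}: {len(hits)} probes ({', '.join(kinds)})")
```

Two details carry most of the value. Decoding before matching is what catches the traversal line, whose slashes arrive as %2F and would slip past a raw-text match. Alerting per source rather than per line is what keeps the security team from being paged for every stray request; the threshold is the knob to tune against your own baseline.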

Page 20: Jason Kent - AppSec Without Additional Tools

Successes

• Financial organization went from covering “the most important apps” to “all apps”. Target proved the most important app is the one you missed.

• “Healthcare is often plagued by having to conform to policies, having security controls is important. Hooking your code up so it's constantly monitored drives the security costs down so the tools pay for themselves.” - Healthcare CISO

Page 21: Jason Kent - AppSec Without Additional Tools

Additional Items to Consider

Look at where your libraries come from. (Sonatype, Black Duck)

Have you thought about letting your devs make mistakes and using a technology like Prevoty to protect them?

Page 22: Jason Kent - AppSec Without Additional Tools

No matter how you build it…

Your DAST/SAST/SIEM/MEME vendor will probably not tell you; you need to find out whether their stuff works for you.

Spend a few $$ on pro-serve, whether from an independent or the vendor; it's well worth the money.

If you buy a widget, make the vendor train you on it every year.

Plug together all the things!!!

Page 23: Jason Kent - AppSec Without Additional Tools

Thank You

Jason Kent

[email protected]

+1.614.446.0870

@jkentakula