Copyright (c) Bitforest Co., Ltd.
Vulnerabilities Are Bugs. Let's Test for Them!
VAddy Continuous Security Testing Service
Bitforest Co., Ltd. Yasushi Ichikawa
Web Security Tests
• White-box testing: analyze the source code (e.g. with Brakeman)
• Black-box testing: send HTTP requests with attack payloads and check the responses
  • Examples: VAddy, OWASP ZAP, AppScan
Current Issues with Web Security Tests
[Diagram: development team pipeline (coding → unit tests → integration tests → release), with a single vulnerability assessment by an external security firm or internal security team inserted just before release, followed by revisions]
Current practice is to conduct only one vulnerability assessment prior to release.
• If a large number of vulnerabilities are found immediately before release, they have a big impact on the release schedule.
• From both a time and cost perspective, it is difficult to conduct vulnerability assessments for every revision and new feature introduced after an application is released.
Current Issues with Web Security Tests
[Scenario: Using a Security Firm]
Cost: thousands of dollars (or more)
Duration: over one week until the results of an investigation are delivered
This is difficult to do continuously.
Run from the beginning of development until release, just like unit tests
What Are Continuous Web Security Tests?
[Diagram: current practice (coding → unit tests → integration tests → one vulnerability assessment by an external security firm or internal security team → release → revisions) compared with continuous security tests (the development team runs vulnerability assessments alongside coding, unit tests and integration tests, all the way to release)]
Development teams can run security tests as often as they like.
Issues with Continuous Web Security Tests
• Existing scanning tools:
  • are difficult to add to continuous integration workflows
  • cost both time and money to set up and maintain yourself
  • have many settings and require accumulated expertise
Important Points
It’s important to tell your scanning tools how your web application works
Important Points
For example: if, while testing an authenticated page, your session expires and you are returned to the login screen, the tool should log in again through the login screen and then continue the test.
Important Points
You need to configure your tools to behave appropriately when their sessions expire and they are logged out.
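The session-expiry situation described in the last three slides, as an added example that is not VAddy's code: a black-box scanner loop that recognises the redirect to the login form as "logged out", re-authenticates, and retries the request it was making instead of silently recording the login page as the result. The target application is constructed in-process so the example runs offline; its login URL, credentials, cookie name and three-request session lifetime are assumptions for this demo.

```python
"""Added example (not VAddy's code): a black-box scanner loop that notices when the
target has expired its session and logged the scanner out, re-authenticates through
the login form, and then retries the request it was making.  The target application
is constructed in-process so the example runs offline; the login URL, credentials,
cookie name and three-request session lifetime are all assumptions for this demo."""
from dataclasses import dataclass, field

LOGIN_URL = "/login"                                  # assumed location of the login form
CREDENTIALS = {"user": "tester", "pass": "secret"}    # assumed test account
SESSION_TTL = 3                                       # assumed: a session survives three requests


@dataclass
class Response:
    status: int
    location: str = ""                                # Location header on redirects
    body: str = ""
    set_cookie: dict = field(default_factory=dict)


class FakeApp:
    """Constructed stand-in for the application under test."""

    def __init__(self):
        self.sessions = {}      # session id -> requests remaining before expiry
        self.logins = 0

    def handle(self, method, path, cookies, form=None):
        if path == LOGIN_URL:
            if method == "POST" and form == CREDENTIALS:
                self.logins += 1
                sid = f"s{self.logins}"
                self.sessions[sid] = SESSION_TTL
                return Response(302, location="/", set_cookie={"sid": sid})
            return Response(200, body="<form action='/login'>...</form>")
        sid = cookies.get("sid")
        if self.sessions.get(sid, 0) <= 0:
            self.sessions.pop(sid, None)
            return Response(302, location=LOGIN_URL)   # expired: bounce to the login form
        self.sessions[sid] -= 1
        return Response(200, body=f"<h1>{path}</h1>")


class Scanner:
    """Keeps a cookie jar and re-authenticates whenever it is bounced to the login form."""

    def __init__(self, app):
        self.app = app
        self.cookies = {}
        self.relogins = 0

    def login(self):
        r = self.app.handle("POST", LOGIN_URL, self.cookies, CREDENTIALS)
        if not r.set_cookie:
            raise RuntimeError("login failed: no session cookie issued")
        self.cookies.update(r.set_cookie)

    @staticmethod
    def logged_out(r):
        # A redirect to the login page is the signal that the session is gone
        return r.status in (301, 302, 303, 307) and r.location.rstrip("/") == LOGIN_URL

    def get(self, path):
        r = self.app.handle("GET", path, self.cookies)
        if self.logged_out(r):
            self.relogins += 1
            self.login()
            r = self.app.handle("GET", path, self.cookies)   # retry; never skip the page
            if self.logged_out(r):
                raise RuntimeError(f"still unauthenticated after re-login: {path}")
        return r


def scan(paths):
    """Fetch every path once, logging back in as needed; returns statuses and re-login count."""
    scanner = Scanner(FakeApp())
    scanner.login()
    statuses = {p: scanner.get(p).status for p in paths}
    return statuses, scanner.relogins


if __name__ == "__main__":
    statuses, relogins = scan([f"/page{i}" for i in range(7)])
    print(statuses, "re-logins:", relogins)
```

With seven pages and a three-request session, the scanner is logged out twice and every page still ends up tested with status 200; a tool without this handling would have recorded the login form as the content of four of those pages.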
Issues with Continuous Web Security Tests
Scanning tools aren't very effective unless you continue to learn how to configure them.
This keeps you from focusing on business-critical software development.
• Simple setup
• Maintenance free
• Effective scanning
• CI cycle automation
Continuous Web Security Testing Service
Vulnerability Assessment is your Buddy
VAddy’s Features
• No tool to install (SaaS)
• Unlimited free scanning
• Support for continuous integration:
  • Web API
  • Jenkins plugin
  • Works with Travis, CircleCI, etc.
VAddy’s Features
VAddy can figure out how your application works and scan it correctly without any special settings.
VAddy’s Policy
Software developers should focus on software development!
VAddy’s Features
Proprietary security scanning engine that uses machine learning
Types of Vulnerabilities and Vulnerable Parameters
You can see the type of vulnerability (e.g. SQL injection) that was found, along with the vulnerable URL and parameter name. This example shows a SQL injection vulnerability in the parameter "ID" used at the URL "search", so you can work out which lines of code are at fault.
Request Data for Reproducing Attacks
VAddy shows you the request data it sent, so you can reproduce the attack in your own development environment.
Currently Supported Scans (SQLi, XSS)
• GET/POST/PUT/DELETE parameters
• REST APIs with JSON parameters
• Parameters in URL paths
  • www.example.com/item/view/1
• Form authentication (login screens)
• CSRF tokens (including Angular.js)
• SSL applications
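The black-box approach from the opening slide, the parameter positions listed just above (query string, JSON body, URL path), and the per-parameter finding with its replayable request described earlier, as one added example that is not VAddy's scanner or engine: a toy scanner that injects a SQL-error probe and an XSS reflection marker into each injection point of a constructed in-process application and reports (type, location, parameter, payload). The target's routes, sqlite schema, marker string, error regex and the hardened `/safe` twin of `/search` are assumptions for this demo.

```python
"""Added example (not VAddy's scanner or engine): a minimal black-box test that
injects payloads into query-string, JSON-body and URL-path parameters of a
constructed in-process application and reports findings as (vulnerability type,
location, parameter, payload).  The target's routes, schema, marker string and
error regex are assumptions for this demo."""
import json
import re
import sqlite3
from urllib.parse import parse_qs, quote, unquote, urlsplit

MARKER = "vaddyxss7"                        # constructed; unlikely to occur naturally
SQL_ERROR = re.compile(r"syntax error|unrecognized token|unterminated", re.I)


class FakeApp:
    """Constructed target: /search and /item/view/<id> build SQL by string
    concatenation, /api/items echoes a JSON field into HTML unescaped, and
    /safe is the hardened (parameterized) twin of /search."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE items (id INTEGER, name TEXT)")
        self.db.executemany("INSERT INTO items VALUES (?, ?)", [(1, "widget"), (2, "gadget")])

    def _query(self, sql, params=()):
        try:
            return 200, json.dumps(self.db.execute(sql, params).fetchall())
        except sqlite3.Error as e:          # leaking the DB error is what the probe detects
            return 500, f"Database error: {e}"

    def handle(self, method, url, body=None):
        parts = urlsplit(url)
        path = unquote(parts.path)
        qs = {k: v[0] for k, v in parse_qs(parts.query).items()}
        if path == "/search":
            return self._query("SELECT id, name FROM items WHERE name = '" + qs.get("q", "") + "'")
        if path == "/safe":
            return self._query("SELECT id, name FROM items WHERE name = ?", (qs.get("q", ""),))
        m = re.fullmatch(r"/item/view/(.*)", path, re.S)
        if m:
            return self._query("SELECT id, name FROM items WHERE id = " + m.group(1))
        if path == "/api/items" and method == "POST":
            name = json.loads(body).get("name", "")
            return 200, f"<p>Created item: {name}</p>"     # no HTML escaping
        return 404, "not found"


def probe_sqli(send):
    """Error-based check: a stray quote changes the status and surfaces a DB error."""
    base_status, _ = send("1")
    status, body = send("1'")
    return status != base_status and bool(SQL_ERROR.search(body))


def probe_xss(send):
    """Reflection check: the tagged marker comes back with its angle brackets intact."""
    _, body = send(f"<{MARKER}>")
    return f"<{MARKER}>" in body


def injection_points(app):
    """(location, parameter, sender) for each place a payload can be placed."""
    return [
        ("GET /search", "q", lambda p: app.handle("GET", "/search?q=" + quote(p, safe=""))),
        ("GET /safe", "q", lambda p: app.handle("GET", "/safe?q=" + quote(p, safe=""))),
        ("GET /item/view/<id>", "id (URL path)",
         lambda p: app.handle("GET", "/item/view/" + quote(p, safe=""))),
        ("POST /api/items", "name (JSON)",
         lambda p: app.handle("POST", "/api/items", json.dumps({"name": p}))),
    ]


def scan(app):
    """Run both probes against every injection point; each finding carries the
    exact payload so the request can be replayed in a development environment."""
    findings = []
    for location, param, send in injection_points(app):
        if probe_sqli(send):
            findings.append(("SQL injection", location, param, "1'"))
        if probe_xss(send):
            findings.append(("Reflected XSS", location, param, f"<{MARKER}>"))
    return findings


if __name__ == "__main__":
    for finding in scan(FakeApp()):
        print(*finding, sep=" | ")
```

Against this target the scanner reports SQL injection in `q` at `/search` and in the path segment of `/item/view/<id>`, and reflected XSS in the JSON field `name` at `/api/items`; the parameterized `/safe` route produces no finding, which is the difference a developer should see after fixing the lines the finding points at.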
Continuous security tests are an up-and-coming trend in software development