Vulnerabilities Are Bugs, Let's Test for Them!

VAddy Continuous Security Testing Service

Bitforest Co., Ltd., Yasushi Ichikawa

Copyright (c) Bitforest Co., Ltd.


Web Security Tests

• White-box testing: analyze source code (e.g. with Brakeman)
• Black-box testing: send HTTP requests with attack payloads and check responses
  • Examples: VAddy, OWASP ZAP, AppScan


Current Issues with Web Security Tests

[Diagram: development flow. Development team: Coding → Unit tests → Integration tests. External security firm / internal security team: Vulnerability assessment. Development team: Revisions → Release.]

Current practice is to conduct only one vulnerability assessment prior to release.

• If a large number of vulnerabilities are found immediately before release, they will have a big impact on the release schedule
• From both a time and cost perspective, it's difficult to conduct vulnerability assessments for every revision and new feature introduced after an application is released


Current Issues with Web Security Tests

[Scenario: Using a Security Firm]
Cost: Thousands of dollars (or more)
Duration: Over one week until the results of an investigation are delivered

This is difficult to do continuously.


We need continuous security tests


Run from the beginning of development until release, just like unit tests


What Are Continuous Web Security Tests?

[Diagram: two development flows compared. Current practice: Development team: Coding → Unit tests → Integration tests; external security firm / internal security team: Vulnerability assessment; Development team: Revisions → Release. Continuous security tests: Development team: Coding → Unit tests → Integration tests → Release, with vulnerability assessments run throughout.]

Development teams can run security tests as often as they like.


Issues with Continuous Web Security Tests

• Existing scanning tools
  • are difficult to add to continuous integration workflows
  • cost both time and money to set up and maintain yourself
  • have many settings and require accumulated expertise


Important Points

It's important to tell your scanning tools how your web application works


Important Points

For example: if, while testing an authenticated page, your session expires and you are returned to the login screen, test the login screen and continue.


Important Points

You need to configure your tools to behave appropriately when their sessions expire and they are logged out.
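The scanner-side behaviour these three "Important Points" slides describe (notice the redirect back to the login screen, re-authenticate, then repeat the interrupted request), as an added example that is not VAddy's code and not part of the original deck. It assumes a constructed in-memory stand-in for the application under test (`FakeApp`), a form-login endpoint at `/login`, a session that expires after three requests, and constructed credentials and page paths; a real scanner would use an HTTP client against the target instead. Running it with re-login disabled shows the failure mode: every page after the expiry is recorded as a redirect, so nothing behind the login is actually tested.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumptions (constructed for this example, not taken from VAddy):
LOGIN_PATH = "/login"   # the application's form-login endpoint
SESSION_TTL = 3         # a session is expired after serving this many requests


@dataclass
class Response:
    status: int
    location: Optional[str] = None    # Location header on a 302
    set_cookie: Optional[str] = None  # session cookie issued on login
    body: str = ""


class FakeApp:
    """In-memory stand-in for the application under test (constructed).

    Every authenticated page redirects to LOGIN_PATH when the request carries
    no live session, or once the session has served SESSION_TTL requests.
    """

    def __init__(self, user: str, password: str) -> None:
        self.user, self.password = user, password
        self.sessions: Dict[str, int] = {}  # session id -> requests served
        self._issued = 0

    def request(self, method: str, path: str, cookie: Optional[str] = None,
                data: Optional[Dict[str, str]] = None) -> Response:
        if path == LOGIN_PATH and method == "POST":
            data = data or {}
            if data.get("user") == self.user and data.get("password") == self.password:
                self._issued += 1
                sid = f"sess-{self._issued}"
                self.sessions[sid] = 0
                return Response(302, location="/", set_cookie=sid)
            return Response(401)
        if cookie not in self.sessions or self.sessions[cookie] >= SESSION_TTL:
            self.sessions.pop(cookie, None)  # an expired session is discarded
            return Response(302, location=LOGIN_PATH)
        self.sessions[cookie] += 1
        return Response(200, body=f"authenticated page {path}")


class Scanner:
    """Scanner-side session handling: detect logout, re-authenticate, retry."""

    def __init__(self, app: FakeApp, creds: Dict[str, str], relogin: bool = True) -> None:
        self.app, self.creds, self.relogin = app, creds, relogin
        self.cookie: Optional[str] = None
        self.relogins = 0  # how many times the scan had to log in again

    def login(self) -> bool:
        r = self.app.request("POST", LOGIN_PATH, data=self.creds)
        if r.status == 302 and r.set_cookie:
            self.cookie = r.set_cookie
            return True
        return False

    @staticmethod
    def logged_out(r: Response) -> bool:
        # "Returned to the login screen": a redirect whose target is the login form.
        return r.status == 302 and r.location == LOGIN_PATH

    def fetch(self, path: str) -> Response:
        r = self.app.request("GET", path, cookie=self.cookie)
        if self.logged_out(r) and self.relogin:
            # Session expired mid-scan: test the login screen again, then
            # repeat the interrupted request instead of skipping the page.
            self.relogins += 1
            if not self.login():
                raise RuntimeError("re-authentication failed; aborting scan")
            r = self.app.request("GET", path, cookie=self.cookie)
        return r

    def scan(self, paths: List[str]) -> Dict[str, int]:
        """Return {path: HTTP status} for every page the scan visited."""
        if not self.login():
            raise RuntimeError("initial login failed")
        return {p: self.fetch(p).status for p in paths}


PAGES = ["/account", "/search", "/orders", "/profile", "/settings"]  # constructed targets
CREDS = {"user": "scanner", "password": "example-only"}                # constructed test account


def scan_with(relogin: bool) -> Tuple[Dict[str, int], int]:
    """Run the scan and return (statuses per page, number of re-logins)."""
    scanner = Scanner(FakeApp(CREDS["user"], CREDS["password"]), CREDS, relogin=relogin)
    statuses = scanner.scan(PAGES)
    return statuses, scanner.relogins


if __name__ == "__main__":
    print("with re-login:   ", scan_with(True))
    print("without re-login:", scan_with(False))
```

The check that matters for a continuous test is the one in `logged_out`: it encodes how this particular application signals an expired session. The slide's point is that the tool has to be told this (or, as later slides claim for VAddy, work it out itself), because a scanner that treats the redirect as a normal response reports the remaining pages as clean without ever having reached them.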


Issues with Continuous Web Security Tests

Scanning tools aren't very effective unless you continue to learn how to configure them.

This keeps you from focusing on business-critical software development.


• Simple setup
• Maintenance free
• Effective scanning
• CI cycle automation


Continuous Web Security Testing Service

Vulnerability Assessment is your Buddy


Continuous Web Security Testing Service

http://vaddy.net


VAddy's Features

• No tool to install (SaaS)
• Unlimited free scanning
• Support for continuous integration
  • Web API
  • Jenkins plugin
  • Works with Travis, CircleCI, etc.


Common Configurations


VAddy's Features

VAddy can figure out how your application works and scan it correctly without any special settings


VAddy's Policy

Software developers should focus on software development!


VAddy's Features

Proprietary security scanning engine that uses machine learning


VAddy’s List of Scan Results


Types of Vulnerabilities and Vulnerable Parameters

You can see the type of vulnerability (e.g. SQL injection) that was found along with the vulnerable URL and parameter name. This example shows that there is a SQL injection vulnerability in the parameter "ID" used at the URL "search", so you can figure out which lines of code are at fault.


Request Data for Reproducing Attacks

VAddy shows you the request data it sent so you can reproduce the attack in your own development environment


Currently Supported Scans (SQLi, XSS)

• GET/POST/PUT/DELETE parameters
• REST APIs with JSON parameters
• Parameters in URL paths
  • www.example.com/item/view/1
• Form authentication (login screens)
• CSRF tokens (including Angular.js)
• SSL applications


Continuous security tests are an up-and-coming trend in software development


Contacts

Twitter: @vaddy_support
Email: [email protected]


http://vaddy.net