Interact Differently: Get More From Your Tools Through Exposed APIs
Transcript of Interact Differently: Get More From Your Tools Through Exposed APIs
Page 1
Aspect Security | 9175 Guilford Road, Suite 300 | Columbia, MD 21046 | www.aspectsecurity.com
Interact Differently: Get More from your Tools through Exposed APIs
OWASP LASCON
Austin, TX
Nov. 4, 2016
Page 2
Application security that just works
©2015 Aspect Security. All Rights Reserved 2
ABOUT ME
Kevin Fealey
Principal Consultant & Practice Lead, Automation & Integration Services
Never a “developer”
Key Interests:
• Process efficiency/effectiveness (Sec + Dev + Ops)
• Learning about cool tools
Page 3
SLIDES WILL BE AVAILABLE…
We may never finish…
https://www.linkedin.com/in/kfealey
http://www.slideshare.net/kfealey
Page 4
APPLICATION SECURITY LANDSCAPE
Page 5
APPLICATION SECURITY LANDSCAPE
None of these tools solve the whole application security problem on their own
Most of these tools provide or are a proprietary dashboard
Most of these tools do not import/export data in a format other tools can easily understand
Page 6
COMMON PROBLEMS INVOLVING APPSEC TOOLS
Page 7
FIRST WORLD PROBLEMS
• Manual Testers: I am wasting time searching for things tools can find
• Architects: I need to integrate X tool into my CI/CD pipeline
• Managers/Execs: I have X tools and Y dashboards, and none of them shows what I need
• Everyone: The reports from my tools suck
• Everyone: I have this data, but not in tool X’s format…
Page 8
AUTOMATE SIMPLE TESTING
• Manual Testers: I am wasting time searching for things tools can find
• Cross-domain configurations vs policy: CSP, Framing, etc.
• HTTPS page accessible via HTTP
• File metadata (ex. Exif data) scanner
• Obviously verbose error messages (ex. ORA-#####)
• PII displayed on screen (ex. SSN, CCs)
• Cookie security flags, cache controls, autocomplete enabled
• Outdated [JavaScript] libraries
• Insecure encryption algorithm/mode detected
• Hard-coded encryption key
• POST=GET
Page 9
AUTOMATE SIMPLE TESTING
• Manual Testers: I am wasting time searching for things tools can find
Page 10
AUTOMATE SIMPLE TESTING
• Manual Testers: I am wasting time searching for things tools can find
If a tool can find it quickly and with high accuracy, detection should be automated.
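As an added example (not code from the talk or any of the repositories it links), here is a Python check for a handful of the items on the earlier list, run over a constructed HTTP response: cookie Secure/HttpOnly flags, cacheable responses, autocomplete left on for password fields, verbose ORA-##### errors, and SSNs displayed on screen. The header and body values are made up for the example; a real run would feed it responses captured by a proxy or scanner.

```python
import re

# Constructed sample HTTP response (headers as (name, value) pairs, then body);
# not captured from any real application.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Cache-Control", "public, max-age=3600"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly"),
]
SAMPLE_BODY = """<html><body>
<form method="post" action="/login">
  <input type="text" name="user" autocomplete="off">
  <input type="password" name="pass" autocomplete="on">
</form>
<p>Error: ORA-00933: SQL command not properly ended</p>
<p>SSN on file: 123-45-6789</p>
</body></html>"""

INPUT_TAG_RE = re.compile(r"<input\b[^>]*>", re.I)
ORA_RE = re.compile(r"\bORA-\d{5}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def check_response(headers, body, over_https=True):
    """Return (check, detail) findings for the simple checks on the slide."""
    findings = []
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            attrs = {a.strip().split("=")[0].lower() for a in value.split(";")[1:]}
            if over_https and "secure" not in attrs:
                findings.append(("cookie-missing-secure", cookie))
            if "httponly" not in attrs:
                findings.append(("cookie-missing-httponly", cookie))
        elif lname == "cache-control" and "no-store" not in value.lower():
            findings.append(("cacheable-response", value))
    for tag in INPUT_TAG_RE.findall(body):
        if (re.search(r"type\s*=\s*[\"']?password", tag, re.I)
                and not re.search(r"autocomplete\s*=\s*[\"']?off", tag, re.I)):
            findings.append(("password-autocomplete-enabled", tag))
    for m in ORA_RE.finditer(body):
        findings.append(("verbose-db-error", m.group(0)))
    for m in SSN_RE.finditer(body):
        # Report the match masked so the finding itself does not leak the PII.
        findings.append(("pii-ssn-displayed", "***-**-" + m.group(0)[-4:]))
    return findings
```

Each finding is a (check, detail) pair, so the list can be pushed straight into whatever tracker or dashboard the tester already uses.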
Page 11
AUTOMATE SIMPLE TESTING
• Manual Testers: I am wasting time searching for things tools can find
Generally not a good idea
Allows login.jsp?username=hacked&password=whocares
Page 12
AUTOMATE SIMPLE TESTING
• Manual Testers: I am wasting time searching for things tools can find
Page 13
AUTOMATE SIMPLE TESTING
Page 14
AUTOMATE SIMPLE TESTING
Page 15
AUTOMATE TOOL EXECUTION
• Architects: I need to integrate X tool into my CI/CD pipeline
• When evaluating tools, consider if there is a CLI/SDK – even if you don’t plan to automate today
• Make integration as fool-proof as possible
Page 16
CUSTOM DASHBOARDS
• Managers/Execs: I have X tools and Y dashboards, and none of them shows what I need
Most dashboards have:
• Bulky installations
• Non-intuitive UIs
• Lack of flexibility for tracking metrics that matter to you
• Limited support for 3rd party tools
• Results from pen test and SAST don’t go in the same place
  • Unless it’s a huge, ugly spreadsheet
Page 17
CUSTOM DASHBOARDS
• Managers/Execs: I have X tools and Y dashboards, and none of them shows what I need
Page 18
CUSTOM DASHBOARDS
• Managers/Execs: I have X tools and Y dashboards, and none of them shows what I need
Page 19
CUSTOM DASHBOARDS
• Managers/Execs: I have X tools and Y dashboards, and none of them shows what I need
Page 20
CUSTOM REPORTS/VIEWS
• Everyone: The reports from my tools suck
• If the dashboard/view you want does not exist, have you tried to create it?
Page 21
GOTO: <CODE>
Page 22
CUSTOM REPORTS/VIEWS
• Everyone: The reports from my tools suck
• If the dashboard/view you want does not exist, have you tried to create it?
Page 23
CUSTOM TOOL INTEGRATIONS
• Everyone: I have this data, but not in tool X’s format…
Page 24
GOTO: <CODE>
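As an added example of such an integration (not code from the talk or its linked repositories), this Python script uses XPath over a constructed scanner report to flatten each issue/URL pair into newline-delimited JSON that a log shipper such as the ELK stack can index, mapping the scanner's severity names onto a numeric scale. The XML element names, the severity mapping and the tool name are assumptions made for the example, not any vendor's real schema.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample scanner report; the element and attribute names are an
# assumption for this example, not any vendor's real report format.
SAMPLE_REPORT = """<scan tool="exampleScanner" target="https://app.example">
  <issue severity="High" type="Cross-Site Scripting">
    <url>https://app.example/search?q=</url>
    <url>https://app.example/comment</url>
  </issue>
  <issue severity="Medium" type="Cookie without HttpOnly flag">
    <url>https://app.example/login</url>
  </issue>
  <issue severity="Informational" type="Server banner disclosed">
    <url>https://app.example/</url>
  </issue>
</scan>"""

# Scanner severity words mapped onto the numeric scale the receiving tool wants (assumed).
SEVERITY_MAP = {"high": 3, "medium": 2, "low": 1, "informational": 0}

def issues_to_records(report_xml, min_severity=0):
    """Flatten one record per (issue, url) pair using XPath on the scanner's XML."""
    root = ET.fromstring(report_xml)
    tool = root.get("tool", "unknown")
    records = []
    # XPath: every <issue> anywhere under the root that carries a severity attribute.
    for issue in root.iterfind(".//issue[@severity]"):
        severity = SEVERITY_MAP.get(issue.get("severity", "").lower())
        if severity is None or severity < min_severity:
            continue  # unknown severity word, or below the threshold we care about
        for url in issue.iterfind("./url"):
            records.append({"tool": tool, "issue": issue.get("type", ""),
                            "severity": severity, "url": (url.text or "").strip()})
    return records

def counts_by_severity(records):
    """Roll-up for a dashboard: {severity: number of affected URLs}."""
    counts = {}
    for r in records:
        counts[r["severity"]] = counts.get(r["severity"], 0) + 1
    return counts

def to_ndjson(records):
    """One JSON document per line, the shape a log shipper can index directly."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)
```

Swapping in another tool's report only means changing the XPath expressions and the severity map; the records and the roll-up stay the same shape for the dashboard.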
Page 25
I’M ON BOARD… HOW DO I BEGIN?
Page 26
GETTING STARTED
Have an idea
• Doesn’t have to be a good idea
Clone an existing plugin/configuration
• Use existing parsers
Use:
• Vendor documentation
• Mailing lists
• Dev forums
• Blog posts
Page 27
KEY TAKEAWAYS
You have the power to solve your own problems
• It’s probably easier than you think
Don’t start from scratch
XPath is beastmode
Contribute your stuff to GitHub so I can use it
Page 28
CODE FROM TODAY
https://github.com/aspectsecurity/ImageLocationScanner
https://github.com/kevinfealey/PMDRuleForLASCON2016
https://github.com/kevinfealey/PMDCodeExampleForLASCON2016
https://github.com/jenkinsci/ibm-security-appscansource-scanner-plugin
https://github.com/kevinfealey/ELK-for-AppSec
https://github.com/kevinfealey/vagrant-ELK-stack
https://github.com/kevinfealey/XSLT_AppScan_Standard_Report
https://github.com/kevinfealey/Burp_Custom_Site_Exporter