Simplify Dev with Complicated Security Tools
Aspect Security | 9175 Guilford Road, Suite 300 | Columbia, MD 21046 | www.aspectsecurity.com
Application security that just works
©2015 Aspect Security. All Rights Reserved 2
ASPECT SECURITY
• Founded in 2002
• Headquartered in Columbia, MD
• 50 employees
• Founding member of OWASP
• Application Security Experts
• Created or contributed to industry-leading standards including: OWASP Top 10
• Millions of lines of code verified per month
• Hundreds of applications tested per year
• Training and eLearning
ABOUT US
Kevin Fealey
• Principal Consultant & Practice Lead, Automation & Integration Services
• 8 years in security
• Key Interests:
  • Process efficiency/effectiveness (Sec + Dev + Ops)
  • Learning about cool tools
Josh Wallace
• Application Security Engineer
• Penetration Testing
• Automation & Integration Services
• 7 years a dev
• 5 years in security
• Key Interests:
  • AppSec
  • SecDevOps
©2017 Aspect Security. All Rights Reserved 4
SPOT THE VULN!
ABOUT YOU
Raise your hand….
Are you a developer?
Are you a security engineer?
Have you ever used security tools before?
What about a web proxy like Fiddler?
IMAGINE A WORLD
You spent the last year developing a new app for your company
Before moving to production, your company required a security test
Several issues were found, including:
• SQL Injection
• Libraries with known vulnerabilities
• Cross-Site Scripting
NOW IMAGINE THE IMPACT
… for you
• Re-working solved problems (boring)
• Risk of regressions
• Doesn’t look good
… for the business
• Project is more expensive
• May lose first-to-market advantage
• Reputation damage with customer
… for the customer
• Missing/delayed features/fixes
• Potentially increased cost
• Risk of regressions/bugs
OUR GOAL: PREVENT THAT SCENARIO
Enable and motivate you to be the first to security test your code
LET’S APPLY LOGIC!
You are a developer, not a security expert
But
Writing secure code can save you time, frustration, and boredom
So…
Let’s learn how to identify security issues sooner to make you less bored!
LEGAL DISCLAIMER
“Hacking” is illegal and should not be performed without written permission under any circumstances
Do not perform any security testing unless you own the systems in question or have written permission
Use of these tools/techniques could lead to job termination, financial liability, and/or criminal penalties
Have fun!
TIME FOR THE MEAT
PROBLEM: SQL INJECTION
SQL Injection is a vulnerability that occurs when untrusted data is sent to the database and executed as part of a command or query. Example inputs:
• '
• ' or '1'='1
• ' or 2=2--
• Robert'); DROP TABLE Students;--
[Demo screenshots: an Account Summary page with Account and SKU form fields. The injected value turns the lookup into "SELECT * FROM accounts WHERE acct='' OR 1=1--'" and the page lists every stored account (Acct: 5424-6066-2134-4334, 4128-7574-3921-0192, 5424-9383-2039-4029, 4128-0004-1234-0293); a second screenshot shows the same listing with the stored account values encrypted.]
SQL INJECTION DEMONSTRATED
[Figure: a SQL injection attack traced through the stack. Network layer: Firewall, Hardened OS, Web Server, App Server, Firewall. Application layer: Custom Code (Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions) in front of Databases, Legacy Systems, Web Services, Directories, Human Resrcs, Billing. The APPLICATION ATTACK path runs HTTP request -> SQL query -> DB Table -> HTTP response.]
1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user
ENTER SQLMAP
Automatic SQL Injection and Database Takeover
• Python
• Lightweight
• Easy to use
• Easy to setup
• No installation
USAGE
GET request: check all parameters
• python sqlmap.py -u "https://vulnerablesite.com/login?user=test&pass=password"
  (quote the URL so the shell does not treat & as a background operator)
Saved POST request: check single parameter
• python sqlmap.py -l request.log -p user
  (-l parses a Burp or WebScarab proxy log; to replay one raw HTTP request saved to a file, use -r request.txt instead)
Wiki is your friend
• https://github.com/sqlmapproject/sqlmap/wiki/Usage
DEMO TIME!
OBLIGATORY LITTLE BOBBY TABLES
https://xkcd.com/327/
SQLI PREVENTION
Parameterize Untrusted Query Input

    String custname = request.getParameter("customerName");
    String query = "SELECT account_balance FROM user_data WHERE user_name = ? ";
    PreparedStatement pstmt = connection.prepareStatement(query);
    pstmt.setString(1, custname);
    ResultSet results = pstmt.executeQuery();
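The vulnerable lookup from the demo and its parameterized fix, side by side, as an added example that is not from the slides. It uses an in-memory SQLite table with constructed account data, and a small probe() that reacts to the sample inputs above the way an automated tool's error-based and tautology checks do: a lone quote produces a database error, a tautology returns every row, and the bound-parameter version returns nothing unusual for any of them.

```python
import sqlite3

# Constructed demo data standing in for the "Account Summary" table in the
# slides; the account numbers are made up.
ACCOUNTS = [
    ("5424-6066-2134-4334", 1200.00),
    ("4128-7574-3921-0192", 85.50),
    ("5424-9383-2039-4029", 10.00),
]


def make_db():
    """In-memory SQLite database holding the demo accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT PRIMARY KEY, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", ACCOUNTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, acct):
    """Untrusted input is pasted into the statement text: the SQLi bug."""
    query = "SELECT acct, balance FROM accounts WHERE acct='" + acct + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, acct):
    """Same lookup with a bound parameter; the input can never become SQL."""
    query = "SELECT acct, balance FROM accounts WHERE acct=?"
    return conn.execute(query, (acct,)).fetchall()


def probe(conn, payload, lookup=lookup_vulnerable):
    """Classify how a lookup reacts to a payload, using the two signals an
    automated tool such as sqlmap keys on: a database error (the quote broke
    the statement) or a tautology returning more rows than one account
    number ever should."""
    try:
        rows = lookup(conn, payload)
    except sqlite3.Error:
        return "error"
    if len(rows) > 1:
        return "all-rows"
    return "normal"


if __name__ == "__main__":
    db = make_db()
    for payload in ["'", "' or '1'='1", "' or 2=2--", "4128-7574-3921-0192"]:
        print(f"{payload!r:24} vulnerable={probe(db, payload):9} "
              f"parameterized={probe(db, payload, lookup_parameterized)}")
```

The "Robert'); DROP TABLE Students;--" input is not in the loop on purpose: Python's sqlite3 driver refuses stacked statements in execute(), so the DROP would not run here even against the vulnerable function; drivers and databases that allow multiple statements per call do run it.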
Prevents this
BLINDSPOT - LIBRARIES
The amount of custom code in an application hasn’t changed very much in the past 10 years.
TRANSFORMATION
80% Libraries / 20% Custom Code
But library use is growing at a staggering rate
EVERYONE USES VULNERABLE LIBS
[Chart: downloads of widely used Java libraries on a log scale from 100 to 100,000,000, including GWT, Apache Xerces, Spring MVC, Struts 1.x, Apache CXF, Struts2, Apache Axis, Spring Security, Tapestry, Wicket, Lift, Apache Santuario, BouncyCastle, Tiles, Hibernate, Apache Shiro, Java Server Faces and AntiSamy.]
29 MILLION vulnerable downloads in 2011
Libraries: 31 | Library Versions: 1,261 | Organizations: 61,807 | Downloads: 113,939,358
Vulnerable Download: 26% | Safe Download: 74%
https://www.aspectsecurity.com/news/press/the-unfortunate-reality-of-insecure-libraries
ENTER OWASP DEPENDENCY-CHECK
• Available at https://www.owasp.org/index.php/OWASP_Dependency_Check
ONE COMMAND TO RULE THEM ALL
dependency-check.bat --project "My App Name" --scan "c:\java\application\lib" --out c:\reportingDir
EASY TO READ REPORT
AUTOMATE IT!
Community plugins available
• Ant
• Maven
• Jenkins
• SonarQube
Roll your own
• It’s just a single command. Parameterize and automate!
• dependency-check.bat --project {proj} --scan {libDir} --out {reportDir}
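One way to "roll your own" wrapper, as an added example that is neither the slides' nor Dependency-Check's own code: it parameterizes the single command above, asks the tool for a JSON report, and turns the report into a build gate that fails when any finding reaches a CVSS threshold. The field names it reads (cvssv3.baseScore, cvssv2.score, and a flat cvssScore in older releases) are an assumption about the report layout and should be checked against the version you run; the report fragment at the bottom is constructed so the gate can be exercised offline.

```python
import json
import subprocess
from pathlib import Path

# Assumed field layout: recent OWASP Dependency-Check JSON reports score each
# vulnerability under cvssv3.baseScore and/or cvssv2.score, older releases
# under a flat cvssScore. Verify against the schema of your version.
SCORE_FIELDS = (("cvssv3", "baseScore"), ("cvssv2", "score"))


def build_command(project, lib_dir, report_dir, exe="dependency-check.sh"):
    """argv for the one-command scan on the slide, with JSON output added so
    a build step can parse it (exe is the .bat or .sh wrapper of the CLI)."""
    return [exe, "--project", project, "--scan", str(lib_dir),
            "--out", str(report_dir), "--format", "JSON"]


def max_cvss(vuln):
    """Highest CVSS score present on one vulnerability entry, 0.0 if none."""
    scores = []
    for block, key in SCORE_FIELDS:
        nested = vuln.get(block)
        if isinstance(nested, dict) and nested.get(key) is not None:
            scores.append(float(nested[key]))
    if vuln.get("cvssScore") is not None:
        scores.append(float(vuln["cvssScore"]))
    return max(scores, default=0.0)


def findings_over(report, threshold):
    """(fileName, vulnerability name, score) for each finding at or above
    the threshold, worst first."""
    hits = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            score = max_cvss(vuln)
            if score >= threshold:
                hits.append((dep.get("fileName"), vuln.get("name"), score))
    return sorted(hits, key=lambda h: h[2], reverse=True)


def gate_report(report, threshold=7.0):
    """Exit status for a CI step: 1 if any finding reaches the threshold."""
    hits = findings_over(report, threshold)
    for file_name, name, score in hits:
        print(f"FAIL {file_name}: {name} (CVSS {score})")
    return 1 if hits else 0


def scan_and_gate(project, lib_dir, report_dir, threshold=7.0):
    """Run the CLI, then gate on its JSON report (needs the tool installed)."""
    subprocess.run(build_command(project, lib_dir, report_dir), check=True)
    report_file = Path(report_dir) / "dependency-check-report.json"
    with open(report_file, encoding="utf-8") as fh:
        return gate_report(json.load(fh), threshold)


# Constructed report fragment in the assumed layout; the vulnerability names
# are placeholders, not real identifiers.
SAMPLE_REPORT = {
    "dependencies": [
        {"fileName": "old-parser.jar",
         "vulnerabilities": [
             {"name": "EXAMPLE-VULN-1", "cvssv3": {"baseScore": 9.8},
              "cvssv2": {"score": 7.5}},
             {"name": "EXAMPLE-VULN-2", "cvssv2": {"score": 4.3}},
         ]},
        {"fileName": "legacy-util.jar",
         "vulnerabilities": [{"name": "EXAMPLE-VULN-3", "cvssScore": 5.0}]},
        {"fileName": "clean-lib.jar"},
    ]
}

if __name__ == "__main__":
    print("argv:", build_command("My App Name", "lib", "reports"))
    raise SystemExit(gate_report(SAMPLE_REPORT, threshold=7.0))
```

Newer Dependency-Check releases can apply the same threshold themselves with --failOnCVSS; the value of a wrapper like this is that the parsed findings can also be posted to a ticket or dashboard rather than only failing the job.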
PROBLEM: CROSS-SITE SCRIPTING (AND MANY OTHERS)
EASY DYNAMIC SECURITY SCANNING
Dynamic scanning tools can discover common vulnerabilities in running web applications by inspection of HTTP requests/responses
Looks for known patterns
• Cross-Site Scripting (XSS)
• SQL Injection
• Command Injection
• Path Traversal
• Etc.
ENTER OWASP ZAP
Free dynamic security scanner
Checks for many common OWASP Top 10 vulnerabilities
Cross-Platform (Java)
Many other features
• CSRF POC generator
• Web Proxy
• Etc.
DEMO TIME!
ZAP HINTS AND TIPS
Be sure to set up any credentials
Be careful
• Scanners can cause serious damage!
Do no harm
• Some pages may perform dangerous functionality (e.g. deleting users). Beware!
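What a dynamic scanner actually does for reflected XSS, and why the "do no harm" exclusion matters, as an added example that is not ZAP's code or the slides' own: a marker payload is injected into each query parameter in turn and the response is checked for the payload coming back unencoded. The target application is a constructed stand-in (three hypothetical routes served by plain functions instead of HTTP) so the block runs offline; the scanner never requests paths on its exclusion list, which is how a destructive page such as a user-deletion endpoint stays out of scope.

```python
import html
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Unique marker so a reflection cannot be confused with ordinary page content.
PAYLOAD = '<svg/onload="xsscheck">'


# --- Constructed stand-in for a running application (hypothetical routes) ---
def search_vulnerable(params):
    q = params.get("q", [""])[0]
    return f"<h1>Results for {q}</h1>"                          # raw reflection


def search_fixed(params):
    q = params.get("q", [""])[0]
    return f"<h1>Results for {html.escape(q, quote=True)}</h1>"  # entity-encoded


def delete_user(params):
    return "<p>user removed</p>"          # destructive: must never be scanned


ROUTES = {"/search": search_vulnerable,
          "/search-fixed": search_fixed,
          "/admin/delete": delete_user}


def fetch(url):
    """Stand-in for an HTTP GET against the app above; returns the body."""
    parsed = urlparse(url)
    return ROUTES[parsed.path](parse_qs(parsed.query, keep_blank_values=True))


# --- Scanner side: the reflected-XSS check a tool like ZAP performs ---
EXCLUDED_PATHS = ("/admin/delete",)


def scan_reflected_xss(url, excluded=EXCLUDED_PATHS):
    """Inject PAYLOAD into each query parameter in turn and report the ones
    the response echoes back unencoded. URLs on the exclusion list are not
    requested at all: the 'do no harm' rule from the slide."""
    parsed = urlparse(url)
    if parsed.path in excluded:
        return {"skipped": True, "vulnerable": []}
    params = parse_qs(parsed.query, keep_blank_values=True)
    vulnerable = []
    for name in params:
        mutated = dict(params)
        mutated[name] = [PAYLOAD]
        test_url = urlunparse(parsed._replace(query=urlencode(mutated, doseq=True)))
        if PAYLOAD in fetch(test_url):      # verbatim reflection into HTML
            vulnerable.append(name)
    return {"skipped": False, "vulnerable": vulnerable}


if __name__ == "__main__":
    for target in ("http://app.local/search?q=test&page=1",
                   "http://app.local/search-fixed?q=test",
                   "http://app.local/admin/delete?id=1"):
        print(target, scan_reflected_xss(target))
```

A real scanner runs this through an authenticated session (hence "set up any credentials" above) and checks more contexts than the HTML body, but the mechanism is the same: mutate one input, look for a known pattern in the response.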
IN SUMMARY
Free, open-source security tools exist that can be useful to developers
Tools can be intimidating but do not have to be hard to use
Eliminate re-work and frustration at the end of a project
Automate and integrate tools for efficiency and transparency
AND…
Help keep the hackers out
QUESTIONS?
Josh Wallace [email protected]
Kevin Fealey [email protected]
#EverydayVuln
Thank you!