continuous security: zap security bugs now codemotion-2015
TRANSCRIPT
![Page 1: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/1.jpg)
MILAN 20/21.11.2015
Continuous Security: ZAP your security issues now!
Carlo Bonamico & Gabriele Guasco - [email protected] [email protected] - @carlobonamico @gabrieleguasco
NIS s.r.l. - http://www.nispro.it
![Page 2: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/2.jpg)
MILAN 20/21.11.2015 - Carlo Bonamico & Gabriele Guasco
![Page 3: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/3.jpg)
What’s in this Security Sandwich?
● define Security requirements at the start
● write your code … faster than light
● do some security tests at the end
https://www.thoughtworks.com/radar/techniques/security-sandwich
Application Security: ensuring the Application guarantees
● Confidentiality
● Integrity
● Availability
● Accountability
of the Information it processes
![Page 4: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/4.jpg)
Why is this sandwich not so good?
![Page 5: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/5.jpg)
Usually it’s just half a sandwich:
● no security design
● no security tests
![Page 6: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/6.jpg)
It does not keep up with Agile processes, where new Design choices, and even Requirements, emerge through the project lifespan,
and this includes their impact on Security.
![Page 7: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/7.jpg)
When problems are discovered... there is no more time ...or no more $$$
Bug fixing starts after the final PenTest, near the planned release date
[Chart: # of vulnerabilities over time, “theory” vs “sad reality”]
![Page 8: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/8.jpg)
The more time passes, the more the cost to fix increases
● because the change implies revising components written months before
● possibly by developers who are no longer with the team
● because the complexity of the project has increased
● steep cost / delay increase after release to production
![Page 9: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/9.jpg)
With the security sandwich it’s often too late
![Page 10: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/10.jpg)
Continuous Security
Embed Security validation (bread) across the entire Software Development Lifecycle
![Page 11: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/11.jpg)
Continuous Security - Analysis & Design
At project start
- evaluate Risk Level and potential threats (Threat Model)
- define high level Security Requirements and guidelines
- evaluate Team need for Security Training
High level Architecture Review
- ask for a security expert as an advisor
- good ROI because you can solve the root cause of many security problems in the design phase
Design Reviews
- when changing security sensitive parts
![Page 12: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/12.jpg)
Continuous Security - Implementation
Detail Design and Implementation
- follow Secure Coding Principles
At first “vertical slice” prototype
- Vulnerability Assessment & Pen Test
- check for implementation errors on design decisions
- avoid errors in future implementation
add feature / component 1
- non-regression security tests
...
add feature / component N
- non-regression security tests
Secure Coding Principles
● Do not trust inputs
● Minimize attack surface area (and window of opportunity)
● Establish secure defaults
● Principle of Least privilege
● Principle of Defense in depth
● Fail securely
● Don’t trust services
● Separation of duties
● Avoid security by obscurity
● Keep security simple
● Fix security issues correctly
● If you can't protect, detect
● Get your users involved
![Page 13: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/13.jpg)
Continuous Security - Test & Production
At pre-production stage
- full Vulnerability Assessment & Pen Test
- pre-allocate time for final fixing
In production
- log application-level Security Events
  - failed logins, unauthorized requests
  - accesses from unusual clients
- Keep Users Involved
  - give them the information needed to detect potential threats
Updates and new releases
- non-regression security tests
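The slide asks for application-level security events to be logged in production (failed logins, unauthorized requests, accesses from unusual clients) but does not show what that looks like. The following is an added example, not code from the talk or from NIS: it emits such events as parseable key=value lines and runs three simple detections over a constructed log. The line format, the event names (LOGIN_FAILED, AUTHZ_DENIED, REQUEST), the thresholds and the "known client" prefix rule are this example's own assumptions.

```python
"""Application-level security event logging and a first-pass detector.

Added example (not code from the talk or from NIS): the slide says to
log failed logins, unauthorized requests and accesses from unusual
clients in production. This emits such events as key=value lines and
runs three simple detections over them. The line format, event names,
thresholds and the "known client" rule are this example's assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
# key=value pairs; a value containing spaces is double-quoted
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def format_event(ts: datetime, event: str, **fields) -> str:
    """Render one security event line (call this from the login controller,
    the authorization filter and the request logger)."""
    parts = [ts.strftime(TS_FORMAT), f"event={event}"]
    for key, value in fields.items():
        value = str(value).replace('"', "'")
        parts.append(f'{key}="{value}"' if " " in value else f"{key}={value}")
    return " ".join(parts)


def parse_event(line: str) -> dict:
    """Parse a line produced by format_event back into a dict with a UTC ts."""
    ts_text, _, rest = line.strip().partition(" ")
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in _KV.finditer(rest)}
    fields["ts"] = datetime.strptime(ts_text, TS_FORMAT).replace(tzinfo=timezone.utc)
    return fields


def detect(lines, failed_threshold=5, window=timedelta(minutes=5),
           known_ua_prefixes=("Mozilla/",)):
    """Run the three detections named on the slide over event lines.

    - login_bruteforce: >= failed_threshold LOGIN_FAILED from one IP inside window
    - unauthorized_request: every AUTHZ_DENIED event
    - unusual_client: REQUEST whose User-Agent is not a known browser prefix
    Thresholds are assumptions; tune them per application.
    """
    events = sorted((parse_event(line) for line in lines if line.strip()),
                    key=lambda e: e["ts"])
    alerts = []
    recent_failures = defaultdict(list)  # ip -> failure timestamps inside the window
    for e in events:
        kind = e.get("event")
        if kind == "LOGIN_FAILED":
            bucket = recent_failures[e["ip"]]
            bucket.append(e["ts"])
            while bucket and e["ts"] - bucket[0] > window:
                bucket.pop(0)
            if len(bucket) >= failed_threshold:
                alerts.append({"kind": "login_bruteforce", "ip": e["ip"],
                               "count": len(bucket), "at": e["ts"]})
                bucket.clear()  # one alert per burst, not one per extra failure
        elif kind == "AUTHZ_DENIED":
            alerts.append({"kind": "unauthorized_request", "user": e.get("user"),
                           "path": e.get("path"), "at": e["ts"]})
        elif kind == "REQUEST" and not e.get("ua", "").startswith(known_ua_prefixes):
            alerts.append({"kind": "unusual_client", "user": e.get("user"),
                           "ua": e.get("ua", ""), "at": e["ts"]})
    return alerts


# Constructed sample log (not real traffic): one IP failing five logins in
# forty seconds, a user hitting an admin URL without rights, and an API call
# from a scripted client instead of a browser.
SAMPLE_LOG = [
    "2015-11-20T10:00:01Z event=LOGIN_FAILED user=alice ip=203.0.113.5",
    "2015-11-20T10:00:05Z event=LOGIN_FAILED user=alice ip=203.0.113.5",
    "2015-11-20T10:00:09Z event=LOGIN_FAILED user=bob ip=203.0.113.5",
    "2015-11-20T10:00:14Z event=LOGIN_FAILED user=bob ip=203.0.113.5",
    "2015-11-20T10:00:20Z event=LOGIN_OK user=carol ip=198.51.100.7",
    "2015-11-20T10:00:31Z event=LOGIN_FAILED user=root ip=203.0.113.5",
    "2015-11-20T10:00:40Z event=LOGIN_FAILED user=admin ip=203.0.113.5",
    "2015-11-20T10:01:02Z event=AUTHZ_DENIED user=bob ip=198.51.100.9 path=/admin/users",
    '2015-11-20T10:01:10Z event=REQUEST user=carol ip=198.51.100.7 path=/home ua="Mozilla/5.0 (X11; Linux x86_64)"',
    "2015-11-20T10:01:15Z event=REQUEST user=dave ip=198.51.100.12 path=/api/export ua=python-requests/2.7.0",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Running it prints one alert per detection: a login burst from 203.0.113.5 (count 5), bob's denied request to /admin/users, and dave's scripted client. The point of emitting structured lines from the application itself, rather than relying on the web server's access log, is that the application knows the user identity and the authorization outcome, which the access log does not.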
![Page 14: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/14.jpg)
Why is this better?
● Identify Design flaws and vulnerabilities as they occur: easier (and cheaper) to fix within their context
  “There are 15 vulnerabilities in your 50kloc codebase” vs “There is 1 vulnerability in feature X that you committed yesterday”
● The team constantly learns about security issues and fixes and can apply this experience in the rest of the project
  “Nice VA report, but starting tomorrow I’ll move to another project” vs “That’s interesting… we’ll avoid this in the next features”
![Page 15: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/15.jpg)
[Chart: Security sandwich approach: lines of code and security bugs over time, with an end-of-project vulnerability assessment and the security bugs to be fixed … in no time :-)]
![Page 16: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/16.jpg)
[Chart: Continuous Security: tests & fix during SDLC: lines of code and security bugs over time, with vulnerability assessments spread across the project]
![Page 17: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/17.jpg)
Security tests during SDLC: types of bugs
[Chart: lines of code over time; non-regression security tests throughout; d-day for pre-production release (pentest); two classes of bugs: security bugs found with “simple” tests and/or with a known solution, and security bugs discovered during the vulnerability assessment]
![Page 18: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/18.jpg)
Residual Vulnerabilities will never be 0
Residual vulnerabilities:
- detected but too complex to fix
- NOT detected by VA - there is no magic see-it-all tool!
Need a Risk Management approach: minimize probability, minimize impact
![Page 19: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/19.jpg)
Continuous Security recipe in short
● Security throughout the whole SDLC
● Complementary techniques and tools (again, sorry, there’s no single magic silver bullet)
● Synergy of the whole Team + external security Experts
![Page 20: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/20.jpg)
![Page 21: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/21.jpg)
Objections:
Security through the whole SDLC
● I don’t have time to do security tests too
● Security is an overhead
Different techniques and instruments
● I don’t have the tools
● Tools cost $$$
Synergy of the whole team + external security experts
● team doesn’t have the skills
● cannot hire Security Experts for a long time
![Page 22: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/22.jpg)
To stay healthy…
in many cases you can check on your own
sometimes you need super-experts
periodically you need advice / a review
![Page 23: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/23.jpg)
To stay secure...
in many cases you can check on your own: Developer, IDE, C.I. server
sometimes you need super-experts: Professional PenTester
periodically you need advice / a review: Security-trained Architect
Besides, many checks can also be automatic or semi-automatic
![Page 24: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/24.jpg)
Manual validation
● Better Security Requirements with OWASP Application Security Verification Standard (ASVS)
○ standardized criteria for common security Use Cases: authentication, authorization, …
○ increasing levels of protection
■ web portals vs medical records
● Review by Security Architect
Promising approach to partially automate Security Requirement definition and tracking: http://securitycompass.com/sdelements
![Page 25: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/25.jpg)
Manual validations & tests
● Design review
● Full Vulnerability Assessment & Penetration Test
○ at 1st prototype
○ at pre-production stage
● Focused Vulnerability Assessment every time a new “integration point” is introduced
![Page 26: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/26.jpg)
Automatic test: Static Analysis with FindSecurityBugs
Integrated with the IDE, run by the developer while writing code
Very reliable for SQL Injections and dangerous API calls
Can annotate and disable false positives
![Page 27: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/27.jpg)
Automatic test - OWASP ZAP Proxy
Intercepts and analyzes all requests to the application, then:
● spidering (with context)
● passive scan
● active attack
● ….and more
![Page 28: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/28.jpg)
Automatic test with ZAP
Use of ZAP to check HTTP security headers (X-XSS-Protection, X-Frame-Options, Content-Security-Policy, etc.)
![Page 29: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/29.jpg)
Automatic test with ZAP
Use of ZAP to check HTTP cookie parameters (HttpOnly flag, Secure flag, scope, lifetime)
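The two ZAP checks above (security headers, then cookie flags, scope and lifetime) are passive: they need nothing more than the response. The following is an added example, not code from ZAP or from the speakers, showing how the same checks can run as a plain unit test on every build, as one of the "non-regression security tests" the talk keeps returning to. The header set, the one-day cookie lifetime limit and the message texts are this example's assumptions, not ZAP's rule set.

```python
"""Non-regression test for HTTP security headers and cookie attributes.

Added example, not code from ZAP or from the speakers: it reproduces in
plain Python the two families of passive checks the talk delegates to
ZAP (security headers; cookie flags, scope and lifetime) so they can
run as a unit test on every build. The header set, the cookie lifetime
limit and the message texts are this example's assumptions.
"""
from dataclasses import dataclass, field

# Headers whose absence is reported. The talk names X-XSS-Protection,
# X-Frame-Options and Content-Security-Policy; X-XSS-Protection is left out
# here because Chrome and Edge no longer implement it and CSP covers the risk.
EXPECTED_HEADERS = {
    "content-security-policy": "missing Content-Security-Policy",
    "x-frame-options": "missing X-Frame-Options (clickjacking)",
    "x-content-type-options": "missing X-Content-Type-Options: nosniff",
}
MAX_COOKIE_LIFETIME = 24 * 3600  # assumption: a session cookie should not outlive one day


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lower-case attribute -> value, or True for flags


def parse_set_cookie(header_value: str) -> Cookie:
    """Split one Set-Cookie value into name, value and its attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, sep, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if sep else True
    return Cookie(name.strip(), value.strip(), attrs)


def check_headers(headers: dict, https: bool = True) -> list:
    """Findings for a response header map; names are compared case-insensitively."""
    present = {k.lower() for k in headers}
    findings = [msg for key, msg in EXPECTED_HEADERS.items() if key not in present]
    if https and "strict-transport-security" not in present:
        findings.append("missing Strict-Transport-Security on an HTTPS response")
    return findings


def check_cookie(cookie: Cookie, https: bool = True) -> list:
    """Findings for one cookie: the flags, scope and lifetime named on the slide."""
    findings = []
    if "httponly" not in cookie.attrs:
        findings.append(f"{cookie.name}: no HttpOnly, readable by page scripts")
    if https and "secure" not in cookie.attrs:
        findings.append(f"{cookie.name}: no Secure, may be sent over plain HTTP")
    if "domain" in cookie.attrs:
        findings.append(f"{cookie.name}: Domain={cookie.attrs['domain']} shares the cookie with all subdomains")
    max_age = cookie.attrs.get("max-age")
    if max_age is not None and max_age is not True:
        if not max_age.lstrip("-").isdigit():
            findings.append(f"{cookie.name}: unparseable Max-Age {max_age!r}")
        elif int(max_age) > MAX_COOKIE_LIFETIME:
            findings.append(f"{cookie.name}: Max-Age {max_age} exceeds {MAX_COOKIE_LIFETIME}s")
    # Expires (an absolute date) is deliberately not evaluated; emit Max-Age instead.
    return findings


def audit_response(headers: dict, set_cookies: list, https: bool = True) -> list:
    """All findings for one response: headers plus every Set-Cookie it carries."""
    findings = check_headers(headers, https)
    for raw in set_cookies:
        findings.extend(check_cookie(parse_set_cookie(raw), https))
    return findings


# Constructed responses (not captured traffic): the same login page before and after hardening.
WEAK_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
WEAK_COOKIES = ["JSESSIONID=abc123; Path=/"]
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
HARDENED_COOKIES = ["JSESSIONID=abc123; Path=/; HttpOnly; Secure; Max-Age=3600"]

if __name__ == "__main__":
    for label, hdrs, cookies in (("weak", WEAK_HEADERS, WEAK_COOKIES),
                                 ("hardened", HARDENED_HEADERS, HARDENED_COOKIES)):
        print(label, audit_response(hdrs, cookies) or "no findings")
```

The weak response yields six findings (four headers, two cookie flags) and the hardened one none, so `audit_response` can sit directly behind an assertion in the test suite; when a later commit drops a header, the build fails on the feature that caused it rather than in the end-of-project assessment.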
![Page 30: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/30.jpg)
Automatic test: SSL settings active test
Open Source: https://github.com/rbsec/sslscan & ZAP plugins
![Page 31: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/31.jpg)
Semi-automatic test: components (execution is “simple”, results need review)
OWASP Dependency Check
![Page 32: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/32.jpg)
Semi-automatic test: Configuration and deployment check
port scanning (nmap)
vulnerability scanning: OpenVAS, Nessus (Commercial)
![Page 33: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/33.jpg)
Security Tests vs Continuous Integration and Continuous Delivery
[Diagram: Dev IDE, SCM Repo, C.I./C.D. Server, Artifact Repo, Internet OSS Repo, Test Env, Pre-Prod Env, Prod Env, with the security tests placed along the delivery pipeline]
![Page 34: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/34.jpg)
Continuous Integration - Static Analysis
Jenkins running FindSecurityBugs at each build
Effective for
● avoiding dangerous APIs
● detecting SQL injection
Aim at constantly bringing the count down to zero
![Page 35: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/35.jpg)
Continuous Integration - Component Security
Jenkins running Dependency Check at each build
[Diagram: C.I./C.D. Server checking the dependencies pulled from the Internet OSS Repo and stored in the Artifact Repo]
Even more sophisticated Dependency filtering and analysis in tools like Nexus Lifecycle (Commercial)
![Page 36: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/36.jpg)
Continuous Integration - ZAP
Jenkins running ZAP daily
Jenkins Job:
1. Build WAR
2. Deploy
3. Start ZAP, Webapp
4. Functional Tests
5. Trigger ZAP attack
6. Stop Server, ZAP
7. Publish Report
[Diagram: ZAP (Proxy, Spider / Attack, REST API, xml / html report) sitting in front of the Server (e.g. Tomcat) that hosts the WebApp; the Jenkins job talks to ZAP through its REST API]
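The job steps above end with "Trigger ZAP attack" and "Publish Report", both of which the Jenkins job performs through ZAP's REST API. The following is an added example, not the speakers' Jenkins job and not the ZAProxy plugin: a small client that spiders and actively scans the target once the functional tests have populated ZAP's site tree through its proxy, then turns the alert list into a build verdict. The endpoint paths follow ZAP's JSON API (`/JSON/<component>/<action|view>/<name>/` with an `apikey` parameter); the host, port, API key, target URL and the "fail at Medium" threshold are assumptions, and the alert list used for the offline run is constructed.

```python
"""Drive OWASP ZAP from a CI job and turn its alerts into a build verdict.

Added example, not the speakers' Jenkins job and not the ZAProxy plugin:
it covers the "Trigger ZAP attack" and "Publish Report" steps by calling
ZAP's REST API after the WAR has been built and deployed and the
functional tests have already run through ZAP's proxy. Endpoint paths
follow ZAP's JSON API; host, port, API key, target URL and the risk
threshold are assumptions.
"""
import json
import time
from urllib.parse import urlencode
from urllib.request import urlopen

RISK_ORDER = ["Informational", "Low", "Medium", "High"]  # ZAP's risk labels, lowest first


class ZapClient:
    """Minimal client for ZAP's JSON API (assumed ZAP on localhost:8090)."""

    def __init__(self, base_url="http://localhost:8090", api_key="changeme"):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key

    def api_url(self, component, kind, name, **params):
        """Build e.g. /JSON/spider/action/scan/?apikey=...&url=..."""
        query = urlencode({"apikey": self.api_key, **params})
        return f"{self.base_url}/JSON/{component}/{kind}/{name}/?{query}"

    def call(self, component, kind, name, **params):
        with urlopen(self.api_url(component, kind, name, **params), timeout=30) as resp:
            return json.loads(resp.read().decode("utf-8"))

    def wait_for(self, component, scan_id, poll_seconds=5):
        """Poll the spider or active-scan status until ZAP reports 100 %."""
        while int(self.call(component, "view", "status", scanId=scan_id)["status"]) < 100:
            time.sleep(poll_seconds)

    def html_report(self):
        """Fetch the HTML report (the 'Publish Report' step) from the OTHER endpoint."""
        query = urlencode({"apikey": self.api_key})
        with urlopen(f"{self.base_url}/OTHER/core/other/htmlreport/?{query}", timeout=60) as resp:
            return resp.read().decode("utf-8")


def gate(alerts, fail_on="Medium"):
    """Return (passed, counts per risk); fails when any alert is at or above fail_on."""
    counts = {risk: 0 for risk in RISK_ORDER}
    for alert in alerts:
        risk = alert.get("risk", "Informational")
        counts[risk] = counts.get(risk, 0) + 1
    blocking = RISK_ORDER[RISK_ORDER.index(fail_on):]
    failing = sum(counts.get(risk, 0) for risk in blocking)
    return failing == 0, counts


def scan_and_gate(client, target, fail_on="Medium"):
    """Spider, actively scan and gate one target; returns (passed, counts, alerts)."""
    spider_id = client.call("spider", "action", "scan", url=target)["scan"]
    client.wait_for("spider", spider_id)
    ascan_id = client.call("ascan", "action", "scan", url=target, recurse="true")["scan"]
    client.wait_for("ascan", ascan_id)
    alerts = client.call("core", "view", "alerts", baseurl=target)["alerts"]
    passed, counts = gate(alerts, fail_on)
    return passed, counts, alerts


# Constructed alert list in the shape core/view/alerts returns, for an offline run.
SAMPLE_ALERTS = [
    {"risk": "High", "alert": "SQL Injection", "url": "http://app.example:8080/search?q=x"},
    {"risk": "Low", "alert": "X-Content-Type-Options Header Missing", "url": "http://app.example:8080/"},
    {"risk": "Informational", "alert": "Information Disclosure - Suspicious Comments",
     "url": "http://app.example:8080/js/app.js"},
]

if __name__ == "__main__":
    import sys
    # In the Jenkins job the two lines below would replace the sample:
    #   client = ZapClient("http://zap:8090", os.environ["ZAP_API_KEY"])
    #   passed, counts, _ = scan_and_gate(client, "http://app:8080/")
    passed, counts = gate(SAMPLE_ALERTS, fail_on="Medium")
    print("offline sample:", counts, "PASS" if passed else "FAIL")
    sys.exit(0 if passed else 1)
```

Running the sample offline prints `{'Informational': 1, 'Low': 1, 'Medium': 0, 'High': 1} FAIL` and exits 1, which is what makes the daily Jenkins job red. The threshold is the knob the talk's "risk management" slide implies: start by failing only on High, then ratchet `fail_on` down as the residual alert count is worked towards zero.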
![Page 37: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/37.jpg)
| Phase | Activity | Who? | Tools / Methods | Type |
| --- | --- | --- | --- | --- |
| Analysis | Define Requirements | Dev, Analyst, Security Architect | OWASP ASVS, Threat Model, Risk review | Manual |
| Design | Architecture - High Level Design Review | Security Architect and/or Expert | Diagrams, Documents, Secure Coding Principles | Manual |
| Implementation | Write Code | Developers | Secure Coding Principles | Manual |
| Implementation | Vuln. Assessment & Pen Test | Security Expert | ZAP, Nmap, Nessus (commercial), many others | Manual, Semi-auto, Automatic |
| Implementation | Add other features | Developers | Static Code Analysis in IDE: FindSecBugs, ZAP, DepCheck | Mostly Automatic |
| Test | Vulnerability Assessment & Pen Test | Security Expert | ZAP, Nmap, Nessus (commercial), many others | Manual, Semi-auto, Automatic |
| Production | Monitoring | Sysadmin/DevOps | Log Application-Level Security Events | Semi-auto |
![Page 38: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/38.jpg)
Remember three things
1. Fail Fast …. validate security & perform tests as early as possible
2. Automate where you can … you’ll earn more time to focus on tougher security issues
3. Don’t skip periodic expert Design Reviews
![Page 39: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/39.jpg)
References
OWASP Secure Coding Principles
● https://www.owasp.org/index.php/Secure_Coding_Principles
OWASP Testing Guide
● https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
OWASP Application Security Verification Standard
● https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
![Page 40: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/40.jpg)
The Tools - Open Source
ZAP
● https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Jenkins
● https://jenkins-ci.org/
Plugins
● https://wiki.jenkins-ci.org/display/JENKINS/OWASP+Dependency-Check+Plugin
● https://wiki.jenkins-ci.org/display/JENKINS/Static+Code+Analysis+Plug-ins
● https://wiki.jenkins-ci.org/display/JENKINS/ZAProxy+Plugin
Find Security Bugs
● http://h3xstream.github.io/find-sec-bugs/
Dependency Check
● https://www.owasp.org/index.php/OWASP_Dependency_Check
![Page 41: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/41.jpg)
The Tools - Commercial
Coverity
● http://www.coverity.com/
Nessus
● http://www.tenable.com/products/nessus-vulnerability-scanner
Sonatype Nexus Lifecycle
● http://www.sonatype.com/nexus/product-overview/nexus-lifecycle
![Page 42: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/42.jpg)
Leave your feedback on Joind.in! https://m.joind.in/event/codemotion-milan-2015
Interested?
● attend our Web Application Security / Continuous Delivery trainings
● engage us for Design/Code Reviews, Vulnerability Assessments & team mentoring
● Read more on
○ http://www.nispro.it
○ http://www.slideshare.net/carlo.bonamico
● Follow us on twitter
○ @nis_srl @carlobonamico @gabrieleguasco
○ updates on Security, AngularJS, Continuous Delivery
Questions? [email protected] - [email protected]
![Page 43: Continuous Security: Zap security bugs now Codemotion-2015](https://reader034.vdocuments.us/reader034/viewer/2022052418/58e661471a28ab8d758b5297/html5/thumbnails/43.jpg)
[Chart: Security sandwich approach, bug growing rate: lines of code and security bugs over time, with the vulnerability assessment at the end]