me
process of testing a system for vulnerabilities
- Find an exploitable vulnerability
- Design an attack around it
- Test the attack
- Seize a line in use
- Enter the attack
- Exploit the entry for information recovery
traditional security process
- create spec
- create security spec (most of the time optional)
- develop app (don't care about security)
- test app
- some external pen tester tests security
- do a lot of security fixes
- be a little bit late
- approved for train stations and airports as well
faster release cycles
more speed
- no waterfall process like before
- no security testing?
- continuous manual pen testing?
- continuous automated testing
- ... AND manual pen testing from time to time?
THREAT MODELING
- risk-based security concept development
- Where are the high-value assets?
- Where am I most vulnerable to attack?
- What are the most relevant threats?
- Is there an attack vector that might go unnoticed?
- with all players in your business!
- Microsoft Threat Modeling Tool 2016
parameters
- financial loss
- direct
- monetary fine
- share holder value
- reputation loss
- laws (for example BDSG, §203 StGB)
target:
make hacking more expensive than the possible return for the attacker
- long lists of problems and attacks
- rated top 25
- Verify for Security Early and Often
- Parameterize Queries
- Encode Data
- Validate All Inputs
- Implement Identity and Authentication Controls
- Implement Appropriate Access Controls
- Protect Data
- Implement Logging and Intrusion Detection
- Leverage Security Frameworks and Libraries
- Error and Exception Handling
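The controls "Parameterize Queries", "Encode Data" and "Validate All Inputs" from the list above, shown as an added example (not from the talk): a vulnerable query beside its parameterized form, an allowlist validator and context-appropriate output encoding, all on an in-memory SQLite table constructed here. The table, the user names and the regular expression are assumptions made for the illustration.

```python
"""Added example: parameterize queries, validate inputs, encode output.
The table and sample rows are constructed for this illustration."""
import html
import re
import sqlite3


def make_db():
    """Constructed in-memory table with three sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_unsafe(conn, name):
    # Vulnerable form: the input becomes part of the SQL text, so a quote
    # character in `name` changes the structure of the query.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Parameterized form: the driver passes `name` as a bound value, never
    # as SQL, so the same input only ever matches a literal user name.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Allowlist for user names (assumption: lower-case, digits, underscore, <= 32 chars).
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def validate_username(name):
    """Reject anything that is not a plausible user name before it is used."""
    if not USERNAME_RE.match(name):
        raise ValueError("invalid user name")
    return name


def render_greeting(name):
    # Output encoding for the HTML context: the value is escaped where it is
    # emitted, so user-controlled text cannot become markup.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("unsafe:", find_user_unsafe(db, probe))   # every row comes back
    print("safe:  ", find_user_safe(db, probe))     # nothing matches
    print(render_greeting("<b>alice</b>"))
```

The `find_user_unsafe` function is the pattern a static check should flag; the hardened path is validation first, a bound parameter for the query, and encoding at the point of output.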
build security integration
low hanging fruits
catch them early
Static Library Checks
Motivation
- very low hanging
- simple task
- check all dependencies against security vulnerability databases
- high potential
Static Library Checks
- remote code execution
- affected: 3.x < 3.2.2
- 3.2.2 released in november 2015
- affected: WebSphere, JBoss, Jenkins, WebLogic, and OpenNMS
- for some weeks on every tech news site
- Support for Java and .NET
- experimental support for Ruby, Node.js and Python
- maven and gradle plugin
conclusion
- quality of base data
- initial data retrieval
- require some attention (proxy, cache directory)
- manual interpretation of result required
- good alarming
- dependency graph
- Ruby or JavaScript Support (at the moment)
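The static library check described above, as an added example that is not from the talk or any of the tools it mentions: a small dependency check that matches a component list against a vulnerability database with affected version ranges such as "3.x < 3.2.2", reports findings for manual interpretation, and decides whether the build should fail. The database entries, package names and manifest lines are constructed placeholders; version comparison is simplified to dotted-numeric tuples (real Maven and Debian version ordering has more rules). The same check can be run in a separate CI job against the component list of a deployed version or the OS package list of a container layer.

```python
"""Added example: match components against a vulnerability database.
All package names, versions and database entries below are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    ecosystem: str   # "maven" (group:artifact) or "deb" (OS package)
    package: str
    affected: str    # range expression, e.g. "3.x < 3.2.2" or ">= 1.0.0 < 1.0.2"
    severity: str    # LOW / MEDIUM / HIGH / CRITICAL
    summary: str


# Constructed database; the first entry mirrors the "3.x < 3.2.2" range shape
# from the talk but uses a placeholder artifact name.
VULN_DB = [
    Vuln("maven", "org.example:example-collections", "3.x < 3.2.2", "CRITICAL",
         "remote code execution (constructed entry)"),
    Vuln("deb", "libexample-ssl", ">= 1.0.0 < 1.0.2", "HIGH",
         "memory-safety bug in an OS library (constructed entry)"),
]

SEVERITY_ORDER = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]
CLAUSE_RE = re.compile(r"(>=|<=|<|>)?\s*(\d+(?:\.\d+)*(?:\.x)?)")


def parse_version(text):
    """Simplified: '3.2.2' -> (3, 2, 2). Qualifiers like '-SNAPSHOT' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_affected(version, affected):
    """True when `version` satisfies every clause of the range expression."""
    v = parse_version(version)
    for op, ver in CLAUSE_RE.findall(affected):
        if ver.endswith(".x"):                    # prefix clause, e.g. "3.x"
            prefix = parse_version(ver[:-2])
            if v[:len(prefix)] != prefix:
                return False
            continue
        w = parse_version(ver)
        ok = {">=": v >= w, "<=": v <= w, "<": v < w, ">": v > w, "": v == w}[op]
        if not ok:
            return False
    return True


def parse_component(line):
    """'group:artifact:version' -> maven; 'name version' -> deb (dpkg-query style)."""
    line = line.strip()
    if ":" in line:
        group, artifact, version = line.split(":")[:3]
        return ("maven", f"{group}:{artifact}", version)
    name, version = line.split()
    return ("deb", name, version)


def check_components(lines, db=VULN_DB):
    """Return (package, version, severity, summary) for every match."""
    findings = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        eco, name, version = parse_component(line)
        for vuln in db:
            if vuln.ecosystem == eco and vuln.package == name \
                    and is_affected(version, vuln.affected):
                findings.append((name, version, vuln.severity, vuln.summary))
    return findings


def build_should_fail(findings, threshold="HIGH"):
    """Alarm only at or above the threshold; lower findings are reported for review."""
    limit = SEVERITY_ORDER.index(threshold)
    return any(SEVERITY_ORDER.index(sev) >= limit for _, _, sev, _ in findings)


# Constructed manifest: Maven coordinates plus OS package lines from a container layer.
SAMPLE_MANIFEST = """\
# constructed sample input
org.example:example-collections:3.2.1
org.example:example-collections:3.2.2
org.example:other-lib:1.4.0
libexample-ssl 1.0.1
libexample-ssl 1.0.2
""".splitlines()


if __name__ == "__main__":
    found = check_components(SAMPLE_MANIFEST)
    for name, version, sev, summary in found:
        print(f"{sev:8} {name} {version}: {summary}")
    print("fail build:", build_should_fail(found))
```

Two of the six manifest lines match: the 3.2.1 artifact and the 1.0.1 OS package. The 3.2.2 and 1.0.2 lines sit exactly on the fixed versions and are not reported, which is the boundary a range parser most often gets wrong.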
Docker Trusted Repository
- analyse all layers of all containers
- focus: operating system libraries
- configurable actions on this database
- stop risky components from entering software supply chain
- audit software
- security and licence reports based on Sonatype’s data services (SDS)
- based on full proxy content
- central risk management
- no direct link to affected builds
- cloud based
- AI
- scanning of open sources repos
- validated database
- free hobby plan (many limitations)
- cloud & hybrid on-premises ($$)
- javascript security scanner
- support for many javascript libraries
- some of the latest frameworks are missing
- some security checks in normal check base
- security checks must not follow the "no false positives" rule
- manual reviewing and flagging required
- reporting and flagging in web interface
- support for java, jsp, C#, javascript, php
- java: findbugs
rules with different (usually better) results
Automated vulnerability scanning
the beginning of pen testing
- proxy mode:
- passive analyses
- training for navigation
- discover
- classic robot (spider)
- ajax spider (based on full browser)
- attacks
integrate with automated UI Tests
- spider is limited
- passive scan
- use ui tests as base for attacks
api
- script your full attack setup
- ...
- powerful automated tests
- proxy only for login and initial training
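Scripting the scanner through its API, as an added example (not from the talk or from the ZAP project): a CI gate that reads the alert list a proxy scanner such as ZAP produces after the UI tests have run through it, deduplicates the alert instances, honours reviewer-flagged accepted risks, and fails the job only at or above a chosen risk level. `fetch_alerts` uses the URL shape of ZAP's `core/view/alerts` JSON endpoint; the host, port and API key are assumptions. The alert records below are constructed and use only the `name`, `risk`, `confidence`, `url` and `param` fields.

```python
"""Added example: gate a CI job on scanner alerts.  The alert list is
constructed; fetch_alerts() shows the live call but is not exercised here."""
import json
import urllib.parse
import urllib.request

RISK_ORDER = ["Informational", "Low", "Medium", "High"]


def fetch_alerts(target_url, zap_host="http://localhost:8080", api_key=""):
    """Read alerts for `target_url` from a running ZAP instance (assumed reachable)."""
    query = urllib.parse.urlencode({"baseurl": target_url, "apikey": api_key})
    with urllib.request.urlopen(f"{zap_host}/JSON/core/view/alerts/?{query}") as resp:
        return json.load(resp)["alerts"]


def evaluate_alerts(alerts, fail_on="High", accepted=()):
    """Return a report dict; `accepted` holds (name, url) pairs a reviewer has
    flagged after manual interpretation, so they never fail the build again."""
    limit = RISK_ORDER.index(fail_on)
    accepted = set(accepted)
    seen = set()
    findings, failing = [], []
    for a in alerts:
        name = a.get("name") or a.get("alert")
        key = (name, a["url"], a.get("param", ""))
        if key in seen:                      # same alert on the same parameter
            continue
        seen.add(key)
        entry = {"name": name, "risk": a["risk"], "confidence": a.get("confidence", ""),
                 "url": a["url"], "param": a.get("param", "")}
        findings.append(entry)
        if RISK_ORDER.index(a["risk"]) >= limit and (name, a["url"]) not in accepted:
            failing.append(entry)
    return {"fail": bool(failing), "failing": failing, "all": findings}


# Constructed alert list in the shape the alerts endpoint returns.
SAMPLE_ALERTS = [
    {"name": "X-Content-Type-Options Header Missing", "risk": "Low",
     "confidence": "Medium", "url": "http://app.test/", "param": "X-Content-Type-Options"},
    {"name": "SQL Injection", "risk": "High", "confidence": "Medium",
     "url": "http://app.test/search", "param": "q"},
    {"name": "SQL Injection", "risk": "High", "confidence": "Medium",
     "url": "http://app.test/search", "param": "q"},     # duplicate instance
    {"name": "Cross Site Scripting (Reflected)", "risk": "High", "confidence": "Low",
     "url": "http://app.test/echo", "param": "msg"},
]


if __name__ == "__main__":
    result = evaluate_alerts(SAMPLE_ALERTS, fail_on="High")
    for f in result["all"]:
        print(f"{f['risk']:6} {f['confidence']:6} {f['name']} {f['url']} [{f['param']}]")
    raise SystemExit(1 if result["fail"] else 0)
```

The accepted list is where the "manual reviewing and flagging" step lands: a reviewer confirms a finding is a false positive or accepted risk once, and the gate stops alarming on it while still listing it in the report.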
- powerful cli
- ruby based
- no integration with java workflows
- pen testing REST-Services
- very good tool for manual pen testing
- some support for automation and regression (not in free edition)
- focus on general port tests
- create bdd description for security tests
- use tools like ZAP
- integrate setup of tools and applications with selenium, ...
- result uses junit frontend
applications in production
ensure coverage of deployed environments
- some systems are deployed for weeks or months without update
- library and operating system:
- execute checks in separate CI jobs for deployed versions
- monitor docker trusted repository with test container instantiations
conclusion
- security is a process
- tools don't replace a security specialist
- tools are only an add-on
- but help to focus on more sophisticated tests
- security testing within a Docker environment is nice
next steps
- password security
- signing artifacts
- intrusion detection
- adapted monitoring
- application intrusion detection
- ...
- Consulting, coaching and project support
- Java EE
- Build systems: Gradle and Maven/Ant migration
- Test automation
- Coach in agile projects
- DevOps