Static Analysis Security Tools in QIWI Secure Development Life Cycle
Ivan Elkin
Application Security Expert
Qiwi
~$ whoamI
- Qiwi, Application Security
- Developer
- Vulners.com team
- JBFC Member
More than Two Years ago...
Qiwi Development Lifecycle
(diagram: roles Business, QA, Support, ISEC; flow New TASK -> DEV: Programming -> Testing -> Regress testing -> Release; Bug and Functional bug feed back into the cycle)
Qiwi OLD Development Lifecycle
(diagram: roles SA, QA, TRBL, ISEC; flow New TASK -> DEV: Programming -> Testing -> Regress testing -> Release; Bug and Functional bug feed back into the cycle; ISEC tests shown as a separate ISEC step)
Qiwi OLD Development Lifecycle
First standard steps were:
- Periodical pentests
- Bug bounty program
- Deep dive into the code of each release
- Some fuzz scans on several projects
- ….
- ….
- Lots of other standard security stuff
Qiwi OLD Development Lifecycle
But:
- Low test coverage
- Manual testing takes time
- You have no time
- Some functionality you didn’t hear about before a bug was found
- More than 30 big projects/applications!
Sometimes it was like fire fighting…
- Hackerone
- Real attacks
Qiwi OLD Development Lifecycle
First hours after the bug bounty program opened
Task:
- More than 30 projects and applications
- 6 main programming languages
- A horde of programmers
- An infinity of business tasks
- 1-2 AppSec specialists
…
How to protect the internet from ourselves?
Something should be changed… we want SDLC!
So we expected:
Secure Development Lifecycle by MS
Automate all the things!!
Things we’ve done
QSDL
(diagram: roles SA, QA, TRBL, ISEC; flow New TASK -> Programming -> Testing -> Regress testing -> Release; Bug and Functional bug feed back into the cycle; added steps Refactoring, SAST, ISEC, SD)
QSDL - New Task
In case of a new task:
- Threat modeling
- First security review
- If the task relates to a side project, do a security review and testing of that project too
QSDL - Design and Programming
- Now programmers know what XSS and so on mean, so design and development follow a concept of secure programming
- A trigger on TeamCity test deploys starts SAST after a programmer merges a pull request into the release branch
- Email about new vulnerabilities found by SAST
- Automatic tasks in Jira
- Anytime review of previous scans with detailed inspection of each scan alert
This concept applies to projects with a short lifecycle (releases several times a week)
QSDL - Pre-Release Cycle
- Verification by SAST, triggered on TeamCity before the release deploy
- Auto fuzz tests
- Manual pentests, extra scanners
- Security code review
This concept applies to projects with a long lifecycle (one release every two weeks)
QSDL - Release
- In the context of a short release cycle we check whether the release can go out (the results of the intermediate autotests) and provide recommendations for changes
- Monitoring of releases by ourselves
Static code analysis tool:
- searching security bugs by
creating DOM-model of program
code calls
- one of key spec is
searching of second order
injections, stored injections and
so on by walking through DOM-
tree
- Some Vendors sells it as a
main tool of SDLC flow
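To make the "walk through the tree" point concrete, here is an added toy example (not the vendor's engine and not code from the talk): a breadth-first taint walk over a hand-built data-flow graph. The graph, node labels and the store/load pairing are constructed; the point it shows is that the stored (second-order) injection is only visible once the database write in one handler is linked to the read in another.

```python
from collections import defaultdict, deque

# Constructed data-flow graph: each edge carries a value from one statement
# to the next. Labels are illustrative, not from any real project.
EDGES = [
    ("param:name", "profile.setName"),          # request parameter read
    ("profile.setName", "store:users.name"),    # written to the database
    ("load:users.name", "report.title"),        # read back in another handler
    ("report.title", "sink:stmt.execute"),      # concatenated into SQL
]
SOURCES = {"param:name"}
SINKS = {"sink:stmt.execute"}
# storage key -> (store node, load node): the hop a per-function analysis misses
STORAGE = {"users.name": ("store:users.name", "load:users.name")}


def build_adjacency(edges, storage):
    adj = defaultdict(list)
    for src, dst in edges:
        adj[src].append(dst)
    # Link every store node to its matching load node so the taint walk
    # follows data through persistence, not only through direct calls.
    for store, load in storage.values():
        adj[store].append(load)
    return adj


def find_taint_paths(edges, sources, sinks, sanitizers, storage):
    """Return every source->sink path that does not pass through a sanitizer."""
    adj = build_adjacency(edges, storage)
    found = []
    for source in sources:
        queue = deque([[source]])
        while queue:
            path = queue.popleft()
            node = path[-1]
            if node in sinks:
                found.append(path)
                continue
            for nxt in adj.get(node, []):
                if nxt in sanitizers or nxt in path:  # sanitized or cyclic
                    continue
                queue.append(path + [nxt])
    return found


def crosses_storage(path, storage):
    """True when the path passes through a store/load pair (second-order flow)."""
    return any(s in path and l in path for s, l in storage.values())


if __name__ == "__main__":
    for p in find_taint_paths(EDGES, SOURCES, SINKS, set(), STORAGE):
        kind = "second-order" if crosses_storage(p, STORAGE) else "first-order"
        print(kind, " -> ".join(p))
```

Dropping the STORAGE mapping (or marking the load as a sanitizer) makes the same walk report nothing, which is exactly the blind spot of analysing each request handler on its own.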
Other good features
- Best coding practice
- Deprecated methods
- Syntax sugar
- Searching for logic errors => performance improvement
- Infinite loop
- Switch without break
- Inline if
- Buffer size which depends on user input
- Empty exceptions
- Syntax errors
- Bad class casts
Not so ideal...
CX
SAST Scanner - Under the hood
1. How to start a scan
Vendor told:
“.. Scanner should receive only clear code”
And he is right!
Ok, but what about:
- Libraries
- Dependencies
- Maven
- Dynamic code injection
SAST Scanner - Under the hood
Control Server:
- source pulling
- compile
- code injecting
- custom flow
- monitoring
- mail
- tags
SAST Scanner - Under the hood
Welcome! A project that compresses one project so that another project can scan it!
Common process of deploys and scans:
- Developer starts a task in TC (hook, or manual)
- TC build agent starts a client script which sends a request about the branch to the Control Server (VCS, branch, build-id)
- Control Server:
  - Fetch source from VCS
  - Compile code
  - Fetch dependencies from VCS or Maven (if you have sources)
  - Make own dependency injection flow (if SAST does not support it)
  - Make own programming language flow
  - Monitoring that everything works
- Results:
  - TC tags for builds (if the build is vulnerable, we can’t pass it to release)
  - Email to ISEC and developer
  - Monitoring that everything is done
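The results step above (tag the build, mail ISEC and the developer) as an added example; this is not QIWI's Control Server code. It assumes findings can be fingerprinted by rule, file and sink expression, and a policy (an assumption) that any high finding tags the build "vulnerable" while the e-mail lists only findings not seen in the previous scan; severities, tag names and sample findings are constructed.

```python
from dataclasses import dataclass
from hashlib import sha256

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}
BLOCKING_SEVERITY = "high"  # assumed policy: any high finding blocks the release


@dataclass(frozen=True)
class Finding:
    rule: str       # scanner rule / query name
    file: str       # path inside the project
    sink: str       # sink expression; used instead of a line number
    severity: str

    def fingerprint(self) -> str:
        # Line numbers shift between commits; rule + file + sink is stable
        # enough to recognise the same alert across consecutive scans.
        raw = "|".join((self.rule, self.file, self.sink)).encode()
        return sha256(raw).hexdigest()[:16]


@dataclass(frozen=True)
class ScanRequest:
    vcs: str        # what the TC client script sends to the Control Server
    branch: str
    build_id: str


def new_findings(current, previous):
    """Findings in this scan whose fingerprint was absent from the previous one."""
    seen = {f.fingerprint() for f in previous}
    return [f for f in current if f.fingerprint() not in seen]


def build_tag(findings):
    """TeamCity tag for the build; 'vulnerable' means it cannot go to release."""
    worst = max((SEVERITY_RANK[f.severity] for f in findings), default=0)
    return "vulnerable" if worst >= SEVERITY_RANK[BLOCKING_SEVERITY] else "sast-clean"


def scan_report(request, current, previous):
    """Tag from all current findings; e-mail only about findings new in this scan."""
    fresh = new_findings(current, previous)
    tag = build_tag(current)
    return {
        "build_id": request.build_id,
        "branch": request.branch,
        "tag": tag,
        "release_allowed": tag != "vulnerable",
        "new_findings": sorted(f.fingerprint() for f in fresh),
        "notify": ["isec", "developer"] if fresh else [],
    }


# Constructed sample data for two consecutive scans of the same branch
PREVIOUS = [Finding("SQL_Injection", "src/Report.java", "stmt.execute(q)", "high")]
CURRENT = [
    Finding("SQL_Injection", "src/Report.java", "stmt.execute(q)", "high"),  # already known
    Finding("Reflected_XSS", "src/Hello.jsp", "out.print(name)", "medium"),   # new this scan
]

if __name__ == "__main__":
    print(scan_report(ScanRequest("git", "release/1.0", "build-42"), CURRENT, PREVIOUS))
```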
SAST Scanner - Under the hood
2. I want to see the full flow from client to server
So, I expect
Vendor told:
“.. Each part of code should be independent ..”
And he is right!
SAST Scanner - Under the hood
(diagram: flow across JS, JAVA, PLSQL, JAVA)
SAST Scanner - Under the hood
3. I want to write dynamic code!!!
We all love dynamic code with
- Dependency injection
- Generics and so on

public interface FieldsChanger {
    Collection<FormField> change(FieldsChangerDTO fieldsChangerDTO);
}

<bean id="fieldsChanger" class="ru.mw.webui.person.form.changer.ExtendableFieldsChanger">
    <constructor-arg>
        <map key-type="ru.mw.webui.person.data.FieldSetRule">
            <entry key-ref="mainFieldSetRule">
                <bean class="ru.mw.webui.person.form.changer.PlaceHolderFieldsChanger"/>
            </entry>
        </map>
    </constructor-arg>
</bean>
Vendor told:
“.. Not all code can be statically analysed ..”
And he is right!
But we can do: dynamic -> static

public interface FieldsChanger {
    Collection<FormField> change(FieldsChangerDTO fieldsChangerDTO);
}

public interface FieldsChanger1 {
    Collection<DefaultFormField> change(DefaultFieldsChangerDTO fieldsChangerDTO);
}
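One mechanical way to do the "dynamic -> static" step above, as an added example (not QIWI's tooling): given the interface source and the concrete types that the Spring configuration binds at runtime, emit one numbered copy of the interface per binding so the scanner sees resolvable classes. The interface text is the one from the slide; the second binding (PlaceHolderFormField, PlaceHolderFieldsChangerDTO) is a constructed, hypothetical type pair.

```python
import re

INTERFACE_SRC = """public interface FieldsChanger {
Collection<FormField> change(FieldsChangerDTO fieldsChangerDTO);
}"""

# Each binding maps an abstract type to the concrete type wired in by Spring.
# The second entry is hypothetical; only the first matches the slide.
BINDINGS = [
    {"FormField": "DefaultFormField", "FieldsChangerDTO": "DefaultFieldsChangerDTO"},
    {"FormField": "PlaceHolderFormField", "FieldsChangerDTO": "PlaceHolderFieldsChangerDTO"},
]


def interface_name(src):
    m = re.search(r"\binterface\s+(\w+)", src)
    if not m:
        raise ValueError("no interface declaration found")
    return m.group(1)


def specialise(src, binding, index):
    """Copy of src with abstract types replaced and the interface name suffixed."""
    name = interface_name(src)
    out = src
    for abstract, concrete in binding.items():
        # Word boundaries keep FormField from matching inside DefaultFormField
        # and are case-sensitive, so the parameter fieldsChangerDTO is untouched.
        out = re.sub(rf"\b{re.escape(abstract)}\b", concrete, out)
    return re.sub(rf"\binterface\s+{name}\b", f"interface {name}{index}", out)


def monomorphise(src, bindings):
    """One specialised interface per binding: FieldsChanger1, FieldsChanger2, ..."""
    return [specialise(src, b, i + 1) for i, b in enumerate(bindings)]


if __name__ == "__main__":
    for copy in monomorphise(INTERFACE_SRC, BINDINGS):
        print(copy, end="\n\n")
```

The same substitution has to be applied to the implementations the generated interfaces point at, otherwise the scanner gains a resolvable type but still loses the call edge.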
SAST Scanner - Under the hood
4. I want to write in Scala, Go and use all the new frameworks!
Vendor told:
“.. You are so modern
… everything for your money! ..”
And he is right!
SAST Scanner - Under the hood
5. It found only one XSS and 100500 strange things!? What happened???
Vendor told:
“.. Each project is unique
and each has its own bicycles! ..”
And he is right!
Be ready to read tons of code!
Bad news:
- while we were setting up the scanner, some guys found two really good bugs first :(
Remember:
- look into all types of bugs, some could be flagged as low severity
- some frameworks are still not supported out of the box
So,
To start it
- Put all your libraries into your own CDN
- Write 20k lines of code for the Control Server and Client
- Invent your own compiling system
- Write your own monitoring system
To make code ‘scannable’
- Read kilometers of code
- Find each input and output point
- Write more than 100 of your own scan rules
Achieved:
- Found about 25 bugs in main projects
- XXE, RCE, XSS, SQLi
- 32 projects were added to autoscan
- Full SDLC in your company!
- It was made by 2 people!!
Thanx!
Questions?
@vankyv3r

Использование анализатора кода SonarQubePositive Hack Days
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityPositive Hack Days
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Positive Hack Days
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для ApproofPositive Hack Days
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Positive Hack Days
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложенийPositive Hack Days
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложенийPositive Hack Days
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application SecurityPositive Hack Days
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летPositive Hack Days
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиPositive Hack Days
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОPositive Hack Days
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке СиPositive Hack Days
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CorePositive Hack Days
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опытPositive Hack Days
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterPositive Hack Days
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиPositive Hack Days
 

More from Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows Docker
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive Technologies
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + Qlik
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQube
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps Community
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для Approof
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложений
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application Security
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опыт
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services Center
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атаки
 

Recently uploaded

Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard37
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 

Recently uploaded (20)

Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 

Static code analysis in the context of SSDL

  • 1. Static Analysis Security Tools in QIWI Secure Development Life Cycle Ivan Elkin Application Security Expert Qiwi
  • 2. ~$ whoamI - Qiwi, Application Security - Developer - Vulners.com team - JBFC Member
  • 3. More than Two Years ago...
  • 5.
  • 6. Qiwi OLD Development Lifecycle SA QA TRBL ISEC TASK DEV Testing Regress testing Release Bug Programming Functional bug New TASK ISEC ISEC tests
  • 7. Qiwi OLD Development Lifecycle Testing Regress testing Release Functional bug New TASK ISEC ISEC tests First standard steps were: - Periodical pentests - Bug bounty program - Deep dive into the code of each release - Some fuzz scans on several projects - …. - …. - Lots of other standard sec-stuff
  • 8. Qiwi OLD Development Lifecycle Testing Regress testing Release Functional bug New TASK ISEC ISEC tests But: - Low test coverage - Manual testing takes time - You have no time - Some functionality you had never heard of before a bug was found in it - More than 30 big projects/applications!
  • 9. Sometimes it was like firefighting… - HackerOne - Real attacks Qiwi OLD Development Lifecycle First hours after the bug bounty program opened
  • 10. Task: - More than 30 projects and applications - 6 main programming languages - A horde of programmers - An infinity of business tasks - 1-2 AppSec specialists … How to protect the internet from ourselves?
  • 11. Something should be changed… we want SDLC! So we expected:
  • 16. Automate all the things!!
  • 19. SA QA TRBL ISEC TASK Refactoring QSDL - New Task In case of a new task: - Threat modeling - First security review - If the task relates to a side project, do a security review and testing of that project as well
  • 20. Testing Bug Programming QSDL - Design and Programming - Now programmers know what XSS and the like mean, so design and development follow secure programming concepts - A trigger on TeamCity test deploys starts SAST after a programmer merges a pull request into the release branch - E-mail about new vulnerabilities found by SAST - Automatic tasks in Jira - Review of previous scans at any time, with detailed inspection of each scan alert This concept applies to projects with a short lifecycle (several releases a week)
  • 21. Testing Regress testing Bug Programming QSDL - Pre-Release Cycle - Verification by SAST, triggered on TeamCity before the release deploy - Auto fuzz tests - Manual pentests, extra scanners - Security code review This concept applies to projects with a long lifecycle (one release every two weeks)
  • 22. QSDL - Release - In a short release cycle we check whether the release can go out (based on the results of the intermediate autotests) and provide recommendations for changes - We monitor releases ourselves Release
  • 24. SAST
  • 25. Static code analysis tool: - searches for security bugs by building a DOM model of the program code and its calls - one of its key features is finding second-order injections, stored injections and so on by walking the DOM tree - Some vendors sell it as the main tool of the SDLC flow
  • 26. Other good features - Best coding practice - Deprecated methods - Syntax sugar - Searching for logic errors => performance improvement - Infinite loop - Switch without break - Inline if - Buffer size that depends on user input - Empty exception handlers - Syntax errors - Bad class casts
  • 28. CX
  • 29. SAST Scanner - Under the hood 1. How to start scan
  • 30. The vendor said: “.. The scanner should receive only clean code” And he is right! OK, but what about: Libraries, Dependencies, Maven, Dynamic code injection SAST Scanner - Under the hood
  • 31. - source pulling - compile - code injecting - custom flow - monitoring - mail - tags Control Server SAST Scanner - Under the hood Welcome! A project that compresses a project for another project, so that the other project can scan the first one!
  • 32. Common process of deploys and scans - The developer starts a task in TC (hook, or manually) - The TC build agent starts a client script that sends a request about the branch to the Control Server (VCS, branch, build id) - Control Server: - Fetch source from VCS - Compile code - Fetch dependencies from VCS or Maven (if you have the sources) - Run our own dependency injection flow (if SAST does not support it) - Run our own programming language flows - Monitor that everything works - Results: - TC tags for builds (if the build is vulnerable, we can’t pass it to release) - E-mail to ISEC and the developer - Monitor that everything is done
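The result-handling end of the flow on slide 32 (TC tag, e-mail to ISEC and the developer) combined with the "e-mail about new vulnerabilities" step of slide 20, as an added example that is not QIWI's control-server code. It assumes the scanner's findings have already been exported to a simple record per finding (constructed sample below); the blocking policy (High severity, plus a couple of rule names that block at any severity, following slide 45's warning that real bugs can be tagged low-level), the mailbox and the repository URL are assumptions. Findings are fingerprinted by rule, file and sink expression rather than line number, so a finding that merely moved a few lines is not reported as new.

```python
"""Release gate and new-finding notification for one SAST run (added example)."""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Finding:
    rule: str       # scanner query name, e.g. "SQL_Injection"
    severity: str   # "High", "Medium" or "Low"
    file: str       # path of the sink relative to the repository root
    line: int       # sink line, used for the report only
    sink: str       # sink expression text, part of the fingerprint

    def fingerprint(self) -> str:
        # Identity that survives unrelated edits: rule + file + sink text.
        # The line number is left out on purpose: it shifts whenever code
        # above the sink changes, which would make every old finding "new".
        raw = f"{self.rule}|{self.file}|{self.sink}".encode()
        return hashlib.sha256(raw).hexdigest()[:16]


@dataclass(frozen=True)
class ScanRequest:
    vcs: str         # repository the client script reported
    branch: str
    build_id: str
    developer: str   # e-mail of the developer who merged


# Assumed policy, not QIWI's: High findings block the build, and a few rules
# block at any severity because the scanner may rate them low.
BLOCKING_SEVERITIES = {"High"}
ALWAYS_BLOCK_RULES = {"XXE", "Command_Injection"}
ISEC_MAILBOX = "isec@example.invalid"   # placeholder address


def new_findings(current, previous):
    """Findings of the current scan whose fingerprint the previous scan lacked."""
    seen = {f.fingerprint() for f in previous}
    return [f for f in current if f.fingerprint() not in seen]


def is_blocking(f):
    return f.severity in BLOCKING_SEVERITIES or f.rule in ALWAYS_BLOCK_RULES


def build_tag(current):
    """TeamCity tag for the build: a 'vulnerable' build cannot go to release."""
    return "sast:vulnerable" if any(is_blocking(f) for f in current) else "sast:clean"


def notifications(req, fresh):
    """Mail bodies keyed by recipient; empty when nothing new was found,
    so unchanged findings from earlier scans do not generate noise."""
    if not fresh:
        return {}
    lines = [f"[{f.severity}] {f.rule} {f.file}:{f.line} <- {f.sink}" for f in fresh]
    head = f"{req.vcs}@{req.branch} build {req.build_id}: {len(fresh)} new finding(s)"
    body = head + "\n" + "\n".join(lines)
    return {ISEC_MAILBOX: body, req.developer: body}


def process_scan(req, current, previous):
    fresh = new_findings(current, previous)
    return {"tag": build_tag(current), "new": fresh, "mail": notifications(req, fresh)}


# Constructed sample: scanner output for the previous and the current build
# of the same release branch. The SQLi sink moved three lines but is the
# same finding; XSS and XXE are genuinely new.
PREVIOUS = [
    Finding("SQL_Injection", "High", "dao/UserDao.java", 88, "stmt.executeQuery(sql)"),
    Finding("Log_Forging", "Low", "web/LoginServlet.java", 41, "log.info(user)"),
]
CURRENT = [
    Finding("SQL_Injection", "High", "dao/UserDao.java", 91, "stmt.executeQuery(sql)"),
    Finding("Log_Forging", "Low", "web/LoginServlet.java", 41, "log.info(user)"),
    Finding("Reflected_XSS", "Medium", "web/search.jsp", 12, "out.print(q)"),
    Finding("XXE", "Low", "api/XmlImport.java", 57, "builder.parse(in)"),
]
REQUEST = ScanRequest("git@vcs.example.invalid:pay/webui.git", "release/1.42",
                      "4711", "dev@example.invalid")

if __name__ == "__main__":
    result = process_scan(REQUEST, CURRENT, PREVIOUS)
    print(result["tag"])                       # sast:vulnerable
    for f in result["new"]:
        print("NEW", f.rule, f.file)           # Reflected_XSS, XXE
    for rcpt in result["mail"]:
        print("mail ->", rcpt)
```

The tag is computed over all current findings, not only the new ones: an old High that nobody fixed still keeps the build out of release, while the e-mail only carries what changed since the last scan of that branch.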
  • 33. SAST Scanner - Under the hood 2. I want to see full flow from client to server
  • 35. Vendor told: “.. Each part of code should be independent ..” And he is right! SAST Scanner - Under the hood JS JAVA PLSQL JAVA
  • 36. SAST Scanner - Under the hood 3. I want to write dynamic code!!!
  • 37. We all love dynamic code with dependency injection, generics and so on public interface FieldsChanger { Collection<FormField> change(FieldsChangerDTO fieldsChangerDTO); } <bean id="fieldsChanger" class="ru.mw.webui.person.form.changer. ExtendableFieldsChanger"> <constructor-arg> <map key-type="ru.mw.webui.person.data.FieldSetRule"> <entry key-ref="mainFieldSetRule"> <bean class="ru.mw.webui.person.form.changer.PlaceHolderFieldsChanger"/> </entry>
  • 38. The vendor said: “.. Not all code can be statically analysed ..” And he is right!
  • 39. But we can do: dynamic -> static public interface FieldsChanger { Collection<FormField> change(FieldsChangerDTO fieldsChangerDTO); } public interface FieldsChanger1 { Collection<DefaultFormField> change(DefaultFieldsChangerDTO fieldsChangerDTO); }
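The dynamic -> static rewrite of slide 39, as an added example rather than QIWI's own tooling: the interface from slide 37 is reproduced from the page, the Spring XML is a constructed, complete stand-in for the truncated fragment on slide 37, and the map from each wired implementation to the concrete types it works with is an assumption (on the slide that step is implicit). The script enumerates the implementations wired into a bean and emits one specialized copy of the interface per implementation, so the analyzer sees a concrete `change(DefaultFieldsChangerDTO)` returning `Collection<DefaultFormField>` instead of a call it cannot resolve. Identifier replacement is whole-word, so `FormField` is left alone inside `FormFieldSet`.

```python
"""Materialize DI bindings as concrete interface copies for SAST (added example)."""
import re
import xml.etree.ElementTree as ET

# Interface as shown on slides 37 and 39.
INTERFACE_SRC = """public interface FieldsChanger {
    Collection<FormField> change(FieldsChangerDTO fieldsChangerDTO);
}"""

# Constructed Spring XML in the shape of the slide-37 fragment; the
# MainFieldSetRule class name is a placeholder.
BEANS_XML = """<beans>
  <bean id="mainFieldSetRule" class="ru.mw.webui.person.data.MainFieldSetRule"/>
  <bean id="fieldsChanger" class="ru.mw.webui.person.form.changer.ExtendableFieldsChanger">
    <constructor-arg>
      <map key-type="ru.mw.webui.person.data.FieldSetRule">
        <entry key-ref="mainFieldSetRule">
          <bean class="ru.mw.webui.person.form.changer.PlaceHolderFieldsChanger"/>
        </entry>
      </map>
    </constructor-arg>
  </bean>
</beans>"""

# Assumed: concrete types each wired implementation really handles.
IMPL_BINDINGS = {
    "ru.mw.webui.person.form.changer.PlaceHolderFieldsChanger": {
        "FormField": "DefaultFormField",
        "FieldsChangerDTO": "DefaultFieldsChangerDTO",
    },
}


def wired_implementations(xml_text, bean_id):
    """Concrete classes of inner beans wired (at any depth) into bean_id."""
    root = ET.fromstring(xml_text)
    for bean in root.iter("bean"):
        if bean.get("id") == bean_id:
            # iter() yields the element itself first, so skip it.
            return [b.get("class") for b in bean.iter("bean")
                    if b is not bean and b.get("class")]
    return []


def specialize(interface_src, bindings, index):
    """Copy of the interface with abstract types replaced by concrete ones.

    bindings maps abstract identifier -> concrete identifier. The interface
    gets a numeric suffix (FieldsChanger -> FieldsChanger1) so several
    specialized copies can coexist next to the original.
    """
    m = re.search(r"\binterface\s+(\w+)", interface_src)
    if not m:
        raise ValueError("no interface declaration found")
    name = m.group(1)
    out = re.sub(rf"\b{re.escape(name)}\b", f"{name}{index}", interface_src)
    for abstract, concrete in bindings.items():
        # \b...\b: whole identifiers only, FormField stays inside FormFieldSet
        out = re.sub(rf"\b{re.escape(abstract)}\b", concrete, out)
    return out


def generate_static_variants(interface_src, xml_text, bean_id, impl_bindings):
    """One specialized interface per implementation wired into bean_id."""
    variants = []
    for i, impl in enumerate(wired_implementations(xml_text, bean_id), start=1):
        variants.append(specialize(interface_src, impl_bindings[impl], i))
    return variants


if __name__ == "__main__":
    for src in generate_static_variants(INTERFACE_SRC, BEANS_XML, "fieldsChanger", IMPL_BINDINGS):
        print(src)
```

The generated copies are meant only as input to the scanner, in the style of the "code injecting" step of the control server on slide 31; the production sources stay untouched.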
  • 40. SAST Scanner - Under the hood 4. I want to write in Scala and Go and use all the new frameworks!
  • 41. The vendor said: “.. You are so modern … everything for your money! ..” And he is right!
  • 42. SAST Scanner - Under the hood 5. It found only one XSS and 100500 strange things!? What happened???
  • 43. The vendor said: “.. Each project is unique and each has its own bicycles! ..” And he is right!
  • 44. Be ready to read tons of code!
  • 45. Bad news: - while we were setting up the scanner, some guys found two really good bugs first :( Remember: - look into all types of findings, some real bugs may be marked as low severity - some frameworks are still not supported out of the box
  • 46. So, to start it: - Put all your libraries into your own CDN - Write 20k lines of code for the Control Server and the client - Invent your own compilation system - Write your own monitoring system To make the code ‘scannable’: - Read kilometers of code - Find every input and output point - Write more than 100 of your own scan rules
  • 47. Achieved: - Found about 25 bugs in the main projects - XXE, RCE, XSS, SQLi - 32 projects were added to autoscan - Full SDLC in your company! - It was done by 2 people!!