
Devoxx 2013 - David Tillemans - Security Test Automation in Software Development using Open Source Tools


Slides from David's presentation at Devoxx on 14/11/2013.

Published in: Technology


  1. Information Security - Web Application Security: Security Test Automation in Software Development using Open Source Tools
  2. About Smals vzw-asbl
     • One of Belgium's largest ICT organisations: 1750 people, "ICT for Society"
     • Work: e.g. Dimona-DmfA, salary & labour prestations
     • Health: e.g. the eHealth platform, secure exchange of medical data in Belgium
     • Family life: e.g. VESTA, home care for the elderly (financial / operational support)
     • In-house ICT service, working exclusively for the government
     • High priority for ICT security & privacy
  3. Introduction: Security Test Automation in Software Development using Open Source Tools
     • Can we do it?
     • What do we need? Source code, working parts of the application, and Selenium tests for the functional part
  4. Application Security Disclaimer: Hacking is illegal and can be punished under the legal framework of the information criminality laws (law of 28 November 2000 on informatics crime). So the methods we show here are illegal if used without the consent of the victim.
  5. Hacking is illegal under Belgian law. Article 550bis § 1: A person who, knowing that he is not entitled to it, gains access to a computer system or maintains himself in it, shall be punished with imprisonment from three months to one year and a fine of twenty-six to twenty-five thousand euro, or with one of these penalties. If the offence referred to in the first paragraph is committed with fraudulent intent, the imprisonment is six months to two years.
  6. Security myths: Firewalls…
     • Firewalls are always configured to allow web traffic, i.e. HTTP(S)
     • The attacker appears to the web application as a normal user
  7. Security myths: SSL secures the application…
     • Server-side SSL only guarantees confidentiality at the transport level
     • The attacker also uses the SSL tunnel
  8. Security myths: The application framework solves that…
     • Frameworks don't solve security issues
     • Some frameworks facilitate security, but not by default
     • Some frameworks do, by default; even then, workarounds exist that reintroduce the security problems
  9. OWASP Top Ten (2013 Edition)
  10. SQL Injection
     • Legitimate login, user John with password secret, builds SELECT user FROM users WHERE user='John' AND password='secret'; and returns John
     • Injected login, user xxx with password ' or 1=1;--, builds SELECT user FROM users WHERE user='xxx' AND password='' or 1=1;--'; the WHERE clause is now true for every row, the query returns Aaron, John, ... and the application greets the attacker with "Welcome, Aaron"
  11. Stored XSS: a stored message ("Coming home at 5 o'clock") carries <script>steal password</script>; every user who reads it runs the script and their passwords leak
  12. Reflected XSS: the input <script>steal password</script> is echoed unescaped into the error page, "Error: reason (<script>steal password</script>) unknown", so the victim's browser runs it and passwords leak
  13. Sensitive Data Exposure: clear text transmission
     • Confidential information is just sent back to the user
     • Improper web application implementation: secure and non-secure sections
     • Improper analysis of the information
     • Improper configuration: unsecured SESSION cookies
  14. Sensitive Data Exposure: error messages
     • Error messages for developers carry a lot of information to find the problem causing the error: stack traces in Java, SQL error messages from the database, PHP error messages, …
     • Those error messages give a lot of information to the hacker when displayed to him/her: information on the dataflow in the web application, database layout, operating system information, network information, application frameworks used
  15. Cross Site Request Forgery: while the victim is online to her bank, a forged request carrying t=10000&acc=001.1234567.27 is submitted on her behalf and the bank answers "Transaction successful"
  16. Secure SDLC (iterative approach)
     • Requirements and use cases: security requirements, risk analysis
     • Design: design review, risk-based security tests, test plans
     • Code: code review, static analysis (tools)
     • Test results: penetration testing
     • Field feedback
  17. FindBugs
     • Static source code analyzer
     • Works on Java byte code, so the source must compile!
     • Searches for bug patterns: finds bugs, finds false warnings
     • Eclipse plugin
     • By default almost all patterns are enabled
  18. FindBugs, security patterns:
     • DMI_CONSTANT_DB_PASSWORD: hardcoded constant database password
     • DMI_EMPTY_DB_PASSWORD: empty database password
     • EI_EXPOSE_REP: may expose internal representation by returning reference to mutable object
     • EI_EXPOSE_REP2: may expose internal representation by incorporating reference to mutable object
     • EI_EXPOSE_STATIC_REP2: may expose internal static state by storing a mutable object into a static field
     • MS_EXPOSE_REP: public static method may expose internal representation by returning array
  19. FindBugs, security patterns (continued):
     • SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE: nonconstant string passed to execute method on an SQL statement
     • SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING: a prepared statement is generated from a nonconstant String
     • XSS_REQUEST_PARAMETER_TO_SEND_ERROR: JSP reflected cross site scripting vulnerability
     • XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER: servlet reflected cross site scripting vulnerability in error page
     • RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE: nullcheck of value previously dereferenced
     • NP_NULL_ON_SOME_PATH: possible null pointer dereference
     • NP_NULL_ON_SOME_PATH_EXCEPTION: possible null pointer dereference in method on exception path
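The following is an added example, not code from the talk or from Smals: one servlet written the way slides 10, 12, 14 and 19 warn against, followed by the same servlet hardened so that none of those FindBugs patterns fires. The class names, the users table, the DB_PASSWORD environment variable and the JDBC URL are constructed for the illustration.

```java
// Added example (not from the slides): a lookup servlet before and after hardening.
// Class names, the "users" table and the JDBC URL are constructed for this illustration.
import java.io.IOException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Before: FindBugs reports DMI_CONSTANT_DB_PASSWORD, SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
 *  and XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER on this class. */
class VulnerableUserLookupServlet extends HttpServlet {
    private static final String DB_URL = "jdbc:h2:mem:demo";   // constructed sample URL
    private static final String DB_PASSWORD = "secret";         // DMI_CONSTANT_DB_PASSWORD

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");
        resp.setContentType("text/html;charset=UTF-8");
        try (Connection c = DriverManager.getConnection(DB_URL, "app", DB_PASSWORD);
             Statement st = c.createStatement()) {
            // SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE: with the slide-10 input
            // ' or 1=1;-- the WHERE clause becomes true for every row
            ResultSet rs = st.executeQuery(
                    "SELECT name FROM users WHERE name='" + user + "'");
            if (rs.next()) {
                resp.getWriter().println("Welcome, " + rs.getString("name"));
            } else {
                // XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER: slide-12 reflected XSS
                resp.getWriter().println("Error: user (" + user + ") unknown");
            }
        } catch (SQLException e) {
            // slide 14: database error text and stack trace go to the browser
            e.printStackTrace(resp.getWriter());
        }
    }
}

/** After: same behaviour for legitimate input, none of the patterns above fires. */
public class UserLookupServlet extends HttpServlet {
    private static final String DB_URL = "jdbc:h2:mem:demo";   // constructed sample URL

    /** Escape a string for use as HTML text (a library encoder would be used in practice). */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char ch = s.charAt(i);
            switch (ch) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(ch);
            }
        }
        return sb.toString();
    }

    /** Look a user up with a bound parameter; returns null when there is no match. */
    static String findUser(Connection c, String user) throws SQLException {
        try (PreparedStatement ps =
                     c.prepareStatement("SELECT name FROM users WHERE name = ?")) {
            ps.setString(1, user);                 // the input is data, never SQL text
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("name") : null;
            }
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");
        if (user == null || user.isEmpty() || user.length() > 64) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // the credential comes from the deployment environment, not from the source
        String dbPassword = System.getenv("DB_PASSWORD");
        String name;
        try (Connection c = DriverManager.getConnection(DB_URL, "app", dbPassword)) {
            name = findUser(c, user);
        } catch (SQLException e) {
            log("user lookup failed", e);           // detail stays in the server log
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }
        resp.setContentType("text/html;charset=UTF-8");
        if (name != null) {
            resp.getWriter().println("Welcome, " + escapeHtml(name));
        } else {
            resp.getWriter().println("Error: user (" + escapeHtml(user) + ") unknown");
        }
    }
}
```

Running FindBugs over the compiled classes of both versions is a quick way to confirm which of the slide-18 and slide-19 patterns a change actually removes; the hardened version also avoids the slide-14 leak by logging the exception server-side and returning a generic 500.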
  20. Demo FindBugs: Eclipse
  21. PMD
     • Static source code analyzer
     • Runs against the Java source code
     • Also searches for bug patterns
     • There are no real security patterns included
     • Gotham Digital Science has a security rule set
  22. PMD, security patterns: ArrayIsStoredDirectly, AvoidCatchingThrowable, AvoidPrintStackTrace, AvoidThrowingNullPointerException, DoNotCallSystemExit, ExceptionAsFlowControl, MethodReturnsInternalArray, MisplacedNullCheck
  23. Demo PMD: Eclipse
  24. Zed Attack Proxy
     • Intercepting proxy
     • Traditional and AJAX spiders
     • Automated scanner
     • Forced browsing
     • Fuzzer
     • Dynamic SSL certificates
     • Smartcard and client digital certificate support
  25. Zed Attack Proxy (continued)
     • Web sockets support
     • Support for a wide range of scripting languages
     • Plug-n-Hack support
     • Authentication and session support
     • Powerful REST based API
     • Automatic updating option
     • Integrated and growing marketplace of add-ons
  26. Demo Zaproxy: Eclipse
  27. Demo: Automatic build process with Maven, FindBugs, PMD and Zaproxy
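As an added configuration example (not the pom used in the talk's demo), the fragment below wires FindBugs and PMD into a Maven build so that the verify phase fails when either reports a finding, which is the build-breaking behaviour an automated pipeline needs. Plugin versions are omitted and must be pinned; the include-filter file name and the path of the Gotham Digital Science rule set are assumptions.

```xml
<!-- Added example, not from the talk's demo: fail the Maven build on FindBugs/PMD findings.
     Plugin versions are omitted here and should be pinned in a real pom. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.codehaus.mojo</groupId>
      <artifactId>findbugs-maven-plugin</artifactId>
      <configuration>
        <effort>Max</effort>
        <threshold>Low</threshold>
        <failOnError>true</failOnError>
        <!-- assumed file: a FindBugsFilter listing the patterns from slides 18 and 19 -->
        <includeFilterFile>${project.basedir}/findbugs-security-include.xml</includeFilterFile>
      </configuration>
      <executions>
        <execution>
          <id>findbugs-check</id>
          <phase>verify</phase>
          <goals><goal>check</goal></goals>
        </execution>
      </executions>
    </plugin>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-pmd-plugin</artifactId>
      <configuration>
        <failOnViolation>true</failOnViolation>
        <printFailingErrors>true</printFailingErrors>
        <rulesets>
          <!-- assumed location of the GDS security rule set mentioned on slide 21 -->
          <ruleset>${project.basedir}/pmd/gds-security-rules.xml</ruleset>
        </rulesets>
      </configuration>
      <executions>
        <execution>
          <id>pmd-check</id>
          <phase>verify</phase>
          <goals><goal>check</goal></goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

The check goals run the analysis first and then fail the build on any reported bug or violation; binding them to verify keeps the gate after the unit tests, so a Selenium or ZAP run in a later stage only starts on code that has already passed static analysis.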
  28. TODOs
     • Maven: Zed Attack Proxy and site phase integration
     • SONAR integration of Zed Attack Proxy
     • How about agile development? Can we integrate this process in TDD and BDD?
  29. Links
     • FindBugs™ - Find Bugs in Java Programs
     • PMD – Don't shoot the Messenger
     • OWASP Zed Attack Proxy Project - OWASP
     • ZAP Maven Plugin
     • Automated Security Testing of web applications using OWASP Zed Attack Proxy
     • Belgium - OWASP
     • Gotham Digital Science
  30. Resources
     • Books: Software Security, Microsoft Secure Development Lifecycle, Enterprise Security Architecture
  31. Reflection
     • Open source: a good start
     • Commercial tools: more integrated in their environment, perform better, come with a price
     • Manual review by experts: best results, expensive, non-constant reviews, very late in the process
  32. Questions