Devoxx 2013 - David Tillemans - Security Test Automation in Software Development using Open Source Tools

Slides from David's presentation at Devoxx on 14/11/2013.

Published in: Technology
1 Comment
  • Missed David Tillemans at Devoxx last week? Discover his slides on application security, test driven development and essential open source tools to test security already during the development process. Because writing secure software is so much better than plugging the holes afterwards.
1. Information Security - Web Application Security: Security Test Automation in Software Development using Open Source Tools

2. About Smals vzw-asbl
• One of Belgium's largest ICT organisations: 1750 people
• "ICT for Society"
  • Work: e.g. Dimona-DmfA (salary and labour prestations)
  • Health: e.g. the eHealth platform (secure exchange of medical data in Belgium)
  • Family life: e.g. VESTA (home care for the elderly: financial and operational support)
• In-house ICT service, working exclusively for the government
• High priority for ICT security and privacy

3. Introduction
• Security Test Automation in Software Development using Open Source Tools
• Can we do it?
• What do we need?
  • Source code
  • Working parts of the application
  • Selenium tests for the functional part

4. Application Security Disclaimer
Hacking is illegal and can be punished under the legal framework of the information criminality laws (Law of 28 November 2000 on computer crime). So the methods we show here are illegal if used without consent of the victim.

5. Hacking is illegal under Belgian law
Article 550bis § 1: A person who, while he knows that he is not entitled to it, gains access to a computer system, or maintains himself in it, shall be punished with imprisonment from three months to one year and a fine of twenty-six [euro] to twenty-five thousand [euro], or with one of these penalties. If the crime referred to in the first paragraph is committed with fraudulent intent, the imprisonment ranges from six months to two years.

6. Security myths: firewalls…
• Firewalls are always configured to allow web traffic (HTTP(S))
• The attacker appears to the web application as a normal user

7. Security myths: SSL secures the application…
• Server-side SSL only guarantees confidentiality at the transport level
• The attacker also uses the SSL tunnel

8. Security myths: the application framework solves that…
• Frameworks don't solve security issues
• Some frameworks facilitate security, but not by default
• Some frameworks do so by default, but workarounds exist that let developers reintroduce the security problems

9. OWASP Top Ten (2013 Edition)

10. SQL Injection
Login form input, normal case: user John, password secret. Injected case: user xxxx, password ' or 1=1;--
The query is built by concatenating the form fields into the SQL text:
  Normal:   SELECT user FROM users WHERE user='John' AND password='secret';
  Injected: SELECT user FROM users WHERE user='xxx' AND password='' or 1=1;--';
The injected condition is true for every row and the rest of the query is commented out, so the application logs the attacker in as the first user in the table: "Welkom, Aaron".
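How the slide's two queries behave when actually executed, as an added example that is not part of the talk: the concatenated query from the slide run against a constructed SQLite table holding the slide's users, beside the parameterised version that FindBugs' SQL_* patterns steer you towards. The table contents, the passwords and the function names are constructed for this example.

```python
import sqlite3

# Constructed in-memory users table mirroring the slide: "Aaron" is the first
# row, "John" logs in with password "secret". Plain-text passwords are kept
# only to match the slide; a real application stores salted password hashes.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("Aaron", "hunter2"), ("John", "secret")])
    return conn

def login_vulnerable(conn, user, password):
    """Builds the query by string concatenation, exactly as the slide does.
    The form input becomes part of the SQL text itself, so a quote closes
    the literal and ';--' comments out whatever follows."""
    sql = ("SELECT user FROM users WHERE user='" + user
           + "' AND password='" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None  # name of the user that gets logged in

def login_safe(conn, user, password):
    """Parameterised query: the driver sends the values separately from the
    SQL text, so quotes and comment markers in the input are just data."""
    row = conn.execute(
        "SELECT user FROM users WHERE user=? AND password=?",
        (user, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    payload = "' or 1=1;--"          # the slide's password field input
    db = make_db()
    print(login_vulnerable(db, "John", "secret"))   # John
    print(login_vulnerable(db, "xxx", payload))     # Aaron: every row matches
    print(login_safe(db, "xxx", payload))           # None: no such user
```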
11. Stored XSS
Diagram: a message "Coming home at 5 o'clock" with an embedded <script>steal password</script> is stored by the application; every user who later views the message runs the script, which sends their passwords to the attacker.

12. Reflected XSS
Request: http://site.com/index?<script>steal password</script>
Response: Error: reason (<script>steal password</script>) unknown
The request parameter is echoed unescaped into the error page, so the script runs in the victim's browser and can send the passwords to the attacker.

13. Sensitive Data Exposure: clear-text transmission
• Confidential information is just sent back to the user
  • Improper web application implementation
  • Secure and non-secure sections
  • Improper analysis of the information
  • Improper configuration
  • Unsecured SESSION cookies

14. Sensitive Data Exposure: error messages
• Error messages for developers carry a lot of information to find the problem causing the error
  • Stack traces in Java
  • SQL error messages from the database
  • PHP error messages
  • …
• Those error messages can give a lot of information to the hacker when displayed to him/her
  • Information on the data flow in the web application
  • Database layout
  • Operating system information
  • Network information
  • Application frameworks used

15. Cross Site Request Forgery
Diagram: the victim is online with her bank. A forged request to http://bank.com/transaction?amount=10000&acc=001.1234567.27 is triggered from another site; her session cookie is sent along, and the bank answers "Transaction successful".

16. Secure SDLC (iterative approach)
• Requirements and use cases: security requirements
• Design: design review, risk analysis
• Test plans: risk-based security tests
• Code: code review, static analysis (tools)
• Test results: penetration testing
• Field feedback

17. Findbugs
• Static source code analyzer
• Works on Java byte code: the source must compile!
• Searches for bug patterns
  • Find bugs
  • Find false warnings
• Eclipse plugin
• By default almost all patterns are enabled

18. Findbugs: security patterns
• DMI_CONSTANT_DB_PASSWORD: hardcoded constant database password
• DMI_EMPTY_DB_PASSWORD: empty database password
• EI_EXPOSE_REP: may expose internal representation by returning a reference to a mutable object
• EI_EXPOSE_REP2: may expose internal representation by incorporating a reference to a mutable object
• EI_EXPOSE_STATIC_REP2: may expose internal static state by storing a mutable object into a static field
• MS_EXPOSE_REP: public static method may expose internal representation by returning an array

19. Findbugs: security patterns (continued)
• SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE: nonconstant string passed to execute method on an SQL statement
• SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING: a prepared statement is generated from a nonconstant String
• XSS_REQUEST_PARAMETER_TO_SEND_ERROR: JSP reflected cross site scripting vulnerability
• XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER: servlet reflected cross site scripting vulnerability in error page
• RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE: null check of a value previously dereferenced
• NP_NULL_ON_SOME_PATH: possible null pointer dereference
• NP_NULL_ON_SOME_PATH_EXCEPTION: possible null pointer dereference in method on exception path

20. Demo Findbugs: Eclipse

21. PMD
• Static source code analyzer
• Runs against the Java source code
• Also searches for bug patterns
• There are no real security patterns included
  • Gotham Digital Science has a security rule set

22. PMD: security patterns
• ArrayIsStoredDirectly
• AvoidCatchingThrowable
• AvoidPrintStackTrace
• AvoidThrowingNullPointerException
• DoNotCallSystemExit
• ExceptionAsFlowControl
• MethodReturnsInternalArray
• MisplacedNullCheck

23. Demo PMD: Eclipse

24. Zed Attack Proxy
• Intercepting proxy
• Traditional and AJAX spiders
• Automated scanner
• Forced browsing
• Fuzzer
• Dynamic SSL certificates
• Smartcard and client digital certificate support

25. Zed Attack Proxy (continued)
• WebSockets support
• Support for a wide range of scripting languages
• Plug-n-Hack support
• Authentication and session support
• Powerful REST-based API
• Automatic updating option
• Integrated and growing marketplace of add-ons

26. Demo Zaproxy: Eclipse

27. Demo: Automatic Build Process
• Maven
• Findbugs
• PMD
• Zaproxy

28. TODOs
• Maven
  • Zed Attack Proxy and site phase integration
• SONAR integration of Zed Attack Proxy
• How about Agile development?
  • Can we integrate this process in TDD and BDD?

29. Links
• FindBugs™ - Find Bugs in Java Programs
• PMD – Don't shoot the Messenger
• OWASP Zed Attack Proxy Project - OWASP
• ZAP Maven Plugin
• Automated Security Testing of web applications using OWASP Zed Attack Proxy
• Belgium - OWASP
• Gotham Digital Science

30. Resources…
• Books:
  • Software Security
  • Microsoft Secure Development Lifecycle
  • Enterprise Security Architecture

31. Reflection
• Open source: a good start
• Commercial tools: more integrated in their environment and perform better, but come with a price
• Manual review by experts: best results, but expensive, non-constant reviews and very late in the process

32. Questions
