
Integration of Security Checks into the CI Pipeline

That an application has to be secured against attacks from the outside is no longer in question these days. The OWASP Top 10 are on everyone's lips. It is all the more surprising that in most projects the search for security vulnerabilities starts, at the earliest, once the software is finished. Yet there are a few ways to detect known security problems automatically during development and, through suitable feedback, to give the developer the chance to fix them promptly.

The talk presents various tools and shows which security problems can already be avoided during development through Continuous Integration.

Published in: Software

  1. Integration of Security Checks into the CI Pipeline @_openknowledge #WISSENTEILEN
  2. ABOUT ME
     • Software developer
     • Speaker
     • CI/CD whisperer
     • Angular(-ity)
     • Java EE
     Christian Schulz
  3. ABOUT OPEN KNOWLEDGE
     Industry-independent software development and IT consulting
  4. Why?
  5. Known incidents
     • 2018 Marriott 500 million
     • 2017 Equifax 143 million
     • 2016 Adult Friend Finder 422 million
     • 2015 Anthem 78 million
     • 2014 eBay 145 million, JP Morgan Chase 76 million
     OOPSIE!
  6. Software lifecycle: Product Design → Development → Testing → Deployment → Production → Product Design → Development (the cycle starts over)
  7. Software development …
  8. … is a never-ending story
  9. Security?
  10. WORKED FINE IN DEV, NOW OPS PROBLEM
  11. Software lifecycle: Product Design → Development → Testing → Deployment → Production; security measures shown on the diagram: penetration tests, Real-Time Application Self Protection or Web Application Firewall
  12. Safety net?
  13. Safety net: Web Application Firewall, Application ?!
  14. Why?
     • Approx. 90% of applications are vulnerable
     • Network solutions were not designed to protect at the application level
     • Modern web applications increase the security risks enormously
     • Attacks happen in secret
  15. The right time (costs by phase)
     During development: development costs
     After release: re-delivery, impact analysis, version rollback, delays, development costs
     After data loss: re-delivery, impact analysis, version rollback, reputational damage, compensation, monitoring, delays, development costs, legal costs
  16. But how?!
  17. OWASP & Co
  18. OWASP & Co
     • Open Web Application Security Project (OWASP)
       • Non-profit organization whose goal is to make WWW applications more secure
       • OWASP Top 10
     • Web Application Security Consortium (WASC)
       • Non-profit organization whose goal is to make WWW applications more secure
       • Best practices in implementation and defense
     • SysAdmin, Networking and Security (SANS) Institute
       • Provider of cybersecurity training and certifications
       • SANS Top20
     • MITRE Corporation
       • Non-profit organization that manages research institutes in the USA
       • CWE (Common Weakness Enumeration)
       • Common Attack Pattern Enumeration and Classification (CAPEC)
  19. Self-training
  20. WebGoat
     • Developed by OWASP
     • Java Spring
     • Insecure web application with security vulnerabilities
     • Playground for learning
     https://github.com/WebGoat/WebGoat
  21. WebGoat – example
  22. Damn Vulnerable Web Application (DVWA)
     • Developed by RandomStorm
     • PHP
     • Insecure web application with security vulnerabilities
     • Playground for learning
     https://github.com/ethicalhack3r/DVWA
  23. Juice Shop
     • Developed by OWASP
     • JavaScript
       • AngularJS
       • NodeJS
     • Insecure web application with security vulnerabilities
     • Playground for learning
     https://github.com/bkimminich/juice-shop
  24. Juice Shop – example
  25. Game of Hacks
     • Checkmarx
     • http://www.gameofhacks.com/
  26. Vulnerability analysis
  27. Software lifecycle: Product Design → Development → Testing → Deployment → Production; security measures shown on the diagram: security requirements, Static Application Security Testing, Dynamic Application Security Testing, penetration tests, Real-Time Application Self Protection or Web Application Firewall
  28. Requirements
     • Integration
       • IDE
       • Build tools
       • CI server
     • Can be run automatically
  29. Static Application Security Testing
  30. Static Application Security Testing
     Advantages
     ✓ Scalability
     ✓ Precise error descriptions
     ✓ Needs no running instance
     ✓ Detects SQL injection, buffer overflows, NPEs and the like
     ✓ No impact on (test) environments
     Disadvantages
     − False positives
     − Does not find all errors, e.g. in configuration or authentication
  31. Static Application Security Testing
     • Dependency analysis
       • OWASP Dependency Check
     • Source code analysis
       • PMD
     • Byte code analysis
       • findbugs
       • SpotBugs
       • find-sec-bugs
  32. SAST – vulnerable libraries
     CVE-2017-15708 Apache Commons Collection: remote code execution during object deserialization, fixed in versions 3.2.2 and 4.1
     CVE-2018-11771 Apache Commons Compress: denial of service when reading an archive through an infinite stream, fixed in version 1.18
  33. OWASP Dependency Check
     • Analyzes dependencies
     • Searches for known CVEs (Common Vulnerabilities and Exposures)
     • Build tool integration
     • Jenkins integration
     • Also available for repository servers
       • Nexus Repository (Nexus Firewall)
       • Artifactory (JFrog Xray)
     https://jeremylong.github.io/DependencyCheck/
  34. SAST
     @GET
     @Path("/images/{image}")
     @Produces("images/*")
     public Response getImage(@PathParam("image") String image) {
         // the path parameter is used as a file name without any sanitizing
         File file = new File("resources/images/", image);
         if (!file.exists()) {
             return Response.status(Response.Status.NOT_FOUND).build();
         }
         return Response.ok().entity(new FileInputStream(file)).build();
     }
  35. SAST – Potential Path Traversal (same code as on slide 34)
  36. SAST – Potential Path Traversal (fixed)
     @GET
     @Path("/images/{image}")
     @Produces("images/*")
     public Response getImage(@PathParam("image") String image) {
         // FilenameUtils (Apache Commons IO) keeps only the file name part,
         // so any directory components in the parameter are dropped
         File file = new File("resources/images/", FilenameUtils.getName(image));
         if (!file.exists()) {
             return Response.status(Response.Status.NOT_FOUND).build();
         }
         return Response.ok().entity(new FileInputStream(file)).build();
     }
  37. PMD
     • Source code analysis
     • No dedicated security rules
     • CLI
     • Build tool integration
     • IDE integration
     • Jenkins integration
     https://pmd.github.io/
  38. findbugs
     • Bytecode analysis
     • Up to Java 8
     • CLI with GUI
     • Build tool integration
     • IDE integration
     • Jenkins integration
     http://findbugs.sourceforge.net/
  39. SpotBugs
     • Bytecode analysis
     • Successor of findbugs
     • Plugin system
     • CLI with GUI
     • Build tool integration
     • IDE integration
     • Jenkins integration
     https://spotbugs.github.io/
  40. SpotBugs example
     public boolean authenticate() {
         boolean authenticated = true;
         try {
             authenticated = ldapService.isUserAuthenticated(...);
         } catch (SomeException e) {
             // empty catch block: on an exception the method fails open,
             // authenticated keeps its initial value true
         }
         return authenticated;
     }
  41. SpotBugs example (same code as on slide 40)
  42. SpotBugs example – Fixed
     public boolean authenticate() {
         boolean authenticated = true;
         try {
             authenticated = ldapService.isUserAuthenticated(...);
         } catch (SomeException e) {
             logger.warn("User authentication failed", e);
             authenticated = false;
         }
         return authenticated;
     }
  43. find-sec-bugs
     • Extension for SpotBugs
     • Focus on security
     https://find-sec-bugs.github.io/
  44. 44. find-sec-bugs Beispiel public boolean authenticate(...) { String user = request.getParameter("user"); String pass = request.getParameter("pass"); String query = "SELECT * FROM users WHERE user = '" + user + "' AND pass = '" + pass + "'"; java.sql.Statement statement = connection.createStatement(); java.sql.ResultSet resultSet = statement.executeQuery(query); return resultSet.next(); } #WISSENTEILEN
  45. 45. find-sec-bugs Beispiel public boolean authenticate(...) { String user = request.getParameter("user"); String pass = request.getParameter("pass"); String query = "SELECT * FROM users WHERE user = '" + user + "' AND pass = '" + pass + "'"; java.sql.Statement statement = connection.createStatement(); java.sql.ResultSet resultSet = statement.executeQuery(query); return resultSet.next(); } #WISSENTEILEN
46. find-sec-bugs example – fixed

    public boolean authenticate(...) {
        String user = request.getParameter("user");
        String pass = request.getParameter("pass");
        String query = "SELECT * FROM users WHERE user = ? AND pass = ?";
        // a PreparedStatement binds the values as parameters instead of splicing them into the SQL text
        java.sql.PreparedStatement statement = connection.prepareStatement(query);
        statement.setString(1, user);
        statement.setString(2, pass);
        java.sql.ResultSet resultSet = statement.executeQuery();
        return resultSet.next();
    }

47. find-sec-bugs examples • Insecure hash algorithms, e.g. MD5, SHA1 • Hard-coded values, e.g. passwords, secret keys • Insecure cipher usage, e.g. RSA without padding
48. SonarQube • Tool aggregator • Own rules • IDE integration (sonarlint) • Build tool integration (Sonar Scanner) • Jenkins integration https://www.sonarqube.org/
49. [image-only slide]
50. sonarlint • IDE / editor integration for SonarQube • Eclipse • JetBrains products • Visual Studio • VS Code • Atom • No replacement for PMD, findbugs and co. • Compare the rule sets! • Some rules only run server-side https://www.sonarlint.org/
51. sonarlint in action
52. Integration
53.–57. Integration (comparison table, built up over slides 53 to 57)

                               IDE     Build tools   SonarQube   SQ + sonarlint
    Developer visibility       ++      o             + (web)     +(+)
    CI support                 -/-     +             ++          -/-
    Configuration maintenance  --      --            ++          ++

58. Integration – IDE ✓ Very high visibility for the developer − Runs only locally on the developer's machine − No guarantee that it is executed − CI has to be configured separately − Configuration effort / maintenance
59. Integration – Build tools ✓ Can always be executed ✓ "Native" CI support − Limited visibility for the developer − Visualisation in CI has to be configured separately − Configuration effort / maintenance
60. Integration – SonarQube ✓ High visibility for all developers ✓ Central configuration maintenance ✓ Central issue management o Analysis is delayed, or the build has to wait o IDE integration through its own plugin − One-time installation effort − Separate build step in CI / build tools
61. Integration – SonarQube + sonarlint ✓ Very high visibility for the developer ✓ Central configuration maintenance ✓ Works offline o One-time, minimal configuration effort
62. And what about CI?
63. Integration – CI (repeats the comparison table of slide 57)
64. Integration – CI • Analyse as early as possible • Build tools run the analysis tools • Visualisation in CI has to be configured separately • Jenkins offers various plugins for visualisation • Travis CI offers no visualisation of its own • Travis CI and GitLab CI support codeclimate
65. Integration – CI • Visibility is hard to achieve • "Build failed – I don't care" • Builds can take longer, for example with SonarQube • Analysis happens asynchronously
66. Integration – CI Principles: • Enough hardware • No spamming • Dedicated channel, e.g. Slack • Meaningful messages • Create tickets
67. Software lifecycle [diagram: Product Design, Development, Testing, Deployment, Production; Static Application Security Testing]
68. Wasn't there something else? Authentication?
  69. 69. Dynamic Application Security Testing
70. Dynamic Application Security Testing Advantages ✓ Finds faults that can only occur at runtime, e.g. misconfigurations ✓ Analysis on client and server side Disadvantages − Needs a running instance − Can miss parts of the application − Manual "pointing" at the application − No precise error descriptions
71. OWASP Zed Attack Proxy (ZAP) • Security scanner • DAST and penetration tests • Can be used in an automated way • Many add-ons • Jenkins plugin • SonarQube plugin https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
72. ZAP demo
73. ZAP in CI? • Enter the URL manually? • Let the spider crawl the whole application? • Start the attack?
74. UI tests [diagram: Product Design, Development, Testing, Deployment, Production] Why not reuse them?
75. ZAP in CI [diagram: UI test framework → ZAP (proxy mode) → deployed application; the recorded session → ZAP (attack mode) → deployed application]
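One way to script the attack-mode step of slide 75 and apply the principles of slide 66 (fail the build only on findings that matter, with a meaningful message instead of a bare "build failed"), as an added example that is not code from the talk. It assumes the UI tests have already run with ZAP configured as their HTTP proxy, so ZAP knows the application's URLs; ZAP's JSON API with its URL (ZAP_API), API key (ZAP_API_KEY) and the TARGET_URL variable are assumptions, and the sample alerts are constructed.

```python
"""Gate a CI build on OWASP ZAP findings after the UI tests ran through ZAP as proxy.
Added example, not code from the talk. Assumes ZAP's JSON API at ZAP_API (default
http://localhost:8080) with its endpoints ascan/action/scan, ascan/view/status and
core/view/alerts; the sample alerts below are constructed, not real scan output."""
import json
import os
import time
import urllib.parse
import urllib.request

ZAP_API = os.environ.get("ZAP_API", "http://localhost:8080")
ZAP_KEY = os.environ.get("ZAP_API_KEY", "")
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

def zap_get(path, **params):
    """Call one ZAP JSON API endpoint and decode its response."""
    params["apikey"] = ZAP_KEY
    url = f"{ZAP_API}/JSON/{path}/?{urllib.parse.urlencode(params)}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)

def active_scan(target):
    """Attack mode: scan the URLs ZAP recorded while the UI tests used it as proxy."""
    scan_id = zap_get("ascan/action/scan", url=target, recurse="true")["scan"]
    while int(zap_get("ascan/view/status", scanId=scan_id)["status"]) < 100:
        time.sleep(5)
    return zap_get("core/view/alerts", baseurl=target)["alerts"]

def evaluate(alerts, fail_on="Medium"):
    """Return (passed, report_lines): fail only at or above fail_on, and emit one
    actionable line per finding instead of a bare 'build failed'."""
    findings = sorted(alerts, key=lambda a: -RISK_ORDER.get(a["risk"], 0))
    lines = [f"[{a['risk']}] {a['alert']} at {a['url']} (param: {a.get('param') or '-'})"
             for a in findings]
    blocking = [a for a in findings if RISK_ORDER.get(a["risk"], 0) >= RISK_ORDER[fail_on]]
    return (not blocking, lines)

# Constructed sample in the shape of core/view/alerts, used when no ZAP is reachable.
SAMPLE_ALERTS = [
    {"risk": "Low", "alert": "X-Content-Type-Options Header Missing",
     "url": "http://app.test/", "param": ""},
    {"risk": "High", "alert": "SQL Injection", "url": "http://app.test/login", "param": "user"},
]

if __name__ == "__main__":
    alerts = active_scan(os.environ["TARGET_URL"]) if "ZAP_API" in os.environ else SAMPLE_ALERTS
    ok, report = evaluate(alerts)
    print("\n".join(report))
    raise SystemExit(0 if ok else 1)
```

The non-zero exit status is what makes the CI stage fail; the printed report is what belongs in the dedicated channel or the ticket.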
76. Software lifecycle [diagram: Product Design, Development, Testing, Deployment, Production; Static Application Security Testing; Dynamic Application Security Testing]
77. Conclusion • Developers are (usually) not security experts • Everyone (really everyone) has to deal with security • It has to be part of the development process • Developer awareness • And the rest of the team as well • CI process • Nobody likes (security) bugs
78. Conclusion – CI • People are lazy • AUTOMATION! • Separate pipeline • Time is a big factor • As early as possible • "Own" environment
79. People who like security bugs
80. QUESTIONS
81. CONTACT Christian Schulz, Enterprise Developer christian.schulz@openknowledge.de +49 (0)441 4082 – 146 OFFENKUNDIGGUT
82. IMAGE CREDITS • Slide 7: http://candycrush.wikia.com/wiki/Level_1350?file=Level_1350_Reality.png • Slide 32: https://wiki.jenkins.io/display/JENKINS/OWASP+Dependency-Check+Plugin • Slide 36: https://www.javatips.net/blog/pmd-in-eclipse-tutorial • Slide 37: http://findbugs.sourceforge.net/manual/example-details.png • Slide 42: https://find-sec-bugs.github.io/images/screens/eclipse.png • Slide 47: https://www.sonarqube.org/index/detect-bugs-2@2x.png • Slide 49: https://www.sonarlint.org/static/screenshot-feature-1-07de0778bcba0a0fce549fedb082e187-9918a.png • Icons in this presentation designed by "Freepik", "Nice and Serious" and "Elegant Themes" from www.flaticon.com