Continuous Integration
Live Static Analysis with Roslyn
Eric Johnson
Twitter: @emjohn20
Principal Security Engineer
Puma Security
Eric Johnson, CISSP, GSSP, GWAPT
• Puma Security
– Principal Security Engineer
– Modern static code analysis
– DevSecOps automation
– Secure Development Lifecycle
• SANS Institute
– Certified Instructor
– DEV541: Secure Coding in Java
– DEV534: Secure DevOps
– Course Author
– DEV531: Mobile App Security Essentials
– DEV544: Secure Coding in .NET
Roadmap
• .NET Static Analysis Options
• The Roslyn API
• Code Analyzer
• Additional Files Analyzer
• Puma Scan
• Future Enhancements
Free / Open Source .NET Options
• CAT.NET
• FxCop
• Visual Studio Code Analysis
• Web Config Security Analyzer
Widget Town Target App
• Purposely vulnerable eCommerce application
• Contains over 50 different vulnerabilities
• Across two different versions:
– Web Forms
– .NET MVC
• Contributors:
– Louis Gardina
– Eric Johnson
Microsoft CAT.NET v1.1
• Microsoft Code Analysis Tool (CAT)
• Promising start but fizzled quickly
• Version 1.1 published
– April 2009
• Version 2.0 beta never published
– November 2009
• https://www.microsoft.com/en-us/download/details.aspx?id=19968
CAT.NET v1.1 Security Benchmark
• Widget Town scan results:
– 2 XSS, 1 Unvalidated Redirect issues
• CAT.NET is a very limited security scanner
FxCop
• GUI and command line binary static analysis of .NET code
• Rules primarily target design, naming, performance, interoperability, globalization, usage
• Basic security rules exist
– SQL Injection, XSS
Visual Studio Code Analysis
• FxCop wrapper baked into Visual Studio
• Security rules covered by the “Microsoft Security Rules” rule set
• Custom rules can be created using the BaseFxCopRule
• https://msdn.microsoft.com/en-us/library/3z0aeatx(v=vs.140).aspx
Code Analysis Security Benchmark
• Rule target results from the “Microsoft Security Rules” rule set
• Widget Town scan results:
– 2 SQL Injection instances, 1 is a false positive
• Widget Town combined CAT.NET and Visual Studio Code Analysis scan results:
Scan Result Summary
Category               Valid   False Positive
Cross-Site Scripting     2          0
SQL Injection            1          1
Unvalidated Redirect     1          0
Roadmap
• .NET Static Analysis Options
• The Roslyn API
• Code Analyzer
• Additional Files Analyzer
• Puma Scan
• Future Enhancements
Introducing Roslyn
• Open-source C# and Visual Basic compilers with code analysis APIs
• Capable of producing warnings in code as you type:
Getting Started
• Prerequisites:
– Visual Studio 2015
– Visual Studio 2015 Extensibility Tools
– .NET Compiler Platform ("Roslyn") SDK
• Described in detail in this MSDN Magazine article by Alex Turner:
– https://msdn.microsoft.com/en-us/magazine/dn879356.aspx
Creating a Code Analyzer Project
• File > New Project
• Templates > Visual C# > Extensibility
• Select the Analyzer with Code Fix (NuGet + VSIX) template
Roslyn Syntax Visualizer
• Included in the .NET Compiler Platform SDK
• Facilitates inspection of a syntax tree for any C# or VB code file open inside Visual Studio
• Each node displays a properties grid for the item selected in the tree including:
– Semantics, symbols, types, values, etc.
Roadmap
• .NET Static Analysis Options
• The Roslyn API
• Code Analyzer
• Additional Files Analyzer
• Puma Scan
• Future Enhancements
Code Analyzer 101
• Roslyn exposes the following APIs to simplify code analysis:
– DiagnosticAnalyzer
– DiagnosticDescriptor
– AnalysisContext
– SyntaxKinds
• Decorate the custom analyzer with the DiagnosticAnalyzer attribute
• Inherit from the DiagnosticAnalyzer base class
Diagnostic Analyzer Class
    [DiagnosticAnalyzer(LanguageNames.CSharp)]
    public class MyAwesomeAnalyzer : DiagnosticAnalyzer
    {
        // Insert awesome analyzer logic here
    }
• Define the diagnostic’s id, title, message, severity, and description
• Add the diagnostic descriptor to the rule’s list of supported diagnostics
Diagnostic Descriptor Class
    […]
    // One descriptor per rule: the id, title, message format, category and
    // severity are what Visual Studio shows in the error list
    private static DiagnosticDescriptor Rule =
        new DiagnosticDescriptor(Id, Title, MessageFormat,
            Category, DiagnosticSeverity.Warning,
            isEnabledByDefault: true, description: Description);

    // Every descriptor the analyzer can report must be listed here
    public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics
    {
        get { return ImmutableArray.Create(Rule); }
    }
Analysis Context Events
• Determines when Roslyn calls back to your analyzer code
• http://bit.ly/2dStJru
Context Registration Options
– RegisterCodeBlockAction
– RegisterCompilationAction
– RegisterCompilationStartAction
– RegisterSemanticModelAction
– RegisterSymbolAction
– RegisterSyntaxNodeAction
– RegisterSyntaxTreeAction
Symbol / Syntax Kind Options
• Determines the syntax nodes or symbols the analyzers are inspecting
• Hundreds of options are available; some commonly used items:
Syntax Kinds
– MethodDeclaration
– ObjectCreationExpression
– InvocationExpression
– SimpleAssignmentExpression
Symbol Kinds
– Event
– Field
– Method
– Parameter
• Believe it or not, this is all you need to build a real analyzer
• WARNING: Intense Roslyn code flagging ASP.NET Identity for weak password length coming next!
Password Length Analyzer Example
• Override the Initialize method
• Register the SyntaxNodeAction event listener
• Target the ObjectCreationExpression nodes
Initializing an Analysis Context
    [DiagnosticAnalyzer(LanguageNames.CSharp)]
    public class MyAwesomeAnalyzer : DiagnosticAnalyzer
    {
        […]
        public override void Initialize(AnalysisContext context)
        {
            // Ask Roslyn to call AnalyzeSyntaxNode for every object creation expression
            context.RegisterSyntaxNodeAction(AnalyzeSyntaxNode,
                SyntaxKind.ObjectCreationExpression);
        }
    }
• Retrieve the incoming object creation node
• Check the object type’s name
• Verify the symbol is in the Identity namespace
Identity Password Length Analyzer
    […]
    private static void AnalyzeSyntaxNode(SyntaxNodeAnalysisContext context)
    {
        // The registered SyntaxKind guarantees an object creation expression here
        var statement = context.Node as ObjectCreationExpressionSyntax;

        // Cheap syntactic check first: is the created type named PasswordValidator?
        if (string.Compare(statement?.Type.ToString(),
                "PasswordValidator", StringComparison.Ordinal) != 0)
            return;

        // Then bind the symbol and confirm it really is the ASP.NET Identity type
        var symbol = context.SemanticModel.GetSymbolInfo(statement).Symbol as ISymbol;
        if (string.Compare(symbol?.ContainingNamespace.ToString(),
                "Microsoft.AspNet.Identity", StringComparison.Ordinal) != 0)
            return;
• Retrieve the initializer expressions
• Find and read the expression’s constant value
Identity Password Length Analyzer
    […]
        // Object initializer, e.g. new PasswordValidator { RequiredLength = 6 }
        // (a null check is needed: "initializer?.Expressions.Count == 0" is false
        // when there is no initializer at all, and the foreach below would then throw)
        var initializer = statement.Initializer as InitializerExpressionSyntax;
        if (initializer == null || initializer.Expressions.Count == 0)
            return;

        int minLength = 0;
        foreach (AssignmentExpressionSyntax expression in initializer.Expressions)
        {
            // Only compile-time constants can be checked statically
            var value = context.SemanticModel.GetConstantValue(expression.Right);
            if (value.HasValue &&
                expression.Left.ToString().Equals("RequiredLength"))
                minLength = (int)value.Value;
        }
• Minimum length requirement check
• Report the diagnostic to the compiler
Identity Password Length Analyzer
    […]
        // Warn if length < 12 chars
        if (minLength < 12)
        {
            // Attach the warning to the object creation expression so the
            // squiggle lands on the weak PasswordValidator
            var diagnostic = Diagnostic.Create(Rule, statement.GetLocation());
            context.ReportDiagnostic(diagnostic);
        }
    }
    }
    }
• Proof that 34 lines of code can create a static analysis rule flagging poor password management policies
Identity Password Length Analyzer
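The analyzer fragments on the preceding slides are elided with […], so as an added example (not code from the slides, the demo repo or Puma Scan) here is the same password length rule assembled into one compilable file. It also shows RegisterCompilationStartAction from the Analysis Context Events table: the Microsoft.AspNet.Identity.PasswordValidator type is resolved once per compilation and the syntax node callback is only registered when the project references it, and the created type is compared as a bound symbol rather than by name strings. The class name, the SEC0001 id, the message text, the "Poor Password Management" category and the PumaScanDemo.Examples namespace are assumptions; the 12-character threshold is the one from the slides.

```csharp
using System.Collections.Immutable;
using System.Linq;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;
using Microsoft.CodeAnalysis.Diagnostics;

namespace PumaScanDemo.Examples // hypothetical namespace, not the demo repo's
{
    [DiagnosticAnalyzer(LanguageNames.CSharp)]
    public class PasswordLengthAnalyzer : DiagnosticAnalyzer
    {
        // The slides elide these constants with […]; id and wording are assumptions.
        public const string DiagnosticId = "SEC0001";
        private const int MinimumLength = 12;
        private const string ValidatorMetadataName = "Microsoft.AspNet.Identity.PasswordValidator";

        private static readonly DiagnosticDescriptor Rule = new DiagnosticDescriptor(
            DiagnosticId,
            "Weak password length policy",
            "PasswordValidator.RequiredLength is {0}; at least {1} characters are expected",
            "Poor Password Management",
            DiagnosticSeverity.Warning,
            isEnabledByDefault: true,
            description: "Flags ASP.NET Identity PasswordValidator instances whose RequiredLength is below the policy minimum.");

        public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics
        {
            get { return ImmutableArray.Create(Rule); }
        }

        public override void Initialize(AnalysisContext context)
        {
            // Resolve the Identity type once per compilation; projects that do not
            // reference ASP.NET Identity never pay for the per-node callback.
            context.RegisterCompilationStartAction(compilationContext =>
            {
                INamedTypeSymbol validatorType =
                    compilationContext.Compilation.GetTypeByMetadataName(ValidatorMetadataName);
                if (validatorType == null)
                    return;

                compilationContext.RegisterSyntaxNodeAction(
                    nodeContext => AnalyzeObjectCreation(nodeContext, validatorType),
                    SyntaxKind.ObjectCreationExpression);
            });
        }

        private static void AnalyzeObjectCreation(SyntaxNodeAnalysisContext context,
                                                  INamedTypeSymbol validatorType)
        {
            var creation = (ObjectCreationExpressionSyntax)context.Node;

            // Compare bound symbols instead of type-name strings: aliases and fully
            // qualified names still match, look-alike types in other namespaces do not.
            var createdType = context.SemanticModel.GetTypeInfo(creation).Type as INamedTypeSymbol;
            if (createdType == null || !createdType.Equals(validatorType))
                return;

            // PasswordValidator.RequiredLength defaults to 0, so a missing
            // initializer is still a finding rather than an early return.
            int minLength = 0;
            if (creation.Initializer != null)
            {
                foreach (var assignment in creation.Initializer.Expressions.OfType<AssignmentExpressionSyntax>())
                {
                    var left = assignment.Left as IdentifierNameSyntax;
                    if (left == null || left.Identifier.ValueText != "RequiredLength")
                        continue;

                    var constant = context.SemanticModel.GetConstantValue(assignment.Right);
                    if (!constant.HasValue || !(constant.Value is int))
                        return; // Length comes from config or a call: not decidable statically, stay silent.

                    minLength = (int)constant.Value;
                }
            }

            if (minLength < MinimumLength)
            {
                context.ReportDiagnostic(
                    Diagnostic.Create(Rule, creation.GetLocation(), minLength, MinimumLength));
            }
        }
    }
}
```

A later statement such as `validator.RequiredLength = 12;` after the `new` expression is not tracked by this rule; following that assignment needs the data flow analysis listed under Future Enhancements, which is also why a non-constant length makes the rule stay silent instead of guessing.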
Roadmap
• .NET Static Analysis Options
• The Roslyn API
• Code Analyzer
• Additional Files Analyzer
• Puma Scan
• Future Enhancements
Non-Code Files
• What about non-code files?
• Security issues commonly exist in non-code files:
– Configuration files (.config, .json)
– View markup files (.cshtml, .html, .aspx, .ascx)
– External references (.js, .css)
– Non-compiled languages (SQL, node, python, rails)
Additional Files
• Additional files were designed to feed configuration data to code analyzers
– Password complexity rules, authentication timeout values, etc.
Additional Files Analyzer
• But, we need to analyze and create diagnostic warnings in non-code files
– .config, .json, .cshtml, .aspx, .ascx, etc.
• Not officially supported as of Visual Studio 2015 Update 3
• Open git issue
– https://github.com/dotnet/roslyn/issues/11097
Additional Files Analyzer Roadblocks
• Additional files are not automatically loaded into the analysis context
• Creating a diagnostic with an additional file location causes the error to disappear
Additional File Item Names
• Each project file targeted for analysis must set its additional file item names property group to all content files:
    <PropertyGroup>
      […]
      <AdditionalFileItemNames>
        $(AdditionalFileItemNames);Content
      </AdditionalFileItemNames>
    </PropertyGroup>
Additional File Diagnostic
• Do not include the source location in additional file diagnostics
• Workaround: leverage the message arguments parameter to display path and line info in the error list:
    string messageFormat = "Debug compilation is enabled. {0}({1}): {2}";
    context.ReportDiagnostic(Diagnostic.Create(Rule,
        Location.None, path, lineNumber, line));
Additional File Analyzer Diagnostics
• Diagnostics reported on web.config vulnerabilities in the error list:
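The additional files workaround, as an added example that is not code from the slides or the demo repo: a compilation action walks context.Options.AdditionalFiles (which only contains web.config once AdditionalFileItemNames includes Content, as described above), parses each web.config with line information, and reports every <compilation debug="true"> with Location.None and the path, line number and line text carried in the message arguments. The class name, the SEC0002 id, the namespace and the FindDebugCompilationLines helper are assumptions; the message format is the one shown on the slide.

```csharp
using System;
using System.Collections.Immutable;
using System.Xml;
using System.Xml.Linq;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.Diagnostics;
using Microsoft.CodeAnalysis.Text;

namespace PumaScanDemo.Examples // hypothetical namespace, not the demo repo's
{
    [DiagnosticAnalyzer(LanguageNames.CSharp)]
    public class DebugCompilationAnalyzer : DiagnosticAnalyzer
    {
        public const string DiagnosticId = "SEC0002"; // placeholder id

        // Location.None is reported, so path and line travel in the message instead.
        private static readonly DiagnosticDescriptor Rule = new DiagnosticDescriptor(
            DiagnosticId,
            "Debug compilation enabled",
            "Debug compilation is enabled. {0}({1}): {2}",
            "Misconfiguration",
            DiagnosticSeverity.Warning,
            isEnabledByDefault: true,
            description: "<compilation debug=\"true\"> in web.config exposes detailed errors and disables optimizations in production.");

        public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics
        {
            get { return ImmutableArray.Create(Rule); }
        }

        public override void Initialize(AnalysisContext context)
        {
            // Additional files are not syntax trees, so a compilation-level
            // callback is where they can be read.
            context.RegisterCompilationAction(AnalyzeAdditionalFiles);
        }

        private static void AnalyzeAdditionalFiles(CompilationAnalysisContext context)
        {
            foreach (AdditionalText file in context.Options.AdditionalFiles)
            {
                // Only web.config and web.*.config transforms are of interest here.
                string fileName = System.IO.Path.GetFileName(file.Path);
                if (!fileName.StartsWith("web.", StringComparison.OrdinalIgnoreCase) ||
                    !fileName.EndsWith(".config", StringComparison.OrdinalIgnoreCase))
                    continue;

                SourceText text = file.GetText(context.CancellationToken);
                if (text == null)
                    continue;

                foreach (int lineNumber in FindDebugCompilationLines(text.ToString()))
                {
                    // The XML reader reports 1-based lines; SourceText.Lines is 0-based.
                    string line = text.Lines[lineNumber - 1].ToString().Trim();
                    context.ReportDiagnostic(
                        Diagnostic.Create(Rule, Location.None, file.Path, lineNumber, line));
                }
            }
        }

        // Returns the 1-based line number of every <compilation debug="true"> element.
        // Kept public so the parsing can be unit tested without a Roslyn host.
        public static ImmutableArray<int> FindDebugCompilationLines(string xml)
        {
            var lines = ImmutableArray.CreateBuilder<int>();
            XDocument doc;
            try
            {
                doc = XDocument.Parse(xml, LoadOptions.SetLineInfo);
            }
            catch (XmlException)
            {
                return lines.ToImmutable(); // Malformed config: report nothing rather than crash the analyzer.
            }

            foreach (XElement element in doc.Descendants("compilation"))
            {
                XAttribute debug = element.Attribute("debug");
                if (debug != null && string.Equals(debug.Value, "true", StringComparison.OrdinalIgnoreCase))
                {
                    lines.Add(((IXmlLineInfo)element).LineNumber);
                }
            }
            return lines.ToImmutable();
        }
    }
}
```

Parsing the file as XML rather than grepping lines means an attribute split across lines or written with different quoting is still caught, while the line number from IXmlLineInfo still lets the error list entry point at the offending element even though double-click navigation is not available for additional files.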
Additional Files Analyzer Limitations
• Additional files are not automatically loaded after installing the NuGet package
– Open ticket to correct this in the NuGet installer
• Manual edits required to project files when using the extension (.vsix) installer
• Error list double click navigation is not supported
• No spellcheck (squiggles) in non-code files
Demo Code Repo
• Sample analyzers from this talk are available in git:
– https://github.com/ejohn20/puma-scan-demo
Roadmap
• .NET Static Analysis Options
• The Roslyn API
• Code Analyzer
• Additional Files Analyzer
• Puma Scan
• Future Enhancements
Introducing the Puma Scan
• Open source Visual Studio Roslyn security source code analyzer extension
• Over 40 application security-specific rules
• Version 1.0 is available via NuGet & Visual Studio Marketplace
• Install, rule docs, source code:
– https://www.pumascan.com
– https://github.com/pumasecurity
– @puma_scan
• Widget Town Puma Scan results:
– 54 valid issues, 10 false positives
Puma Scan Result Summary
Category                          Valid   False Positive
Cross-Site Scripting                19          3
SQL Injection                        2          3
Misconfiguration                    16          0
Path Tampering                       3          0
Unvalidated Redirect                 2          4
Cross-Site Request Forgery           8          0
Poor Password Management             3          0
Certificate Validation Disabled      1          0
Future Enhancements
• Welcoming contributors!
• Gather feedback and address edge cases
• Continue to build out additional rule categories
– Crypto, cleartext secrets, XML processing, etc.
• Further refine results using data flow analysis to eliminate false positives
• Identify rules that can apply suggested code fixes
Acknowledgements
• Eric Mead – Cypress Data Defense
• Tom Meschter – Microsoft
• Manish Vasani – Microsoft
• Gitter Roslyn Channel
Thank you for attending!
Email: eric.johnson@pumascan.com
Twitter: @emjohn20

More Related Content

What's hot

Encode x NEAR: Technical Overview of NEAR 1
Encode x NEAR: Technical Overview of NEAR 1Encode x NEAR: Technical Overview of NEAR 1
Encode x NEAR: Technical Overview of NEAR 1
KlaraOrban
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavOWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
Abhay Bhargav
 

What's hot (20)

Encode x NEAR: Technical Overview of NEAR 1
Encode x NEAR: Technical Overview of NEAR 1Encode x NEAR: Technical Overview of NEAR 1
Encode x NEAR: Technical Overview of NEAR 1
 
Cloud security : Automate or die
Cloud security : Automate or dieCloud security : Automate or die
Cloud security : Automate or die
 
DevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit TestsDevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit Tests
 
360° Kubernetes Security: From Source Code to K8s Configuration Security
360° Kubernetes Security: From Source Code to K8s Configuration Security360° Kubernetes Security: From Source Code to K8s Configuration Security
360° Kubernetes Security: From Source Code to K8s Configuration Security
 
Open Source KMIP Implementation
Open Source KMIP ImplementationOpen Source KMIP Implementation
Open Source KMIP Implementation
 
Weaponizing Your DevOps Pipeline
Weaponizing Your DevOps PipelineWeaponizing Your DevOps Pipeline
Weaponizing Your DevOps Pipeline
 
Maturing your organization from DevOps to DevSecOps
Maturing your organization from DevOps to DevSecOpsMaturing your organization from DevOps to DevSecOps
Maturing your organization from DevOps to DevSecOps
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavOWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
 
Serverless Security: What's Left To Protect
Serverless Security: What's Left To ProtectServerless Security: What's Left To Protect
Serverless Security: What's Left To Protect
 
Security Patterns for Microservice Architectures - SpringOne 2020
Security Patterns for Microservice Architectures - SpringOne 2020Security Patterns for Microservice Architectures - SpringOne 2020
Security Patterns for Microservice Architectures - SpringOne 2020
 
Cloud Security: Attacking The Metadata Service
Cloud Security: Attacking The Metadata ServiceCloud Security: Attacking The Metadata Service
Cloud Security: Attacking The Metadata Service
 
Lessons Learned Deploying Modern Cloud Systems in Highly Regulated Environments
Lessons Learned Deploying Modern Cloud Systems in Highly Regulated EnvironmentsLessons Learned Deploying Modern Cloud Systems in Highly Regulated Environments
Lessons Learned Deploying Modern Cloud Systems in Highly Regulated Environments
 
DevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityDevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise Security
 
Alfredo Reino - Monitoring aws and azure
Alfredo Reino - Monitoring aws and azureAlfredo Reino - Monitoring aws and azure
Alfredo Reino - Monitoring aws and azure
 
[muCon2017]DevSecOps: How to Continuously Integrate Security into DevOps
[muCon2017]DevSecOps: How to Continuously Integrate Security into DevOps[muCon2017]DevSecOps: How to Continuously Integrate Security into DevOps
[muCon2017]DevSecOps: How to Continuously Integrate Security into DevOps
 
DevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessDevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security Success
 
Rugged DevOps: Bridging Security and DevOps
Rugged DevOps: Bridging Security and DevOpsRugged DevOps: Bridging Security and DevOps
Rugged DevOps: Bridging Security and DevOps
 
Améliorer OpenStack avec les technologies Intel
Améliorer OpenStack avec les technologies IntelAméliorer OpenStack avec les technologies Intel
Améliorer OpenStack avec les technologies Intel
 
Secure Architecture and Programming 101
Secure Architecture and Programming 101Secure Architecture and Programming 101
Secure Architecture and Programming 101
 
Building security into the pipelines
Building security into the pipelinesBuilding security into the pipelines
Building security into the pipelines
 

Similar to Continuous Integration - Live Static Analysis with Puma Scan

Reducing Redundancies in Multi-Revision Code Analysis
Reducing Redundancies in Multi-Revision Code AnalysisReducing Redundancies in Multi-Revision Code Analysis
Reducing Redundancies in Multi-Revision Code Analysis
Sebastiano Panichella
 

Similar to Continuous Integration - Live Static Analysis with Puma Scan (20)

Continuous Integration: Live Static Analysis with Puma Scan
Continuous Integration: Live Static Analysis with Puma ScanContinuous Integration: Live Static Analysis with Puma Scan
Continuous Integration: Live Static Analysis with Puma Scan
 
Code Generation for Azure with .net
Code Generation for Azure with .netCode Generation for Azure with .net
Code Generation for Azure with .net
 
Test box bdd
Test box bddTest box bdd
Test box bdd
 
CBDW2014 - Behavior Driven Development with TestBox
CBDW2014 - Behavior Driven Development with TestBoxCBDW2014 - Behavior Driven Development with TestBox
CBDW2014 - Behavior Driven Development with TestBox
 
Как разработать DBFW с нуля
Как разработать DBFW с нуляКак разработать DBFW с нуля
Как разработать DBFW с нуля
 
Database Firewall from Scratch
Database Firewall from ScratchDatabase Firewall from Scratch
Database Firewall from Scratch
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Security
 
Useful practices of creation automatic tests by using cucumber jvm
Useful practices of creation automatic tests by using cucumber jvmUseful practices of creation automatic tests by using cucumber jvm
Useful practices of creation automatic tests by using cucumber jvm
 
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in FirmwareUsing Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
 
GNAT Pro User Day: Latest Advances in AdaCore Static Analysis Tools
GNAT Pro User Day: Latest Advances in AdaCore Static Analysis ToolsGNAT Pro User Day: Latest Advances in AdaCore Static Analysis Tools
GNAT Pro User Day: Latest Advances in AdaCore Static Analysis Tools
 
Code Review with Sonar
Code Review with SonarCode Review with Sonar
Code Review with Sonar
 
Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web application
Nguyen Phuong Truong Anh  - Some new vulnerabilities in modern web applicationNguyen Phuong Truong Anh  - Some new vulnerabilities in modern web application
Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web application
 
Improving code quality with Roslyn analyzers
Improving code quality with Roslyn analyzersImproving code quality with Roslyn analyzers
Improving code quality with Roslyn analyzers
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?
 
Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015
Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015
Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015
 
Assuring the code quality of share point solutions and apps - Matthias Einig
Assuring the code quality of share point solutions and apps - Matthias EinigAssuring the code quality of share point solutions and apps - Matthias Einig
Assuring the code quality of share point solutions and apps - Matthias Einig
 
Reducing Redundancies in Multi-Revision Code Analysis
Reducing Redundancies in Multi-Revision Code AnalysisReducing Redundancies in Multi-Revision Code Analysis
Reducing Redundancies in Multi-Revision Code Analysis
 
Building XWiki
Building XWikiBuilding XWiki
Building XWiki
 
Getting started with titanium
Getting started with titaniumGetting started with titanium
Getting started with titanium
 

Recently uploaded

%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
masabamasaba
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
masabamasaba
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
masabamasaba
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Health
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
VictorSzoltysek
 

Recently uploaded (20)

Harnessing ChatGPT - Elevating Productivity in Today's Agile Environment
Harnessing ChatGPT  - Elevating Productivity in Today's Agile EnvironmentHarnessing ChatGPT  - Elevating Productivity in Today's Agile Environment
Harnessing ChatGPT - Elevating Productivity in Today's Agile Environment
 
tonesoftg
tonesoftgtonesoftg
tonesoftg
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
WSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go PlatformlessWSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go Platformless
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
 

Continuous Integration - Live Static Analysis with Puma Scan

  • 1. Continuous Integration Live Static Analysis with Roslyn Eric Johnson Twitter: @emjohn20 Principal Security Engineer Puma Security
  • 2. Eric Johnson, CISSP, GSSP, GWAPT • Puma Security • Principal Security Engineer • Modern static code analysis • DevSecOps automation • Secure Development Lifecycle • SANS Institute • Certified Instructor – DEV541: Secure Coding in Java – DEV534: Secure DevOps • Course Author – DEV531: Mobile App Security Essentials – DEV544: Secure Coding in .NET
  • 3. Roadmap • .NET Static Analysis Options • The Roslyn API • Code Analyzer • Additional Files Analyzer • Puma Scan • Future Enhancements
  • 4. Free / Open Source .NET Options • CAT.NET • FxCop • Visual Studio Code Analysis • Web Config Security Analyzer
  • 5. Widget Town Target App • Purposely vulnerable eCommerce application • Contains over 50 different vulnerabilities • Across two different versions: – Web Forms – .NET MVC • Contributors: – Louis Gardina – Eric Johnson
  • 6. Microsoft CAT.NET v1.1 • Microsoft Code Analysis Tool (CAT) • Promising start but fizzled quickly • Version 1.1 published – April 2009 • Version 2.0 beta never published – November 2009 • https://www.microsoft.com/en- us/download/details.aspx?id=19968
  • 7. CAT.NET v1.1 Security Benchmark • Widget Town scan results: – 2 XSS, 1 Unvalidated Redirect issues • CAT.NET is a very limited security scanner
  • 8. FxCop • GUI and command line binary static analysis of dotNET code • Rules primarily target design, naming, performance, interoperability, globalization, usage • Basic security rules exist – SQL Injection, XSS
  • 9. Visual Studio Code Analysis • FxCop wrapper baked into Visual Studio • Security rules covered by the “Microsoft Security Rules” rule set • Custom rules can be created using the BaseFxCopRule • https://msdn.microsoft.com/en- us/library/3z0aeatx(v=vs.140).aspx
  • 10. Code Analysis Security Benchmark • Rule target results from the “Microsoft Security Rules” rule set • Widget Town scan results: – 2 SQL Injection instances, 1 is a false positive
  • 11. • Widget Town combined CAT.NET and VS Code analysis scan results: Scan Result Summary Category Valid False Positive Cross-Site Scripting 2 0 SQL Injection 1 1 Unvalidated Redirect 1 0
  • 12. • Widget Town combined CAT.NET and VS Code analysis scan results: Scan Result Summary Category Valid False Positive Cross-Site Scripting 2 0 SQL Injection 1 1 Unvalidated Redirect 1 0
  • 13. Roadmap • .NET Static Analysis Options • The Roslyn API • Code Analyzer • Additional Files Analyzer • Puma Scan • Future Enhancements
  • 14. Introducing Roslyn • Open-source C# and Visual Basic compilers with code analysis APIs • Capable of producing warnings in code as you type:
  • 15. Getting Started • Prerequisites: – Visual Studio 2015 – Visual Studio 2015 Extensibility Tools – .NET Compiler Platform ("Roslyn") SDK • Described in detail in this MSDN Magazine article by Alex Turner: – https://msdn.microsoft.com/en- us/magazine/dn879356.aspx
  • 16. Creating a Code Analyzer Project • File > New Project • Templates > Visual C# > Extensibility • Select Analyzer with Code Fix (NuGet + VSIX) template
  • 17. Roslyn Syntax Visualizer • Included in the .NET Compiler Platform SDK • Facilitates inspection of a syntax tree for any C# or VB code file open inside Visual Studio • Each node displays a properties grid for the item selected in the tree including: – Semantics, symbols, types, values, etc.
  • 18. Roadmap • .NET Static Analysis Options • The Roslyn API • Code Analyzer • Additional Files Analyzer • Puma Scan • Future Enhancements
• 19. Code Analyzer 101 • Roslyn exposes the following APIs to simplify code analysis: – DiagnosticAnalyzer – DiagnosticDescriptor – AnalysisContext – SyntaxKind (and SymbolKind)
• 20. Diagnostic Analyzer Class • Decorate the custom analyzer with the DiagnosticAnalyzer attribute • Inherit from the DiagnosticAnalyzer base class

```csharp
[DiagnosticAnalyzer(LanguageNames.CSharp)]
public class MyAwesomeAnalyzer : DiagnosticAnalyzer
{
    // Insert awesome analyzer logic here
}
```
• 21-22. Diagnostic Descriptor Class and List • Define the diagnostic’s id, title, message, severity, and description • Add the diagnostic descriptor to the rule’s list of supported diagnostics

```csharp
[...]
// Id, Title, MessageFormat, Category and Description are string constants on the analyzer
private static DiagnosticDescriptor Rule = new DiagnosticDescriptor(
    Id, Title, MessageFormat, Category, DiagnosticSeverity.Warning,
    isEnabledByDefault: true, description: Description);

// Roslyn only surfaces diagnostics whose descriptor is listed here
public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics
{
    get { return ImmutableArray.Create(Rule); }
}
```
• 23. Analysis Context Events • Determines when Roslyn calls back to your analyzer code • http://bit.ly/2dStJru • Context registration options: – RegisterCodeBlockAction – RegisterCompilationAction – RegisterCompilationStartAction – RegisterSemanticModelAction – RegisterSymbolAction – RegisterSyntaxNodeAction – RegisterSyntaxTreeAction
• 24. Symbol / Syntax Kind Options • Determines the syntax nodes or symbols the analyzer inspects • Hundreds of options are available; some commonly used items: – Syntax Kinds: MethodDeclaration, ObjectCreationExpression, InvocationExpression, SimpleAssignmentExpression – Symbol Kinds: Event, Field, Method, Parameter
  • 25. • Believe it or not, this is all you need to build a real analyzer • WARNING: Intense Roslyn code flagging ASP.NET Identity for weak password length coming next! Password Length Analyzer Example
• 26. Initializing an Analysis Context • Override the Initialize method • Register the SyntaxNodeAction event listener • Target the ObjectCreationExpression nodes

```csharp
[DiagnosticAnalyzer(LanguageNames.CSharp)]
public class MyAwesomeAnalyzer : DiagnosticAnalyzer
{
    [...]
    public override void Initialize(AnalysisContext context)
    {
        // AnalyzeSyntaxNode is invoked once per object creation expression in the compilation
        context.RegisterSyntaxNodeAction(AnalyzeSyntaxNode, SyntaxKind.ObjectCreationExpression);
    }
}
```
• 27-29. Identity Password Length Analyzer • Retrieve the incoming object creation node • Check the object type’s name • Verify the symbol is in the Identity namespace

```csharp
[...]
private static void AnalyzeSyntaxNode(SyntaxNodeAnalysisContext context)
{
    // The registration in Initialize guarantees an ObjectCreationExpressionSyntax node
    var statement = context.Node as ObjectCreationExpressionSyntax;
    if (string.Compare(statement?.Type.ToString(), "PasswordValidator", StringComparison.Ordinal) != 0)
        return;

    // GetSymbolInfo on the creation resolves the constructor; its containing
    // namespace tells us whether this is the ASP.NET Identity type
    var symbol = context.SemanticModel.GetSymbolInfo(statement).Symbol;
    if (string.Compare(symbol?.ContainingNamespace.ToString(), "Microsoft.AspNet.Identity", StringComparison.Ordinal) != 0)
        return;
```
• 30-31. Identity Password Length Analyzer • Retrieve the initializer expressions • Find and read the expression’s constant value

```csharp
[...]
    // RequiredLength defaults to 0, so a missing or empty initializer
    // (new PasswordValidator()) must fall through to the length check
    // instead of returning early, which would also dereference null
    var initializer = statement.Initializer;
    int minLength = 0;
    if (initializer != null)
    {
        foreach (var expression in initializer.Expressions)
        {
            var assignment = expression as AssignmentExpressionSyntax;
            if (assignment == null || !assignment.Left.ToString().Equals("RequiredLength"))
                continue;

            // Only a compile-time constant can be evaluated statically
            var value = context.SemanticModel.GetConstantValue(assignment.Right);
            if (value.HasValue)
                minLength = (int)value.Value;
        }
    }
```
• 32-33. Identity Password Length Analyzer • Minimum length requirement check • Report the diagnostic to the compiler

```csharp
[...]
    // Warn if length < 12 chars
    if (minLength < 12)
    {
        // The location of the object creation is where the squiggle appears
        var diagnostic = Diagnostic.Create(Rule, statement.GetLocation());
        context.ReportDiagnostic(diagnostic);
    }
}
}
```
  • 34. • Proof that 34 lines of code can create a static analysis rule flagging poor password management policies Identity Password Length Analyzer
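The slides above show the rule in fragments; the following is the same analyzer assembled into one compilable file, as an added example that is not code from the talk or from Puma Scan. It assumes the Microsoft.CodeAnalysis.CSharp NuGet package and ASP.NET Identity 2.x, whose PasswordValidator lives in the Microsoft.AspNet.Identity namespace; the namespace PumaScanDemo.Analyzers and the id SEC0001 are placeholders. It goes slightly beyond the slides: the constructed type is resolved through the semantic model so qualified or aliased names still match, a missing initializer is treated as RequiredLength 0, and a length that is not a compile-time constant is skipped rather than reported as 0.

```csharp
// Added example, not from the slides or Puma Scan. Assumes Microsoft.CodeAnalysis.CSharp
// and ASP.NET Identity 2.x (Microsoft.AspNet.Identity.PasswordValidator).
using System;
using System.Collections.Immutable;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;
using Microsoft.CodeAnalysis.Diagnostics;

namespace PumaScanDemo.Analyzers // hypothetical namespace
{
    [DiagnosticAnalyzer(LanguageNames.CSharp)]
    public sealed class PasswordLengthAnalyzer : DiagnosticAnalyzer
    {
        public const string DiagnosticId = "SEC0001"; // hypothetical id
        private const int MinimumLength = 12;
        private const string ValidatorType = "Microsoft.AspNet.Identity.PasswordValidator";

        private static readonly DiagnosticDescriptor Rule = new DiagnosticDescriptor(
            DiagnosticId,
            "Weak password length policy",
            "PasswordValidator.RequiredLength is {0}; require at least {1} characters",
            "Security",
            DiagnosticSeverity.Warning,
            isEnabledByDefault: true,
            description: "The ASP.NET Identity PasswordValidator accepts passwords shorter than the minimum length policy.");

        public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics => ImmutableArray.Create(Rule);

        public override void Initialize(AnalysisContext context)
        {
            context.RegisterSyntaxNodeAction(AnalyzeObjectCreation, SyntaxKind.ObjectCreationExpression);
        }

        private static void AnalyzeObjectCreation(SyntaxNodeAnalysisContext context)
        {
            var creation = (ObjectCreationExpressionSyntax)context.Node;

            // Resolve the constructed type through the semantic model so that
            // qualified names (Identity.PasswordValidator) and using aliases still match.
            var type = context.SemanticModel.GetTypeInfo(creation).Type;
            if (type == null || type.ToDisplayString() != ValidatorType)
                return;

            // RequiredLength defaults to 0, so no initializer is the weakest possible policy.
            int requiredLength = 0;
            bool lengthIsConstant = true;
            if (creation.Initializer != null)
            {
                foreach (var expression in creation.Initializer.Expressions)
                {
                    var assignment = expression as AssignmentExpressionSyntax;
                    if (assignment == null || assignment.Left.ToString() != "RequiredLength")
                        continue;

                    var constant = context.SemanticModel.GetConstantValue(assignment.Right);
                    if (constant.HasValue && constant.Value is int)
                        requiredLength = (int)constant.Value;
                    else
                        lengthIsConstant = false; // read from a variable or config: undecidable here
                }
            }

            if (lengthIsConstant && requiredLength < MinimumLength)
            {
                context.ReportDiagnostic(
                    Diagnostic.Create(Rule, creation.GetLocation(), requiredLength, MinimumLength));
            }
        }
    }
}
```

Because only constant values are judged, `new PasswordValidator { RequiredLength = Settings.MinLength }` produces no warning; a data-flow pass (see the Future Enhancements slide) would be needed to follow that value back to its source.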
  • 35. Roadmap • .NET Static Analysis Options • The Roslyn API • Code Analyzer • Additional Files Analyzer • Puma Scan • Future Enhancements
• 36. Non-Code Files • What about non-code files? • Security issues commonly exist in non-code files: – Configuration files (.config, .json) – View markup files (.cshtml, .html, .aspx, .ascx) – External references (.js, .css) – Scripts and non-compiled languages (SQL, Node.js, Python, Ruby on Rails)
  • 37. Additional Files • Additional files were designed to feed configuration data to code analyzers – Password complexity rules, authentication timeout values, etc.
• 38. Additional Files Analyzer • But, we need to analyze and create diagnostic warnings in non-code files – .config, .json, .cshtml, .aspx, .ascx, etc. • Not officially supported as of Visual Studio 2015 Update 3 • Open GitHub issue – https://github.com/dotnet/roslyn/issues/11097
• 39. Additional Files Analyzer Roadblocks • Additional files are not automatically loaded into the analysis context • A diagnostic whose location points into an additional (non-source) file is silently dropped from the error list
• 40. Additional File Item Names • Each project file targeted for analysis must set its AdditionalFileItemNames property to include all Content items:

```xml
<PropertyGroup>
  [...]
  <AdditionalFileItemNames>$(AdditionalFileItemNames);Content</AdditionalFileItemNames>
</PropertyGroup>
```
• 41. Additional File Diagnostic • Do not include the source location in additional file diagnostics • Workaround: leverage the message arguments parameter to display path and line info in the error list:

```csharp
string messageFormat = "Debug compilation is enabled. {0}({1}): {2}";
context.ReportDiagnostic(Diagnostic.Create(Rule, Location.None, path, lineNumber, line));
```
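Putting slides 37 through 41 together, the following is an additional-files analyzer for web.config, as an added example that is not code from the talk or from Puma Scan. It assumes the Microsoft.CodeAnalysis.CSharp package and that the project lists web.config as an additional file (the AdditionalFileItemNames setting above); the namespace, the ids SEC0002/SEC0003 and the second rule (customErrors mode="Off") are the example's own choices. Checks run in a compilation action, because that is where context.Options.AdditionalFiles is reachable, and every diagnostic uses Location.None with the path and line carried in the message, as the workaround slide describes.

```csharp
// Added example, not from the slides or Puma Scan. Assumes Microsoft.CodeAnalysis.CSharp
// and a project whose web.config is passed to the compiler as an AdditionalFile.
using System;
using System.Collections.Generic;
using System.Collections.Immutable;
using System.IO;
using System.Linq;
using System.Xml;
using System.Xml.Linq;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.Diagnostics;

namespace PumaScanDemo.Analyzers // hypothetical namespace
{
    [DiagnosticAnalyzer(LanguageNames.CSharp)]
    public sealed class WebConfigAnalyzer : DiagnosticAnalyzer
    {
        // Hypothetical ids. The message carries file path and line because a
        // diagnostic with a non-source Location is dropped from the error list.
        private static readonly DiagnosticDescriptor DebugRule = new DiagnosticDescriptor(
            "SEC0002", "Debug compilation enabled",
            "Debug compilation is enabled. {0}({1}): {2}",
            "Security", DiagnosticSeverity.Warning, isEnabledByDefault: true);

        private static readonly DiagnosticDescriptor CustomErrorsRule = new DiagnosticDescriptor(
            "SEC0003", "Custom errors disabled",
            "Custom errors are off; stack traces reach the browser. {0}({1}): {2}",
            "Security", DiagnosticSeverity.Warning, isEnabledByDefault: true);

        public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics
            => ImmutableArray.Create(DebugRule, CustomErrorsRule);

        public override void Initialize(AnalysisContext context)
        {
            // Additional files are only exposed through the compilation-level contexts.
            context.RegisterCompilationAction(AnalyzeAdditionalFiles);
        }

        private static void AnalyzeAdditionalFiles(CompilationAnalysisContext context)
        {
            foreach (var file in context.Options.AdditionalFiles)
            {
                if (!string.Equals(Path.GetFileName(file.Path), "web.config", StringComparison.OrdinalIgnoreCase))
                    continue;

                var text = file.GetText(context.CancellationToken);
                if (text == null)
                    continue;

                foreach (var diagnostic in CheckWebConfig(file.Path, text.ToString()))
                    context.ReportDiagnostic(diagnostic);
            }
        }

        // Kept separate from the Roslyn callbacks so it can be unit tested on a string.
        public static IReadOnlyList<Diagnostic> CheckWebConfig(string path, string xml)
        {
            var results = new List<Diagnostic>();
            XDocument doc;
            try { doc = XDocument.Parse(xml, LoadOptions.SetLineInfo); }
            catch (XmlException) { return results; } // malformed config: nothing to report

            // <system.web><compilation debug="true" />
            foreach (var element in doc.Descendants("compilation"))
                if (AttributeIs(element, "debug", "true"))
                    results.Add(Create(DebugRule, path, element));

            // <system.web><customErrors mode="Off" />
            foreach (var element in doc.Descendants("customErrors"))
                if (AttributeIs(element, "mode", "Off"))
                    results.Add(Create(CustomErrorsRule, path, element));

            return results;
        }

        private static bool AttributeIs(XElement element, string name, string expected)
        {
            var value = element.Attribute(name)?.Value;
            return value != null && string.Equals(value.Trim(), expected, StringComparison.OrdinalIgnoreCase);
        }

        private static Diagnostic Create(DiagnosticDescriptor rule, string path, XElement element)
        {
            var info = (IXmlLineInfo)element;
            int line = info.HasLineInfo() ? info.LineNumber : 0;
            // Render only the start tag so the error list shows the offending setting.
            string snippet = "<" + element.Name + string.Concat(
                element.Attributes().Select(a => " " + a.Name + "=\"" + a.Value + "\"")) + ">";
            return Diagnostic.Create(rule, Location.None, path, line, snippet);
        }
    }
}
```

Parsing the file as XML rather than matching text keeps `debug = "True"` and commented-out settings from producing false positives, and the line number reported in the message comes from the XML reader's line info, so it stays correct when attributes span multiple lines.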
  • 42. Additional File Analyzer Diagnostics • Diagnostics reported on web.config vulnerabilities in the error list:
• 43. Additional Files Analyzer Limitations • Additional files are not automatically loaded after installing the NuGet package – Open ticket to correct this in the NuGet installer • Manual edits required to project files when using the extension (.vsix) installer • Error list double click navigation is not supported • No squiggles in non-code files (the editor does not underline the flagged line)
  • 44. Demo Code Repo • Sample analyzers from this talk are available in git: – https://github.com/ejohn20/puma-scan-demo
  • 45. Roadmap • .NET Static Analysis Options • The Roslyn API • Code Analyzer • Additional Files Analyzer • Puma Scan • Future Enhancements
  • 46. Introducing the Puma Scan • Open source Visual Studio Roslyn security source code analyzer extension • Over 40 application security-specific rules • Version 1.0 is available via NuGet & Visual Studio Marketplace • Install, rule docs, source code: – https://www.pumascan.com – https://github.com/pumasecurity – @puma_scan
• 47. Puma Scan Result Summary • Widget Town Puma Scan results: – 54 valid issues, 10 false positives
    Category                          Valid   False Positive
    Cross-Site Scripting              19      3
    SQL Injection                     2       3
    Misconfiguration                  16      0
    Path Tampering                    3       0
    Unvalidated Redirect              2       4
    Cross-Site Request Forgery        8       0
    Poor Password Management          3       0
    Certificate Validation Disabled   1       0
  • 48. Future Enhancements • Welcoming contributors! • Gather feedback and address edge cases • Continue to build out additional rule categories – Crypto, cleartext secrets, XML processing, etc. • Further refine results using data flow analysis to eliminate false positives • Identify rules that can apply suggested code fixes
• 49. Acknowledgements • Eric Mead – Cypress Data Defense • Tom Meschter – Microsoft • Manish Vasani – Microsoft • Gitter Roslyn Channel
  • 50. Thank you for attending! Email: eric.johnson@pumascan.com Twitter: @emjohn20