
Implementation of SAST for Android Application

This is the reference guide for implementing the SAST tool Find Security Bugs (findsecbugs) with the IDE and Jenkins.


  1. MOBILE SAST IMPLEMENTATION
  2. TABLE OF CONTENT
     - INTRODUCTION
     - OVERVIEW OF DEVSECOPS
     - SECURE SDLC BENEFITS
     - ADVANTAGES & DISADVANTAGES OF SAST
     - INTEGRATION OF SAST IN IDE
     - INTEGRATION OF SAST INTO CI/CD
     - REFERENCES
  3. SSDLC BENEFITS
     - Build secure software
     - Creates awareness of security
     - Early detection of vulnerabilities
     - Overall reduction of risks for the organization
  4. ADVANTAGES & DISADVANTAGES OF SAST
     ADVANTAGES
     - Largely usable in developer IDEs to detect issues even before CI.
     - Easy to trigger from CI/CD.
     - Early detection of vulnerabilities.
     - Builds secure software.
     DISADVANTAGES
     - Takes a considerable amount of effort if the tool is adopted mid-project.
     - Integration effort.
     - Non-functional requirement.
     - Requires time to analyze the false positives.
  5. IDE INTEGRATION & CUSTOMIZATION
     - In Android Studio, click on the Android Studio menu and then select Preferences.
     - Click on Plugins and then click on Browse repositories.
     - Search for and install FindBugs-IDEA (then restart the IDE).
     - Navigate to Other Settings under the Preferences tab.
     - Click on FindBugs-IDEA and add the plugin by clicking the + icon.
     - Navigate to the Report tab and select SECURITY.
     - Finally click on Apply and Save.
     - Right-click on the project and select Analyze Project Files under FindBugs.
     - Reports can be exported in both HTML and XML format.
  6. INTEGRATION WITH CI/CD
     Add the below code to the build.gradle file (present under the app directory):

        apply plugin: 'findbugs'

        // Configuration that holds the Find Security Bugs detector plugin
        configurations {
            findbugsPlugins
        }

        dependencies {
            implementation fileTree(include: ['*.jar'], dir: 'libs')
            implementation 'com.google.android.gms:play-services:7.5.0'
            implementation 'com.github.marcohc:Toasteroid:2.1.4'
            findbugs 'com.google.code.findbugs:findbugs:3.0.1'
            findbugs configurations.findbugsPlugins.dependencies
            findbugsPlugins 'com.h3xstream.findsecbugs:findsecbugs-plugin:1.4.4'
        }

        // FindBugs task that loads the security rules only
        task findSecurityBugs(type: FindBugs) {
            // Compiled classes of the release variant; $project.buildDir is already app/build
            classes = fileTree("$project.buildDir/intermediates/javac/release/compileReleaseJavaWithJavac/classes/com/android/insecurebankv2/")
            // Relative to the module directory (a leading slash would make this an absolute path)
            source = fileTree('src/main/java/')
            classpath = files()
            pluginClasspath = project.configurations.findbugsPlugins
            findbugs {
                toolVersion = "3.0.1"
                ignoreFailures = true    // report only; the build does not fail on findings
                reportsDir = file("$project.buildDir/findbugsReports")
                effort = "max"
                reportLevel = "low"
                includeFilter = file("$project.rootDir/fsb-include.xml")
                excludeFilter = file("$project.rootDir/fsb-exclude.xml")
            }
        }
  7. ADDING NEW FILES
     - Create two files named 'fsb-include.xml' and 'fsb-exclude.xml'.
     - Add both of these files to the project (root) directory.
     - Add the below content to the 'fsb-exclude.xml' file (an empty filter, so nothing is excluded):

          <FindBugsFilter>
          </FindBugsFilter>

     - Add the below content to the 'fsb-include.xml' file (only findings in the SECURITY category are reported):

          <FindBugsFilter>
              <Match>
                  <Bug category="SECURITY"/>
              </Match>
          </FindBugsFilter>

     - Execute Gradle by running the below commands:

          ./gradlew build
          ./gradlew findSecurityBugs
  8. FOLDER STRUCTURE
  9. CONFIGURE JENKINS JOB
  10. PUBLISH REPORTS
  11. REFERENCES
     - https://www.owasp.org/index.php/Source_Code_Analysis_Tools
     - https://find-sec-bugs.github.io/
     - https://github.com/find-sec-bugs/find-sec-bugs/wiki/Gradle-configuration
     - https://github.com/sanjeevakuamr/InsecureBankv2-FindBugs
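The Jenkins job on slides 9 and 10 runs ./gradlew findSecurityBugs and publishes the report, but because build.gradle sets ignoreFailures = true, a build that contains security findings still succeeds. The script below is an added example, not part of the slides or of the InsecureBankv2-FindBugs project, of a gate the job can run as a step after the Gradle task: it parses the FindBugs XML report, keeps only SECURITY findings at or above a chosen priority, and exits non-zero when they exceed a threshold. The report path (app/build/findbugsReports/findSecurityBugs.xml), the class names and the line numbers in the embedded sample are assumptions constructed for the example.

```python
"""Gate a CI build on the Find Security Bugs XML report.

The findSecurityBugs Gradle task writes its XML report under
$project.buildDir/findbugsReports (assumed here to be findSecurityBugs.xml).
Because build.gradle sets ignoreFailures = true, Gradle never fails the
build on findings; this script reads the report and supplies that gate.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# FindBugs priorities as written in the XML: 1 = High, 2 = Medium, 3 = Low.
PRIORITY_NAMES = {1: "High", 2: "Medium", 3: "Low"}

# Constructed sample report in the FindBugs XML layout (a BugCollection of
# BugInstance elements). Class names and line numbers are made up for this
# example; a real run reads the report produced by Gradle from disk instead.
SAMPLE_REPORT = """<BugCollection version="3.0.1" sequence="0" timestamp="0" analysisTimestamp="0" release="">
  <BugInstance type="SQL_INJECTION_ANDROID" priority="1" category="SECURITY">
    <ShortMessage>Android SQL Injection</ShortMessage>
    <Class classname="com.example.app.LoginActivity">
      <SourceLine classname="com.example.app.LoginActivity" sourcefile="LoginActivity.java"/>
    </Class>
    <SourceLine classname="com.example.app.LoginActivity" start="42" end="42" sourcefile="LoginActivity.java"/>
  </BugInstance>
  <BugInstance type="ANDROID_WORLD_WRITABLE" priority="2" category="SECURITY">
    <ShortMessage>World writable file</ShortMessage>
    <Class classname="com.example.app.Storage"/>
    <SourceLine classname="com.example.app.Storage" start="17" end="17" sourcefile="Storage.java"/>
  </BugInstance>
  <BugInstance type="PREDICTABLE_RANDOM" priority="3" category="SECURITY">
    <ShortMessage>Predictable pseudorandom number generator</ShortMessage>
    <Class classname="com.example.app.TokenUtil"/>
    <SourceLine classname="com.example.app.TokenUtil" start="9" end="9" sourcefile="TokenUtil.java"/>
  </BugInstance>
  <BugInstance type="DM_DEFAULT_ENCODING" priority="2" category="I18N">
    <ShortMessage>Reliance on default encoding</ShortMessage>
    <Class classname="com.example.app.Storage"/>
  </BugInstance>
</BugCollection>
"""


def parse_findings(xml_text):
    """Return one dict per BugInstance, in report order."""
    root = ET.fromstring(xml_text)
    findings = []
    for bug in root.iter("BugInstance"):
        cls = bug.find("Class")
        # The primary source line is a direct child; find() does not descend into <Class>.
        line = bug.find("SourceLine")
        findings.append({
            "type": bug.get("type"),
            "category": bug.get("category"),
            "priority": int(bug.get("priority", "3")),
            "class": cls.get("classname") if cls is not None else "?",
            "line": int(line.get("start")) if line is not None and line.get("start") else None,
            "message": (bug.findtext("ShortMessage") or "").strip(),
        })
    return findings


def security_findings(findings, max_priority=3):
    """Keep SECURITY findings at least as severe as max_priority (1 is the most severe)."""
    return [f for f in findings if f["category"] == "SECURITY" and f["priority"] <= max_priority]


def summarize(findings):
    """Count findings by (priority name, bug type) for the build log."""
    return Counter((PRIORITY_NAMES.get(f["priority"], str(f["priority"])), f["type"])
                   for f in findings)


def gate(xml_text, max_priority=2, threshold=0):
    """Return (passed, blocking_findings); passed is False when blocking findings exceed threshold."""
    blocking = security_findings(parse_findings(xml_text), max_priority)
    return len(blocking) <= threshold, blocking


def main(argv):
    # With a path argument, read the Gradle report; without one, use the constructed sample.
    path = argv[1] if len(argv) > 1 else None
    xml_text = open(path, encoding="utf-8").read() if path else SAMPLE_REPORT
    passed, blocking = gate(xml_text, max_priority=2, threshold=0)
    for f in blocking:
        name = PRIORITY_NAMES.get(f["priority"], str(f["priority"]))
        print(f"[{name}] {f['type']} {f['class']}:{f['line']} - {f['message']}")
    for (name, bug_type), count in sorted(summarize(blocking).items()):
        print(f"{name:>6} {bug_type}: {count}")
    print(f"{len(blocking)} blocking SECURITY finding(s); gate {'PASSED' if passed else 'FAILED'}")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the Jenkins job this runs as a shell step after the Gradle task, for example python3 fsb_gate.py app/build/findbugsReports/findSecurityBugs.xml, and the job result follows the exit status; the HTML report stays published for developers as on slide 10, while the gate is what decides whether the build is green. Low-priority SECURITY findings are deliberately listed but not blocking by default, which keeps the false-positive review from slide 4 off the critical path.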
