Information Security

Web Application Security
Security Test Automation in Software Development using Open Source Tools

About Smals vzw-asbl
One of Belgium's largest ICT organisations: 1750 people

"ICT for Society"
• Work: e.g. Dimona-DmfA (declaration of salary and labour data)
• Health: e.g. the eHealth platform (secure exchange of medical data in Belgium)
• Family life: e.g. VESTA (home care for the elderly: financial and operational support)

In-house ICT service, working exclusively for the government
High priority for ICT security and privacy

Introduction
Security Test Automation in Software Development using Open Source Tools
• Can we do it?
• What do we need?
  • Source code
  • Working parts of the application
  • Selenium tests for the functional part

Application Security Disclaimer
Hacking is illegal and can be punished under the Belgian computer crime legislation (the Law of 28 November 2000 on computer crime). The methods shown here are therefore illegal when used without the consent of the target.

Hacking is illegal under Belgian law

Article 550bis § 1
A person who, knowing that he is not entitled to do so, gains access to a computer system or maintains himself in it, shall be punished with imprisonment of three months to one year and a fine of twenty-six to twenty-five thousand euro, or with one of these penalties. If the offence referred to in the first paragraph is committed with fraudulent intent, the imprisonment is six months to two years.

Security myths
Firewalls …

• Firewalls are always configured to let web traffic (HTTP(S)) through
• To the web application, the attacker looks like a normal user

Security myths

SSL secures the application…

• Server-side SSL only guarantees confidentiality at the transport level
• The attacker uses the same SSL tunnel

Security myths

The application framework solves that…

• Frameworks don't solve security issues by themselves
• Some frameworks facilitate secure coding, but not by default
• Some frameworks do so by default, but workarounds exist that reintroduce the security problems

OWASP Top Ten (2013 Edition)

SQL Injection

Normal login:
  User: John
  Password: secret

  SELECT user FROM users WHERE user='John' AND password='secret';
  -> John -> "Welkom, John"

Injected login:
  User: xxxx
  Password: ' or 1=1;--

  SELECT user FROM users WHERE user='xxxx' AND password='' or 1=1;--';
  -> the WHERE clause is true for every row and the trailing quote is commented out;
     the first user in the table (Aaron) is returned -> "Welkom, Aaron"

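The two queries above, run against an in-memory SQLite database so the effect can be reproduced offline. This is an added example, not code from the original deck: the users table, its two accounts (Aaron, John) and the plaintext passwords are constructed for the demo, and the column is named username instead of the slide's user. The concatenating version is the pattern FindBugs reports as SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE; the second version binds the input as parameters.

```python
"""SQL injection: string concatenation versus a parameterized query.

Added example for the SQL Injection slide (not code from the original deck).
The users table and its two accounts are constructed here so the script
runs offline against an in-memory SQLite database.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data. Plaintext passwords are for the demo only;
    a real application stores a salted password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("Aaron", "hunter2"), ("John", "secret")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the query by concatenation, exactly as on the slide.

    With password = "' or 1=1;--" the query becomes
      SELECT username FROM users WHERE username='xxxx' AND password='' or 1=1;--';
    The OR makes the WHERE clause true for every row and the -- comments out
    the dangling quote, so the first user in the table is "logged in".
    """
    query = ("SELECT username FROM users WHERE username='" + username
             + "' AND password='" + password + "';")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Parameterized query: the driver passes the values separately from the
    SQL text, so a quote in the input can never change the query structure."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1;--"
    print("vulnerable, John/secret :", login_vulnerable(db, "John", "secret"))
    print("vulnerable, xxxx/payload:", login_vulnerable(db, "xxxx", payload))
    print("safe, xxxx/payload      :", login_safe(db, "xxxx", payload))
```

Run it as a script to see the vulnerable login greet Aaron for the payload while the parameterized version returns nothing; the same payload fed to login_safe is simply compared as a literal password string.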
Stored XSS
The attacker posts a message ("Coming home at 5 o'clock") that contains <script>steal password</script>. The application stores the message and serves it to every user who reads it; the script runs in their browsers and sends their passwords to the attacker.

Reflected XSS
The attacker sends the victim a link such as
http://site.com/index?<script>steal password</script>
The application echoes the parameter unescaped in its error page:
Error: reason (<script>steal password</script>) unknown
so the script runs in the victim's browser and sends the password to the attacker.

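The reflected error page from the slide, rendered once unescaped and once through html.escape, with a small HTML-parser check that reports whether the input ended up as markup. This is an added example, not code from the original deck; the page template, the attacker payloads and the checker are constructed for the demo. The same escaping applies to the stored case: the difference is only where the payload comes from (database instead of request parameter).

```python
"""Reflected/stored XSS: an error page that echoes input raw versus escaped.

Added example for the XSS slides (not code from the original deck). The page
template, the payloads and the checker below are constructed for the demo;
PAYLOAD is the slide's "<script>steal password</script>".
"""
import html
from html.parser import HTMLParser

PAYLOAD = "<script>steal password</script>"


def error_page_vulnerable(reason: str) -> str:
    """Reflects the request parameter unescaped: the slide's vulnerable page."""
    return "<html><body>Error: reason (" + reason + ") unknown</body></html>"


def error_page_safe(reason: str) -> str:
    """Escapes <, >, &, " and ' so the browser renders the input as text."""
    return ("<html><body>Error: reason (" + html.escape(reason, quote=True)
            + ") unknown</body></html>")


class ActiveContentFinder(HTMLParser):
    """Collects tags that execute script and attributes that carry script
    (on* event handlers, javascript: URLs). Parsing the rendered page shows
    whether user input became markup, which is the decision the browser makes."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append(tag)
        for name, value in attrs:
            if name.startswith("on") or (
                name in ("href", "src")
                and value is not None
                and value.strip().lower().startswith("javascript:")
            ):
                self.findings.append(f"{tag}@{name}")


def active_content(page: str) -> list:
    """Return the active markup found in a rendered page (empty list if none)."""
    finder = ActiveContentFinder()
    finder.feed(page)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for render in (error_page_vulnerable, error_page_safe):
        page = render(PAYLOAD)
        print(render.__name__, "->", active_content(page) or "no active content")
        print("   ", page)
```

The checker is a test aid, not a defence: output encoding in the template (or a templating engine that escapes by default) is the fix, and the checker only confirms that the fix holds for a given payload.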
Sensitive Data Exposure
Clear text transmission

• Confidential information is simply sent back to the user in the clear
  • Improper web application implementation
  • Mixed secure and non-secure sections
  • Improper analysis of which information is sensitive
  • Improper configuration
  • Session cookies without the Secure flag

Sensitive Data Exposure
Error messages

• Error messages meant for developers carry a lot of information to locate the cause of the error
  • Stack traces in Java
  • SQL error messages from the database
  • PHP error messages
  • …
• When displayed to an attacker, those messages reveal a lot:
  • Data flow within the web application
  • Database layout
  • Operating system information
  • Network information
  • Application frameworks used

Cross Site Request Forgery
The victim is logged in to her bank. The attacker tricks her browser into requesting
http://bank.com/transaction?amount=10000&acc=001.1234567.27
The browser attaches her valid session cookie, so the bank executes the request: "Transaction successful".

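The bank endpoint from the slide, once as drawn (a GET with a valid cookie is enough) and once hardened with a per-session anti-CSRF token, an Origin check and a POST-only rule. This is an added example, not code from the original deck or from any framework: the Session and Request classes are a constructed stand-in for a web framework's request objects, the attacker origin evil.example is made up, and only the amount and account number come from the slide.

```python
"""CSRF: a transfer endpoint that trusts the session cookie alone, next to
one that also demands a per-session anti-CSRF token.

Added example for the CSRF slide (not code from the original deck). The
Session/Request classes are a constructed stand-in for a web framework's
objects; the amount and account number are taken from the slide.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    """Server-side session, looked up from the cookie the browser attached."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    params: dict                    # query string or form fields
    session: Optional[Session]      # None when no valid cookie was sent
    origin: Optional[str] = None    # Origin header, if the browser sent one


def transfer_vulnerable(req: Request) -> str:
    """The slide's bank: a GET carrying a valid session cookie is enough.
    An <img src="http://bank.com/transaction?amount=10000&acc=..."> on the
    attacker's page makes the victim's browser send exactly this request."""
    if req.session is None:
        return "login required"
    return f"Transaction successful: {req.params['amount']} to {req.params['acc']}"


def transfer_safe(req: Request, own_origin: str = "http://bank.com") -> str:
    """Hardened: state changes only on POST, the Origin header (when present)
    must be ours, and the form must carry the token stored in the session,
    compared in constant time. The attacker can make the browser send the
    cookie, but cannot read the token out of the victim's page."""
    if req.session is None:
        return "login required"
    if req.method != "POST":
        return "rejected: state change over GET"
    if req.origin is not None and req.origin != own_origin:
        return "rejected: cross-origin request"
    sent = str(req.params.get("csrf_token", ""))
    if not hmac.compare_digest(sent.encode(), req.session.csrf_token.encode()):
        return "rejected: missing or invalid CSRF token"
    return f"Transaction successful: {req.params['amount']} to {req.params['acc']}"


TRANSFER = {"amount": "10000", "acc": "001.1234567.27"}   # from the slide


def forged_get(victim: Session) -> Request:
    """Image tag on the attacker's page: browsers typically send no Origin
    header for this, but the victim's cookie goes along."""
    return Request("GET", "/transaction", dict(TRANSFER), victim)


def forged_post(victim: Session) -> Request:
    """Auto-submitted form on https://evil.example (constructed): browsers add
    an Origin header to cross-site POSTs, and the attacker has no token."""
    return Request("POST", "/transaction", dict(TRANSFER), victim,
                   origin="https://evil.example")


def legitimate_post(victim: Session) -> Request:
    """The bank's own form: same origin, token rendered into the page."""
    params = dict(TRANSFER, csrf_token=victim.csrf_token)
    return Request("POST", "/transaction", params, victim, origin="http://bank.com")


if __name__ == "__main__":
    alice = Session("alice")
    for label, req in (("forged GET", forged_get(alice)),
                       ("forged POST", forged_post(alice)),
                       ("legitimate", legitimate_post(alice))):
        print(f"{label:12} vulnerable: {transfer_vulnerable(req)}")
        print(f"{'':12} safe:       {transfer_safe(req)}")
```

The token check is the part that does the work; the POST-only and Origin rules are cheap extra layers. A real deployment also sets the session cookie with the Secure and HttpOnly flags and, where the browsers in scope support it, SameSite.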
Secure SDLC

Iterative approach; security activities attached to each phase of the development lifecycle:
• Requirements and use cases: security requirements
• Design: design review, risk analysis
• Test plans: risk-based security tests
• Code: code review, static analysis (tools)
• Test results: penetration testing
• Field feedback

Findbugs
• Static source code analyzer
  • Works on Java byte code
  • Source must compile!
• Searches for bug patterns
  • Finds real bugs
  • Also produces false warnings (false positives)
• Eclipse plugin
  • By default almost all detectors are enabled

Findbugs
• For security patterns:
  • DMI_CONSTANT_DB_PASSWORD: hardcoded constant database password
  • DMI_EMPTY_DB_PASSWORD: empty database password
  • EI_EXPOSE_REP: may expose internal representation by returning reference to mutable object
  • EI_EXPOSE_REP2: may expose internal representation by incorporating reference to mutable object
  • EI_EXPOSE_STATIC_REP2: may expose internal static state by storing a mutable object into a static field
  • MS_EXPOSE_REP: public static method may expose internal representation by returning array

Findbugs
  • SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE: nonconstant string passed to execute method on an SQL statement
  • SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING: a prepared statement is generated from a nonconstant String
  • XSS_REQUEST_PARAMETER_TO_SEND_ERROR: servlet reflected cross site scripting vulnerability in error page
  • XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER: servlet reflected cross site scripting vulnerability
  • RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE: nullcheck of value previously dereferenced
  • NP_NULL_ON_SOME_PATH: possible null pointer dereference
  • NP_NULL_ON_SOME_PATH_EXCEPTION: possible null pointer dereference in method on exception path

Demo Findbugs
• Eclipse

PMD
• Static source code analyzer
• Runs against the Java source code
• Also searches for bug patterns
• There are no real security patterns included
  • Gotham Digital Science has a security rule set

PMD
• For security patterns:
  • ArrayIsStoredDirectly
  • AvoidCatchingThrowable
  • AvoidPrintStackTrace
  • AvoidThrowingNullPointerException
  • DoNotCallSystemExit
  • ExceptionAsFlowControl
  • MethodReturnsInternalArray
  • MisplacedNullCheck

Demo PMD
• Eclipse

Zed Attack Proxy
• Intercepting proxy
• Traditional and AJAX spiders
• Automated scanner
• Forced browsing
• Fuzzer
• Dynamic SSL certificates
• Smartcard and client digital certificate support

Zed Attack Proxy
• Web sockets support
• Support for a wide range of scripting languages
• Plug-n-Hack support
• Authentication and session support
• Powerful REST-based API
• Automatic updating option
• Integrated and growing marketplace of add-ons

Demo Zaproxy
• Eclipse

Demo: Automatic Build Process
• Maven
• Findbugs
• PMD
• Zaproxy

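The last step of an automated build is deciding whether the ZAP results may pass. Below is an added example of such a gate, not code from the original deck or from the ZAP project: it parses the XML report ZAP writes after a scan and exits non-zero when an alert at or above a chosen risk level is present, so Maven or a CI job stops the pipeline. The report embedded in the script is constructed for the demo; the element names it relies on (alertitem, alert, riskcode 0-3, cweid, uri) are those of ZAP's traditional XML report, and the parser accepts uri both directly under alertitem (older 2.x reports) and under instances/instance (newer ones).

```python
"""Fail the build on ZAP findings above a risk threshold.

Added example for the "automatic build process" slide (not code from the
original deck or from ZAP). SAMPLE_REPORT is a constructed report in the
layout of ZAP's traditional XML report: one <alertitem> per alert with
<alert>, <riskcode> 0-3, <cweid> and the affected <uri> elements.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample report (not output of a real scan).
SAMPLE_REPORT = """<?xml version="1.0"?>
<OWASPZAPReport version="2.x" generated="Wed, 1 Jan 2014 12:00:00">
  <site name="http://localhost:8080" host="localhost" port="8080" ssl="false">
    <alerts>
      <alertitem>
        <pluginid>40012</pluginid>
        <alert>Cross Site Scripting (Reflected)</alert>
        <riskcode>3</riskcode>
        <cweid>79</cweid>
        <instances>
          <instance><uri>http://localhost:8080/index?reason=x</uri><param>reason</param></instance>
        </instances>
      </alertitem>
      <alertitem>
        <pluginid>10010</pluginid>
        <alert>Cookie No HttpOnly Flag</alert>
        <riskcode>1</riskcode>
        <cweid>16</cweid>
        <uri>http://localhost:8080/login</uri>
        <param>JSESSIONID</param>
      </alertitem>
      <alertitem>
        <pluginid>10021</pluginid>
        <alert>X-Content-Type-Options Header Missing</alert>
        <riskcode>1</riskcode>
        <cweid>16</cweid>
        <instances><instance><uri>http://localhost:8080/</uri></instance></instances>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""


@dataclass
class Alert:
    name: str
    risk: int
    cwe: str
    uris: list


def parse_report(xml_text: str) -> list:
    """Extract every alertitem, tolerating missing elements and both uri layouts."""
    root = ET.fromstring(xml_text)
    alerts = []
    for item in root.iter("alertitem"):
        name = item.findtext("alert") or item.findtext("name") or "?"
        risk = int(item.findtext("riskcode", default="0"))
        uris = [u.text for u in item.iter("uri") if u.text]
        alerts.append(Alert(name, risk, item.findtext("cweid", default=""), uris))
    return alerts


def gate(alerts: list, fail_at: int = 2) -> tuple:
    """Return (exit_code, blocking_alerts). fail_at=2 blocks Medium and High."""
    blocking = [a for a in alerts if a.risk >= fail_at]
    return (1 if blocking else 0), blocking


def summary(alerts: list) -> dict:
    """Count alerts per risk level, e.g. {'High': 1, 'Low': 2}."""
    return dict(Counter(RISK_NAMES.get(a.risk, str(a.risk)) for a in alerts))


def main(argv) -> int:
    """Usage: zap_gate.py [report.xml]; without a path the sample report is used."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_REPORT
    alerts = parse_report(xml_text)
    code, blocking = gate(alerts)
    print("ZAP alerts:", summary(alerts))
    for a in blocking:
        print(f"  BLOCKING {RISK_NAMES.get(a.risk, a.risk)} CWE-{a.cwe}: {a.name}")
        for uri in a.uris:
            print("     at", uri)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Start with a high threshold (fail only on High) so the build does not break on the first run, then lower it as the backlog of Medium findings is cleaned up; Low and Informational alerts are better reported than enforced.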
TODO's
• Maven
  • Zed Attack Proxy integration in the site phase
• SONAR integration of Zed Attack Proxy
• How about Agile development?
• Can we integrate this process in TDD and BDD?

Links
• FindBugs™ - Find Bugs in Java Programs
• PMD – Don't shoot the Messenger
• OWASP Zed Attack Proxy Project - OWASP
• ZAP Maven Plugin
• Automated Security Testing of web applications using OWASP Zed Attack Proxy
• Belgium - OWASP
• Gotham Digital Science

Resources …
• Books:
  • Software Security
  • Microsoft Secure Development Lifecycle
  • Enterprise Security Architecture

Reflection
• Open source
  • Good start
• Commercial tools
  • Are more integrated in their environment
  • Perform better
  • Come with a price
• Manual review by experts
  • Best results
  • Expensive
  • Reviews are not continuous
  • Very late in the process

Questions

Devoxx 2013 - David Tillemans - Security Test Automation in Software Development using Open Source Tools

  • 1.
    Information Security Web Application Security SecurityTest Automation in Software Development using Open Source Tools Information Security
  • 2.
    About Smals vzw-asbl Oneof Belgium's largest ICT-organisations: 1750 people "ICT for Society" Work: ex. Dimona-DmfA Salary & labour prestations Health: ex. eHealth-platform Secure exchange of medical data in Belgium Family life: ex. VESTA Home care for elderly (financial / operational support) In-house ICT-service, working exclusively for the government High priority for ICT Security & Privacy Information Security
  • 3.
    Introduction  Security TestAutomation in Software Development using Open Source Tools  Can we do it?  What do we need?  Source code  Working parts of the application  Selenium tests for the functional part 33 Information Security
  • 4.
    Application Security Disclaimer Hackingis illegal and can be punished under the legal framework of the information criminality laws (Law issued on the 28 of november 2000 about informatica criminality). So the methods we show here are illegal if used without consent of the victim. 4 Information Security 4
  • 5.
    Hacking is illegalunder Belgium Law  5 Article 550bis § 1 A person who, while he knows that he is not yet entitled to it, gain access to a computer system, or in it maintains, shall be punished with imprisonment from three months to one year and a fine of twenty-six [euro] to twenty-five thousand [euro] or with one of these penalties. If the crime referred to in the first paragraph, committed with fraudulent intent, the maximum six months imprisonment to two years. Information Security
  • 6.
    Security myths Firewalls … •Firewalls are always configured to allow web traffic -> HTTP(S) • Attacker appears to the web application as a normal user Information Security
  • 7.
    Security myths SSL securesthe application… • Server-side SSL only guarantees confidentiality on transport level • Attacker also uses the SSL tunnel 7 Information Security
  • 8.
    Security myths The Applicationframework solves that… • Frameworks Don't Solve Security Issues • Some frameworks facilitate, but not by default • Some frameworks do, by default Workarounds exist to develop the security problems 8 Information Security
  • 9.
    OWASP Top Ten(2013 Edition) 9
  • 10.
    SQL Injection User: John xxxx password:secret ' or 1=1;-- SELECT user FROM SELECT user FROMWHERE users users WHERE AND user='xxx' user='John' AND password='' or 1=1;--'; password='secret'; John Aaron Welkom, Aaron John Information Security
  • 11.
    Stored XSS <script> Coming home Stealpassword at 5 o'clock </script> passwords Information Security11
  • 12.
  • 13.
    Sensitive Data Exposure Cleartext transmission • Confidential information is just sent back to the User Improper web application implementation Secure and non-secure sections Improper analysis of the information Improper configuration Unsecured SESSION cookies 13 Information Security
  • 14.
    Sensitive Data Exposure Errormessages • Error messages for developers carry a lot information to find the problem causing the error message Stack traces in JAVA SQL Error messages from Database PHP error messages … • Those error messages can give a lot information to the hacker, when displayed to him/her Information of dataflow in the Web application Database layout Operating System information Network information Application frameworks used 14 Information Security
  • 15.
    Cross Site RequestForgery http://bank.com/transaction?amoun t=10000&acc=001.1234567.27 http://bank.com/transaction?amount= 10000&acc=001.1234567.27 Transaction successfull Online to her bank Information Security
  • 16.
    Secure SDLC Security requirements Design Review Risk analysis Requirements and usecases Iterative approach Design Risk-based security tests Test plans Code Review 16 Static analysis (tools) Code Penetration testing Test results Information Security Field feedback
  • 17.
    Findbugs  Static Sourcecode analyzer  Works on Java byte code  Source must compile!  Searches for bug patterns  Find bugs  Find false warnings  Eclipse plugin  By default almost all enabled 17 Information Security
  • 18.
    Findbugs  For securitypatterns:  DMI_CONSTANT_DB_PASSWORD Hardcoded constant database password  DMI_EMPTY_DB_PASSWORD Empty database password  EI_EXPOSE_REP May expose internal representation by returning reference to mutable objects  EI_EXPOSE_REP2 May expose internal representation by incorporating reference to mutable object  EI_EXPOSE_STATIC_REP2 May expose internal static state by storing a mutable object into a static field  MS_EXPOSE_REP Public static method may expose internal representation by returning array 18 Information Security
  • 19.
    Findbugs  SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE Nonconstant stringpassed to execute method on an SQL statement  SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_ST RING A prepared statement is generated from a nonconstant String  XSS_REQUEST_PARAMETER_TO_SEND_ERROR JSP reflected cross site scripting vulnerability  XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER Servlet reflected cross site scripting vulnerability in error page  RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE Nullcheck of value previously dereferenced  NP_NULL_ON_SOME_PATH Possible null pointer dereference  NP_NULL_ON_SOME_PATH_EXCEPTION Possible null pointer dereference in method on exception path 19 Information Security
  • 20.
  • 21.
    PMD     Static Source codeanalyzer Runs against the Java source code Also searches for bug patterns There are no real security patterns included  Gotham Digital Science has a security rule set 21 Information Security
  • 22.
    PMD  For securitypatterns:         22 ArrayIsStoredDirectly AvoidCatchingThrowable AvoidPrintStackTrace AvoidThrowingNullPointerException DoNotCallSystemExit ExceptionAsFlowControl MethodReturnsInternalArray MisplacedNullCheck Information Security
  • 23.
  • 24.
    Zed Attack Proxy        24 InterceptingProxy Traditional and AJAX spiders Automated scanner Forced Browsing Fuzzer Dynamic SSL Certificates Smartcard and Client Digital Certificates support Information Security
  • 25.
    Zed Attack Proxy Web sockets support  Support for wide range of scripting languages  Plug-n-Hack support  Authentication and Session Support  Powerful REST based API  Automatic updating option  Integrated and growing marketplace of add-ons 25 Information Security
  • 26.
  • 27.
    Demo: Automatic BuildProces  Maven  Findbugs  PMD  Zaproxy 27 Information Security
  • 28.
    TODO’s  Maven  ZedAttack Proxy and site phase integration  SONAR integration of Zed Attack Proxy  How about Agile development?  Can we ingrate this process in TDD and BDD? 28 Information Security
  • 29.
    Links FindBugs™ - FindBugs in Java Programs PMD – Don’t shoot the Messenger OWASP Zed Attack Proxy Project - OWASP ZAP Maven Plugin Automated Security Testing of web applications using OWASP Zed Attack Proxy  Belgium - OWASP  Gotham Digital Science      29 Information Security
  • 30.
    Resources … • Books: SoftwareSecurity Microsoft Secure Development Lifecycle Enterprise Security Architecture 30 Information Security30
  • 31.
    Reflection  Open Source Good start  Commercial Tools  Are more integrated in their environment  Perform better  Comes with a price  Manual review by experts     31 Best results Expensive Non constant reviews Very late in the process Information Security
  • 32.