- Modern web application frameworks have powerful security features built-in like template escaping, database abstraction, session management, and authentication that help prevent vulnerabilities like XSS and SQL injection. These features are standard, well-tested, and usually more robust than custom code.
- Libraries and dependencies make up a large portion of modern applications. Keep dependencies up to date with security patches, and be careful with code of unknown quality such as many GitHub libraries and samples copied from StackOverflow.
- Different security scanners like SAST, DAST, and IAST scan applications in different ways and at different stages, but an important factor is how well they understand the specific programming languages, frameworks, and technologies used in the application being
2. Intro
● In application security since the 90’s
– Worked for Motorola, Aon, Goldman-Sachs, HSBC
– OWASP, open-source https://github.com/kravietz
– Created https://webcookies.org/
● Contact me at pawel.krawczyk@hush.com
3. Three Riders of the Apocalypse
● Custom code exploits
● Framework and library exploits
● Infrastructure that allows all that
5. Self-defending web applications
• Modern web application frameworks have powerful security features
− Template escaping and sanitization by design → prevent XSS
− Database abstraction (ORM, parameterized queries) → prevent SQLi
− Session management → prevent session fixation, CSRF
− Authentication → prevent admin/admin1 (default and weak credentials)
− Web security features (e.g. security headers) → protect client-side
• Advantages
− They come for free
− They’re standard
− They’re thoroughly tested for QA and security audited
− Usually more robust than home-brewed ones
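The two first arrows on this slide, as an added example that is not part of the original deck: a home-brewed query and a home-brewed HTML string next to what a database abstraction and an autoescaping template engine do underneath. The stdlib sqlite3 module and html.escape stand in for the framework; the user table, the names and the payload are constructed for the example.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_homebrew(conn: sqlite3.Connection, name: str) -> list:
    """Home-brewed data access: the request value is pasted into the SQL text,
    so a value containing a quote changes the structure of the query."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """What the ORM / database abstraction does underneath: the value travels
    as a bound parameter and is never parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_greeting_homebrew(name: str) -> str:
    """Hand-built HTML: any markup in the value is emitted verbatim into the page."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_escaped(name: str) -> str:
    """What a template engine with autoescaping does for every {{ variable }}:
    the HTML-significant characters (& < > " ') become entities."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print(find_user_homebrew(db, payload))       # every row: the WHERE clause was rewritten
    print(find_user_parameterized(db, payload))  # []: looked for a user literally named x' OR '1'='1
    print(render_greeting_escaped("<script>alert(1)</script>"))
```

The point of the pairing: the safe versions are not cleverer, they simply never let data become code, which is exactly what the framework gives you for free when you stay on its template and ORM paths instead of building strings yourself.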
6. Primary „do not repeat at home” areas
• Input validation, sanitization and escaping
• Cryptography
• Authentication, authorization
• A lot of libraries on GitHub
− Most are of poor quality!
− Many users != quality code: popularity is not a security review
− Be very careful when using samples from StackOverflow!
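Cryptography and authentication are two of the areas above, and password storage is where home-brewed code from GitHub samples goes wrong most often. As an added example that is not part of the original deck: the typical sample (fast unsalted hash, compared with ==) next to the shape a framework's password hasher actually stores, built here only from the Python standard library. The iteration count and the storage format are assumptions for this example.

```python
import hashlib
import hmac
import secrets


# Home-brewed scheme seen in many samples: fast unsalted hash, compared with ==.
def homebrew_hash(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def homebrew_verify(stored: str, password: str) -> bool:
    return stored == homebrew_hash(password)   # early-exit comparison, leaks timing


# Standard-library KDF in the shape of a framework password hasher entry.
ITERATIONS = 100_000  # assumption for this example; tune to your CPU budget


def make_password(password: str, salt: bytes = b"", iterations: int = ITERATIONS) -> str:
    salt = salt or secrets.token_bytes(16)           # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # algorithm$iterations$salt$digest: everything needed to verify and to migrate later
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def check_password(stored: str, password: str) -> bool:
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    # constant-time comparison: no early exit on the first differing byte
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```

With the home-brewed scheme every user who picked the same password gets the same hash, so one precomputed table cracks all of them; with a salted, iterated KDF the same password yields a different string per user and each guess costs the attacker the full iteration count. Frameworks ship exactly this (and handle the upgrade when the parameters change), which is why it is on the "do not repeat at home" list.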
14. Libraries and Dependencies
What really makes your application?
1. The code you wrote
● “our code”, “custom code”
2. Platform API and standard libraries
● Django, ASP.NET, DropWizard, JAX-WS, Node.js
3. 3rd party libraries
● Include a dozen, you’ll get hundreds – chain reaction
26. Keeping up to date
● Abandon the “n-1” nonsense (deliberately staying one release behind the latest)
● Always upgrade libraries with security patches
– Even if the flaw is not exploitable in your deployment right now
● Prefer to install any bugfix updates
– If you hold back, you only accumulate tech debt
– Twice the work when a security update comes
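The "include a dozen, you'll get hundreds" chain reaction from slide 14 and the "always upgrade libraries with security patches" rule above come together in one added example that is not part of the original deck: walk a dependency graph to see how many packages the application really ships, then match the installed versions against an advisory feed and report which direct dependency drags each affected package in. The package names, versions and advisory identifiers are all constructed for the example; a real tool would read a lock file and a real advisory database, and would need proper version parsing.

```python
from collections import deque

# Constructed dependency graph: package -> (installed version, declared requirements).
DEPENDENCY_GRAPH = {
    "app":            ("1.0", ["webframework", "httpclient", "jsonlib"]),
    "webframework":   ("2.1", ["templating", "jsonlib"]),
    "httpclient":     ("0.9", ["urlparse", "tls-helper"]),
    "jsonlib":        ("3.0", []),
    "templating":     ("1.4", ["markupsafe-ish"]),
    "markupsafe-ish": ("0.2", []),
    "urlparse":       ("5.1", []),
    "tls-helper":     ("1.0", ["cert-store"]),
    "cert-store":     ("2.2", []),
}

# Constructed advisory feed: installed versions below "fixed_in" are affected.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "markupsafe-ish", "fixed_in": "0.3"},
    {"id": "EXAMPLE-0002", "package": "cert-store", "fixed_in": "2.3"},
    {"id": "EXAMPLE-0003", "package": "jsonlib", "fixed_in": "2.9"},  # already fixed: not reported
]


def parse_version(version: str) -> tuple:
    """Dotted numeric versions only; real tools need PEP 440 / semver parsing."""
    return tuple(int(part) for part in version.split("."))


def resolve(root: str, graph: dict) -> dict:
    """Return {package: shortest path from root} for every package root pulls in."""
    paths = {}
    queue = deque((dep, [root, dep]) for dep in graph[root][1])
    while queue:                       # breadth-first, so the first path found is a shortest one
        pkg, path = queue.popleft()
        if pkg in paths:
            continue
        paths[pkg] = path
        for dep in graph[pkg][1]:
            if dep not in paths:
                queue.append((dep, path + [dep]))
    return paths


def dependency_counts(root: str, graph: dict) -> tuple:
    """(direct dependencies, everything actually shipped): the chain-reaction effect."""
    return len(graph[root][1]), len(resolve(root, graph))


def vulnerable_dependencies(root: str, graph: dict, advisories: list) -> list:
    """Match installed versions against advisories; name the chain that pulls each one in."""
    deps = resolve(root, graph)
    findings = []
    for adv in advisories:
        pkg = adv["package"]
        if pkg not in deps:
            continue
        installed = graph[pkg][0]
        if parse_version(installed) < parse_version(adv["fixed_in"]):
            findings.append({
                "id": adv["id"],
                "package": pkg,
                "installed": installed,
                "fixed_in": adv["fixed_in"],
                "pulled_in_via": " -> ".join(deps[pkg]),
            })
    return findings


if __name__ == "__main__":
    print(dependency_counts("app", DEPENDENCY_GRAPH))
    for finding in vulnerable_dependencies("app", DEPENDENCY_GRAPH, ADVISORIES):
        print(finding)
```

Both affected packages here are three hops away from the application, which is the usual situation: nobody on the team chose them, so nobody is watching their release notes. The "pulled_in_via" chain is what you need in order to know which direct dependency must be bumped (or pinned to a newer transitive version) to pick up the fix, and running this on every build is how the "upgrade even if not exploitable right now" rule gets enforced without relying on anyone remembering.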
33. Different scopes of SAST/DAST/IAST
[Diagram: load balancer → Nginx → API #1 / API #2 (Java), SAML; SAST and DAST scopes marked]
SAST – source code
“grep on steroids”
+ no binary required
+ all exec paths
- very noisy
- false positives
- very expensive
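What "grep on steroids" means in practice, as an added example that is not part of the original deck: a single SAST rule written against the Python AST that flags every database execute() call whose SQL argument is assembled at run time. It sees all execution paths without running anything, and it also shows the source of the noise: the third call below is flagged although the interpolated value is a module constant, because the rule only knows syntax. The sample source, the sink names and the rule itself are constructed for this example.

```python
import ast

# Constructed application source, as the scanner would read it from the repository.
SAMPLE_SOURCE = '''
TABLE = "users"

def lookup(conn, name, limit):
    conn.execute("SELECT * FROM users WHERE name = '%s'" % name)   # string-built: real SQLi
    conn.execute(f"SELECT * FROM users LIMIT {limit}")            # string-built: real SQLi
    conn.execute(f"SELECT * FROM {TABLE}")                        # string-built, but TABLE is a constant
    conn.execute("SELECT * FROM users WHERE name = ?", (name,))   # bound parameter: safe
'''

# Method names the rule treats as SQL sinks (DB-API style).
SQL_SINKS = {"execute", "executemany", "executescript"}


def builds_string(node: ast.AST) -> bool:
    """True when the expression assembles a string at run time (f-string, %, +, .format)."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


def find_string_built_sql(source: str) -> list:
    """Line numbers of every <obj>.execute(...) whose first argument is built at run time."""
    lines = []
    for node in ast.walk(ast.parse(source)):     # every node, every branch: all exec paths
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr in SQL_SINKS and node.args and builds_string(node.args[0]):
            lines.append(node.lineno)
    return sorted(lines)


if __name__ == "__main__":
    print(find_string_built_sql(SAMPLE_SOURCE))   # lines 5, 6 and 7; line 8 is clean
```

Three findings, two of them real. Making the rule smarter (resolving TABLE to a constant, following values across functions, knowing that the framework's ORM already parameterizes) is exactly the expensive part of a commercial SAST engine, and why the buyer's-guide questions later in this deck ask how well the scanner knows your language version and framework.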
35. Different scopes of SAST/DAST/IAST
[Diagram: same architecture (load balancer → Nginx → API #1 / API #2, SAML); IAST scope marked inside one service]
IAST – run-time scan
“strace on steroids”
+ low false positives
+ high precision
- limited to one service
- expensive
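The "strace on steroids" idea, as an added example that is not part of the original deck: a toy IAST agent that hooks the request entry point to learn which values are attacker-controlled, and hooks the SQL sink to check whether any of them turned up verbatim in the query text. Because it looks at what actually reaches the sink, it reports the string-built query and stays quiet about the parameterized one, with no syntax guessing. The agent, the cursor wrapper, the handler and the request data are all constructed for the example; a real agent instruments the framework and the database driver rather than wrapping a cursor by hand.

```python
import sqlite3


class ToyIastAgent:
    """Constructed stand-in for an IAST agent: taint sources from the request,
    inspection at the SQL sink, both observed at run time inside one service."""

    def __init__(self) -> None:
        self.taint: set = set()
        self.findings: list = []

    def on_request(self, params: dict) -> None:
        # Every request value is a taint source; very short values would cause noise, so skip them.
        self.taint = {v for v in params.values() if isinstance(v, str) and len(v) >= 3}

    def on_execute(self, sql: str, params) -> None:
        if params:
            return                       # bound parameters: the value cannot reach the SQL text
        for value in self.taint:
            if value in sql:             # attacker-controlled bytes are part of the statement
                self.findings.append({"sql": sql, "tainted_by": value})


class TracedCursor:
    """Wraps an sqlite3 cursor so every execute() passes through the agent first."""

    def __init__(self, conn: sqlite3.Connection, agent: ToyIastAgent) -> None:
        self._cur = conn.cursor()
        self._agent = agent

    def execute(self, sql: str, params=()):
        self._agent.on_execute(sql, params)
        return self._cur.execute(sql, params)

    def fetchall(self):
        return self._cur.fetchall()


def handle_request(conn: sqlite3.Connection, agent: ToyIastAgent, query_params: dict) -> list:
    """Constructed handler: one injectable query, one parameterized one, one hard-coded literal."""
    agent.on_request(query_params)
    cur = TracedCursor(conn, agent)
    cur.execute("SELECT name FROM users WHERE name = '%s'" % query_params["name"])   # flagged
    cur.execute("SELECT name FROM users WHERE role = ?", (query_params["role"],))    # bound: silent
    cur.execute("SELECT name FROM users WHERE name = 'system'")                      # literal: silent
    return cur.fetchall()


def run_demo(query_params: dict) -> list:
    """Run one request through the instrumented handler and return the agent's findings."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("system", "user")])
    agent = ToyIastAgent()
    handle_request(conn, agent, query_params)
    return agent.findings


if __name__ == "__main__":
    for finding in run_demo({"name": "x' OR '1'='1", "role": "admin"}):
        print(finding)
```

Note that the agent also reports the first query for a perfectly benign request such as name=alice, since the vulnerability is that request bytes land in the statement, not that a particular payload was sent; that is why IAST finds things during ordinary functional testing. The limitation on the slide is visible too: the agent only sees the service it runs in, so the Nginx and load balancer layers in the diagram are outside its scope.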
37. Different scopes of SAST/DAST/IAST
[Diagram: same architecture (load balancer → Nginx → API #1 / API #2, SAML); RASP and IAST marked inside the Java service]
RASP – run-time protection
“AppArmor for Java”
+ high precision
+ better than WAF
46. Security scanner buyer’s guide
• Programming language support
− Language version and syntax supported
• Supports JavaScript, but what about ES6?
− Framework support
• Nobody writes web apps in pure Java or Python
• Frameworks provide key HTTP, templating, SQL abstraction
• Scanner must know framework entry and exit points
• Scanner supports JavaScript, but does it know about Node.js?
• Understands Java, but what about JAX, Jackson, DropWizard?
• Play Framework is part Java, part Scala, compiles to Java bytecode
47. Rule updates
● How frequently updated?
– Vulnerability detection rules are the heart of each scanner
– Not much joy from ASP.NET 2.0 rules
● Compiled binaries required?
– Advantage of SAST is scanning from source code alone
– Requiring a compiled build improves precision but limits the scanner to environments where a build exists (typically the developer’s)
48. Integration with build pipeline
● Inline scan vs dedicated scan server
● Headless (command line only) run vs GUI
● How many resources does the scanner take?
● Some scanners require resource-intensive servers
● Integration with continuous integration tools (Jenkins plugins, API)
● Effectiveness of web crawling (DAST only, AngularJS apps)
49. Result analysis
● Precision of results
● Thousands of false positives render scanner useless
● Does it find actual vulnerabilities? (false sense of security)
● Can you rate and comment findings?
● Can you whitelist false positives or accepted risk?
● Can you report false positives to vendor?
● Does it integrate into IDE?
● Plugins for IntelliJ, Eclipse, Visual Studio?
50. Infrastructure horror
● Systems unpatched for years
– “for security reasons we don’t install any security patches”
– “we’re not a target”
● No OS-level hardening
– “for security reasons we keep all SUID binaries”
● Flat huge LANs
– “it’s been like this since the 80’s”
● No host-level firewalls
– “our perimeter has three expensive firewalls”
● No intrusion detection
– “why would anyone run an SSH scan against us for weeks?”