Pawel Krawczyk, profile picture
Uploaded byPawel Krawczyk
ODP, PPTX413 views

Effective DevSecOps

- Modern web application frameworks have powerful security features built-in like template escaping, database abstraction, session management, and authentication that help prevent vulnerabilities like XSS and SQL injection. These features are standard, well-tested, and usually more robust than custom code. - Libraries and dependencies make up a large portion of modern applications. It is important to keep dependencies up-to-date with security patches and be careful about dependencies from untrusted sources like some examples on StackOverflow. - Different security scanners like SAST, DAST, and IAST scan applications in different ways and at different stages, but an important factor is how well they understand the specific programming languages, frameworks, and technologies used in the application being

Technology
Related topics:
Information Security

Embed presentation

Download as ODP, PPTX
Effective Security Lifecycle in DevOps Pawel Krawczyk
Intro ● In application security since 90’s – Worked for Motorola, Aon, Goldman-Sachs, HSBC – OWASP, open-source https://github.com/kravietz – Created https://webcookies.org/ ● Contact me at pawel.krawczyk@hush.com
Three Riders of the Apocalypse ● Custom code exploits ● Framework and library exploits ● Infrastructure that allows all that
Self-defending web applications 4 • Modern web application frameworks have powerful security features − Template escaping and sanitization by design − Database abstraction − Session management − Authentication − Web security features • Advantages − They come for free − They’re standard − They’re thoroughly tested for QA and security audited − Usually more robust than home-brewed ones
Self-defending web applications 5 • Modern web application frameworks have powerful security features − Template escaping and sanitization by design → prevent XSS − Database abstraction → prevent SQLi − Session management → prevent session fixation, CSRF − Authentication → prevent admin/admin1 − Web security features → protect client-side • Advantages − They come for free − They’re standard − They’re thoroughly tested for QA and security audited − Usually more robust than home-brewed ones
Primary „do not repeat at home” areas 6 • Input validation, sanitization and escaping • Cryptography • Authentication, authorization • A lot of libraries on GitHub − Most are of poor quality! − Many users != quality code − Be very careful when using samples from StackOverflow!
9
SAP Java
Freemarker Templates Auto-Escaping
Freemarker Templates Auto-Escaping
13 Toxic dependencies
Libraries and Dependencies 14 What really makes your application? 1. The code you wrote ● “our code”, “custom code” 2. Platform API and standard libraries ● Django, ASP.NET, DropWizard, JAX-WS, Node.js 3. 3rd party libraries ● Include a dozen, you’ll get hundreds – chain reaction
Libraries and Dependencies 15 What really makes your application? 1. The code you wrote ● “our code”, “custom code” 2. Platform API and standard libraries ● Django, ASP.NET, DropWizard, JAX-WS, Node.js 3. 3rd party libraries ● Include a dozen, you’ll get hundreds – chain reaction
Libraries and Dependencies 16 What really makes your application? 1. The code you wrote ● “our code”, “custom code” 2. Platform API and standard libraries ● Django, ASP.NET, DropWizard, JAX-WS, Node.js 3. 3rd party libraries ● Include a dozen, you’ll get hundreds – chain reaction
Libraries and Dependencies 17 What really makes your application? 1. The code you wrote ● “our code”, “custom code” 2. Platform API and standard libraries ● Django, ASP.NET, DropWizard, JAX-WS, Node.js 3. 3rd party libraries ● Include a dozen, you’ll get hundreds – chain reaction
Vulnerabilities in client-side libraries 18
Dependency watchers
OWASP Dependency Check (Java) 20
OWASP Dependency Check 21
npm audit (previously: Node Security Platform) 22
Safety (Python) 23
Retire.js (JavaScript) 24
Snyk.io (JavaScript) 25
Keeping up to date ● Abandon the “n-1” nonsense ● Always upgrade libraries with security patches – Even if they are not exploitable right now ● Prefer to install any bugfix updates – If you hold, you only accumulate tech debt – Twice the work when a security update comes
Custom code scanners
Security Scanners 28 • Huge market with very inconsistent quality and maturity − Good salesmen with nearly useless products − Mature products with too many bells-and-whistles − Ancient scanning engines poorly handling modern code − Expensive, but price unrelated to quality • Key segments − SAST („static application security testing”) − DAST („dynamic”) − IAST („interacive”) − RASP (“run-time application self-protection”) • Security scanner buyer’s guide − Always evaluate scanner for specific project
What various scanners see? 29 API #1 API #2 Nginx Load balancer SAML
DAST Different scopes of SAST/DAST/IAST 30 API #1 API #2 Nginx Load balancer SAML
DAST Different scopes of SAST/DAST/IAST 31 API #1 API #2 Nginx Load balancer SAML DAST – dynamic scanning “curl on steroids” HTTP crawler & scanner + sees whole app - requires working app - noisy - false positives
SAST DAST Different scopes of SAST/DAST/IAST 32 API #1 API #2 Java Nginx Load balancer SAML
SAST DAST Different scopes of SAST/DAST/IAST 33 API #1 API #2 Java Nginx Load balancer SAML SAST – source code “grep on steroids” + no binary required + all exec paths - very noisy - false positives - very expensive
SAST DAST IAST Different scopes of SAST/DAST/IAST 34 API #1 API #2 Nginx Load balancer SAML
SAST DAST IAST Different scopes of SAST/DAST/IAST 35 API #1 API #2 Nginx Load balancer SAMLIAST – run-time scan “strace on steroids” + low false positives + high precision - limited to one service - expensive
SAST DAST Different scopes of SAST/DAST/IAST 36 API #1 API #2 Nginx Load balancer SAML RASP IAST
SAST DAST Different scopes of SAST/DAST/IAST 37 API #1 API #2 Nginx Load balancer SAML RASP IAST RASP – run-time protection “AppArmor for Java” + high precision + better than WAF
Scanners parade
DefenseCode ThunderScan (SAST)
40 FindSecurityBugs (SAST)
41 SpotBugs (SAST)
42 Formerly FindBugs and FindSecBugs SpotBugs (SAST)
Contrast Security (IAST)
OWASP ZAP (DAST)
45 Bandit (SAST)
Security scanner buyer’s guide 46 • Programming language support − Language version and syntax supported • Supports JavaScript, but what about ES6? − Framework support • Nobody writes web apps in pure Java or Python • Frameworks provide key HTTP, templating, SQL abstraction • Scanner must know framework entry and exit points • Scanner supports JavaScript, but does it know about Node.js? • Understands Java, but what about JAX, Jackson, DropWizard? • Play Framework is part Java, part Scala, compiles to Java bytecode
Rule updates ● How frequently updated? – Vulnerability detection rules are the heart of each scanner – Not much joy from ASP.NET 2.0 rules ● Compiled binaries required? – Advantage of SAST is source-code only scanning – Compiled improve precision but limits deployment to developer environment
48 Integration with build pipeline ● Inline scan vs dedicated scan server ● Headless (command line only) run vs GUI ● How much resources taken by the scanner? ● Some scanners require resource-intensive servers ● Integration with continuous integration tools (Jenkins plugins, API) ● Effectiveness of web crawling (DAST only, AngularJS apps)
Result analysis ● Precision of results ● Thousands of false positives render scanner useless ● Does it find actual vulnerabilities? (false sense of security) ● Can you rate and comment findings? ● Can you whitelist false positives or accepted risk? ● Can you report false positives to vendor? ● Does it integrate into IDE? ● Plugins for IntelliJ, Eclipse, Visual Studio?
 Systems unpatched for years − “for security reasons we don’t install any security patches” − “we’re not target”  No OS-level hardening − “for security reasons we keep all SUID binaries”  Flat huge LANs − “it’s been like this since 80’s”  No host-level firewalls − “our perimeter has three expensive firewalls”  No intrusion detection − “why would anyone run a SSH scan against us for weeks?” Infrastructure horror
Blacklisting
OSSEC/Wazuh Intrusion Detection
 apt install unattended-upgrades  InSpec https://www.inspec.io/  Lynis https://cisofy.com/lynis/  SSH and OS hardening roles − https://dev-sec.io/ − Ansible, Chef, Puppet Operating system hardening
Questions ● pawel.krawczyk@hush.com ● Signal: +44 7879 180015 ● Telegram, XMPP, SSB etc

More Related Content

PDF
AppSec in an Agile World
byDavid Lindner
 
PDF
SecDevOps
byPeter Lamar
 
PPTX
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
byAbhay Bhargav
 
PDF
Devops security-An Insight into Secure-SDLC
bySuman Sourav
 
PDF
Are Agile And Secure Development Mutually Exclusive?
bySource Conference
 
PPTX
Making Security Agile
byOleg Gryb
 
PDF
A Secure DevOps Journey
byVeracode
 
PPTX
Web Application Security: Beyond PEN Testing
byRobert Grupe, CSSLP CISSP PE PMP
 
AppSec in an Agile World
byDavid Lindner
 
SecDevOps
byPeter Lamar
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
byAbhay Bhargav
 
Devops security-An Insight into Secure-SDLC
bySuman Sourav
 
Are Agile And Secure Development Mutually Exclusive?
bySource Conference
 
Making Security Agile
byOleg Gryb
 
A Secure DevOps Journey
byVeracode
 
Web Application Security: Beyond PEN Testing
byRobert Grupe, CSSLP CISSP PE PMP
 

What's hot

PPTX
Continuous and Visible Security Testing with BDD-Security
byStephen de Vries
 
PPTX
Simplify Dev with Complicated Security Tools
byKevin Fealey
 
PDF
DevSecOps: What Why and How : Blackhat 2019
byNotSoSecure Global Services
 
PPTX
Static Analysis Security Testing for Dummies... and You
byKevin Fealey
 
PDF
Proactive Security AppSec Case Study
byAndy Hoernecke
 
PPTX
Agile and Secure SDLC
byNazar Tymoshyk, CEH, Ph.D.
 
PDF
SecDevOps - The Operationalisation of Security
byDinis Cruz
 
PPSX
Agile AppSec DevOps
byRobert Grupe, CSSLP CISSP PE PMP
 
PDF
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
byDenim Group
 
PPT
Code Quality - Security
bysedukull
 
PPTX
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
byKevin Fealey
 
PPTX
Implementing an Application Security Pipeline in Jenkins
bySuman Sourav
 
PPTX
Secure Software Development Life Cycle
byMaurice Dawson
 
PPTX
Integrating security into Continuous Delivery
byTom Stiehm
 
PPTX
24may 1200 valday eric anklesaria 'secure sdlc – core banking'
byPositive Hack Days
 
PPTX
Agile and Secure Development
byNazar Tymoshyk, CEH, Ph.D.
 
PDF
Building Your Application Security Data Hub - OWASP AppSecUSA
byDenim Group
 
PPTX
we45 SecDevOps Presentation - ISACA Chennai
byAbhay Bhargav
 
PDF
Shift Left Security
bygjdevos
 
PPTX
Static Application Security Testing Strategies for Automation and Continuous ...
byKevin Fealey
 
Continuous and Visible Security Testing with BDD-Security
byStephen de Vries
 
Simplify Dev with Complicated Security Tools
byKevin Fealey
 
DevSecOps: What Why and How : Blackhat 2019
byNotSoSecure Global Services
 
Static Analysis Security Testing for Dummies... and You
byKevin Fealey
 
Proactive Security AppSec Case Study
byAndy Hoernecke
 
Agile and Secure SDLC
byNazar Tymoshyk, CEH, Ph.D.
 
SecDevOps - The Operationalisation of Security
byDinis Cruz
 
Agile AppSec DevOps
byRobert Grupe, CSSLP CISSP PE PMP
 
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
byDenim Group
 
Code Quality - Security
bysedukull
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
byKevin Fealey
 
Implementing an Application Security Pipeline in Jenkins
bySuman Sourav
 
Secure Software Development Life Cycle
byMaurice Dawson
 
Integrating security into Continuous Delivery
byTom Stiehm
 
24may 1200 valday eric anklesaria 'secure sdlc – core banking'
byPositive Hack Days
 
Agile and Secure Development
byNazar Tymoshyk, CEH, Ph.D.
 
Building Your Application Security Data Hub - OWASP AppSecUSA
byDenim Group
 
we45 SecDevOps Presentation - ISACA Chennai
byAbhay Bhargav
 
Shift Left Security
bygjdevos
 
Static Application Security Testing Strategies for Automation and Continuous ...
byKevin Fealey
 

Similar to Effective DevSecOps

PDF
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)
byRich Mills
 
PDF
Benchmarking Web Application Scanners for YOUR Organization
byDenim Group
 
PPTX
Skillful scalefull fullstack security in a state of constant flux
byEoin Keary
 
PPTX
Security by the numbers
byEoin Keary
 
PDF
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
byBlack Duck by Synopsys
 
PDF
DevSecOps: essential tooling to enable continuous security 2019-09-16
byRich Mills
 
PDF
Including security in devops
byJérémy Matos
 
PDF
Application Security Guide for Beginners
byCheckmarx
 
PDF
Application Security Program Management with Vulnerability Manager
byDenim Group
 
PPTX
Web Application Scanning Flow and features.pptx
byalphaa2test
 
PDF
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s view
bySecurity Bootcamp
 
PDF
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
byDenim Group
 
PDF
The Future of DevSecOps
byStefan Streichsbier
 
PPTX
Hide and seek - Attack Surface Management and continuous assessment.
byEoin Keary
 
PDF
edgescan vulnerability stats report (2018)
byEoin Keary
 
PDF
The Final Frontier, Automating Dynamic Security Testing
byMatt Tesauro
 
PDF
Rolling Out An Enterprise Source Code Review Program
byDenim Group
 
PDF
Integracia security do ci cd pipelines
byJuraj Hantak
 
PPT
Scanning web vulnerabilities
byMohit Dholakiya
 
PPTX
Full stack vulnerability management at scale
byEoin Keary
 
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)
byRich Mills
 
Benchmarking Web Application Scanners for YOUR Organization
byDenim Group
 
Skillful scalefull fullstack security in a state of constant flux
byEoin Keary
 
Security by the numbers
byEoin Keary
 
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
byBlack Duck by Synopsys
 
DevSecOps: essential tooling to enable continuous security 2019-09-16
byRich Mills
 
Including security in devops
byJérémy Matos
 
Application Security Guide for Beginners
byCheckmarx
 
Application Security Program Management with Vulnerability Manager
byDenim Group
 
Web Application Scanning Flow and features.pptx
byalphaa2test
 
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s view
bySecurity Bootcamp
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
byDenim Group
 
The Future of DevSecOps
byStefan Streichsbier
 
Hide and seek - Attack Surface Management and continuous assessment.
byEoin Keary
 
edgescan vulnerability stats report (2018)
byEoin Keary
 
The Final Frontier, Automating Dynamic Security Testing
byMatt Tesauro
 
Rolling Out An Enterprise Source Code Review Program
byDenim Group
 
Integracia security do ci cd pipelines
byJuraj Hantak
 
Scanning web vulnerabilities
byMohit Dholakiya
 
Full stack vulnerability management at scale
byEoin Keary
 

More from Pawel Krawczyk

PPTX
Top DevOps Security Failures
byPawel Krawczyk
 
PPTX
Authenticity and usability
byPawel Krawczyk
 
ODP
Reading Geek Night 2019
byPawel Krawczyk
 
PPTX
Unicode the hero or villain
byPawel Krawczyk
 
ODP
Get rid of TLS certificates - using IPSec for large scale cloud protection
byPawel Krawczyk
 
PPTX
Presentation from CyberGov.pl 2015
byPawel Krawczyk
 
PDF
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
byPawel Krawczyk
 
PDF
Leszek Miś "Czy twoj WAF to potrafi"
byPawel Krawczyk
 
PPTX
Paweł Krawczyk - Ekonomia bezpieczeństwa
byPawel Krawczyk
 
PPTX
Are electronic signature assumptions realistic
byPawel Krawczyk
 
PPTX
Dlaczego przejmować się bezpieczeństwem aplikacji (pol)
byPawel Krawczyk
 
PPTX
Filtrowanie sieci - Panoptykon
byPawel Krawczyk
 
PPTX
Pragmatic view on Electronic Signature directive 1999 93
byPawel Krawczyk
 
PPTX
Why care about application security
byPawel Krawczyk
 
PPT
Source Code Scanners
byPawel Krawczyk
 
PDF
Krawczyk Ekonomia Bezpieczenstwa 2
byPawel Krawczyk
 
PDF
Audyt Wewnetrzny W Zakresie Bezpieczenstwa
byPawel Krawczyk
 
ODP
Kryptografia i mechanizmy bezpieczenstwa
byPawel Krawczyk
 
ODP
Zaufanie W Systemach Informatycznych
byPawel Krawczyk
 
PPT
Real Life Information Security
byPawel Krawczyk
 
Top DevOps Security Failures
byPawel Krawczyk
 
Authenticity and usability
byPawel Krawczyk
 
Reading Geek Night 2019
byPawel Krawczyk
 
Unicode the hero or villain
byPawel Krawczyk
 
Get rid of TLS certificates - using IPSec for large scale cloud protection
byPawel Krawczyk
 
Presentation from CyberGov.pl 2015
byPawel Krawczyk
 
Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"
byPawel Krawczyk
 
Leszek Miś "Czy twoj WAF to potrafi"
byPawel Krawczyk
 
Paweł Krawczyk - Ekonomia bezpieczeństwa
byPawel Krawczyk
 
Are electronic signature assumptions realistic
byPawel Krawczyk
 
Dlaczego przejmować się bezpieczeństwem aplikacji (pol)
byPawel Krawczyk
 
Filtrowanie sieci - Panoptykon
byPawel Krawczyk
 
Pragmatic view on Electronic Signature directive 1999 93
byPawel Krawczyk
 
Why care about application security
byPawel Krawczyk
 
Source Code Scanners
byPawel Krawczyk
 
Krawczyk Ekonomia Bezpieczenstwa 2
byPawel Krawczyk
 
Audyt Wewnetrzny W Zakresie Bezpieczenstwa
byPawel Krawczyk
 
Kryptografia i mechanizmy bezpieczenstwa
byPawel Krawczyk
 
Zaufanie W Systemach Informatycznych
byPawel Krawczyk
 
Real Life Information Security
byPawel Krawczyk
 

Recently uploaded

PDF
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PPTX
Exploring-AI-Basics in Artificial Intelligence
bysharmilas219546
 
PPTX
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
PPTX
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
PPTX
Real-Time KPI Dashboard Playbook: What to Track Live and What Not To
byvictorworkvebo
 
PDF
Founder & Tech Lead | Web Development & Digital Growth Consultant | Helping B...
byShyamal Das
 
PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
PDF
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab
 
PDF
Agent Factory -AIOUG Multicloud - Feb 2026
bySandesh Rao
 
PDF
AI TOOLS FOR PRODUCTIVITY IN MODERN TIMES.pdf
bySantunu
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PDF
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PDF
final.pdf
byomarbishtawi04
 
PDF
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
PPTX
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
Exploring-AI-Basics in Artificial Intelligence
bysharmilas219546
 
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
Real-Time KPI Dashboard Playbook: What to Track Live and What Not To
byvictorworkvebo
 
Founder & Tech Lead | Web Development & Digital Growth Consultant | Helping B...
byShyamal Das
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab
 
Agent Factory -AIOUG Multicloud - Feb 2026
bySandesh Rao
 
AI TOOLS FOR PRODUCTIVITY IN MODERN TIMES.pdf
bySantunu
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
final.pdf
byomarbishtawi04
 
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 

Effective DevSecOps

  • 1.
    Effective Security Lifecycle inDevOps Pawel Krawczyk
  • 2.
    Intro ● In applicationsecurity since 90’s – Worked for Motorola, Aon, Goldman-Sachs, HSBC – OWASP, open-source https://github.com/kravietz – Created https://webcookies.org/ ● Contact me at pawel.krawczyk@hush.com
  • 3.
    Three Riders ofthe Apocalypse ● Custom code exploits ● Framework and library exploits ● Infrastructure that allows all that
  • 4.
    Self-defending web applications 4 •Modern web application frameworks have powerful security features − Template escaping and sanitization by design − Database abstraction − Session management − Authentication − Web security features • Advantages − They come for free − They’re standard − They’re thoroughly tested for QA and security audited − Usually more robust than home-brewed ones
  • 5.
    Self-defending web applications 5 •Modern web application frameworks have powerful security features − Template escaping and sanitization by design → prevent XSS − Database abstraction → prevent SQLi − Session management → prevent session fixation, CSRF − Authentication → prevent admin/admin1 − Web security features → protect client-side • Advantages − They come for free − They’re standard − They’re thoroughly tested for QA and security audited − Usually more robust than home-brewed ones
  • 6.
    Primary „do notrepeat at home” areas 6 • Input validation, sanitization and escaping • Cryptography • Authentication, authorization • A lot of libraries on GitHub − Most are of poor quality! − Many users != quality code − Be very careful when using samples from StackOverflow!
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
  • 14.
    Libraries and Dependencies 14 Whatreally makes your application? 1. The code you wrote ● “our code”, “custom code” 2. Platform API and standard libraries ● Django, ASP.NET, DropWizard, JAX-WS, Node.js 3. 3rd party libraries ● Include a dozen, you’ll get hundreds – chain reaction
  • 15.
    Libraries and Dependencies 15 Whatreally makes your application? 1. The code you wrote ● “our code”, “custom code” 2. Platform API and standard libraries ● Django, ASP.NET, DropWizard, JAX-WS, Node.js 3. 3rd party libraries ● Include a dozen, you’ll get hundreds – chain reaction
  • 16.
    Libraries and Dependencies 16 Whatreally makes your application? 1. The code you wrote ● “our code”, “custom code” 2. Platform API and standard libraries ● Django, ASP.NET, DropWizard, JAX-WS, Node.js 3. 3rd party libraries ● Include a dozen, you’ll get hundreds – chain reaction
  • 17.
    Libraries and Dependencies 17 Whatreally makes your application? 1. The code you wrote ● “our code”, “custom code” 2. Platform API and standard libraries ● Django, ASP.NET, DropWizard, JAX-WS, Node.js 3. 3rd party libraries ● Include a dozen, you’ll get hundreds – chain reaction
  • 18.
  • 19.
  • 20.
  • 21.
  • 22.
    npm audit (previously:Node Security Platform) 22
  • 23.
  • 24.
  • 25.
  • 26.
    Keeping up todate ● Abandon the “n-1” nonsense ● Always upgrade libraries with security patches – Even if they are not exploitable right now ● Prefer to install any bugfix updates – If you hold, you only accumulate tech debt – Twice the work when a security update comes
  • 27.
  • 28.
    Security Scanners 28 • Hugemarket with very inconsistent quality and maturity − Good salesmen with nearly useless products − Mature products with too many bells-and-whistles − Ancient scanning engines poorly handling modern code − Expensive, but price unrelated to quality • Key segments − SAST („static application security testing”) − DAST („dynamic”) − IAST („interacive”) − RASP (“run-time application self-protection”) • Security scanner buyer’s guide − Always evaluate scanner for specific project
  • 29.
    What various scannerssee? 29 API #1 API #2 Nginx Load balancer SAML
  • 30.
    DAST Different scopes ofSAST/DAST/IAST 30 API #1 API #2 Nginx Load balancer SAML
  • 31.
    DAST Different scopes ofSAST/DAST/IAST 31 API #1 API #2 Nginx Load balancer SAML DAST – dynamic scanning “curl on steroids” HTTP crawler & scanner + sees whole app - requires working app - noisy - false positives
  • 32.
    SAST DAST Different scopes ofSAST/DAST/IAST 32 API #1 API #2 Java Nginx Load balancer SAML
  • 33.
    SAST DAST Different scopes ofSAST/DAST/IAST 33 API #1 API #2 Java Nginx Load balancer SAML SAST – source code “grep on steroids” + no binary required + all exec paths - very noisy - false positives - very expensive
  • 34.
    SAST DAST IAST Different scopes ofSAST/DAST/IAST 34 API #1 API #2 Nginx Load balancer SAML
  • 35.
    SAST DAST IAST Different scopes ofSAST/DAST/IAST 35 API #1 API #2 Nginx Load balancer SAMLIAST – run-time scan “strace on steroids” + low false positives + high precision - limited to one service - expensive
  • 36.
    SAST DAST Different scopes ofSAST/DAST/IAST 36 API #1 API #2 Nginx Load balancer SAML RASP IAST
  • 37.
    SAST DAST Different scopes ofSAST/DAST/IAST 37 API #1 API #2 Nginx Load balancer SAML RASP IAST RASP – run-time protection “AppArmor for Java” + high precision + better than WAF
  • 38.
  • 39.
  • 40.
  • 41.
  • 42.
    42 Formerly FindBugs andFindSecBugs SpotBugs (SAST)
  • 43.
  • 44.
  • 45.
  • 46.
    Security scanner buyer’sguide 46 • Programming language support − Language version and syntax supported • Supports JavaScript, but what about ES6? − Framework support • Nobody writes web apps in pure Java or Python • Frameworks provide key HTTP, templating, SQL abstraction • Scanner must know framework entry and exit points • Scanner supports JavaScript, but does it know about Node.js? • Understands Java, but what about JAX, Jackson, DropWizard? • Play Framework is part Java, part Scala, compiles to Java bytecode
  • 47.
    Rule updates ● Howfrequently updated? – Vulnerability detection rules are the heart of each scanner – Not much joy from ASP.NET 2.0 rules ● Compiled binaries required? – Advantage of SAST is source-code only scanning – Compiled improve precision but limits deployment to developer environment
  • 48.
    48 Integration with buildpipeline ● Inline scan vs dedicated scan server ● Headless (command line only) run vs GUI ● How much resources taken by the scanner? ● Some scanners require resource-intensive servers ● Integration with continuous integration tools (Jenkins plugins, API) ● Effectiveness of web crawling (DAST only, AngularJS apps)
  • 49.
    Result analysis ● Precisionof results ● Thousands of false positives render scanner useless ● Does it find actual vulnerabilities? (false sense of security) ● Can you rate and comment findings? ● Can you whitelist false positives or accepted risk? ● Can you report false positives to vendor? ● Does it integrate into IDE? ● Plugins for IntelliJ, Eclipse, Visual Studio?
  • 50.
     Systems unpatchedfor years − “for security reasons we don’t install any security patches” − “we’re not target”  No OS-level hardening − “for security reasons we keep all SUID binaries”  Flat huge LANs − “it’s been like this since 80’s”  No host-level firewalls − “our perimeter has three expensive firewalls”  No intrusion detection − “why would anyone run a SSH scan against us for weeks?” Infrastructure horror
  • 51.
  • 52.
  • 54.
     apt installunattended-upgrades  InSpec https://www.inspec.io/  Lynis https://cisofy.com/lynis/  SSH and OS hardening roles − https://dev-sec.io/ − Ansible, Chef, Puppet Operating system hardening
  • 55.
    Questions ● pawel.krawczyk@hush.com ● Signal:+44 7879 180015 ● Telegram, XMPP, SSB etc