This example-laden talk shows how common tools already available in today's enterprise environments can be harnessed to enhance and transform an appsec program. It includes example attacks and simple config changes that can make all the difference. Devs, infrastructure sec, CISOs: come one, come all.
2. whoami
Jason Kent
• Principal Security Consultant – AsTech Consulting
• Tools
• Process
• Secure SDLC
• Various Security Topics Training
• Wireless Sec, Infra Sec
• DIY Enthusiast – CIF member
5. Items Required
Someone with scripting knowledge in Perl, Python, whatever.
A desire to have your tools connect and function as a system.
Someone to architect the thing.
6. Dynamic Scanning
Dynamic Analysis occurs on a web application that is running.
• Can be used to tune a WAF
• Can be used to test security configurations
• Verify parameter security
• Best used for finding new attack vectors
Usually owned by the infrastructure security group
• Often no good feedback loop into Dev
• Production is OFTEN too late
7. Dynamic Scanning Products
HP, IBM, Acunetix, Veracode, Qualys WAS, W3AF, NTO Spider, IronWASP, THERE ARE OVER 50 OF THEM!!!
How do you know where to start?
http://www.sectoolmarket.com/
8. Dynamic Scanning – Best Practice
• Scan QA environment as well as Production
• Be permissive with the scanner, let it in
• Send the results to DEV via bug reporting process
• Instrument ThreadFix
9. Dynamic Scanning – WAF Tuning
• Most DAST vendors output XML
• WAF vendors usually work with the DAST vendor
• ModSecurity WAF rule generator (Commercial Version)
[Diagram] Flow: Dynamic Scan -> WAF -> Application server
Dynamic Scan probe: ?name=<script>alert({token})</script>
WAF rule: param name {'/^[a-zA-Z]+$/'}
Scanner findings reach the WAF as an XML data stream
10. Dynamic Scanning
• Do you have a DAST scanner?
• Do you have a WAF?
• Do you have a way to send findings to DEV?
• ThreadFix it and forget it
11. Static Analysis
Static analyzers look at either source code or a deployable binary/bytecode set.
• Typically run late in the development process
• Results aren’t well understood
• False Positives
12. Static Analysis – Best Practice
• Embed code analysis tool in SDLC
• IDE Integration
• Build Tool Integration
• Defect Tracking Integration
• Analyze Source Code Repo
• Look for Open Source
• Track Versions
[Diagram] Cycle: Write code -> Scan code -> Deploy code -> Fix code
13. Static Analysis – example
Continuous integration is the goal. One way to achieve this is via IDE integration.
It is also possible to build this into the source CI where the repo has a build path including running the build through a scanner via a build step and publishing findings in the defect tracking system.
I call upon Demo Cthulhu to allow for my computer to survive this demo.
14. QA
• This is probably the best SDL integration point for security testing
• QA speaks the language of broken software
• Security bugs can be treated like function bugs
[Diagram] Flow: Submit code to QA -> QA tests for function and security -> QA reports errors
15. QA Security Testing
• Education
• Secure coding training (same as dev)
• Detection of security flaws
• Security tools and their uses
• Instrumentation
• Defect Tracking
• Creating meaningful tests
17. Logs
• All of the web application attacks live here
• Alerting on logs is quite simple
• Most organizations look at their logs as an artifact
18. Logs
Why not use the logs as a “real time” alerting tool?
[Diagram] Flow: Potential attacker "probes" application -> Application logs the request -> Log correlation picks up the "probe" -> Security team alerted to threat
19. Logs - Example
Let's take a quick look at a probe and what it will show in the logs. The example will be using Splunk, but it wouldn't take much to have a Python script monitor the logs and do the same.
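An added example of the "Python script" alternative mentioned above (not code from the talk): it reads Apache combined-format access log lines, URL-decodes the request, and flags probes such as the <script>alert(...)</script> payload the scanner sends. The log lines, the signature set and the probe categories are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2014:13:55:36 -0700] "GET /search?name=alice HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2014:13:55:40 -0700] "GET /search?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2014:13:55:41 -0700] "GET /item?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0 "-" "sqlmap/1.0"
203.0.113.9 - - [10/Oct/2014:13:55:42 -0700] "GET /static/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Fields we need from each line: client IP, timestamp, request URL, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Illustrative probe signatures, matched against the URL-decoded request.
PROBES = {
    "xss": re.compile(r"<\s*script|javascript:|on\w+\s*=", re.I),
    "sqli": re.compile(r"'\s*(or|and)\s+'?\d|union\s+select|--\s*$", re.I),
    "traversal": re.compile(r"(\.\./){2,}|/etc/passwd", re.I),
}


def classify(url):
    """Return the probe categories whose signature appears in the decoded URL."""
    # Decode twice so one extra layer of percent-encoding cannot hide the probe.
    decoded = unquote_plus(unquote_plus(url))
    return [kind for kind, rx in PROBES.items() if rx.search(decoded)]


def scan_log(text):
    """Return (ip, timestamp, categories, url) for every request that looks like a probe."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the monitor
        kinds = classify(m["url"])
        if kinds:
            alerts.append((m["ip"], m["ts"], kinds, m["url"]))
    return alerts


if __name__ == "__main__":
    for ip, ts, kinds, url in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip} {ts} {','.join(kinds)} {url}")
```

In production the same loop would tail the live log and hand each alert to the ticketing or SIEM pipeline instead of printing it.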
20. Successes
• Financial organization went from covering "the most important apps" to "all apps". Target proved the most important app is the one you missed.
• "Healthcare is often plagued by having to conform to policies; having security controls is important. Hooking your code up so it's constantly monitored drives the security costs down so the tools pay for themselves." - Healthcare CISO
21. Additional Items to Consider
Look at where your libraries come from (Sonatype, Black Duck).
Have you thought about letting your devs make mistakes and using a technology like Prevoty to protect them?
22. No matter how you build it…
Your DAST/SAST/SIEM/MEME vendor will probably not tell you; you need to find out whether their stuff works for you.
Spend a few $$ on pro-serve, whether from an independent or the vendor; it's well worth the money.
If you buy a widget, make the vendor train you on it every year.
Plug together all the things!!!