Static analysis security tools are part of Qiwi's Secure Development Lifecycle (QSDL) process to automate security testing. The QSDL was implemented to address issues like low test coverage, vulnerabilities found after release, and a lack of security resources. It incorporates threat modeling, security reviews, static application security testing (SAST), fuzz testing, and penetration testing at various stages. SAST tools work by parsing code to build an abstract model and check for vulnerabilities, but have limitations with dynamic code, dependencies, and unsupported languages that require additional configuration.
[FullStack NYC 2019] Effective Unit Tests for JavaScript - Hazem Saleh
Unit testing coverage is a great way to show us the amount of tested lines and branches of code, but is this really enough? The answer is "no" since unit testing coverage does not really fully measure the efficiency of the unit tests. This is why there is a need for using techniques that can improve unit tests efficiency. Mutation testing is one of these powerful techniques. The main idea of mutation testing is to automatically insert bugs (mutants) into production code and then run unit tests to check if they are strong enough to fail as a result of these mutations.
This session discusses mutation testing techniques and demonstrates Stryker as a powerful mutation testing tool for JavaScript applications.
Jenkins Pipelining and Gatling Integration - Knoldus Inc.
Jenkins is a continuous integration server written in Java. A Jenkins Pipeline (or simply "Pipeline" with a capital "P") is a suite of plugins which supports implementing and integrating continuous delivery pipelines into Jenkins.
Implementing code-based load tests in JavaScript with the k6 performance testing tool.
Svetlin Nakov @ QA Challenge Accepted 2021
Load and performance testing aims to determine whether software meets speed, scalability and stability requirements under expected workloads. Old school performance testing tools like Apache JMeter are complex and heavy and are not well aligned with the modern QA automation and continuous integration trends.
In this talk Svetlin presents and demonstrates the "k6 framework" - a modern open-source load testing tool, which describes the load tests as JavaScript code. The k6 tool is very powerful, high-performance and developer-friendly. It allows load testing of Web apps and APIs, accessed through the HTTP protocol.
Svetlin also demonstrates how to install and use k6, how to run its test recorder, how to edit the recorded scripts in the k6 cloud, how to write k6 scripts in JavaScript (execute HTTP requests, write checks, define thresholds), and how to execute the scripts with a certain number of virtual users for a certain duration.
It is always tough to test a complex API comprehensively. The additional level of complexity brings us to the question “How can we validate that our API is working as intended?”
In this talk I will explain how to use test driven development for APIs to solve this problem and even further how TDD can drive an API Design towards a more usable design. I will outline my practical approach with an implementation example based on django. And finally I will give you a brief summary of my lessons learned using this approach in customer projects.
Unit Testing your React / Redux app (@BucharestJS) - Alin Pandichi
React and Redux took the world by storm. These JavaScript libraries allow you to write applications consisting of reusable components while avoiding bugs related to side-effects. But I suspect that developers do not unit test their React/Redux code. Or at least not as much as they could. During this talk, I will showcase the unit tests we have written for our eventriX product. These tests run fast and cover the most important aspects of our client-side code running in the browser. These practical real-world examples could inspire you to write more and better unit tests for your own React/Redux application.
Arquillian: Effective tests from the client to the server - Lukáš Fryč
Tools like Selenium, an outstanding tool for UI test automation, and Arquillian, an award-winning integration testing framework, offer a base for the high-quality tests which are crucial for web app development. However, writing UI tests and covering server-side logic leaves many questions open:
* Does Selenium cover everything? Page transitions, simple JavaScript interaction and a portion of the DOM. Is it really enough?
* Mocking requests for testing server-side code is a pain. Is it necessary?
* Are you able to detect that your component’s visual representation changes?
* Does investigating these changes involve a disproportionate amount of effort?
* Isn’t manual test development too expensive?
Gatling is a project that can be used as a load testing tool for analyzing and measuring the performance of a variety of services, with a focus on web applications. It is a Scala-based, high-performance load and stress test tool.
Slides from my talk discussing how DBI frameworks such as Frida can be used in understanding the runtime or in-process operations of heavily obfuscated Android applications.
Slides from my beginner level talk on FRIDA and its usage while Pentesting Android Applications. Covers topics like Installation of Frida and Bypassing Pinning and Root Detection using Frida.
New abstractions for concurrency make writing programs easier by moving away from threads and locks, but debugging such programs becomes harder. The call stack, an essential tool in understanding why and how control flow reached a certain point in the program, loses meaning when inspected in traditional debuggers. Futures, actors or iteratees make code easier to write and reason about, and in this talk I'll show a simple solution to make them easier to debug. The tool I present integrates well with the Eclipse plugin for Scala, and shows what a "reactive debugger" might look like.
This is an overview of watchOS 2 designed to give you the head start you need to start building! Learn about how to design for the Apple Watch, the different UI components included, how your Apple Watch works together (and independently) with your iOS app, and more!
ProbeDroid - Crafting Your Own Dynamic Instrument Tool on Android for App Beh... - ZongXian Shen
The design memo and hack note of ProbeDroid
A dynamic binary instrumentation kit targeting Android(Lollipop) 5.0 and above
This is the first complete draft.
Improved version will be updated in a few days.
So, what is PVS-Studio? PVS-Studio is an ecosystem that provides a static code analyzer for the C, C++, C# and Java programming languages, plus utilities that make working with the analyzer easier. PVS-Studio works on Windows, Linux and macOS.
I’ll focus more on C/C++ features. We support modern, widely used compilers such as MSVC, GCC and Clang, and several compilers for embedded systems: ARM GCC/Clang, Keil, IAR, TI.
We also have plugins for modern IDEs for convenient work: Visual Studio 2010-2019, JetBrains Rider and IntelliJ IDEA. Compilation monitoring: we provide a tool that helps you check a project with an “exotic” build system (e.g. SCons, Bazel, etc.).
Suppress files: after you’ve checked your project, you may get tons of warnings on your legacy code. The solution is to put all those warnings into a file called a suppress base, so that the next run reports 0 warnings.
Incremental analysis: if you modify some files in your project, you want only those files to be checked, just as the compiler recompiles only them. We have a scenario for that; we call it incremental analysis.
A Long-Awaited Check of Unreal Engine 4 - Andrey Karpov
On March 19, 2014, Unreal Engine 4 was made publicly available. The subscription costs only $19 per month. The source code has also been published in a GitHub repository. Since that moment, we have received quite a number of e-mails, Twitter messages, etc. from people asking us to check this game engine. So we are fulfilling our readers' request in this article; let's see what interesting bugs the PVS-Studio static code analyzer has found in the project's source code.
Testing JSF with Arquillian and Selenium - Lukáš Fryč
Testing of web applications is a significant part of the development cycle from the perspective of both application development and quality assurance.
JSF concepts make testing applications simple through separation of concerns, but require specific tools for testing business logic and the user interface.
Lukas covers testing pitfalls and introduces frameworks which make testing a JSF application a breeze and motivate developers to follow the concepts of test-driven development.
This is the deck presented at the Test Fanatics Meetup in San Francisco. Most of the presentation was live demo -- so, if you'd like to see that, I'm always happy to give one. :) Or head over to GhostInspetor.com and try it yourself.
The SonarQube Platform is made of 4 components:
- Server, Database, Plugins and Scanner
One or more SonarQube Scanners running on your Build / Continuous Integration Servers to analyze projects
Continuous UI testing with Espresso and Jenkins - Sylwester Madej
Talk from Droidcon Zagreb 2015 about the approach to Continuous Integration and integration testing we are using at Outline.
In short: we use Jenkins CI on Intel NUC to build, analyse and test apps. To speed up tests we are using Spoon with some devices connected to our CI server via USB hub.
Analysis of merge requests in GitLab using PVS-Studio for C# - Andrey Karpov
Do you like GitLab and don't like bugs? Do you want to improve the quality of your source code? Then you've come to the right place. Today we will tell you how to configure the PVS-Studio C# analyzer for checking merge requests. Enjoy the reading and have a nice unicorn mood.
Learn how to use AWS services to automate manual tasks, help teams manage complex environments at scale, and keep engineers in control of the high velocity that is enabled by DevOps. In this session, we will provide an overview of the various AWS development and deployment services and when best to use them. We will show how to build a fully automated infrastructure and software delivery pipeline with AWS CodePipeline, AWS CodeBuild, AWS CloudFormation and AWS CodeDeploy. At the end of the session, a GitHub repository of AWS CloudFormation templates will be provided so you can quickly deploy the same pipeline to your AWS account(s).
CI / CD / CS - Continuous Security in Kubernetes - Sysdig
Continuous Delivery helps to keep your software and Docker images updated and to deploy new versions in production easily. Microservices are great at reducing the attack surface and limiting the privileges or credential access of each piece of your application. Containers provide an opportunity to implement better security: small, immutable, single-process and single-purpose.
In this session, we will discover real use case examples on how to make your CI/CD pipeline interact with Docker security tools. But security doesn’t stop where your deployment pipeline ends. How can we prepare for 0-days and policy violations that happen at run-time? Can we make it part of the CI/CD process?
Serverless in production, an experience report (codemotion milan) - Yan Cui
AWS Lambda has changed the way we deploy and run software, but the serverless paradigm has created new challenges to old problems: How do you test a cloud-hosted function locally? How do you monitor them? What about logging and config management? And how do we start migrating from existing architectures?
Yan Cui shares solutions to these challenges, drawing on his experience running Lambda in production and migrating from an existing monolithic architecture.
Yan Cui - Serverless in production, an experience report - Codemotion Milan 2017 - Codemotion
AWS Lambda has changed the way we deploy and run software, but this new serverless paradigm has created new challenges to old problems - how do you test a cloud-hosted function locally? How do you monitor them? What about logging and config management? And how do we start migrating from existing architectures? In this talk Yan will discuss solutions to these challenges by drawing from real-world experience running Lambda in production and migrating from an existing monolithic architecture.
In this session I will present best practices of how open source tools (used in the DevOps and security communities) can be properly chained together to form a framework that can - as part of an agile software development CI chain - perform automated checking of certain security aspects. This does not remove the requirement for manual pentests, but tries to automate early security feedback to developers.
Based on my experience of applying SecDevOps techniques to projects, I will present the glue steps required on every commit and at nightly builds to achieve different levels of depth in automated security testing during the CI workflow.
I will conclude with a "SecDevOps Maturity Model" of different stages of automated security testing and present concrete examples of how to achieve each stage with open source security tools.
Boost your productivity with Scala tooling! - MeriamLachkar1
Our rich ecosystem provides developers with powerful tools that improve productivity on small or huge projects.
In this talk, I will present the tools that allow me to focus on my projects by making tedious tasks easier. From bootstrapping projects, to code linting and refactoring, from continuous integration and automatic publication and documentation rendering, come discover my favorite tools.
Serverless in production, an experience report - Yan Cui
AWS Lambda has changed the way we deploy and run software, but this new serverless paradigm has created new challenges to old problems - how do you test a cloud-hosted function locally? How do you monitor them? What about logging and config management? And how do we start migrating from existing architectures?
In this talk Yan and Scott will discuss solutions to these challenges by drawing from real-world experience running Lambda in production and migrating from an existing monolithic architecture.
Serverless in production (O'Reilly Software Architecture) - Yan Cui
AWS Lambda has changed the way we deploy and run software, but the serverless paradigm has created new challenges to old problems: How do you test a cloud-hosted function locally? How do you monitor them? What about logging and config management? And how do we start migrating from existing architectures?
Yan Cui shares solutions to these challenges, drawing on his experience running Lambda in production and migrating from an existing monolithic architecture.
How the company-wide DevOps initiative affected the development team in Bakson, Serbia (a part of Ticketmaster's engineering team), and what tooling was used to automate QA processes.
The presentation was created for the DevOps meetup in Belgrade on 11 October 2016. https://www.facebook.com/SevenBridgesGenomics/photos/?tab=album&album_id=1338738752836488
Serverless in production, an experience report (BuildStuff) - Yan Cui
AWS Lambda has changed the way we deploy and run software, but the serverless paradigm has created new challenges to old problems: How do you test a cloud-hosted function locally? How do you monitor them? What about logging and config management? And how do we start migrating from existing architectures?
Yan Cui shares solutions to these challenges, drawing on his experience running Lambda in production and migrating from an existing monolithic architecture.
(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre... - Amazon Web Services
Some of the best businesses today are deploying their code dozens of times a day. How? By making heavy use of automation, smart tools, and repeatable patterns to get process out of the way and keep the workflow moving. Come to this session to learn how you can do this too, using services such as AWS OpsWorks, AWS CloudFormation, Amazon Simple Workflow Service, and other tools. We'll discuss a number of different deployment patterns, and what aspects you need to focus on when working toward deployment automation yourself.
Our tech process: how we make apps using React Native on GitLab with GitLab CI (Continuous Integration) and CD (Continuous Delivery).
Reveal JS source on GitHub: https://github.com/Lingvokot/gitlab-and-lingvokot
Serverless in production, an experience report (microservices london) - Yan Cui
AWS Lambda has changed the way we deploy and run software, but the serverless paradigm has created new challenges to old problems: How do you test a cloud-hosted function locally? How do you monitor them? What about logging and config management? And how do we start migrating from existing architectures?
Yan Cui shares solutions to these challenges, drawing on his experience running Lambda in production and migrating from an existing monolithic architecture.
This is a new piece of our series of articles about using the PVS-Studio static analyzer with cloud CI systems. Today we are going to look at another service, CircleCI. We'll take the Kodi media player application as a test project and see if we can find any interesting bugs in its source code.
AWS Lambda from the trenches (Serverless London) - Yan Cui
AWS Lambda has changed the way we deploy and run software, but this new serverless paradigm has created new challenges to old problems - how do you test a cloud-hosted function locally? How do you monitor them? What about logging and config management? And how do we start migrating from existing architectures?
In this talk Yan will discuss solutions to these challenges by drawing from real-world experience running Lambda in production and migrating from an existing monolithic architecture.
Security DevOps - How to stay secure in agile projects anyway // DevO... - Christian Schneider
This session shows you which automation options exist for monitoring particular security aspects in agile software development. Starting from the established DevOps concept, in which the processes at the hand-over from development to operations are automated and interlocked, "Security DevOps" picks up this momentum and transfers it to hardening applications against hacker attacks. By feeding security findings back to development early, as part of the automation, your pentesters get the chance to concentrate on the trickier security checks, despite the short release cycles that are demanded.
Serverless in production, an experience report (FullStack 2018) - Yan Cui
AWS Lambda has changed the way we deploy and run software, but this new serverless paradigm has created new challenges to old problems - how do you test a cloud-hosted function locally? How do you monitor them? What about logging and config management? And how do we start migrating from existing architectures?
In this talk Yan and Scott will discuss solutions to these challenges by drawing from real-world experience running Lambda in production and migrating from an existing monolithic architecture.
6. Qiwi OLD Development Lifecycle
(Diagram: participants Business, QA, Support and ISEC; lifecycle stages Task, Development, Testing, Regress testing and Release, with side branches labelled Bug / Development, Functional bug / New task, and ISEC / ISEC tests.)
7. Qiwi OLD Development Lifecycle
(Same lifecycle diagram as on slide 6.)
First standard steps were:
- Periodical pentests
- Bug bounty program
- Deep dive into the code of each release
- Some fuzz scans on several projects
- ….
- ….
- Lots of other standard security stuff
8. Qiwi OLD Development Lifecycle
(Same lifecycle diagram as on slide 6.)
But:
- Low test coverage
- Manual testing takes time
- You have no time
- Some functionality you had never heard of before a bug was found
- More than 30 big projects/applications!
9. Qiwi OLD Development Lifecycle
Sometimes it was like fire fighting…
- Hackerone
- Real attacks
(Chart: the first hours after the bug bounty program opened.)
10. Task:
- More than 30 projects and applications
- 6 main programming languages
- A horde of programmers
- An infinity of business tasks
- 1-2 AppSec specialists
…
How to protect the internet from ourselves?
19. QSDL - New Task
(Diagram: participants SA, QA, TRBL and ISEC around the task, with a Refactoring branch.)
In case of a new task:
- Threat modeling
- First security review
- If the task relates to a side project, do a security review and testing of that project as well
20. QSDL - Design and Programming
(Diagram: Programming, Testing and Bug stages of the lifecycle.)
- Now programmers know what XSS and so on mean, so design and development follow a concept of secure programming
- A trigger on TeamCity test-deploys starts SAST after the programmer merges a pull request to the release branch
- Emailing about new vulnerabilities found by SAST
- Automatic tasks in Jira
- Anytime review of previous scans with detailed inspection of each scan alert
This concept applies to projects with a short lifecycle (released several times a week)
21. QSDL - Pre-Release Cycle
(Diagram: Programming, Testing, Regress testing and Bug stages of the lifecycle.)
- Verification by SAST, triggered on TeamCity before the release deploy
- Auto fuzz tests
- Manual pentests, extra scanners
- Security code review
This concept applies to projects with a long lifecycle (released once every two weeks)
22. QSDL - Release
- In the context of a short release cycle we check whether the release can go ahead (based on the results of the intermediate autotests) and provide recommendations for changes
- Monitoring of releases by ourselves
(Diagram: Release stage.)
25. Static code analysis tool:
- searches for security bugs by building a DOM-like model of the program's code and calls
- one key feature is finding second-order injections, stored injections and so on by walking through the DOM tree
- some vendors sell it as the main tool of the SDLC flow
26. Other good features
- Best coding practice
- Deprecated methods
- Syntax sugar
- Searching for logic errors => performance improvement
- Infinite loop
- Switch without break
- Inline if
- Buffer size which depends on user input
- Empty exceptions
- Syntax errors
- Bad class casts
30. Vendor told:
“.. Scanner should receive only clear code”
And he is right!
OK, but what about:
- Libraries
- Dependencies
- Maven
- Dynamic Code Injection
SAST Scanner - Under the hood
31. Control Server:
- source pulling
- compile
- code injecting
- custom flow
- monitoring
- mail
- tags
SAST Scanner - Under the hood
Welcome! A project that compiles a project for another project, which then scans the second project!
32. Common process of deploy and scans
- Developer starts a task in TC (hook, or manual)
- TC build agent starts a client script which sends a request about the branch to the Control Server (VCS, branch, build-id)
- Control Server
  - Fetch source from VCS
  - Compile code
  - Fetch dependencies from VCS or Maven (if you have the sources)
  - Make own dependency injection flow (if SAST does not support it)
  - Make own programming language flow
  - Monitoring that everything works
- Results
  - TC tags for builds (if the build is vulnerable, we can't pass it to release)
  - Email to ISEC and Developer
  - Monitoring that everything is done
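The Results block above (tag the TeamCity build, refuse release when the build is vulnerable, mail ISEC and the developer about new findings) can be written as a small release gate. The following is an added example, not Qiwi's control-server code: the JSON export of scanner findings, the severity policy, the tag names `sast-vulnerable` / `sast-clean` and the e-mail addresses are all constructed or placeholders. The fingerprint deliberately ignores the line number, so a finding that only moved because code was added above it is not announced again as new.

```python
"""Release gate for SAST results: tag the build, block vulnerable releases,
notify only about findings that were not present in the previous scan."""
import hashlib
import json
from dataclasses import dataclass

# Constructed sample exports: the previous build's scan and the current one.
PREVIOUS_SCAN = """
[{"rule": "SQL Injection", "severity": "high", "file": "src/Dao.java", "line": 88, "sink": "stmt.executeQuery"}]
"""
CURRENT_SCAN = """
[{"rule": "SQL Injection", "severity": "high", "file": "src/Dao.java", "line": 91, "sink": "stmt.executeQuery"},
 {"rule": "Reflected XSS", "severity": "medium", "file": "src/Ui.java", "line": 12, "sink": "out.print"},
 {"rule": "Hardcoded Password", "severity": "low", "file": "src/Cfg.java", "line": 5, "sink": null}]
"""

# Constructed policy: only these severities stop the build from being released.
BLOCKING_SEVERITIES = {"high", "critical"}
ISEC_MAILBOX = "isec@example.invalid"   # placeholder address


@dataclass(frozen=True)
class GateDecision:
    tag: str                # tag to write on the TeamCity build (hypothetical names)
    release_allowed: bool   # False => the build must not be passed to release
    new_findings: list      # findings absent from the previous scan
    recipients: list        # who gets the e-mail


def fingerprint(finding):
    """Stable identity of a finding across builds; the line number is excluded
    on purpose so that a finding which merely moved is still 'known'."""
    key = f"{finding['rule']}|{finding['file']}|{finding['sink']}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def new_findings(previous, current):
    """Findings in the current scan whose fingerprint was not seen before."""
    known = {fingerprint(f) for f in previous}
    return [f for f in current if fingerprint(f) not in known]


def gate(previous_json, current_json, developer_email):
    """Compute the tag, the release verdict and the notification list."""
    previous = json.loads(previous_json)
    current = json.loads(current_json)
    fresh = new_findings(previous, current)
    blocking = [f for f in current if f["severity"] in BLOCKING_SEVERITIES]
    recipients = [ISEC_MAILBOX]
    if fresh:                       # the developer is mailed only about new alerts
        recipients.append(developer_email)
    return GateDecision(
        tag="sast-vulnerable" if blocking else "sast-clean",
        release_allowed=not blocking,
        new_findings=fresh,
        recipients=recipients,
    )


if __name__ == "__main__":
    decision = gate(PREVIOUS_SCAN, CURRENT_SCAN, "dev@example.invalid")
    print("tag:", decision.tag, "| release allowed:", decision.release_allowed)
    for f in decision.new_findings:
        print(f"new: {f['rule']} ({f['severity']}) at {f['file']}:{f['line']}")
    print("notify:", ", ".join(decision.recipients))
```

The SQL injection at `src/Dao.java` is still present (it moved three lines) and still blocks the release, but only the XSS and the hardcoded password are reported as new. Writing the tag and sending the mail are left to the caller, which in the deck's setup is the Control Server talking to TeamCity.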
33. SAST Scanner - Under the hood
2. I want to see the full flow from client to server
35. Vendor told:
“.. Each part of code should be independent ..”
And he is right!
SAST Scanner - Under the hood
(Diagram: code layers labelled JS, JAVA, PLSQL, JAVA.)
36. SAST Scanner - Under the hood
3. I want to write dynamic code!!!
37. We all love dynamic code with
Dependency Injection,
Generics and so on
public interface FieldsChanger {
    Collection<FormField> change(FieldsChangerDTO fieldsChangerDTO);
}
<bean id="fieldsChanger"
      class="ru.mw.webui.person.form.changer.ExtendableFieldsChanger">
    <constructor-arg>
        <map key-type="ru.mw.webui.person.data.FieldSetRule">
            <entry key-ref="mainFieldSetRule">
                <bean class="ru.mw.webui.person.form.changer.PlaceHolderFieldsChanger"/>
            </entry>
        </map>
    </constructor-arg>
</bean>
39. But we can do: dynamic -> static
public interface FieldsChanger {
Collection<FormField> change(FieldsChangerDTO fieldsChangerDTO);
}
public interface FieldsChanger1 {
Collection<DefaultFormField> change(DefaultFieldsChangerDTO fieldsChangerDTO);
}
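Two points from the slides above deserve a concrete illustration: slide 25's description of a scanner that walks a tree model of the code to find direct and second-order (stored) injections, and slides 37-39's complaint that dependency injection and other run-time dispatch hide the real call target from that walk. The following is an added example, not from the deck: a small taint tracker over Python's `ast` module, with constructed source, sink and storage rule names (`request.args.get`, `cursor.execute`, `db.store` / `db.load`) and a constructed input snippet. Python stands in for the Java the deck scans only because its standard library exposes the syntax tree directly; the mechanics are the same.

```python
import ast
from dataclasses import dataclass

# Constructed rule set (hypothetical names). A production SAST carries hundreds
# of such source/sink/propagator rules; the deck mentions writing 100+ of them.
SOURCES = {"request.args.get", "request.form.get"}
SINKS = {"cursor.execute", "os.system"}
STORE_FUNCS = {"db.store"}   # db.store(key, value) persists value under key
LOAD_FUNCS = {"db.load"}     # db.load(key) returns what was stored under key


@dataclass(frozen=True)
class Finding:
    line: int
    sink: str
    kind: str   # "direct" or "second-order"


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None if not static."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class TaintWalker(ast.NodeVisitor):
    """Walks the syntax tree once, propagating taint through assignments,
    string building and calls, and remembering taint persisted with
    db.store() so that a later db.load() of the same key re-introduces it."""

    def __init__(self):
        self.tainted = {}        # variable name -> taint kind
        self.stored = set()      # constant keys whose stored value was tainted
        self.bound = set()       # names assigned in this module
        self.findings = []
        self.unresolved = []     # lines calling a target computed at run time

    def _taint_of(self, node):
        """Taint kind carried by an expression, or None."""
        if isinstance(node, ast.Name):
            return self.tainted.get(node.id)
        if isinstance(node, ast.Call):
            callee = dotted_name(node.func)
            if callee in SOURCES:
                return "direct"
            if callee in LOAD_FUNCS and node.args and isinstance(node.args[0], ast.Constant):
                return "second-order" if node.args[0].value in self.stored else None
            # Any other call passes taint through if one of its arguments is tainted.
            return next((k for k in map(self._taint_of, node.args) if k), None)
        if isinstance(node, ast.FormattedValue):
            return self._taint_of(node.value)
        if isinstance(node, (ast.JoinedStr, ast.BinOp, ast.Tuple, ast.List)):
            return next((k for k in map(self._taint_of, ast.iter_child_nodes(node)) if k), None)
        return None

    def visit_Assign(self, node):
        target = node.targets[0]
        if len(node.targets) == 1 and isinstance(target, ast.Name):
            self.bound.add(target.id)
            kind = self._taint_of(node.value)
            if kind:
                self.tainted[target.id] = kind
            else:
                self.tainted.pop(target.id, None)   # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        callee = dotted_name(node.func)
        if callee in STORE_FUNCS and len(node.args) == 2 and isinstance(node.args[0], ast.Constant):
            if self._taint_of(node.args[1]):
                self.stored.add(node.args[0].value)
        elif callee in SINKS:
            kind = next((k for k in map(self._taint_of, node.args) if k), None)
            if kind:
                self.findings.append(Finding(node.lineno, callee, kind))
        elif isinstance(node.func, ast.Name) and node.func.id in self.bound:
            # The target was chosen at run time (getattr, a DI container, a
            # registry): there is no static name to match against the sink rules.
            self.unresolved.append(node.lineno)
        self.generic_visit(node)


def analyze(source):
    """Return (findings, lines_with_unresolved_call_targets) for a module."""
    walker = TaintWalker()
    walker.visit(ast.parse(source))
    return walker.findings, walker.unresolved


# Constructed input: the same tainted query reaching the sink three ways.
SAMPLE = '''
user = request.args.get("name")
cursor.execute("SELECT * FROM t WHERE name = '" + user + "'")    # direct
db.store("last_user", user)                                      # taint persisted
later = db.load("last_user")
cursor.execute(f"SELECT * FROM log WHERE who = '{later}'")       # second-order
run = getattr(cursor, "execute")
run("SELECT * FROM t WHERE name = '" + user + "'")               # dynamic dispatch
'''

if __name__ == "__main__":
    found, missed = analyze(SAMPLE)
    for f in found:
        print(f"line {f.line}: tainted data reaches {f.sink} ({f.kind})")
    print("call targets the walk could not resolve, lines:", missed)
```

Lines 3 and 6 of the sample are reported (the second one only because the walker remembered that `last_user` was stored tainted), while line 8 is not: `run` holds whatever `getattr` returned, so the walk can only record that it saw a call it could not resolve. That is exactly the gap the deck closes by turning dynamic wiring into static, concrete types before scanning, or by writing custom rules that tell the scanner what the container will inject.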
40. SAST Scanner - Under the hood
4. I want to write in Scala and Go and use all the new frameworks!
41. Vendor told:
“.. You are so modern
… everything for your money! ..”
And he is right!
42. SAST Scanner - Under the hood
5. It found only one XSS and 100500 strange things!? What happened???
43. Vendor told:
“.. Each project is unique
and each has its own bicycles! ..”
And he is right!
45. Bad news:
- while we were setting up the scanner, some guys found two really good bugs first :(
Remember:
- look into all types of bugs; some could be flagged as low-level
- some frameworks are still not supported out of the box
46. So,
To start it:
- Put all your libraries into your own CDN
- Write 20k lines of code for the Control Server and Client
- Invent your own compiling system
- Write your own monitoring system
To make code ‘scannable’:
- Read kilometers of code
- Find each input and output point
- Write more than 100 of your own scan rules
47. Achieved:
- Found about 25 bugs in main projects
- XXE, RCE, XSS, SQLi
- 32 projects were added to autoscan
- Full SDLC in your company!
- It was made by 2 people!!