When you want to secure your code there are a variety of tools that you can use, each of them dedicated to a specific stage in the project lifecycle. Of course, there are static code analysis tools (SAST) that you can use sometimes even on your editor, but what about SIS? DAST? IAST? WAF? And, wait, are you still using *just* prepared statements and not a RASP solution? Do not be scared of all these acronyms! Learn which opensource tools are available now, which ones are on the frontier, and what are the techniques available. After a 20 minutes introduction with slides, we will install and run plenty of them, live, so that hopefully you will be able to use them the next day yourself! This is an updated version of the previous speech.

1. Tools to create a secure build
pipeline
Bruno Bossola
Kraków, 15-17 May 2019

2. @bbossola
About me
● Developer 1988+
● XP coach 2000+
● Co-founder Jug Torino
● CTO at Meterian

3. @bbossola
Agenda
● Why do we need a security pipeline?
● Security tools: SAST, DAST, IAST, RASP
● Q&A
– slido.com
– #geecon2019
– room 12

4. @bbossola
Why should we build a secure pipeline?

5. @bbossola
Fixing problems early
● a security problem is a bug
● the late we fix a bug,
the more costly it is
● the cost of a bug
found in production is 30
times more expensive!
● Recalling cars anyone?
Minimizing Code Defects to Improve Software Quality and Lower Development Costs. IBM, 2008

6. @bbossola
Isn't this just an insurance policy?
● Well, in a sense. What about...
yup, sometimes is more expensive than 30 times!

7. @bbossola
If cars were built like applications...
“Cars would have no airbags, mirrors, seat belts, doors,
roll-bars, side-impact bars, or locks, because no-one had
asked for them. But they would all have at least six cup
holders.”
The OWASP foundation - “Integration into the SDLC”

8. @bbossola
If cars were built like applications...
“Many safety features originally included might be removed
before the car was completed, because they might
adversely impact performance.”
The OWASP foundation - “Integration into the SDLC”

9. @bbossola
If cars were built like applications...
“A MOT inspection would consist of counting the wheels
and making recommendations on wheel quantity.”
The OWASP foundation - “Integration into the SDLC”

10. @bbossola
The SDLC process
Requirements
Design
Coding
Testing
Evaluation
LIVE
Planning

11. @bbossola
Security tools

12. @bbossola
The families of security tools
Requirements
Design
Coding
Testing
Evaluation
LIVE
Planning
SAST
IAST
DAST
RASP
Security, please!

13. @bbossola
SAST tools
● Static Application Security Testing
● Tools that statically analyse the code to find security flaws
● Either source code or compiled code
● Three families:
– Static Code Analysis
– Software Component Analysis (or Static Dependency Analysis)
– Sensitive Information Scanners

14. @bbossola
SAST sub-families - SIS
● Sensitive Information Scanners
Scan your repositories for sensitive informations:
– Any AWS key committed in your repo?
– What about the commit comments?
– Any SSH keys in your Ansible scripts?

15. @bbossola
A closer look: SIS tools
● Sensitive Information Scanners
– gitleaks
– trufflehog
● Mentioned:
– git-secrets
– gitrob

16. @bbossola
SAST sub-families: SCA
● Software Composition Analysis (or Static Dependency Analysis)
– 20% of the code is your code
– 80% of code comes from external libraries
● Do you know...
– what components are you using?
– are they up to date?
– what about their licenses? GPL anyone?

17. @bbossola
A closer look: SCA tools
● Software Component Analysis
(or Static Dependency Analysis)
– dependency-check
– meterian
WARNING!!!
SHAMELESS
PLUG
HERE!

18. @bbossola
SAST sub-families: SCA (yes, again, same acronym!)
● Static Code Analysis
– Analysis of the sources or the binaries
– Look for patterns that can lead to exploits
● Downsides
– they need a lot of configuration
– they may produce a lot of false positives

19. @bbossola
A closer look: SCA tools
● Static Code Analysis
– PMD
– Spotbugs
– Errorprone

20. @bbossola
DAST tools
● Dynamic Application Security Testing
● Testing an application in an operating state
– uses fault injection techniques
– automated black box testing
● Interacts with exposed interfaces
– HTML
– APIs
– Other specific protocols
BURP

21. @bbossola
RASP tools
● Run-time Application Self-Protection
● an agent is embedded into the application
– usually “melted” through code instrumentation
● it analyses the application behaviour, it can:
– shutdown a user session
– stop executing the application
– deploy code fixes at runtime
– provide detailed reports and runtime monitoring

22. @bbossola
Demo time!
● An opensource RASP tool
– OpenRASP
(still immature in my view)

23. @bbossola
IAST tools
● Interactive Application Security Testing
● As agent is embedded in the application
● The application is then tested
COMMUNITY EDITION
● Interactive Application Security Testing
● As agent is embedded in the application
● The application is then tested using
a penetration test suite

24. @bbossola
Anything else?
● WAF – Web Application Firewalls
– a perimeter control solution
– basicallly a reverse proxy
– applies a set of rules to an HTTP conversation
– cover common attacks such as cross-site scripting (XSS) and
SQL injection

25. @bbossola
Commercial options

26. @bbossola
Q&A