Tools to create a secure pipeline

•Download as ODP, PDF•

0 likes•2,296 views

What are the families of tools used to secure your application? How are those placed in the SLDC process? What tools are available in the Java ecosystem? We will try to answer these questions through some basic explanation and few live workshops! Please note that this was a workshop and those are only the guiding slides: for detailed information about the session please visit https://bbossola.wordpress..

Software

Tools to create a secure build pipeline
Bruno Bossola

@bbossola
About me
● Developer 1988+
● XP coach 2000+
● Co-founder Jug Torino

@bbossola
Agenda
● Why do we need a security pipeline?
● Security tools: SAST, DAST, RASP, IAST
● Workshops: a closer look to the tools
● Q&A

@bbossola
Why should we build a security pipeline?

@bbossola
Fixing problems early
● a security problem is a bug
● the late we fix a bug,
the more costly it is
● the cost of a bug
found in production is 30
times more expensive!
● Recalling cars anyone?
Minimizing Code Defects to Improve Software Quality and Lower Development Costs. IBM, 2008

@bbossola
Isn't this just an insurance policy?
● Well, in a sense. What about...
yup, sometimes is more expensive than 30 times!

@bbossola
If cars were built like applications...
“Cars would have no airbags, mirrors, seat belts, doors,
roll-bars, side-impact bars, or locks, because no-one had
asked for them. But they would all have at least six cup
holders.”
The OWASP foundation - “Integration into the SDLC”

@bbossola
If cars were built like applications...
“Many safety features originally included might be removed
before the car was completed, because they might
adversely impact performance.”
The OWASP foundation - “Integration into the SDLC”

@bbossola
If cars were built like applications...
“A MOT inspection would consist of counting the wheels
and making recommendations on wheel quantity.”
The OWASP foundation - “Integration into the SDLC”

@bbossola
The SDLC process
Requirements
Design
Coding
Testing
Evaluation
LIVE
Planning

@bbossola
The families of security tools
Requirements
Design
Coding
Testing
Evaluation
LIVE
Planning
SAST
IAST
DAST
RASP
Security, please!

@bbossola
SAST tools
● Static Application Security Testing
● Tools that statically analyse the code base to find security
flaws
● Either source code or compiled code
● Three families:
– Static Code Analysis
– Static Dependency Analysis (or Static Component Analysis)
– Sensitive Information Scanners

@bbossola
SAST sub-families
● Static Code Analysis
– Analysis of the sources or the binaries

@bbossola
SAST sub-families
● Static Code Analysis
– Analysis of the sources or the binaries
● Static Dependency Analysis (or Static Component Analysis)
– 20% of the code is your code
– 80% of code comes from external libraries
● better check it, yeah?
WARNING!!!
SHAMELESS
PLUG
HERE!

@bbossola
DAST tools
● Dynamic Application Security Testing
● Testing an application in an operating state
– uses fault injection techniques
– automated black box testing
● Interacts with exposed interfaces
– HTML
– APIs
– Other specific protocols

@bbossola
RASP tools
● Run-time Application Self-Protection
● an agent is embedded into the application
– usually “melted” through code instrumentation
● it analyses the application behaviour
● a RASP can:
– shutdown a user session
– stop executing the application
– deploy code fixes at runtime
– provide detailed reports and runtime monitoring

@bbossola
IAST tools
● Interactive Application Security Testing
● As RASP they embed an agent in the application
● However they are not used in production
● It's a testing tool, not a security tool

@bbossola
Anything else?
● WAF – Web Application Firewalls
– a perimeter control solution
– basicallly a reverse proxy
– applies a set of rules to an HTTP conversation
– cover common attacks such as cross-site scripting (XSS) and
SQL injection

@bbossola
Workshop time!
● Get your computer
● Make sure your internet
connection works :)

@bbossola
A closer look to SAST tools
● Static Code Analysis
– PMD
– Spotbugs
– Errorprone

@bbossola
A closer look to SAST tools
● Static Dependency Analysis (or Static Component Analysis)
– dependency-check
– meterian
WARNING!!!
SHAMELESS
PLUG
HERE!

@bbossola
A closer look to SAST tools
● Sensitive Information Scanners
– gitleaks
– trufflehog
● Mentioned:
– git-secrets
– gitrob

@bbossola
A closer look to a RASP tool
● An opensource RASP tool
– OpenRASP

Recently uploaded

Breaking the Code : A Guide to WhatsApp Business API.pdf

Meon Technology

IT Software Development Resume, Vaibhav jha 2024

vaibhav130304

Scenarios are the central artifact of the Behaviour Driven Development (BDD) process. Although many teams use scenarios and tools like Cucumber or SpecFlow to automate them, in many cases their scenarios contain a lot of details, particularly test data, and therefore they become too complicated to support collaboration with the business. The "essential" principle of scenario writing (scenario formulation) states that only those details should be included in the scenario that are relevant for the outcome. This talk provides help for those who struggle implementing this principle or would be interested to learn how you can create brief and maintainable scenarios.

Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)

Gáspár Nagy

Implementing KPIs and Right Metrics for Agile Delivery Teams.pdf

Victor Lopez

Migrating your customer service data from Zendesk to Re:amaze can significantly enhance your support operations, but it requires careful planning and execution. "A Guideline to Zendesk to Re:amaze Data Migration" is designed to assist businesses in managing this transition smoothly and efficiently. This comprehensive guide covers all aspects of the data migration process, ensuring that your data is transferred accurately and effectively.

A Guideline to Zendesk to Re:amaze Data Migration

Help Desk Migration

OpenChain @ LF Japan Executive Briefing - May 2024

Shane Coughlan

Agnieszka Andrzejewska - BIM School Course in Kraków

bim.edu.pl

Studiovity film pre-production and screenwriting software

info611746

Migrating your customer service data from Gorgias to Re:amaze can greatly enhance your support operations, but it requires detailed planning and precise execution. "A Guideline to Gorgias to Re:amaze Data Migration" is crafted to help businesses manage this transition smoothly and efficiently. This comprehensive guide ensures that all aspects of the data migration process are covered, from initial planning to post-migration support.

A Guideline to Gorgias to to Re:amaze Data Migration

Help Desk Migration

How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?

XfilesPro

"Introduction to Windows 7" serves as the foundational chapter in our guide, setting the stage for understanding the key features and functionalities of this operating system. Windows 7, released by Microsoft in 2009, quickly became one of the most popular and widely used versions of Windows due to its user-friendly interface, stability, and performance improvements over its predecessor, Windows Vista. This chapter begins by providing an overview of the Windows 7 operating system, highlighting its key attributes and improvements compared to earlier versions of Windows. It introduces users to the visual enhancements such as Aero Glass, the revamped taskbar (also known as the Superbar), and the redesigned Start menu, which all contribute to a more intuitive and streamlined user experience. Furthermore, "Introduction to Windows 7" delves into the architecture and system requirements of the operating system, helping users understand what hardware specifications are necessary for optimal performance. It covers topics such as processor requirements, RAM, disk space, and graphics capabilities, ensuring that readers have a clear 3 understanding of the hardware prerequisites for running Windows 7 smoothly. Additionally, this chapter explores the various editions of Windows 7, including Home Premium, Professional, Ultimate, and Enterprise, outlining the differences between them and helping users choose the edition that best suits their needs and requirements. Moreover, "Introduction to Windows 7" provides an overview of the installation process, guiding users through the steps required to install or upgrade to Windows 7 on their computers. It covers topics such as preparing for installation, choosing the installation type (upgrade or custom), partitioning disks, and configuring initial settings. In summary, "Introduction to Windows 7" serves as a comprehensive primer for users who are new to the operating system or seeking to refresh their understanding. By familiarizing themselves with the core concepts and features of Windows 7, readers can lay a solid foundation for exploring more advanced topics covered in subsequent chapters of this guide.

Mastering Windows 7 A Comprehensive Guide for Power Users .pdf

mbmh111980

JustNaik Solution Deck (stage bus sector)

Max Lee

AI/ML Infra Meetup May. 23, 2024 Organized by Alluxio For more Alluxio Events: https://www.alluxio.io/events/ Speaker: - Eric Wang (Software Engineer, @Uber) Uber has numerous deep learning models, most of which are highly complex with many layers and a vast number of features. Understanding how these models work is challenging and demands significant resources to experiment with various training algorithms and feature sets. With ML explainability, the ML team aims to bring transparency to these models, helping to clarify their predictions and behavior. This transparency also assists the operations and legal teams in explaining the reasons behind specific prediction outcomes. In this talk, Eric Wang will discuss the methods Uber used for explaining deep learning models and how we integrated these methods into the Uber AI Michelangelo ecosystem to support offline explaining.

AI/ML Infra Meetup | ML explainability in Michelangelo

Alluxio, Inc.

Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...

Abortion Clinic

Even though at surface level ‘java.lang.OutOfMemoryError’ appears as one single error; underlyingly there are 9 types of OutOfMemoryError. Each type of OutOfMemoryError has different causes, diagnosis approaches and solutions. This session equips you with the knowledge, tools, and techniques needed to troubleshoot and conquer OutOfMemoryError in all its forms, ensuring smoother, more efficient Java applications.

TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR

Tier1 app

INGKA DIGITAL: Linked Metadata by Design

Neo4j

WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation

WSO2

CompTIA Security+ (Study Notes) for cs.pdf

Furqanuddin10

Microsoft 365 Copilot is available to Enterprise customers and smaller organizations from January 16, 2024. It goes for the price set at $30 per user/month across all purchasing channels and customer types. Microsoft 365 Copilot gives users experiences allowing for the composition and replying of emails, chats, documents, contacts, and meeting minutes.    Microsoft 365 Copilot is available across all sales channels including Enterprise Agreement and Cloud Solution Provider (CSP).  Also, for commercial customers with:   • Microsoft 365 E3  • Microsoft 365 E5  • Office 365 E3  • Office 365 E5  • Microsoft 365 Business Standard  • Microsoft 365 Business Premium  They will be able to purchase Copilot for Microsoft 365 add-on SKU across all Microsoft sales channels. See below the full list of the Microsoft sales channels for Copilot:  • Enterprise Agreement  • Enterprise Agreement Subscription  • Cloud Solution Provider (CSP)  • Microsoft Customer Agreement – Enterprise (MCA-E)  • Direct from Microsoft  • Education customers through Enrollment for Education Solutions  You can reach out to our team of Microsoft licensing experts concerning any on-premises or cloud related questions seeking for clarity. Send us an email…info@q-advise.com

Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdf

Q-Advise

10 Essential Software Testing Tools You Need to Know About.pdf

kalichargn70th171

Recently uploaded (20)

Breaking the Code : A Guide to WhatsApp Business API.pdf

IT Software Development Resume, Vaibhav jha 2024

Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)

Implementing KPIs and Right Metrics for Agile Delivery Teams.pdf

A Guideline to Zendesk to Re:amaze Data Migration

OpenChain @ LF Japan Executive Briefing - May 2024

Agnieszka Andrzejewska - BIM School Course in Kraków

Studiovity film pre-production and screenwriting software

A Guideline to Gorgias to to Re:amaze Data Migration

How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?

Mastering Windows 7 A Comprehensive Guide for Power Users .pdf

JustNaik Solution Deck (stage bus sector)

AI/ML Infra Meetup | ML explainability in Michelangelo

Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...

TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR

INGKA DIGITAL: Linked Metadata by Design

WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation

CompTIA Security+ (Study Notes) for cs.pdf

Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdf

10 Essential Software Testing Tools You Need to Know About.pdf

Featured

https://www.hubspot.com/state-of-marketing · Scaling relationships and proving ROI · Social media is the place for search, sales, and service · Authentic influencer partnerships fuel brand growth · The strongest connections happen via call, click, chat, and camera. · Time saved with AI leads to more creative work · Seeking: A single source of truth · TLDR; Get on social, try AI, and align your systems. · More human marketing, powered by robots

2024 State of Marketing Report – by Hubspot

Marius Sescu

ChatGPT is a revolutionary addition to the world since its introduction in 2022. A big shift in the sector of information gathering and processing happened because of this chatbot. What is the story of ChatGPT? How is the bot responding to prompts and generating contents? Swipe through these slides prepared by Expeed Software, a web development company regarding the development and technical intricacies of ChatGPT!

Everything You Need To Know About ChatGPT

Expeed Software

Product Design Trends in 2024 | Teenage Engineerings

Pixeldarts

Mental health has been in the news quite a bit lately. Dozens of U.S. states are currently suing Meta for contributing to the youth mental health crisis by inserting addictive features into their products, while the U.S. Surgeon General is touring the nation to bring awareness to the growing epidemic of loneliness and isolation. The country has endured periods of low national morale, such as in the 1970s when high inflation and the energy crisis worsened public sentiment following the Vietnam War. The current mood, however, feels different. Gallup recently reported that national mental health is at an all-time low, with few bright spots to lift spirits. To better understand how Americans are feeling and their attitudes towards mental health in general, ThinkNow conducted a nationally representative quantitative survey of 1,500 respondents and found some interesting differences among ethnic, age and gender groups. Technology For example, 52% agree that technology and social media have a negative impact on mental health, but when broken out by race, 61% of Whites felt technology had a negative effect, and only 48% of Hispanics thought it did. While technology has helped us keep in touch with friends and family in faraway places, it appears to have degraded our ability to connect in person. Staying connected online is a double-edged sword since the same news feed that brings us pictures of the grandkids and fluffy kittens also feeds us news about the wars in Israel and Ukraine, the dysfunction in Washington, the latest mass shooting and the climate crisis. Hispanics may have a built-in defense against the isolation technology breeds, owing to their large, multigenerational households, strong social support systems, and tendency to use social media to stay connected with relatives abroad. Age and Gender When asked how individuals rate their mental health, men rate it higher than women by 11 percentage points, and Baby Boomers rank it highest at 83%, saying it’s good or excellent vs. 57% of Gen Z saying the same. Gen Z spends the most amount of time on social media, so the notion that social media negatively affects mental health appears to be correlated. Unfortunately, Gen Z is also the generation that’s least comfortable discussing mental health concerns with healthcare professionals. Only 40% of them state they’re comfortable discussing their issues with a professional compared to 60% of Millennials and 65% of Boomers. Race Affects Attitudes As seen in previous research conducted by ThinkNow, Asian Americans lag other groups when it comes to awareness of mental health issues. Twenty-four percent of Asian Americans believe that having a mental health issue is a sign of weakness compared to the 16% average for all groups. Asians are also considerably less likely to be aware of mental health services in their communities (42% vs. 55%) and most likely to seek out information on social media (51% vs. 35%).

How Race, Age and Gender Shape Attitudes Towards Mental Health

ThinkNow

AI Trends in Creative Operations 2024 by Artwork Flow.pdf

marketingartwork

Skeleton Culture Code

Skeleton Technologies

PEPSICO Presentation to CAGNY Conference Feb 2024

Neil Kimberley

Content Methodology: A Best Practices Report (Webinar)

contently

How to Prepare For a Successful Job Search for 2024

Albert Qian

A report by thenetworkone and Kurio. The contributing experts and agencies are (in an alphabetical order): Sylwia Rytel, Social Media Supervisor, 180heartbeats + JUNG v MATT (PL), Sharlene Jenner, Vice President - Director of Engagement Strategy, Abelson Taylor (USA), Alex Casanovas, Digital Director, Atrevia (ES), Dora Beilin, Senior Social Strategist, Barrett Hoffher (USA), Min Seo, Campaign Director, Brand New Agency (KR), Deshé M. Gully, Associate Strategist, Day One Agency (USA), Francesca Trevisan, Strategist, Different (IT), Trevor Crossman, CX and Digital Transformation Director; Olivia Hussey, Strategic Planner; Simi Srinarula, Social Media Manager, The Hallway (AUS), James Hebbert, Managing Director, Hylink (CN / UK), Mundy Álvarez, Planning Director; Pedro Rojas, Social Media Manager; Pancho González, CCO, Inbrax (CH), Oana Oprea, Head of Digital Planning, Jam Session Agency (RO), Amy Bottrill, Social Account Director, Launch (UK), Gaby Arriaga, Founder, Leonardo1452 (MX), Shantesh S Row, Creative Director, Liwa (UAE), Rajesh Mehta, Chief Strategy Officer; Dhruv Gaur, Digital Planning Lead; Leonie Mergulhao, Account Supervisor - Social Media & PR, Medulla (IN), Aurelija Plioplytė, Head of Digital & Social, Not Perfect (LI), Daiana Khaidargaliyeva, Account Manager, Osaka Labs (UK / USA), Stefanie Söhnchen, Vice President Digital, PIABO Communications (DE), Elisabeth Winiartati, Managing Consultant, Head of Global Integrated Communications; Lydia Aprina, Account Manager, Integrated Marketing and Communications; Nita Prabowo, Account Manager, Integrated Marketing and Communications; Okhi, Web Developer, PNTR Group (ID), Kei Obusan, Insights Director; Daffi Ranandi, Insights Manager, Radarr (SG), Gautam Reghunath, Co-founder & CEO, Talented (IN), Donagh Humphreys, Head of Social and Digital Innovation, THINKHOUSE (IRE), Sarah Yim, Strategy Director, Zulu Alpha Kilo (CA).

Social Media Marketing Trends 2024 // The Global Indie Insights

Kurio // The Social Media Age(ncy)

The search marketing landscape is evolving rapidly with new technologies, and professionals, like you, rely on innovative paid search strategies to meet changing demands. It’s important that you’re ready to implement new strategies in 2024. Check this out and learn the top trends in paid search advertising that are expected to gain traction, so you can drive higher ROI more efficiently in 2024. You’ll learn: - The latest trends in AI and automation, and what this means for an evolving paid search ecosystem. - New developments in privacy and data regulation. - Emerging ad formats that are expected to make an impact next year. Watch Sreekant Lanka from iQuanti and Irina Klein from OneMain Financial as they dive into the future of paid search and explore the trends, strategies, and technologies that will shape the search marketing landscape. If you’re looking to assess your paid search strategy and design an industry-aligned plan for 2024, then this webinar is for you.

Trends In Paid Search: Navigating The Digital Landscape In 2024

Search Engine Journal

From their humble beginnings in 1984, TED has grown into the world’s most powerful amplifier for speakers and thought-leaders to share their ideas. They have over 2,400 filmed talks (not including the 30,000+ TEDx videos) freely available online, and have hosted over 17,500 events around the world. With over one billion views in a year, it’s no wonder that so many speakers are looking to TED for ideas on how to share their message more effectively. The article “5 Public-Speaking Tips TED Gives Its Speakers”, by Carmine Gallo for Forbes, gives speakers five practical ways to connect with their audience, and effectively share their ideas on stage. Whether you are gearing up to get on a TED stage yourself, or just want to master the skills that so many of their speakers possess, these tips and quotes from Chris Anderson, the TED Talks Curator, will encourage you to make the most impactful impression on your audience. See the full article and more summaries like this on SpeakerHub here: https://speakerhub.com/blog/5-presentation-tips-ted-gives-its-speakers See the original article on Forbes here: http://www.forbes.com/forbes/welcome/?toURL=http://www.forbes.com/sites/carminegallo/2016/05/06/5-public-speaking-tips-ted-gives-its-speakers/&refURL=&referrer=#5c07a8221d9b

5 Public speaking tips from TED - Visualized summary

SpeakerHub

Everyone is in agreement that ChatGPT (and other generative AI tools) will shape the future of work. Yet there is little consensus on exactly how, when, and to what extent this technology will change our world. Businesses that extract maximum value from ChatGPT will use it as a collaborative tool for everything from brainstorming to technical maintenance. For individuals, now is the time to pinpoint the skills the future professional will need to thrive in the AI age. Check out this presentation to understand what ChatGPT is, how it will shape the future of work, and how you can prepare to take advantage.

ChatGPT and the Future of Work - Clark Boyd

Clark Boyd

Getting into the tech field. what next

Tessa Mero

Google's Just Not That Into You: Understanding Core Updates & Search Intent

Lily Ray

How to have difficult conversations

Rajiv Jayarajah, MAppComm, ACC

Introduction to Data Science

Christy Abraham Joy

Time Management & Productivity - Best Practices

Vit Horky

The six step guide to practical project management If you think managing projects is too difficult, think again. We’ve stripped back project management processes to the basics – to make it quicker and easier, without sacrificing the vital ingredients for success. “If you’re looking for some real-world guidance, then The Six Step Guide to Practical Project Management will help.” Dr Andrew Makar, Tactical Project Management

The six step guide to practical project management

MindGenius

Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...

RachelPearson36

Featured (20)

2024 State of Marketing Report – by Hubspot

Everything You Need To Know About ChatGPT

Product Design Trends in 2024 | Teenage Engineerings

How Race, Age and Gender Shape Attitudes Towards Mental Health

AI Trends in Creative Operations 2024 by Artwork Flow.pdf

Skeleton Culture Code

PEPSICO Presentation to CAGNY Conference Feb 2024

Content Methodology: A Best Practices Report (Webinar)

How to Prepare For a Successful Job Search for 2024

Social Media Marketing Trends 2024 // The Global Indie Insights

Trends In Paid Search: Navigating The Digital Landscape In 2024

5 Public speaking tips from TED - Visualized summary

ChatGPT and the Future of Work - Clark Boyd

Getting into the tech field. what next

Google's Just Not That Into You: Understanding Core Updates & Search Intent

How to have difficult conversations

Introduction to Data Science

Time Management & Productivity - Best Practices

The six step guide to practical project management

Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...

Tools to create a secure pipeline

1. Tools to create a secure build pipeline Bruno Bossola

2. @bbossola About me ● Developer 1988+ ● XP coach 2000+ ● Co-founder Jug Torino

3. @bbossola Agenda ● Why do we need a security pipeline? ● Security tools: SAST, DAST, RASP, IAST ● Workshops: a closer look to the tools ● Q&A

4. @bbossola Why should we build a security pipeline?

5. @bbossola Fixing problems early ● a security problem is a bug ● the late we fix a bug, the more costly it is ● the cost of a bug found in production is 30 times more expensive! ● Recalling cars anyone? Minimizing Code Defects to Improve Software Quality and Lower Development Costs. IBM, 2008

6. @bbossola Isn't this just an insurance policy? ● Well, in a sense. What about... yup, sometimes is more expensive than 30 times!

7. @bbossola If cars were built like applications... “Cars would have no airbags, mirrors, seat belts, doors, roll-bars, side-impact bars, or locks, because no-one had asked for them. But they would all have at least six cup holders.” The OWASP foundation - “Integration into the SDLC”

8. @bbossola If cars were built like applications... “Many safety features originally included might be removed before the car was completed, because they might adversely impact performance.” The OWASP foundation - “Integration into the SDLC”

9. @bbossola If cars were built like applications... “A MOT inspection would consist of counting the wheels and making recommendations on wheel quantity.” The OWASP foundation - “Integration into the SDLC”

10. @bbossola The SDLC process Requirements Design Coding Testing Evaluation LIVE Planning

11. @bbossola Security tools

12. @bbossola The families of security tools Requirements Design Coding Testing Evaluation LIVE Planning SAST IAST DAST RASP Security, please!

13. @bbossola SAST tools ● Static Application Security Testing ● Tools that statically analyse the code base to find security flaws ● Either source code or compiled code ● Three families: – Static Code Analysis – Static Dependency Analysis (or Static Component Analysis) – Sensitive Information Scanners

14. @bbossola SAST sub-families ● Static Code Analysis – Analysis of the sources or the binaries

15. @bbossola SAST sub-families ● Static Code Analysis – Analysis of the sources or the binaries ● Static Dependency Analysis (or Static Component Analysis) – 20% of the code is your code – 80% of code comes from external libraries ● better check it, yeah? WARNING!!! SHAMELESS PLUG HERE!

16. @bbossola SAST sub-families ● Static Code Analysis – Analysis of the sources or the binaries ● Static Dependency Analysis (or Static Component Analysis) – 20% of the code is your code – 80% of code comes from external libraries ● Sensitive Information Scanners – Any AWS key committed in your repo? – What about the commit comments?

17. @bbossola DAST tools ● Dynamic Application Security Testing ● Testing an application in an operating state – uses fault injection techniques – automated black box testing ● Interacts with exposed interfaces – HTML – APIs – Other specific protocols

18. @bbossola RASP tools ● Run-time Application Self-Protection ● an agent is embedded into the application – usually “melted” through code instrumentation ● it analyses the application behaviour ● a RASP can: – shutdown a user session – stop executing the application – deploy code fixes at runtime – provide detailed reports and runtime monitoring

19. @bbossola IAST tools ● Interactive Application Security Testing ● As RASP they embed an agent in the application ● However they are not used in production ● It's a testing tool, not a security tool

20. @bbossola Anything else? ● WAF – Web Application Firewalls – a perimeter control solution – basicallly a reverse proxy – applies a set of rules to an HTTP conversation – cover common attacks such as cross-site scripting (XSS) and SQL injection

21. @bbossola Commercial options

22. @bbossola Workshop time! ● Get your computer ● Make sure your internet connection works :)

23. @bbossola A closer look to SAST tools ● Static Code Analysis – PMD – Spotbugs – Errorprone

24. @bbossola A closer look to SAST tools ● Static Dependency Analysis (or Static Component Analysis) – dependency-check – meterian WARNING!!! SHAMELESS PLUG HERE!

25. @bbossola A closer look to SAST tools ● Sensitive Information Scanners – gitleaks – trufflehog ● Mentioned: – git-secrets – gitrob

26. @bbossola A closer look to a RASP tool ● An opensource RASP tool – OpenRASP

27. @bbossola Q&A

Editor's Notes

Introduce meterian clearly“we help companies to ship software without vulnerabilities” startup, I am a cofounder with Vivian (PM)
Let&apos;s look at a simple SQL injection example. A naive application simply has no defense and gets exploited. An application that uses PreparedStatements is safe against injection, but has no idea whether it is being attacked or not. Let&apos;s see how this works with RASP. I&apos;m describing Contrast&apos;s instrumentation approach here. First, the RASP is installed into the application. In this case, simply adding the RASP agent to the environment is enough. When the code loads, the RASP uses dynamic binary instrumentation to add new security sensors and analysis capability to the application. When the attack arrives at the application, RASP uses gathers data about the request, the user, the session, and any other contextual information. The attacker&apos;s request data is tracked through the application. If it looks like an attack, but never reaches a SQL query, it gets reported as a probe. This is a major difference from what a WAF can do, as WAFs are not able to see what happens inside the application and must overblock. If the attack actually reaches a SQL query and modifies the meaning of that query, only then does RASP block the attack. This is essentially enforcing the definition of SQL Injection, as only attacks that successfully modify the meaning of SQL queries are blocked. This is why RASP implementation can be deployed without much configuration or training

Tools to create a secure pipeline

Recommended

Recommended

More Related Content

Recently uploaded

Recently uploaded (20)

Featured

Featured (20)

Tools to create a secure pipeline

Editor's Notes