Vulnerabilities are bugs, Let's Test For Them!

1. Copyright (c) Bitforest Co., Ltd. Vulnerabilities Are Bugs Let’s Test for Them! VAddy Continuous Security Testing Service 1 Bitforest Co., Ltd. Yasushi Ichikawa

2. Copyright (c) Bitforest Co., Ltd. Web Security Tests • White-‐box testing • Analyze source code (e.g. with brakeman) • Black-‐box testing • Send HTTP requests with attack payloads and check responses • Examples: VAddy, OWASP ZAP, AppScan 2

3. Copyright (c) Bitforest Co., Ltd. Current Issues with Web Security Tests 3 Development team External security firm Internal security team Coding Unit tests Integration tests Vulnerability assessment Development team Revisions Release Current practice is to conduct only one vulnerability assessment prior to release ! • If a large number of vulnerabilities are found immediately before release, they will have a big impact on the release schedule • From both a time and cost perspective, it’s difficult to conduct vulnerability assessments for every revision and new feature introduced after an application is released

4. Copyright (c) Bitforest Co., Ltd. Current Issues with Web Security Tests [Scenario: Using a Security Firm] Cost: Thousands of dollars (or more) Duration: 4 This is difficult to do continuously Over one week until the results of an   investigation are delivered

5. Copyright (c) Bitforest Co., Ltd. 5 We need continuous security tests

6. Copyright (c) Bitforest Co., Ltd. 6 Run from the beginning of development until release, just like unit tests

7. Copyright (c) Bitforest Co., Ltd. What Are Continuous Web Security Tests? 7 Development team External security firm Internal security team Coding Unit tests Integration tests Vulnerability assessment Development team Revisions Release Continuous Security Tests Development team Coding Unit tests Integration tests Release Vulnerability assessments Development teams can run security tests as often as they like.

8. Copyright (c) Bitforest Co., Ltd. Issues with Continuous Web Security Tests • Existing scanning tools • are difficult to add to continuous integration workflows • cost both time and money to set up and maintain yourself • have many settings and require accumulated expertise 8

9. Copyright (c) Bitforest Co., Ltd. Important Points 9 It’s important to tell your scanning tools how your web application works

10. Copyright (c) Bitforest Co., Ltd. Important Points 10 For example: If, while testing an authenticated page, your session expires and you are returned to the login screen, test the login screen and continue

11. Copyright (c) Bitforest Co., Ltd. Important Points 11 You need to configure your tools to behave appropriately when their sessions expire and they are logged out

12. Copyright (c) Bitforest Co., Ltd. 12 This keeps you from focusing on business-‐critical software development Scanning tools aren’t very effective unless you continue to learn how to configure them Issues with Continuous Web Security Tests

13. Copyright (c) Bitforest Co., Ltd. 13 Simple setup Maintenance free  Effective scanning  CI cycle automation

14. Copyright (c) Bitforest Co., Ltd. 14 Continuous Web Security Testing Service Vulnerability Assessment is your Buddy

15. Copyright (c) Bitforest Co., Ltd. 15 Continuous Web Security Testing Service http://vaddy.net

16. Copyright (c) Bitforest Co., Ltd. VAddy s Features • No tool to install (SaaS) • Unlimited free scanning • Support for continuous integration • Web API • Jenkins plugin • Works with Travis, CircleCI, etc. 16

17. Copyright (c) Bitforest Co., Ltd. Common Configurations 17

18. Copyright (c) Bitforest Co., Ltd. VAddy s Features 18 VAddy can figure out how your application works and scan it correctly without any special settings

19. Copyright (c) Bitforest Co., Ltd. VAddy s Policy 19 Software developers should focus on software development!

20. Copyright (c) Bitforest Co., Ltd. VAddy s Features 20 Proprietary security scanning engine that uses machine learning

21. Copyright (c) Bitforest Co., Ltd. VAddy s List of Scan Results 21

22. Copyright (c) Bitforest Co., Ltd. Types of Vulnerabilities and Vulnerable Parameters 22 You can see the type of vulnerability (e.g. SQL injection) that was found along with the vulnerable URL and parameter name. This example shows that there is a SQL injection vulnerability in the parameter "ID" used at the URL "search", so you can figure out which lines of code are at fault.

23. Copyright (c) Bitforest Co., Ltd. Request Data for Reproducing Attacks 23 VAddy shows you the request data it sent so you can reproduce the attack in your own development environment

24. Copyright (c) Bitforest Co., Ltd. Currently Supported Scans (SQLi, XSS) • GET/POST/PUT/DELETE parameters • Rest APIs with JSON parameters • Parameters in URL paths • www.example.com/item/view/1 • Form authentication (login screens) • CSRF tokens (including Angular.js) • SSL applications 24

25. Copyright (c) Bitforest Co., Ltd. 25 Continuous security tests are an up-‐and-‐coming trend in software development

26. Copyright (c) Bitforest Co., Ltd. 26 Twitter: @vaddy_support Email: info@vaddy.net Contacts

27. Copyright (c) Bitforest Co., Ltd. 27 http://vaddy.net

Vulnerabilities are bugs, Let's Test For Them!

Vulnerabilities are bugs, Let's Test For Them!

Recommended

More Related Content

What's hot

What's hot(20)

Similar to Vulnerabilities are bugs, Let's Test For Them!

Similar to Vulnerabilities are bugs, Let's Test For Them!(20)

Recently uploaded

Recently uploaded(20)

Vulnerabilities are bugs, Let's Test For Them!