Application Security SAST & DAST in the Secure SDLC · Static Application Security Testing (SAST)...

Post on 22-May-2020


Application Security: SAST & DAST in the Secure SDLC
Paul Kitor, Fortify Solution Architect

Static Application Security Testing (SAST)

• Inspect the source code: taint, trace, analyze, report
• “White box testing”: full visibility into the code
• Method-level tests: look at execution paths
• Inside-out

Diagram: user input flowing through the JSP, Java, T-SQL and XML layers of an application, with SQL injection reported in the results.

Static Application Security Testing (SAST): SQL Injection

Diagram: the source of the attack, the source of the problem and the source of the data are three different places in the code. SAST follows an untrusted input source along the execution path to a sensitive sink and checks whether parameterization sits between them.

Worked trace from the slide (straight quotes restored):

    Sensitive sink, built by string concatenation:
    select * from user where name=' + param + ';

    Untrusted input:
    ' or 'a'='a

    Resulting query:
    where name='' or 'a'='a';

    Parameterized sink:
    where name="{0}";

    The same input bound as a value, so it never becomes SQL syntax:
    where name="'' or 'a'='a";

Dynamic Application Security Testing (DAST)

• Inspect the application while it is running: discover, attack, observe, exploit
• “Black box testing”: no assumptions about implementation
• System-level tests: look at the system together
• Outside-in: emulate an attacker

Diagram: a tester sends the request payload '%20or%201=1-- against the web server (“Attack!”).

Dynamic Application Security Testing (DAST): SQL Injection

Diagram: the source of the attack, the source of the problem and the source of the data, observed from outside the running application.
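The SAST trace and the DAST probe above are two views of the same defect, so here is one added example (not code from the slides) that runs both slide payloads through a concatenated sink and a parameterized sink. The in-memory SQLite table and its two rows are constructed for the example; the Java-ish query text on the slide is rendered as Python.

```python
import sqlite3
import urllib.parse

# Constructed sample rows standing in for the slide's "user" table.
_ROWS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", _ROWS)
    return conn


def lookup_concat(conn, param):
    """Sensitive sink fed straight from untrusted input: the slide's
    select * from user where name=' + param + '   (no parameterization)."""
    sql = "select * from user where name='" + param + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, param):
    """Parameterization on the execution path: the driver binds param as a
    value, so the sink never interprets it as SQL (the slide's where name="{0}")."""
    return conn.execute("select * from user where name=?", (param,)).fetchall()


# The slide's SAST input, and the DAST probe after URL decoding.
PAYLOAD_SAST = "' or 'a'='a"
PAYLOAD_DAST = urllib.parse.unquote("'%20or%201=1--")   # -> ' or 1=1--


def demo():
    """Row counts returned for each payload by each sink. A count of 2 means the
    tautology widened the query to every user; 0 means the payload was matched
    literally as a (non-existent) name."""
    conn = make_db()
    return {
        "concat_sast": len(lookup_concat(conn, PAYLOAD_SAST)),
        "param_sast": len(lookup_parameterized(conn, PAYLOAD_SAST)),
        "concat_dast": len(lookup_concat(conn, PAYLOAD_DAST)),
        "param_dast": len(lookup_parameterized(conn, PAYLOAD_DAST)),
    }


if __name__ == "__main__":
    print(demo())
```

A SAST tool reports the `lookup_concat` path because the taint from `param` reaches `execute` without passing a sanitizer or a bound parameter; a DAST scan sees only the difference in response size between the two sinks.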

Issues you don’t care about

Raw scan results are possible vulnerabilities; audited scan results are sorted into Critical, High, Medium, Low and Not an Issue. Contextual awareness and expertise are required to validate findings.

Causes: application context, organizational preference, security expertise.

Findings set aside during the audit:

• Not an Issue: not exploitable, mitigations in place
• Not Reachable: code not reachable
• Noise: scan configuration
• Policy: organizational choice
• False Positive: not a real vulnerability

Why is Security so critical?

Security must be integrated into the new SDLC: improve SDLC policies.

Application security for the SDLC

1. Secure Development: continuous feedback on the developer’s desktop at DevOps speed
2. Security Testing: embed scalable security into the development tool chain
3. Continuous Monitoring and Protection: monitor and protect software running in production

DevOps teams recognize the importance of integrating security: collaborating with security ranked as the most important strategy for DevOps in regulated industries.

Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc., 2017

Development teams are growing at an 80:1 ratio to security teams.

Reference: Micro Focus 2017 Application Security Research Update

Security is in the DNA of DevOps

• DevOps institutes a culture of communication and collaboration.
• Specialists work to understand each other’s concerns in order to reduce friction in the SDLC.
• Shift Left describes the effort to move activities and information to the earliest possible point in the lifecycle, increasing the effectiveness of the development process.
• Quality rises as an effect of DevOps. This is also true for Application Security.

Understanding the SDLC: some background

What is DevOps?

Diagram: the DevOps tool chain, with source code management (Git, TFS), build systems (build server), testing (UFT Pro) and provisioning & deployment (Puppet).

Why DevOps?

Diagram: a value-stream map of a manual delivery pipeline. The steps are Code, Unit Test, Validate, Security, Integration, Functional Testing and Deploy, with hand-offs between them (email supervisor, email tech lead, assign to system team, assign to QA, deliver to operations). Each step is annotated with time spent and time wasted waiting; the values shown are 120 min, 15 min, ½ week, 30 min, 2 weeks, 15 min, 2 weeks, 1 week, 45 min, 60 min, 240 min, ½ week and 180 min.

Touch Time: 7 hours 30 mins

Cycle Time: 6+ weeks

What is Manual Integration?

▪ Developers work independently on their code in their IDE

▪ They work on their own, and “check in” code to the source control system when they are done – i.e. when the code compiles in their IDE and passes their unit tests

▪ However, they can introduce changes that conflict with one another, and until all changes from multiple branches are merged and compiled, there is no way to know if there are integration issues

▪ Often, merging multiple changes together leads to significant rework to find and fix problems

▪ When errors are fixed and the build is successful, the output is stored in an asset repository

Diagram: developers (Bryan, Susan, Jason) each check their copy of accountservice.java into the version control system; the successful build output is stored in the asset repository.

What is Manual Integration?

▪ The assets in the asset repository are then installed into an environment for testing
▪ This is often a manual process that must account for differences between environments

Diagram: from the version control system and asset repository, a manual deployment into each of the Development, Quality Assurance, Staging and Production environments.

What is Continuous Integration?

▪ Every time code is checked in, it triggers a build
▪ Every change is integrated into the main code path, or trunk, continuously
▪ Errors are identified and dealt with extremely quickly

Diagram: a CI server builds every check-in from the version control system into the asset repository; deployment into Development, Quality Assurance, Staging and Production is still manual.

What is Continuous Delivery?

Diagram: a delivery server is added next to the CI server and provides automated deployment alongside the manual deployment steps across Development, Quality Assurance, Staging and Production.

What is Continuous Deployment?

Diagram: the delivery server automates deployment through Development, Quality Assurance, Staging and Production, with no manual deployment step remaining.

What is Continuous Testing?

Diagram: a test server is added next to the CI server and delivery server.

Chart: cost of a defect plotted against the length of the feedback cycle, for defects found at these points:

• Security defects found via IDE plugin
• Design or programming defects found via TDD
• Programming defects found via CI
• Requirement or design defects found via active stakeholder participation
• Programming defects found via traditional system test
• Design defects found via traditional system test
• Requirement defects found via traditional acceptance criteria
• Security defects found during periodic application scanning

What is Continuous Security?

What is Secure DevOps?

Where does Security fit in DevOps?

Diagram: static code analysis and dynamic application security testing attached to the build server, lightweight static code analysis on the developer’s desktop, and real-time application self-protection in production.

Fortify Security Assistant: highlight vulnerabilities during coding

• Level of criticality
• Type of vulnerability, explanation and detailed remediation guidance
• All issues detected in the project
• The vulnerable line of code is highlighted as the developer codes, with tips for additional information
• Fortify menu for additional options

Thank you
www.microfocus.com