“Using the Wisdom of the Crowd to Enhance Application Security” – Checkmarx
Transcript of the slide deck “Using the Wisdom of the Crowd to Enhance Application Security” (Checkmarx, Moshe Lerner)
![Page 1: “Using the Wisdom of the - Checkmarx · by “extracting knowledge” from large code base (wisdom of the crowd) b. How to automatically correlate and suggest fixing actions in](https://reader033.fdocuments.net/reader033/viewer/2022043016/5f3931b4b9491b31a247dd76/html5/thumbnails/1.jpg)
“Using the Wisdom of the Crowd to Enhance Application Security”
About myself – Moshe Lerner
• VP Product Strategy – Checkmarx
• Over 20 years of global experience in the software industry
• Prior to Checkmarx, held the position of VP of Product Management and Business Development at ItemField (acquired by Informatica)
• Prior to ItemField was VP of Product and Delivery at Sapiens (Nasdaq: SPNS).
Issues at hand – size, complexity, volume
The biggest challenge of current source code analysis solutions is size!
How to deliver:
1. Usable results
2. Automatically
3. Out-of-the-box
4. Accurately
for extra large code bases with thousands+ of results
Agenda
In this presentation I will talk about both ends of that problem:
a. How to automatically detect issues that the user does not even know how to describe, by “extracting knowledge” from large code base (wisdom of the crowd)
b. How to automatically correlate findings and suggest fixing actions in a fraction of the time for extra large code bases
Zero-days? Zero-configuration?
• What happens if you do not even know what question to ask?
• What if you do not have the resources to configure the system?
• We want a “guru” that:
  – asks the questions for us.
  – configures the system for us.
  – finds the vulnerabilities for us.
  – guides us.
• Hold on for a few more slides …
Source code analysis history
First Generation code analysis
• The system came out of the box with the relevant security knowledge wired into the system.
• Little-to-no adaptation capabilities.
New Generation code analysis
• The system came out of the box with the relevant security knowledge
• Ability to customize existing security knowledge
• Ability to add your own business logic
• EASY!! Virtual Compiler. No need to compile your code.
• EASY!! Incremental scan.
• SQL Injection -> VAT Change -> Backdoors
Diagram: Security, Quality, Business Logic
Example
SOQL Injection:

```text
A = Input
C = escapeSingleQuotes(A)
B = Input
DB(C + B)
```

A reaches the query only after escapeSingleQuotes; B flows into DB(C + B) straight from the input, and that unsanitized path is the SOQL injection.
Example

The same finding expressed as a query (CxQL, Checkmarx's C#-based query language):

```csharp
CxList input = All.FindByName("input");
CxList db = All.FindByName("execute");
CxList fix = All.FindByName("fix");
return db.InfluencedByAndNotSanitized(input, fix);
```
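To make the query's semantics concrete, here is an added Python model of the slide's flow graph. It is not Checkmarx code and not CxQL: the node table, the edge lists and the FIXED_EDGES variant (B routed through escapeSingleQuotes as well) are assumptions made for this example; find_by_name and influenced_by_and_not_sanitized only mimic what the two CxQL calls on the slide do.

```python
from collections import defaultdict

# Constructed flow graph for the slide's SOQL-injection example (assumed, not
# Checkmarx's engine). Node names mirror the slide:
#   A = Input; C = escapeSingleQuotes(A); B = Input; DB(C + B)
NODES = {
    1: "input",               # A = Input
    2: "A",
    3: "escapeSingleQuotes",  # C = escapeSingleQuotes(A)
    4: "C",
    5: "input",               # B = Input
    6: "B",
    7: "execute",             # DB(C + B): the SOQL query sink
}
# Each edge means "the destination is influenced by the source".
VULNERABLE_EDGES = [(1, 2), (2, 3), (3, 4), (4, 7), (5, 6), (6, 7)]
# Comparison variant (assumed): B is also passed through escapeSingleQuotes.
FIXED_EDGES = [(1, 2), (2, 3), (3, 4), (4, 7), (5, 6), (6, 3)]


def find_by_name(name):
    """Analogue of All.FindByName(name): every node carrying that name."""
    return {nid for nid, n in NODES.items() if n == name}


def influenced_by_and_not_sanitized(edges, sinks, sources, sanitizers):
    """Analogue of sinks.InfluencedByAndNotSanitized(sources, sanitizers):
    every source-to-sink path that never steps through a sanitizer node."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    findings = []

    def walk(node, path):
        if node in sinks:
            findings.append(path)
        for nxt in succ[node]:
            if nxt in sanitizers or nxt in path:  # sanitized, or a cycle
                continue
            walk(nxt, path + [nxt])

    for src in sorted(sources):
        walk(src, [src])
    return findings


def soql_injection(edges):
    """The slide's query, spelled out: inputs reaching 'execute' unsanitized,
    reported as the node names along each offending path."""
    inputs = find_by_name("input")
    sinks = find_by_name("execute")
    fixes = find_by_name("escapeSingleQuotes")
    return [[NODES[n] for n in path]
            for path in influenced_by_and_not_sanitized(edges, sinks, inputs, fixes)]


if __name__ == "__main__":
    print(soql_injection(VULNERABLE_EDGES))  # [['input', 'B', 'execute']]
    print(soql_injection(FIXED_EDGES))       # []
```

The query knows the sanitizer only by name. escapeSingleQuotes is the right fix when the value lands inside a quoted SOQL string literal; for a value used as a field or object name it neutralizes nothing, yet a query written this way would still treat that flow as sanitized. Pick the "fix" set per sink context rather than once for the whole code base.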
Diagram: Security, Quality, Business Logic, Application Intelligence
SCKD – Source Code Knowledge Discovery
“Using Wisdom of the crowd (Big Data) to identify security vulnerabilities via code irregularities”
Zero-days? Zero-configuration?
• What happens if you do not even know what question to ask?
• What if you do not have the resources to configure the system?
• We want a “Guru” that:
  – asks the questions for us.
  – configures the system for us.
  – finds the vulnerabilities for us.
  – guides us.
There is such a guru
• You
• You
• You
• And you!
• All of you: the Wisdom of the Crowd
• Most developers write good, standard, quality code, most of the time
Crowd
• We can set a baseline based on code statistics and find deviations thereof
SCKD
• Source Code Knowledge Discovery – an active research area (compare Knowledge Discovery in Databases: http://en.wikipedia.org/wiki/Knowledge_extraction )
“Knowledge discovery describes the process of automatically searching large volumes of data for patterns that can be considered knowledge about the data. It is often described as deriving knowledge from the input data. Knowledge discovery developed out of the Data mining domain, and is closely related to it both in terms of methodology and terminology.”
Technique
• Building data
• Finding common sequences
• Finding violations
Getting Data

```text
s = input();
if (isValid(s))
{
  …
  response.write(s);
  …
}

a = input();
if (isValid(a))
{
  …
  response.write(a);
  …
}

k = input();
if (isValid(k))
{
  …
  response.write(k);
  …
}

m = input();
if (isValid(m))
{
  …
  response.write(m);
  …
}

c = input();
if (isValid(c))
{
  …
  response.write(c);
  …
}
```
Setting Baseline – Finding Deviations

Setting the baseline (variable names abstracted to *):

```text
* = input();
if (isValid(*))
{
  …
  response.write(*);
  …
}
```

Finding deviations: this instance does not match the baseline (no isValid check between input and response.write) and is flagged:

```text
v = input();
…
response.write(v);
…
```
Backdoor – if my name is Maty, login

```text
if (isAuthenticated(user)) { … }
if (isAuthenticated(user)) { … }
if (isAuthenticated(user)) { … }
if (isAuthenticated(user)) { … }
if (isAuthenticated(user)) { … }
if (isAuthenticated(user) || user.name == "maty") { … }
if (isAuthenticated(user) || user.name == "maty") { … }
```
VAT – Leveraging the cloud of apps?

```text
VAT = 1.05
…
VAT = 1.08
…
VAT = 1.08
…
VAT = 1.08
```

Find similarities between different applications to set an intra-corporate standard. With zero definition! It is enough that some apps were fixed to find the ones that were not.
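The three steps of the technique (building data, finding common sequences, finding violations) and the three worked slides (the isValid baseline, the "maty" backdoor, the VAT constant across applications) can be run end to end on a toy corpus. The following is an added Python sketch, not Checkmarx's SCKD implementation; the corpus, the KEEP vocabulary of API names, the ANCHORS list that groups snippets into families and the 50% support threshold are all assumptions made for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed corpus standing in for scan data from several applications;
# locations and snippets are invented for this example, not real code.
CORPUS = [
    ("app1/Page1", "s = input();\nif (isValid(s)) {\n  response.write(s);\n}"),
    ("app1/Page2", "a = input();\nif (isValid(a)) {\n  response.write(a);\n}"),
    ("app1/Page3", "k = input();\nif (isValid(k)) {\n  response.write(k);\n}"),
    ("app1/Page4", "m = input();\nif (isValid(m)) {\n  response.write(m);\n}"),
    ("app1/Page5", "v = input();\nresponse.write(v);"),              # validation missing
    ("app2/Login1", "if (isAuthenticated(user)) { }"),
    ("app2/Login2", "if (isAuthenticated(user)) { }"),
    ("app2/Login3", "if (isAuthenticated(user)) { }"),
    ("app2/Login4", "if (isAuthenticated(user)) { }"),
    ("app2/Login5", "if (isAuthenticated(user)) { }"),
    ("app2/Login6", 'if (isAuthenticated(user) || user.name == "maty") { }'),  # backdoor
    ("app3/Tax", "VAT = 1.05"),                                       # not yet updated
    ("app4/Tax", "VAT = 1.08"),
    ("app5/Tax", "VAT = 1.08"),
    ("app6/Tax", "VAT = 1.08"),
]

# Assumed API vocabulary: kept verbatim. Any other identifier is treated as a
# variable name and abstracted to '*', exactly as the slides draw it.
KEEP = {"input", "if", "isValid", "response", "write",
        "isAuthenticated", "user", "name", "VAT"}
# Assumed grouping rule: a snippet belongs to the family of the first anchor it mentions.
ANCHORS = ("response.write", "isAuthenticated", "VAT")


def abstract(snippet):
    """Step 1, building data: normalise a snippet into a shape. Variable names
    become '*', literals and API names stay, whitespace is collapsed, so the
    s/a/k/m versions of the same code collapse to one shape."""
    def sub(m):
        tok = m.group(0)
        return tok if tok in KEEP or tok[0].isdigit() else "*"
    shape = re.sub(r"[A-Za-z_]\w*|\d+(?:\.\d+)?", sub, snippet)
    return " ".join(shape.split())


def family_of(snippet):
    return next((a for a in ANCHORS if a in snippet), None)


def mine(corpus, min_support=0.5):
    """Steps 2 and 3: per family, the most common shape is the baseline (the
    crowd's wisdom); every location whose shape falls below min_support is a
    deviation. A family without a majority shape yields no baseline at all."""
    families = defaultdict(list)
    for loc, snippet in corpus:
        fam = family_of(snippet)
        if fam:
            families[fam].append((loc, abstract(snippet)))
    report = {}
    for fam, items in families.items():
        counts = Counter(shape for _, shape in items)
        baseline, n = counts.most_common(1)[0]
        support = n / len(items)
        if support < min_support:            # no consensus: nothing to learn here
            report[fam] = {"baseline": None, "support": support, "deviations": []}
            continue
        deviations = [loc for loc, shape in items
                      if counts[shape] / len(items) < min_support]
        report[fam] = {"baseline": baseline, "support": support,
                       "deviations": deviations}
    return report


if __name__ == "__main__":
    for fam, r in mine(CORPUS).items():
        print(f"{fam}: baseline={r['baseline']!r} support={r['support']:.2f} "
              f"deviations={r['deviations']}")
```

Two caveats the slides imply but do not spell out. The crowd must actually have a majority: the example returns no baseline when no shape reaches the support threshold, which is the reason the method needs large code bases. And the majority is only as good as the crowd: if most pages skip isValid, the one page that validates is what gets flagged. Treat the report as a triage queue, not a verdict.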
Works well for
• General:
  – We can find the hidden knowledge of the crowd, give it a name and find breaches of it.
• Security:
  – Make sure the user is authenticated at each page
  – Auto-recognize sanitization routines
  – Backdoors (“if (isValid(user) or user==“Maty”)…”)
  – Business logic (“if (qty > 0) {charge (qty*amnt)}”)
• Quality:
  – Always release a specific resource
  – Best coding practices (auto-recognize conventions)
  – Initialize a variable
Also
Wisdom of the crowd works better for larger enterprises and code bases
Graph Visualization
Optimized call for action: “Using smart graph methods to identify vulnerability junctions and best fix locations”
Issue
• Finding thousands of accurate results does not make us happy …
• WebGoat, for example, has ~220 XSS + SQL Injection results
• Assuming 30 minutes to fix each one plus 30 minutes to validate, that is 220 hours, about a month of work
• We’ll narrow this down to 16 places
• ~1/14 of the time
• So we have some time to play golf ;)
Current situation
• Each result has a data flow, presented independently from other findings.
Single Data Flow Path - XSS

```csharp
String s = Request.QueryString["param1"]; …
Response.Write(s);
```

Data flow: Request.QueryString["param1"] → s → Response.Write(s)
Current situation
• One is easy.
• What about 14?
Many Single-Path – XSS – a lot of work
But …
• What do they have in common?
Combined paths
Can we …
• Point, click and check without even READING the source code?
• “What if I fix here? Or fix here?”
What-If I fix here?
Here it is more effective
And here?
Automatic “What-if” => Best Fix Location
Compare the two:
Benefits
• Gives you the correlation between findings of the same type (SQLi) and different types.
• You are not dealing with individual findings – but with a complete system
• Use your time better
220 Fix locations
• At the point of a click we narrow down 220 places into 16.
• The more results, the more effective this solution is
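The "combined paths", "what-if I fix here?" and "best fix location" slides describe one procedure: overlay the individual data-flow paths into a graph, count how many findings pass through each node (the vulnerability junctions), and pick the nodes whose fix closes the most findings. Below is an added Python sketch of that procedure, not Checkmarx's implementation; the findings (files, line numbers, helper names) are constructed, and the greedy set-cover choice of fix locations is my assumption about how to rank junctions, not the slides' algorithm.

```python
from collections import Counter

# Constructed findings standing in for a scan's data-flow results: each finding
# is its path from source to sink, labelled "file:line expression". Files,
# lines and helper names are invented for this example.
FINDINGS = {
    "XSS-1":  ["Search.aspx:10 Request.QueryString", "Search.aspx:11 q",
               "Util.cs:40 Render(text)", "Util.cs:42 Response.Write(text)"],
    "XSS-2":  ["Login.aspx:8 Request.QueryString", "Login.aspx:9 msg",
               "Util.cs:40 Render(text)", "Util.cs:42 Response.Write(text)"],
    "XSS-3":  ["Cart.aspx:15 Request.QueryString", "Cart.aspx:16 item",
               "Util.cs:40 Render(text)", "Util.cs:42 Response.Write(text)"],
    "XSS-4":  ["Profile.aspx:22 Request.Form", "Profile.aspx:23 bio",
               "Util.cs:40 Render(text)", "Util.cs:42 Response.Write(text)"],
    "XSS-5":  ["Help.aspx:4 Request.QueryString", "Help.aspx:5 topic",
               "Util.cs:40 Render(text)", "Util.cs:42 Response.Write(text)"],
    "XSS-6":  ["Contact.aspx:5 Request.QueryString", "Contact.aspx:6 name",
               "Contact.aspx:7 Response.Write(name)"],   # no shared node
    "SQLi-1": ["Orders.aspx:20 Request.Form", "Orders.aspx:21 id",
               "Db.cs:17 Query(sql)", "Db.cs:19 cmd.ExecuteReader()"],
    "SQLi-2": ["Orders.aspx:31 Request.Form", "Orders.aspx:32 status",
               "Db.cs:17 Query(sql)", "Db.cs:19 cmd.ExecuteReader()"],
    "SQLi-3": ["Report.aspx:12 Request.QueryString", "Report.aspx:13 month",
               "Db.cs:17 Query(sql)", "Db.cs:19 cmd.ExecuteReader()"],
}


def what_if(findings, fix_node):
    """The slide's 'what if I fix here?': the findings whose path runs through
    fix_node, i.e. the ones a correct fix at that node would close."""
    return {fid for fid, path in findings.items() if fix_node in path}


def junctions(findings):
    """Vulnerability junctions: how many findings pass through each node."""
    counts = Counter()
    for path in findings.values():
        counts.update(set(path))
    return counts


def best_fix_locations(findings):
    """Greedy set cover (assumed ranking): repeatedly pick the node whose fix
    closes the most still-open findings. Returns [(node, [closed ids]), ...]."""
    open_findings = dict(findings)
    plan = []
    while open_findings:
        counts = junctions(open_findings)
        # most coverage first; ties broken by label so the result is deterministic
        node = min(counts, key=lambda n: (-counts[n], n))
        closed = sorted(what_if(open_findings, node))
        plan.append((node, closed))
        for fid in closed:
            del open_findings[fid]
    return plan


def reduction(findings):
    """(number of findings, number of fix locations needed to close them all)."""
    return len(findings), len(best_fix_locations(findings))


if __name__ == "__main__":
    for node, closed in best_fix_locations(FINDINGS):
        print(f"fix at {node}: closes {closed}")
    print("findings -> fix locations:", reduction(FINDINGS))
```

On this constructed data nine findings collapse to three fix locations: the shared Render helper, the shared Query helper, and one page with no shared node that still needs its own fix. Two practitioner caveats: the count only says which findings lie on a node, not that one fix there is correct for every caller (a helper that renders into HTML for one page and into a JavaScript string for another needs context-specific encoding), and greedy cover is an approximation, so when two nodes tie, such as Render and the Response.Write inside it, the engineer still chooses.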
Recap
The biggest challenge of current source code analysis solutions is size!
How to deliver:
1. Actionable results
2. Automatically
3. Out-of-the-box
4. Accurately
for extra large code bases with thousands+ of results
Questions?