Application Security SAST & DAST in the Secure SDLC · Static Application Security Testing (SAST)...
Application Security: SAST & DAST in the Secure SDLC
Paul Kitor, Fortify Solution Architect
Static Application Security Testing (SAST)
Static Application Security Testing (SAST)
Inspect the source code: taint, trace, analyze, report
"White box testing": full visibility into the code
Method-level tests: look at execution paths
Inside-out
Diagram: the analyzer consumes XML, Java, T-SQL and JSP sources, follows User Input through the code to a SQL Injection finding, and produces Results.
Static Application Security Testing (SAST): SQL Injection
Diagram: source of attack, source of problem, source of data.
Static Application Security Testing (SAST): SQL Injection
Diagram: Untrusted Input Source → Execution Path → Sensitive Sink, shown once without and once with Parameterization.
Untrusted input: ' or 'a'='a
Vulnerable sink (string concatenation): select * from user where name=' + param + ';
Query that reaches the database: where name='' or 'a'='a';
Parameterized sink: where name="{0}"; the input is bound as the single value "' or 'a'='a" instead of being parsed as SQL.
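The taint, trace, analyze, report flow on this slide, as an added example (not Fortify's engine or any code from the deck): a toy tracker marks request data as tainted, propagates the taint through string concatenation, and reports when tainted text reaches the SQL sink. The vulnerable and parameterized lookups mirror the two execution paths on the slide; all names are assumptions.

```python
"""Toy SAST-style taint tracker: taint, trace, analyze, report (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Value:
    """A string plus the trace of how untrusted data reached it (empty = clean)."""
    text: str
    trace: tuple = ()   # e.g. ("UserInput:name", "concat@vulnerable_lookup")

    @property
    def tainted(self) -> bool:
        return bool(self.trace)


def user_input(param: str, raw: str) -> Value:
    """Untrusted Input Source: everything from the request is tainted."""
    return Value(raw, (f"UserInput:{param}",))


def concat(label: str, *parts: Value) -> Value:
    """Execution path step: taint propagates through string concatenation."""
    trace = tuple(t for p in parts for t in p.trace)
    step = (f"concat@{label}",) if trace else ()
    return Value("".join(p.text for p in parts), trace + step)


def execute_sql(query: Value, params: tuple = ()) -> dict:
    """Sensitive Sink. Bound parameters are data and are never parsed as SQL,
    so only taint in the query *text* is a reportable finding."""
    if query.tainted:
        return {"finding": "SQL Injection", "sink": "execute_sql",
                "trace": query.trace + ("Sink:execute_sql",), "query": query.text}
    return {"finding": None, "query": query.text, "params": [p.text for p in params]}


PAYLOAD = "' or 'a'='a"   # constructed input: the payload from the slide


def vulnerable_lookup(name: Value) -> dict:
    # select * from user where name=' + param + ';  (the slide's vulnerable form)
    q = concat("vulnerable_lookup",
               Value("select * from user where name='"), name, Value("';"))
    return execute_sql(q)


def parameterized_lookup(name: Value) -> dict:
    # where name={0}: the query text is a constant; the tainted value is bound
    return execute_sql(Value("select * from user where name=?;"), (name,))


if __name__ == "__main__":
    tainted = user_input("name", PAYLOAD)
    print(vulnerable_lookup(tainted))      # reports SQL Injection with the full trace
    print(parameterized_lookup(tainted))   # no finding: taint never enters the query text
```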
Dynamic Application Security Testing (DAST)
Dynamic Application Security Testing (DAST)
Inspect the application while it is running: discover, attack, observe, exploit
"Black box testing": no assumptions about implementation
System-level tests: look at the system together
Outside-in: emulate an attacker
Diagram: the tester sends a request carrying '%20or%201=1-- to the web server ("Attack!").
Dynamic Application Security Testing (DAST): SQL Injection
Diagram: source of attack, source of problem, source of data.
Audited Scan Results
Raw scan results are possible vulnerabilities; after audit each is rated Critical, High, Medium or Low, or marked Not an Issue.
Issues you don't care about, and their causes:
▪ Not Exploitable: mitigations in place
▪ Not Reachable: code not reachable
▪ Noise: scan configuration
▪ Policy: organizational choice
▪ False Positive: not a real vulnerability
What drives the decision: application context, organizational preference, security expertise.
Contextual awareness and expertise are required to validate findings.
Why is Security so critical?
Security must be integrated into the new SDLC
Improve SDLC policies: application security for the SDLC
1. Secure Development: continuous feedback on the developer's desktop at DevOps speed
2. Security Testing: embed scalable security into the development tool chain
3. Continuous Monitoring and Protection: monitor and protect software running in production
DevOps teams recognize the importance of integrating security
Collaborating with security ranked as the most important strategy for DevOps in regulated industries
Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc., 2017
Development teams are growing at an 80:1 ratio to security teams
Reference: Micro Focus 2017 Application Security Research Update
Security is in the DNA of DevOps
• DevOps institutes a culture of communication and collaboration.
• Specialists work to understand each other's concerns in order to reduce friction in the SDLC.
• Shift Left describes the effort to move activities and information to the earliest possible point in the lifecycle, increasing the effectiveness of the development process.
• Quality rises as an effect of DevOps. This is also true for Application Security.
Understanding the SDLC: some background
What is DevOps?
Diagram: Source Code Management (Git, TFS) → Build Systems (build server) → Testing (UFT Pro) → Provisioning & Deployment (Puppet).
Why DevOps?
Value-stream diagram: Code → Unit Test → Validate Security → Integration → Functional Testing → Deploy, with handoffs in between (Email Supervisor, Email Tech Lead, Assign to System Team, Assign to QA, Deliver to Operations). Each step is annotated with Time Spent (minutes) versus Time Wasted waiting (half a week to two weeks).
Touch Time: 7 hours 30 mins
Cycle Time: 6+ weeks
What is Manual Integration?
▪ Developers work independently on their code in their IDE
▪ They work on their own, and "check in" code to the source control system when they are done – i.e. when the code compiles in their IDE and passes their unit tests
▪ However, they can introduce changes that conflict with one another, and until all changes from multiple branches are merged and compiled, there is no way to know if there are integration issues
▪ Often, merging multiple changes together leads to significant rework to find and fix problems
▪ When errors are fixed and the build is successful, the output is stored in an asset repository
Diagram: Bryan, Susan and Jason each check accountservice.java into the Version Control System; the build output goes to the Asset Repository.
What is Manual Integration?
▪ The assets in the asset repository are then installed into an environment for testing
▪ This is often a manual process that must account for differences between environments
Diagram: Manual Deployment from the Asset Repository into Development, Quality Assurance, Staging and Production.
What is Continuous Integration?
▪ Every time code is checked in, it triggers a build
▪ Every change is integrated into the main code path, or trunk, continuously
▪ Errors are identified and dealt with extremely quickly
Diagram: a CI Server builds every check-in from the Version Control System into the Asset Repository; deployment into Development, Quality Assurance, Staging and Production is still manual.
What is Continuous Delivery?
Diagram: a Delivery Server with Automated Deployment is added next to the CI Server; Manual Deployment steps are still shown between Development, Quality Assurance, Staging and Production.
What is Continuous Deployment?
Diagram: CI Server and Delivery Server with Automated Deployment across Development, Quality Assurance, Staging and Production.
What is Continuous Testing?
Diagram: a Test Server joins the CI Server and Delivery Server in the pipeline from the Version Control System and Asset Repository through Development, Quality Assurance, Staging and Production.
What is Continuous Security?
Chart: cost of a defect (y axis) against length of feedback cycle (x axis). Points plotted, as listed on the slide:
▪ Security defects found via IDE plugin
▪ Design or programming defects found via TDD
▪ Programming defects found via CI
▪ Requirement or design defect found via Active Stakeholder Participation
▪ Programming defect found via traditional system test
▪ Design defect found via traditional system test
▪ Requirement defect found via traditional acceptance criteria
▪ Security defect found during periodic application scanning
What is Secure DevOps?
Where does Security fit in DevOps?
Diagram: Fortify Security Assistant (light-weight static code analysis) in the IDE, Static Code Analysis on the Build Server, Dynamic Application Security Testing against the running application, and Real-time Application Self-Protection in production.
Highlight vulnerabilities during coding
▪ Level of criticality
▪ Type of vulnerability, explanation and detailed remediation guidance
▪ All issues detected in the project
▪ The vulnerable line of code is highlighted in the developer's code, with tips linking to additional information
▪ Fortify menu for additional options
Thank you
www.microfocus.com