Application Security SAST & DAST in the Secure SDLC · Static Application Security Testing (SAST)...

Application Security SAST & DAST in the Secure SDLC Paul Kitor Fortify Solution Architect

Transcript of Application Security SAST & DAST in the Secure SDLC · Static Application Security Testing (SAST)...

Page 1: Application Security SAST & DAST in the Secure SDLC · Static Application Security Testing (SAST) Inspect the source code Taint, trace, analyze, report “White box testing” Full

Application Security SAST & DAST in the Secure SDLC
Paul Kitor, Fortify Solution Architect

Page 2: Static Application Security Testing (SAST)

Page 3: Static Application Security Testing (SAST)

Inspect the source code: taint, trace, analyze, report

“White box testing”: full visibility into the code

Method-level tests: look at execution paths

Inside-out

[Diagram: taint trace from User Input through JSP, Java, T-SQL and XML to Results, reported as SQL Injection]
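As an added worked example (not part of the deck, and not Fortify's analyzer), the following Python toy runs the "taint, trace, analyze, report" cycle over a few straight-line programs: untrusted data enters at a source, is followed through assignments, concatenations and helper calls along the execution path, and is reported when it reaches a sensitive sink without passing through parameterization. The statement format, the rule names request_param, execute_sql, bind_param and trim, and the three sample programs are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed rule set for the toy; names are hypothetical, not Fortify's rule language.
SOURCES = {"request_param"}      # untrusted input enters the program here
SINKS = {"execute_sql"}          # sensitive sink: whatever reaches it becomes SQL text
SANITIZERS = {"bind_param"}      # parameterization: the value can no longer alter query structure

CALL = re.compile(r"^(\w+)\((.*)\)$")


@dataclass
class Finding:
    category: str
    source_line: int
    sink_line: int
    trace: list   # line numbers the tainted value passed through, source to sink


def analyze(program):
    """Trace taint through a straight-line toy program and report source-to-sink flows.

    Each statement is either `var = <expr>` or a bare call `<fn>(<var>)`, where <expr> is a
    call `<fn>(<arg>)` or a `+`-concatenation of variables and quoted literals (the toy
    parser assumes literals contain neither ` = ` nor `+`). Taint propagates through
    assignment, concatenation and unknown helper calls; a sanitizer call yields a clean value.
    """
    tainted = {}     # variable -> trace of line numbers carrying untrusted data
    findings = []
    for lineno, stmt in enumerate(program, start=1):
        stmt = stmt.strip()
        target, rhs = stmt.split(" = ", 1) if " = " in stmt else (None, stmt)
        call = CALL.match(rhs)
        if call:
            fn, arg = call.group(1), call.group(2).strip()
            if fn in SOURCES:
                trace = [lineno]                      # taint starts here
            elif fn in SANITIZERS:
                trace = None                          # parameterized: clean value
            elif fn in SINKS:
                if arg in tainted:                    # untrusted data reaches the sink
                    findings.append(Finding("SQL Injection", tainted[arg][0],
                                            lineno, tainted[arg] + [lineno]))
                trace = None
            else:
                # Unknown helper: conservatively assume it passes its argument through.
                trace = tainted[arg] + [lineno] if arg in tainted else None
        else:
            operands = [op.strip() for op in rhs.split("+")]
            carriers = [op for op in operands if op in tainted]
            trace = tainted[carriers[0]] + [lineno] if carriers else None
        if target is not None:
            if trace is None:
                tainted.pop(target, None)
            else:
                tainted[target] = trace
    return findings


def report(program, findings):
    """Render findings the way a scanner report would: category, then the full trace."""
    lines = []
    for f in findings:
        lines.append(f"{f.category}: untrusted data from line {f.source_line} "
                     f"reaches sink on line {f.sink_line}")
        for n in f.trace:
            lines.append(f"  line {n}: {program[n - 1].strip()}")
    return lines or ["no issues found"]


# Constructed sample programs.
VULNERABLE = [
    'name = request_param("name")',
    'query = "select * from user where name=\'" + name + "\'"',
    'execute_sql(query)',
]
PARAMETERIZED = [
    'name = request_param("name")',
    'bound = bind_param(name)',
    'execute_sql(bound)',
]
INDIRECT = [   # taint survives a pass through an unknown helper on the execution path
    'name = request_param("name")',
    'trimmed = trim(name)',
    'query = "select * from user where name=\'" + trimmed + "\'"',
    'execute_sql(query)',
]

if __name__ == "__main__":
    for prog in (VULNERABLE, PARAMETERIZED, INDIRECT):
        print("\n".join(report(prog, analyze(prog))))
```

The vulnerable and indirect programs each produce one finding whose trace lists every line the untrusted value touched; the parameterized program produces none, because bind_param breaks the chain before the sink.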

Page 4: Static Application Security Testing (SAST): SQL Injection

[Diagram: Source of attack, Source of problem, Source of data]

Page 5: Static Application Security Testing (SAST): SQL Injection

Untrusted Input Source -> Execution Path -> Parameterization -> Sensitive Sink

Untrusted Input Source -> Execution Path -> Sensitive Sink

Input: ' or 'a'='a

Query template: where name="{0}";

With parameterization (input stays data): where name="' or 'a'='a";

Without parameterization (input becomes SQL): where name='' or 'a'='a';

Vulnerable code: select * from user where name=' + param + ';
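Added example, not from the deck: the slide's two sink variants run against an in-memory SQLite database, using Python's standard sqlite3 module, so the difference between splicing the input into the query text and binding it as a parameter can be observed directly. The user table and its two rows are constructed sample data; the input is the one shown on the slide.

```python
import sqlite3

PAYLOAD = "' or 'a'='a"   # the input shown on the slide


def make_demo_db():
    """Constructed demo database: two sample users, nothing real."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (name text, email text)")
    conn.executemany("insert into user values (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def build_query_concat(param):
    """The slide's vulnerable pattern: the parameter is spliced into the query text,
    so the quote in the input closes the literal and the rest is parsed as SQL."""
    return "select * from user where name='" + param + "';"


def find_user_concat(conn, param):
    """Sensitive sink reached without parameterization."""
    return conn.execute(build_query_concat(param)).fetchall()


def find_user_param(conn, param):
    """Parameterized form: the driver binds the value, so it is only ever compared as data
    and can never change the structure of the statement."""
    return conn.execute("select * from user where name=?;", (param,)).fetchall()


if __name__ == "__main__":
    conn = make_demo_db()
    print("query built by concatenation:", build_query_concat(PAYLOAD))
    print("rows returned by concatenation:", find_user_concat(conn, PAYLOAD))
    print("rows returned with parameter binding:", find_user_param(conn, PAYLOAD))
```

With the slide's input, the concatenated query becomes `select * from user where name='' or 'a'='a';` and returns every row; the parameterized query looks for a user literally named `' or 'a'='a` and returns nothing, while a normal lookup such as `alice` behaves identically in both forms.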

Page 6: Dynamic Application Security Testing (DAST)

Page 7: Dynamic Application Security Testing (DAST)

Inspect the application while it is running: discover, attack, observe, exploit

“Black Box Testing”: no assumptions about implementation

System-level tests: look at the system together

Outside-in: emulate attacker

[Diagram: Tester sends the request '%20or%201=1-- to the Web server (“Attack!”)]

Page 8: Dynamic Application Security Testing (DAST): SQL Injection

[Diagram: Source of attack, Source of problem, Source of data]

Page 9: Issues you don’t care about

Raw Scan Results (possible vulnerabilities) -> audit -> Audited Scan Results (Critical, High, Medium, Low, Not an Issue)

Inputs to the audit: Application Context, Organizational Preference, Security Expertise

Causes of “Not an Issue”:

▪ Not Exploitable: mitigations in place

▪ Not Reachable: code not reachable

▪ Noise: scan configuration

▪ Policy: organizational choice

▪ False Positive: not a real vulnerability

Contextual awareness and expertise required to validate findings

Page 10: Why is Security so critical?

Page 11: Security must be integrated into the new SDLC

Application security for the SDLC (improve SDLC policies):

1. Secure Development: continuous feedback on the developer’s desktop at DevOps speed

2. Security Testing: embed scalable security into the development tool chain

3. Continuous Monitoring and Protection: monitor and protect software running in Production
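The audit flow on page 9 (raw results audited into Not an Issue, Noise and False Positive using application context, organizational preference and security expertise) and the "embed scalable security into the tool chain" step above both come down to the same thing in practice: a repeatable triage step whose output decides whether a build may proceed. The following Python is an added example, not part of the deck and not Fortify's result format; the finding records, the path exclusion, the analyst's false-positive list and the gate threshold are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class RawFinding:
    id: str
    category: str
    severity: str            # analyzer's own rating: Critical, High, Medium or Low
    path: str
    reachable: bool = True   # constructed flag: does any execution path reach the sink?
    mitigated: bool = False  # constructed flag: is a mitigation (validator, parameterization) in place?


@dataclass
class AuditedFinding:
    raw: RawFinding
    state: str               # Exploitable, Not an Issue, Noise or False Positive
    reason: str


# Constructed organizational inputs to the audit.
POLICY_EXCLUDED_PREFIXES = ("src/test/",)   # organizational choice: test code is out of scope
ANALYST_FALSE_POSITIVES = {"F-0004"}        # security expertise: reviewed and judged not real
GATE_FAILS_ON = {"Critical", "High"}        # policy: what a build may not ship with


def audit(findings, excluded_prefixes=POLICY_EXCLUDED_PREFIXES,
          false_positives=ANALYST_FALSE_POSITIVES):
    """Turn raw scan results into audited results by applying the page-9 causes in order."""
    audited = []
    for f in findings:
        if f.id in false_positives:
            state, reason = "False Positive", "not a real vulnerability"
        elif f.path.startswith(excluded_prefixes):
            state, reason = "Noise", "policy: path excluded by organizational choice"
        elif not f.reachable:
            state, reason = "Not an Issue", "not reachable: code not reachable"
        elif f.mitigated:
            state, reason = "Not an Issue", "not exploitable: mitigations in place"
        else:
            state, reason = "Exploitable", "confirmed in application context"
        audited.append(AuditedFinding(f, state, reason))
    return audited


def summarize(audited):
    """Counts by audit state, plus severity counts for what remains exploitable."""
    by_state = Counter(a.state for a in audited)
    by_severity = Counter(a.raw.severity for a in audited if a.state == "Exploitable")
    return {"by_state": dict(by_state), "exploitable_by_severity": dict(by_severity)}


def gate_passes(audited, fail_on=GATE_FAILS_ON):
    """Build gate: fail only on audited, still-exploitable findings at the policy severities."""
    return not any(a.state == "Exploitable" and a.raw.severity in fail_on for a in audited)


# Constructed raw scan results; ids, categories and paths are made up for the example.
RAW_SCAN = [
    RawFinding("F-0001", "SQL Injection", "Critical", "src/main/AccountService.java"),
    RawFinding("F-0002", "SQL Injection", "Critical", "src/main/ReportDao.java", mitigated=True),
    RawFinding("F-0003", "Cross-Site Scripting", "High", "src/main/LegacyServlet.java", reachable=False),
    RawFinding("F-0004", "Path Manipulation", "High", "src/main/FileStore.java"),
    RawFinding("F-0005", "Hardcoded Password", "Medium", "src/test/FixtureData.java"),
    RawFinding("F-0006", "Weak Hash", "Low", "src/main/TokenUtil.java"),
]

if __name__ == "__main__":
    result = audit(RAW_SCAN)
    for a in result:
        print(f"{a.raw.id} {a.raw.severity:8} {a.raw.category:22} -> {a.state}: {a.reason}")
    print(summarize(result))
    print("gate passes:", gate_passes(result))
```

Of the six raw findings, two remain exploitable (one Critical, one Low), two are audited Not an Issue, one is policy noise and one is an analyst false positive; the gate fails because of the Critical one and would pass if only the Low finding remained. The ordering of the checks matters: an analyst's verdict and the organization's policy take precedence over the mechanical reachability and mitigation flags, which is the "contextual awareness and expertise" the slide calls for.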

Page 12: DevOps teams recognize the importance of integrating security

Collaborating with security ranked as the most important strategy for DevOps in regulated industries

Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc., 2017


Page 13: Development teams are growing at an 80:1 ratio to security teams

Reference: Micro Focus 2017 Application Security Research Update


Page 14: Security is in the DNA of DevOps

• DevOps institutes a culture of communication and collaboration.

• Specialists work to understand each other’s concerns in order to reduce friction in the SDLC.

• Shift Left describes the effort to move activities and information to the earliest possible point in the lifecycle, increasing the effectiveness of the development process.

• Quality rises as an effect of DevOps. This is also true for Application Security.

Page 15: Understanding the SDLC: some background

Page 16: What is DevOps?

[Diagram of the DevOps tool chain: Source Code Management (Git, TFS), Build Systems (Build Server), Testing (UFT Pro), Provisioning & Deployment (Puppet)]

Page 17: Why DevOps?

[Value-stream diagram: Code -> Unit Test -> Validate -> Security -> Integration -> Functional Testing -> Deploy, with hand-offs between the steps (Email Supervisor, Email Tech Lead, Assign to System Team, Assign to QA, Deliver to Operations); each step is annotated with Time Spent versus Time Wasted, the values shown being 120 min, 15 min, ½ week, 30 min, 2 weeks, 15 min, 2 weeks, 1 week, 45 min, 60 min, 240 min, ½ week and 180 min]

Touch Time: 7 hours 30 mins

Cycle Time: 6+ weeks

Page 18: What is Manual Integration?

▪ Developers work independently on their code in their IDE

▪ They work on their own, and “check in” code to the source control system when they are done – i.e. when the code compiles in their IDE and passes their unit tests

▪ However, they can introduce changes that conflict with one another, and until all changes from multiple branches are merged and compiled, there is no way to know if there are integration issues

▪ Often, merging multiple changes together leads to significant rework to find and fix problems

▪ When errors are fixed and the build is successful, the output is stored in an asset repository

[Diagram: developers Bryan, Susan and Jason each check accountservice.java into the Version Control System; the successful build output goes to the Asset Repository]

Page 19: What is Manual Integration?

▪ The assets in the asset repository are then installed into an environment for testing

▪ This is often a manual process that must account for differences between environments

[Diagram: Bryan, Susan and Jason -> Version Control System -> Asset Repository -> Manual Deployment into each of Development, Quality Assurance, Staging and Production]

Page 20: What is Continuous Integration?

▪ Every time code is checked in, it triggers a build

▪ Every change is integrated into the main code path, or trunk, continuously

▪ Errors are identified and dealt with extremely quickly

[Diagram: Bryan, Susan and Jason -> Version Control System -> CI Server -> Asset Repository; deployment into Development, Quality Assurance, Staging and Production is still manual]

Page 21: What is Continuous Delivery?

[Diagram: Bryan, Susan and Jason -> Version Control System -> CI Server -> Asset Repository -> Delivery Server; Automated Deployment now appears alongside the manual deployments into Development, Quality Assurance, Staging and Production]

Page 22: What is Continuous Deployment?

[Diagram: Bryan, Susan and Jason -> Version Control System -> CI Server -> Asset Repository -> Delivery Server -> Automated Deployment into Development, Quality Assurance, Staging and Production; no manual deployment steps remain]

Page 23: What is Continuous Testing?

[Diagram: as for Continuous Deployment, with a Test Server added next to the CI Server and Delivery Server]

Page 24: What is Continuous Security?

[Chart: cost of a defect (vertical axis) against length of feedback cycle (horizontal axis); the points, in the order extracted:]

▪ Security defects found via IDE plugin

▪ Design or programming defects found via TDD

▪ Programming defects found via CI

▪ Requirement or design defect found via Active Stakeholder Participation

▪ Programming defect found via traditional system test

▪ Design defect found via traditional system test

▪ Requirement defect found via traditional acceptance criteria

▪ Security defect found during periodic application scanning

Page 25: What is Secure DevOps?

Page 26: Where does Security fit in DevOps?

[Diagram placing security activities on the DevOps tool chain: Light Weight Static Code Analysis (Fortify Security Assistant), Static Code Analysis at the Build Server, Dynamic Application Security Testing, Real-time Application Self Protection]

Page 27: Highlight vulnerabilities during coding

[Screenshot callouts from the IDE plugin:]

▪ Level of criticality

▪ Type of vulnerability, explanation and detailed remediation guidance

▪ All issues detected in the project

▪ Vulnerable line of code is highlighted in the developer’s code, with tips for additional information

▪ Fortify menu for additional options

Page 28: Thank you

www.microfocus.com