Application Security SAST & DAST in the Secure SDLC · 2020. 7. 23. · Paul Kitor, Fortify Solution Architect

Transcript
  • Application Security SAST & DAST in the Secure SDLC. Paul Kitor, Fortify Solution Architect

  • Static Application Security Testing (SAST)


    Inspect the source code: taint, trace, analyze, report

    “White box testing”: full visibility into the code

    Method-level tests: look at execution paths

    Inside-out

    (Diagram: user input traced through XML, Java, T-SQL and JSP source to a SQL Injection result)

  • Static Application Security Testing (SAST): SQL Injection

    (Diagram: source of attack, source of problem, source of data)

  • Static Application Security Testing (SAST): SQL Injection

    Parameterized path: Untrusted Input Source, Execution Path, Parameterization, Sensitive Sink

    Unparameterized path: Untrusted Input Source, Execution Path, Sensitive Sink

    Input: ' or 'a'='a

    Query template: where name="{0}";

    Parameterized result (the whole input stays one literal): where name="'' or 'a'='a";

    Unparameterized result (the input changes the query): where name='' or 'a'='a';

    Vulnerable construction: select * from user where name=' + param + ';
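To make the source, execution path and sensitive sink model on the slide concrete, here is a toy static taint tracer added to this transcript. It is not Fortify's analyzer and not code from the presentation; it walks a Python AST with a hypothetical rule set in which `request.args.get(...)` and `input()` are untrusted sources, the first argument of `cursor.execute(...)` is the sink, and taint propagates through assignment, concatenation, f-strings and `.format()`. A value that reaches `execute()` only as a bind parameter is treated as parameterized and is not reported, which is exactly the difference between the two paths drawn above. The sample it scans is constructed for the example.

```python
import ast

# Hypothetical source/sink model for this toy tracer (constructed for the
# example, not Fortify's rule set): where untrusted data enters, where it
# must not flow.
SOURCE_CALLS = {"input"}        # bare calls such as input()
SOURCE_METHODS = {"get"}        # attribute calls such as request.args.get("name")
SINK_METHODS = {"execute"}      # cursor.execute(sql_text, params)


class TaintTracer(ast.NodeVisitor):
    """Flags SQL text that is built from an untrusted source and reaches a sink.

    Only the first argument of execute() is the sensitive sink: values passed
    as bind parameters (the second argument) are parameterized and therefore
    not reported.
    """

    def __init__(self):
        self.tainted = {}       # variable name -> line where its taint originated
        self.findings = []      # (sink line, source line)

    def taint_of(self, node):
        """Return the source line feeding `node`, or None if it is untainted."""
        if isinstance(node, ast.Name):
            return self.tainted.get(node.id)
        if isinstance(node, ast.Call):
            fn = node.func
            if isinstance(fn, ast.Name) and fn.id in SOURCE_CALLS:
                return node.lineno
            if isinstance(fn, ast.Attribute):
                if fn.attr in SOURCE_METHODS:
                    return node.lineno
                # e.g. "...{}".format(name) or name.strip(): receiver carries taint
                t = self.taint_of(fn.value)
                if t:
                    return t
            for arg in node.args:   # e.g. "...{}".format(name): argument carries taint
                t = self.taint_of(arg)
                if t:
                    return t
            return None
        if isinstance(node, ast.BinOp):        # "..." + name + "..."
            return self.taint_of(node.left) or self.taint_of(node.right)
        if isinstance(node, ast.JoinedStr):    # f"... {name} ..."
            for part in node.values:
                if isinstance(part, ast.FormattedValue):
                    t = self.taint_of(part.value)
                    if t:
                        return t
        return None

    def visit_FunctionDef(self, node):
        self.tainted = {}       # each function is traced on its own
        self.generic_visit(node)

    def visit_Assign(self, node):
        t = self.taint_of(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if t:
                    self.tainted[target.id] = t            # taint propagates
                else:
                    self.tainted.pop(target.id, None)      # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        fn = node.func
        if isinstance(fn, ast.Attribute) and fn.attr in SINK_METHODS and node.args:
            t = self.taint_of(node.args[0])   # only the SQL text is the sink
            if t:
                self.findings.append((node.lineno, t))
        self.generic_visit(node)


def scan(source_text):
    """Run the tracer over Python source and return (sink line, source line) pairs."""
    tracer = TaintTracer()
    tracer.visit(ast.parse(source_text))
    return tracer.findings


# Constructed sample under test: the same query built two ways.
SAMPLE = '''
def find_user_vulnerable(request, cursor):
    name = request.args.get("name")
    sql = "select * from user where name='" + name + "'"
    cursor.execute(sql)

def find_user_parameterized(request, cursor):
    name = request.args.get("name")
    cursor.execute("select * from user where name=?", (name,))
'''

if __name__ == "__main__":
    for sink_line, source_line in scan(SAMPLE):
        print(f"SQL Injection: untrusted data from line {source_line} "
              f"reaches execute() at line {sink_line}")
```

On the sample, the tracer reports one finding: the source on line 3 reaches the sink on line 5 of `find_user_vulnerable`, while the parameterized function produces none. Fortify's analyzer does the same job across many languages with interprocedural flow and a far larger rule set; the point here is only the shape of a taint trace.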

  • Dynamic Application Security Testing (DAST)


    Inspect the application while it is running: discover, attack, observe, exploit

    “Black Box Testing”: no assumptions about implementation

    System-level tests: look at the system as a whole

    Outside-in: emulate an attacker

    (Diagram: the tester sends the request parameter '%20or%201=1-- to the web server and observes the response)

  • Dynamic Application Security Testing (DAST): SQL Injection

    (Diagram: source of attack, source of problem, source of data)
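The SAST and DAST slides show the same injection from opposite directions: SAST sees the concatenated query and the input `' or 'a'='a`; DAST sends `'%20or%201=1--` at the running web server and watches the response. The example below is added here (it is not code from the presentation) and runs both inputs through a constructed in-memory SQLite table using Python's `sqlite3`, once with the slide's concatenated query and once with a parameterized query (the `?` placeholder of Python's DB-API), so the difference in behaviour can be observed directly.

```python
import sqlite3
from urllib.parse import unquote


def make_db():
    """Constructed demo data (not from any real system): a small `user` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (id integer primary key, name text, role text)")
    conn.executemany("insert into user (name, role) values (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_vulnerable(conn, param):
    """The construction shown on the slide: query text built by concatenation,
    so the input is parsed as part of the SQL grammar."""
    sql = "select name from user where name='" + param + "';"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, param):
    """The parameterized path: the SQL grammar is fixed before the value is
    bound, so quotes inside the input stay data."""
    return [row[0] for row in conn.execute("select name from user where name=?", (param,))]


SAST_INPUT = "' or 'a'='a"             # the input on the SAST slide
DAST_REQUEST_PARAM = "'%20or%201=1--"  # the URL-encoded request parameter on the DAST slide


def decoded_dast_input():
    """The web server URL-decodes the parameter before the application sees it."""
    return unquote(DAST_REQUEST_PARAM)


if __name__ == "__main__":
    conn = make_db()
    print("normal lookup, concatenated:   ", lookup_vulnerable(conn, "bob"))
    print("SAST input, concatenated:      ", lookup_vulnerable(conn, SAST_INPUT))
    print("DAST input, concatenated:      ", lookup_vulnerable(conn, decoded_dast_input()))
    print("SAST input, parameterized:     ", lookup_parameterized(conn, SAST_INPUT))
    print("normal lookup, parameterized:  ", lookup_parameterized(conn, "bob"))
```

Run stand-alone it prints the complete user list for both inputs on the concatenated query (the `--` in the DAST input comments out the rest of the statement) and an empty result on the parameterized one. That change in behaviour is what an auditor looks for when confirming a SAST finding as exploitable, and what a DAST scanner observes from the outside.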

  • Issues you don’t care about

    Raw scan results (possible vulnerabilities) are audited, using application context, organizational preference and security expertise, into audited scan results: Critical, High, Medium, Low or Not an Issue.

    Causes of “Not an Issue”:

    ▪ Not Exploitable: mitigations in place

    ▪ Not Reachable: code not reachable

    ▪ Noise: scan configuration

    ▪ Policy: organizational choice

    ▪ False Positive: not a real vulnerability

    Contextual awareness and expertise are required to validate findings

  • Why is Security so critical?

  • Security must be integrated into the new SDLC

    Application security for the SDLC: improve SDLC policies

    1. Secure Development: continuous feedback on the developer’s desktop at DevOps speed

    2. Security Testing: embed scalable security into the development tool chain

    3. Continuous Monitoring and Protection: monitor and protect software running in production

  • DevOps teams recognize the importance of integrating security

    Collaborating with security ranked as the most important strategy for DevOps in regulated industries

    Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc., 2017

  • Development teams are growing at an 80:1 ratio to security teams

    Reference: Micro Focus 2017 Application Security Research Update

  • Security is in the DNA of DevOps

    • DevOps institutes a culture of communication and collaboration.

    • Specialists work to understand each other’s concerns in order to reduce friction in the SDLC.

    • Shift Left describes the effort to move activities and information to the earliest possible point in the lifecycle, increasing the effectiveness of the development process.

    • Quality rises as an effect of DevOps. This is also true for Application Security.

  • Understanding the SDLC: some background

  • What is DevOps?

    (Diagram of the DevOps toolchain: Source Code Management (Git, TFS), Build Systems (build server), Testing (UFT Pro), Provisioning & Deployment (Puppet))

  • Why DevOps?

    (Value-stream diagram of time spent versus time wasted. Steps: Code, Unit Test, Validate, Security, Integration, Functional Testing, Deploy. Hand-offs between them: Email Supervisor, Email Tech Lead, Assign to System Team, Assign to QA, Deliver to Operations. Durations shown on the slide: 120 min, 15 min, ½ week, 30 min, 2 weeks, 15 min, 2 weeks, 1 week, 45 min, 60 min, 240 min, ½ week, 180 min.)

    Touch Time: 7 hours 30 mins

    Cycle Time: 6+ weeks

  • What is Manual Integration?


    ▪ Developers work independently on their code in their IDE

    ▪ They work on their own, and “check in” code to the source control system when they are done – i.e. when the code compiles in their IDE and passes their unit tests

    ▪ However, they can introduce changes that conflict with one another, and until all changes from multiple branches are merged and compiled, there is no way to know if there are integration issues

    ▪ Often, merging multiple changes together leads to significant rework to find and fix problems

    ▪ When errors are fixed and the build is successful, the output is stored in an asset repository

    (Diagram: Bryan, Susan and Jason each work on accountservice.java and check in to the Version Control System; the build output goes to the Asset Repository)

  • What is Manual Integration?

    ▪ The assets in the asset repository are then installed into an environment for testing

    ▪ This is often a manual process that must account for differences between environments

    (Diagram: Version Control System and Asset Repository, with manual deployment into Development, Quality Assurance, Staging and Production)

  • What is Continuous Integration?

    ▪ Every time code is checked in, it triggers a build

    ▪ Every change is integrated into the main code path, or trunk, continuously

    ▪ Errors are identified and dealt with extremely quickly

    (Diagram: Bryan, Susan and Jason check in to the Version Control System; a CI Server builds into the Asset Repository, followed by manual deployment into Development, Quality Assurance, Staging and Production)

  • What is Continuous Delivery?

    (Diagram: a Delivery Server is added beside the CI Server and performs automated deployment from the Asset Repository into Development, Quality Assurance, Staging and Production; the manual deployment steps are still shown)

  • What is Continuous Deployment?

    (Diagram: the same pipeline with CI Server and Delivery Server; deployment into Development, Quality Assurance, Staging and Production is automated and the manual deployment steps are gone)

  • What is Continuous Testing?

    (Diagram: a Test Server is added to the CI Server and Delivery Server pipeline across Development, Quality Assurance, Staging and Production)

  • What is Continuous Security?

    (Chart: cost of a defect against the length of the feedback cycle; labelled points, in the order shown:)

    ▪ Security defects found via IDE plugin

    ▪ Design or programming defects found via TDD

    ▪ Programming defects found via CI

    ▪ Requirement or design defect found via active stakeholder participation

    ▪ Programming defect found via traditional system test

    ▪ Design defect found via traditional system test

    ▪ Requirement defect found via traditional acceptance criteria

    ▪ Security defect found during periodic application scanning

  • What is Secure DevOps?

  • Where does Security fit in DevOps?

    (Diagram of the DevOps pipeline with its security touchpoints: Fortify Security Assistant providing lightweight static code analysis at the developer’s desktop, Static Code Analysis at the build server, Dynamic Application Security Testing, and Real-time Application Self-Protection)

  • Highlight vulnerabilities during coding

    (Annotated screenshot of the IDE plugin:)

    ▪ Level of criticality

    ▪ Type of vulnerability, explanation and detailed remediation guidance

    ▪ All issues detected in the project

    ▪ The vulnerable line of code is highlighted as the developer codes, with tips for additional information

    ▪ Fortify menu for additional options

  • Thank you. www.microfocus.com