Interact Differently: Get More from your Tools through Exposed APIs
TRANSCRIPT
Aspect Security | 9175 Guilford Road, Suite 300 | Columbia, MD 21046 | www.aspectsecurity.com
OWASP LASCON, Austin, TX, Nov. 4, 2016
Application security that just works
©2015 Aspect Security. All Rights Reserved 2
ABOUT ME
Kevin Fealey, Principal Consultant & Practice Lead, Automation & Integration Services
Never a “developer”
Key Interests:
• Process efficiency/effectiveness (Sec + Dev + Ops)
• Learning about cool tools
SLIDES WILL BE AVAILABLE…
We may never finish…
https://www.linkedin.com/in/kfealey
http://www.slideshare.net/kfealey
APPLICATION SECURITY LANDSCAPE
None of these tools solve the whole application security problem on their own
Most of these tools provide or are a proprietary dashboard
Most of these tools do not import/export data in a format other tools can easily understand
COMMON PROBLEMS INVOLVING APPSEC TOOLS
FIRST WORLD PROBLEMS
• Manual Testers: I am wasting time searching for things tools can find
• Architects: I need to integrate X tool into my CI/CD pipeline
• Managers/Execs: I have X tools and Y dashboards, and none of them shows what I need
• Everyone: The reports from my tools suck
• Everyone: I have this data, but not in tool X’s format…
AUTOMATE SIMPLE TESTING
• Manual Testers: I am wasting time searching for things tools can find
• Cross-domain configurations vs. policy: CSP, framing, etc.
• HTTPS page accessible via HTTP
• File metadata (ex. Exif data) scanner
• Obviously verbose error messages (ex. ORA-#####)
• PII displayed on screen (ex. SSN, CCs)
• Cookie security flags, cache controls, autocomplete enabled
• Outdated [JavaScript] libraries
• Insecure encryption algorithm/mode detected
• Hard-coded encryption key
• POST=GET
If a tool can find it quickly and with high accuracy, detection should be automated.
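As an added example (not code from the talk or from any of the repositories it links), here is a small passive checker in Python that covers several items from the list above over one constructed captured response; the sample URL, headers, body and the finding wording are all assumptions.

```python
import re
from typing import Dict, List

# Constructed sample capture (not from the talk): one response a manual tester
# might otherwise eyeball, with several of the listed issues present at once.
SAMPLE = {
    "url": "http://app.test/login.jsp",
    "headers": {
        "Set-Cookie": ["JSESSIONID=abc123; Path=/",
                       "prefs=1; Path=/; Secure; HttpOnly"],
        "Cache-Control": "public",
    },
    "body": ('<form method="post"><input type="password" name="password"></form>'
             "<p>Error: ORA-00942: table or view does not exist</p>"
             "<p>SSN on file: 123-45-6789</p>"),
}

ORA_ERROR = re.compile(r"\bORA-\d{5}\b")           # verbose Oracle errors
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")         # SSN-shaped PII on screen
PASSWORD_INPUT = re.compile(r'<input[^>]*type="password"[^>]*>', re.I)


def check_response(url: str, headers: Dict[str, object], body: str) -> List[str]:
    """Run the quick, high-accuracy checks and return one string per finding."""
    findings: List[str] = []
    hdr = {k.lower(): v for k, v in headers.items()}
    if url.lower().startswith("http://"):
        findings.append("page served over plain HTTP")
    for cookie in hdr.get("set-cookie", []):          # cookie security flags
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} missing Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} missing HttpOnly")
    if "content-security-policy" not in hdr and "x-frame-options" not in hdr:
        findings.append("no CSP or X-Frame-Options: framing not restricted")
    pw_fields = PASSWORD_INPUT.findall(body)
    if pw_fields:                                     # cache controls, autocomplete
        if "no-store" not in str(hdr.get("cache-control", "")).lower():
            findings.append("password form without Cache-Control: no-store")
        if any('autocomplete="off"' not in tag.lower() for tag in pw_fields):
            findings.append("password field allows autocomplete")
    if ORA_ERROR.search(body):
        findings.append("verbose Oracle error message in response")
    if SSN.search(body):
        findings.append("SSN-like value displayed on page")
    return findings
```

Each check here is cheap and rarely wrong, which is exactly the class of finding the slide argues should be automated rather than hunted for by hand.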
POST=GET: generally not a good idea; it allows login.jsp?username=hacked&password=whocares
AUTOMATE TOOL EXECUTION
• Architects: I need to integrate X tool into my CI/CD pipeline
• When evaluating tools, consider if there is a CLI/SDK – even if you don’t plan to automate today
• Make integration as fool-proof as possible
CUSTOM DASHBOARDS
• Managers/Execs: I have X tools and Y dashboards, and none of them shows what I need
Most dashboards have:
• Bulky installations
• Non-intuitive UIs
• Lack of flexibility for tracking metrics that matter to you
• Limited support for 3rd party tools
• Results from pen test and SAST don’t go in the same place (unless it’s a huge, ugly spreadsheet)
CUSTOM REPORTS/VIEWS
• Everyone: The reports from my tools suck
• If the dashboard/view you want does not exist, have you tried to create it?
GOTO: <CODE>
CUSTOM TOOL INTEGRATIONS
• Everyone: I have this data, but not in tool X’s format…
GOTO: <CODE>
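The data shuffling behind a custom integration, as an added example standing in for the live demo (not the talk’s code or any of the linked repositories): two constructed scanner exports with different XML shapes are mapped through per-tool XPath profiles onto one common record and emitted as NDJSON; the tool names, schemas and field names are all assumptions.

```python
import json
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed exports (not any real tool's schema): two scanners, two XML shapes.
TOOL_A_XML = """<scan tool="ToolA">
  <issue severity="High"><name>Reflected XSS</name><url>https://app.test/search</url></issue>
  <issue severity="Low"><name>Cookie missing HttpOnly</name><url>https://app.test/</url></issue>
</scan>"""
TOOL_B_XML = """<results>
  <finding><rule>SQL Injection</rule><risk>3</risk>
    <location><file>Login.java</file><line>42</line></location></finding>
</results>"""

RISK_MAP = {"3": "High", "2": "Medium", "1": "Low"}  # ToolB's numeric risk scale
SEVERITY_ORDER = {"High": 0, "Medium": 1, "Low": 2}

# One XPath profile per tool: where the findings live, and how to pull each
# common field out of a single finding element.
PROFILES = {
    "ToolA": {
        "items": ".//issue",
        "title": lambda el: el.findtext("name"),
        "where": lambda el: el.findtext("url"),
        "severity": lambda el: el.get("severity"),
    },
    "ToolB": {
        "items": ".//finding",
        "title": lambda el: el.findtext("rule"),
        "where": lambda el: f"{el.findtext('location/file')}:{el.findtext('location/line')}",
        "severity": lambda el: RISK_MAP.get(el.findtext("risk"), "Unknown"),
    },
}


def normalize(tool: str, xml_text: str) -> List[Dict[str, str]]:
    """Map one tool's export onto the common record shape via its XPath profile."""
    profile = PROFILES[tool]
    root = ET.fromstring(xml_text)
    return [{"tool": tool, "title": profile["title"](el), "where": profile["where"](el),
             "severity": profile["severity"](el)} for el in root.findall(profile["items"])]


def merge(*sources) -> List[Dict[str, str]]:
    """Combine several (tool, xml) exports into one list, worst severity first."""
    records = [r for tool, xml in sources for r in normalize(tool, xml)]
    return sorted(records, key=lambda r: SEVERITY_ORDER.get(r["severity"], 9))


def to_ndjson(records: List[Dict[str, str]]) -> str:
    """One JSON object per line, the shape log shippers (e.g. into ELK) ingest."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)
```

Adding a third tool means adding a third profile, not a third parser, which is the point of keeping the XPath mapping separate from the record shape.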
I’M ON BOARD… HOW DO I BEGIN?
GETTING STARTED
Have an idea
• Doesn’t have to be a good idea
Clone an existing plugin/configuration
• Use existing parsers
Use:
• Vendor documentation
• Mailing lists
• Dev forums
• Blog posts
KEY TAKEAWAYS
You have the power to solve your own problems
• It’s probably easier than you think
Don’t start from scratch
XPath is beastmode
Contribute your stuff to GitHub so I can use it
CODE FROM TODAY
https://github.com/aspectsecurity/ImageLocationScanner
https://github.com/kevinfealey/PMDRuleForLASCON2016
https://github.com/kevinfealey/PMDCodeExampleForLASCON2016
https://github.com/jenkinsci/ibm-security-appscansource-scanner-plugin
https://github.com/kevinfealey/ELK-for-AppSec
https://github.com/kevinfealey/vagrant-ELK-stack
https://github.com/kevinfealey/XSLT_AppScan_Standard_Report
https://github.com/kevinfealey/Burp_Custom_Site_Exporter