interact differently: get more from your tools through exposed apis

Aspect Security | 9175 Guilford Road, Suite 300 | Columbia, MD 21046 | www.aspectsecurity.com

Interact Differently:Get More from your Tools through Exposed APIs OWASP LASCON

Austin, TXNov. 4, 2016

Application security that just works

©2015 Aspect Security. All Rights Reserved 2

ABOUT ME

Kevin FealeyPrincipal Consultant & Practice Lead,

Automation & Integration ServicesNever a “developer”

Key Interests:• Process efficiency/effectiveness (Sec + Dev + Ops)• Learning about cool tools



SLIDES WILL BE AVAILABLE…

We may never finish…

https://www.linkedin.com/in/kfealey

http://www.slideshare.net/kfealey



APPLICATION SECURITY LANDSCAPE



APPLICATION SECURITY LANDSCAPE

None of these tools solve the whole application security problem on their own

Most of these tools provide or are a proprietary dashboard

Most of these tools do not import/export data in a format other tools can easily understand


COMMON PROBLEMS INVOLVING APPSEC TOOLS



FIRST WORLD PROBLEMS

• I am wasting time searching for things tools can findManual Testers

• I need to integrate X tool into my CI/CD pipeline Architects

• I have X tools and Y dashboards, and none of them shows what I need Managers/Execs

• The reports from my tools suck• I have this data, but not in tool X’s format…Everyone



AUTOMATE SIMPLE TESTING


Cross-domain configurations vs policy: CSP, Framing, etc.HTTPS page accessible via HTTPFile metadata (ex. Exif data) scannerObviously verbose error messages (ex. ORA-#####)PII Displayed on Screen (ex. SSN, CCs)Cookie security flags, cache controls, autocomplete enabledOutdated [JavaScript] librariesInsecure encryption algorithm/mode detectedHard-Coded encryption keyPOST=GET





Kevin Fealey

Update image to show map from Geolocation





If a tool can find it quickly and with high accuracy, detection should be automated.





Generally not a good ideaAllows login.jsp?username=hacked&password=whocares



AUTOMATE TOOL EXECUTION

• I need to integrate X tool into my CI/CD pipeline Architects

• When evaluating tools, consider if there is a CLI/SDK – even if you don’t plan to automate today

• Make integration as fool-proof as possible

or



CUSTOM DASHBOARDS


Bulky installations

Non-intuitive UIs

Lack of flexibility for tracking metrics that matter to you

Limited support for 3rd party tools

Results from pen test and SAST don’t go in the same place• Unless it’s a huge, ugly, spreadsheet

Most dashboards have:



CUSTOM DASHBOARDS




CUSTOM REPORTS/VIEWS

• The reports from my tools suckEveryone

• If the dashboard/view you want does not exist, have you tried to create it?


GOTO: <CODE>



CUSTOM REPORTS/VIEWS

• The reports from my tools suckEveryone

• If the dashboard/view you want does not exist, have you tried to create it?



CUSTOM TOOL INTEGRATIONS

• I have this data, but not in tool X’s format…Everyone


GOTO: <CODE>


I’M ON BOARD.. HOW DO I BEGIN?



GETTING STARTED

• Doesn’t have to be a good idea

Have an idea

• Use existing Parsers

Clone an existing plugin/configuration

• Vendor documentation• Mailing lists• Dev forums• Blog posts

Use



KEY TAKEAWAYS

You have the power to solve your own problems• It’s probably easier than you think

Don’t start from scratch

XPath is beastmode

Contribute your stuff to GitHub so I can use it



CODE FROM TODAY

https://github.com/aspectsecurity/ImageLocationScanner

https://github.com/kevinfealey/PMDRuleForLASCON2016

https://github.com/kevinfealey/PMDCodeExampleForLASCON2016

https://github.com/jenkinsci/ibm-security-appscansource-scanner-plugin

https://github.com/kevinfealey/ELK-for-AppSec

https://github.com/kevinfealey/vagrant-ELK-stack

https://github.com/kevinfealey/XSLT_AppScan_Standard_Report

https://github.com/kevinfealey/Burp_Custom_Site_Exporter

interact differently: get more from your tools through exposed apis

Technology