jeff williams, ceo - owasp · 2020. 1. 17. · static analysis and code review are about to get a...
Page 1
Jeff Williams, CEO
OWASP AppSec DC
April 4, 2012
Page 2
How do we find vulns?
• Static Analysis
• Manual Code Analysis
• Dynamic Analysis
• Manual Testing
• Threat Modeling
• Architecture Review
Page 3
Portfolio Assurance Strategies: Manual, Scan, Spend, Pray
Page 4
Scanning and pentesting are about to get a LOT harder.
• Ajax
• Web Services
• Serialized Objects
• Mobile
• WebSocket
GWT-RPC message*:
5|0|8|http://tester:8888/testapp/|9E4CB3D5635C548906BFB576DD18C710|com.test.app.client.GreetingService|greetServer|[Ljava.lang.String;/2600011424|hi|there|blah|1|2|3|4|1|5|5|3|6|7|8|%26ping%20-n%2020%20127.0.0.1%26
* GWT message courtesy GDS
Page 5
Static analysis and code review are about to get a LOT harder.
• Lines of Code
• Libraries and Frameworks
• AOP
• Custom Controls
• DevOps
Page 6
We can do better.
Page 7
We have to do better.
Page 8
What does a vuln look like?
[diagram; only the label “DB” survived extraction]
Page 9
Untrusted Input → Source → Propagator → Control (Validator) → Propagator → Propagator → Control (Encoder) → Trigger
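The chain on this slide is the shape an IAST agent looks for: untrusted data enters at a Source, is carried along by Propagators, may be neutralised by a Control (a Validator or an Encoder), and is only a vulnerability if it is still tainted when it reaches a Trigger. The following is an added, self-contained Python model of that chain, not code from the talk or from any IAST product; the class and function names (`Tainted`, `trace_flow`, the Java-style location strings) are illustrative assumptions, and the sample inputs are constructed.

```python
# Added example (not from the slides): a minimal taint-tracking model of the
# Source -> Propagator -> Control -> Trigger chain. Each value carries a
# "trace" of the events an IAST agent would record on its way through the app.
# All names and the Java-style location strings are illustrative assumptions.
import html
import re
from dataclasses import dataclass, field


@dataclass
class Tainted:
    """A string value plus its taint state and the events it has passed through."""
    value: str
    tainted: bool = True
    trace: list = field(default_factory=list)

    def event(self, kind, where):
        self.trace.append((kind, where))
        return self


def source(raw: str, where: str) -> Tainted:
    """Source: untrusted input enters the application (e.g. a request parameter)."""
    return Tainted(raw).event("source", where)


def propagate(t: Tainted, fn, where: str) -> Tainted:
    """Propagator: string operations (trim, concat, substring...) keep the taint."""
    return Tainted(fn(t.value), t.tainted, list(t.trace)).event("propagator", where)


def validator(t: Tainted, pattern: str, where: str) -> Tainted:
    """Control (Validator): taint is cleared only if the whole value matches the whitelist.
    A value that fails the check stays tainted, so the agent can show a validator
    on the path that did not actually neutralise the data."""
    ok = re.fullmatch(pattern, t.value) is not None
    return Tainted(t.value, t.tainted and not ok, list(t.trace)).event(
        "validator:" + ("pass" if ok else "fail"), where)


def html_encoder(t: Tainted, where: str) -> Tainted:
    """Control (Encoder): HTML entity encoding makes the value safe for an HTML context."""
    return Tainted(html.escape(t.value, quote=True), False, list(t.trace)).event("encoder", where)


def trigger(t: Tainted, sink: str, where: str) -> dict:
    """Trigger: a dangerous call. Tainted data reaching it is reported as a finding."""
    t.event("trigger:" + sink, where)
    return {"sink": sink, "vulnerable": t.tainted, "value": t.value, "trace": t.trace}


def trace_flow(user_input: str, validate: bool, encode: bool) -> dict:
    """Push one request's data through a servlet-like flow and return the finding.
    The flags choose whether the Validator and Encoder controls are on the path."""
    t = source(user_input, "HttpServletRequest.getParameter('name')")
    t = propagate(t, str.strip, "String.trim")
    if validate:
        t = validator(t, r"[A-Za-z ]{1,40}", "NameValidator.isValid")
    t = propagate(t, lambda v: "Hello, " + v, "StringBuilder.append")
    t = propagate(t, lambda v: v + "!", "StringBuilder.append")
    if encode:
        t = html_encoder(t, "Encoder.forHtml")
    return trigger(t, "PrintWriter.print", "GreetingServlet.doGet")


if __name__ == "__main__":
    for kind, where in trace_flow("<script>alert(1)</script>", False, False)["trace"]:
        print(f"{kind:24} {where}")
```

Running the module prints the trace for the unprotected path (source, two propagators, trigger). The same input with `encode=True` reaches the writer already escaped and is not reported, and a value that passes the whitelist validator is likewise cleared; a value that fails it stays tainted, which is exactly the case a trace is most useful for.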
Page 10
Problems
• Manual pentesting and DAST can’t see in
• SAST and code review can’t see out
• No way to map code to HTTP
Page 11
Reimagining the pentest.
Page 12
“Manual” IAST
Application Tests: “Test for XSS…” is sent to the application, “…HTML” comes back
Security Intel (events from the instrumented app): Parameter use, Session update, Dangerous call
Page 13
https://www.aspectsecurity.com/spyfilter/
Another free and open tool!
Page 14
Spy Filter
• Wrapped request, response, session, writers, outputstream
• All access to wrappers generates events
• Adding &spy to any visited URL gets the trace!
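To make the SpyFilter mechanism concrete, here is an added Python/WSGI analogue of the servlet-filter design described on this slide. It is not SpyFilter's own code: a middleware wraps the request, session and response objects in recording proxies, every call on a wrapper appends an event, and a request that carries an extra `spy` query parameter gets the event trace appended to its normal response. The `Recorder`, `Request`, `Session` and `Response` classes and the `greeting_app` under test are constructed for the example.

```python
# Added example (not SpyFilter's own code): a WSGI middleware that wraps the
# request, session and response in proxies that record every access, and
# appends the recorded trace when the URL carries "&spy". Names are illustrative.
import html
from urllib.parse import parse_qs


class Recorder:
    """Proxy that logs every attribute or method access on the wrapped object."""

    def __init__(self, target, name, events):
        object.__setattr__(self, "_target", target)
        object.__setattr__(self, "_name", name)
        object.__setattr__(self, "_events", events)

    def __getattr__(self, attr):
        real = getattr(self._target, attr)
        if not callable(real):               # plain attribute (e.g. request.session)
            self._events.append(f"{self._name}.{attr}")
            return real

        def spied(*args, **kwargs):          # method call: record name and arguments
            self._events.append(f"{self._name}.{attr}({', '.join(repr(a) for a in args)})")
            return real(*args, **kwargs)
        return spied


class Session(dict):
    """Minimal session store; explicit methods so the proxy can observe access."""

    def set(self, key, value):
        self[key] = value

    def get_value(self, key):
        return self.get(key)


class Request:
    """Minimal request: parsed query parameters plus a session."""

    def __init__(self, environ):
        # keep_blank_values so a bare "&spy" (no value) is retained
        self.params = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
        self.session = Session()

    def get_parameter(self, name):
        values = self.params.get(name)
        return values[0] if values else None


class Response:
    """Minimal response writer collecting the body."""

    def __init__(self):
        self.chunks = []

    def write(self, text):
        self.chunks.append(text)

    def body(self):
        return "".join(self.chunks)


def greeting_app(request, response):
    """Tiny application under test: reads a parameter, updates the session, writes HTML."""
    name = request.get_parameter("name") or "world"
    request.session.set("last_name", name)
    response.write("<html><body>Hello, " + html.escape(name) + "</body></html>")


def spy_filter(app):
    """Wrap a (request, response) application as a WSGI app with the spy behaviour."""
    def filtered(environ, start_response):
        events = []
        req = Request(environ)
        req.session = Recorder(req.session, "session", events)   # wrapped session
        resp = Response()
        app(Recorder(req, "request", events), Recorder(resp, "response", events))
        body = resp.body()
        if "spy" in req.params:                                   # "&spy" on the URL
            body += "\n<!-- spy trace -->\n" + "\n".join(events)
        data = body.encode()
        start_response("200 OK", [("Content-Type", "text/html"),
                                  ("Content-Length", str(len(data)))])
        return [data]
    return filtered


def call(app, query_string):
    """Invoke a WSGI app offline with a constructed GET request; returns (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
    body = b"".join(app({"REQUEST_METHOD": "GET", "QUERY_STRING": query_string},
                        start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    print(call(spy_filter(greeting_app), "name=Alice&spy")[1])
```

The trace for `name=Alice&spy` lists the parameter read, the session access and update, and the final `response.write(...)` call, which is the "parameter use, session update, dangerous call" intel the previous slide asks for. Only methods reached through the proxy are seen, so an application that keeps a raw reference to the underlying object escapes observation; that is the same blind spot a wrapper-based servlet filter has, and one reason the later slides move to bytecode instrumentation.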
Page 15
Better scanning.
Page 16
“Basic” IAST
Application Tests: “Test for SQLi…” is sent to the application, “…HTML” comes back
Results (from the instrumented app): Queries, Exceptions, Logs…
Page 17
HP WebInspect SecurityScope
IBM GlassBox
Acunetix
Page 18
1. Improve DAST Coverage
2. Validate DAST Vulnerabilities
3. Correlate with Code for DAST Findings
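Points 2 and 3 are what "basic" IAST adds over a plain scanner: the agent inside the application reports the queries, exceptions and code locations observed while a scanner test runs, so a finding can be confirmed (the probe really reached a query) and tied to a line of code. The following is an added Python illustration of that loop, not code from the talk or from any of the products named above. The scanner side is reduced to a single constructed SQL injection probe, the `Agent` records calls through an in-process SQLite connection, and the two `find_user_*` handlers (one concatenating, one parameterised) are constructed so both outcomes can be seen.

```python
# Added example (not from the slides): "basic IAST" correlation of a scanner probe
# with what the instrumented application actually executed. An Agent records each
# SQL statement, the calling code location and any database exception; scan()
# then checks whether the probe reached a query verbatim. All names are illustrative.
import sqlite3
import traceback

PROBE = "' OR '1'='1"  # constructed scanner test value, the classic SQLi tautology


class Agent:
    """Collects the app-side evidence (queries, exceptions, code locations) for one test."""

    def __init__(self):
        self.queries = []      # (sql, params, code_location)
        self.exceptions = []   # (exception type, message, code_location)

    def execute(self, conn, sql, params=()):
        # extract_stack(limit=2) -> [caller frame, this frame]; the caller is app code
        frame = traceback.extract_stack(limit=2)[0]
        where = f"{frame.name}:{frame.lineno}"
        self.queries.append((sql, tuple(params), where))
        try:
            return conn.execute(sql, params).fetchall()
        except sqlite3.Error as exc:
            self.exceptions.append((type(exc).__name__, str(exc), where))
            raise


def find_user_concat(agent, conn, name):
    """Vulnerable handler: the untrusted name is concatenated into the SQL text
    (kept deliberately so the scan below has a true positive to confirm)."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return agent.execute(conn, sql)


def find_user_param(agent, conn, name):
    """Hardened handler: a bound parameter, so the value never becomes SQL text."""
    return agent.execute(conn, "SELECT id, name FROM users WHERE name = ?", (name,))


def scan(handler):
    """Run one scanner test against a handler and validate it with the agent's evidence."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    agent = Agent()
    try:
        rows = handler(agent, conn, PROBE)   # the "DAST" request with the probe value
    except sqlite3.Error:
        rows = None                          # a syntax error is evidence too (see exceptions)
    # "IAST" validation: did the probe text end up inside an executed statement?
    hits = [(sql, where) for sql, _, where in agent.queries if PROBE in sql]
    return {
        "rows_returned": None if rows is None else len(rows),
        "confirmed": bool(hits),                       # validate the DAST vulnerability
        "code_location": hits[0][1] if hits else None,  # correlate the finding with code
        "exceptions": agent.exceptions,
    }


if __name__ == "__main__":
    print("concat :", scan(find_user_concat))
    print("param  :", scan(find_user_param))
```

Against `find_user_concat` the probe appears verbatim in the executed statement, the query returns every row, and the finding is reported with the function and line that built the query; against `find_user_param` the same request returns nothing, raises nothing and shows no probe text in any statement, so a scanner that flagged it on response differences alone would be contradicted by the agent. A production agent would sit on the driver rather than require the app to call `agent.execute`, which is the difference between "add calls to source code" and the instrumentation approaches listed later in the deck.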
Page 19
Architecture review?
Page 20
“Advanced” IAST
Basic IAST plus:
• All libraries used
• Exact SLOC count
• Backend connections
• System configuration
• Security controls
• Directory structure
• Entry points
Page 21
• Add calls to source code
• Use Aspect-oriented programming
• Modify class files on disk
• Modify bytecode of running application with “Instrumentation API”
Page 22
The Future!
Page 23
“Pure” IAST
[diagram; only the label “DB” survived extraction]
Detailed IAST plus:
• No SAST/DAST
• Powerful rule engine
• Easy install
• Data flow analysis
• Continuous security
• Leverage QA testers
Aspect “Contrast” in private beta
Page 24
Continuous Security!
Page 25
No More Reports
In the future, security reports are replaced by realtime dashboards with IAST results!
Security Alert!
Page 26
The Future of IAST
Automatic:
• Portfolio (prioritized)
• Libraries (analyzed)
• Architecture (summary)
• Vulnerabilities (traced)
GOAL: continuous testing with an enterprise ruleset!
[diagram label: Instrumented Enterprise]
Page 27
Page 28
NSA Center for Assured Software
• Seven tools
• 13,801 Test Cases
• 527 flaw types
• Various data and control flows
• 85% of problems were not “discriminated” by ANY tools
http://www.appsecusa.org/p/nsacas.pdf
[chart: “No Tools” 85%]
Page 29
Results with False Alarms