prep work exercises - carahsoft...how do i fix sql injection? input validation –yes detect...

Prep Work Exercises

▪ Open Your VM c:\VM Images\2017\windows 10 x64 (2).vmx

▪ UID: Admin

▪ PWD: P@ssword1

▪ Check Access to http://6.94.185.35.bc.googleusercontent.com:8080/ssc/#/

▪ UID: Admin

▪ PWD: Fortify@01

▪ Command Line Scan – open a dos prompt

▪ cd c:\share\Trainer Material\Code\Java\riches_java_src

▪ sourceanalyzer -b riches-class –clean

▪ sourceanalyzer -b riches-class -sql-language PL/SQL -source 1.6 -cp ./WEB-INF/lib/*.jar;./lib/*.jar ./**/*java ./**/*jsp ./**/*sql ./**/*xml ./**/*js./**/*html

▪ sourceanalyzer -b riches-class -source 1.6 -Xmx3200M -64 –scan –f richesresults.fpr

http://6.94.185.35.bc.googleusercontent.com:8080/ssc/#/

Application SecurityFortify-On-Demand | Application Defender | Fortify | WebInspect

Sameer Kamani

Security Solutions Architect

[email protected]

Jeffrey Hsiao

Security Solutions Architect

[email protected]

Agenda

▪ Prep Work Exercises

▪ Introductions

▪ Application Security Overview

▪ Fortify SCA Overview and Exercises

▪ Fortify SSC Overview and Exercises

▪ DevOps and Solution Architecture

▪ Putting It All Together – Team Exercise

▪ Wrap-Up

Introductions

▪ Name and organization

▪ Role and duties

▪ Secure coding background

LaptopsPrinters

EnterpriseServices

ServersNetworkStorage

HPE Software is now Micro Focus!

EnterpriseSoftware

The Software Security Problem

1 2 3 4 5 6 7 8

Existing network and perimeter based security is insufficient

84% of breaches exploit vulnerabilities in the application layerYet the ratio of spending between perimeter security and application security is 23-to-1

- Gartner Maverick Research: Stop Protecting Your Apps; It’s Time for Apps to Protect Themselves (2014)

Vulnerabilities in SoftwareWhat is a software or application vulnerability?

A vulnerability is a hole or a weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application.

So How Bad Can It Be?

Vulnerabilities in SoftwareOWASP

▪ The Open Web Application Security Project is a worldwide free and open community focused on improving the security of application software.

www.owasp.org

▪ This community routinely publishes a list of the top-10 application security vulnerabilities.

▪ New list published in 2017.

▪ Previous list was published in 2013.

http://www.owasp.org/

OWASP Top 10As of 2017, OWASP lists the following top-10 categories:

1) Injection2) Broken Authentication3) Sensitive Data Exposure4) XML External Entities (XXE) 5) Broken Access Control 6) Security Misconfiguration7) Cross-Site Scripting (XSS)8) Insecure Deserialization 9) Using Components with Known Vulnerabilities10) Insufficient Logging & Monitoring

OWASP A1 – Injection Flaws

• Multiple Types of Vulnerabilities

• SQL Injection

• LDAP Injection

• XPath Injection

• XSLT Injection

• HTML Injection

• OS Command Injection

• Basic Definition: Interpreters execute unintended commands on a server

OWASP A1 – Injection Flaws

• SQL Injection – The Worst of the Worst

• Has been on the top of the OWASP Top 10 since the beginning

• The favorite vulnerability of Anonymous, LulzSec, and Black Hats

• Pretty easy to detect and exploit

• Easy access to your data

• What is it?

• Data from an untrusted source is mixed into a SQL query allowing an attacker to change the query.

Injection AttackGeneral Algorithm

1. Generate dynamic string to be used by an interpreter

– Append raw data to string

– Raw data is unexpected

2. Pass string to interpreter to be executed

3. Interpreter performs some other operation as a result of unexpected data

SQL Injection AttackConceptual Example and Flow

1. dynamic query against a SQL database such as:

Select * from USERS where name = ‘+userName+’

2. User sets userName = x'; drop table members; --

3. SQL database query has now changed meaning:

Select * from USERS where name = ‘x'; drop table members; --’

4. Database will now delete the members table instead of querying user table

Perform a

Preventing SQL InjectionsAnother Exploit - incorrect filtered escape character

String query = "SELECT * FROM acct_trans WHERE acct_num = ‘" +

request.getParameter(“AcctNum") + “’";

…

1) SQL Statement intended to retrieve the user’s account transactions:

2) Exploit: AcctNum = ‘12345’ or ‘1’ = ‘1’ --

3) Result: SELECT * FROM acct_trans

WHERE acct_num = ‘12345’ or ‘1’ = ‘1’ --

How Do I Fix SQL Injection?

▪ Input Validation – Yes

▪ Detect unauthorized input before processed by application

▪ Parameterized Queries (prepared stmt) – Even Better

▪ Define SQL code and then pass in each parameter to the query later

▪ Parameters are placeholders for values

Parameterized Query

NOT

Injection Attack Costly ExampleHeartland Payment Systems – Jan, 2009

HRMAC III(cmd_procEnabled)

PaymentProcessingMAC I

Jan. 200994M records stolen$130M +

SQL Injection

One Vulnerability To Rule Them AllHeartland Payment Systems

The method used to compromise Heartland’s network was ultimately determined to be SQL injection. Code written eight years ago for a web form allowed access to Heartland’s corporate network. This code had a vulnerability that (1) was not identified through annual internal and external audits of Heartland’s systems or through continuous internal system-monitoring procedures, and (2) provided a means to extend the compromise from the corporate network to the separate payment processing network. Although the vulnerability existed for several years, SQL injection didn’t occur until late 2007…. the intruders spent almost six months and many hours hiding their activities while attempting to access the processing network, bypassing different anti-virus packages used by Heartland. After accessing the corporate network, the fraudsters installed sniffer software that was able to capture payment card data, including card numbers, card expiration dates, and, in some cases, cardholder names as the data moved within Heartland’s processing system.

Heartland Payment Systems: Lessons Learned from a Data Breach Julia S. Cheney, January 2010 Federal Reserve Bank of Philadelphia

Injection Attack – Government ExampleIllinois State Election Board

“The successful hack of the Illinois system began with a scan of the state election board's site with Acunetix, a commercial vulnerability scanning tool used to discover SQL injection vulnerabilities and other site weaknesses. The attacker used information on an SQL injection bug to then use SqlMap, an open source tool, to access user credentials and data, and the DirBuster tool to discover hidden files and directories on the Web server. Yahoo reports that officials suspected "foreign hackers" for the attack.”

After Illinois hack, FBI warns of more attacks on state election board systems

ARS Technica

Reported on 8/29/2016

https://arstechnica.com/security/2016/08/after-illinois-hack-fbi-warns-of-more-attacks-on-state-election-board-systems/

21

Exercise 1: Start the Fortify DemoEnvironment Setup

▪ Start the Fortify Demo Server

▪ There’s a “Launch the Riches Demo App” Shortcut on your desktop

▪ **It should already be started. You Should see some Command Prompt Windows.

Demo: SQL Injection

▪ Open Internet Explorer and browse to http://localhost:8080/riches(there should also be a shortcut)

▪ Click the Locations Button at the top.

▪ There is SQL Injection in this form. See if you can find it!

▪ Valid Zip Codes (94404, 10005, 94123)

http://localhost:8080/riches

Demo: SQL Injection


▪ Click the Locations Button at the top.

▪ There is SQL Injection in this form. See if you can find it!

▪ Valid Zip Codes (94404, 10005, 94123)

Try entering

' or '1'='1in the Find ATMs/Locations field


OWASP A7 – Cross Site Scripting (XSS)

• The Most Prevalent Vulnerability on the OWASP Top 10

• Was at the top until the ranking methodology changed

• Very easy to detect and exploit

• What is it?

• Your application is used as a platform to attack your users.

• Allows an attacker to insert malicious code into the user’s session

• Used to deface web sites, hijack sessions, steal credentials, and install malware

OWASP A7 – Cross Site Scripting (XSS)

• Reflected XSS

• Requires a user to execute an action that contains the attack payload. (Such as clicking a link in a phishing email)

• The attack only affects the user that executes the action

• Persistent XSS

• Attack payload is injected into a data store, such as a database.

• The attack affects every user that uses the application.

• The most impactful variant of XSS

Preventing XSS – Input/Output Validation

• Blacklisting – Developing a naughty list of characters/tags

• Nearly impossible to write black lists that cover all attack vectors

• Many ways to obfuscate attack payloads

• Using case, null characters, and flaws in browser rendering

• Using alternate tags, such as IMG, IFRAME, links, body, etc

• Using alternate encodings and languages

• Check out: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

• Whitelisting – Using regular expressions

• [A-Za-z0-9]{5,25} – Possible regex for a username

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

Preventing XSS – Output Encoding

• Encoding – Making Malicious Code Unexecutable

• <script> becomes <script>

• HTML Encoding for all data rendered in plain HTML

• Special care should be taken for data inserted into JavaScript and as tag attributes

• Many Standard Encoding Libraries are not sufficient

• Use the AntiXSS Library from Microsoft for .NET (now included in 4.5)

• OWASP Enterprise Security API (ESAPI)

Cross Site Scripting Famous ExamplePayPal, circa 2004 - 2006

▪ Steal credit card numbers

1. Users access URL on genuine PayPal site

2. Page modified via XSS attack to silently redirect user to external server

3. Fake PayPal Member log-in page

4. User supplies login credentials to fake site

▪ Exploitable for two years

Exercise 2: XSS Injection

▪ Click the submit button on the login form.


▪ There is Cross Site Scripting in the login page. See it?

▪ Valid Login (eddie/eddie)


Exercise 2: XSS Injection

▪ Click the submit button on the login form.


▪ There is Cross Site Scripting in the login page. See it?

▪ Valid Login (eddie/eddie)

Try entering

';</script><script>alert('XSS');</script>In the login field


The Solution

Software Security Assurance (SSA & SDLC)

Design Code TestIntegration

- StagingOperate

Security

ProductionSystem

Testing

Integration/ Component

Testing

CodingRequirements

30X

15X

10X

5X

1X

Co

st

30x more costly to secure in Production

Source: NIST

Security Gate

Remediation +

Secure SDLC

Monitoring + Protection

Secure DevelopmentContinuous feedback on the developer’s desktop at DevOps speed

1

Security TestingEmbed scalable security into the development tool chain

2

Continuous Monitoring and ProtectionMonitor and protect software running in Production

3

Improve SDLC Policies

The right approach for the new SDLC – Build it in

This is application security for the new SDLC

Software Security Analysis and Defense• Static Analysis (Fortify): analysis of computer software that is performed without actually executing programs

(i.e. run on source code)

• Dynamic Analysis (WebInspect): analysis of computer software that is performed by executing programs on a real or virtual processor (Pentesting against a running web application)

• RASP (Application Defender): software agent protects and monitors production systems.

Static Dynamic RASP

Requires source code Only Web Applications and services

Only Web Applications and services

Finds most issues Finds fewer issues Protects and monitors applications

Provides line of code level detail

Provides request and response

Requires a software agent to be installed

Preferred by developers Preferred by security and SOC Can protects against zero days

Secure DevelopmentContinuous feedback on the developer’s desktop at DevOps speed

1

Security TestingEmbed scalable security into the development tool chain

2

Continuous Monitoring and ProtectionMonitor and protect software running in Production

3

Improve SDLC Policies

The right approach for the new SDLC – Build it in

This is application security for the new SDLC

Fortify SCASAST

WebInspectDAST

App DefenderRASP

WI AgentIAST

MF Fortify Solutions

Security solutions backed by MF Security Research

Ecosystem Partner

FSRG ESS

• SANS, CERT, NIST, OSVDB, software & reputation vendors

• 3000+ Researchers

• 2000+ Customers sharing data

• Largest commercial IT security research group

• Continuously finds more vulnerabilities than the rest of the market combined (50-75% of publicly reported critical vulnerabilities)

• Frost & Sullivan winner for vulnerability research last four years

• Collaborative effort of market leading teams: ArcSight, Fortify, MF Labs, Application Security Center

• Collect network and security data from around the globe

MF Security Research

Fortify On Demand (FOD) / Vendor Management Application Defender

Software Security Assurance (SSA & SDLC)

Design Code TestIntegration

- StagingOperate

Security

Development

Static Code Analyzer (SCA)

Fortify Static Suite

Audit Workbench (AWB)

IDE Plugin

Software Security Center (SSC)

Testing

Web Inspect (WI)

Fortify Dynamic Suite

WebInspect Enterprise (WIE)Continuous Web Monitoring (CM)

On-demand Web Scans


Application Defender

Visibility & Defense

/ Operations

Hybrid

MF Fortify SCA

Software Security Assurance – Top 2 for WebInspect

Secure Development

Continuous Integration

Assessment

Security Acceptance

Testing

Monitoring

Continuous Monitoring

Protection

Realtime Application Self

Protection

Remediation

Process Driven Triage

MF Fortify Static Code Analyzer (SCA)

Features:

• Automate static application security testing to identify security vulnerabilities in application source code during development

• Pinpoint the root cause of vulnerabilities with line of code details and remediation guidance

• Prioritize all application vulnerabilities by severity and importance

• Supports 24 languages, > 750 vulnerability categories, 840,000 APIs

Benefits:

• Reduces the cost of identifying and fixing vulnerabilities

• Reduces risk that a vulnerability will slip by and cause a

problem later

• Saves valuable development time and effort

Problem it solves:

• Identifies all risks in the source code for applications in development

Securing your application code in development

MF Fortify SCA Process Flow

Translation

Source Code

to

Fortify

Intermediate

Model

Analysis

Fortify Intermediate Model to List of

Possible Vulnerabilities

Audit

Vulnerability

Verification,

Triage

and

Remediation


44

Translation Phase

▪ All Languages

▪ Source code needs to be in a buildable state

▪ C, C++, Objective C

▪ compiler is required to run SCA translator

▪ C#, VB.Net

▪ solutions must be compiled to create pdb files

▪ Java, JavaScript, SQL, PHP, ColdFusion, APEX, . . .

▪ translated directly by the SCA translator

MF Fortify SCA Process FlowTranslation requirements

Analysis


Translation Audit

Source Code to

MF Fortify Intermediate

Model


Model toList of

PossibleVulnerabilities

VulnerabilityVerification,

Triageand

Remediation

Each analyzer has corresponding rule types. MF Security Fortify SCA – Analysis

ScanData flow

Control flow

Structural

Semantic

Configuration

Buffer

ContentNon-trusted input can potentially

control application operation.

Detects potentially dangerous execution sequences

Detects potentially dangerous flaws in the structure or definition of a program

Looks for unsafe function calls

based on their signature

Uses XPath queries and name-

value matching to identify issues

in application’s configuration files

Buffer analyzer detect access to

buffer beyond its boundaries

Searches for security issues

and policy violations in HTML

MF Fortify SCA Process FlowAnalysis Phase

SCA Analysis

Static Application Security TestingAccurately identify root cause and remediate underlying security flaw

XML

Java

JSP

T-SQL

Results

T-SQL

Java

XML

JSP

User Input

SQL Injection22+ Languages

VBScript

HTML ASP

XMLPL/SQL

Java

C#.NETCOBOL

PHP

PythonVisual Basic

ABAP

T-SQL

C/C++

Classic ASP

CFML

VB.NET

JavaScript/AJAX

SCA Frontend


Translation Analysis Audit

Source Code to


Model

VulnerabilityVerification,

Triage,and

Remediation


Model toList of

PossibleVulnerabilities


MF Fortify Utilities

Audit Workbench (AWB)

An MF Fortify Graphical User Interface (GUI) utility

Rich features to review results from MF Fortify SCA analysis

Secure Coding Plug-ins

Very similar functionalities to AWB

Eclipse, Visual Studio


Contains a collaboration module with similar functionalities to AWB

Has a rich reporting interface and stores all findings in the DB

You

Verify and remediate issues found by MF Fortify SCA

Secure Coding PluginsVisual Studio, Eclipse, …

Audit Workbench(AWB)


FPR

Audit Phase = MF Fortify Utilities + You

Audit Phase = MF Fortify Utilities + You

▪ MF Fortify Utilities▪ Audit Workbench (AWB)

▪ An MF Fortify Graphical User Interface (GUI) utility

▪ Rich features to review results from MF Fortify SCA analysis

▪ Secure Coding Plug-ins

▪ Very similar functionalities to AWB

▪ Eclipse, Visual Studio

▪ Software Security Center (SSC)

▪ Contains a collaboration module with similar functionalities to AWB

▪ Has a rich reporting interface and stores all findings in the DB

▪ You▪ Verify and remediate issues found by MF Fortify SCA

MF Fortify Software Security Center

Features:

▪ Specify, communicate and track security activities performed on projects

▪ Role-based, process-driven management of software security program

▪ Flexible repository and exporting platform for security status, trending and compliance

▪ Integrates with Audit Assistant

Benefits:

• Provides a clear, accurate picture of software risk across the

enterprise

• Lowers cost of resolving vulnerabilities

• Identify areas of improvement for accelerated reduction of risk

and costs

Problem it solves:

• Provides visibility into security activities within development

Management, tracking and remediation of enterprise software risk

Static Software Scanning Process

Developers

Security/Tech Lead

Continuous

Integration

Jenkins, TFS,

etc.

Code Repository

Issue Tracking

Check in Code

Scheduled or Triggered

Check-out and Build

(Auto) Deliver

for Analysis

Submit Findings

to Bug Tracker

Developer Fixes

Bug / Finding

REPEAT

AS NECESSARY

Vulnerability

Findings

Integrations

SonarQube, Archer, etc.

Mgmt Portal

(SSC)

Scanning Engine

(SCA)

Scrum

Fortify SCA Suite

• Static source code analysis.Fortify SCA

• Visual interface for analysis of software vulnerabilities.Audit WorkBench (AWB)

• Integrated vulnerability detection into Integrated Development Environments (IDEs).

Secure Coding Plug-ins

• Management for multiple audit projects from a single centralized console.Fortify SSC Server

How to run a Scan

Fortify scanningMultiple ways to scan a project

• IDE Plug-ins

• Build integration (Ant, maven, make, Jenkins,…)

• Command Line

• Audit WorkBench (AWB)

• Scan Wizard

Using the SCA Command Line interface

SCA Command Line Interface

▪ Command Line Interface Help

sourceanalyzer -h

▪ Java Command Line Syntax

sourceanalyzer -b <build_id> -cp <classpath> <file_list>

▪ .NET Command Line Syntax

sourceanalyzer -vsversion 9.0 -b MyBuild -libdirs

ProjOne/Lib;ProjTwo/Lib ProjOne/bin/Debug ProjTwo/bin/Debug

▪ C/C++ Command Line Syntax

sourceanalyzer -b <build_id> <compiler> [<compiler options>]

Java Source CodeCD C:\Program Files\HPE_Security\Fortify_SCA_and_Apps_17.10\Samples\basic\eightball

Commands

sourceanalyzer -b EightBall -clean

sourceanalyzer -b EightBall –source 1.6 EightBall.java

sourceanalyzer -b EightBall -source 1.6 -Xmx3200M –scan –f EightBall.fpr

sourceanalyzer -b EightBall -show-files

sourceanalyzer -b EightBall -show-build-warnings

Translation Exercise

Exercise 3: Command-Line Scan

Using the AWB

Exercise 4: Scanning With Audit Workbench

Exercise 4: Audit Workbench Scan Exercise

▪ Start Audit Workbench

▪ Select “Advanced Scan…”

▪ Navigate toC:\Users\Workshop\Desktop\Trainer_Materials\ri

ches_wealth_src

▪ Click OK

▪ Specify Java Version 1.6

▪ Click Next >

▪ Add ”-Xmx2700M” to translation and scan command line options

▪ Click Next > then click Scan

Configuring AWB

Configuration – Options

DOWNLOAD rulepacks

UPLOAD scan results

Get SCA updates

Server Configuration – where to …

If you have an SSC instance then rulepacks

can be downloaded from it.

Can automatically check for rulepack updates.

Server Configuration

Typical Configuration – download rulepack

Corporate Network

Software Security CenterInternet

FromUpdate.fortify.com

FromSSC

Typical Configuration – upload scan results

Corporate Network

Software Security Center

Upload scan results to SSC

instance

Security Content Version

Click to manually check for new

security content

Click to import security content (custom rules)

Security Content Management

Control Issue Display

Tweak Issue Summary Display

Merge comments with analysis tag

changes

Audit Configuration - Appearance

Override default Filter Set

Set attribute to use for quick audit

feature

Configure how issues are copied

Audit Configuration - Configuration

Project Save Options

Memory Considerations

▪ SCA is a java application

Can be set using the –Xmx command line option-Xmx10800M

-Xmx8G

▪ You can set the maximum java heap space via environment variableSCA_VM_OPTS=-Xmx4G –used for SCAAWB_VM_OPTS=-Xmx2G –used for Audit Workbench

▪ Value should not be greater that two thirds of total system memory

Using the Eclipse Plugin

MF Fortify SCA – Eclipse IDE Plug-in

Fortify SCA – Eclipse IDE Plug-in

Fortify SCA – Eclipse IDE Plug-in

Noted: you should make sure all libraries are included, and source codes are compliable before you scan.

MF Fortify SCA – Eclipse IDE Plug-in

AnalysisResult

AnalysisTrace

Source Code

Summary and details

Package Explorer

Exercise 5: Eclipse IDE Plugin Scan

▪ In Package Explorer Open Project Riches

▪ Fortify Analyze Project

▪ Start Scan

Remediate/Rescan

Exercise 6: Remediate SQLI and Rescan

▪ SCA Analysis Result Find SQL Injection

▪ Expand SQL Injection Choose

LocationService.Java:121

▪ Determine if the SQLI is exploitable or not

▪ Make change to the code

▪ Rescan

Exercise 6: Remediate SQLI


// String queryStr = "SELECT * FROM location WHERE zip = '" + zip + "'";String queryStr = "SELECT * FROM location WHERE zip = ?";statement = conn.prepareStatement(queryStr);

statement.setString(1, zip);

Using the Visual Studio Plugin

MF Fortify SCA – Visual Studio IDE Plug-in

Exercise 7: Visual Studio IDE Plugin Scan

▪ In Solution Explorer Open Project Riches

▪ Fortify Analyze Project

▪ Start Scan

Working with the Results

Exercise 8: Remediate SQLI and Rescan

▪ SCA Analysis Result Find SQL Injection

▪ Expand SQL Injection Choose LocationDB.cs:30

▪ Determine if the SQLI is exploitable or not

▪ Make change to the code

▪ Rescan


//SqlCeCommand query = new SqlCeCommand("SELECT * FROM [location] where atm = 'Yes' and zip = '" + zip + "'", connection);SqlCeCommand query = new SqlCeCommand("SELECT * FROM [location] where atm = 'Yes' and zip = @postalcode", connection);//query.Parameters.AddWithValue("@postalcode", zip);

Working with the Results

Working with the results . . .

Issues

AnalysisEvidence

Source Code

Issue Auditing

Functions

Issues Panel

Folders: One tab for each folder. The default folders are one for each Fortify Priority and one for all issues.

Critical, High, Medium, Low, ALL

Group By: How the issues are grouped together. The default grouping is by Category.

Group Counts: This shows how many issues have been audited and how many total issues for the group. 0/5 means a total of 5 issues with 0 (zero) issues audited.

My Issues: Filter issues to only display issues assigned to current user.

Filter Set: Current Filter being used to display issues.

Issues Panel

Folder Name: Name of the currently selected folder.

Group Icon: A folder graphic is used as the group icon. This should not be confused with the Folders that are represented by the tabs.

Search: Used to search issues. Advanced searching capabilities are available.

Issue Icon: Represents the auditing that has been done for the issue.

Folder Dialog Shortcut: Clicking the … will open the dialog to edit folders.

Issues Panel – analysis tag icons

Not an Issue

Reliability Issue

Bad Practice

Suspicious

Exploitable

Not Audited

Previously Audited

Issue Grouping

Analyzer File Name

RTA Protected DISA STIG

Create Custom Grouping

Issue Grouping - custom

Exercise 9: Issue Grouping

Create a 2-level grouping

FISMA

NIST 800-53


Issues

AnalysisEvidence

Source Code

Issue Auditing

Functions

Trace of analysis evidence usedin identifying the issue.

From source to sink.

Icons are meaningful and documented in the “About the Analysis Evidence Panel”

section of theAudit Workbench User Guide.

Analysis Evidence Panel

source

sink

The issue title is the last node in the analysis trace (sink)


Analysis Evidence PanelShared Sink

Sub-group title is the first lineof the Analysis Evidence (source)

Analysis Evidence PanelShared Sink

Shared sink

Different sources

Two issues

One sink

Multiple paths

One Source

One issue



Issues

AnalysisEvidence

Source Code

Issue Auditing

Functions

Submit to bug tracking system

Set the analysis tagShort description ofthe selected issue

Commit or cancelcurrent commentSuppress the issue

List of saved comments

Enter comments here

Issue Auditing Panel - Summary

Edit tags

Code specific abstract of selected issue.

Detailed description ofthe selected issue.

Issue Auditing Panel - Details

Suggestions and examples of how to secure the vulnerability or remedy the bad practice.

Issue Auditing Panel - Recommendations

Scroll down to see mappings and external research references.

Issue Auditing Panel - Recommendations

Activities such as changing the analysis tag and suppressing an issue are logged.

Comment history.

Issue Auditing Panel - History

Standard UML call graph of the

Analysis Evidence

Red lines in the diagram are the flow of tainted data

Issue Auditing Panel - Diagram

Displays warnings/errors that occurred during the scan.

Issue Auditing Panel - Warnings

Can export individual entries or all entries to a text file.


Issues

AnalysisEvidence

Source Code

Issue Auditing

Functions

Source Code Panel Clicking an issue syncs the source code panel to the file and line

number of the sink.

Source Code Panel

Clicking on a trace node syncs the

source code panel to node’s file and

line number.

Source Code Panel - Project Summary

If someone tries to tamper with the FPR file directly,

result certification will become invalid



The list of all scanned files. Same as # sourceanalyzer -b build_id -show-files

Executable LOC: SCA doesn’t count blank lines and comments

Total LOC: SCA doesn’t include HTML, XML and properties files

Time only for analysis phase



Issues

AnalysisEvidence

Source Code

Issue Auditing

Functions

Package

Class

Search packages, classes and functions

Lists all functions that were declared or called in the source

code scanned.

Function Name

Show all functions or only those not covered by rules.

Group by package, class or just list functions.

Include internal, external, and/or superclass API’s used in the source

code scanned.

Functions Panel

Legend…


Issues

AnalysisEvidence

Source Code

Issue Auditing

Functions

Other Features

Suppression

A way to hide an issue from view and consider it audited.

What might be suppressed?

▪ Issues that you are certain will not be of concern.

▪ Issues that you plan to never fix.

▪ Issues that are warnings concerning code quality or correctness (lower priority).

Suppression

Right clickon an issue

Right clickon a group of issues

Suppress the currentlyselected issue

Three ways to suppress

Suppression

Toggles showing suppressed issues

How to view suppressed issues

Interface will display suppressed issues by default when set.

Suppression

Viewing suppressed issues

The icon for suppressed issue

Total suppressed issues in current folder

Suppression

Unsuppress an issue

While viewing suppressed issues,

right click on a suppressed issue.

Exercise 10: Audit and Suppress

▪ Audit all insecure randomness issues

▪ Add a comment to all issues related to:

▪ Suppress all Dead Code

Software Security Center Overview

MF Fortify Software Security CenterManagement, tracking and remediation of enterprise software risk

Problem it solves:

Provides visibility into security activities within development

Features:

▪ Specify, communicate and track security activities performed on projects

▪ Role-based, process-driven management of software security program

▪ Flexible repository and exporting platform for security status, trending and compliance

Benefits:

• Provides a clear, accurate picture of software risk

across the enterprise

• Lowers cost of resolving vulnerabilities

• Identify areas of improvement for accelerated

reduction of risk and costs

MF Security Fortify Software Security CenterVulnerability detail

Remediation explanation and advice

Line of code vulnerability detail

Vulnerabilities identified

in the scan

SSC Functional Areas

▪ SSC Administration

▪ User Access

▪ System Configuration

▪ Issue Template (Project Template)

▪ Application (Project) Administration

▪ Application Management

▪ Attributes Assignment

▪ Program Management

▪ Audit Page (Collaboration Module)

▪ Reporting

Exercise 11: Software Security Center Walk Through

1. Click on “Launch the Fortify SSC Server”

2. Open a web browser

3. Navigate to http://localhost:8180/ssc

4. Login information is in student_logins.txt on your Desktop. Log in as admin.

5. Password is Workshop2017!

http://localhost:8180/ssc

SSC InterfaceHeader

DashboardTask List

ActivityList

Administration

Exercise 12: Create a New Application

Create a New Application

▪ Click on “Launch the Fortify SSC Server”

▪ Open a web browser

▪ Navigate to http://localhost:8180/ssc

▪ Login information is in student_logins.txt on your Desktop. Log in as admin.

▪ Password is Workshop2017!

▪ Click Application

▪ Click New Application

New Application

▪ Name: Riches2

▪ Version: v9

▪ Development Phase: New


Create A New Application

New Application

Application

Exercise 13: Upload FPR

Upload FPR

▪ Launch AWB

▪ Click Tools

▪ Click Configure Upload

▪ Enter SSC Login Credentials

▪ Click Upload Audit Project

Login

▪ SSC URL: http://localhost:8180/ssc

▪ Username: admin

▪ Password: Workshop2017!

▪ Application: Riches2, V9


Upload FPR

▪ You need to setup Server Configuration Upload FPR Configurationbefore you can upload FPR

Select the appropriate project and version

Click Tools then Upload Audit Project.

Enter SSC user and password.

Scan analyticsMachine learning to make AppSec more efficient

152

• Identify true vulnerabilities and prioritize them for remediation faster

• Focus on triaging and investigating high priority vulnerabilities.

• Return value-added time to your developers and auditors

Fortify Scan Analytics

Potent ial

Vulns.

Not an Issue

Exploitable

Indeterminate

Return value-added time to auditors and developersWithout sacrificing scan integrity

False negative

<1%

Non-issue reduction

25% – 90% 80%-98%

Accuracy

Results obtained are based on real world applications and scenarios. Results vary based on training and customization. They are not guarantees of future performance.

Reporting

Data VisualizationDashboards and Reports

Vulnerability status by application

Global dashboard highlights risk across

software portfolio

Reporting Features

AWB/Plugins SSC

BIRT Reporting X X

BIRT Customization X

Simple Layout Configuration X X

PDF X X

HTML X X

DOC X

XLS X

Asynchronous X

Synchronous X

Issues Reports X X

Portfolio Reports X

Application Reports X

Dashboards X

Report Type

▪ CWE/SANS Top 25

▪ DISA STIG

▪ Developer Workbook

▪ FISMA Compliance: FIPS-200

▪ OWASP Mobile Top 10

▪ OWASP Top 10

▪ PCI DSS Compliance Application Security Requirements

Layout

▪ Default Report Layout

▪ Title Page

▪ Table Of Contents

▪ Executive Summary

▪ Project Description

▪ Issue Breakdown

▪ Issue Detail/Summary

Exercise 14: Generate AWB Reports

Generate AWB Reports

▪ Launch AWB

▪ Click Reports

▪ Generate BIRT Report - Security Auditor View

▪ Click Reports

▪ Generate BIRT Report – Quick View

▪ Click Reports

▪ Click Tools->Generate Legacy Report

Features

▪ New BIRT Reporting Engine

▪ Simple Layout Configuration

▪ Saves as DOC,HTML, PDF

▪ Synchronous

AWB Reports: GenerationReports

Exercise 15: Generate SSC Reports

Generate SSC Reports

▪ Click on “Launch the Fortify SSC Server”

▪ Open a web browser

▪ Navigate to http://localhost:8180/ssc

▪ Login information is in student_logins.txt on your Desktop. Log in as admin.

▪ Password is HPpass2017!

▪ Click Reports

▪ Click New Report

Features

▪ New BIRT Reporting Engine

▪ BIRT Customizations

▪ Simple Layout Configuration

▪ Saves as XLS,HTML, PDF

▪ Asynchronous

▪ Dashboard Portfolio and Application Reports


Generate SSC Reports

New Report

Reports

DevOps and Solution Architecture

DevOps – Definition, Principles and Benefits

164

DevOps- A practice that emphasizes the collaboration and communication between

software developers and IT professionals, with the goal of automating the process of

software delivery and infrastructure changes.

Principles• Develop and test in an environment similar to production• Deploy builds frequently• Automate the process of delivering software• Validate quality continuously

Benefits • Faster time to value • Faster time to market with higher quality• Stay ahead in a competitive environment

Static Code Security Analysis for the EnterpriseStart with Assessment, Visibility, and Own the Debt First / DevOps Second

167

Effective / High Velocity DevSecOps

168

Developer

Source Code Mgmt System

Defect Mgmt System

Vulnerability Mngt Platform

Lead Developer New / Critical Issues Exist Alert

1

23

4

5

IDE Security PluginLocal Remediation ScanLight Weight Static Scan

Repair MYIssues

6

8 Check in Secure Code

SecurityAnalysis

Prerequisites:1) Base line scan / audit

performed2) Confidence threshold

defined3) Audit Filters or Rules from

previous scans applied via vuln mngt platform

Static Scan Servers Cluster

Translated Files sent to

available scan server

Upload New Scan

Merged with

Existing

Triage &Assign to Defect Tracking System

Developer is sent ticket with embedded link to issues

7

Build / Translation Job

Time to Value

1

Workstation w/ SCA

Scanning Server

Workstation w/ SCA

Fortify SSC

Scanning Server

Workstation w/ SCA

Fortify SSC

Mobile Build Analyzer

Scanning Server

Workstation w/ SCA

Fortify SSC

Controller

Sensors

Cloud Scan

Scanning Server

Workstation w/ SCA

365 365+Days

Exp

ert

ise

Basic

Advanced

Enterprise

Putting It All Together – Team Exercise

5 Executive ManagementCISO/PM’s and others can view metrics, generate reports and better manage risk

Build / ScanMachine

Build and Scancould be differentphysical machines

Build Manager

3

SCA scan is executed as part of the build process, and all static code analysis results can be uploaded into SSC

Software Security Center (SSC)•Rights and roles•Project Templates•Applications and Versions•Dynamic and Static Scan Results

Code RepositoryConfiguration Management

Check-out, remediate& check-in

SSC Administrator

1Manage users, roles, access, project templates,filters, . . .

MF Fortify Static Code Analyzer (SCA),IDE Plugins,Audit Workbench (AWB)

2 DevelopersWrite Code

SCA Scan on Desktop

Remediate

Development Manager and IA Team4Triage results (as part of the IA review process) and assign tasks via Change Management process

Software Security Assurance – Roles & Workflow

Dynamic scan results published to SSC

Enterprise process where developers have SCA and a build/scan server is in place –

❖ Step 1: All policy, governance (Mitre/CWE (Common Weakness Enumeration), FISMA, etc), roles and responsibilities will be established in the SSC. Including process flow, and use cases, and other “know how” to help each participant understand their role in the process.

❖ Step 2: As Developers go about their “day to day” development tasks, they will scan their code for the Application Security policies established by the IA team. Once the Developer has “checked their code in”, it will uploaded the build server. Developers will have access the SSC server to view activities assigned to them, and to better understand their role, and other helpful tips/techniques.

❖ Step 3: Once the code has been promoted by the developers, an entire scan will be conducted on the application as a whole as part of the build process, and the results file will be uploaded to the SSC.

❖ Step 4: Results from the scans will be triaged/audited by IA, Testers or others, and any issue which needs to be address will be assigned to the appropriate development manager. The development manager will follow the established company Change Control process and assign the work to a developer for remediation (back to step 2).

❖ Step 5: Project Managers, Executives, and others will have access to the HP Fortify SSC server to generate reports, review project metrics; essentially managing risk and activities

User 1

▪ Task 1

▪ Create Users

▪ Create Projects

▪ Task 2

▪ Open Collaborative audit

▪ Audit

User 2

▪ Task 1

▪ Scan Sample Code

▪ Upload

▪ Task 2

▪ Open Collaborative Audit

▪ Review Comments

Group Exercise – Life CycleBreak up into Pairs

Log in SSC• http://6.94.185.35.bc.googleusercontent.com:8080/ssc/#/• Admin/Fortify@01

http://6.94.185.35.bc.googleusercontent.com:8080/ssc/#/

Enterprise Adoption Success ScorecardThe Only Questions You Really Need to Ask

1. Do you have SSC stood-up and operating properly?

2. Are the FPRs of record for active development teams loaded at least once per week?

3. Does your CISO and/or Application Development Director have a login?

4. Does your CISO and/or Application Development Director login to SSC and review the portfolio results at least once per month?

5. Has your CISO and/or Application Development Director specified a remediation policy for Fortify findings?

175

Thank You

prep work exercises - carahsoft...how do i fix sql injection? input validation –yes detect...

Documents