Aspect Security | 9175 Guilford Road, Suite 300 | Columbia, MD 21046 | www.aspectsecurity.com Simplify Dev with Complicated Security Tools

Upload: kevin-fealey

Post on 24-Jan-2017


Page 1: Simplify Dev with Complicated Security Tools


Page 2: Simplify Dev with Complicated Security Tools

Application security that just works

©2015 Aspect Security. All Rights Reserved 2

ASPECT SECURITY

• Founded in 2002
• Headquartered in Columbia, MD
• 50 employees
• Founding member of OWASP

Application Security Experts
• Created or contributed to industry-leading standards including: OWASP Top 10
• Millions of lines of code verified per month
• Hundreds of applications tested per year
• Training and eLearning

Page 3: Simplify Dev with Complicated Security Tools

ABOUT US

Kevin Fealey
• Principal Consultant & Practice Lead, Automation & Integration Services
• 8 years in security
• Key Interests:
  • Process efficiency/effectiveness (Sec + Dev + Ops)
  • Learning about cool tools

Josh Wallace
• Application Security Engineer
• Penetration Testing
• Automation & Integration Services
• 7 years a dev
• 5 years in security
• Key Interests:
  • AppSec
  • SecDevOps

Page 4: Simplify Dev with Complicated Security Tools


SPOT THE VULN!

Page 5: Simplify Dev with Complicated Security Tools

ABOUT YOU

Raise your hand….

Are you a developer?

Are you a security engineer?

Have you ever used security tools before?

What about a web proxy like Fiddler?

Page 6: Simplify Dev with Complicated Security Tools

IMAGINE A WORLD

You spent the last year developing a new app for your company

Before moving to production, your company required a security test

Several issues were found, including:
• SQL Injection
• Libraries with known vulnerabilities
• Cross-Site Scripting

Page 7: Simplify Dev with Complicated Security Tools

NOW IMAGINE THE IMPACT

… for you
• Re-working solved problems (boring)
• Risk of regressions
• Doesn’t look good

… for the business
• Project is more expensive
• May lose first-to-market advantage
• Reputation damage with customer

… for the customer
• Missing/delayed features/fixes
• Potentially increased cost
• Risk of regressions/bugs

Page 8: Simplify Dev with Complicated Security Tools

OUR GOAL: PREVENT THAT SCENARIO

Enable and motivate you to be the first to security test your code

Page 9: Simplify Dev with Complicated Security Tools

LET’S APPLY LOGIC!

You are a developer, not a security expert

But

Writing secure code can save you time, frustration, and boredom

So…

Let’s learn how to identify security issues sooner to make you less bored!

Page 10: Simplify Dev with Complicated Security Tools


LEGAL DISCLAIMER

“Hacking” is illegal and should not be performed without written permission under any circumstances

Do not perform any security testing unless you own the systems in question or have written permission

Use of these tools/techniques could lead to job termination, financial liability, and/or criminal penalties

Have fun!

Page 11: Simplify Dev with Complicated Security Tools


TIME FOR THE MEAT


Page 13: Simplify Dev with Complicated Security Tools

PROBLEM: SQL INJECTION

SQL Injection is a vulnerability that occurs when untrusted data is sent to the database and executed as part of a command or query
• '
• ' or '1'='1
• ' or 2=2--
• Robert'); DROP TABLE Students;--

Page 14: Simplify Dev with Complicated Security Tools

SQL INJECTION DEMONSTRATED

[Screenshot 1: "Account Summary" page with Account and SKU fields. The injected Account value makes the application build the query "SELECT * FROM accounts WHERE acct='' OR 1=1--'", and the page lists every account number in the table instead of the one requested.]

[Screenshot 2: the same "Account Summary" rows as held in the database, shown as encrypted/encoded strings rather than plaintext account numbers.]

[Diagram: HTTP request -> Firewall -> Hardened OS / Web Server / App Server running Custom Code -> Firewall -> Databases, Legacy Systems, Web Services, Directories, Human Resrcs, Billing. Application layer: Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions. Flow labelled HTTP request -> SQL query -> DB Table -> HTTP response; the "APPLICATION ATTACK" passes through the Network Layer into the Application Layer.]

1. Application presents a form to the attacker

2. Attacker sends an attack in the form data

3. Application forwards attack to the database in a SQL query

4. Database runs query containing attack and sends encrypted results back to application

5. Application decrypts data as normal and sends results to the user


Page 16: Simplify Dev with Complicated Security Tools

ENTER SQL MAP

Automatic SQL Injection and Database Takeover
• Python
• Lightweight
• Easy to use
• Easy to setup
• No installation

Page 17: Simplify Dev with Complicated Security Tools

USAGE

GET request: check all parameters
• python sqlmap.py -u "https://vulnerablesite.com/login?user=test&pass=password"

Saved POST request: check a single parameter
• python sqlmap.py -l request.log -p user

(-l reads targets from a saved proxy log file; to replay one raw HTTP request saved to a text file, use -r request.txt instead.)

Wiki is your friend
• https://github.com/sqlmapproject/sqlmap/wiki/Usage

Page 18: Simplify Dev with Complicated Security Tools


DEMO TIME!

Page 19: Simplify Dev with Complicated Security Tools


OBLIGATORY LITTLE BOBBY TABLES

 https://xkcd.com/327/

Page 20: Simplify Dev with Complicated Security Tools

SQLI PREVENTION

Parameterize Untrusted Query Input

    // untrusted input: never concatenated into the SQL text
    String custname = request.getParameter("customerName");
    // the ? placeholder is the only place the value can go
    String query = "SELECT account_balance FROM user_data WHERE user_name = ?";
    PreparedStatement pstmt = connection.prepareStatement(query);
    pstmt.setString(1, custname);   // bound as data, not as SQL
    ResultSet results = pstmt.executeQuery();

Prevents this
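To make the "SQL INJECTION DEMONSTRATED" slide and this prevention slide concrete, here is an added, runnable example (not code from the deck): the slide's string-concatenation pattern next to its parameterized fix, run against an in-memory SQLite table with the four payloads from the "PROBLEM: SQL INJECTION" slide. The table, account ids and owners are constructed for the example.

```python
import sqlite3

# Constructed sample data for this example; the account ids are made up.
ACCOUNTS = [
    ("ACCT-1001", "alice"),
    ("ACCT-1002", "bob"),
    ("ACCT-1003", "carol"),
    ("ACCT-1004", "dave"),
]


def make_db():
    """In-memory SQLite database standing in for the slide's accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", ACCOUNTS)
    return conn


def lookup_vulnerable(conn, acct):
    """The broken pattern: the user-supplied value is spliced into the SQL
    text, so a quote character in it changes the structure of the query."""
    query = "SELECT acct, owner FROM accounts WHERE acct='" + acct + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, acct):
    """The fix from the slide: a ? placeholder bound with the value. The driver
    passes the value as data, so it can only ever be compared as a literal."""
    query = "SELECT acct, owner FROM accounts WHERE acct=?"
    return conn.execute(query, (acct,)).fetchall()


def probe(lookup, conn, payload):
    """Run one lookup and report what an attacker (or sqlmap) observes:
    ('rows', n) on success, ('error', message) if the SQL failed to parse.
    A database error on a lone quote is the classic first sign of injection."""
    try:
        return ("rows", len(lookup(conn, payload)))
    except sqlite3.Error as exc:
        return ("error", str(exc))


# The payloads from the "PROBLEM: SQL INJECTION" slide.
PAYLOADS = ["'", "' or '1'='1", "' or 2=2--", "Robert'); DROP TABLE Students;--"]


def compare(payloads=PAYLOADS):
    """Map each payload to (result with vulnerable code, result with fix)."""
    conn = make_db()
    return {p: (probe(lookup_vulnerable, conn, p),
                probe(lookup_parameterized, conn, p)) for p in payloads}


if __name__ == "__main__":
    for payload, (vuln, safe) in compare().items():
        print(f"{payload!r:40} vulnerable={vuln}  parameterized={safe}")
```

With the concatenated query, the lone quote produces a database error, both OR payloads return all four rows, and the parameterized version returns zero rows for every payload because the whole string is compared as an account id. The Bobby Tables payload errors here only because the sqlite3 module refuses to execute more than one statement per call; drivers and databases that allow stacked queries will run the DROP, which is exactly why the fix has to be parameterization rather than reliance on driver behaviour.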

Page 21: Simplify Dev with Complicated Security Tools

BLINDSPOT - LIBRARIES

The amount of custom code in an application hasn’t changed very much in the past 10 years.

Page 22: Simplify Dev with Complicated Security Tools

TRANSFORMATION

80% Libraries
20% Custom Code

But library use is growing at a staggering rate

Page 23: Simplify Dev with Complicated Security Tools

EVERYONE USES VULNERABLE LIBS

[Chart: downloads per library on a log scale (100 to 100,000,000) for GWT, Apache Xerces, Spring MVC, Struts 1.x, Apache CXF, Struts2, Apache Axis, Spring Security, Tapestry, Wicket, Lift, Apache Santuario, BouncyCastle, Tiles, Hibernate, Apache Shiro, Java Server Faces and AntiSamy; callout: 29 MILLION vulnerable downloads in 2011]

Libraries: 31
Library Versions: 1,261
Organizations: 61,807
Downloads: 113,939,358

Vulnerable Download: 26%
Safe Download: 74%

https://www.aspectsecurity.com/news/press/the-unfortunate-reality-of-insecure-libraries

Page 24: Simplify Dev with Complicated Security Tools

ENTER OWASP DEPENDENCY CHECKER

Scans a project's dependencies (for example the jars in its lib directory) and reports those with publicly known vulnerabilities from the NVD
• Available at https://www.owasp.org/index.php/OWASP_Dependency_Check

Page 25: Simplify Dev with Complicated Security Tools

ONE COMMAND TO RULE THEM ALL

dependency-check.bat --project "My App Name" --scan "c:\java\application\lib" --out c:\reportingDir

Page 26: Simplify Dev with Complicated Security Tools


EASY TO READ REPORT

Page 27: Simplify Dev with Complicated Security Tools

AUTOMATE IT!

Community plugins available
• Ant
• Maven
• Jenkins
• SonarQube

Roll your own
• It’s just a single command. Parameterize and automate!
• dependency-check.bat --project {proj} --scan {libDir} --out {reportDir}
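A "roll your own" wrapper of the kind the slide suggests, added here as an example and not taken from the deck or from the Dependency-Check project: it fills in the three placeholders, asks for a JSON report so a script can read it, and fails the build when a finding reaches a chosen severity. The report file name and JSON layout (a top-level "dependencies" list whose entries carry an optional "vulnerabilities" list with "name" and "severity") are assumptions based on the tool's JSON report as I know it; the sample report is constructed and its CVE ids are placeholders, not real entries.

```python
import json
import subprocess
from pathlib import Path

# Severity labels that fail the build; Dependency-Check reports them as
# upper-case strings such as CRITICAL / HIGH / MEDIUM / LOW.
FAIL_ON = ("CRITICAL", "HIGH")

# Assumed: JSON report name and layout as produced by the tool's --format JSON
# option. Check both against the version you install.
REPORT_NAME = "dependency-check-report.json"


def build_command(project, lib_dir, report_dir, exe="dependency-check.bat"):
    """The slide's one command with its placeholders filled in, plus
    --format JSON so a script rather than a person reads the result.
    Use exe="dependency-check.sh" on Linux/macOS."""
    return [exe, "--project", project, "--scan", str(lib_dir),
            "--out", str(report_dir), "--format", "JSON"]


def findings(report):
    """Flatten a parsed report into (file name, vuln name, SEVERITY) tuples."""
    out = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            out.append((dep.get("fileName", "?"), vuln.get("name", "?"),
                        str(vuln.get("severity", "")).upper()))
    return out


def gate(report, fail_on=FAIL_ON):
    """Return (ok, summary); ok is False when any finding reaches fail_on."""
    found = findings(report)
    blocking = [f for f in found if f[2] in fail_on]
    summary = {
        "dependencies": len(report.get("dependencies", [])),
        "findings": len(found),
        "blocking": blocking,
    }
    return (not blocking, summary)


def run_scan(project, lib_dir, report_dir, exe="dependency-check.bat"):
    """Run the scanner, then gate on its report. check=True raises if the
    tool itself fails, so a broken scan never passes silently."""
    subprocess.run(build_command(project, lib_dir, report_dir, exe), check=True)
    report = json.loads(Path(report_dir, REPORT_NAME).read_text(encoding="utf-8"))
    return gate(report)


# Constructed report for offline use; the CVE ids are placeholders, not real entries.
SAMPLE_REPORT = {
    "dependencies": [
        {"fileName": "clean-lib-1.0.jar"},
        {"fileName": "old-parser-2.3.jar", "vulnerabilities": [
            {"name": "CVE-0000-0001", "severity": "HIGH"},
            {"name": "CVE-0000-0002", "severity": "MEDIUM"},
        ]},
    ]
}

if __name__ == "__main__":
    ok, summary = gate(SAMPLE_REPORT)
    print("PASS" if ok else "FAIL", summary)
```

In a Jenkins job the wrapper's exit status is the build result: call run_scan from the job script and exit non-zero when ok is False. Keep the threshold in one place (FAIL_ON) so tightening it from HIGH to MEDIUM later is a one-line change rather than a new convention for every team.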

Page 28: Simplify Dev with Complicated Security Tools


PROBLEM: CROSS-SITE SCRIPTING (AND MANY OTHERS)

Page 29: Simplify Dev with Complicated Security Tools

EASY DYNAMIC SECURITY SCANNING

Dynamic scanning tools can discover common vulnerabilities in running web applications by inspecting HTTP requests/responses

Looks for known patterns
• Cross-Site Scripting (XSS)
• SQL Injection
• Command Injection
• Path Traversal
• Etc.

Page 30: Simplify Dev with Complicated Security Tools

ENTER OWASP ZAP

Free dynamic security scanner

Checks for many common OWASP Top 10 vulnerabilities

Cross-Platform (Java)

Many other features
• CSRF POC generator
• Web Proxy
• Etc.

Page 31: Simplify Dev with Complicated Security Tools


DEMO TIME!

Page 32: Simplify Dev with Complicated Security Tools

ZAP HINTS AND TIPS

Be sure to set up any credentials

Be careful
• Scanners can cause serious damage!

Do no harm
• Some pages may perform dangerous functionality (e.g. deleting users). Beware!
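The "do no harm" tip, turned into an added example of driving ZAP headlessly the way the "AUTOMATE IT!" slide suggests. This is not code from the deck or from the ZAP project: destructive URLs are excluded from the spider and the active scanner, the spider's results are checked before the active scan starts, and the build is gated on the alert counts. The URL patterns belong to an imaginary application, the ZAP client calls (python-owasp-zap-v2.4: spider.exclude_from_scan, spider.scan/status/results, ascan.exclude_from_scan, ascan.scan/status, core.alerts) are used as I know them, and the sample alerts are constructed, not output from a real scan.

```python
import re
import time

# Endpoints the scanner must never touch (the slide's "deleting users" case).
# Assumed paths for an imaginary app; ZAP matches exclusion regexes against
# the full URL, hence the leading .* on each pattern.
DO_NOT_SCAN = [
    r".*/admin/deleteUser.*",
    r".*/account/close.*",
    r".*/logout.*",          # hitting this would drop the scanner's own session
]

# Risk levels as reported by zap.core.alerts(); the build fails on FAIL_ON.
RISKS = ("High", "Medium", "Low", "Informational")
FAIL_ON = ("High",)


def is_excluded(url, patterns=DO_NOT_SCAN):
    """True when a URL matches one of the do-not-scan regexes."""
    return any(re.fullmatch(p, url) for p in patterns)


def unsafe_urls(urls, patterns=DO_NOT_SCAN):
    """URLs (e.g. from spider results) that match a do-not-scan regex.
    Must be empty before the active scan, the step that actually sends attacks."""
    return [u for u in urls if is_excluded(u, patterns)]


def summarize(alerts):
    """Count alerts per risk level."""
    counts = {r: 0 for r in RISKS}
    for alert in alerts:
        risk = alert.get("risk", "Informational")
        counts[risk] = counts.get(risk, 0) + 1
    return counts


def verdict(counts, fail_on=FAIL_ON):
    """False if any failing risk level has at least one alert."""
    return not any(counts.get(r, 0) for r in fail_on)


def scan(target, api_key, proxy="http://127.0.0.1:8080"):
    """Drive a running ZAP instance: exclude destructive URLs, spider, check,
    active-scan, gate. Needs ZAP listening on `proxy` and
    `pip install python-owasp-zap-v2.4`; the import is local so the pure
    functions above work without it. Authenticated scanning also needs a
    context and user configured in ZAP (the slide's "set up any credentials"),
    which this function does not do."""
    from zapv2 import ZAPv2  # client API as I know it; verify against your version
    zap = ZAPv2(apikey=api_key, proxies={"http": proxy, "https": proxy})
    for pattern in DO_NOT_SCAN:
        zap.spider.exclude_from_scan(pattern)
        zap.ascan.exclude_from_scan(pattern)
    zap.urlopen(target)                       # seed the site tree
    sid = zap.spider.scan(target)
    while int(zap.spider.status(sid)) < 100:
        time.sleep(2)
    leaked = unsafe_urls(zap.spider.results(sid))
    if leaked:                                # exclusion did not take; stop here
        raise RuntimeError(f"refusing to active-scan, destructive URLs in scope: {leaked}")
    aid = zap.ascan.scan(target)
    while int(zap.ascan.status(aid)) < 100:
        time.sleep(5)
    counts = summarize(zap.core.alerts(baseurl=target))
    return verdict(counts), counts


# Constructed alerts in the shape core.alerts() returns, trimmed to the
# fields used here; not output from a real scan.
SAMPLE_ALERTS = [
    {"risk": "High", "alert": "SQL Injection", "url": "https://app.example/search", "param": "q"},
    {"risk": "Medium", "alert": "X-Frame-Options Header Not Set", "url": "https://app.example/", "param": ""},
    {"risk": "Low", "alert": "Cookie Without Secure Flag", "url": "https://app.example/login", "param": "JSESSIONID"},
]

if __name__ == "__main__":
    counts = summarize(SAMPLE_ALERTS)
    print("PASS" if verdict(counts) else "FAIL", counts)
```

Run it only against a copy of the application you are allowed to test (see the LEGAL DISCLAIMER slide), ideally a throwaway environment restored from a snapshot after each scan, because even with exclusions in place an active scan submits every form it can reach.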

Page 33: Simplify Dev with Complicated Security Tools


IN SUMMARY

Free, open-source security tools exist that can be useful to developers

Tools can be intimidating but do not have to be hard to use

Eliminate re-work and frustration at the end of a project

Automate and integrate tools for efficiency and transparency

Page 34: Simplify Dev with Complicated Security Tools

AND…

Help keep the hackers out

Page 35: Simplify Dev with Complicated Security Tools


QUESTIONS?

 Josh Wallace [email protected]

 Kevin Fealey [email protected]

 #EverydayVuln

Page 36: Simplify Dev with Complicated Security Tools

Thank you!
