Slides from our talk @Devoxx MA 2018.
We discuss Secure Software Development Lifecycle practices, recommendations, and tools, and we show practical examples of bad programming habits that can be mitigated.
Secure Software Development Lifecycle - Devoxx MA 2018
1. SSDLC - Secure Software
Development Lifecycle
L. Molari – S. Monti – A. Proscia
@imolinfo
https://www.imolainformatica.it
2. How much does it cost?
  // Struts 2 file-upload error reporting (the Struts 2.x code path behind CVE-2017-5638, see slide 29):
  // each upload error's text is handed to LocalizedTextUtil.findText(), which parses expressions
  // embedded in the message text, so text that originated in the request reaches an interpreter.
  if (multiWrapper.hasErrors()) {
      for (LocalizedMessage error : multiWrapper.getErrors()) {
          if (validation != null) {
              validation.addActionError(
                  LocalizedTextUtil.findText(error.getClazz(),
                                             error.getTextKey(),
                                             ActionContext.getContext().getLocale(),
                                             error.getDefaultMessage(),
                                             error.getArgs()));
          }
      }
  }
#SSDLC@imolinfo
3. How much does it cost?
source Reuters: https://reut.rs/2QsGivt
#SSDLC@imolinfo
20. SAST - Static Application Security Testing
SAST lets you find flaws in source code
using the best known patterns
of bad programming habits
#SSDLC@imolinfo
21. SAST - Static Application Security Testing
  // The SQL text is assembled by string concatenation and the last term appends the
  // caller-supplied value "quotation" directly into it: the pattern SAST tools flag as SQL injection.
  String query = "select count(*) as number "+
                 " from required_documents rd, "+
                 " required_documents_quotations rdq, "+
                 " quotations q, documents d "+
                 " where rd.id = rdq.id_document "+
                 " and rd.id = d.id "+
                 " and rdq.id_quotation = q.id "+
                 " and q.end_date > sysdate "+
                 " and rd.status = 'EXP' "+
                 " and q.quotation_number = " + quotation;
#SSDLC@imolinfo
22. SAST - Static Application Security Testing
Thank you
guys!
#SSDLC@imolinfo
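The same query rewritten the way the SAST finding asks for, added here as an example that is not part of the slides: the value is bound as a parameter instead of being concatenated, and an allow-list check runs before it reaches the database. The class and method names are mine, and the assumption that quotation numbers consist of decimal digits only is mine as well (the slide does not say what a quotation number looks like).

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

public class QuotationDocumentsDao {

    // The query from the slide with the concatenated value replaced by a bind marker.
    // The SQL text is now a constant: whatever the caller passes can only ever be a value.
    private static final String COUNT_EXPIRED_DOCS =
          "select count(*) as number "
        + " from required_documents rd, "
        + " required_documents_quotations rdq, "
        + " quotations q, documents d "
        + " where rd.id = rdq.id_document "
        + " and rd.id = d.id "
        + " and rdq.id_quotation = q.id "
        + " and q.end_date > sysdate "
        + " and rd.status = 'EXP' "
        + " and q.quotation_number = ?";

    // Assumption (not stated on the slide): quotation numbers are decimal digits only.
    private static final Pattern QUOTATION_NUMBER = Pattern.compile("[0-9]{1,18}");

    /** Allow-list check applied before the value ever reaches the database layer. */
    static boolean isValidQuotationNumber(String quotation) {
        return quotation != null && QUOTATION_NUMBER.matcher(quotation).matches();
    }

    /**
     * Hardened replacement for the slide's snippet: the value is validated and then
     * bound with setLong, so it travels to the database separately from the SQL text.
     */
    static long countExpiredRequiredDocuments(Connection conn, String quotation) throws SQLException {
        if (!isValidQuotationNumber(quotation)) {
            throw new IllegalArgumentException("quotation number has an unexpected format");
        }
        try (PreparedStatement ps = conn.prepareStatement(COUNT_EXPIRED_DOCS)) {
            ps.setLong(1, Long.parseLong(quotation));
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getLong(1) : 0L;
            }
        }
    }

    // Offline demonstration of the allow-list; the query itself needs a live connection.
    public static void main(String[] args) {
        for (String input : new String[] {"20180042", "", "ABC-123"}) {
            System.out.println("'" + input + "' accepted: " + isValidQuotationNumber(input));
        }
    }
}
```

The bind parameter is what removes the injection: the database receives the statement text and the value through different channels, so the value cannot change the statement's structure. The format check is a second, independent layer that also rejects garbage early and gives the SAST tool nothing to flag.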
23. SAST - Static Application Security Testing
  String key = "A Fixed Password"; // 128 bit key, hard-coded in the source and visible to anyone with the binary
  // Create key and cipher
  Key aesKey = new SecretKeySpec(key.getBytes(), "AES");   // getBytes() uses the platform default charset
  Cipher cipher = Cipher.getInstance("AES");               // "AES" alone means AES/ECB/PKCS5Padding: no IV, no integrity check
  // encrypt the text
  cipher.init(Cipher.ENCRYPT_MODE, aesKey);
  byte[] encrypted = cipher.doFinal(password.getBytes());
#SSDLC@imolinfo
24. SAST - Static Application Security Testing
#SSDLC@imolinfo
25. SAST - Static Application Security Testing
What’s wrong with you bro’???
#SSDLC@imolinfo
29. Equifax Data Breach
#SSDLC@imolinfo
In March 2017 a serious flaw in Apache Struts 2.x was
disclosed (CVE-2017-5638)
▪ The vulnerability allows Remote Code Execution
▪ Equifax Inc., a large US credit reporting agency, was the
victim of an attack via this flaw
▪ Data of 145.5 million US citizens was stolen
31. Software Component Analysis
Know your software and
its vulnerable components!
“OWASP TOP 10 2017:
A9:2017-Using Components with Known Vulnerabilities”
#SSDLC@imolinfo
Any lesson learnt from the Equifax data breach?
32. Software Component Analysis
Answer to questions such as…
…what components am I using?
…what vulnerabilities am I inheriting?
…where am I using this component?
#SSDLC@imolinfo
39. Zed Attack Proxy
Components in the diagram: Automated Tests, HTTP Proxy (reverse proxy), ZAP Proxy, Application, CI Suite
1) Users and automated tests reach the application through a reverse proxy
2) The reverse proxy uses ZAP as HTTP proxy for the connection to the application
3) ZAP passively records and scans the requests of users and automated tests
4) A CI job fires ZAP active scan tests
5) ZAP tries to attack the application exploiting the recorded requests
6) A CI job collects reports from ZAP
#SSDLC@imolinfo
40. Don’t rely only on tools…
Perform routine
code reviews
#SSDLC@imolinfo
Security is a matter of
people and processes
Build awareness
through education
42. CVSS – Common Vulnerability Scoring System
#SSDLC@imolinfo
Base Metric Group
  Exploitability Metrics: Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), User Interaction (UI)
  Scope (S)
  Impact Metrics: Confidentiality Impact (C), Integrity Impact (I), Availability Impact (A)
Temporal Metric Group
  Exploit Code Maturity, Remediation Level, Report Confidence
Environmental Metric Group
  Modified Base Metrics
43. CVSS - Common Vulnerability Scoring System
#SSDLC@imolinfo
Base Score Range
Severity | CVSSv2   | CVSSv3
None     | N/A      | 0.0
Low      | 0.0-3.9  | 0.1-3.9
Medium   | 4.0-6.9  | 4.0-6.9
High     | 7.0-10.0 | 7.0-8.9
Critical | N/A      | 9.0-10.0
44. CVSS - An example?
CVSS 10
CVE-2017-5638
(Equifax Data Breach Vulnerability)
#SSDLC@imolinfo
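How the base metric group turns into the score on this slide, as an added Java example that is my code and not part of the deck: it implements the CVSS v3.1 base-score equations with the specification's metric weights and maps the result to the v3 rating bands of the previous slide. The vector string in main is a constructed one for a network-reachable, low-complexity, unauthenticated remote code execution whose effect crosses the scope boundary; such a vector scores 10.0, the value the slide gives for CVE-2017-5638.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class CvssV3Base {

    // Metric weights from the CVSS v3.1 specification.
    static double attackVector(char v) {
        switch (v) { case 'N': return 0.85; case 'A': return 0.62; case 'L': return 0.55; case 'P': return 0.20; }
        throw new IllegalArgumentException("AV:" + v);
    }
    static double attackComplexity(char v) {
        switch (v) { case 'L': return 0.77; case 'H': return 0.44; }
        throw new IllegalArgumentException("AC:" + v);
    }
    static double privilegesRequired(char v, boolean scopeChanged) {
        switch (v) {
            case 'N': return 0.85;
            case 'L': return scopeChanged ? 0.68 : 0.62;
            case 'H': return scopeChanged ? 0.50 : 0.27;
        }
        throw new IllegalArgumentException("PR:" + v);
    }
    static double userInteraction(char v) {
        switch (v) { case 'N': return 0.85; case 'R': return 0.62; }
        throw new IllegalArgumentException("UI:" + v);
    }
    static double impactWeight(char v) {
        switch (v) { case 'H': return 0.56; case 'L': return 0.22; case 'N': return 0.0; }
        throw new IllegalArgumentException("impact:" + v);
    }

    /** CVSS v3.1 "Roundup": the smallest number with one decimal that is >= the input. */
    static double roundUp(double x) {
        long i = Math.round(x * 100000);
        if (i % 10000 == 0) return i / 100000.0;
        return (Math.floor(i / 10000.0) + 1) / 10.0;
    }

    /** Parses "CVSS:3.1/AV:N/AC:L/..." into metric -> value; the version prefix is skipped. */
    static Map<String, Character> parseVector(String vector) {
        Map<String, Character> m = new LinkedHashMap<>();
        for (String part : vector.split("/")) {
            String[] kv = part.split(":");
            if (kv.length == 2 && !kv[0].equals("CVSS")) m.put(kv[0], kv[1].charAt(0));
        }
        return m;
    }

    static char metric(Map<String, Character> m, String key) {
        Character c = m.get(key);
        if (c == null) throw new IllegalArgumentException("missing metric " + key);
        return c;
    }

    /** Base score: impact and exploitability sub-scores combined according to Scope. */
    static double baseScore(String vector) {
        Map<String, Character> m = parseVector(vector);
        boolean changed = metric(m, "S") == 'C';
        double iss = 1 - (1 - impactWeight(metric(m, "C")))
                       * (1 - impactWeight(metric(m, "I")))
                       * (1 - impactWeight(metric(m, "A")));
        double impact = changed
            ? 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15)
            : 6.42 * iss;
        double exploitability = 8.22 * attackVector(metric(m, "AV")) * attackComplexity(metric(m, "AC"))
            * privilegesRequired(metric(m, "PR"), changed) * userInteraction(metric(m, "UI"));
        if (impact <= 0) return 0.0;
        return changed
            ? roundUp(Math.min(1.08 * (impact + exploitability), 10))
            : roundUp(Math.min(impact + exploitability, 10));
    }

    /** Qualitative rating from the CVSSv3 column of the Base Score Range table. */
    static String severity(double score) {
        if (score == 0.0) return "None";
        if (score < 4.0) return "Low";
        if (score < 7.0) return "Medium";
        if (score < 9.0) return "High";
        return "Critical";
    }

    public static void main(String[] args) {
        // Constructed vector: network, low complexity, no privileges, no interaction, scope changed, full impact.
        String v = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H";
        double s = baseScore(v);
        System.out.println(v + " -> " + s + " (" + severity(s) + ")");
    }
}
```

The practical lesson for triage is visible in the equations: Scope changed multiplies the sum by 1.08 and raises the Privileges Required weights, which is why a flaw that lets an attacker break out of the vulnerable component's own security boundary lands in the Critical band even when each individual metric looks ordinary.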
45. WRT - Weighted Risk Trend
#SSDLC@imolinfo
Weighted sum of vulnerabilities, multiplied by the application risk factor
Example
Blocker: 4 x 2.5 = 10
Critical: 133 x 2 = 266
Major: 508 x 1.5 = 762
Minor: 314 x 1 = 314
Application Risk Factor: 1.5
WRT = (10 + 266 + 762 + 314) x 1.5 = 1352 x 1.5 = 2028
46. Security in a CI/CD process
#SSDLC@imolinfo
Software Security Checks Toolchain
Software Component Analysis
DAST (OWASP ZAP)
SAST
Continuous Integration
SCM
Issue Tracking
Artifact Repository
Container Security
Platform
Application
Collaboration Suite
SIEM
47. Key Takeaway points
TOOLS can help you, but use them WISELY
#SSDLC@imolinfo
Security CAN fit your software development PROCESS
Build security AWARENESS in your organization
Security is TESTABLE and MEASURABLE in an
AUTOMATED fashion
48. Do you have any
question?
42!(*)
(*) If you don’t know why 42 is your answer, I’ve got some bad news
for you… Black Hats are the least of your problems:
Vogons are on the way!
#SSDLC@imolinfo