
BSidesIOWA 2015 Track1: Integrating Vuln Scanning into the SDLC by Eric Johnson

BSides Iowa | 35:33 | Published 2015-04
About this talk
The Agile and DevOps software development lifecycles present interesting challenges for application security. How can security keep up with rapid development cycles, a constantly changing code base, and continuous deployment schedules? The answer lies in an automated security framework that is integrated into the development lifecycle. This presentation will demonstrate how to integrate a new application security testing framework into your build environment. Popular open-source vulnerability scanners, such as the Zed Attack Proxy (ZAP), will be leveraged to provide real-time feedback to development teams, allowing them to remediate vulnerabilities before they reach production.
Transcript [en]


Did anyone see the last talk? I didn't. I apologize, I didn't realize that was a requirement to speak this week. So we're going to talk about vulnerability scanning integration. We're taking a slightly different approach, we'll call it the poor man's version. There's no Jenkins, there's no [inaudible], none of those things. The idea is: let's go open source, let's use the tools that are out there, and combined they are probably as powerful as a lot of the professional versions of all these things. And we're not really going down the penetration test route either. How many of you out there love to break things and love to send reports out to clients and drop them off on their desks and laugh and walk away? Right, we're on the red team, we like to break stuff. But we're also going down the path in this talk of: what if we actually helped our development teams avoid these things before they pushed them to production? Would it make our lives a little bit easier? Who's broken an app so bad it took him a week to write the report up? How nice would it be to only have 10 issues in the report instead of 35? A lot less screenshots. So those are the types of things we're thinking of.

What I do with most of my free time when I'm not working: I do some teaching with the SANS Institute in the application security curriculum. My name is Eric Johnson. I am local here in Des Moines as of the last year and a half or so. I was out in Vegas for eight years before that, learning how to circumvent the casino security operations. I'm just kidding, don't do that, you'll get thrown in jail. My email address is up here on the slide; we'll show it again at the end if you have interest. We have some slides later hoping to invoke some participation from the community. Go ahead.

My name is [inaudible]. So I actually teach SANS with Eric, and a lot of the stuff... my email's up here, so is my Twitter handle, feel free to reach out. If I don't know the answer I'll make it up, so feel free to ask any question you want.

Our agenda: we're going to talk about our problem, I've kind of mentioned this already; we're going to go through what our requirements are for this scanning framework; we'll talk about the solution; Aaron has a fun demo he put together; and then you can ask all the fun questions that you want. So this is a percentage up here, 21.6%. This has not been released yet, but working with SANS I have this a little bit before my webcast, when I officially announce it in a month. This is the percentage of development teams that are responsible for their own security testing, based on the survey that we had five or six hundred people answer over the past three months. So how many developers in the room? Got one, two, a couple people. So let's pick on you, right. Do you do your own security testing? Somewhat? Somewhat, that's better than no. Yes? Yes. So you are in the minority. Two out of three, that's good, but you're at a security conference, so it kind of leads me to believe that you know a little bit more about why these things are important than most of the people that are writing code in our developer community. I'm just guessing.

So what are the excuses for not doing this? Number one, I hear it all the time: security is not my job. It's not my job, man, that's the security team's job. Have we heard this before? How many of you delivered a report to a dev and said, well, you're doing that... I don't worry about that, it's not my problem, that's what QA is for, right? Yeah, QA. I did a talk at a QA group here in Des Moines last week and tried to teach them how to do some security testing. So it's not their job either, according to the group that I talked to. So whose job is it? Everybody. It's everyone's job. Come on, I know it's the afternoon. Excuse number two: I don't have time. I have deployments to meet, I have features I need to add, and they make my company money, so I have to do that, I don't have time for security. That's excuse number two. What happens if you get breached? How much money is that going to cost your account? More than missing a deadline, we'll say that much, depending on your data. And number three, and this is my favorite one, where the dev team actually says, Eric, I love this scanner, and they're just telling me that so I'll stop asking them about it. They're not actually using it. So it's good, it's smart, it's licensed, right? You're good. Yeah, Fortify is installed on their machine, so that means that they're secure. That's good. So these are the excuses I run into.

And then we have our friend at Microsoft. Does anyone remember when this announcement came out? It's pretty powerful coming from one of the biggest companies, the CEO of one of the biggest companies in the world, and this was back in... I'm blanking on the year, when they really hit a low point in security and Windows was just so full of issues. We started talking about, you know, what's the next step, and he sends this email out to the entire company and says: when we face a choice between adding features and security, from now on we have to choose security. Have you ever received a communication like that? Pretty solid though, right? That's direction from the top level going down. Do you think the development teams at that point found time to do security testing? I would say so. That's probably pretty effective. So there's always this method, but the problem is not everybody does this. So that's our issue that we're trying to solve.

And then we have our questions. Okay, so let's assume that I now believe I should be doing my security testing, and you're just getting started. Lots of people in this room, we're at a security conference, we know this information. But one problem I find in our industry is that we're not very eager to help other people learn about it. Oh, I know this super secret method to do something, and I know it and nobody else does, and I'm not going to tell you how to do it, because I'm on the security team and I can come over to your desk and... oh, check this out, get out of the way. Has anyone seen that SNL skit? Move! And they type on the keyboard. Move! Right? So we need to tell them what type of scans they should run, show them how to do it. It makes our life easier; every scan they run is one less. And then most importantly, the third one is: what the hell do the results mean? Cross-site scripting, what is that? So we have to train everyone on the teams. Security is everyone's job. So that's what we're trying to accomplish: we want to get these results down in front of the development teams so they can fix the problem before it actually gets to our desk. What a novel concept, right? Okay, those are the common questions we see.

So when we sat down and said, let's try to think of something simple that we can do, it'll be a framework, we'll call it for now; we have a slide later where you can all vote on the name for this thing. And what should we have it do?

Okay, we need some security tools in, and they should probably be free, because if we're small shops then we don't have money to spend 20K on a Fortify license or 25K on a lot of these commercial scanners. So let's start with the basics. Let's use ZAP; SSLyze to look at our SSL config; it does cost a little bit of money but it's reasonably inexpensive; Nmap's free; FindBugs, Nikto, w3af, Skipfish. We've got all sorts of these scanners that all have some API capabilities that we can run against our sites and try to gather some preliminary findings. So that's step one.

And the other thing we wanted to do is we wanted to be able to let you write your own plugins. So let's say you went out, you dropped 25 grand on a scanner; you should be able to add it into our solution, right? Run it every time you check in. So new plugins, scalability is important. And then the benefits: we're scanning as things are being pushed out to the test environment. Now here, as soon as you check in, it's going to kick off a build, right? Everybody, it's going to run a build, that build is going to break or not break, let's kick off a few more tests, let's go ahead and do a deploy onto the test website, let's run all these against it, and then let's turn around and bring back a list of all the issues it found. Did that cost us anything? Not really, a couple CPUs' time, 13 cents' worth of power. [inaudible] a whole turkey dinner... you can scan... I choose turkey. Second, we need a consistent and repeatable process, because if we fix everything the first time, what happens if we do it differently the next time around? So we need to know what the scan results come up as the first time, do a diff so we can see the next time around, make this a tight iterative process, similar to our Agile and DevOps movements. We're trying to keep up with the speed of development, because it's impossible doing things the way that we currently are. And our end goal of course is to release more secure code to production, right? If there aren't security issues before it goes to QA, the chances of getting issues before it goes to production are minimized, and we're fixing them in the beginning where it's cheap, while the developers are writing the code. To have them rewrite is expensive.

Go back. So what did we come up with? Well, about 12:30 this morning I decided that we could finally land on a solution, and so here's where we're going to start. We have the name, we're not quite sure on this one yet, we'll let you all decide, we'll come up with the name later, it's less important. My personal favorite is the Secure Lifecycle Usage Tool, but just like our last tool, the Secure Header Insertion Tool, Eric wouldn't let me name that one either, so we used Module instead, so we went with SHIM.

The goal: near-real-time feedback to development teams. So what if they could do this: they could push a button, and what if it was integrated into their build cycle and it was something they had to do as code was being moved out from test to UAT to prod, all those types of things. Plugin: I can right-click locally real quick, give me a quick scan and see if there's anything that's nasty before I go. Yeah. And the other thing, we wanted it to be repeatable and consistent, right? Everybody remember all the command line options for all the open source tools they use? SSLyze... hold your [inaudible], right, turn around three circles, right, exactly. So we wanted it to be automated. Let's just forget all that stuff and let the scanner...

So our server side: well, of course we're in a REST world, so let's create a REST API, and what if we called the REST API and it actually returned some information back to us in the same format regardless of whatever tool we call? We can call 10 different ones, and if they are all speaking the same predefined format then we can start to parse these, build some rules around them on the client side, and guess what, we can display that to whoever it is that called the service. So that's what we wanted to start with. The other thing is we want to execute all scans server-side. Anybody in an environment where you need to know what IP is bringing this really nasty traffic down? Yeah, once or twice. Or if we're going to do a scan on our remote server, they want to know where it's coming from so they can put some rules in place through the firewall, right? Same kind of thing. We want to make sure that everything lives in a safe place, or at least we know where it's coming from. Then our client side is the most exciting, because this is really whatever we want to use. I wrote a Python client last night to pull it down, proof of concept. This could easily be written in whatever language you want, and we'll talk about some ideas we have for this here in a little bit. The idea is: let's execute our server side code, we retrieve and display the results. Pretty simple concept. Make it go.

So what we have, quite simply, is... somewhere here. You probably want to see it too, huh? Man, that's what you get for using Windows. Oh, knock it out, let's start your hating. I wrote it in Java so you could use it on your Mac. You know how I hate Java. All right, so our first initial thought of this was, let's automate Burp, right? We use Burp all the time. We started with Burp, this whole thing started with Burp, and we said, you know, we can write a Burp plugin that would ex... easy for me to say. Red lips, I'm so sorry. It's a good thing you don't speak for a living. I know, right. So we're going to automate Burp, we're going to write a plugin that would implement, export... I'm going to stop saying all those words, just insert your own word that works there. An API that would allow us to automate Burp, go in and set it and have it automatically spider a site, have it automatically do some of the base attacks, right? Burp's a great tool, 300 bucks a year, can't beat it. Turns out ZAP does all that for free. It's got a built-in REST API, right? So if I just go to my local port against ZAP, whatever the proxy's running on, it automatically has a REST API. I can go to the local API and I can do things like spidering a site. I can come down here and I can say scan a URL, and I can say open cf. CDD exploit. net, scan it, and down here in ZAP it's actually... theoretically nice. Now you need a .net at the end, shouldn't... oh, is it .net? I don't know, that's what you said. I don't know. Anyway, if I knew how to run the tool you could actually run it from the API. But see, it's not repeatable and consistent, because I can't even type the stupid thing. So what we decided: let's just put a server in front of that. Let's say that we're going to have a set of processes, right, and all we're going to do is a REST API that we can do things like spider a site.

And when I say to spider the site, I want you to fire up ZAP, go to a website, look up the information, run the active scanning against it, find any of the alerts and bring them back to me, right? Six steps that I can automate because of that ZAP API. So as you can see, we're going to list all those out. So we just call process list. If we want to find out what they do, we can get the detail. Again, it just comes back in JSON, so I can run it any way I want, format it, turn around and play with it. This one uses a ZAP proxy to run a spider on it, and then if we actually want to scan it, we can just... it is done, we can just tell it to process and that calls a scan. It's a really simple interface on the inside. I'll let this run for a second because it takes a minute to spider the site, but you can see that it's already gone into ZAP, it's found that site, it started spidering it and it's working on the active scanning. So in the code itself it's really simple. All you need is a doScan method on your object. So in here on the OWASP code all we do is stand up one of their client APIs, tell it to go get the data, get the alerts, whatever, tell it to do an active scan and then bring back the data for us. And what we end up with is this neat little list of alerts coming out of the active scans, which is going to match our list over here. Here's all the 36 things that it found, which is all great if you like to read JSON. Anybody here got JSON eyes? After about two minutes all the squigglies become squares, become Martian reading, and I can't understand anything. It's kind of the way I am. So Eric was nice enough to write a little parser for us, and it's just a real quick: stand up the server, hit our REST server, call the SSLyze client against the domain, call the ZAP spider against the domain, and then put it all in a neat little HTML format.

So if I run that Python script, it's going to come by, it's going to run those, pull those same JSON objects, bring them back and throw them out to an HTML file. So now you can see SSLyze is done. One of the things we did with the SSLyze client: anybody here run SSLyze all the time? Do you do the same thing over and over and over? You look at an SSLyze report, you look, oh look, 112 bits, cite that. Look, I found out that they're using DES, cite that. I found out they're using RC4, cite that. They're using SSL v1, v2, v3, doesn't matter, cite that. Right, it's the same thing over and over and over. Well, why not automate that? So if you look over here in the SSLyze code... get out of here... you're going to find some basic rules. If you find the index of 112, we know that there's a bit problem, so we're going to create an alert for that. And what we end up with on the back end then, on the client system, we can pull up the results of this tool and you're going to see SSLyze found problems, right? Found an RC4-SHA, found DES issues, more RC4 and DES issues, right? And then we have all the alerts that came out of spider site. Could we filter those down, decide which ones are right, those kinds of things? Yeah, sure.

So now we've got all this information that we can pull and automate and take action on. If we wanted to turn around, use that client and instead push it out to TFS, create bugs for everything that we found, is that difficult? No, a couple lines of code, right? We want to do the same thing with Jira or any of the other ticketing systems; there's already libraries out there for us to do all that stuff. So let's use these automated sources, let's push them through, and we can add any tool we want. All I have to do is add in another command line operator or another Python call or whatever we want to do to get that data back, and then just parse the results into a format that we can understand over here. So, any questions about that? Good, because I'm not going to answer any. Oh, too late, sorry, you missed your opportunity. Just kidding. What you got?

Sure, so that's in our future enhancements: to be able to take those and say, you know, on this application this reporting is a false positive, and... we don't want to create a ticket every single time. I don't know if you've ever used a little tool... I'm not going to say Mortify, but if you happen to use that tool, every time you run it it reports the same false positive. You can turn around and say, oh, this is not an issue, and then it moves by lines and it doesn't [inaudible], and now you've got the same false positive. Yeah, that's one of our goals.

So our thought with this is to do a lot of the upfront standing, do the bas[inaudible]... do the same thing, so I know exactly what you're talking about, get through there, you get... oh, I get [inaudible] results.

Yeah, preconfiguration will be big for those types of sites. You'll have to make sure your spider's accurate, give the tool what it needs to get in there and actually give you some accurate results and flow paths through your application.

[inaudible] and one of the things we're trying to automate here is [inaudible]. And yes, it's pretty [inaudible] project, [inaudible] a lot of... think, yeah, but they actually have compiled... I wouldn't know.

So where are we going next? Well, number one, we need to pick a name. Other than that, then we can [inaudible]. Let's automate that stuff in our job itself, let's push that stuff through and find out, hey, what can I automate, make it easier. We want to put an add-on on it, a couple say yes, allow. And the best part for your question is, in this interface it'd be nice if you have a spider that's not working, we know it's not quite reliable, we can go and put all those endpoints into the app and make sure the scan actually hits all of those requests. So if you pre-capture, pre-configure, then we know the scanner is testing what it needs to test, and we only have to iteratively update it as we build out new endpoints in our app.

Things of that nature, like do some plugins, Visual Studio, you can [inaudible] your code right there, run that scanning server, let it hit, kick it off, find out what's going on in what you just wrote while you're doing your [inaudible].

Going back to your false positives, there's two opportunities for false positive removal here. We can go to the server side, and in that parsing code we can say, okay, we know these are bad, remove them for your environment. Even on the client side, that's another opportunity to strip those out before you actually display that report out to your users as well.

[inaudible] So all kinds of open stuff that anybody... to take your input, put it in, make it a real [inaudible] concept.

Hey, you should [inaudible] at this, I just [inaudible].

So [inaudible] now... figure out a name... go there. SANS, maybe put this in here, there's their application security curriculum slide. If you or your organization needs training for your software development teams, they have an entire curriculum dedicated to that. And that looks better. And we didn't bring... we didn't bring beer either, but we do have whiskey, so, just saying, forget the candy. So, plenty of time for questions, comments. Does anyone have a good name? That's the most important question. I know, I don't want to put you on...

Sure thing, you can throttle all these scanners down, they all have [inaudible]. So these are again configuration things. Say we get to the point where we can release this as a Linux distribution, for example, and you can install it down in your... maybe in a network where all of your apps are deployed, and we get on there, let's configure ZAP to throttle back, or Burp to throttle back if we need to. I know we've all tripped WAFs and all those things before on accident and got ourselves in trouble, got ourselves logged out on accident. So, on accident, that's why I protect myself. So yeah, those are all things to keep in mind, and if we do have those things in place we probably want to disable them in our test environments for this particular purpose, because we're not really testing the application very well either if we do that, right? We're testing a WAF, not our code at that point. So, great observation. There's all sorts of hurdles and we'll have to address those when we get there, and that's why we're hoping everyone will jump on board and help us out with this project, because it could be pretty cool. I did like the Jenkins idea from the previous talk, because that'd be a way to schedule these out and launch them from a more foundational scheduling tool, so that could be something to look at also. What we're looking more for... al[inaudible]

Yeah, is there anything before alpha, or pre-... yeah, yeah, I mean the goal is to [inaudible].

[inaudible] there's multiple ways to do it. Eric liked the Jenkins idea because it's... but you know, [inaudible].

The feature that I'll go to next, more to go down the developer path, is I want a plugin for Visual Studio or Eclipse or whatever IDE development teams are using, and I want a big green or red button in there that says scan my app after I deploy it, and I want those results immediately fed right back to the developer that just checked in and released code. [inaudible]

[inaudible] it won't do static analysis. And back in one of the little boxes down the bottom, now you've got a list of all the things that it found, I can...

Yeah, because I don't know about you, but I'm sick and tired of finding SQL injection issues in applications when we could have just showed it to them up front and gotten rid of it six months before we pushed it. Right.

[inaudible] books, the first thing they tell you to do is concatenate SQL to hit a database, right? I want to do a search, "x" plus name plus "x" plus... an injection. That's A1 in the Top 10 list, right? We're talking about tomorrow... Right, are you coming tomorrow? Are you coming to the training tomorrow? We'll spend the whole day giving you very good demonstrations that you can use to get some funding for security training for your development teams. To be continued.

Why [inaudible]... Just put "unnamed product" in the subject. You have a suggestion? How about this: I think the [inaudible] should be [inaudible]. I have a two-year-old. Any other questions? Yeah, keep an eye on our blog too, we'll post some stuff on there, and maybe we should just create a mailing list, so if we create one we'll put it [inaudible].

All right, we're going to be around for a little bit. You got any questions, you want to talk, you want to chat, other than that, that's all we got. You don't have to if you want to follow along.
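The demo code itself is not on this page. What follows is an added example in Python (the language of the speakers' proof-of-concept client), written for this page; it is not code from the talk or from the SHIM project. It sketches the pieces the speakers describe: every plugin returns one common alert shape, the "cite that" rules over a TLS cipher list become code, a false-positive list matches on what a finding is rather than on where it sits in a report, a diff between two runs shows what is new and what got fixed, and the HTML report escapes scanner evidence so a reflected payload cannot fire in the report itself. The ZAP field names (alert, risk, url, param, evidence) follow the ZAP API's alerts view; the TLS suite record shape, the host target.test and all sample findings are constructed for the example and are not real scanner output.

```python
"""Poor man's scan aggregator: common alert format, TLS rules, false-positive
suppression, run-to-run diff and an escaped HTML report (example code)."""
import hashlib
import html
import json
import re

# Constructed sample in the shape of ZAP's /JSON/core/view/alerts/ response
# (field names assumed from the ZAP API; this is not captured scanner output).
ZAP_SAMPLE = json.loads("""{"alerts": [
 {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
  "url": "http://target.test/search", "param": "q",
  "evidence": "<script>alert(1)</script>"},
 {"alert": "X-Frame-Options Header Not Set", "risk": "Medium",
  "url": "http://target.test/", "param": "", "evidence": ""}]}""")

# Constructed list of accepted cipher suites, in a shape a TLS scanner such as
# SSLyze might give (suite name, key size); the field names are an assumption.
TLS_SAMPLE = [
    {"name": "TLS_RSA_WITH_RC4_128_SHA", "keySize": 128},
    {"name": "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "keySize": 112},
    {"name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "keySize": 128},
]

RISK_ORDER = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}

# The "look, RC4, cite that" rules as code: patterns over suite names.
TLS_RULES = [
    (re.compile(r"RC4"), "RC4 cipher suite accepted", "Medium"),
    (re.compile(r"DES"), "DES/3DES cipher suite accepted", "Medium"),
]


def make_alert(tool, name, risk, target, evidence=""):
    """The single shape every plugin returns, whatever tool produced it."""
    alert = {"tool": tool, "name": name, "risk": risk,
             "target": target, "evidence": evidence}
    # Fingerprint what the finding is, not where it sits in a report, so the
    # same issue keeps its id across runs and a suppression keeps matching.
    key = "|".join([tool, name, target, evidence]).encode()
    alert["id"] = hashlib.sha256(key).hexdigest()[:16]
    return alert


def normalize_zap(zap_json):
    """Map ZAP alerts into the common format; URL plus parameter is the target."""
    return [make_alert("zap", a["alert"], a["risk"],
                       a["url"] + ("?" + a["param"] if a.get("param") else ""),
                       a.get("evidence", ""))
            for a in zap_json["alerts"]]


def normalize_tls(host, suites):
    """Apply TLS_RULES and a key-size floor to an accepted cipher-suite list."""
    alerts = []
    for suite in suites:
        for pattern, name, risk in TLS_RULES:
            if pattern.search(suite["name"]):
                alerts.append(make_alert("tls", name, risk, host, suite["name"]))
        if suite["keySize"] < 128:
            alerts.append(make_alert("tls", "Cipher strength below 128 bits",
                                     "Low", host, suite["name"]))
    return alerts


def suppress(alerts, suppressions):
    """Drop known false positives. A suppression matches tool + finding name
    + a target regex, so it does not break when code moves between runs."""
    def suppressed(a):
        return any(s["tool"] == a["tool"] and s["name"] == a["name"]
                   and re.search(s["target"], a["target"]) for s in suppressions)
    return [a for a in alerts if not suppressed(a)]


def diff_runs(previous, current):
    """Compare two runs by alert id: what is new, what got fixed."""
    prev_ids = {a["id"] for a in previous}
    cur_ids = {a["id"] for a in current}
    new = [a for a in current if a["id"] not in prev_ids]
    fixed = [a for a in previous if a["id"] not in cur_ids]
    return new, fixed


def to_html(alerts):
    """Table sorted by risk; every cell is escaped so echoed payloads stay inert."""
    cols = ("risk", "tool", "name", "target", "evidence")
    head = "<tr>" + "".join(f"<th>{c}</th>" for c in cols) + "</tr>"
    rows = "".join(
        "<tr>" + "".join(f"<td>{html.escape(str(a[c]))}</td>" for c in cols) + "</tr>"
        for a in sorted(alerts, key=lambda a: -RISK_ORDER.get(a["risk"], 0)))
    return "<table>" + head + rows + "</table>"


def run(zap_json=ZAP_SAMPLE, tls_suites=TLS_SAMPLE, host="target.test",
        suppressions=(), previous=()):
    """One client call: normalize every tool, suppress, diff, render."""
    alerts = suppress(normalize_zap(zap_json) + normalize_tls(host, tls_suites),
                      suppressions)
    new, fixed = diff_runs(list(previous), alerts)
    return {"alerts": alerts, "new": new, "fixed": fixed, "html": to_html(alerts)}


if __name__ == "__main__":
    first = run()
    # Second run: the missing-header finding is accepted as a known false positive.
    second = run(previous=first["alerts"], suppressions=[
        {"tool": "zap", "name": "X-Frame-Options Header Not Set",
         "target": r"^http://target\.test/$"}])
    print(json.dumps({k: len(second[k]) for k in ("alerts", "new", "fixed")}))
    print(second["html"])
```

One design point worth noticing: because suppression runs before the diff, a finding that is newly suppressed shows up as "fixed" in that run, so the suppression list should live in version control next to the code it describes, and a ticket-creation step would key on the alert id rather than on a line number, which is exactly the complaint about commercial scanners raised in the Q&A.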