
Hello guys, welcome aboard, and thank you, thank you, thank you for joining us. My name is Philippe Peters. I like these guys in this picture, by the way, yeah. So, my name is Philippe Peters. I've been working as a principal security engineer and security researcher at Zup Innovation. It's a Brazilian company focused on exponential growth and on giving an awesome experience to developers, you know, and to people. And I am a security researcher and instructor at HackerSec, and this company is responsible for providing courses on pentesting, red team, blue team and purple team, and other different courses. I am a Hacking Is Not A Crime advocate. It's an awesome, awesome, awesome project, and the idea of this project is to try to explain more about this kind of concept and this culture, because hacking is not a crime: hacking is a mindset, hacking is a lifestyle, and it's about a creative mind. That's our idea for this project. And I'm part of the staff team of the DEF CON Group in São Paulo, and as you can see, I love to be part of many different communities, because I believe it's very, very, very important to be part of this community: you can share knowledge, you can share different subjects and topics, you can give knowledge and you can receive it as well. I've served as a professor at some universities here in Brazil and some colleges, like FIAP and Mackenzie, and I am the founder and instructor of the main course at HackerSec, Malware Analysis Fundamentals. So here is my contact on LinkedIn and Telegram, and this is my email; if you'd like to send me a message to talk with me, to share knowledge, I really appreciate it. And this is the project that I am participating in, and this is my homepage, my webpage. I want to use PowerPoint here in this presentation.

So here are some open source projects that I like, and I will explain more about the Horusec project today. And here, I've been working on other different projects, like Ritchie, which is open source and allows you to create, store and share automations securely, some formulas. And another project, Beagle, is another open source platform: it's a framework based on server-driven UI that allows teams to make changes to native mobile or web applications. It's very, very interesting. And another one is Charles, another open source tool that deploys quickly, continuously and securely, so that all the teams can simultaneously validate different hypotheses with specific groups of users. So here you can find other presentations or talks that I did at some events, and here some articles that I have published, if you'd like to see.

So today, before explaining or doing the demo, I would like to explain some of the differences between these kinds of topics, because I would like to explain more about the difference between SAST, DAST and IAST, as you can see here. But I would like to share this picture, because this picture, I think, explains the differences between DAST and SAST better. I picked up this information from the Synopsys website. It's very interesting, because you can see the differences here in this picture. So here you can find white box security testing, that's SAST: of course the tester has access to the underlying framework, design and implementation. And on the other hand you have black box security testing, where usually the application is tested from the outside. So this is the difference: this type of testing represents the hacker approach, when you try to explore something, to try whether this application is vulnerable. But, as I said, outside in.

Another difference is that SAST requires the source code. So SAST doesn't require a deployed application, you understand: it analyzes the source code or binary without executing the application. We can analyze before deploying the application. On the other hand, DAST tools require running the application, so DAST doesn't require the source code; it just analyzes by executing the application. Another part here is finding vulnerabilities earlier in the SDLC. This is the process, the software development life cycle, when you have the line to develop some software. So the scan can be executed as soon as the code is deemed feature-complete. When you talk about DAST, it finds vulnerabilities towards the end of the cycle, at the end of this SDLC. That's a good point here. Another is "less expensive to fix". Take a look at this, it's a very important thing, because since the vulnerabilities are found early in the SDLC, it's easier and faster to remediate them. But on the other hand, when you talk about DAST, it's more expensive to fix, because you already have the application, so critical vulnerabilities may be fixed as an emergency release. And another is "can discover"... oops, let me put my hand here again. Another is: scans discover runtime and environment-related issues. Since the tool scans static code, it can't discover runtime vulnerabilities, but with DAST you can discover them at run time. If you compare both of them, you can see the difference between DAST and SAST. And SAST typically supports all kinds of software, while DAST typically can scan only apps like web applications and web services. So it's different. So these are important concepts that you need to understand before starting the demo.

So here we have three, two... three other approaches, not three actually, we have the same approach, because here you can understand SAST, static application security testing, because you can test, or usually perform it, before the code is in production, and only on the source code. And by the way, I will explain more about this open source project, Horusec, which is currently labelled as SAST. On the other hand you have DAST; I already explained this. And another is IAST, interactive application security testing, which is another different test. So IAST is a combination of the static and dynamic testing models: basically you can put both of them together and you can realize both of them together. Another interesting approach, to explain the concept, is about the vulnerabilities. So this project, this platform, uses vulnerabilities at different security ranks, six different types of security ranks. The first is critical, it's the highest; another is high; then medium, low, and info, which means giving some information about this kind of vulnerability; and another is unknown, which probably you don't understand what it means, because probably all of us don't know what it is, or maybe another different organization knows what it is. So another explanation is about false positives, because sometimes in your company you have something that maybe is a false positive, like this one, with some information about this database, and you can set this information as a false positive. Another difference is that you can set accepted risk, because, for example, some vulnerabilities, some flaws, you can set as accepted risk: it's not exactly a vulnerability, but you can accept this risk. So it's an important thing. So this is all the explanation about the main concepts that I would like to share with you. OK, so now let's explain more about Horusec. So, Philippe, what is Horusec?
It's very interesting. Exactly, it's an open source framework that enhances the identification of vulnerabilities in your project with just one or a few commands. So basically Horusec is an open source tool that performs static analysis to identify security flaws during the development process. This is very important here, because the idea is to give the power to the developer, in the hands of the developer, to give some security knowledge during the development process of the code. And here we have some languages and tools supported by Horusec, and I will explain more about this. Another thing: you can click here on Documentation, and if you click here it sends you to the overview of what Horusec is. So again, it's an open source tool that orchestrates other security tools. It's very interesting, guys, it's very, very interesting. So Horusec chooses the languages and tools to be used in the project according to the available stack. So check out all the supported languages here, it's very interesting; I will open it here and take a look at how many programming languages and tools are supported by Horusec. Again, it's an open source platform: you can contribute, you can suggest something. Of course it's supported by Zup Innovation, my company, but it's totally, totally open source. So here you can see some languages, like Python, Ruby, JavaScript, TypeScript and Golang; another is C#, Java, Kotlin, Kubernetes, Terraform, leaks. Here you can find another different one, leaks. What does this mean, Philippe? In this case, leaks, because you are talking about the code, not only the flaws in the code, but also the leaks.

Another interesting point when you talk about Horusec: where can you use Horusec? You can use it in a CLI, an intuitive CLI; you can use it in a CI/CD pipeline, I will demonstrate this in the demo at the end of this presentation; and you can use it in any IDE, you know, integrated development environment, and you can set some commands, I will explain more about this. But here is the summary of the important thing, the three main steps, the information that we will receive when you execute Horusec. So Horusec analyzes by performing three different types of analysis, the three main analyses. The first is SAST, which I was explaining to you here: it means static code analysis, static application security testing. Another, very, very interesting, is leaks: it means the leaks check searches your source code for possible leaks of credentials, private keys or hard-coded passwords. What do you mean, Philippe? In this case it's very, very interesting, because sometimes, when you are a developer, you are developing your software, you are coding your project, and sometimes you put some comments in your code, because it's a best practice to comment the code that you are writing, but sometimes you put some sensitive information inside your code, or some keys for AWS or Azure or another cloud provider, for example. And when you suffer some attack, the first step of the enumeration, in a penetration test, or when an attacker tries to exploit your code, the first step is to try to find any leaks or any credentials in your code, because unfortunately it's very common. So Horusec can check whether you have some leaked information inside your code. It's very interesting. Another point is dependency audit: it analyzes the project dependencies to check for vulnerabilities in third-party libraries. So sometimes you need to put some different libraries in your code to call something, and maybe this kind of library is vulnerable. So it's a very interesting point here.

So let me explain more about how you can apply this. First of all, I would like to install Horusec on my machine; you have, you know, everything you need for this, so it's very, very simple. I have here, let me check, oops, let me check here... yes, I have here my folder. It's interesting here: if you'd like, during this presentation or after this presentation, you can use the same code here; you can find it on my GitHub, philippe86/horusec-demo. You can find all this information there, you can copy it, you can clone it into your environment, and you can do the same tests here. So first of all I will install Horusec here on my machine. It's very simple to install the Horusec client on macOS or Linux: you have to run the command below. It's very simple: you copy this, and I will paste it here, take a look at this, and click Enter, and I will set the password, because my user doesn't have privilege to do some things. And here, as you can see, the actual version is installed. So if I type here horusec version, as you can see here, it's this new version. So it's very simple. I have here many projects, meaning actually directories or folders, whatever. So it's very simple to use Horusec here: I will type horusec, I can put the help command here, and you can see all the explanations in the CLI. So the Horusec CLI prepares a package to be analyzed by the Horusec analysis API, as you can see here. So we need to set the Horusec flags or commands and something like that. Here in the first example you can set start, as you can see, and you can set -p equal to, as you can see, exactly the path of your project. So it's very, very simple. So let's put here horusec again, and I will put start, and I can set, for example, --help one more time here, because I like to pause it if I don't know what command to use, what to do here. As you can see, it's a very interesting CLI, with many explanations of some commands here, like -a, where you can set the authorization token for the Horusec API; I will explain that after.

Another point, maybe you will ask me, if you think about it: so, Philippe, I have SonarQube, and what is the difference between Horusec and SonarQube? So SonarQube itself is a very interesting framework or tool focused on the quality of your code, but Horusec is focused just, only on security, on vulnerabilities, flaws, and keys, like, you know, leaks of keys. It means that if you use, for example, SonarQube, you can set here -o and you can set the format for the output to be shown: one option is text (stdout), or json, or sonarqube, with the full text here, as you can see. You can integrate both of these tools: you can use SonarQube to see if your code has good quality, and you can use this other open source tool, Horusec, to see if your code is safe. So if you have this question, I have answered it for you.
So let me explain here. OK, I always get this, I don't know why, but, you know... OK, so let me set here the command horusec start, and if I don't put any path here, I click just on start, and as you can see, it will show this information for me: oh, the folder selected is, take a look at this, this is the folder that I am in here. Proceed? Yes. Oh no, I said yes, OK, and wow, it's running now. When you start the analysis, we skipped a total of 60 files that are not considered to be analyzed; to see more details you can use the flag --log-level debug, if you'd like to see why. So I will set here... I am not analyzing here my code in the many folders that I have inside my machine, in this case. So this is my project, horusec-demo; I have here some vulnerable code and other code that is not vulnerable. So let me explain here the result of this scan. So here Horusec ended the analysis with the status of warning, with the following results: the analysis started here, at... of course, I am recording while I'm talking, doing this presentation. The analysis finished here, so it's about one minute.

So here, take a look at these incredible logs and information here. First of all, the identification of the language: it's JavaScript. The severity is high; do you remember, critical, high, medium and low? So here the identification, take a look at this: line 2, column 13. And here take a look at the security tool: HorusecNodeJS. It means that here the engine responsible for finding this vulnerability is provided by Horusec; HorusecNodeJS is an engine. The confidence of the detection is low. Take a look at this, the exact file where you can find the vulnerability, because you have many folders, many files inside the folders, so this scan will be realized inside all the projects that you set. So the code: child_process.exec. So here, as you can see, exactly the vulnerable code. But, Philippe, I am a developer, I don't understand much about security and I would like to understand more about security. So here we can find the details: using a shell interpreter when executing OS commands. Arbitrary OS command injection vulnerabilities are more likely when a shell is spawned rather than a new process; indeed, shell metacharacters can be used when parameters are user-controlled, for instance. All the explanation about this vulnerability, and here you can find more information: check out this CWE-78, and here is the reference that you can read afterwards, and you can find more information. It's not about what Philippe says to you, or Horusec; it's a Common Weakness Enumeration explaining all the details about this flaw. It's very, very interesting. Here the type is vulnerability, and here we have the reference hash; for example, if you'd like to remediate this vulnerability, of course you can use this hash reference.

So let me explain another two differences. Here you can see the language again, Java, and here the security tool is another one, it's HorusecJava. If you see here below, above actually, you can see HorusecNodeJS: two different engines. But here, if you see another one, it's another language, Go; the severity is medium, but the security tool in this case is gosec, as you can see, another engine. Which means you have different engines inside this project, this platform. It's not a guarantee, but you can improve the security of your code; your code can be safer when you develop, because you have different engines inside the same platform. So you can integrate other different engines here. Another, in the same case: the language is Go, the severity is medium, and the security tool is Semgrep, the Semgrep engine. You see, it's very, very, very interesting here.

But let's suppose, for example, you use the VS Code IDE. So you have here my code again, one more time: you have Java, Kotlin, Node.js, C and PHP and Golang. One more time, I just go here to my extensions, I just click and type here Horusec, take a look at this, Horusec, and you can install this open source tool to improve the notifications of vulnerabilities inside your IDE. After that you just need to click... let's close here... you just need to click on Start Analyze, and as you can see here, hold on, Horusec started the analysis of your code. And here, I think it's small, but you can see "Horusec security analysis running". So it's running the same analysis that you executed in your CLI; now you are executing it here in your VS Code IDE. You can manage both of them: if you are developing and just using the CLI, you can run your CLI, but if you're using a different one, for example an IDE like VS Code, you can execute it inside your VS Code. So here, take a look: JavaScript, all those folders, and here you find it in this code. Take a look at this: if I put the mouse over the vulnerable code, you can find here all the explanation. As you can see here, the correct path of the file, the Java file: high, insecure random number generator. So the app is using an insecure random number generator; for more information check out CWE-330, another reference. And here, guys, take a look at this, the reference to the vulnerable code in your project. Here is another one, like, using a shell interpreter; it's high, as I mentioned and as I showed before in the CLI. In the same case, the explanation and details about the vulnerability, and at the end of this you can find the CWE. And here you can see another interesting point, because take a look at this: it's just info in this case. Take a look at this, nodejs, the injection.js file: info. Do you remember, critical, high, medium, low, info and unknown? Info in this case is "no log sensitive information in console": so the app logs information; sensitive information should never be logged. For more information check out CWE-532.
It means that the code can receive this kind of sensitive information; in this case it doesn't, but it's a warning. So here you can find others and others, and it's a warning here, and another and another. It's very, very interesting.

But maybe you are thinking: oh, Philippe, it's very good, very interesting, but if I had a web platform to manage it, that would be very interesting. And you have it, and I have here the web application. And you just install it: click here, install with docker-compose, because these are basically the requirements that you need to have in your environment: docker-compose, Docker and Linux. However, basically you just copy this git clone here, and I will return to my demo here, yes, demo, I will paste here git clone and you clone it here. It's very, very simple; take a look at this, all this information you can find in our documentation, you can follow it. Go to the horusec folder; if you see here, all the information that I cloned from GitHub. And here, if you see, I have other examples of vulnerable code to try. And I click and I will actually run make install, and after that I install the web application to manage all the vulnerabilities that I am finding in my environment, in my project. So again, it's very simple to install, as you can see, and I'm doing the demonstration again. I finished the demonstration, and the next step is to see here, take a look at this: enter the folder, yes, I did; run the command make install, yes, I did; and access the Horusec services. This is localhost, just for the demo. So when you see the password, again, one more time, it's just for the demo; when you set up your environment you need to change this default password, please, you need to change it, so pay attention to this.

So I will put here another: manage workspace. This is a reference from other demos and other events that I did. I will add this workspace, I will call it "demo", very creative. This is my workspace. I will set the token, I will add the token, I will call it "demo", awesome, and when you copy this... why am I doing this? Because all those... let me go to the examples here. I have many different examples; go to the javascript folder, javascript, that's good, OK, this folder, I have one example. I will execute here horusec start, and you set here -p, OK, I will put ./ because I will use this folder, OK, and I will set here in this case -a, because this is the token authentication. So I will paste my token, the one I created here, and I put it here, and all the information that I find here will be sent to my manager, because all this information I will have inside this manager, in this web application, to manage all this information here. So take a look at this: I just found one vulnerability, in Java, because it's just one example. So let me return here, and I close the box in this case, I got it, I close here, and I will go to the dashboard, to the workspace, and I need to go to my workspace, "demo", the demo workspace, click here. It's one developer, I am a developer; vulnerabilities found, it's just one; it's high, as you can see, OK, it's one, it's Java, perfect. In this case it's high, as you see in the CLI. Have you seen the CLI? Yes, you see. Let's check here: Java, high, about the HorusecJava engine, this is the vulnerable file, and the total is one vulnerability; as you can compare here, it's the same. If you put your mouse here you can find the information: insecure random number generator, the app is using an insecure random number generator. So take a look at this, all the information you can find here.

So let me execute one more time, but in a different folder. Here, let me go to home and start... demo, demo, yes, in horusec-demo, do you remember, here, OK. So let me set one more time the same horusec start -p, OK, because I am including this folder, because I have more than one here, you remember, and the same token to receive all the information. And I think here... do you remember how many vulnerabilities we have here? I think it's 15 or 13, I don't remember the exact number, but I will receive the code here, let's see, and because I set here the token authentication, all the information I will send to the manager. Take a look at this, very, very, very interesting here. So it's finished here, and that's not 15; in this case it's seven possible vulnerabilities: in this case it's two high, four medium and one low. If you return to my web application, take a look at this, I will just update here. It's just the one, of course; I am a developer, because I am doing my registry here in this dashboard, and as you can see here, more than one different vulnerability here. Oh, OK, so take a look at this, did I put it correctly? Let me check here; I think I didn't set it correctly. OK, let me copy the token here, yes, it's OK, one more time here, let me check. Before, is it good here? OK, of course I need to click "demo"; it's not in the other one, it's in demo here, and now it's OK here. As you can see it's seven, do you remember, as you can see here, seven, and another one we have, because when I executed the first one I just received one vulnerability, and after that I executed again and I had seven, so seven plus one is eight in this case. And we have here all those vulnerabilities: Go, and you have JavaScript and Java here, and take a look at this, all the vulnerabilities explained in this dashboard. And here, take a look, if you click here on Vulnerabilities, take a look at this, this is the hash reference that you can find, and here is the status, the state of the vulnerability, because you can manage it in your environment: you can set risk accepted, false positive, or corrected for this vulnerability. For example, if you set here "corrected", because you manage your code, you put it as corrected in your environment, because you fixed this vulnerability. So it's very, very interesting.

But to get to the end of our presentation, maybe you are asking about using it in a pipeline, in your CI/CD. You have here other possibilities. So here you can install it via pipeline; I have here GitHub Actions. So basically you can copy this, you set your job, you run the installation of the binary, and after that you set horusec start -p, the same case, and -e you set to true, because you receive an error in this case; if you receive the error you can break your build, you can break your pipeline. So after that, of course, if you would like to send all this information to your manager, you need to set here the API of the manager and the authentication token after. So it's very, very simple. And here you can use it, for example, in AWS CodeBuild, you can use it in CircleCI, you can use it in Jenkins, you can use it in Azure DevOps Pipelines, and GitLab CI; all those pipelines, all those CIs, you know, were tested by Horusec.

So here I finish my presentation. I hope that you liked it, and if you have any questions, please let me know. Here is the GitHub of the Horusec project; again, it's an open source project. And here is the roadmap of the project, and here more information about contributing; if you'd like, you can contribute, again, you can open a pull request on this project. And again, if you have any question, please, please let me know, and thank you, thank you one more time for being here with me during this conversation, and have a nice day.