© 2014 IBM Corporation
Static Application Security Testing Strategies for Automation and Continuous Delivery
Presented by Aspect Security and IBM
Presenters
Kevin Fealey
• Lead, Automation and Integration Services @ Aspect Security
• 5+ years of experience with SAST and DAST tools
• @secfealz
William Frontiero
• IBMer
• Senior Worldwide Escalation Engineer, AppScan Source
• 10 years SDLC experience, including 2 years of SAST tools
Takeaways
• What is SAST?
• Common SAST Usage
• SAST Automation
  – Provide faster feedback to developers
  – Simplify the security analysis workflow
• Incorporating Open Source Tools
  – Looking at the AppScan SDK
  – Jenkins Plugin
• Next Steps
  – Improved AppScan Source API
  – Application Server Importer
What is SAST and Why Do We Need It?
Why do we need tools?
• More apps to review
• Flat AppSec budgets
• A need for scalable, efficient solutions
• Vulnerabilities are being introduced
This is starting to change, but slowly…
When to Fix Security Issues
Fixing an issue in development is 30x cheaper than when it’s in production!
[Chart: Cost to Fix a Vulnerability Depends on When it is Found. Cost per phase: Coding $139.00, Testing $1,390.00, Beta $2,780.00, Release $4,170.00.]
How SAST Works
The servlet method the scanner is run against (deliberately vulnerable: the request parameters are concatenated straight into the SQL query):

    import java.io.IOException;
    import java.sql.ResultSet;
    import java.sql.SQLException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    // Deliberately vulnerable slide example: SQL injection through string concatenation.
    // stmt is a java.sql.Statement field of the servlet (not shown on the slide).
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");   // untrusted input (source)
        String password = request.getParameter("password");   // untrusted input (source)
        String query = "SELECT * from tUsers where userid='" + username + "' "
                     + "AND password='" + password + "'";      // taint propagates (Str.Append)
        try {
            ResultSet rs = stmt.executeQuery(query);           // dangerous call (sink)
        } catch (SQLException e) {
            throw new ServletException(e);
        }
    }
[Diagram: step 1, Compile and translate: the method becomes a graph of nodes (DoPost, GetParam, Str.Append, ExecuteQuery). Step 2, Apply vulnerability rules: the rules match the path that carries data from GetParam through Str.Append into ExecuteQuery.]
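As an added illustration (not code from the slides or from AppScan Source), a toy taint analysis in Python that does what the diagram sketches: it follows data from the GetParam source through Str.Append into the ExecuteQuery sink, and also shows why the rule set matters for false positives. The statement IR, the hypothetical Validate routine and the trusted_apis rule set are constructed for this example.

```python
SOURCES = {"GetParam"}                      # untrusted data enters the program here
SINKS = {"ExecuteQuery": "SQL Injection"}   # dangerous API -> vulnerability type it causes


def analyze(method, statements, trusted_apis=frozenset()):
    """Return [(vuln_type, method, trace)] for one method's statements.

    trusted_apis stands in for custom rules accumulated during triage: a call to
    one is a sanitizer, so its result is clean. Any other unknown call conservatively
    propagates taint from its arguments, which is why a stock scan over-reports.
    """
    tainted = {}      # variable -> list of operations the taint has passed through
    findings = []
    for result, op, args in statements:
        if op in SOURCES:
            tainted[result] = [op]
        elif op in trusted_apis:
            tainted.pop(result, None)
        elif op in SINKS:
            for arg in args:
                if arg in tainted:
                    findings.append((SINKS[op], method, tainted[arg] + [op]))
        else:                                   # Str.Append and any unknown API
            traces = [tainted[a] for a in args if a in tainted]
            if traces:
                tainted[result] = traces[0] + [op]
            else:
                tainted.pop(result, None)
    return findings


# Constructed IR for the slide's doPost: (result variable, operation, arguments).
DO_POST = [
    ("username", "GetParam", ["request"]),
    ("password", "GetParam", ["request"]),
    ("query", "Str.Append", ["sqlPrefix", "username", "password"]),
    ("rs", "ExecuteQuery", ["stmt", "query"]),
]

# The same method after both parameters pass through a validation routine
# (a hypothetical "Validate" API the scanner knows nothing about by default).
DO_POST_VALIDATED = DO_POST[:2] + [
    ("username", "Validate", ["username"]),
    ("password", "Validate", ["password"]),
] + DO_POST[2:]

if __name__ == "__main__":
    print(analyze("doPost", DO_POST))                          # one SQL Injection finding
    print(analyze("doPost", DO_POST_VALIDATED))                # still reported: false positive
    print(analyze("doPost", DO_POST_VALIDATED, {"Validate"}))  # [] once the rule exists
```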
SAST’s Benefits
• Static Application Security Testing (SAST)
  – Analyzes applications at rest (source code/compiled code)
  – Automates code review… to a point
  – Data/control flow analysis and advanced grep
  – Ex. IBM Security AppScan Source
Strengths
• Can traverse millions of lines of code in hours
• If it can find one instance of an issue, it can find all instances in the application
Weaknesses
• Application must build
• Lots of false-positives out-of-the-box
Common SAST Usage
Continuous Improvement Environment
[Diagram: a cycle of CONFIGURE, SCAN, TRIAGE, ASSIGN, REMEDIATE and REPORT. Products placed on the cycle: AppScan Source (for Analysis, for Development, for Automation, for Remediation) and AppScan Enterprise; only high-confidence findings are passed along the cycle.]
Security Analyst Workflow
Security Professionals using AppScan Source for Security:
• Receive a source code archive
• Extract code and import into AppScan Source
• Scan, resolve compilation issues (often many)
• Triage scan results
• Export or write report
• Deliver Report
• Begin again with a new application
Total time: 2-3 weeks / application
• Applications are scanned once per year or less
• Minimal carry-over for subsequent scans
Developer Workflow
Any developer using AppScan Source for Development:
• Click scan
• Wait for scan to complete
• Triage scan results
• Resolve vulnerabilities
• Check code into central repository
Total Time: ½ - 1 day
• Developers cannot develop while scanning (can take hours)
• Developers are not security experts
• Scan workflow interrupts agile workflows
SAST Automation
Automation Components
• Continuous Integration (CI) Server (ex. Jenkins)
• AppScan Source (or other SAST tool)
• AppScan Enterprise (or other Dashboard/Reporting tool)
• Source code repositories (SVN, ClearCase, git, etc.)
Example Architecture
Security Analyst Workflow
Security Professionals using AppScan Source for Security:
First Scan:
• Sync Code
• Import into AppScan Source
• Scan, resolve compilation issues
• Configure scan frequency in CI server
Total time: 2-3 days
Subsequent Scans:
• Log into CI server
• Click Scan
• Download assessment file and triage scan results
Total time: 1 day
[Chart: Security Engineer Scan Workflow Time in Days, per application, split into Scan Configuration and Subsequent Scans, Current Workflow vs. Automation Workflow; y-axis 0 to 12 days.]
Centralized Bundles
Use of a centralized environment drastically reduces the time required for subsequent assessments.
[Diagram: Initial Scan: scan results are downloaded from the Scan Server, the Security Analyst triages them, and the triaged results are uploaded as a bundle. Subsequent Scans: scan results are downloaded, findings already triaged are matched against the bundle, and only new findings are triaged (and bundled).]
Developer Workflow
• Any Developer (IDE Plugin optional)
• Check code into central repository
• Receive high-confidence findings via e-mail
• Resolve vulnerabilities
Total time: Minutes
[Chart: Developer Scan Workflow Time in Days, per application, Current Workflow vs. Automation Workflow; y-axis 0 to 1.2 days.]
Potential Scans Per Year
[Chart: Applications per Security Analyst per year (best case scenario): Current Workflow 26, Automation Workflow 65.]
Enterprise Rollout of AppScan Source: Strategy
[Diagram: the Application Portfolio ordered from Less Critical to More Critical against Coverage / Assurance. Less critical applications get automated Scans; the most critical get a Full Scan/Review plus Remediation Guidance. Arrows: Increase Coverage, Reduce Risk.]
• More time to review critical applications
• More time to find and fix complex issues
Improving Security Visibility
Visibility for Business and Executive Management, Software Development, and Security and Audit:
• Developers receive everything they need to resolve issues.
• Managers receive everything they need to make smart business decisions.
• IT Security receives everything they need to understand compliance risks.
Build/Release Engineer & Dev Ops
• Automate (CI/scripts) simple security checks before each CD release
• No security expertise required
  – If certain vulnerability types are found, do not push release/notify stakeholders
  – Only sees actionable results
• Iterative triage to accumulate vulnerable/trusted patterns and APIs
• Incremental vulnerability reporting
• Only investigate new vulnerabilities to reduce remediation time and focus on what is new and relevant
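An added example (not code from the slides, AppScan Source or the Jenkins plugin) of the "only new findings are triaged" step from the Centralized Bundles slide together with the "if certain vulnerability types are found, do not push release" check above, run over constructed findings. The finding fields, the verdict values and the blocking-type policy are assumptions made for this example.

```python
BLOCKING_TYPES = {"SQL Injection", "Command Injection"}   # release policy chosen for this example

def fingerprint(finding):
    # Identity that survives line shifts between builds: type, file and sink API,
    # not the reported line, so a re-scan does not re-open already triaged work.
    return (finding["vuln_type"], finding["file"], finding["sink_api"])

def incremental_report(assessment, bundle):
    """Split the current scan against the analyst's triaged bundle.

    Returns (new, still_open, release_allowed): findings with no verdict yet (the
    only ones the analyst triages), confirmed findings still present, and whether
    the release gate passes (no new or confirmed finding of a blocking type).
    """
    verdicts = {fingerprint(f): f["verdict"] for f in bundle}
    new, still_open = [], []
    for f in assessment:
        verdict = verdicts.get(fingerprint(f))
        if verdict is None:
            new.append(f)
        elif verdict == "confirmed":
            still_open.append(f)
        # "false_positive": suppressed, the analyst has already ruled it out
    blocking = [f for f in new + still_open if f["vuln_type"] in BLOCKING_TYPES]
    return new, still_open, not blocking

def _finding(vuln_type, file, sink_api, line, verdict=None):
    f = {"vuln_type": vuln_type, "file": file, "sink_api": sink_api, "line": line}
    if verdict:
        f["verdict"] = verdict
    return f

# Constructed data: last build's triage (the bundle) and this build's scan output.
BUNDLE = [
    _finding("SQL Injection", "LoginServlet.java", "Statement.executeQuery", 40, "confirmed"),
    _finding("Path Traversal", "Export.java", "FileInputStream.<init>", 88, "false_positive"),
]
ASSESSMENT = [
    # the confirmed injection, now reported three lines lower after an unrelated edit
    _finding("SQL Injection", "LoginServlet.java", "Statement.executeQuery", 43),
    _finding("Path Traversal", "Export.java", "FileInputStream.<init>", 88),
    _finding("Cross-Site Scripting", "Profile.jsp", "JspWriter.print", 12),
]

if __name__ == "__main__":
    new, still_open, ok = incremental_report(ASSESSMENT, BUNDLE)
    print("triage these:", [f["vuln_type"] for f in new])   # ['Cross-Site Scripting']
    print("release allowed:", ok)                            # False: SQL Injection still open
```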
Demo
• Scan With No Custom Rules
• Automation Performed Through Jenkins
• View of Custom Rules Created
• Results
Jenkins Plugin
Open Source Jenkins Plugin
• Available TODAY!
• As a work in progress
• Developed by Aspect Security and IBM
• Hosted on GitHub
  – https://github.com/aspectsecurity/sensor-integration-framework
Next Steps
What’s Next?
• The AppScan Source SDK continues to improve
  – Assessment Parsing for External tooling
  – Viewing findings in Web Portal
  – Diffing at the SDK level
• Improve Jenkins Plugin
  – Support Additional Dashboard/Reporting Engines:
    – Jenkins
    – SonarQube
• AppScan Source App Server Importer Plugin Architecture
  – Point and Shoot Discovery of EARs and WARs
  – Discover Applications via Import
  – Successive scans can be run via automation
Questions?
More Questions
William Frontiero: [email protected]
Kevin Fealey: [email protected]
@secfealz
https://github.com/aspectsecurity/sensor-integration-framework
Notices and Disclaimers
Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.
Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS document is distributed "AS IS" without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.
Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.
Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.
References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.
It is the customer’s responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.
Notices and Disclaimers (con’t)
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM expressly disclaims all warranties, expressed or implied, including but not limited to, the implied warranties of merchantability and fitness for a particular purpose.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.
• IBM, the IBM logo, ibm.com, Bluemix, Blueworks Live, CICS, Clearcase, DOORS®, Enterprise Document Management System™, Global Business Services ®, Global Technology Services ®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, SoDA, SPSS, StoredIQ, Tivoli®, Trusteer®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.
Thank You
Your Feedback is Important!
Access the InterConnect 2015 Conference CONNECT Attendee Portal to complete your session surveys from your smartphone, laptop or conference kiosk.