Embed Size (px)
Citation preview
Dynamic Security TestingNovember 2017
@omerlh@yshayy
http://www.align.com/wp-
content/uploads/2017/09/Equifax_Infographic.png
And it affects the stock price...
disclosed
http://www.zdnet.com/article/equifax-confirms-apache-struts-flaw-it-
failed-to-patch-was-to-blame-for-data-breach/
https://nvd.nist.gov/vuln/detail/CVE-2017-5638
Will you be the next Equifax?
What can we do?
● Threat Modeling
● Design/Code review
● Bug bounties
● Security tests
● And many more…
Security Tests in CI
What's a feature management solution?
Let’s try to change the design a bit to
increase engagement
Demo e-commerce app
Example 1 - A/B Testing
Feature flags
Tweek is mission critical
Tweek is open source...
GitHub Flow
Source: GitHub
Checks - Quality Feedback
PR Quality Feedback
Security Department
Source: IT Crowd
Can we add security checks?
The best defense is a good offense
Source: http://community-sitcom.wikia.com/wiki/File:Dual_wielding_Chang.jpg
And run it in CI
Let’s take a hacking tool
OWASP Zaproxy
https://www.openhub.net/p/zaproxy
Free and Open Source hacking tool
Zap has two modes:
Passive Active
Let’s Hack Tweek!
Tweek’s Architecture
Passive Mode
What Zap does?
● Inspecting request and response
● Run passive scan rules:○ Cookies misconfiguration
○ Security HTTP Headers
○ Mixed Content
○ And many more
Setup Proxy
Browse Editor
Many findings
Potential issue
Why?
Zap does not only find the issues
It will also help you fix them!
Active Mode
What Zap does?
● Find all URLS/Paths
● Run active scan rules:○ SQL injections
○ XSS
○ Directory browsing
○ Remote file inclusion
○ And many more
Zap can parse the spec
And now we can attack it…
Let’s push the red button
Now relax and drink some coffee
Massive attack
Many findings
Potential issue
Why?
Questions so far?
And run it in CI
Let’s take a Hacking Tool
Zap has two modes:
Passive Active
Passive Mode
Tweek’s Security Testing
TweekAPI
TweekEditor
IntegrationTests
REST
UI Automation
Tests
Selenium
ZAP Proxy
ZAP Proxy
REST
Selenium
Let’s use Docker
● Tweek is designed as a multi-container app
● Every microservice has an offical Docker image
● Tweek uses Docker-native CI (Codefresh)
● Test suites also run as docker containers
● Zap has an official docker image
Containerized them all!
TweekAPI
TweekEditor
Smoke Tests
REST
UI Automation
Tests
Selenium
ZAP Proxy
ZAP Proxy
REST
Selenium
docker-compose up
docker-compose is widely supported
Running it in CI
Zap API
Curl/CLI/SDK
So we have Security Tests...
But it’s not perfect…
OWASP Glue
Security Tool Filtering Reporting
Free and Open Source CI tool
Let’s add some glue to our CI
Using Glue
ruby /usr/bin/glue/bin/glue -t zap --zap-host http://zap-e2e --zap-port 8090 --zap-passive-mode -f text --exit-on-warn 0 http://editor --finding-file-path /usr/src/wrk/glue.json
Let’s look at the findings…
Zap’s findings for the API
● Insecure cookies
● Missing security headers
● Insecure hash
FIXED
FIXED
IGNORE
Active Mode
Simply docker
docker run -t --net=host -v $(pwd):/zap/wrkowasp/zap2docker-weekly zap-api-scan.py-t http://localhost:4003/api/swagger.json-f openapi-r report.html
Find out more on Zap’s wiki...
And the results...
Questions so far?
So we have dynamic security tests...
Let’s see if it works…
Should I approve this pull request?
Let's review it...
That looks good...
But the tests are failing...
Let's see why...
Source: https://giphy.com/gifs/thisisgiphy-reaction-audience-l4HodBpDmoMA5p9bG
Conclusion
Security Testing Options
Passive (Proxy) Active (OpenAPI)
Simple to integrate Simple to integrate
Wide coverage Wide Coverage
Fast Slow
Mixing tests types Dedicated tests types
GitHub Only?
How can you use it?
Useful links
● Pull Request – adding security tests to Tweek
● Malicious Pull Request – The one show a few slides above
● Demo repo – Adding security tests to vulnerable app - Juice Shop
● Blog Post – how I added security tests to Tweek
@omerlh@yshayy
@omerlh@yshayy
Thank You!
