When Continuous Integration Meets Application Security
SOFTWARE QUALITY CONFERENCE PACIFIC NW
Harish Krishnan & Vasantharaju M.S [10/18/2016]
Agenda

1. Problem Statement
2. Continuous Integration (CI)
3. Application Security
4. Security Tools
5. CI + Tools
6. What do we get?
Problem Statement: Security comes LAST
Continuous Integration (CI)?

Wikipedia definition: In software engineering, continuous integration (CI) is the practice of merging all developer working copies to a shared mainline several times a day.

Pipeline: Code check-ins -> Source Repository -> Continuous Integration: Build the Project, Deploy/Install, Run unit tests, Run integration tests, Report results.
CI servers: Cruise Control, Jenkins, TeamCity, Travis CI (see https://en.wikipedia.org/wiki/Comparison_of_continuous_integration_software)
Application Security?

Wikipedia definition: Application security encompasses measures taken throughout the code's life-cycle to prevent gaps in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance or database of the application.
Security Tools

Static Analysis: Coverity, FindBugs
Dynamic Analysis: Nessus, XS3canner (in-house)
3rd Party Libraries Audit: OWASP Dependency Check
Static Analysis

Wikipedia definition: Static program analysis is the analysis of computer software that is performed without actually executing programs (analysis performed on executing programs is known as dynamic analysis). In most cases the analysis is performed on some version of the source code, and in the other cases, some form of the object code.
Static Analysis tools: Coverity: $$$; FindBugs: Free
FindBugs configuration (filter.xml: report only bugs in the SECURITY category)

    <?xml version="1.0" encoding="UTF-8"?>
    <FindBugsFilter>
        <Match>
            <Bug category="SECURITY"/>
        </Match>
    </FindBugsFilter>
FindBugs configuration (continued…)

    <project name="FindBugs" default="findbugs" basedir=".">
        <property name="findbugs.home" value="${basedir}/findbugs-3.0.1"/>
        <!-- classpath to findbugs-ant.jar is not on the slide; it is the location used in the FindBugs manual -->
        <taskdef name="findbugs" classname="edu.umd.cs.findbugs.anttask.FindBugsTask"
                 classpath="${findbugs.home}/lib/findbugs-ant.jar"/>
        <target name="findbugs">
            <findbugs home="${findbugs.home}" output="xml" outputFile="result.xml"
                      includeFilter="${basedir}/filter.xml">
                <sourcePath path="${basedir}/src"/>
                <class location="${basedir}/lib/*.jar"/>
            </findbugs>
        </target>
    </project>
Integrating FindBugs into the CI system

Pipeline: Code check-ins -> Source Repository -> Continuous Integration: Check-Out code, Build (if needed), Run Static Analysis, Analyze results, Report results.

Build (if needed): depends on the static analysis tool. FindBugs: No; Coverity: Yes.

Run Static Analysis: runs the FindBugs ant script. Example:

    c:\> ant findbugs

Analyze results: programmatically parse the XML and look for any <BugInstance> elements:

    <BugInstance category="SECURITY">
        <Class classname="">
            <SourceLine classname="" sourcepath="" sourcefile="" end="" start=""/>
        </Class>
    </BugInstance>
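The "Analyze results" step as an added example (not code from the talk): a Python script that parses the result.xml written by the ant target, lists every SECURITY <BugInstance> with its class and source line, and returns a non-zero exit status so the CI job fails. The sample result.xml, the class names in it and the script file name are constructed assumptions.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample of a FindBugs result.xml (not real scanner output), nested the way
# the slide's <BugInstance> snippet shows: one SECURITY and one non-security finding.
SAMPLE_RESULT_XML = """<BugCollection version="3.0.1">
  <BugInstance type="SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE" priority="1" category="SECURITY">
    <Class classname="com.example.UserDao">
      <SourceLine classname="com.example.UserDao" sourcepath="com/example/UserDao.java" sourcefile="UserDao.java" start="42" end="44"/>
    </Class>
  </BugInstance>
  <BugInstance type="SBSC_USE_STRINGBUFFER_CONCATENATION" priority="2" category="PERFORMANCE">
    <Class classname="com.example.Report">
      <SourceLine classname="com.example.Report" sourcepath="com/example/Report.java" sourcefile="Report.java" start="10" end="12"/>
    </Class>
  </BugInstance>
</BugCollection>"""

def parse_findbugs(xml_text):
    """One dict per <BugInstance>: category, bug pattern, class and source location."""
    findings = []
    for bug in ET.fromstring(xml_text).iter("BugInstance"):
        cls = bug.find("Class")
        line = cls.find("SourceLine") if cls is not None else None
        findings.append({
            "category": bug.get("category", ""),
            "type": bug.get("type", ""),
            "classname": cls.get("classname", "") if cls is not None else "",
            "sourcefile": line.get("sourcefile", "") if line is not None else "",
            "start": int(line.get("start", "0")) if line is not None else 0,
        })
    return findings

def ci_exit_code(xml_text):
    """CI gate: 1 (fail the build) if any SECURITY bug is present, else 0.

    The slide's filter.xml already limits result.xml to SECURITY, so every
    <BugInstance> would fail the build; the category check is kept explicit.
    """
    hits = [f for f in parse_findbugs(xml_text) if f["category"] == "SECURITY"]
    for f in hits:
        print("SECURITY %(type)s in %(classname)s (%(sourcefile)s:%(start)d)" % f)
    return 1 if hits else 0

if __name__ == "__main__":
    # Usage: python findbugs_gate.py result.xml (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULT_XML
    sys.exit(ci_exit_code(text))
```

Run it as the step after `ant findbugs`; a non-zero exit status is what makes the CI server mark the build failed and report it.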
Dynamic Analysis

Wikipedia definition: Dynamic program analysis is the analysis of computer software that is performed by executing programs on a real or virtual processor.
Dynamic Analysis tools: Nessus: $$$; XS3canner: In-house
Nessus Configuration

Nessus exposes a REST API. Nessrest is a free Python framework that makes the API calls.
Nessus Configuration (continued…)

    import sys
    from nessrest import ness6rest as nes

    # URL, nessus_accessKey, nessus_secretKey and log() are set elsewhere in the automation scripts.
    # insecure=True skips TLS certificate verification of the Nessus server; keep it for a lab
    # server only, otherwise the API keys are sent to whoever answers at URL.
    try:
        scan = nes.Scanner(url=URL, api_akey=nessus_accessKey, api_skey=nessus_secretKey, insecure=True)
    except Exception as e:  # "except Exception, e:" is Python 2-only syntax
        log("Could not connect to Nessus Server: %s" % str(e))
        sys.exit(1)
Nessus Configuration (continued…)

    scan.policy_set(POLICY)                         # scan policy to apply
    scan.scan_add(targets=TARGETS, name=scan_name)  # the deployed application under test
    scan.scan_run()                                 # start the scan
    content = scan.download_scan()                  # fetch the report
Integrating Nessus into the CI system

Pipeline: Code check-ins -> Source Repository -> Continuous Integration: Check-Out code, Deploy/Install, Run Dynamic Analysis, Analyze results, Report results.

Deploy/Install: for dynamic analysis, the application must be running.

Run Dynamic Analysis: runs the Python automation scripts.

Analyze results:

    report = scan.parse(Report)
    target = report.targets()
    vulnerabilities = target.vulns
3rd Party component security audit

OWASP Dependency Check: Free
Dependency Check configuration

    <!-- The taskdef is not on the slide; it is the one from the Dependency-Check ant docs,
         and the jar location below is an assumption -->
    <taskdef resource="dependency-check-taskdefs.properties">
        <classpath path="${basedir}/dependency-check-ant/dependency-check-ant.jar"/>
    </taskdef>
    <target name="dependency-check" description="Dependency-Check Analysis">
        <dependency-check projectname="Hello World" reportoutputdirectory="${basedir}" reportformat="XML">
            <fileset dir="lib">
                <include name="**/*.jar"/>
            </fileset>
        </dependency-check>
    </target>
Integrating Dependency Check into the CI system

Pipeline: Code check-ins -> Source Repository -> Continuous Integration: Check-Out code, Group Libraries, Run DC Tool, Analyze results, Report results.

Group Libraries: a directory containing all our libraries, for scanning.

Run DC Tool: runs the DC ant script. Example:

    c:\> ant dependency-check

Analyze results: programmatically parse the XML and look for any vulnerabilities listed.
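The "Analyze results" step for Dependency Check as an added example (not code from the talk): a Python script that reads the XML report, prints every listed vulnerability with its jar and CVSS score, and fails the build when any score reaches a threshold. The sample report is constructed with a placeholder namespace and placeholder CVE ids, and it assumes the 2016-era element names (dependency, fileName, vulnerability, name, cvssScore, severity); the parser ignores the namespace so a different xsd version does not break it.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample Dependency-Check XML report (placeholder namespace and CVE ids, not real
# scanner output), using the 2016-era element names: dependency/fileName, vulnerability/name/cvssScore.
SAMPLE_REPORT_XML = """<analysis xmlns="urn:example:dependency-check-placeholder">
  <dependencies>
    <dependency>
      <fileName>lib/library-a-1.0.jar</fileName>
      <vulnerabilities>
        <vulnerability><name>CVE-EXAMPLE-0001</name><cvssScore>7.5</cvssScore><severity>High</severity></vulnerability>
      </vulnerabilities>
    </dependency>
    <dependency>
      <fileName>lib/library-b-2.3.jar</fileName>
      <vulnerabilities>
        <vulnerability><name>CVE-EXAMPLE-0002</name><cvssScore>4.3</cvssScore><severity>Medium</severity></vulnerability>
      </vulnerabilities>
    </dependency>
  </dependencies>
</analysis>"""

_local = lambda tag: tag.rsplit("}", 1)[-1]  # drop the namespace: report xsd versions differ

def parse_dependency_check(xml_text):
    """One dict per listed vulnerability: jar file, CVE id, CVSS score, severity."""
    findings = []
    for dep in ET.fromstring(xml_text).iter():
        if _local(dep.tag) != "dependency":
            continue
        jar = next((c.text for c in dep if _local(c.tag) == "fileName"), "?")
        for vuln in dep.iter():
            if _local(vuln.tag) != "vulnerability":
                continue
            fields = {_local(c.tag): (c.text or "").strip() for c in vuln}
            findings.append({"file": jar, "cve": fields.get("name", ""),
                             "score": float(fields.get("cvssScore") or 0),
                             "severity": fields.get("severity", "")})
    return findings

def ci_exit_code(xml_text, fail_at=7.0):
    """CI gate: list every vulnerability; return 1 (fail the build) if any CVSS score >= fail_at."""
    findings = parse_dependency_check(xml_text)
    for f in findings:
        print("%(file)s: %(cve)s CVSS %(score).1f (%(severity)s)" % f)
    return 1 if any(f["score"] >= fail_at for f in findings) else 0

if __name__ == "__main__":  # usage: python dc_gate.py dependency-check-report.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT_XML
    sys.exit(ci_exit_code(text))
```

Lower-scored findings are still printed in the CI log so they get triaged, while only the threshold breach fails the build.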
What do we get?

Confidence: discover and fix vulnerabilities early in the SDLC.
THANK YOU