2. About Smals vzw-asbl
One of Belgium's largest ICT organisations:
1750 people
"ICT for Society"
Work: e.g. Dimona-DmfA
Salary and labour declarations
Health: e.g. the eHealth platform
Secure exchange of medical data in Belgium
Family life: e.g. VESTA
Home care for the elderly (financial / operational support)
In-house ICT service, working exclusively for the government
High priority for ICT Security & Privacy
Information
Security
3. Introduction
Security Test Automation in Software Development using Open Source Tools
Can we do it?
What do we need?
Source code
Working parts of the application
Selenium tests for the functional part
4. Application Security Disclaimer
Hacking is illegal and is punishable under the Belgian computer crime
legislation (the Law of 28 November 2000 on computer crime). The methods
shown here are therefore illegal when used without the consent of the owner
of the target system.
5. Hacking is illegal under Belgium Law
Article 550bis § 1
A person who, knowing that he is not entitled to it, gains access to a
computer system or maintains himself in it, shall be punished with
imprisonment from three months to one year and a fine of twenty-six [euro]
to twenty-five thousand [euro], or with one of these penalties. If the
offence referred to in the first paragraph is committed with fraudulent
intent, the imprisonment is from six months to two years.
6. Security myths
Firewalls …
• Firewalls are always configured to let web traffic through -> HTTP(S),
so an attack carried inside an HTTP request passes the firewall untouched
• To the web application the attacker looks like any other user; the
firewall cannot tell a malicious request from a normal one
7. Security myths
SSL secures the application…
• Server-side SSL only guarantees confidentiality (and integrity) at the
transport level, between browser and server; it says nothing about what
is inside the request
• The attacker uses the same SSL tunnel, so malicious input arrives just
as well encrypted as legitimate input, and network monitoring sees less
8. Security myths
The Application framework solves that…
• Frameworks do not solve security issues by themselves
• Some frameworks offer the building blocks, but do not enable them
by default
• Some frameworks do enable them by default
Even then, developers can work around the framework and reintroduce
the security problems
10. SQL Injection
Normal login:
  User: John
  password: secret
  SELECT user FROM users WHERE user='John' AND password='secret';
  -> John

Injected login:
  User: xxxx
  password: ' or 1=1;--
  SELECT user FROM users WHERE user='xxxx' AND password='' or 1=1;--';
  -> every row of the table (Aaron, John, ...)
  "Welcome, Aaron"
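The login query from the slide, run against a small in-memory SQLite table so the injection and its fix can be executed offline. This is an added example, not code from the slides or from Smals; the users table, the passwords and the "xxxx" user name are constructed for the demonstration. The vulnerable function reproduces the string-built query, the safe one is the same query with bind parameters (what FindBugs' SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE check pushes you towards in Java).

```python
import sqlite3

# Constructed sample users table (assumption: not data from the slides).
SAMPLE_USERS = [("Aaron", "hunter2"), ("John", "secret")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table so the example runs without a server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, user: str, password: str) -> list:
    """The slide's query, built by string concatenation.

    With password = "' or 1=1;--" the quote closes the password literal,
    "or 1=1" makes the WHERE clause true for every row and "--" comments
    out the trailing quote. Returns the matched user names; an application
    that logs in the first match welcomes whoever sorts first (Aaron).
    """
    query = ("SELECT user FROM users WHERE user='" + user
             + "' AND password='" + password + "';")
    return [row[0] for row in conn.execute(query)]


def login_safe(conn: sqlite3.Connection, user: str, password: str) -> list:
    """Same query with bind parameters: the input is data, never SQL syntax,
    so the injection string is simply compared against the password column."""
    query = "SELECT user FROM users WHERE user=? AND password=?"
    return [row[0] for row in conn.execute(query, (user, password))]


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "John", "secret"))       # ['John']
    print(login_vulnerable(db, "xxxx", "' or 1=1;--"))  # ['Aaron', 'John']
    print(login_safe(db, "xxxx", "' or 1=1;--"))        # []
```

Hashing the stored passwords would not help here: the injected clause removes the password comparison altogether. Parameterisation (or a prepared statement with bound values, never one built from a non-constant string) is the fix.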
13. Sensitive Data Exposure
Clear-text transmission
• Confidential information is simply sent back to the user
Improper web application implementation
Mixing secure and non-secure sections
Improper analysis of the information (which data is actually confidential?)
Improper configuration
Unsecured SESSION cookies (no Secure flag, so the cookie also travels over plain HTTP)
14. Sensitive Data Exposure
Error messages
• Error messages meant for developers carry a lot of information to
locate the cause of the error:
Stack traces in Java
SQL error messages from the database
PHP error messages
…
• Displayed to an attacker, those same messages reveal:
The data flow inside the web application
Database layout
Operating system information
Network information
Application frameworks used
15. Cross Site Request Forgery
The victim is logged in (online) to her bank.
A page controlled by the attacker makes her browser request:
http://bank.com/transaction?amount=10000&acc=001.1234567.27
The browser attaches the victim's session cookie, so the bank treats it as her own request:
Transaction successful
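A hardened version of the slide's /transaction endpoint, as an added example (not code from the slides or from Smals). It assumes a server-side secret, a session id recovered from the cookie, and form parameters handed in as a dict; the endpoint and session names are constructed. It shows the two checks that stop the attack above: refusing state changes over GET, and a synchronizer token bound to the victim's session that an attacker's page can neither read nor compute.

```python
import hashlib
import hmac

# Assumption: server-side secret, constructed for the example. In a real
# deployment it comes from configuration and is never sent to the client.
SECRET_KEY = b"constructed-demo-secret"


def issue_csrf_token(session_id: str) -> str:
    """Token bound to one session (HMAC over the session id).

    The bank embeds it in its own forms. The attacker's page cannot read it
    (same-origin policy) and cannot compute it for a session it does not own,
    and, unlike a cookie, the browser never attaches it automatically.
    """
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def transaction_endpoint(method: str, session_id: str, form: dict) -> tuple:
    """Hardened /transaction handler. Returns (HTTP status, message).

    `session_id` is what the server recovers from the session cookie, which
    the browser sends even for a request triggered from the attacker's page;
    `form` holds the submitted parameters.
    """
    # 1. No state change over GET: a link or <img src=...> must not be enough.
    if method != "POST":
        return 405, "use POST"
    # 2. The token must be present and match this session (constant-time compare).
    token = form.get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return 403, "missing or invalid CSRF token"
    return 200, "Transferred %s to %s" % (form["amount"], form["acc"])


if __name__ == "__main__":
    victim = "session-of-victim"
    params = {"amount": "10000", "acc": "001.1234567.27"}
    # The slide's attack: the victim's browser follows the attacker's link.
    print(transaction_endpoint("GET", victim, params))
    # Attacker upgrades to an auto-submitting POST form, still without a token.
    print(transaction_endpoint("POST", victim, params))
    # Attacker pastes in a token from his own session: bound to the wrong session.
    attacker_token = issue_csrf_token("session-of-attacker")
    print(transaction_endpoint("POST", victim, dict(params, csrf_token=attacker_token)))
    # Legitimate submission of the bank's own form.
    print(transaction_endpoint("POST", victim, dict(params, csrf_token=issue_csrf_token(victim))))
```

The token check is what makes the request unforgeable; the POST requirement alone only removes the cheapest attack vector. Most Java web frameworks ship an equivalent filter, but (see the framework myth) it is not always enabled by default.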
17. Findbugs
Static code analyzer
Works on Java byte code, so the source must compile
Searches for known bug patterns
Finds real bugs, but also reports false warnings that need triage
Eclipse plugin
By default almost all detectors are enabled
18. Findbugs
For security patterns:
DMI_CONSTANT_DB_PASSWORD
Hardcoded constant database password
DMI_EMPTY_DB_PASSWORD
Empty database password
EI_EXPOSE_REP
May expose internal representation by returning reference to
mutable objects
EI_EXPOSE_REP2
May expose internal representation by incorporating reference
to mutable object
EI_EXPOSE_STATIC_REP2
May expose internal static state by storing a mutable object
into a static field
MS_EXPOSE_REP
Public static method may expose internal representation by
returning array
19. Findbugs
SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
Nonconstant string passed to execute method on an SQL
statement
SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
A prepared statement is generated from a nonconstant String
XSS_REQUEST_PARAMETER_TO_SEND_ERROR
Servlet reflected cross site scripting vulnerability in error page
XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER
Servlet reflected cross site scripting vulnerability
RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE
Nullcheck of value previously dereferenced
NP_NULL_ON_SOME_PATH
Possible null pointer dereference
NP_NULL_ON_SOME_PATH_EXCEPTION
Possible null pointer dereference in method on exception path
21. PMD
Static code analyzer
Runs against the Java source code (no compiled classes needed)
Also searches for bug patterns
No real security patterns are included out of the box
Gotham Digital Science publishes a security rule set for PMD
24. Zed Attack Proxy
Intercepting Proxy
Traditional and AJAX spiders
Automated scanner
Forced Browsing
Fuzzer
Dynamic SSL Certificates
Smartcard and client digital certificate support
25. Zed Attack Proxy
Web sockets support
Support for a wide range of scripting languages
Plug-n-Hack support
Authentication and Session Support
Powerful REST based API
Automatic updating option
Integrated and growing marketplace of add-ons
27. Demo: Automatic Build Process
Maven
Findbugs
PMD
Zaproxy
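What the "Zaproxy" step of such an automated build can look like when driven over ZAP's REST API, as an added example (not the demo's own script and not code from the ZAP project). It assumes ZAP running on localhost:8080 with an API key, and uses the ZAP 2.x JSON endpoints for starting an active scan, polling its status and listing alerts; the sample alert list is constructed so the build-gating logic can run without a ZAP instance.

```python
import json
import sys
import time
import urllib.parse
import urllib.request

# Assumptions (not from the slides): where ZAP listens and its API key.
ZAP = "http://localhost:8080"
API_KEY = "change-me"
# ZAP's risk levels, ordered so they can be compared against a threshold.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def zap_call(component: str, kind: str, name: str, **params) -> dict:
    """GET <ZAP>/JSON/<component>/<view|action>/<name>/?... and parse the reply."""
    params["apikey"] = API_KEY
    url = "%s/JSON/%s/%s/%s/?%s" % (ZAP, component, kind, name,
                                    urllib.parse.urlencode(params))
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def active_scan(target: str) -> None:
    """Start an active scan of `target` and block until ZAP reports 100%."""
    scan_id = zap_call("ascan", "action", "scan", url=target)["scan"]
    while int(zap_call("ascan", "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(5)


def blocking_alerts(alerts: list, min_risk: str = "Medium") -> list:
    """Alerts at or above `min_risk`, most severe first.

    Pure function over the 'alerts' list of ZAP's core/view/alerts reply,
    so the gate decision can be tested without a running ZAP.
    """
    floor = RISK_ORDER[min_risk]
    hits = [a for a in alerts if RISK_ORDER.get(a.get("risk"), 0) >= floor]
    return sorted(hits, key=lambda a: -RISK_ORDER.get(a.get("risk"), 0))


def gate(target: str, min_risk: str = "Medium") -> int:
    """Build exit code: 1 when ZAP found something at or above `min_risk`."""
    active_scan(target)
    alerts = zap_call("core", "view", "alerts", baseurl=target)["alerts"]
    hits = blocking_alerts(alerts, min_risk)
    for a in hits:
        print("%-13s %s  %s" % (a["risk"], a["alert"], a["url"]))
    return 1 if hits else 0


# Constructed sample of the 'alerts' list, used when no ZAP is running.
SAMPLE_ALERTS = [
    {"risk": "Low", "alert": "X-Content-Type-Options Header Missing",
     "url": "http://app.local/"},
    {"risk": "High", "alert": "SQL Injection", "url": "http://app.local/login"},
    {"risk": "Medium", "alert": "Cross Site Request Forgery",
     "url": "http://app.local/transaction"},
    {"risk": "Informational", "alert": "Suspicious Comments",
     "url": "http://app.local/"},
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(gate(sys.argv[1]))          # python zap_gate.py http://app.local/
    for a in blocking_alerts(SAMPLE_ALERTS):
        print(a["risk"], a["alert"], a["url"])
```

Run from the build after the application has been deployed and the Selenium tests have exercised it through the proxy (so ZAP's sites tree is populated); a non-zero exit code then fails the Maven phase. Tune the threshold per project: starting at "High" keeps early false positives from blocking every build.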
28. TODO’s
Maven
Zed Attack Proxy and site phase integration
SONAR integration of Zed Attack Proxy
How about Agile development?
Can we integrate this process in TDD and BDD?
29. Links
FindBugs™ - Find Bugs in Java Programs
PMD – Don’t shoot the Messenger
OWASP Zed Attack Proxy Project - OWASP
ZAP Maven Plugin
Automated Security Testing of web applications
using OWASP Zed Attack Proxy
Belgium - OWASP
Gotham Digital Science
30. Resources …
• Books:
Software Security
Microsoft Secure Development Lifecycle
Enterprise Security Architecture
31. Reflection
Open Source
  Good start
Commercial tools
  Are more integrated in their environment
  Perform better
  Come at a price
Manual review by experts
  Best results
  Expensive
  Not continuous: reviews happen at intervals
  Very late in the process