The transformation of software development processes seen in recent years is oriented mainly towards agile teams working in a DevOps way. A consequence of these changes is the need to rethink how the security of the applications being built is assured.
Short sprints no longer leave room for manual testing. While manual tests will not disappear entirely, the main line of defence for a project becomes automated tests, which the project team has to implement and maintain. Knowing the security principles that apply to their own system is now part of the developers' and testers' job.
14. OWASP Application Security Verification Standard (ASVS)
• Provides a list of requirements for secure development
• Defines different security assurance levels (Opportunistic, Standard, Advanced, also called Level 1, 2, 3; these are the ASVS 3.0 names, and the requirement numbers quoted in the examples below follow that version)
20. Why do we have to deal with HTTP?
• It's the trust boundary between the client and the server
• It offers maximum flexibility: requests can be manipulated on the text/byte level
• One can fabricate requests that the client side of the application would never generate
• This is what the hackers are doing :)
21. What does X-XSS-Protection do?
• Offers (reflected) XSS protection in browsers that implement the legacy XSS auditor
• Turned on by default in those browsers, but in sanitization (filter) mode, which rewrites the page instead of refusing to render it
• Turn the most rigorous mode on with X-XSS-Protection: 1; mode=block
• Caveat: current browsers have removed the auditor and ignore this header; Content-Security-Policy is the mechanism that is still enforced, so treat this header as a legacy hardening check, not as your XSS defence
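The two slides above say the same thing from two sides: the test has to look at the HTTP response as it really travels over the wire, and the thing to look for here is a header value. The block below is an added example (not code from the original deck) that parses a raw HTTP/1.1 response from bytes with the standard library, classifies the X-XSS-Protection value (missing, disabled, filter, block) and reports findings; the two sample responses are constructed for the example and the CSP check reflects the caveat that modern browsers ignore X-XSS-Protection. The classification names and the finding wording are my own choices.

```python
import http.client
import io
from typing import Dict, List, Optional


class _BytesSocket:
    """Minimal stand-in for a socket so http.client can parse captured bytes offline."""

    def __init__(self, data: bytes) -> None:
        self._file = io.BytesIO(data)

    def makefile(self, *args, **kwargs) -> io.BytesIO:
        return self._file


def parse_raw_response(raw: bytes) -> http.client.HTTPResponse:
    """Parse a raw HTTP/1.1 response (status line, headers, body) exactly as seen on the wire."""
    response = http.client.HTTPResponse(_BytesSocket(raw))
    response.begin()  # reads the status line and the header block
    return response


def xss_protection_mode(value: Optional[str]) -> str:
    """Classify an X-XSS-Protection header value.

    Returns "missing", "disabled", "filter" (the legacy default: the browser rewrites
    the page instead of blocking it), "block" or "invalid".
    """
    if value is None:
        return "missing"
    parts = [p.strip().lower() for p in value.split(";")]
    if parts[0] == "0":
        return "disabled"
    if parts[0] != "1":
        return "invalid"
    directives = {}
    for part in parts[1:]:
        name, _, directive_value = part.partition("=")
        directives[name.strip()] = directive_value.strip()
    if directives.get("mode") == "block":
        return "block"
    return "filter"


def header_findings(headers: Dict[str, Optional[str]]) -> List[str]:
    """Return findings for a lower-cased header mapping; an empty list means the check passed."""
    findings = []
    mode = xss_protection_mode(headers.get("x-xss-protection"))
    if mode != "block":
        findings.append(f"X-XSS-Protection is {mode}, expected '1; mode=block'")
    # Modern browsers ignore X-XSS-Protection; a CSP is the mechanism that is still enforced.
    if not headers.get("content-security-policy"):
        findings.append("Content-Security-Policy header is missing")
    return findings


def check_raw_response(raw: bytes) -> List[str]:
    """Run the header checks against a raw response captured from the server."""
    response = parse_raw_response(raw)
    headers = {name.lower(): value for name, value in response.getheaders()}
    return header_findings(headers)


# Constructed sample responses for this example (not captured from any real server).
WEAK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"X-XSS-Protection: 1\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)

HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"X-XSS-Protection: 1; mode=block\r\n"
    b"Content-Security-Policy: default-src 'self'\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_raw_response(raw) or "OK")
```

In a real test the bytes come from a socket to the application under test; keeping the parsing and the policy in separate functions means the same `header_findings` can be fed from a real connection, a recorded fixture, or a unit test without a server.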
22. Preferred type of test
Source: https://blogs.msdn.microsoft.com/visualstudioalmrangers/2017/04/20/set-up-a-cicd-pipeline-to-run-automated-tests-efficiently/
30. I would not call that „easy”
• Understanding security requirements takes time
• We need to deal with traffic on the HTTP level
• Some technologies are easier to automate than others
• We didn't show how to deal with authentication or CSRF protection
• But yes, in many cases the code can still be sexy!
31. Example 3, ASVS 10.16
„Verify that the TLS settings are in line with current leading practice, particularly as common configurations, ciphers, and algorithms become insecure.”
32. What is TLS?
• It's the „S” in HTTPS ;)
• It's actually much more than this, but let's not complicate things, because…
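ASVS 10.16 is easy to check "on the code level" when the application builds its own TLS context: inspect the context the code would actually use instead of scanning a live endpoint. The block below is an added example, not code from the original deck, written with Python's `ssl` module; the hardened context and the deliberately weak one are both mine, and the list of "weak" cipher-name markers is an assumed policy for the example, not an ASVS list.

```python
import ssl
from typing import List

# Assumed policy for this example: suites whose names carry these markers are rejected.
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "NULL", "DES", "EXPORT", "PSK", "ADH", "AECDH")


def hardened_client_context() -> ssl.SSLContext:
    """Client context in line with current leading practice: TLS 1.2+, AEAD suites, forward secrecy."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, hostname checking, system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.3 suites are fixed by OpenSSL; this string governs the TLS 1.2 suites only.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!PSK:!MD5:!RC4")
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """The kind of context that must fail the check: no verification, any protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # has to be switched off before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def weak_ciphers(ctx: ssl.SSLContext) -> List[str]:
    """Names of enabled suites that match one of the weak markers."""
    return [
        suite["name"]
        for suite in ctx.get_ciphers()
        if any(marker in suite["name"] for marker in WEAK_CIPHER_MARKERS)
    ]


def tls_findings(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for a context; an empty list means the settings pass the check."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum TLS version below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    for name in weak_ciphers(ctx):
        findings.append(f"weak cipher suite enabled: {name}")
    return findings


if __name__ == "__main__":
    print("hardened:", tls_findings(hardened_client_context()) or "OK")
    print("legacy:  ", tls_findings(legacy_client_context()))
```

The check only reads the context's configuration, so it runs in a unit test with no network; wire it to whatever factory function your application uses to build its contexts, and it fails the build the day someone relaxes `verify_mode` to "make the integration environment work".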
36. Example 4, ASVS 1.11
„Verify that all application components, libraries, modules, frameworks, platform, and operating systems are free from known vulnerabilities.”
37. Case Equifax (Struts 2, CVE-2017-5638)
BTW: Struts 2 had 15 known vulnerabilities in 2016
Source: https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/
38. How to deal with it?
• Update every library every release
• Or use a library scanning tool (software composition analysis) and fail the build on what it finds
– OWASP Dependency Check
– Victims
– Black Duck (Copilot)
– Many others
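A scanner only helps if its output stops the pipeline. The block below is an added example, not code from the original deck or from any of the tools listed: a small build gate that reads a dependency report and fails when any finding reaches a CVSS threshold. The report is a constructed sample in the shape of an OWASP Dependency-Check JSON report, reduced to the fields used here (`dependencies[].fileName`, `vulnerabilities[].name`, `severity`, `cvssv3.baseScore`, `cvssv2.score`), so treat the exact field names as an assumption and check them against the report your scanner version produces; the second vulnerability entry is a placeholder, not a real advisory. Dependency-Check's Maven and CLI integrations offer their own `failBuildOnCVSS` setting; the point of writing the gate yourself is that you can apply the same rule to any tool's report.

```python
import json
from typing import Any, Dict, List

# Lowest score assumed for a severity word when no numeric CVSS score is present.
SEVERITY_FLOOR = {"CRITICAL": 9.0, "HIGH": 7.0, "MEDIUM": 4.0, "LOW": 0.1}

# Constructed sample report (not real scanner output); the Struts entry mirrors the
# Equifax case, the second entry is a placeholder to exercise the CVSS v2 fallback.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {
            "fileName": "struts2-core-2.3.31.jar",
            "vulnerabilities": [
                {"name": "CVE-2017-5638", "severity": "CRITICAL", "cvssv3": {"baseScore": 10.0}},
            ],
        },
        {"fileName": "commons-lang3-3.12.0.jar", "vulnerabilities": []},
        {
            "fileName": "example-lib-1.0.jar",
            "vulnerabilities": [
                {"name": "CONSTRUCTED-MEDIUM-EXAMPLE", "severity": "MEDIUM", "cvssv2": {"score": 4.3}},
            ],
        },
    ]
})


def vulnerability_score(vuln: Dict[str, Any]) -> float:
    """Prefer the CVSS v3 base score, fall back to CVSS v2, then to the severity word."""
    cvssv3 = vuln.get("cvssv3") or {}
    if "baseScore" in cvssv3:
        return float(cvssv3["baseScore"])
    cvssv2 = vuln.get("cvssv2") or {}
    if "score" in cvssv2:
        return float(cvssv2["score"])
    return SEVERITY_FLOOR.get(str(vuln.get("severity", "")).upper(), 0.0)


def gate_findings(report_json: str, fail_on_cvss: float = 7.0) -> List[str]:
    """List every dependency/vulnerability pair at or above the threshold."""
    report = json.loads(report_json)
    failures = []
    for dependency in report.get("dependencies", []):
        for vuln in dependency.get("vulnerabilities") or []:
            score = vulnerability_score(vuln)
            if score >= fail_on_cvss:
                failures.append(f"{dependency['fileName']}: {vuln['name']} (CVSS {score:.1f})")
    return failures


def build_passes(report_json: str, fail_on_cvss: float = 7.0) -> bool:
    """True when nothing reaches the threshold; the caller turns False into a non-zero exit."""
    return not gate_findings(report_json, fail_on_cvss)


if __name__ == "__main__":
    for line in gate_findings(SAMPLE_REPORT):
        print("FAIL", line)
    raise SystemExit(0 if build_passes(SAMPLE_REPORT) else 1)
```

Keep the threshold in one place and pair the gate with a suppression file reviewed like code: a scanner that is silenced ad hoc because "the build is red again" is exactly how a known-vulnerable Struts stays in production.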
41. Summary
• First step to security assurance: know what is to be done
• Don't fear HTTP; implementing the tests is not necessarily hard
• You can even deal with „special cases” like TLS validation and software composition analysis on the code level