
Implementation of SAST for Android Application


This is the reference guide for implementing the SAST tool Find Security Bugs (findSecurityBugs) with an IDE and Jenkins.

Published in: Software


  1. MOBILE SAST IMPLEMENTATION
  2. TABLE OF CONTENTS
     - Introduction
     - Overview of DevSecOps
     - Secure SDLC benefits
     - Advantages & disadvantages of SAST
     - Integration of SAST in the IDE
     - Integration of SAST into CI/CD
     - References
  3. SSDLC BENEFITS
     - Build secure software
     - Creates awareness of security
     - Early detection of vulnerabilities
     - Overall reduction of risk for the organization
  4. ADVANTAGES & DISADVANTAGES OF SAST
     - Advantages:
       - Largely usable in developer IDEs to detect issues even before CI.
       - Easy to trigger from CI/CD.
       - Early detection of vulnerabilities.
       - Helps build secure software.
     - Disadvantages:
       - Takes a considerable amount of effort if the tool is adopted mid-project.
       - Integration effort.
       - Treated as a non-functional requirement.
       - Requires time to analyze the false positives.
  5. IDE INTEGRATION & CUSTOMIZATION
     - Open Android Studio and select Preferences.
     - Click on Plugins, then click on Browse repositories.
     - Search for and install FindBugs-IDEA (restart your IDE).
     - Navigate to Other Settings under the Preferences tab.
     - Click on FindBugs-IDEA and add the plugin by clicking the + icon.
     - Navigate to the Report tab and select SECURITY.
     - Finally click on Apply and Save.
     - Right-click on the project and select Analyze Project Files under FindBugs.
     - Reports can be exported to both HTML and XML format.
  6. INTEGRATION WITH CI/CD
     Add the code below to the build.gradle file (present under the app directory). The `apply plugin` line and the `findbugsPlugins` configuration are required for the snippet to evaluate (the `FindBugs` task type and the `configurations.findbugsPlugins` reference both depend on them) and were missing from the slide; everything else is the slide's own configuration.

     ```groovy
     apply plugin: 'findbugs'   // provides the FindBugs task type used below

     // Holds the Find Security Bugs plugin jar so it can be passed to FindBugs.
     configurations {
         findbugsPlugins
     }

     dependencies {
         implementation fileTree(include: ['*.jar'], dir: 'libs')
         implementation 'com.google.android.gms:play-services:7.5.0'
         implementation 'com.github.marcohc:Toasteroid:2.1.4'
         findbugs 'com.google.code.findbugs:findbugs:3.0.1'
         findbugs configurations.findbugsPlugins.dependencies
         findbugsPlugins 'com.h3xstream.findsecbugs:findsecbugs-plugin:1.4.4'
     }

     // FindBugs task that loads the security rules only
     task findSecurityBugs(type: FindBugs) {
         // Compiled classes of the release variant. Note: when this file is the
         // app module's build.gradle, $project.buildDir already resolves to
         // app/build, so adjust the path to your module and build variant.
         classes = fileTree("$project.buildDir/app/build/intermediates/javac/release/compileReleaseJavaWithJavac/classes/com/android/insecurebankv2/")
         // Sources are relative to the module, not the filesystem root
         source = fileTree('src/main/java/')
         classpath = files()
         pluginClasspath = project.configurations.findbugsPlugins
         findbugs {
             toolVersion = "3.0.1"
             ignoreFailures = true   // findings are reported but never fail the build
             reportsDir = file("$project.buildDir/findbugsReports")
             effort = "max"
             reportLevel = "low"
             includeFilter = file("$project.rootDir/fsb-include.xml")
             excludeFilter = file("$project.rootDir/fsb-exclude.xml")
         }
     }
     ```
  7. ADDING NEW FILES
     - Create two files named `fsb-include.xml` and `fsb-exclude.xml`.
     - Add both of these files to the project root directory.
     - Add the content below to the `fsb-exclude.xml` file (an empty filter, so nothing is excluded):

       ```xml
       <FindBugsFilter>
       </FindBugsFilter>
       ```

     - Add the content below to the `fsb-include.xml` file (only bugs in the SECURITY category are reported):

       ```xml
       <FindBugsFilter>
         <Match>
           <Bug category="SECURITY"/>
         </Match>
       </FindBugsFilter>
       ```

     - Execute Gradle by running the commands below:

       ```sh
       ./gradlew build
       ./gradlew findSecurityBugs
       ```

  8. FOLDER STRUCTURE
  9. CONFIGURE JENKINS JOB
  10. PUBLISH REPORTS
  11. REFERENCES
     - https://www.owasp.org/index.php/Source_Code_Analysis_Tools
     - https://find-sec-bugs.github.io/
     - https://github.com/find-sec-bugs/find-sec-bugs/wiki/Gradle-configuration
     - https://github.com/sanjeevakuamr/InsecureBankv2-FindBugs
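The Jenkins job and report-publishing slides are screenshots only, so here is an added example (not part of the original deck) of one way to turn the FindBugs XML report into a build gate: because the Gradle task sets `ignoreFailures = true`, the build never fails on its own, so the Jenkins job can run this script after `./gradlew findSecurityBugs` and exit non-zero when a high-priority SECURITY finding remains. The `BugCollection` sample embedded in the script, including its class and file names, is constructed so that it runs without a real build.

```python
"""Gate a CI job on the Find Security Bugs XML report (added example)."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample in FindBugs' BugCollection format: two SECURITY findings
# and one non-security finding, stand-ins for build/findbugsReports/*.xml.
SAMPLE_REPORT = """<BugCollection version="3.0.1">
  <BugInstance type="SQL_INJECTION_ANDROID" priority="1" category="SECURITY">
    <ShortMessage>Android SQL injection</ShortMessage>
    <SourceLine classname="com.example.app.LoginActivity" start="118"
                sourcefile="LoginActivity.java"/>
  </BugInstance>
  <BugInstance type="HARD_CODE_KEY" priority="2" category="SECURITY">
    <ShortMessage>Hard coded key</ShortMessage>
    <SourceLine classname="com.example.app.CryptoHelper" start="30"
                sourcefile="CryptoHelper.java"/>
  </BugInstance>
  <BugInstance type="DM_DEFAULT_ENCODING" priority="2" category="I18N">
    <ShortMessage>Reliance on default encoding</ShortMessage>
    <SourceLine classname="com.example.app.LoginActivity" start="140"
                sourcefile="LoginActivity.java"/>
  </BugInstance>
</BugCollection>
"""


def parse_findings(xml_text, category="SECURITY"):
    """Return the BugInstance entries of one category as dicts."""
    findings = []
    for bug in ET.fromstring(xml_text).iter("BugInstance"):
        if bug.get("category") != category:
            continue
        loc = bug.find("SourceLine")  # may be absent for class-level bugs
        findings.append({
            "type": bug.get("type"),
            "priority": int(bug.get("priority", "3")),  # 1 = highest
            "file": loc.get("sourcefile", "?") if loc is not None else "?",
            "line": int(loc.get("start", "0")) if loc is not None else 0,
        })
    return findings


def should_fail(findings, max_priority=1):
    """True when any finding is at or above the priority the job tolerates."""
    return any(f["priority"] <= max_priority for f in findings)


def main(argv):
    if len(argv) > 1:  # path to the report produced by ./gradlew findSecurityBugs
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_REPORT
    findings = parse_findings(xml_text)
    for f in sorted(findings, key=lambda f: f["priority"]):
        print(f"P{f['priority']} {f['type']} at {f['file']}:{f['line']}")
    return 1 if should_fail(findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a post-build step with the report path as its argument; a non-zero exit marks the Jenkins build as failed while the HTML/XML report stays available for publishing.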
