
Security Automation in your Continuous Integration Pipeline

FsReveal

Jimmy Byrd

https://theangrybyrd.github.io/OWASPPipelineSlides

Jimmy Byrd?

Binary Defense Systems

Continuous what now?

Continuous Integration

Continuous Integration is a software development practice where members of a team integrate their work frequently . . . Each integration is verified by an automated build (including test) to detect integration errors as quickly as possible.

Martin Fowler

Why?

To prevent:

Works on my machine

Merging code

Merging code

Continuous Integration

  1. Push
  2. Build*
  3. Test
  4. Report
./build.sh

---------------------------------------------------------------------
Build Report
---------------------------------------------------------------------
Target           Duration
------           --------
RestoreNpm       00:00:32.4737389
PackWebAssets    00:00:03.7281990
Linter           00:00:03.3159012
Compile          00:00:22.2821302
RunTests         00:00:04.9936549
ScanCode         00:02:04.0223912
Status:          Ok 
---------------------------------------------------------------------

CI Tools

Software Testing

First test

Automated testing hierarchy

Automated Testing Pyramid

Why aren't we writing security tests?

Baby Rhino Escape

Security is an -ility

Much like accessibility, scalability, privacy

What are we trying to solve?

Cross Site Scripting

Car fall

Committing the production database password to source control

Pearl freaking out

Storing plain text passwords

Mr Universe

Sql Injection

Lars Fire

Why don't we have both?

Why not both

The Rugged Manifesto

I am rugged and, more importantly, my code is rugged.

I recognize that software has become a foundation of our modern world.

I recognize the awesome responsibility that comes with this foundational role.

I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.

I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security.

I recognize these things – and I choose to be rugged.

I am rugged because I refuse to be a source of vulnerability or weakness.

I am rugged because I assure my code will support its mission.

I am rugged because my code can face these challenges and persist in spite of them.

I am rugged, not because it is easy, but because it is necessary and I am up for the challenge.

OWASP/Glue

Glue is a framework for running a series of tools. Generally, it is intended as a backbone for automating a security analysis pipeline of tools.

Github README

Recently renamed

s/pipeline/glue

Maintainers

Four simple concepts

  • Mounters
  • Tasks
  • Filters
  • Reporters

What's in the box? (MOUNTERS)

  • Docker
  • File System
  • Git
  • ISO
  • URL

What's in the box? (TASKS)

What's in the box? (FILTERS)

  • Jira
  • Zap

What's in the box? (REPORTERS)

  • CSV
  • Jira
  • Json
  • Text

Getting started

Native

gem install owasp-glue

Docker

docker pull owasp/glue
docker run -i -t --entrypoint=/bin/bash owasp/glue

Help

glue --help

Hello World!

glue -t eslint,retirejs https://github.com/OWASP/NodeGoat.git

Hello World output

Finding: NodeGoat.git
Description: Package uglify-js-2.4.24 has known security issues
Timestamp: 2016-06-24 14:43:35 +0000
Source: {:scanner=>"RetireJS", 
         :file=>"owasp-nodejs-goat->swig->uglify-js-2.4.24", 
         :line=>nil, 
         :code=>nil}
Severity: 0
Fingerprint:  041c4f08bd5a3decc502217f15b7787b654b800e092ffadb939bd99e4e2cf26d
Detail:  https://nodesecurity.io/advisories/48

Tasks

Tools vs Labels

Have to go code spelunking

cd ./lib/glue/tasks

Example from Brakeman.rb

def initialize(trigger, tracker)
  super(trigger, tracker)
  @name = "Brakeman"
  @description = "Source analysis for Ruby"
  @stage = :code
  @labels << "code" << "ruby" << "rails"
end

Important pieces

  • Name (without spaces) = Tool
  • Labels = Labels

All tools

av.rb:              "av"
brakeman.rb:        "brakeman"
bundle-audit.rb:    "bundleaudit"
checkmarx.rb:       "checkmarx"
dawnscanner.rb:     "dawnscanner"
eslint.rb:          "eslint"
fim.rb:             "fim"
findsecbugs.rb:     "findsecuritybugs"
nsp.rb:             "nodesecurityproject"
owasp-dep-check.rb: "owaspdependencycheck"
pmd.rb:             "pmd"
retirejs.rb:        "retirejs"
scanjs.rb:          "scanjs"
sfl.rb:             "sfl"
zap.rb:             "zap"

Tools example

glue -t brakeman,eslint

This will run brakeman and eslint

All Labels

av.rb:              "filesystem"
brakeman.rb:        "code", "ruby", "rails"
bundle-audit.rb:    "code", "ruby"
checkmarx.rb:       "code"
dawnscanner.rb:     "code"
eslint.rb:          "code", "javascript"
fim.rb:             "filesystem"
findsecbugs.rb:     "code"
nsp.rb:             "code"
owasp-dep-check.rb: "code", "java", ".net"
pmd.rb:             "code"
retirejs.rb:        "code", "javascript"
scanjs.rb:          "code", "javascript"
sfl.rb:             "code"
zap.rb:             "live"

Labels example

glue -l ruby

This will run brakeman and bundle-audit

Building your own task/filter/reporter is pretty easy
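The Brakeman.rb excerpt above shows the shape Glue expects of a task: a name (what `-t` selects on), a description, a stage and a set of labels (what `-l` selects on). Below is an added example written in that shape, not code from Glue itself, for one of the problems named earlier in the deck: the production database password committed to source control. The `BaseTask`, `Trigger` and `Finding` classes are local stand-ins written for this example so it runs without the gem; they are assumed to mirror Glue's base task (`initialize(trigger, tracker)`, `report`) and its finding fields, and the regexes, severity scale and sample repository are constructed for illustration.

```ruby
require 'digest'
require 'set'
require 'tmpdir'
require 'fileutils'

# Stand-ins for the Glue pieces a task inherits and reports into. Assumed to mirror
# Glue::BaseTask and Glue::Finding; written here so the example runs without the gem.
Trigger = Struct.new(:appname, :path)
Finding = Struct.new(:appname, :description, :detail, :source, :severity, :fingerprint, :task)

class BaseTask
  attr_reader :findings, :labels, :name, :description, :stage

  def initialize(trigger, tracker)
    @trigger  = trigger
    @tracker  = tracker
    @findings = []
    @labels   = Set.new
  end

  def report(description, detail, source, severity, fingerprint)
    @findings << Finding.new(@trigger.appname, description, detail, source,
                             severity, fingerprint, self.class.name)
  end
end

# A task in the Brakeman.rb shape: find credentials committed to the mounted source tree.
class CommittedSecrets < BaseTask
  # Illustrative patterns only; a real task would wrap a dedicated tool or a larger rule set.
  PATTERNS = {
    "AWS access key id"   => /\bAKIA[0-9A-Z]{16}\b/,
    "Private key block"   => /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/,
    "Password assignment" => /\b(?:password|passwd|pwd)\s*[:=]\s*["'][^"']{6,}["']/i
  }.freeze
  SKIP_DIRS = %w[.git node_modules vendor].freeze

  def initialize(trigger, tracker)
    super(trigger, tracker)
    @name = "CommittedSecrets"            # no spaces: this is the tool name for -t
    @description = "Regex scan for credentials committed to source"
    @stage = :code
    @labels << "code" << "secrets"        # label names for -l
    @hits = []
  end

  # run: do the work over the mounted path (Glue calls run, then analyze)
  def run
    root = @trigger.path
    Dir.glob(File.join(root, "**", "*"), File::FNM_DOTMATCH).each do |path|
      next unless File.file?(path)
      rel = path.sub(%r{\A#{Regexp.escape(root)}/?}, "")
      next if rel.split("/").any? { |seg| SKIP_DIRS.include?(seg) }
      File.foreach(path).with_index(1) do |line, lineno|
        text = line.scrub.chomp             # tolerate binary junk in the tree
        PATTERNS.each do |label, re|
          @hits << [rel, lineno, label, text] if text.match?(re)
        end
      end
    end
  end

  # analyze: turn raw hits into findings
  def analyze
    @hits.each do |rel, lineno, label, text|
      # Fingerprint the task, relative path, rule and matched text, not the absolute path
      # or line number, so the same secret hashes the same on every checkout and a filter
      # can dedupe or suppress it across runs. Severity 3 = high on an assumed 0..3 scale.
      fp = Digest::SHA256.hexdigest([@name, rel, label, text.strip].join("|"))
      report("#{label} committed to source control", "#{rel}:#{lineno}",
             { scanner: @name, file: rel, line: lineno, code: text.strip }, 3, fp)
    end
  end

  def supported?
    true                                  # pure Ruby, nothing to shell out to
  end
end

# Constructed sample repository so the task can be exercised offline.
def scan_sample_repo
  Dir.mktmpdir do |dir|
    FileUtils.mkdir_p(File.join(dir, "config"))
    File.write(File.join(dir, "config", "database.yml"),
               "production:\n  password: \"s3cr3tProdPass!\"\n")
    File.write(File.join(dir, "deploy.sh"),
               "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n")
    File.write(File.join(dir, "README.md"), "Run ./build.sh\n")
    task = CommittedSecrets.new(Trigger.new("sample", dir), nil)
    task.run
    task.analyze
    task.findings
  end
end

if __FILE__ == $0
  scan_sample_repo.each do |f|
    puts "Finding: #{f.appname}\nDescription: #{f.description}\nSource: #{f.source.inspect}\n" \
         "Severity: #{f.severity}\nFingerprint: #{f.fingerprint}\n\n"
  end
end
```

Run it stand-alone and it prints two findings in the same Finding/Description/Source/Severity/Fingerprint layout as the Hello World output above. The fingerprint is the part that matters for a pipeline: it is what a filter or reporter keys on to decide whether a finding is new, so it must not include anything that changes between checkouts.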

OWASP/ZAP

The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools [...] It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications.

Getting started

Native

Download page

Docker

docker pull owasp/zap2docker-stable
docker run -i -t --entrypoint=/bin/bash owasp/zap2docker-stable

GUI

docker run -u zap -p 8080:8080 -p 8090:8090 -i \
  owasp/zap2docker-stable zap-webswing.sh

open "http://$(docker-machine ip default):8080/?anonym=true&app=ZAP"

Headless

docker run -u zap -p 8080:8080 -i owasp/zap2docker-stable \
  zap-x.sh -daemon -host 0.0.0.0 -port 8080

Rest APIs

zap-cli

docker run -i owasp/zap2docker-stable zap-cli quick-scan --self-contained \
  --start-options '-config api.disablekey=true' http://target

Results

+----------------------------------+--------+----------+------------------------+
| Alert                            | Risk   |   CWE ID | URL                    |
+==================================+========+==========+========================+
| Cross Site Scripting (Reflected) | High   |       79 | http://web:4000/login  |
+----------------------------------+--------+----------+------------------------+
| Cross Site Scripting (Reflected) | High   |       79 | http://web:4000/signup |
+----------------------------------+--------+----------+------------------------+
| Cross Site Scripting (Reflected) | High   |       79 | http://web:4000/signup |
+----------------------------------+--------+----------+------------------------+
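The table above is a report for a human; a CI step needs a pass/fail. The following is an added example, not part of zap-cli or of the original slides, of a gate that reads ZAP's alerts in JSON form (the key names `alert`, `risk`, `cweid`, `url` and `param` are those of ZAP's alerts API; producing the file with `zap-cli alerts -f json` after the scan is the assumed invocation), fails the build at or above a chosen risk level, and lets a baseline file of accepted fingerprints suppress known findings so that the "first time on your code" run does not block every build until the backlog is cleared. The sample alerts are constructed from the three rows above plus one Low alert; the threshold default and the file layout are choices made for this example.

```ruby
require 'json'
require 'digest'

# Constructed sample in the shape of zap-cli's JSON alert output (same keys as ZAP's
# core/view/alerts API): the three rows from the quick-scan table plus one Low alert.
SAMPLE_ALERTS = JSON.generate([
  { "alert" => "Cross Site Scripting (Reflected)", "risk" => "High", "cweid" => "79",
    "url" => "http://web:4000/login",  "param" => "username", "confidence" => "Medium" },
  { "alert" => "Cross Site Scripting (Reflected)", "risk" => "High", "cweid" => "79",
    "url" => "http://web:4000/signup", "param" => "email",    "confidence" => "Medium" },
  { "alert" => "Cross Site Scripting (Reflected)", "risk" => "High", "cweid" => "79",
    "url" => "http://web:4000/signup", "param" => "password", "confidence" => "Medium" },
  { "alert" => "X-Content-Type-Options Header Missing", "risk" => "Low", "cweid" => "16",
    "url" => "http://web:4000/", "param" => "X-Content-Type-Options", "confidence" => "Medium" }
])

RISK_RANK = { "Informational" => 0, "Low" => 1, "Medium" => 2, "High" => 3 }.freeze

# Stable id for an alert: the same finding against the same URL and parameter hashes the
# same on every run, so an accepted finding can be listed in a baseline file by fingerprint.
def alert_fingerprint(a)
  Digest::SHA256.hexdigest([a["alert"], a["cweid"], a["url"], a["param"]].join("|"))
end

# Decide pass/fail for a JSON document of alerts.
#   fail_on:  lowest risk level that fails the build (unknown level raises KeyError on purpose)
#   baseline: fingerprints of findings accepted for now; they are reported but do not block
# Returns { pass:, blocking:, suppressed: }.
def gate(json, fail_on: "Medium", baseline: [])
  threshold = RISK_RANK.fetch(fail_on)
  uniq = {}
  JSON.parse(json).each { |a| uniq[alert_fingerprint(a)] ||= a }   # collapse exact repeats
  blocking, suppressed = [], []
  uniq.each do |fp, a|
    next if RISK_RANK.fetch(a["risk"], 0) < threshold               # below the bar: ignore
    (baseline.include?(fp) ? suppressed : blocking) << a.merge("fingerprint" => fp)
  end
  { pass: blocking.empty?, blocking: blocking, suppressed: suppressed }
end

def print_report(result)
  result[:blocking].each do |a|
    puts "BLOCK    #{a['risk'].ljust(6)} CWE-#{a['cweid']} #{a['alert']} #{a['url']} " \
         "(#{a['param']}) #{a['fingerprint'][0, 12]}"
  end
  result[:suppressed].each do |a|
    puts "BASELINE #{a['risk'].ljust(6)} #{a['alert']} #{a['url']} (#{a['param']})"
  end
  puts "Status:  #{result[:pass] ? 'Ok' : 'FAIL'}"
end

if __FILE__ == $0
  # With no arguments the built-in sample is gated; with a real alerts file the exit status
  # is what the CI job should fail on. The baseline file is one fingerprint per line.
  json     = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_ALERTS
  baseline = ARGV[1] ? File.readlines(ARGV[1], chomp: true) : []
  result   = gate(json, fail_on: ENV.fetch("ZAP_FAIL_ON", "Medium"), baseline: baseline)
  print_report(result)
  exit 1 if ARGV[0] && !result[:pass]
end
```

Against the sample this prints three BLOCK lines and `Status: FAIL`; the Low alert is ignored at the default Medium threshold. Commit a baseline only for findings someone has actually triaged, and treat a growing baseline as a bug backlog, not as a way to keep the build green.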

First time on your code

Bug report

Knowing is half the battle

GI Joe

Resources