Continuous CFML Security with Fixinator
Coding is fun!
But development is hard
We have a lot on our plate
Complicated attacks like buffer overflows are no longer necessary
The Equifax breach was caused by using a vulnerable Java library: Apache Struts
Struts was patched on March 7th 2017
Equifax discovered breach on July 29th 2017
Equifax applied the patch on July 30th, 2017
"As many as 10,801 organizations—including 57% of the Fortune Global 100—have downloaded known-to-be-vulnerable versions of Apache Struts"
One year later...
"Nearly 60% of breaches due to un-patched vulnerability"
-- ServiceNow Survey
Using libraries with known vulnerabilities
makes the attacker's job easy
Security is easily forgotten or ignored
We need tools that find vulnerable libraries and other vulnerabilities in our code.
So we built Fixinator
A CFML Code Security Scanner.
- Based on real world experience.
- Finds known vulnerabilities in third-party CFML, JS & JAR files.
- Finds security vulnerabilities in your CFML code.
Unique Fixinator Features
- Automatic / Guided Fixing of Vulnerabilities
- Finds known vulnerabilities in CFML libraries
- Scans box.json dependencies as well
- Built-in support for Continuous Integration
Running Fixinator on your code is great but...
You have to take the time to run it
- Let's not forget how busy you are!
- While you may be excited at first, you will lose interest and forget to scan your code.
If only there were a machine that could do repeatable tasks well without forgetting.
Continuous Integration (CI)
Code that runs automatically based on some trigger (usually commit to source control)
What CI Tool Should I use?
- You have many choices: CircleCI, TravisCI, Azure DevOps, BitBucket Pipelines, GitHub Actions, GitLab Pipelines, etc.
- Fixinator works on all of them!
- Does your source control have something built in? GitLab, BitBucket
- If yes, look no further.
- Azure DevOps can connect to any repo, even subversion.
- Set up a trigger - usually the trigger fires whenever code is committed to the repository.
- Set up variables - all CI tools let you set environment variables, and most support secrets (good for API keys, etc.).
- Define a build script - a sequence of commands that is executed when the trigger fires.
Example Build Script
  image: java:8
  before_script:
    - curl --location -o /tmp/box.zip https://example.com/box.zip
    - unzip /tmp/box.zip -d /tmp/
    - chmod a+x /tmp/box
    - /tmp/box install fixinator
  fixinator:
    script:
      - /tmp/box fixinator path=. confidence=high
CI Execution (trigger)
- The CI tool starts a new execution environment (usually a container) and defines the variables you have set.
- The CI tool checks out a copy of the code from your repository into the container.
- It executes your build script.
- Optionally it reports test results or a status back to you.
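The build script above is a one-liner per CI tool. The script below is an added example (not from the slides and not Foundeo's code) of the same procedure written as a reusable POSIX shell file, so the secret check, the scan and the result file are the same on every CI tool. Assumptions: CommandBox has been installed to the path in BOX (default /tmp/box, as in the deck's example), the API key is provided as the secret environment variable FIXINATOR_API_KEY, and the severity, resultFile and resultFormat parameters are as documented for the Fixinator CLI; the build fails when box exits non-zero, which is how CI tools treat any failing command.

```shell
#!/bin/sh
# ci-scan.sh - run Fixinator as a CI step (added example; assumptions noted above).

# Path to the CommandBox binary; the deck's build script unzips it to /tmp/box.
BOX="${BOX:-/tmp/box}"

# Fail fast if a required secret is missing, without echoing its value into the CI log.
require_secret() {
    name="$1"
    eval "val=\${$name:-}"
    if [ -z "$val" ]; then
        echo "ERROR: $name is not set; add it as a secret variable in your CI tool" >&2
        return 1
    fi
    echo "ok: $name is set (value withheld from log)"
}

# Scan a directory and write a JUnit-style result file that the CI tool can report on.
# The parameter names (path, confidence, severity, resultFile, resultFormat) are assumed
# from the Fixinator CLI documentation.
scan() {
    target="${1:-.}"
    report="${2:-fixinator-results.xml}"
    "$BOX" fixinator path="$target" confidence=high severity=medium \
        resultFile="$report" resultFormat=junit
}

# Entry point for the CI step: check the secret, then scan; return box's exit status.
ci_main() {
    require_secret FIXINATOR_API_KEY || return 1
    scan "$@"
}

# Usage in a CI step:  sh -c '. ./ci-scan.sh && ci_main .'
```

The API key is read only by box through the environment; the script never interpolates it into a command line, so it cannot leak through the CI tool's command echo.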
Additional CI Guides
- For BitBucket, TravisCI, CircleCI, GitLab Pipelines, Azure DevOps:
More Guides in Progress:
- AWS CodeBuild
- GitHub Actions (beta)
- Missing your CI tool? let me know
Let's get real
Setting up an Azure DevOps Pipeline to run Fixinator
- $64 / $128 per month
- Runs over the cloud-based API
- $256 per month
- Run locally / internally
- Or over the cloud-based API
Foundeo Continuous Security Bundle
Pricing Starts at $96/month
Request an API Key
Continuous CFML Security with Fixinator
By Pete Freitag