Continous CFML Security with Fixinator

Coding is fun!

But development is hard

We have a lot on our plate 

No longer are complicated attacks like buffer overflows necessary

The equifax breach was caused by using a vulnerable java library: Apache Struts

Struts was patched on March 7th 2017

Equifax discovered breach on July 29th 2017

Equifax applied the patch on July 30th, 2017

"As many as 10,801 organizations—including 57% of the Fortune Global 100—have downloaded known-to-be-vulnerable versions of Apache Struts"

One year later...

"Nearly 60% of breaches due to un-patched vulnerability"

-- ServiceNow Survey

Using libraries with known vulnerabilities

makes the attackers job easy

Security is easily forgotten or ignored

We need tools to help us find vulnerable libraries and other vulnerable stuff in our code.

So we built Fixinator

A CFML Code Security Scanner.

  • Based on real world experience.
  • Finds third party known vulnerabilities in CFML, JS & JAR files.
  • Finds security vulnerabilities in your CFML code.

Demo Fixinator

Unique Fixinator Features

  • Automatic / Guided Fixing of Vulnerabilities
  • Finds known vulnerabilities in CFML libraries
    • Scans box.json dependencies as well
  • Builtin support for Continuos Integration

ContinuousSecurity? 

Running Fixinator on  your code is great but...

  • You have to take the time to run it
    • Let's not forget how busy you are!
  • While you may be excited at first, you will lose interest and forget to scan your code.

If only there was a machine that can do repeatable tasks well without forgettting.

Continuous Integreation (CI)

Code that runs automatically based on some trigger (usually commit to source control)

CI Tools

What CI Tool Should I use?

  • You have many choices: CircleCI, TravisCI, Azure DevOps, BitBucket Pipelines, GitHub Actions, GitLab Pipelines, etc.
    • Fixinator works on all of them!
  • Does your source control have something builtin? GitLab, BitBucket
    • If yes, look no further.
  • Azure DevOps can connect to any repo, even subversion.

CI Basics

The Setup

  1. Setup a trigger - usually this is whenever code is committed to the repository, the trigger is fired.
  2. Setup Variables - all CI tools allow you to se environment variables, most even support secrets (good for API keys, etc).
  3. Define a build script - this is a sequence of commands that are executed when the trigger is pulled.
image: java:8

before_script:
  - curl --location -o /tmp/box.zip https://example.com/box.zip
  - unzip /tmp/box.zip -d /tmp/
  - chmod a+x /tmp/box
  - /tmp/box install fixinator

fixinator: 
  script:
    - /tmp/box fixinator path=. confidence=high

gitlab-ci.yml

Example Build Script

CI Execution (trigger)

  1. CI tool starts a new execution environment (usually a container) and defines the variables you have set.
  2. The CI tool will checkout a copy of the code from your repository in the container.
  3. Executes your build script
  4. Optionally reports test results or a status back to you

Example Results

Additional CI Guides

Let's get real

Setting up an Azure DevOps Pipeline to run Fixinator

Starter/Fixer

  • $64 / $128 per month
  • Runs over cloud based API

Enterprise

  • $256 per month
  • Run locally / internally
  • Or over cloud based API

Fixinator

Foundeo Continuous Security Bundle

+

+

Fixinator

FuseGuard

HackMyCF

Pricing Starts at $96/month

Request an API Key

https://fixinator.app/try/

Thank You!

Questions?

Continuous CFML Security with Fixinator

By Pete Freitag

Continuous CFML Security with Fixinator

Learn how to leverage Fixinator (https://fixinator.app/) to achieve continuous ColdFusion / CFML code security scanning.

  • 175

More from Pete Freitag