Left Shift

Cybersecurity

Kevin Wittek

Technical Lead @ GDATA Advanced Analytics

Freelancer @ Styracosoft GbR

Testcontainers Committer

https://groovy-coder.com/

         @Kiview

          https://github.com/kiview

Karsten Tellmann

Manager Web Security Solutions @ GDATA Advanced Analytics

        @gdata_adan

        https://cyber.wtf/

Classic Development Pipeline

Excursion: Pentesting

  • Usually part of a quality gateway
  • Often misplaced in the classical development process:
    • Too early => Nothing productive to test
    • Too late => Critical findings threaten the release date
  • What is the motivation for a pentest?

Motivation

  • Integrate security into fast DevOps cycles
  • Find low hanging fruits by automated tools
  • Use pentests for more complex issues
  • Security awareness in developer context

Modern build pipeline

Stage                  Available Artifacts
Build                  Source Code, Byte Code, Dependencies
Docker build           Container Image
Staging / Production   Container Image, Configured Environment

Modern build pipeline

Dependency Check

Demo

Excursion: CVE, CPE, GAV

  • CVE: Common Vulnerabilities and Exposures
  • CPE: Common Platform Enumeration
  • GAV: Maven Group:Artifact:Version

Excursion: CVE, CPE, GAV

  <entry id="CVE-2012-5055">
  ...
    <vuln:vulnerable-software-list>
      <vuln:product>cpe:/a:vmware:springsource_spring_security:3.1.2</vuln:product>
      <vuln:product>cpe:/a:vmware:springsource_spring_security:2.0.4</vuln:product>
      <vuln:product>cpe:/a:vmware:springsource_spring_security:3.0.1</vuln:product>
    </vuln:vulnerable-software-list>
  ...
  </entry>

cpe:/[Entry Type]:[Vendor]:[Product]:[Version]:[Revision]:…

<!-- org.springframework.security:spring-security-core:3.0.1.RELEASE -->
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
    <version>3.0.1.RELEASE</version>
</dependency>
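The matching step a dependency check has to perform between the two identifier worlds above, as an added example (not code from the talk or from any scanner): parse the CPE URI into its fields, strip the Maven qualifier from the GAV version, and look the artifact up in an NVD-style entry. The NVD XML document is constructed from the slide's CVE-2012-5055 snippet, the `vuln` namespace URI is the one used by the NVD 1.2 feeds, and the GAV-to-CPE table is a hypothetical stand-in for the evidence-based matching a real scanner does.

```python
import re
import xml.etree.ElementTree as ET

# Constructed NVD-style document modelled on the CVE-2012-5055 slide.
# The vuln namespace URI is the one the NVD 1.2 XML feeds use (assumption).
NVD_XML = """<nvd xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4">
<entry id="CVE-2012-5055">
  <vuln:vulnerable-software-list>
    <vuln:product>cpe:/a:vmware:springsource_spring_security:3.1.2</vuln:product>
    <vuln:product>cpe:/a:vmware:springsource_spring_security:2.0.4</vuln:product>
    <vuln:product>cpe:/a:vmware:springsource_spring_security:3.0.1</vuln:product>
  </vuln:vulnerable-software-list>
</entry>
</nvd>"""
NS = {"vuln": "http://scap.nist.gov/schema/vulnerability/0.4"}
# Hypothetical GAV -> CPE vendor/product table. A real scanner derives this
# from artifact evidence (pom metadata, manifest) with fuzzy matching.
GAV_TO_CPE = {"org.springframework.security:spring-security-core": ("vmware", "springsource_spring_security")}
CPE_FIELDS = ["type", "vendor", "product", "version", "revision", "edition", "language"]

def parse_cpe(cpe):
    """Split a cpe:/ URI into named components; trailing fields may be absent."""
    if not cpe.startswith("cpe:/"):
        raise ValueError("not a cpe:/ URI: %s" % cpe)
    return dict(zip(CPE_FIELDS, cpe[len("cpe:/"):].split(":")))

def core_version(maven_version):
    """'3.0.1.RELEASE' -> '3.0.1': keep leading numeric segments, drop qualifiers."""
    m = re.match(r"\d+(?:\.\d+)*", maven_version)
    return m.group(0) if m else maven_version

def load_entries(xml_text):
    """Return {cve_id: [parsed CPE dicts]} from an NVD-style XML document."""
    root = ET.fromstring(xml_text)
    path = "vuln:vulnerable-software-list/vuln:product"
    return {e.get("id"): [parse_cpe(p.text.strip()) for p in e.findall(path, NS)]
            for e in root.iter("entry")}

def find_cves(gav, entries):
    """CVEs whose CPE list names the exact vendor/product/version of a Maven GAV."""
    group, artifact, version = gav.split(":")
    match = GAV_TO_CPE.get(group + ":" + artifact)
    if match is None:
        return []
    vendor, product, wanted = match[0], match[1], core_version(version)
    return sorted(cve for cve, cpes in entries.items()
                  if any(c.get("vendor") == vendor and c.get("product") == product
                         and c.get("version") == wanted for c in cpes))
```

Exact-version matching is deliberately the simplest case; NVD entries also express version ranges, which a production check has to evaluate as well.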

Patton

https://github.com/BBVA/patton-server

POST /api/v1/check-dependencies/ HTTP/1.1
Host: patton.owaspmadrid.org
Content-Type: application/json

{
    "method": "auto",
    "source": "auto",
    "libraries" : [
        {
            "library": "django",
            "version": "1.2"
        },
        {
            "library": "postgres",
            "version": "8"
        }
    ]
}

HTTP/1.1 200 OK
Vary: Accept
Content-Type: application/json

{
       "django:1.2": {
           "cpes": [
               "cpe:/a:djangoproject:django:1.2.1",
               "cpe:/a:djangoproject:django:1.2.4",
               "cpe:/a:djangoproject:django:1.2.3",
               "cpe:/a:djangoproject:django:1.2",
               "cpe:/a:djangoproject:django:1.2.2",
               "cpe:/a:djangoproject:django:1.2.6",
               "cpe:/a:djangoproject:django:1.2.2",
               "cpe:/a:djangoproject:django:1.2.3",
               "cpe:/a:djangoproject:django:1.2.4",
               "cpe:/a:djangoproject:django:1.2.4"
           ],
           "cves": [
               {
                   "cve": "CVE-2011-0698",
                   "score": 7.5
               },
               {
                   "cve": "CVE-2011-0698",
                   "score": 7.5
               },
               {
                   "cve": "CVE-2011-0698",
                   "score": 7.5
               },
               {
                   "cve": "CVE-2011-0698",
                   "score": 7.5
               }
           ]
       },
       "postgres:8": {
           "cpes": [
               "cpe:/a:postgresql:postgresql:8.4.15",
               "cpe:/a:postgresql:postgresql:8.3.12",
               "cpe:/a:postgresql:postgresql:8.4.13",
               "cpe:/a:postgresql:postgresql:8.3",
               "cpe:/a:postgresql:postgresql:8.3.4",
               "cpe:/a:postgresql:postgresql:8.3",
               "cpe:/a:postgresql:postgresql:8.3.4",
               "cpe:/a:postgresql:postgresql:8.4.3"
           ],
           "cves": [
               {
                   "cve": "CVE-2013-1902",
                   "score": 10
               },
               {
                   "cve": "CVE-2013-1903",
                   "score": 10
               },
               {
                   "cve": "CVE-2013-1903",
                   "score": 10
               }
           ]
       }
 }
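How a pipeline stage could consume a Patton answer like the one above, as an added example (not part of the talk or of the patton-server project): build the request body, collapse the duplicated CPE and CVE entries the service returns, fail the build above a CVSS threshold, and flag lookups whose bare version ("8") matched many different CPE versions. The response is a constructed, shortened copy of the slide's output; the threshold and the ambiguity rule are assumptions.

```python
import json

# Constructed, shortened copy of the Patton response on the slide;
# the repeated CPE and CVE entries are kept because the service returns them.
PATTON_RESPONSE = json.loads("""{
  "django:1.2": {
    "cpes": ["cpe:/a:djangoproject:django:1.2.1", "cpe:/a:djangoproject:django:1.2",
             "cpe:/a:djangoproject:django:1.2.4", "cpe:/a:djangoproject:django:1.2.4"],
    "cves": [{"cve": "CVE-2011-0698", "score": 7.5}, {"cve": "CVE-2011-0698", "score": 7.5}]
  },
  "postgres:8": {
    "cpes": ["cpe:/a:postgresql:postgresql:8.4.15", "cpe:/a:postgresql:postgresql:8.3",
             "cpe:/a:postgresql:postgresql:8.3"],
    "cves": [{"cve": "CVE-2013-1902", "score": 10}, {"cve": "CVE-2013-1903", "score": 10},
             {"cve": "CVE-2013-1903", "score": 10}]
  }
}""")

def build_request(libraries):
    """Body for POST /api/v1/check-dependencies/ from (name, version) pairs."""
    return {"method": "auto", "source": "auto",
            "libraries": [{"library": n, "version": v} for n, v in libraries]}

def summarize(response):
    """Collapse duplicates: unique CPEs and the highest score seen per CVE id."""
    out = {}
    for key, hit in response.items():
        cves = {}
        for c in hit.get("cves", []):
            cves[c["cve"]] = max(cves.get(c["cve"], 0.0), float(c["score"]))
        out[key] = {"cpes": sorted(set(hit.get("cpes", []))), "cves": cves}
    return out

def gate(response, max_score=7.0):
    """Library keys that fail the build: any CVE scored at or above max_score (assumed threshold)."""
    return sorted(key for key, s in summarize(response).items()
                  if s["cves"] and max(s["cves"].values()) >= max_score)

def is_ambiguous(summary_entry):
    """A bare version such as '8' matches many CPE versions; flag it so the
    dependency gets pinned precisely before the result is trusted."""
    versions = {c.split(":")[4] for c in summary_entry["cpes"] if c.count(":") >= 4}
    return len(versions) > 1
```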

Static Code Analysis

https://www.veracode.com/

https://www.checkmarx.com/

https://find-sec-bugs.github.io/

Demo

Image scanning

http://layeredinsight.com/

https://github.com/coreos/clair/

https://docs.docker.com/docker-cloud/builds/image-scan/

Dynamic Scanner

http://www.zaproxy.org/

https://portswigger.net/burp

http://www.arachni-scanner.com/

ZAP + Docker/testcontainers

Excursion: OWASP Top 10

  • A1:2017-Injection (SQLi, ...)
  • A7:2017-Cross-Site Scripting (XSS)
    • Persistent XSS
    • (Reflected, DOM based, Mutation based)

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project

Demo

Gitlab-CI

Security Features

  • Container Scanning
  • Dependency Scanning
  • Static Application Security Testing
  • Dynamic Application Security Testing
    • OWASP ZAP
    • Kubernetes Deployment

Code checks

Container Scanning

Conclusion

  • Integration into build chain possible
  • Security insights for developers
    • Possible without security experts
  • Open Source tools can only provide a small security benefit
    • Commercial products not evaluated

Outlook

  • Increase security awareness inside developer community
  • Security and developer communities need to work together:
    • Shared goal: Better software
    • Shared language would help
  • CD Security is needed

Source: https://twitter.com/signalsciences/status/647533893617238016

Questions?
