Continuous CFML Security with Fixinator
Coding is fun!
But development is hard
We have a lot on our plate
Complicated attacks like buffer overflows are no longer necessary
The Equifax breach was caused by using a vulnerable Java library: Apache Struts
Struts was patched on March 7th 2017
↓
Equifax discovered breach on July 29th 2017
↓
Equifax applied the patch on July 30th, 2017
"As many as 10,801 organizations—including 57% of the Fortune Global 100—have downloaded known-to-be-vulnerable versions of Apache Struts"
One year later...
"Nearly 60% of breaches due to un-patched vulnerability"
-- ServiceNow Survey
Using libraries with known vulnerabilities
makes the attacker's job easy
Security is easily forgotten or ignored
We need tools to help us find vulnerable libraries and other vulnerable stuff in our code.
So we built Fixinator
A CFML Code Security Scanner.
- Based on real world experience.
- Finds third party known vulnerabilities in CFML, JS & JAR files.
- Finds security vulnerabilities in your CFML code.
Demo Fixinator
Unique Fixinator Features
- Automatic / Guided Fixing of Vulnerabilities
- Finds known vulnerabilities in CFML libraries
- Scans box.json dependencies as well
- Builtin support for Continuous Integration
Continuous Security?
Running Fixinator on your code is great but...
- You have to take the time to run it
- Let's not forget how busy you are!
- While you may be excited at first, you will lose interest and forget to scan your code.
If only there was a machine that can do repeatable tasks well without forgetting.
Continuous Integration (CI)
Code that runs automatically based on some trigger (usually commit to source control)
CI Tools
What CI Tool Should I use?
- You have many choices: CircleCI, TravisCI, Azure DevOps, BitBucket Pipelines, GitHub Actions, GitLab Pipelines, etc.
- Fixinator works on all of them!
- Does your source control have something builtin? GitLab, BitBucket
- If yes, look no further.
- Azure DevOps can connect to any repo, even subversion.
CI Basics
The Setup
- Setup a trigger - usually this is whenever code is committed to the repository, the trigger is fired.
- Setup Variables - all CI tools allow you to set environment variables, most even support secrets (good for API keys, etc).
- Define a build script - this is a sequence of commands that are executed when the trigger is fired.
image: java:8
before_script:
  - curl --location -o /tmp/box.zip https://example.com/box.zip
  - unzip /tmp/box.zip -d /tmp/
  - chmod a+x /tmp/box
  - /tmp/box install fixinator
fixinator:
  script:
    - /tmp/box fixinator path=. confidence=high
gitlab-ci.yml
Example Build Script
CI Execution (trigger)
- CI tool starts a new execution environment (usually a container) and defines the variables you have set.
- The CI tool will checkout a copy of the code from your repository in the container.
- Executes your build script
- Optionally reports test results or a status back to you
Example Results
- BitBucket
Additional CI Guides
- For BitBucket, TravisCI, CircleCI, GitLab Pipelines, Azure DevOps:
More Guides in Progress:
- Jenkins
- AWS CodeBuild
- GitHub Actions (beta)
- Missing your CI tool? let me know
Let's get real
Setting up an Azure DevOps Pipeline to run Fixinator
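An Azure DevOps pipeline definition (azure-pipelines.yml) that applies the three CI basics above (trigger, variables, build script) to the Fixinator job, added here as an example; it is not part of the original deck or of Fixinator's own documentation. It assumes the hosted agent image already provides Java, that CommandBox is downloaded from the same placeholder URL the GitLab example uses, and that Fixinator reads its key from an environment variable named FIXINATOR_API_KEY, all of which you should check against your own setup. The key is stored as a secret pipeline variable and mapped explicitly through env:, because Azure Pipelines does not expose secret variables to scripts automatically.

```yaml
# Trigger: run on every commit to the main branch (step 1 of the CI basics).
trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'   # assumption: this image already provides a Java runtime

# Variables: non-secret settings can live here in the YAML.
# The API key must NOT be placed here; define FIXINATOR_API_KEY as a *secret*
# variable in the pipeline UI (Pipelines > Edit > Variables) so it never
# lands in source control or in the build log.
variables:
  FIXINATOR_CONFIDENCE: 'high'

steps:
  # Build script, part 1: install CommandBox and the Fixinator command,
  # mirroring the gitlab-ci.yml example (placeholder download URL).
  - script: |
      curl --location -o /tmp/box.zip https://example.com/box.zip
      unzip /tmp/box.zip -d /tmp/
      chmod a+x /tmp/box
      /tmp/box install fixinator
    displayName: 'Install CommandBox and Fixinator'

  # Build script, part 2: scan the checked-out repository.
  # Secret variables are only visible to a script when mapped via env:,
  # so the secret is handed to this step explicitly and nowhere else.
  - script: /tmp/box fixinator path=. confidence=$(FIXINATOR_CONFIDENCE)
    displayName: 'Run Fixinator scan'
    env:
      FIXINATOR_API_KEY: $(FIXINATOR_API_KEY)   # assumption: the env var name Fixinator reads
```

A non-zero exit from the scan step fails the pipeline, which is what makes the result show up as a red build instead of a report nobody reads.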
Starter/Fixer
- $64 / $128 per month
- Runs over cloud based API
Enterprise
- $256 per month
- Run locally / internally
- Or over cloud based API
Fixinator
Foundeo Continuous Security Bundle
Fixinator + FuseGuard + HackMyCF
Pricing Starts at $96/month
Request an API Key
https://fixinator.app/try/
Thank You!
Questions?
By Pete Freitag
Learn how to leverage Fixinator (https://fixinator.app/) to achieve continuous ColdFusion / CFML code security scanning.