But development is hard

We have a lot on our plate 

No longer are complicated attacks like buffer overflows necessary

The equifax breach was caused by using a vulnerable java library: Apache Struts

Struts was patched on March 7th 2017

↓

Equifax discovered breach on July 29th 2017

↓

Equifax applied the patch on July 30th, 2017

source: https://epic.org/privacy/data-breach/equifax/

"As many as 10,801 organizations—including 57% of the Fortune Global 100—have downloaded known-to-be-vulnerable versions of Apache Struts"

Source: http://fortune.com/2018/05/07/security-equifax-vulnerability-download/

One year later...

"Nearly 60% of breaches due to un-patched vulnerability"

-- ServiceNow Survey

Using libraries with known vulnerabilities

makes the attackers job easy

So we built Fixinator

A CFML Code Security Scanner.

• Based on real world experience.
• Finds third party known vulnerabilities in CFML, JS & JAR files.
• Finds security vulnerabilities in your CFML code.

Demo Fixinator

Unique Fixinator Features

• Automatic / Guided Fixing of Vulnerabilities
• Finds known vulnerabilities in CFML libraries
  • Scans box.json dependencies as well
• Builtin support for Continuos Integration

ContinuousSecurity? 

Running Fixinator on  your code is great but...

• You have to take the time to run it
  • Let's not forget how busy you are!
• While you may be excited at first, you will lose interest and forget to scan your code.

If only there was a machine that can do repeatable tasks well without forgettting.

Continuous Integreation (CI)

Code that runs automatically based on some trigger (usually commit to source control)

CI Tools

What CI Tool Should I use?

• You have many choices: CircleCI, TravisCI, Azure DevOps, BitBucket Pipelines, GitHub Actions, GitLab Pipelines, etc.
  • Fixinator works on all of them!
• Does your source control have something builtin? GitLab, BitBucket
  • If yes, look no further.
• Azure DevOps can connect to any repo, even subversion.

CI Basics

The Setup

1. Setup a trigger - usually this is whenever code is committed to the repository, the trigger is fired.
2. Setup Variables - all CI tools allow you to se environment variables, most even support secrets (good for API keys, etc).
3. Define a build script - this is a sequence of commands that are executed when the trigger is pulled.

gitlab-ci.yml

https://github.com/foundeo/fixinator/wiki/Running-Fixinator-on-GitLab

Example Build Script

CI Execution (trigger)

1. CI tool starts a new execution environment (usually a container) and defines the variables you have set.
2. The CI tool will checkout a copy of the code from your repository in the container.
3. Executes your build script
4. Optionally reports test results or a status back to you

Example Results

• BitBucket
  • Setup Instructions: https://github.com/foundeo/fixinator/wiki/Running-Fixinator-on-Bitbucket
  • Example Pass: https://bitbucket.org/pfreitag/fixinator-example-pass/addon/pipelines/home#!/results/4
  • Example Fail: https://bitbucket.org/pfreitag/fixinator-example-fail/addon/pipelines/home#!/results/4

Additional CI Guides

• For BitBucket, TravisCI, CircleCI, GitLab Pipelines, Azure DevOps:
  • https://github.com/foundeo/fixinator/wiki/Continuous-Integration-Guide
• ​More Guides in Progress:
  • Jenkins
  • AWS CodeBuild
  • GitHub Actions (beta)
  • Missing your CI tool? let me know