3. Table of Contents
• Security in projects
• OWASP ASVS
• Examples:
– Unit tests
– Static code analysis
– Dynamic code analysis (sorry, maybe next time… only a bit)
13. OWASP Application Security Verification Standard (ASVS)
• Provides a list of requirements for secure development
• Defines different security assurance levels (Opportunistic, Standard, Advanced, also called Level 1, 2, 3)
19. Why do we have to deal with HTTP?
• It’s the trust boundary between the client and the server
• It offers maximum flexibility by allowing request manipulation on the text/byte level
• One can fabricate requests that the client side of the application would never generate, so client-side validation proves nothing about what the server will receive
• This is what the hackers are doing :)
20. What does X-XSS-Protection do?
• Tells the browser's built-in (reflected) XSS filter how to behave
• Turned on by default in the browsers that implemented it, but in sanitization mode: the suspicious part of the page is rewritten, the page is still shown
• Turn the most rigorous mode on with X-XSS-Protection: 1; mode=block
• Caveat: this only configures a legacy browser feature; Chromium-based browsers have since removed the filter and Firefox never had one, so treat the header as defence in depth behind a Content-Security-Policy, not as the fix for XSS
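The two slides above (dealing with traffic on the HTTP level, and checking for the strict X-XSS-Protection header) can be turned into one automated test. The following is an added example written for this page, not code from the original slides; it is in Python rather than the deck's Java because the standard library already covers the HTTP client and a throw-away server. The stub server, its paths and the header values it returns are constructed stand-ins for the application under test.

```python
"""Added example: an HTTP-level test for the X-XSS-Protection header.
The stub server below stands in for the application under test; every
path and header value in SAMPLE_RESPONSES is constructed sample data."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed responses: path -> header value (None = header absent)
SAMPLE_RESPONSES = {
    "/secure": "1; mode=block",
    "/filter-only": "1",
    "/disabled": "0",
    "/missing": None,
}


class _StubHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for the application under test."""

    def do_GET(self):
        value = SAMPLE_RESPONSES.get(self.path)
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        if value is not None:
            self.send_header("X-XSS-Protection", value)
        self.end_headers()
        self.wfile.write(b"<html>ok</html>")

    def log_message(self, *args):  # keep test output quiet
        pass


def start_stub_server():
    """Bind to an ephemeral loopback port and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), _StubHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def parse_xss_protection(value):
    """Parse an X-XSS-Protection value into (enabled, mode).
    A missing header yields (None, None) so the caller can tell
    'absent' apart from 'explicitly disabled'."""
    if value is None:
        return None, None
    parts = [p.strip() for p in value.split(";")]
    enabled = parts[0] == "1"
    mode = None
    for p in parts[1:]:
        if p.lower().startswith("mode="):
            mode = p[5:].strip().lower()
    return enabled, mode


def is_strict_xss_protection(value):
    """Pass only when the filter is on AND in blocking mode."""
    enabled, mode = parse_xss_protection(value)
    return enabled is True and mode == "block"


def fetch_xss_protection(host, port, path):
    """Put the request on the wire ourselves and return the raw header
    value (or None). Nothing here depends on a browser or a client SDK."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return resp.getheader("X-XSS-Protection")
    finally:
        conn.close()


def check_endpoint(host, port, path):
    """The actual test step: True when the response carries the strict header."""
    return is_strict_xss_protection(fetch_xss_protection(host, port, path))


if __name__ == "__main__":
    server, port = start_stub_server()
    for path in SAMPLE_RESPONSES:
        print(path, check_endpoint("127.0.0.1", port, path))
    server.shutdown()
```

In a real suite the stub server is replaced by the deployed application and `check_endpoint` becomes one assertion per route; keeping the header parser separate from the network call lets the parsing rules be unit-tested without any server at all.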
21. Preferred type of test
Source: https://blogs.msdn.microsoft.com/visualstudioalmrangers/2017/04/20/set-up-a-cicd-pipeline-to-run-automated-tests-efficiently/
29. I would not call that „easy”
• Understanding security requirements takes time
• We need to deal with traffic on the HTTP level
• Some technologies are easier to automate than others
• We didn't show how to deal with authentication or CSRF protection
• But yes, in many cases the code can still be sexy!
30. Example 3, ASVS 10.16
„Verify that the TLS settings are in line with current leading practice, particularly as common configurations, ciphers, and algorithms become insecure.”
31. What is TLS?
• It’s the „S” in HTTPS ;)
• It’s actually much more than this, but let’s not
complicate things, because…
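ASVS 10.16 can be checked at the code level when the application builds its TLS configuration in code: audit the effective settings instead of reading the config by eye. The block below is an added example written for this page (not from the original slides), in Python; it inspects an `ssl.SSLContext`. The list of "weak" cipher-name markers is a deliberately short illustration and an assumption of this example, not a complete policy, and the legacy cipher list is constructed sample data.

```python
"""Added example: audit a TLS configuration expressed as a Python
ssl.SSLContext against a simple 'current practice' policy.
WEAK_CIPHER_MARKERS and LEGACY_CIPHER_SAMPLE are constructed for
this example and are not an exhaustive policy."""
import ssl

# Substrings that mark a cipher suite as out of line with current practice.
# Assumption: short illustrative list (null/export/RC4/(3)DES/MD5/anonymous).
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ADH", "AECDH")

MIN_ACCEPTABLE_VERSION = ssl.TLSVersion.TLSv1_2
LEGACY_MIN_VERSION = ssl.TLSVersion.TLSv1  # what an old config might still allow


def audit_tls_settings(min_version, cipher_names):
    """Return a list of human-readable findings; an empty list means 'in line'."""
    findings = []
    if min_version < MIN_ACCEPTABLE_VERSION:
        findings.append(
            f"minimum protocol version {min_version.name} is below TLS 1.2")
    for name in cipher_names:
        upper = name.upper()
        hit = [m for m in WEAK_CIPHER_MARKERS if m in upper]
        if hit:
            findings.append(
                f"weak cipher suite enabled: {name} ({', '.join(hit)})")
    return findings


def audit_context(ctx):
    """Pull the effective settings out of a live SSLContext and audit them.
    get_ciphers() reports what OpenSSL will really offer, which is what
    matters, not the cipher string someone wrote in a config file."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return audit_tls_settings(ctx.minimum_version, names)


def hardened_client_context():
    """A context a test can use as the expected baseline: TLS 1.2+,
    forward-secret key exchange and AEAD ciphers only (TLS 1.3 suites
    are governed separately by OpenSSL and stay enabled)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


# Constructed sample: a cipher list an old server might still advertise.
LEGACY_CIPHER_SAMPLE = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DES-CBC3-SHA",
    "RC4-MD5",
    "ECDHE-RSA-AES256-SHA",
]

if __name__ == "__main__":
    for f in audit_tls_settings(LEGACY_MIN_VERSION, LEGACY_CIPHER_SAMPLE):
        print("FAIL:", f)
    print("hardened context findings:", audit_context(hardened_client_context()))
```

The same audit function can be fed the output of an external scanner for servers you do not control; the point of the example is that the policy lives in one place and is exercised by a unit test, so a later "just enable TLS 1.0 for that one customer" change fails the build.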
35. Example 4, ASVS 1.11
„Verify that all application components, libraries, modules, frameworks, platform, and operating systems are free from known vulnerabilities.”
36. Case Equifax (Struts 2, CVE-2017-5638)
Remote code execution through a crafted Content-Type header handled by the Jakarta Multipart parser: a request no browser would ever send, which is exactly the HTTP-level manipulation from slide 19.
BTW: Struts 2 had 15 known vulnerabilities in 2016
Source: https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/
37. How to deal with it?
• Update every library with every release
• Or use a dependency scanning (software composition analysis) tool and let it fail the build on known CVEs
– OWASP Dependency Check
– Victims
– Black Duck (CoPilot)
– Many others
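Running a scanner is only half of it; the other half is a build gate that reads the report and fails on anything above a CVSS threshold, with an explicit suppression list for findings that were reviewed and accepted. The following is an added example written for this page, not code from the original slides or from any of the tools listed. The report it parses is constructed sample data; its shape (`dependencies` → `vulnerabilities` → `cvssv3.baseScore` / `cvssv2.score`) is an assumption modelled on OWASP Dependency-Check's JSON output and reduced to the fields used here.

```python
"""Added example: a build gate over a Dependency-Check style JSON report.
SAMPLE_REPORT is constructed for this example; its structure is an
assumption modelled on Dependency-Check's JSON output, not a verbatim report."""
import json


def vuln_score(vuln):
    """Prefer the CVSS v3 base score, fall back to v2, else 0.0 (unknown)."""
    if "cvssv3" in vuln and "baseScore" in vuln["cvssv3"]:
        return float(vuln["cvssv3"]["baseScore"])
    if "cvssv2" in vuln and "score" in vuln["cvssv2"]:
        return float(vuln["cvssv2"]["score"])
    return 0.0


def findings_above(report, threshold):
    """Return (fileName, vulnerability name, score) for every finding at or
    above the threshold, highest score first."""
    out = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            score = vuln_score(vuln)
            if score >= threshold:
                out.append((dep.get("fileName", "?"), vuln.get("name", "?"), score))
    return sorted(out, key=lambda t: (-t[2], t[0], t[1]))


def gate(report_text, threshold=7.0, suppress=()):
    """Return (passed, offending). `suppress` lists vulnerability ids that
    were reviewed and accepted; keep that list in version control so the
    acceptance is visible in code review, not hidden in a CI setting."""
    report = json.loads(report_text)
    offending = [f for f in findings_above(report, threshold)
                 if f[1] not in suppress]
    return (len(offending) == 0, offending)


# Constructed sample report: one dependency hit by the CVE from the Equifax
# slide (score is a sample value), one clean dependency, one low finding
# with a placeholder id.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "struts2-core-2.3.31.jar",
         "vulnerabilities": [
             {"name": "CVE-2017-5638", "severity": "CRITICAL",
              "cvssv3": {"baseScore": 10.0}}]},
        {"fileName": "commons-lang3-3.5.jar"},
        {"fileName": "old-lib-1.0.jar",
         "vulnerabilities": [
             {"name": "PLACEHOLDER-LOW-FINDING", "severity": "LOW",
              "cvssv2": {"score": 2.1}}]},
    ]
})

if __name__ == "__main__":
    passed, offending = gate(SAMPLE_REPORT, threshold=7.0)
    print("build passes:", passed)
    for file_name, vuln_id, score in offending:
        print(f"  {file_name}: {vuln_id} (CVSS {score})")
```

Wire `gate()` into the pipeline step after the scanner and treat a failed gate like a failed unit test; the threshold and the suppression list are then reviewed changes rather than an operator's judgement call on release day.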
40. Static code analysis
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.List;
import org.springframework.jdbc.core.RowMapper;

// jdbcTemplate: an injected org.springframework.jdbc.core.JdbcTemplate field of the enclosing class (assumed)
// Deliberately vulnerable: `mode` is concatenated straight into the SQL text (SQL injection, CWE-89).
// This string building is what a SAST tool is expected to flag.
public List<String> find(String mode) {
String sql = "select text from portfolio where mode = '" + mode + "'";
RowMapper<String> mapper = new RowMapper<String>() {
@Override
public String mapRow(ResultSet rs, int rowNum) throws SQLException {
return rs.getString("text");
}
};
// The empty argument array shows that no parameter is ever bound
List<String> result = jdbcTemplate.query(sql, new Object[] {}, mapper);
return result;
}
41. Static Application Security Testing (SAST)
Pros
• Good at finding certain weakness categories (injection, hard-coded secrets, unsafe API use)
Cons
• Commercial tools are very expensive
• Many false positives
• Blind to what only shows at run time (deployment configuration, authentication and authorization logic)
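To make the two previous slides concrete, the block below is an added example written for this page (not from the original slides or from any SAST product). It ports the weakness of the Java `find` method on slide 40 to Python against an in-memory SQLite database, shows the injection payload succeeding against it and failing against the parameterised version, and then runs a toy pattern rule of the kind a SAST tool uses for this weakness class, including a false positive of the sort the slide warns about. The table contents, the payload and the Java-like source lines are all constructed; the rule is deliberately simple and is an assumption of this example.

```python
"""Added example: slide 40's SQL injection reproduced and fixed in Python,
plus a toy SAST rule for the same weakness class. All data and the
sample source lines are constructed for this example."""
import re
import sqlite3


def make_db():
    """Constructed sample data: two 'modes', one of them sensitive."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table portfolio (mode text, text text)")
    conn.executemany("insert into portfolio values (?, ?)", [
        ("public", "quarterly summary"),
        ("private", "board minutes"),
        ("private", "salary table"),
    ])
    return conn


def find_vulnerable(conn, mode):
    """Direct port of slide 40: attacker-controlled `mode` becomes SQL text."""
    sql = "select text from portfolio where mode = '" + mode + "'"
    return [row[0] for row in conn.execute(sql)]


def find_parameterised(conn, mode):
    """The fix: the value travels as a bound parameter, never as SQL text."""
    sql = "select text from portfolio where mode = ?"
    return [row[0] for row in conn.execute(sql, (mode,))]


# Classic tautology payload; closes the quote and makes the WHERE always true.
INJECTION = "public' or '1'='1"

# --- toy SAST rule ----------------------------------------------------------
# Fires on a string literal containing a SQL verb that is concatenated with
# an identifier. Assumption: deliberately simple, to show how such rules
# find the weakness category and why they over-report.
_CONCAT_RULE = re.compile(
    r'"[^"]*\b(select|insert|update|delete)\b[^"]*"\s*\+\s*([A-Za-z_]\w*)',
    re.IGNORECASE,
)


def scan_for_sql_concat(source_lines):
    """Return (line_no, identifier) for each line the rule fires on."""
    hits = []
    for n, line in enumerate(source_lines, start=1):
        m = _CONCAT_RULE.search(line)
        if m:
            hits.append((n, m.group(2)))
    return hits


# Constructed Java-like source. Line 2 is the real bug (user input
# concatenated); line 3 is the parameterised call and must not fire;
# line 4 is a false positive: a constant is concatenated, no user input.
SAMPLE_SOURCE = [
    'String base = "select text from portfolio";',
    'String sql = "select text from portfolio where mode = \'" + mode + "\'";',
    'List<String> r = jdbcTemplate.query("select text from portfolio where mode = ?", new Object[]{mode}, mapper);',
    'String fixed = "select count(*) from portfolio where mode = " + Integer.toString(MODE_PUBLIC);',
]

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:   ", find_vulnerable(conn, INJECTION))
    print("parameterised:", find_parameterised(conn, INJECTION))
    print("rule hits:    ", scan_for_sql_concat(SAMPLE_SOURCE))
```

The run shows the two halves of the slide in one place: the vulnerable query leaks every row, the parameterised one returns nothing for the same input, and the rule catches the bug on line 2 but also flags line 4. Real tools add data-flow analysis to cut that second kind of hit, which is where the cost and the remaining noise come from.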
42. Challenge
• Look at the tool list: https://www.owasp.org/index.php/Static_Code_Analysis#OWASP_Tools
• Find the tool for your language to try out
• Go for it!
43. Summary
• First step to security assurance: know what is to be done
• Don't fear HTTP – test implementation is not necessarily hard
• You can even deal with „special cases” like TLS validation and software composition analysis on the code level