
Implementation of SAST for Android Application


This is a reference guide for integrating the SAST tool Find Security Bugs (the findSecurityBugs task) with the IDE and with Jenkins.

Published in: Software

  1. MOBILE SAST IMPLEMENTATION
  2. TABLE OF CONTENT
     - Introduction
     - Overview of DevSecOps
     - Secure SDLC benefits
     - Advantages & disadvantages of SAST
     - Integration of SAST in IDE
     - Integration of SAST into CI/CD
     - References
  3. SSDLC BENEFITS
     - Build secure software
     - Creates awareness of security
     - Early detection of vulnerabilities
     - Overall reduction of risks for the organization
  4. ADVANTAGES & DISADVANTAGES OF SAST
     Advantages:
     - Largely usable in developer IDEs to detect issues even before CI.
     - Easy to trigger from CI/CD.
     - Early detection of vulnerabilities.
     - Building the secure software.
     Disadvantages:
     - Takes a considerable amount of effort if the tool is adopted mid-project.
     - Integration effort.
     - Non-functional requirement.
     - Requires time to analyze the false positives.
  5. IDE INTEGRATION & CUSTOMIZE
     - Click on Android Studio and then select Preferences.
     - Click on Plugins and then click on Browse repositories.
     - Search for and install FindBugs-IDEA (restart your IDE).
     - Navigate to Other Settings under the Preferences tab.
     - Click on FindBugs-IDEA and add the plugin by clicking the + icon.
     - Navigate to the Report tab and select SECURITY.
     - Finally click on Apply and Save.
     - Right-click on the project and select Analyze Project Files under FindBugs.
     - Reports can be exported to both HTML and XML format.
  6. INTEGRATION WITH CI/CD
     Add the below code to the build.gradle file (present under the app directory). The findbugs plugin and the findbugsPlugins configuration must be declared for the findbugs and findbugsPlugins dependency lines and the FindBugs task type to resolve:

```groovy
apply plugin: 'findbugs'

// Holds the Find Security Bugs detector plugin that FindBugs loads at analysis time
configurations {
    findbugsPlugins
}

dependencies {
    implementation fileTree(include: ['*.jar'], dir: 'libs')
    implementation 'com.google.android.gms:play-services:7.5.0'
    implementation 'com.github.marcohc:Toasteroid:2.1.4'
    findbugs 'com.google.code.findbugs:findbugs:3.0.1'
    findbugs configurations.findbugsPlugins.dependencies
    // Find Security Bugs: supplies the SECURITY category detectors
    findbugsPlugins 'com.h3xstream.findsecbugs:findsecbugs-plugin:1.4.4'
}

// FindBugs settings shared by all FindBugs tasks; the include filter limits output to SECURITY bugs
findbugs {
    toolVersion = "3.0.1"
    ignoreFailures = true      // report only; findings do not fail the Gradle build
    reportsDir = file("$project.buildDir/findbugsReports")
    effort = "max"
    reportLevel = "low"
    includeFilter = file("$project.rootDir/fsb-include.xml")
    excludeFilter = file("$project.rootDir/fsb-exclude.xml")
}

// FindBugs task that loads security rules only
task findSecurityBugs(type: FindBugs) {
    // Compiled classes of the app package produced by the release javac task
    classes = fileTree("$project.buildDir/app/build/intermediates/javac/release/compileReleaseJavaWithJavac/classes/com/android/insecurebankv2/")
    // Source tree, relative to the app module (used to map findings back to source lines)
    source = fileTree('src/main/java/')
    classpath = files()
    pluginClasspath = project.configurations.findbugsPlugins
}
```
  7. ADDING NEW FILES
     - Create files named 'fsb-include.xml' and 'fsb-exclude.xml'.
     - Add both files to the project root directory (the build script reads them from $project.rootDir).
     - Add the below content to the 'fsb-exclude.xml' file (an empty filter, so nothing is excluded):

```xml
<FindBugsFilter>
</FindBugsFilter>
```

     - Add the below content to the 'fsb-include.xml' file (only bugs in the SECURITY category are reported):

```xml
<FindBugsFilter>
    <Match>
        <Bug category="SECURITY"/>
    </Match>
</FindBugsFilter>
```

     - Run Gradle with the below commands:

```sh
./gradlew build
./gradlew findSecurityBugs
```
  8. FOLDER STRUCTURE (screenshot on the slide; not captured in the transcript)
  9. CONFIGURE JENKINS JOB (screenshot on the slide; not captured in the transcript)
  10. PUBLISH REPORTS (screenshot on the slide; not captured in the transcript)
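The Jenkins slides only show screenshots, so the following is an added example, not code from the deck or from the Find Security Bugs project, of the kind of gate a Jenkins job could run after `./gradlew findSecurityBugs`: it parses the XML report the task writes, drops SECURITY findings already triaged as false positives (the BASELINE set), summarises what remains and returns a non-zero status when a high-priority finding is present. The report path, the `BugInstance`/`SourceLine` layout and the sample findings are assumptions; the embedded XML is constructed for the example.

```python
"""Summarise a FindBugs / Find Security Bugs XML report and decide whether a CI job should fail.

Added example (not from the slides or the Find Security Bugs project). Assumed layout:
the XML written by the findSecurityBugs Gradle task under $buildDir/findbugsReports,
with one <BugInstance> per finding and a direct <SourceLine> child for its primary location.
"""
from __future__ import annotations

import sys
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    bug_type: str
    priority: int   # FindBugs priority: 1 = high, 2 = normal, 3 = low
    rank: int       # FindBugs rank: 1 (scariest) .. 20
    category: str   # e.g. SECURITY, CORRECTNESS
    source: str     # "path/File.java:line" or "<unknown>"


# Triage baseline: (bug_type, "path/File.java:line") pairs reviewed and accepted as false positives.
# Empty here; in a real job this is maintained alongside fsb-exclude.xml.
BASELINE: frozenset[tuple[str, str]] = frozenset()

# Constructed sample report (hypothetical class names and line numbers, not real findings).
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<BugCollection version="3.0.1" sequence="0">
  <BugInstance type="SQL_INJECTION_ANDROID" priority="1" rank="3" abbrev="SECSQLIAND" category="SECURITY">
    <ShortMessage>Android SQL Injection</ShortMessage>
    <SourceLine classname="com.example.app.LoginActivity" start="88" end="88"
                sourcefile="LoginActivity.java" sourcepath="com/example/app/LoginActivity.java"/>
  </BugInstance>
  <BugInstance type="ANDROID_WORLD_WRITABLE" priority="2" rank="10" abbrev="SECWWF" category="SECURITY">
    <ShortMessage>World writable file</ShortMessage>
    <SourceLine classname="com.example.app.LoginActivity" start="120" end="120"
                sourcefile="LoginActivity.java" sourcepath="com/example/app/LoginActivity.java"/>
  </BugInstance>
  <BugInstance type="NP_NULL_ON_SOME_PATH" priority="2" rank="12" abbrev="NP" category="CORRECTNESS">
    <ShortMessage>Possible null pointer dereference</ShortMessage>
  </BugInstance>
</BugCollection>
"""


def parse_report(xml_text: str) -> list[Finding]:
    """Turn every <BugInstance> in the report into a Finding."""
    root = ET.fromstring(xml_text)
    findings = []
    for bug in root.iter("BugInstance"):
        line = bug.find("SourceLine")  # direct child only: the primary location
        if line is not None and line.get("sourcepath"):
            source = f"{line.get('sourcepath')}:{line.get('start', '?')}"
        else:
            source = "<unknown>"
        findings.append(Finding(
            bug_type=bug.get("type", "UNKNOWN"),
            priority=int(bug.get("priority", "3")),
            rank=int(bug.get("rank", "20")),
            category=bug.get("category", ""),
            source=source,
        ))
    return findings


def security_findings(findings: list[Finding],
                      baseline: frozenset[tuple[str, str]] = BASELINE) -> list[Finding]:
    """Keep SECURITY-category findings that are not in the triage baseline."""
    return [f for f in findings
            if f.category == "SECURITY" and (f.bug_type, f.source) not in baseline]


def should_fail(findings: list[Finding], fail_priority: int = 1) -> bool:
    """Gate: fail when any remaining finding is at or above fail_priority (1 = high)."""
    return any(f.priority <= fail_priority for f in findings)


def summarize(findings: list[Finding]) -> Counter:
    """Count remaining findings per bug pattern."""
    return Counter(f.bug_type for f in findings)


def main(argv: list[str]) -> int:
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_REPORT  # no path given: run on the constructed sample
    findings = security_findings(parse_report(xml_text))
    for bug_type, count in sorted(summarize(findings).items()):
        print(f"{count:3d}  {bug_type}")
    for f in sorted(findings, key=lambda f: (f.priority, f.rank)):
        print(f"P{f.priority} rank={f.rank:2d} {f.bug_type} at {f.source}")
    return 1 if should_fail(findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a Jenkins job the script would run as a build step after the Gradle task, e.g. `python3 fsb_gate.py app/build/findbugsReports/findSecurityBugs.xml` (the file name is an assumption about where Gradle writes the task's XML report); its exit status marks the build failed while `ignoreFailures = true` keeps the Gradle step itself green, so the report is always produced for publishing. Findings confirmed as false positives are recorded in BASELINE (or in fsb-exclude.xml) rather than by lowering the threshold.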
  11. REFERENCES
     - https://www.owasp.org/index.php/Source_Code_Analysis_Tools
     - https://find-sec-bugs.github.io/
     - https://github.com/find-sec-bugs/find-sec-bugs/wiki/Gradle-configuration
     - https://github.com/sanjeevakuamr/InsecureBankv2-FindBugs
