Automated security testing for Software Developers who dont know security!

Video in TIB AV-Portal: Automated security testing for Software Developers who dont know security!

Formal Metadata

Title
Automated security testing for Software Developers who dont know security!
Subtitle
secure your apps and servers through continuous integration
License
CC Attribution 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date
2019
Language
English

Content Metadata

Abstract
I'll show how the average developer (like me) can secure their software and systems by automatically checking for known vulnerabilities and security issues as part of their CI toolchain. The talk will introduce basic security know-how, then show how you can use open source frameworks to check for vulnerable dependencies, containers and (web) APIs in a live demo.
Yes. So this is a very interesting topic that has been quite popular in the last couple of months, and I'm personally very interested in this topic too, so I'm curious to see what he's going to tell us today and how all of you can make your projects more secure. So please welcome... Thanks. Hey.
Hey. OK, so I can't really see you guys, but it looks like it's pretty good for like two p.m. and a talk based on Java stuff.
I will just give you a quick introduction to me, myself, and then I can show you why and what and how we can do all this fancy automated security testing stuff.
It's not necessarily in this order. If you have questions, maybe you can raise your hands and maybe I will see them, but probably not, so you can scream at me. Well... and I'm Chris.
I'm a software developer. I do Java backend stuff, mostly I do Kubernetes and cloud stuff, and I'm trying to get into security. And I am also a co-organizer of a DevOps meetup. synyx, just a quick shout-out: we do mostly Java development for our customers with their special needs and stuff. The slogan is "code with attitude", so we try not to work for arms dealers or people who do nuclear energy stuff. Yeah, we also do consulting, and they paid for our camp tickets, so just a quick shout-out if you're ever in southern Germany and you're looking for a job. So, thank you for listening. Any questions? Well, I've got questions: is any of you directly involved with a software product, developing it, running it, maintaining it?
Surprise. Who of you has ever used Java? Well, OK, so the talk, or the first part, will run mainly in a Maven context, so I hope it's not too far-fetched for people who haven't seen this; I think it's quite self-explanatory. Have you used Docker,
or Kubernetes, or some container in production? Who of you scans your software regularly for security problems or known vulnerabilities? Who of you runs software in production where you know you have known security vulnerabilities? It's OK. Um, I think we get back to this later on. OK, so what's the problem with software security issues? What could go wrong with our software that has not only technical issues but also security stuff where people could break in and do bad stuff? Well, you could lose your own business data, all your customers' business data; you could also lose your actual customer data, which is like a very hard topic. I think it has been quite interesting in Germany like forever, but since 2018 the GDPR kicked
in, in Europe, and apparently a lot of companies have never thought about securing their users' or customers' personal data; an example about this later on. Security issues could cause service interruptions, like somebody is trying to attack your web server; if your server goes down, your business is affected, you can't serve customers, can't make money. Yeah, well, anyone can think about what happens. You could have industrial malfunction. We have the KRITIS infrastructure in Germany, where we are; it's, or it's summarized as, infrastructure that's used for your daily life and that's absolutely necessary, like sewage cleaning stuff and electricity and stuff like that. And maybe you have heard about deaths that actually happened because automated cars drove over someone because they thought it was like some kind of paper bag flying over the street. That's a technical error, but this could also possibly be used by a hacker if you have a security issue in your automated car; people have shown that they could remotely stop cars, start the ignition, brakes, whatever. OK, does anyone know about Equifax? It's like the German Schufa: they do credit monitoring for their consumers, so if you apply for credit, if you have trouble paying your bills, it could happen that if you live in the US you show up in their database. In 2017 they were hacked. The hackers breached their web server through a vulnerability in Apache Struts, an open source project with which you can build web views. Turns out that Struts had been patched; there was an official patch for Struts for like four weeks, and apparently a few folks didn't know about this or nobody cared, and people were able to infiltrate the servers and take, I would say, a lot of personal data, like I think a hundred and thirty-four, forty-three million social security numbers, and if you know about the US
social security system, it's a number that you get assigned by birth and you can never change that, and there's a lot of services where you can like change your passwords, you call them on the
phone in the US, give them the last four digits of your social security number, and that's their authentication for you. So this is pretty bad. There were also a lot of credit card numbers involved, and well, you can think about what happens next.
Vulnerabilities can also happen in the platform that you use to run your servers on. Germans might know this, some of them, the Panama Papers, or maybe everyone. I don't think we have time for this, but they had a bad Drupal version that they did not upgrade for the web service, and well, that turned out not so good for them. So why would you not patch your software? Well, negligence: you just don't care, you don't have the time, it's a priority problem, your product manager is like "no, we need the feature", maybe you might be pretty
occupied by doing performance tests or something that your boss required; could happen. You might not have the training; like when I started interesting myself in this whole security thing I had no idea what to do. I have been doing this for like two years now and I am far from being an expert in software security, I'm more like the average, that's the knowledge. So you might be like that, or you could just say security is not my department. I've seen people at customers that claim that they are software developers and the company has a security team, a pen-testing team, they have a test engineering team, and people that change diapers in the morning, I don't know.
OK, and there's OWASP to tackle these problems, the Open Web Application Security Project. I think it's a nonprofit organization, and they give out a top ten list of web application security risks.
And sometimes they renew it; I think the last one was from 2017, and what we're trying to tackle today is the top nine: it's about using components with known vulnerabilities. So this is like, somebody has found a vulnerability in, like, Struts, and they reported it to someone at the Struts project and they patched it, and the report is publicly available so everyone can see it and everyone can also write a scanner for this. You might ask the question why do we start with number nine and not with the top one problem? Well, you can have all the top ten problems and many, many more inside the third-party libraries that you use, and so we try to get the easiest way to tackle this problem, and it's so you can... OK, so what can we do to address the problem? We can search for vulnerabilities. There are public databases where everyone, also the bad guys but also the good guys, can look for vulnerabilities and fix them and see what they have to do, what version they have to patch to.
That's pretty easy technically, because for this we have to implement a process to fix it.
You know, like you find a vulnerability but you need the time to fix that, this project is their... the stuff to address, and you have to find a way who is going to fix or to patch or to delete vulnerable software, and I think that's the hardest part for a company. And I personally would also treat security issues like technical debt: the longer it takes you to patch this, the harder it is to upgrade or to patch, because there will be new vulnerabilities, there will be new features. Everyone of you knows this: if you wait for weeks to patch software, technical issue, vulnerability, whatever, and the software progresses, it's much harder to fix it and to update it. And also, well, I think the best thing is also always to automate everything, so I don't want to know like it's Monday morning ten a.m., I have to run a vulnerability scan now. It should be automatic, like I don't know, it's the same as with our unit tests, integration tests, performance tests. The software changes, so it should be automatically built, it should be automatically tested, and it should be automatically scanned
for security issues. OK, so let's check this out, how we can find dependencies, third-party libraries. I've chosen to make a quick Maven project. I hope...
If you haven't used Maven or Java before, you still get the message. We will scan for components in Docker images, because like you put the package into a Docker image where you put your actual web server, website, software in. And if you've got time we can also scan an API later on, because we're doing a web app. OK, and well, I said we want to automate, so I tried to show you with something that could be in a continuous delivery pipeline. Right now this is from Jenkins, the open source tool; every Java developer has probably used that before, and these are steps
that I think are in some respects necessary for modern software development: like you want to unit test your stuff, you need to package your software so you can use it, you need to upload this artifact so it's available later, you run the Docker build if you use Docker, and push the Docker image to the Docker registry so it can be deployed to some servers. And this is just a demo project; obviously you would add more tests and maybe it would be deployed to production or to test systems automatically in this pipeline. So we could add additional steps to this pipeline; adding these steps improves our software security scanning part.
I have added three demo steps: one is running dependency check, one is running a container security scan, and one would be running an API security test. It could also look like this.
Yellow usually means in Jenkins that the build has been unstable, so it has been built, there's no major breaking point, but something's fishy, so you have to look into the build. I'll show you this later on. I think the build should always build. Some people say if you have a vulnerability or if you have bad tests, well, tests break the build, in my opinion, but vulnerabilities are a little tricky, because you might have to fix two vulnerabilities at once but you can't do both at the time; sometimes maybe one of them is missing a patch but you still want to fix the other one, so your build has to run. So in my opinion you should have some visual or some alert that the build has not fully... the pipeline has not fully run, like by setting it to unstable. And at the teams I usually work at we have big dashboards for our development process, and we usually show
like traffic lights, so dashboards that will show by color if the builds on the most... the main branches, like master branch or any staging systems, are fully built, and so with this you would directly get visual feedback if something didn't pass the automatic build process, so you don't have to necessarily check every build, but rather you get a visual alert if something went wrong. And then you have to implement this process how to actually fix this problem, address the problem. OK, so what's a vulnerability? A vulnerability could be, as it is in the dictionary, the quality or state of being exposed to the possibility of being attacked or harmed,
either physically or emotionally. And so something might happen to your software and its third-party libraries. The problem is that it might be publicly known because you haven't patched the software, and well, how would you know this? There is a public reference database, multiple ones. From that list: Common Vulnerabilities and Exposures. Well, a CVE, Common Vulnerabilities and Exposures, is actually a description for a vulnerability, so I've been taking the Equifax example with Apache Struts. So you see there is the... this is the vulnerability description for the Apache Struts
problem in this particular version. You see there is now on the lower left side a base score that says something critical, and you don't have to be a built-in security expert to know that you should probably address this problem. And it has some information and you get info about what's the actual problem in Struts version like this: this is something about a crafted content type that someone could send to this thing to run code on somebody else's web server. And there's also some scoring and some exploitability scores, and this is much information that you don't actually need at the first place when you get started; it's more like an in-depth information thing later on. OK, now I'll jump into the Maven dependencies part, and this is just an example of how Maven dependencies in a modern Java application would look like.
I have written, actually I have just generated a Maven project, and I have added some
dependencies, third-party libraries that I think are the minimum that I would use in every new Java application that also runs some web service. So we have... we have the Spring Boot starter. Spring Boot is a framework on top of Java that actually does a lot for you, so you don't have to program everything and can just focus on your business case and don't have to do the Java basics, and it's the most common Java framework right now.
So you can add these starters; these are third-party libraries that bring certain functionality you like. Obviously we make an API, so we have to secure it, so we need a starter for security that does authorization and authentication stuff out of the box, so you can just add a little snippet into your code and Spring Boot will actually have this all programmed out. And we want to do an API, so we need a web starter to run a web server. Actuator can give you runtime metrics and information about the health of your application; I think this one is absolutely necessary if you want to monitor your application later on. And then we have a test scope, so this will actually run in the production compilation of the software, where we can test the actual Spring Boot framework and also Spring Security that comes with the Spring Boot security starter. And you don't have to necessarily understand all the parts of this and become a Java developer to actually use this, but I think every language that has a dependency management framework can do stuff like this. And obviously we add the vulnerable Apache Struts version, so we can find something that we actually want to fix or whitelist maybe. OK, and the problem is right now that these six or seven dependencies brought
so if you see them on the left side, they brought the software and they download like eighty more dependencies themselves, and they're called transitive dependencies, so every dependency brings more, and I guess they bring more libraries and so on, so it's a big bloated library. And I wanted to say "fuck up", but it's depending on what you're actually using; Spring Boot is very, very well maintained and they have quite a quick reaction time if they find something. I'm kind of... these six Maven dependencies, you can find this on GitHub
and I will tell you something about it later on. And almost eighty transitive, or seventy transitive dependencies, so it's like eighty overall, and they can all have vulnerabilities, and you want to at least patch the ones that are publicly known for having security issues. So it's like low-hanging fruit, and everyone can find this and you should too.
So what can we do to find vulnerabilities in the dependencies, the third-party libraries? This is a really big hype right now in the software industry; there are quite a lot of products for this. There is GitHub... I'm not big on advertising for paid services, but GitHub does this for open source public software, so if you have created a GitHub repository, as the owner you will see when GitHub finds a vulnerability in your dependency system if you use one of the big programming frameworks, and they will show you an alert for this, and if you set the correct notification settings you will also get an e-mail for this.
Pretty nice. A couple months ago they added a system that can also patch vulnerabilities or patch your third-party libraries. And well, you might think if the owner sees one of the problems that's OK because it's still hidden, nobody else... but if someone forks the repository, they are the owner of the fork, so they will get a notification if GitHub finds the same vulnerability in their repo. For the demo and for this whole talk I'm using Dependency-Check, because it's an open source tool, it's out... in the Open Web Application Security Project, so if you contribute or if you donate money to the OWASP project, some of it will allow the maintainers of Dependency-Check to make this software better, and it's really well maintained; they react quickly if you ask something or if you set up a pull request or something like that. How does it work?
There is this database run by an American government organization, publicly, where you can get the data, so that's the database with the actual vulnerabilities and their descriptions and scoring, and Dependency-Check downloads this into a local database, and then you can run a Dependency-Check in Maven; you can also use Docker; if you're not using Maven you can use a command-line client to check your software. I think for Maven or Gradle, the same for Java software, it's really easy to use it this way, but it's up to you, and in the end you should check this in any way; it's not necessarily the best one. OK, let's just see how this works.
OK, so I have, for the guys who know no Java and Maven, I have programmed the Maven goal for this, and let's just run this check and see what it tells us. It takes a couple seconds. In the demo report I have disabled the automatic update,
so if you're running the check this way and if you have never used Dependency-Check before, you will be told to update your database beforehand. So some vulnerabilities were found, so the build broke, and so this will end in a return code one, so anything different from zero is bad, and you can see the vulnerabilities that were actually found. So we have jackson-databind, this is the... can you read this in the back? It's a JSON parser that you can use for your application; it's pretty common. And this is one of the transitive dependencies; I have not actually chosen to use this, but it comes with one of the Spring Boot dependencies, Spring Security, or actually, this is an actual vulnerability. There is a patch for this in 2.9.9.1, a hotfix; the Spring Boot version that actually brings this dependency has not yet been upgraded for this, so this is... if you have a process for fixing this, you could manually upgrade this to 2.9.9.1 for example and then this should work out. If we have time later on, or if you join my workshop tomorrow, we can play around with this. Spring Security Core, this is actually a false positive, so spring-security-core has, or has had, a problem in 5.0 something and they have fixed that, but somehow this is still in the vulnerability database, so the vulnerability database will still have the information that this is actually problematic, and this is for authentication stuff and authorization. So if this was still an issue and you're using authorization annotations in Spring Security, you should probably upgrade this. And then there's our good Struts vulnerability, which has like ten vulnerabilities and it's really old, it's from 2017, and commons-fileupload is just another one that comes with Struts, so we won't care about this.
What's the cool thing about Dependency-Check? I forgot: the app itself does nothing. It doesn't even have a "hello world". It's just the basics of what you get if you use these dependencies: you get a web server, you get a login screen because we use Spring Security, and you could never log in because you have no way to find any user data.

OK, Dependency-Check not only gives you the command line references but also generates an HTML report you can use for other stuff, and if you search for the Struts problem you find a description of what the actual problem is. This one is pulled from the CVE about Struts, with some more information about what happens here, and then there is a list of all the vulnerabilities found, and there is a very good description of what's actually happening here and some scoring. This is the point where you can actually learn just by using Dependency-Check and checking out the HTML report: you will find these vulnerable third-party libraries, and the report will also tell you what could potentially happen here. Sometimes there is also a link to Exploit-DB. This is the big one, the critical 10.0 ... the false positive thing I mentioned earlier ... and you can also find working exploits that you can use to test, please, only on your own servers, nobody else's. Usually this is a very good way to learn about vulnerabilities: if you find them and have no idea how big the problem actually is, you look in the report for Exploit-DB links or check some of the other descriptions, and some of them are very, very helpful in understanding this stuff. One more thing: the report also has a prepared statement that you can use to whitelist false positives.
So we want to whitelist spring-security-core, because we have read reports that this is actually a false positive. We go to the suppression button, and if this works the way I wish it would, we get some XML that we can use in a configuration file. We can just copy this and add it to the suppressions file that we have configured in the pom file, and now this CVE that I've suppressed here ... so this one will no longer show up, because Dependency-Check will now whitelist this, because I've configured this XML file for whitelisting.

Hmm, something is missing. Something that is not a great idea right before a talk: Dependency-Check got another update while I was preparing for the talk, and apparently something in the XML description changed, so you just have to trust me that this would actually have whitelisted the false positive. OK, let's go on with some more fun stuff.
You can also use the reports in other reporting tools, like SonarQube, a code quality tool that shows you trends and stuff. We don't have time for this, so: Docker. Who here has actually scanned their Docker containers for problems? A few people, good.

Docker, so, well, you use Docker, so you know how it works: you pull some containers that someone on the internet has built for you, and this is like your style of running software. There is also a scanner called Clair. It has been written by CoreOS, now owned by Red Hat, now owned by IBM, I think. They do container stuff and Kubernetes stuff, and so apparently they needed some container scanning utilities. It works similarly: they also query the NVD database, but they host the vulnerability data in another database on your local servers, and there is a Clair server, and you can run a client that actually feeds your Docker container to the server, and the server will scan all the Docker layers and tell you what's happening. OK, so I have started a Clair server and a database on my machine; usually you would have to run them on servers in your infrastructure somewhere.
And I have packaged the app that I wrote earlier into a container, and I have used ... so, there you go, I've used a basic Java image, it's one of the official images from openjdk. Let's see what happens to this.

So this takes a couple of seconds, and we are pretty late, so we'll just go to the ... you see a lot of red. I ran this test, and it found that the image contains 96 vulnerabilities, and they are all already in the base image, so none of the vulnerabilities that we found are in the Java application. This is everything you get when you download a new openjdk package, and this is the slim one, so it's not as bloated, and it has fun stuff like libc, obviously. And you can also whitelist false positives, or you can whitelist stuff that you know does not apply to your software. Like, if you have a problem with the SSH daemon, someone could probably break into your server, but in Docker you usually don't open the port, so it should not be so hard to just not scan for it anymore. And then you can also set thresholds. I will not show the examples now, because I'm a little behind, but you could choose to only see high or critical or medium vulnerabilities in the reports, and everything else is auto-approved. Moving on.

To run this in continuous integration you might have to do some more fun stuff. Typically, if you run this in modern tools like GitLab CI or the GitHub automated tools, you won't necessarily have the time to set up infrastructure, and you don't need it, so maybe you don't want to run a Clair server that you have to care for, you don't want to manage another Postgres database. So what you can do is, inside continuous integration, just before the actual scan happens, you can start a database container and a Clair container. This guy, I mean, he has a French-sounding name and I can't pronounce it, you can find his repos on GitHub, he actually came up with this solution: just before you run your scan you start those Docker containers, and after the scan you just stop them again. I've obviously just started them on my machine, so after the scan I would just stop them.

The demo repo contains a Jenkinsfile, so if you use Jenkins you can also run all these tests, but you might have to play around a little with Jenkins, with the credentials of the Jenkins user and the permissions they have. There are also public repositories that do the scan for you, like Quay as an alternative to Docker Hub, so you can choose to host your repositories with Quay and they will do the scan for you. GitHub or GitLab offer a similar method to scan, and they can scan for you and give you a hint about broken stuff.
OK, and I think we have some more time to do a quick API scan. As I mentioned earlier, I've started the application on my local machine, and I now run a ... so ... and so ...

We can use another tool, OWASP ZAP, the Zed Attack Proxy, to actually attack our API and dynamically scan it to find actual vulnerabilities that it's serving, like stuff like SQL injection or cross-site scripting. What we do here is just use Docker again, because we are great Docker and container fans, so we can download a Docker container that they provide that actually has the scanner built in, and then you can just run it against your website. I'll just show you the report that is coming out of this; I have taken the liberty, a couple of weeks ago, to scan our company's website, so please don't sue us.

The scanner shows, and this is very, very cool about this tool, also a great description of the actual vulnerabilities, because, like, I have no idea what that header option is, does any of you? But actually, in the solution there is always a description of what the actual problem is and what you can do to fix it, and there are also references where you can find a description for this and where you can find more options, what you can do.

I would run one attack ... this also takes some time, so I've already done this before for you. If you run this against the site, not as we run it but ... you will find a lot of warnings that might or might not be critical. We have a company that does the page for us, so maybe we should address them with this. And then again, this is just a spider, so this attack will go to, I think I can configure it ... it will start at a landing page that you configure as a target, and it will just spider all the links inside this page and browse deeper and deeper into the page you give it. You can also run this and feed it an OpenAPI spec, so if you develop your own application you usually know which API endpoints you are serving; you might generate this using tools like Swagger, if you know this. Let's say you have like three endpoints, like login or a shop and a web page or something like that; you might tell the tool which API endpoints or which URLs to look for, and so you save the time that it would use to spider all these links. And the longer it runs, obviously, the more it is able to find. OK.
I'm a little sorry that I had to rush to the end. If you want to try this more in depth, Daniel and I are hosting a two-hour workshop about this tomorrow, where we will show you more of the use of these tools, and you can ask questions and maybe get your hands dirty and try this yourself. I think it's 3:15 p.m., it has been rescheduled a couple of times, so you should check the schedule, I guess. If you can't make it, you can also stop by ... and ask your questions.

And maybe one sentence about the process, what can you do: in my current team, if a vulnerability is found, the creator of the current pull request is also responsible to fix this as soon as possible. We have a zero-vulnerability policy, so anything that is found has to be fixed immediately. And if we find something in our production code, we also have a job that scans this nightly, and the first one to be in the office, or the one on call, is responsible to at least look into the issue. So they could find out it's a false positive and just suppress it, or they could find out that it's a horrible, horrible, bad possibility to bring everything down, so they might want to catch it immediately. But this is up to you, and as I mentioned earlier, I think this is the most interesting part for a company and a development team. Thank you.

We have a couple of minutes left for questions, so if you want to ask a question, please come to one of the microphones in the front or in the back. ... Right, I don't see any questions at the moment, so ... oh, there's one, please go ahead.

Thank you for the talk. My question is about handling false positives. You have already shown an example, and
especially dealing with something like ZAP you get a lot of false positives, and sometimes it's pretty hard, like, stuff in libraries which you actually don't use, right? So if you use ... and I'm talking to development teams, I know that they spend most of the time handling exceptions. Do you have some general recommendations, or could you share some experience regarding that?

Especially in dynamic scanning with ZAP, for APIs or web services, this is really time consuming. I can maybe share an example that I have seen in a team of a friend of mine: they run API tests every night, and when they started this they just sat down for a couple of days, actually, because they have a very big application that has grown over the years, with a big, big API. They scanned this with the OpenAPI specification that they had generated earlier, scanned their app, and then they actually sat down and checked every vulnerability that came out. So I think that's the only way to do it: you have to take the time and get all of those sorted. If you're at a point where you have zero new vulnerabilities, or zero vulnerabilities found that you think are worth fixing, then you can do, for example, a weekly task or a nightly build that checks your API, and if something new is found you have to fix it according to a policy. But I don't think there is a good way to do this differently. What you can always do, if you have libraries that are vulnerable and that you don't really need: I'm the biggest fan of deleting your code if you don't need it, or deleting, like, APIs that you don't need. So I think it's ... And if you're new to this you should always maybe talk to your security team, or if you're not sure, to the networking team, or if you have an ops team yourself you should probably think about your firewall rules and stuff like that. But I think you have to address every vulnerability that is found. It's painful, right.

One last question from the back. OK, so, do you have any experience with ... because if you have all this bloat in your containers, it's easy to get confused about who runs ... It could be interesting to have experiences of: is this smaller on bare metal at all, or are containers with a full operating system ...

I think the general rule is to use as little software to run your code as you do yourself; that's one of the Docker best practices, I think. In Docker, if you can, use the official, like the openjdk official Alpine images, and they come, if you run them right now, they won't come with any vulnerabilities. The little problem with the scanner that I have used is that stuff like ... it doesn't have a container, or stuff that Google provides, if you use that, if you know this one, it will create containers, and they are not really containers in the Docker sense, so the scanner can't actually scan them. I think these are objects where you have to rely on the maintainers to find vulnerabilities and fix them, but it's also easier to handle, because you can just upgrade your running systems, like with apt or something like that, every week, every hour.

Right, we're out of time, so thanks so much for the talk.
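The CI wiring the talk describes, as one added example Jenkinsfile: Dependency-Check with a suppression file and a CVSS threshold so the build fails on a non-zero exit, an ephemeral Clair database and Clair server started just for the image scan and stopped again afterwards, and a ZAP baseline scan against the running app. This is an added example, not the demo repository's Jenkinsfile and not the speaker's code. The image names `arminc/clair-db` and `arminc/clair-local-scan`, the `clair-scanner` client, the `owasp/zap2docker-stable` image, the image tag `demo-app:<build number>`, the app port 8080, the Docker bridge address `172.17.0.1`, and the file names `dependency-check-suppressions.xml` and `clair-whitelist.yaml` are assumptions that match the 2019-era tooling the talk refers to; both files must exist in the repository (they may be empty of entries), and the flags should be checked against the tool versions you actually install.

```groovy
// Added example Jenkinsfile (not the talk's demo repo). Assumes the Jenkins agent has
// Docker, Maven, the Dependency-Check CLI (dependency-check.sh) and clair-scanner installed.
pipeline {
    agent any

    environment {
        IMAGE          = "demo-app:${env.BUILD_NUMBER}"  // assumed image name
        APP_PORT       = '8080'                          // assumed port of the Spring Boot app
        DOCKER_HOST_IP = '172.17.0.1'                    // assumed docker0 bridge address
    }

    stages {
        stage('Build') {
            steps {
                sh 'mvn -B -DskipTests package'
                sh 'mkdir -p reports/dependency-check reports/zap'
            }
        }

        stage('Dependency-Check') {
            steps {
                // Non-zero exit (build failure) if any finding scores >= 7.0 on CVSS.
                // The suppression file whitelists reviewed false positives by CVE id.
                sh '''
                  dependency-check.sh \
                    --project demo-app \
                    --scan target \
                    --format ALL \
                    --out reports/dependency-check \
                    --suppression dependency-check-suppressions.xml \
                    --failOnCVSS 7
                '''
            }
        }

        stage('Container scan') {
            steps {
                sh 'docker build -t "$IMAGE" .'
                script {
                    try {
                        // Ephemeral Clair: pre-seeded vulnerability DB plus the Clair server,
                        // started only for this scan so nobody has to run them permanently.
                        sh '''
                          docker run -d --name clair-db arminc/clair-db:latest
                          docker run -d --name clair --link clair-db:postgres -p 6060:6060 arminc/clair-local-scan:latest
                          sleep 20   # crude wait for Clair to come up
                        '''
                        // -t: only findings of severity High or above fail the scan.
                        // -w: whitelist of CVEs known not to apply (e.g. an sshd issue
                        //     when the port is never published).
                        sh '''
                          clair-scanner \
                            --ip "$DOCKER_HOST_IP" \
                            --clair=http://localhost:6060 \
                            -t High \
                            -w clair-whitelist.yaml \
                            -r reports/clair-report.json \
                            "$IMAGE"
                        '''
                    } finally {
                        // Stop the helper containers again, whether or not the scan failed.
                        sh 'docker rm -f clair clair-db || true'
                    }
                }
            }
        }

        stage('ZAP baseline scan') {
            steps {
                script {
                    try {
                        sh 'docker run -d --name demo-app -p "$APP_PORT:$APP_PORT" "$IMAGE"'
                        sh 'sleep 30   # crude wait for the app to start'
                        // Spider plus passive scan of the running app. zap-baseline.py exits
                        // 1 on FAIL-level alerts and 2 on WARN-level alerts only.
                        int rc = sh(returnStatus: true, script: '''
                          docker run --rm -v "$PWD/reports/zap:/zap/wrk:rw" \
                            owasp/zap2docker-stable zap-baseline.py \
                            -t "http://$DOCKER_HOST_IP:$APP_PORT" \
                            -r zap-baseline.html
                        ''')
                        if (rc == 1) {
                            error 'ZAP baseline scan reported FAIL-level alerts'
                        } else if (rc == 2) {
                            unstable(message: 'ZAP baseline scan reported WARN-level alerts')
                        } else if (rc != 0) {
                            error "ZAP baseline scan did not complete (exit code ${rc})"
                        }
                    } finally {
                        sh 'docker rm -f demo-app || true'
                    }
                }
            }
        }
    }

    post {
        always {
            archiveArtifacts artifacts: 'reports/**', allowEmptyArchive: true
        }
    }
}
```

The `try`/`finally` around each scan is what makes the "start the containers just before the scan, stop them after" idea safe in CI: the helper containers are removed even when the scan fails the build, so a broken build does not leave a Clair server or the app running on the agent. Warnings from ZAP mark the build unstable rather than failed, which matches the talk's point that you first have to sit down and sort findings into false positives (suppressed in the whitelist files) and real issues (fixed by the author of the pull request).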