Static Application Security Testing Strategies for Automation and Continuous Delivery
Presented by Aspect Security and IBM
© 2014 IBM Corporation
Presenters
Kevin Fealey
• Lead, Automation and Integration Services @ Aspect Security
• 5+ years of experience with SAST and DAST tools
• @secfealz
William Frontiero
• IBMer
• Senior Worldwide Escalation Engineer, AppScan Source
• 10 years SDLC experience, including 2 years of SAST tools
Takeaways
• What is SAST?
• Common SAST Usage
• SAST Automation
  – Provide faster feedback to developers
  – Simplify the security analysis workflow
• Incorporating Open Source Tools
  – Looking at the AppScan SDK
  – Jenkins Plugin
• Next Steps
  – Improved AppScan Source API
  – Application Server Importer
What is SAST and Why Do We Need It?
Why do we need tools?
• More apps to review
• Flat AppSec budgets
• A need for scalable, efficient solutions
• Vulnerabilities are being introduced
This is starting to change, but slowly…
When to Fix Security Issues
Fixing an issue in development is 30x cheaper than when it’s in production!
Chart: Cost to Fix a Vulnerability Depends on When it is Found
  Coding    $139.00
  Testing   $1,390.00
  Beta      $2,780.00
  Release   $4,170.00
How SAST Works
Example input: a servlet method that concatenates user input straight into a SQL query (the code on the slide, with the servlet parameters and the Statement field it relies on written out):

    // stmt is assumed to be a java.sql.Statement field of the servlet
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws SQLException {
        String username = request.getParameter("username");   // untrusted input
        String password = request.getParameter("password");   // untrusted input
        String query = "SELECT * from tUsers where " +
                       "userid='" + username + "' " +
                       "AND password='" + password + "'";      // input spliced into the SQL text
        ResultSet rs = stmt.executeQuery(query);               // reaches the database sink
    }

Step 1, compile and translate: the method is turned into a call trace, DoPost → GetParam → Str.Append → ExecuteQuery.
Step 2, apply vulnerability rules: a rule that flags data flowing from GetParam (untrusted input) through Str.Append into ExecuteQuery (a SQL sink) reports this trace as SQL injection.
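To make the two steps on the slide concrete, here is an added toy taint analysis (not AppScan Source's engine, rules or intermediate representation): the slide's method is hand-translated into a trace of calls, and constructed source/propagator/sink rules are applied to it. A parameterized version of the same method is included to show that the rule does not fire when user input never reaches the SQL text.

```python
"""Toy data-flow (taint) analysis following the two steps on the slide:
translate a method into a trace of calls, then apply vulnerability rules.
Constructed illustration; not AppScan Source's engine, rules or IR."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Call:
    dest: Optional[str]    # variable that receives the result, or None
    func: str              # callee, e.g. getParameter
    args: Tuple[str, ...]  # argument variable names, or quoted string literals

# Vulnerability rules (constructed): where untrusted data enters, how it
# moves, and which argument of which call must never be untrusted.
SOURCES = {"getParameter"}     # return value is attacker-controlled
PROPAGATORS = {"concat"}       # result is tainted if any argument is
SINKS = {"executeQuery": 0}    # tainted argument at index 0 => SQL injection

@dataclass
class Finding:
    sink: str
    path: List[str]   # ordered calls from method entry to the sink

def analyze(method: str, trace: List[Call]) -> List[Finding]:
    """Walk the translated method once, remembering which variables carry
    untrusted data and the chain of calls that put it there."""
    taint: Dict[str, List[str]] = {}   # variable -> path that tainted it
    findings: List[Finding] = []
    for c in trace:
        if c.func in SOURCES and c.dest:
            taint[c.dest] = [method, c.func]
        elif c.func in PROPAGATORS and c.dest:
            tainted = [a for a in c.args if a in taint]
            if tainted:
                taint[c.dest] = taint[tainted[0]] + [c.func]
        if c.func in SINKS:
            idx = SINKS[c.func]
            if idx < len(c.args) and c.args[idx] in taint:
                findings.append(Finding(c.func, taint[c.args[idx]] + [c.func]))
    return findings

# The slide's doPost, translated by hand into the constructed IR. Quoted
# values are string literals; bare names are variables.
VULNERABLE = [
    Call("username", "getParameter", ('"username"',)),
    Call("password", "getParameter", ('"password"',)),
    Call("query", "concat", ('"SELECT * from tUsers where userid=\'"',
                             "username", '"\' AND password=\'"',
                             "password", '"\'"')),
    Call("rs", "executeQuery", ("query",)),
]

# The same logic with a parameterized query: user input flows into
# setString, never into the SQL text handed to executeQuery.
PARAMETERIZED = [
    Call("username", "getParameter", ('"username"',)),
    Call("password", "getParameter", ('"password"',)),
    Call("ps", "prepareStatement",
         ('"SELECT * from tUsers where userid=? AND password=?"',)),
    Call(None, "setString", ("1", "username")),
    Call(None, "setString", ("2", "password")),
    Call("rs", "executeQuery", ()),
]

if __name__ == "__main__":
    for f in analyze("DoPost", VULNERABLE):
        print("SQL injection:", " -> ".join(f.path))
    print("parameterized version:", analyze("DoPost", PARAMETERIZED))
```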
SAST’s Benefits
• Static Application Security Testing (SAST)
  – Analyzes applications at rest (source code/compiled code)
  – Automates code review… to a point
  – Data/control flow analysis and advanced grep
  – Ex. IBM Security AppScan Source
Strengths
• Can traverse millions of lines of code in hours
• If it can find one instance of an issue, it can find all instances in the application
Weaknesses
• Application must build
• Lots of false-positives out-of-the-box
Common SAST Usage
Continuous Improvement Environment
Diagram: a cycle of the stages CONFIGURE, SCAN, TRIAGE, ASSIGN, REMEDIATE and REPORT, with high-confidence findings flowing from triage into assignment. Products shown at the stages: AppScan Source for Analysis, for Development, for Automation and for Remediation; AppScan Enterprise for assignment and reporting.
Security Analyst Workflow
Security professionals using AppScan Source for Security:
• Receive a source code archive
• Extract code and import into AppScan Source
• Scan, resolve compilation issues (often many)
• Triage scan results
• Export or write report
• Deliver report
• Begin again with a new application
Total time: 2-3 weeks / application
• Applications are scanned once per year or less
• Minimal carry-over for subsequent scans
Developer Workflow
Any developer using AppScan Source for Development:
• Click scan
• Wait for scan to complete
• Triage scan results
• Resolve vulnerabilities
• Check code into central repository
Total time: ½ - 1 day
• Developers cannot develop while scanning (can take hours)
• Developers are not security experts
• Scan workflow interrupts agile workflows
SAST Automation
Example Architecture
Automation Components
• Continuous Integration (CI) Server (ex. Jenkins)
• AppScan Source (or other SAST tool)
• AppScan Enterprise (or other Dashboard/Reporting tool)
• Source code repositories (SVN, ClearCase, git, etc.)
Security Analyst Workflow (with automation)
Security professionals using AppScan Source for Security:
First scan:
• Sync code
• Import into AppScan Source
• Scan, resolve compilation issues
• Configure scan frequency in CI server
Total time: 2-3 days
Subsequent scans:
• Log into CI server
• Click scan
• Download assessment file and triage scan results
Total time: 1 day
Chart: Security Engineer Scan Workflow Time in Days. Days per application for the Current Workflow versus the Automation Workflow, split into Scan Configuration and Subsequent Scans (y-axis 0-12 days).
Centralized Bundles
Use of a centralized environment drastically reduces the time required for subsequent assessments.
Diagram: Initial scan: scan results are downloaded from the scan server, the security analyst triages them, and the triaged scan results are uploaded as a bundle. Subsequent scans: scan results are downloaded, findings already triaged are matched against the bundle, and only new vulnerabilities are triaged (and bundled).
Developer Workflow (with automation)
Any developer (IDE plugin optional):
• Check code into central repository
• Receive high-confidence findings via e-mail
• Resolve vulnerabilities
Total time: Minutes
Chart: Developer Scan Workflow Time in Days. Days per application for the Current Workflow versus the Automation Workflow (y-axis 0-1.2 days).
Potential Scans Per Year
Chart: Applications per security analyst per year (best case scenario)
  Current Workflow      26
  Automation Workflow   65
Enterprise Rollout of AppScan Source: Strategy
Diagram: the Application Portfolio is ranked from Less Critical to More Critical against Coverage/Assurance, with tiers labelled Scan, Remediation Guidance and Full Scan/Review; the two goals shown are Increase Coverage and Reduce Risk.
• More time to review critical applications
• More time to find and fix complex issues
Improving Security Visibility
Three audiences: Software Development, Security and Audit, and Business and Executive Management.
• Developers receive everything they need to resolve issues.
• Managers receive everything they need to make smart business decisions.
• IT Security receives everything they need to understand compliance risks.
Security for the Build/Release Engineer & Dev Ops
• Automate (CI/scripts) simple security checks before each CD release
• No security expertise required
  – If certain vulnerability types are found, do not push release/notify stakeholders
  – Only sees actionable results
• Iterative triage to accumulate vulnerable/trusted patterns and APIs
• Incremental vulnerability reporting
  – Only investigate new vulnerabilities to reduce remediation time and focus on what is new and relevant
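The centralized-bundle idea and the release gate described on these two slides, as an added example in plain Python (not the AppScan Source SDK, its assessment format, or the Jenkins plugin): findings are matched against a bundle of previously triaged results, only new findings are reported, false positives stay suppressed, and a constructed policy blocks the release when a new finding of certain types appears. The finding records, the fingerprint scheme and BLOCKING_TYPES are all assumptions.

```python
"""Incremental SAST reporting and a CD release gate, following the slides:
a central bundle of triaged findings, only new findings go to the analyst,
and certain vulnerability types block the release. Constructed example;
not the AppScan Source SDK or the Jenkins plugin."""
import hashlib
from typing import Dict, List, Tuple

# Types that block a release when they appear as NEW findings (assumed
# policy; the slide only says "certain vulnerability types").
BLOCKING_TYPES = {"SQL Injection", "Command Injection"}

def fingerprint(f: dict) -> str:
    """Stable identity: type, file, source API, sink API. Line numbers are
    left out so unrelated edits do not make a triaged finding 'new' again."""
    key = "|".join([f["type"], f["file"], f["source"], f["sink"]])
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def diff_against_bundle(scan: List[dict], bundle: Dict[str, dict]):
    """Split a scan into (new, already triaged, resolved fingerprints)."""
    seen = set()
    new, triaged = [], []
    for f in scan:
        fp = fingerprint(f)
        seen.add(fp)
        (triaged if fp in bundle else new).append(f)
    resolved = [fp for fp in bundle if fp not in seen]
    return new, triaged, resolved

def gate(scan: List[dict], bundle: Dict[str, dict]) -> Tuple[dict, dict]:
    """Return (report for the release engineer, updated bundle for triage)."""
    new, triaged, resolved = diff_against_bundle(scan, bundle)
    blocking = [f for f in new if f["type"] in BLOCKING_TYPES]
    # Findings the analyst marked false-positive stay suppressed on every
    # later scan; nobody has to look at them twice.
    suppressed = [f for f in triaged
                  if bundle[fingerprint(f)]["status"] == "false_positive"]
    report = {
        "new": len(new),
        "already_triaged": len(triaged),
        "suppressed": len(suppressed),
        "resolved": len(resolved),
        "blocking": [f"{f['type']} in {f['file']}" for f in blocking],
        "release_allowed": not blocking,
    }
    updated = dict(bundle)   # resolved entries are kept for history
    for f in new:            # new ones enter as untriaged for the analyst
        updated[fingerprint(f)] = {"status": "untriaged", "type": f["type"]}
    return report, updated

# Constructed sample data: the previous scan and the analyst's triage of
# it (the XSS was judged a false positive, the SQL injection confirmed).
PREVIOUS_SCAN = [
    {"type": "SQL Injection", "file": "LoginServlet.java",
     "source": "getParameter", "sink": "executeQuery"},
    {"type": "Cross-Site Scripting", "file": "Search.jsp",
     "source": "getParameter", "sink": "out.print"},
]
TRIAGED_BUNDLE = {
    fingerprint(PREVIOUS_SCAN[0]): {"status": "confirmed", "type": "SQL Injection"},
    fingerprint(PREVIOUS_SCAN[1]): {"status": "false_positive", "type": "Cross-Site Scripting"},
}
# Next automated scan (constructed): the SQL injection was fixed, the XSS
# is still reported, and two findings appear in a new file.
CURRENT_SCAN = [
    {"type": "Cross-Site Scripting", "file": "Search.jsp",
     "source": "getParameter", "sink": "out.print"},
    {"type": "Command Injection", "file": "Export.java",
     "source": "getParameter", "sink": "Runtime.exec"},
    {"type": "Log Forging", "file": "Export.java",
     "source": "getHeader", "sink": "logger.info"},
]
```

Calling gate(CURRENT_SCAN, TRIAGED_BUNDLE) reports two new findings, one already triaged (and suppressed), one resolved, and release_allowed False because the new Command Injection is a blocking type; the Log Forging finding is new but does not block.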
Demo
Demo screenshots:
• Scan with no custom rules
• Automation performed through Jenkins
• View of custom rules created
• Results
Jenkins Plugin
Open Source Jenkins Plugin
• Available TODAY!
• As a work in progress
• Developed by Aspect Security and IBM
• Hosted on GitHub: https://github.com/aspectsecurity/sensor-integration-framework
Next Steps
What’s Next?
• The AppScan Source SDK continues to improve
  – Assessment parsing for external tooling
  – Viewing findings in web portal
  – Diffing at the SDK level
• Improve Jenkins Plugin
  – Support additional dashboard/reporting engines: Jenkins, SonarQube
• AppScan Source App Server Importer plugin architecture
  – Point-and-shoot discovery of EARs and WARs
  – Discover applications via import
  – Successive scans can be run via automation
Questions?
More Questions
William Frontiero: wfronti@us.ibm.com
Kevin Fealey: Kevin.Fealey@AspectSecurity.com, @secfealz
https://github.com/aspectsecurity/sensor-integration-framework
Notices and Disclaimers Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM. U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM. Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS document is distributed "AS IS" without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided. Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business. Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM.
All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation. It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.
Notices and Disclaimers (con’t) Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM expressly disclaims all warranties, expressed or implied, including but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right. • IBM, the IBM logo, ibm.com, Bluemix, Blueworks Live, CICS, Clearcase, DOORS®, Enterprise Document Management System™, Global Business Services ®, Global Technology Services ®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, SoDA, SPSS, StoredIQ, Tivoli®, Trusteer®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.
Thank You Your Feedback is Important! Access the InterConnect 2015 Conference CONNECT Attendee Portal to complete your session surveys from your smartphone, laptop or conference kiosk.


Editor's Notes

  • #7 Source: US Dept. of Commerce, National Institute of Standards & Technology (NIST). "Planning Report 02-3: The Economic Impacts of Inadequate Infrastructure for Software Testing." Technology Program Office, Strategic Planning & Economic Analysis Group. May, 2002. www.nist.gov/director/prog-ofc/report02-3.pdf
  • #21 Assumes 10 days per app currently and 4 days per app in a (52*5)/<#days/application> (estimated)