Conf42 Site Reliability Engineering 2021 - Online

Keep your code safe during the development path using Opensource tools


Abstract

Practical demonstration of how a developer can use a SAST tool for static analysis of code vulnerabilities, running it against source code, byte code and/or binaries and identifying security holes during the development process, analyzing many languages and formats such as C, C#, Java, Kotlin, Python, Ruby, Golang, JavaScript, JSON… It also searches for key leaks and security flaws in all files of your project as well as in the Git history, and in addition gives you a managerial view of all this analysis information.

Summary

  • Filipi Pires is principal security engineer at Talkdesk and security researcher at senhasegura. He talks about how you can keep your code safe during the development path. You can enable your DevOps for reliability with ChaosNative.
  • SAST is static application security testing; IAST is interactive application security testing. You can use this strategy or method during your development process or development path. This is just to clarify something related to the main topic: security and the software development lifecycle.
  • Horusec is an open source tool that performs static code analysis to identify security flaws during the development process. Currently the languages and tools it analyzes include C#, Java, Kotlin, Python, Ruby and Golang. It's pretty nice because you can improve your pipeline.
  • horusec.io: you can click through to the main page on GitHub. You can use this to exchange knowledge with the community, so it's pretty nice that you have this opportunity.
  • Horusec was developed by the security team from Zup Innovation. SonarQube is more focused on code quality and Horusec on security in code. All the vulnerabilities that you find in your code are shown in this platform, and exactly where you can use the Horusec analysis.
  • Ten possible vulnerabilities were found and classified into one critical, two high, four low and so on. There is a guide to suggest fixes and to improve your knowledge if you're a developer. Here are some examples and how you can find them in your code.
  • He uses GitHub Actions to simulate the pipeline. You can also use AWS CodeBuild to integrate. You can also write in the forum, and the security team and the Horusec team can help you with this project. For example, here you can set it up using some other different solutions.

Transcript

This transcript was autogenerated. To make changes, submit a PR.
Are you an SRE, a developer, a quality engineer who wants to tackle the challenge of improving reliability in your DevOps? You can enable your DevOps for reliability with ChaosNative. Create your free account at ChaosNative Litmus Cloud. Hello everyone. My name is Filipi Pires and today we're going to talk about how you can keep your code safe during the development path. Right? So my name is Filipi Pires and I've been working as principal security engineer at Talkdesk. By the way, Talkdesk is a company from Portugal responsible for providing contact center as a service, as a product, actually. And I'm a security researcher at senhasegura. Right. So, senhasegura is a Brazilian company, but they have many customers around the world. They appear in many different reports, like Gartner, like Forrester, like KuppingerCole. It provides some solutions for PAM, privileged access management. And I'm a security advocate and security instructor on many topics related to security. Right? And I'm a researcher, not a researcher, I'm an advocate of this awesome project, Hacking Is NOT a Crime. By the way, this project is pretty awesome because the idea here is to explain more about the concept, about hacking, right? Because hacking is really not a crime. It's a mindset, it's a lifecycle. So how you can look into some software, for example, and how you use your creative mind. Okay? And I'm a contributor of the Red Team Village. It's a pretty nice community in the US. I'm a speaker there and I'm talking in many different events. And I'm part of the staff team of the DEF CON Groups here in São Paulo. It's a community here. And I'm the creator and instructor of the malware analysis course Malware Attack Types with Kill Chain. It's a kind of technique used in offensive exploitation using the concept called malware. This is my web page, if you'd like to see more information about me.
Other talks that I'm doing, or not doing, but talks that I'm giving at different events, different talks that you can see here. And here I have some articles published about different topics related to cybersecurity, right? And here you can find filipi86. Actually, this is my main GitHub. Here you can see more information about my projects, about some things, about me. Okay, so let's talk about our main topic today: how you can improve your code, actually. So as you can see here, I don't know if it's small, but here I have in my GitHub the Horusec demo, this is the project that I will be using here during this demo, during this presentation. I have here different vulnerable code, right? So you can copy that after this conference or this meeting and you can use this in your presentations or your tasks in your demo. Okay, so first of all I would like to explain more about the differences between the same concepts, because I would like to put all those people on the same page. Okay, so there's a simple definition about what exactly the difference is between SAST, DAST and IAST. Okay, so SAST is static application security testing. It's an important step when you create some software, when you develop something. Remember when I'm talking about the software development lifecycle, but I will put another S: SSDLC, so secure software development lifecycle. So you can use this strategy or this method during your development process or development path. Okay, so SAST analyzes the source code of the system that you are using before you put this code in production, okay. SAST is usually performed before the system, as I mentioned, is in production, and only on the source code. The idea here is to scan your source code to see if you find some vulnerabilities in this code. The important point here is that Horusec is an open source project that you can see.
I will put Horusec here on the Internet, for example, you can check here, and I will explain more about what exactly Horusec is during this presentation. Okay. Another point is DAST, dynamic application security testing, which is another approach. DAST tests exposed interfaces for vulnerabilities. In this case it's different when you compare it to SAST. Okay. In this case, DAST is great for finding externally visible vulnerabilities. So after publication, okay, it's a tool recommended to find externally visible vulnerabilities. I mean you need to publish this URL to be tested, that is enough to perform the test, or a binary to be executed. So this is an important thing. So you have other different techniques that you can use in this analysis, like SCA or container scanning, as part of the process used in this development path. Okay, so IAST is interactive application security testing. You combine these two different strategies. Okay, just to be clear, when we talk about the vulnerabilities in safe code, it's pretty important to understand some differences. So you have some levels of severity, right. When you find some vulnerabilities, probably you know, but if you don't know, it's pretty important to clarify this. Okay, so first is critical, it's too high. And the second is high, medium, low. These are the definitions of the vulnerability levels, and here in this case this explanation is related to these tools, in this case Horusec. There is info, I mean when you receive some info in the log, probably we don't have any information about this. Maybe something is suspicious but it's not clear if it's malicious or not, or if it's vulnerable or not, in this case. Okay, so this is how you can use these explanations related to these tools, in this case Horusec, right? Okay, so this is just to clarify something related to this main topic about security and the software development lifecycle. Okay, so let's talk about what exactly this open source tool Horusec is.
Okay, open source Horusec today is maintained by Zup Innovation. Zup Innovation is a Brazilian company, by the way, it's my previous job, and this tool is responsible for identifying vulnerabilities, simple and fast. Here is the explanation: Horusec is an open source tool, again, that performs static code analysis, as I mentioned, to identify security flaws during the development process. So here is a good point. Currently the languages and tools it analyzes are C#, Java, Kotlin, Python, Ruby, Golang, and take a look at this, Terraform and Kubernetes and others like JSON, Elixir, shell and so on and so on. Okay, and another point here, pretty nice in this tool, is it has the option to search for key leaks and security flaws in all files of your project as well as in the Git history. So you can use the Horusec tool as the developer through the CLI and by using the DevSecOps team on CI/CD. I will explain more during this conversation. Okay, just to clarify what exactly this tool is. So here we have a web manager to manage the vulnerabilities, and you can use this in your pipeline as well. It's pretty nice because you can improve your pipeline. Okay, so here's some explanation of how Horusec works. You can read the documentation after this presentation. Okay, so let's return here to the documentation. So if I click here on Horusec, take a look at this, I will land on the main page here, as you can see, just to show you. Okay, let me close these other tabs. Another point is you can click here. For example, let me clear, just the main page. Let me put Horusec here again, one more time. Horusec, and I will explain the main page here. horusec.io: you can click here on GitHub to see the main page on GitHub. As you can see here, you can check all this information about what exactly it is, the documentation and how you can contribute more, in this case, to this awesome product.
By the way, another point in this documentation is you have here the docs and the community, you have here the forum, you can interact with other people from the community. Here you have the English page of Horusec, you can open many cases here, or if you have some error using Horusec in GitHub Actions or in your pipeline. So here you can see you can use this to exchange knowledge with the community. Okay, so it's pretty nice that you have this opportunity. Okay, so let's return here to the documentation. It's here, okay, and I will click here on CLI, and I'm using here the installation process. So pretty simple, I will install it here on my Linux machine, I will be using curl here. As you can see I have here, by the way, the main directory where I have the same vulnerable projects, as you can see here in my virtual machine. So first of all you pass here, and as you can see I will use curl to request this binary to install in my virtual machine. And after installing, as you can see, I'm downloading and I will move this binary to the local bin, as you can see here, because then I can execute this binary from whatever place I am inside my virtual machine. So now I have Horusec here in my virtual machine, okay, so I will set -h to see what kind of commands I can use here. So as you can see here, I can use it in two different ways, like flags and like commands. Commands, I mean the available commands that you can use are start, to start or reset the CLI, version, to see the version, and generate, but basically the main command that you will use is start, because I will be using the CLI to execute Horusec. So horusec start, and after that -h to see what kind of flags I can use here. And if you see, I have many flags to use here. So here a simple explanation is: start the Horusec analysis in your current path. I mean when you execute this, by default you execute it in the Horusec demo because this is the current path.
Okay, so I can set, by the way, if you would like to analyze another different directory, for example another folder, I can set for example -p, like this, let me show you here -p. Here -p, I mean the project path, okay, so for example, in this case I am in this path, but if I set -p here, I will write another different folder to analyze. It's pretty simple and very intuitive how you can use the CLI, and you can set for example -a, I mean the authorization. In this case the authorization token is responsible for sending all the information about the vulnerabilities to a web manager, the Horusec web manager, where you can manage all the vulnerabilities that you find in your code on this platform. If I have time I will explain this during this presentation. Okay, so another point is if you use another tool like SonarQube, for example, you have here -o to set the output format. And as you can see here, I can send the output format to integrate with SonarQube. Because in SonarQube you have the code quality software or tools, for example. And of course in SonarQube you have some version with security stuff. That's a different version, I think it's an enterprise version, I don't know exactly. But Horusec was developed by the security team from Zup Innovation. It's a bit different, right. So when the team created the engine responsible for analyzing this, it's a security team. So the essence of this tool is from the security team. So this is a difference. But I recommend both of them, because SonarQube is more focused on code quality and Horusec on security in code. Okay, so let's execute it to see how this works in my environment, for example. So let me set here, let's check here, I have here Golang, let's see, for example I will execute horusec start and I will set -p. Okay. And I can put here for example a different path. I will execute this in the main path here, I will click enter, for example, and I will set this.
This is by default the folder that I am in here. And I click enter and after that I will execute this in my environment. So as you can see here, I will start the execution and I will see how Horusec works. Another point during the scanning is how exactly and where you can use Horusec. So here I will go to the Horusec, sorry, go to the overview. Anyhow, you can see here the Horusec analysis types. First is SAST, as I mentioned. So it's static vulnerability analysis. And second, it can be done on the source code or byte code or binary. So this is the main topic here, the main function of using Horusec, but they have two more different analyses that I like. By the way, it's about the leaks, I mean the leaks check the source code for possible leaks, credentials or private keys or hard-coded passwords, for example. If you have something hard-coded in your code, it shows you that this is vulnerable. Sometimes you put it in your code in clear text, a terrible vulnerability, by the way. It's a misconfiguration, actually, not a vulnerability in the code, it's a misconfiguration because you put it there. So dependency audit: you analyze the project dependencies to check the vulnerabilities of third-party libraries. Because sometimes you need to import some libraries in your code to execute something, and sometimes this library is vulnerable. So because of this, it's pretty nice to see about this library. It's a kind of dependency check, but it's pretty nice to see this type. So for me there are three different ways that you can, different types that you can analyze. Okay, so I performed this in my environment. I executed this during this presentation. As you can see, the scanning by Horusec. Okay, so let me get down here. So where can you use Horusec? Locally, as I'm using here on my virtual machine. You can use this in your CI/CD pipeline. And if you are a developer, you can use this in your IDE extension in your VS Code.
For now it's just available as an extension in VS Code. So this is how you can use Horusec in two different ways. Not two, three: locally, a CI/CD pipeline, and an IDE like VS Code. Okay, so let me get on it here and, okay, so let's see the log of the results of this scanning. Okay, let me return to the beginning. So here, as you can see, the start time of this scan and the finish time. So as you can see, the first, let's see about the log. First is the leaks. That's very totally critical. And first is the engine, security tools. It's the Horusec engine. Okay, it's pretty nice in my opinion, because this is developed by the security team. In this case not the security team, but developed by the Horusec team. So the engine is responsible for seeing this vulnerability. This is exactly the vulnerable file, right. In this case the Python file, TTC Python, and as you can see the code. Take a look. "This is not a password". In this case you have here the hard-coded password, as I mentioned. So where is the exact explanation of this vulnerability? In this case you can find here the main information, not much information, the explanation of this vulnerability. And you can see here the link of the CWE. So, Filipi, I don't know exactly what CWE is. So you can open the link and you can see here on the Internet what exactly this information is, if you're not a security guy, for example. So basically, CWE is Common Weakness Enumeration, right? So it's from MITRE. And here is the total explanation of this vulnerability. In this case, the software contains hard-coded credentials such as a password or a cryptographic key. And here is the extended description. And by the way, here you can see the relationships of this main vulnerability. And the point is here, it's pretty nice if you don't have a guy, actually, if you don't have a guy, or if you know a guy from security, here you have good content to read and to learn more about security.
Right? So we have here the other variants of these vulnerabilities, or different vulnerabilities connected with this main vulnerability. And you can see here many explanations, much information about this vulnerability. Here are some examples and how you can find it in your code. So it's a guide about security and you can use it in your code. So here are some vulnerabilities. This is the idea of these vulnerabilities, about other vulnerabilities in different protocols, for example. So here are potential mitigations, so how you can fix these vulnerabilities. And here you can see much information about these vulnerabilities, using safe code for credentials. Okay, so we have here a guide to suggest to you and to improve your knowledge if you're a developer. And take a look at this, in the second log we have here Java. And take a look, in this case line two and column seven. And here is the exact file where we can find the vulnerability, in this case the app Java file. As you can see here, you have another different CWE, it's CWE-330. It's different when you compare it to the first, we have two different vulnerabilities and two different searches, because the vulnerability is different. Okay, so let's go to another difference. So here, take a look. This Python, in this case, take a look, the security tool is different. It's not from Horusec, in this case it is from Bandit. So as you can see here, it's another engine. In this case it's an open source engine. So another different tool that you can use together with Horusec. From my perspective, it's pretty nice because you can combine all those engines. And if you see here below, take a look at this. You have the Horusec engine, it's another, you have more than one engine inside the same platform, here you can have more than one engine scanning your code. So here you can find other pretty nice information.
Okay, at the end of this analysis, as you can see here, in this analysis, a total of ten possible vulnerabilities were found and they were classified into one critical, right? So one totally critical, two high, three medium and four low. As you can see here, you have ten vulnerabilities in this, remember, in this folder here, in this case, this folder. Okay, so if you see, I have here more than one project. Let's see, I have here three different projects in different, okay, so, and how can Filipi use this in VS Code, for example. So as I mentioned here, let me open my, I guess put here sandbox. Let's see here, section one. Okay, we'll take a look at this. I have here the same project, okay, I have here my Golang code, I have here Java, here Node.js folders, the same vulnerable code. Okay, as you can see here in my VS Code, and I have here the extension. Basically we click here and I write Horusec. Pretty simple. If you're using VS Code, for example, as you can see, just click here, install, and after that you have the extension here in your environment. It's pretty simple to use, basically. Let's see here, I just click here on start analysis. And after that take a look at this, hold on for a sec. It started to analyze your code. And as you can see here, they will execute this analysis on my source code. The same execution that I executed in my environment. So let me explain more about another thing while this is happening. Let me explain here about Horusec. Let's check here the overview, let me note here, and about the installation, CLI installation one more time. And as I mentioned, I executed this locally. As I explained here, you can use it here on the Windows platform, if it works with Windows. For example, you have here different versions for the Unix platform, Windows, and you can use it here on a Mac. This is the process hash actually, here's the version and how you can use it, since they give the privilege actually.
And here is the installation by Docker image, because you can use this in a Docker image, here it's the command that you can use in your environment. And you can use this, the installation by pipeline. It's pretty nice. I think we have time to explain it during this presentation. So I will use GitHub Actions to explain to you, to simulate the pipeline. Actually you can use AWS CodeBuild, so you can integrate. But basically here are the steps that you can use in the commands. The example here you can use in your CircleCI, for example, in your Jenkins, in your Azure DevOps pipeline or in your GitLab CI/CD. So all those CI/CDs were tested by the Horusec team and this works pretty nicely. Okay, if you'd like to have another different CI you can test, or you can again open an issue, some case or ticket, not a ticket, it's not a ticket, but you can write in the forum and the security team and the Horusec team can help you with this project. Let's return here to VS Code, here it's running, still running Horusec here. And by the way, I am doing the streaming, I am using the virtual machine, I am doing the scanning at the same time. So because of this, it's not too fast, but usually 30 to 40 seconds to perform this, it's very fast. But in my case I'm using the virtual machine, I'm doing the streaming, the recording, many functions on the same machine, so it's not too fast. Okay, so let's see here the doc Python, take a look at this, when I click here, this is totally critical, on the line exactly where you can find the vulnerability. You can put your mouse here below and take a look at this information, the same information that you find in the CLI. So take a look at this. You have here the hash reference of this vulnerability and you have here the explanation about the leaks. Remember the first log that I showed you, okay?
And one more time here the CWE, again CWE-798, the same link that you can click here and you can read more about this information if you don't know what exactly the CWE is. And here it's another, take a look. This is the Horusec engine, the engine responsible for the tactics they define in this vulnerability. And here you can see Bandit. So let's see another, the Java here, it's the same, click here, you can read more about this insecure random number generator, and here the explanation why this random number is vulnerable. Not my definition, not a definition from Filipi or from Zup or from Horusec, it's a definition from MITRE. Okay, the organization, the organization responsible for the vulnerabilities. And here it's another, JavaScript, take a look. This is another JavaScript, using a shell interpreter when executing arbitrary OS commands. So here it's another pretty nice explanation about this flaw. And as you can see here, it's just for info, not info, in this case it's low, right, based on the Horusec engine. So as you can see here, the point where you can find, exactly the point where you can find the vulnerability. So for example here you can set it using some other different solutions, and you can set the environment, the secret environment, you don't pass it, for example, here in the text, in clear text. Okay, so here is the way that you can use it, receiving it in your VS Code, in your IDE, okay, so the last one, are you using in this case the security and GitHub Actions. So I have here my GitHub Actions, okay, here my actions, there are no jobs running for now, and I will return to my main folder here. And if you click here, so you need to set the workflow, right, in this repository. So here, if you don't know how this works, you can click here and set up a workflow yourself. And here is the information, so how you can create this folder. And here is the example that you can use in this case, right, so let me click on Actions one more time here.
As you can see, no jobs running now, and I will create this folder here and I will return here to the documentation, and when I pop this I will explain more about it here, and take a look. First of all I will create this job, the security pipeline, and take a look at the job, okay, I will run basically this command, it's the safe code, install Horusec, okay. And after that I will execute horusec start and I will set the path, basically it is the main path here that I'm running this from, and I will set another flag, -e, I mean in this case it's true, because in this case if they find whatever vulnerability in this code, they break the pipeline. They create a gate to break the pipeline, because the code is vulnerable and it's impossible to go to production because the code is totally vulnerable. And by the way, in this case with Python we have here the clear text, remember that? Yes, okay, I think you remember. So I create this, so let's see about the GitHub status. I think it's running just a log, let me go, let me add this folder, let me commit the demo, enter. So we have here the new folder, the new file actually. So you push, I'm working with master, not main, so you need to set my password. In this case I'm executing this new action. So let's return here to my GitHub Actions, as you can see, no jobs running. I will click on Actions one more time and take a look at what happened. So now I have one workflow here, security pipeline. And if I click here, take a look at this, I am running now this new job in my GitHub Actions. So I'm trying to see if my code is vulnerable, if not vulnerable, it passes, okay, but if it's vulnerable it will break, because I set, remember, the flag -e. In this case it's true, the code needs to be minus one. If they find some vulnerability in this code, they will break or create a gate in this pipeline, okay, so they will execute this, let me go to the job.
So take a look at this, setting the environment, and after that they will check out the code, and now they will run Horusec in my environment. So if they find here any vulnerabilities, as you can see here, it's the tool, it's the same that I executed in the CLI and VS Code. And as you can see here, let me return here, as you can see, create a gate or break the pipeline, okay, and here is the execution, right. As you can see, executing the curl, and after that they set horusec start, -p and -e, if vulnerable. And let's see the logs. So take a look at this. It's basically 1 minute. In this case, take a look at this, the same vulnerability that we found since the first, right, in the CLI, in VS Code, okay, and other, a lot of information in the logs. And take a look at this here, the password secret in Python. In this case, in clear text, one more time, password one two three, and another is "this is not a password". Okay. And here, as you can see in this case, more than one possibility. And take a look at this: error, process completed with exit code 1, because I set the flag, remember? And as you can see the code, it was broken. In this case I can send a lot of information, I can send this information to the web manager, but we don't have time to explain more during this presentation. During this presentation, and after that you can treat all those vulnerabilities and you can change this code, and after that you can rerun the job. If the code is pretty nice, they will pass. Okay guys, so I finish here my presentation, I don't know if you have any questions, so if you have any questions, please let me know. I hope this presentation will be useful for you. And one more time, thank you so much for being here for this presentation, and see you in the next event.
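The two behaviours the demo leans on, the leaks check that flags clear-text credentials and keys in source, and the -e style gate that turns findings into a non-zero exit code so the pipeline breaks, re-created as an added example. This is not Horusec's code: the regex rules, the severity-to-CWE mapping, the sample files and the `gate()` function are all constructed here for illustration.

```python
import re
from dataclasses import dataclass

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO")


@dataclass(frozen=True)
class Finding:
    """One hit, carrying the fields the talk reads off the scanner log."""
    path: str
    line: int
    rule: str
    severity: str
    cwe: str
    snippet: str


# Hypothetical leak rules in the spirit of a leaks engine (not Horusec's own rule set).
LEAK_RULES = (
    ("hard-coded-password",
     re.compile(r'(?i)\b(?:password|passwd|pwd|secret)\s*=\s*["\'][^"\']{3,}["\']'),
     "CRITICAL", "CWE-798"),
    ("private-key-material",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
     "CRITICAL", "CWE-321"),
    ("aws-access-key-id",
     re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
     "HIGH", "CWE-798"),
)

# Constructed sample project: a clear-text config, its hardened twin, and a committed key.
SAMPLE_PROJECT = {
    "app/config.py": (
        'DB_HOST = "db.internal"\n'
        'password = "password123"          # clear-text credential in source\n'
        'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"  # AWS documentation example key id\n'
    ),
    "app/config_hardened.py": (
        "import os\n"
        'password = os.environ["DB_PASSWORD"]  # injected from the CI secret store\n'
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEconstructedNotARealKey\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}


def scan_file(path, text):
    """Run every leak rule over each line; one Finding per (line, rule) hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern, severity, cwe in LEAK_RULES:
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule, severity, cwe, line.strip()))
    return findings


def scan_project(files):
    """Scan an in-memory {path: contents} tree in deterministic path order."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_file(path, files[path]))
    return findings


def summarize(findings):
    """Per-severity counts, the 'N critical, M high, ...' line from the log."""
    counts = {s: 0 for s in SEVERITIES}
    for f in findings:
        counts[f.severity] += 1
    return counts


def gate(findings, return_error=True, ignore=()):
    """CI exit status modelled on the -e gate in the talk: 0 lets the job pass,
    1 breaks the pipeline when any finding outside the ignored severities remains."""
    remaining = [f for f in findings if f.severity not in ignore]
    return 1 if (return_error and remaining) else 0


def main():
    findings = scan_project(SAMPLE_PROJECT)
    for f in findings:
        print(f"{f.severity:<8} {f.path}:{f.line} {f.rule} ({f.cwe}): {f.snippet}")
    print("summary:", summarize(findings))
    status = gate(findings)
    print("pipeline:", "BROKEN" if status else "PASSED", f"(exit code {status})")
    raise SystemExit(status)


if __name__ == "__main__":
    main()
```

The hardened file produces no findings because the credential is read from the environment rather than written into the source, which is the fix the talk points to for the clear-text password.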

Filipi Pires

Principal Security Engineer @ Talkdesk



