Making DevSecOps a Reality in your Spring Applications

MAKING DEVSECOPS A REALITY
IN YOUR SPRING APPLICATIONS
Roberto Velasco

ABOUT ME
Roberto Velasco
Working as Java Software Architect since 2004
Involved in Software Security since 2001
Hdiv open-source project founder
CEO at Hdiv Security

CONTENTS OF TALK
• Introduction
• Software Security issues
• DevSecOps: Security Bugs
• DevSecOps: Business Logic Flaws
• Summary

THE NEW REALITIES
• New deployments every day
• Moving to the Cloud
• Exponential scalability requirements
• Exposed to automated attacks (low cost attacks)

SECURITY ISSUES IN THAT NEW SCENARIO
• Security teams don’t have enough time to review
the applications manually
• Many security solutions are not adapted to the cloud
• Hardware-based
• Scalability issues

THE SOLUTION: DEVSECOPS
• Security must be integrated within the design
process of the applications
• Security solutions must work within cloud
environments
• We need to follow a DevSecOps approach

HOW TO IMPLEMENT DEVSECOPS
Metrics Tools

SOFTWARE SECURITY ISSUES
• SQL Injection
• Cross-Site Scripting (XSS)
• Directory Traversal
• Weak Crypto Algorithm
• Java Object Deserialization
• etc.
• Access Control
• Binding attacks
• Race condition
• Step N of workflow can be skipped
• etc.

DEVSECOPS:
• Syntax issues related to
security
• They can be detected by tools:
Application Security Testing
(AST)
• AST
• SAST
• DAST
• IAST
• OWASP A1: Injection
• OWASP A2: Broken Authentication
• OWASP A3: Sensitive Data Exposure
• OWASP A4: XML External Entities (XXE)
• OWASP A6: Security Misconfiguration
• OWASP A7: XSS
• OWASP A8: Insecure Deserialization
• OWASP A8 (2013): Cross-Site Request Forgery (CSRF)
• OWASP A9: Using Components with Known Vulnerabilities
SECURITY BUGS

1. Use an AST solution during development
2. Define metrics and thresholds to assure quality
3. Integrate security issues within your issue tracker
4. Monitor and protect production deployments
DEVSECOPS: SECURITY BUGS HOW TO

DEMO
https://hdivsecurity.com/videos/devsecops-security-bugs

Automated AST is not a panacea though. All of the AST tools
share significant weakness in the area of detecting business
logic flaws as well as more deliberate, malicious flaws like logic
bombs and back doors. Business logic flaws include
vulnerabilities like insecure direct object reference, which can
lead to account compromise or privilege escalation.
A Guidance Framework for Establishing and
Maturing an Application Security Program

DEVSECOPS:
• OWASP A4 (2013): Insecure Direct Object References
• OWASP A7 (2013): Missing Function Level Access Control
• OWASP A10 (2013): Unvalidated Redirects andForwards
• OWASP A5 (2017): Broken Access Control
BUSINESS LOGIC FLAWS
• Access control
• Binding attacks
• Race condition
• Step N of workflow can
be skipped
• etc.

DEMO
• URL DIRECT ACCESS
• PARAMETER MANIPULATION
• MISSING FUNCTION LEVEL ACCESS CONTROL
• BINDING ISSUE
https://hdivsecurity.com/videos/devsecops-business-logic-flaws

• Even though they can’t be detected automatically,
we can automated the protection
• Business logic flaws protection can be automated
through input validation
• We can measure the quality of the protection
DEVSECOPS: BUSINESS LOGIC FLAWS & SOLUTION

• Input
• URLs
• HTTP form Parameters
• JSON attributes (REST apps)
• Validations that we usually perform manually
• Type
• Size
• Role based
• Custom code validation

• Traditional security validations (format & role)
present important limitations
• http://www.bank.com?id=123456789012345
• Security depends on people

How to automate protection?
We can apply contract based protection
DEVSECOPS: BUSINESS LOGIC FLAWS

public class Pet {
Integer id;
id;
String name;
Date birthDate;
PetType typeId;
Breed breed;
Color color;
}

public class Pet {
Integer id;
id;
@Pattern(regexp=“^[A-Za-z0-9]*$”)
String name;
Date birthDate;
PetType typeId;
Breed breed;
Color color;
}

How do we implement this?
The server must define what is allowed,
rejecting the rest

1
2
Validation Filter
Libraries Extension2

DEMO
BUSINESS LOGIC FLAWS PROTECTION
https://hdivsecurity.com/videos/devsecops-business-logic-flaws-protection

• Using contract enforcement we can
measure the quality of the input validation
• We know how much of the input is validated
using:
• Integrity
• Basic input validation (format, size, etc.)
• Nothing at all
DEVSECOPS: BUSINESS LOGIC FLAWS & METRICS

DEMO
VISUALIZING VALIDATIONS QUALITY
https://hdivsecurity.com/videos/devsecops-validations-quality-visualization

• Define thresholds depending your maturity
model
DEVSECOPS: BUSINESS LOGIC FLAWS & METRICS

DEMO
BUSINESS LOGIC FLAWS – CI (JENKINS)
https://hdivsecurity.com/videos/devsecops-business-logic-flaws-continuous-integration

SUMMARY
• DevSecOps approach must be complete, not only
focused on Security Bugs
• We need tools that work in all environments
offering:
• Metrics generation and enforcement
• Automation of protection and monitoring

Making DevSecOps a Reality in your Spring Applications

More Related Content

What's hot (20)

Similar to Making DevSecOps a Reality in your Spring Applications (20)

Recently uploaded (20)

Making DevSecOps a Reality in your Spring Applications