Making The Best of Application Security Solutions: Amit Ashbel Product Evangelist


Making the best of Application Security solutions

Amit Ashbel
Product Evangelist
How am I about to spend your time?

• Very shortly about us
• Introduction to Application Security
  – Where does what fit?
  – Pros & Cons
  – The importance of early detection
• Gamification for techies
• Not so wet t-shirt contest
• Node.js potential risks
• Takeaways
About Us

• Checkmarx
  – Founded in 2006
  – Enterprise grade Application Security solutions: SAST | RASP | Application Security Education
  – Hundreds of Fortune 500 and SMB customers
  – Fanatical support
Introduction to Application Security

~90% of applications are vulnerable

Network solutions are not designed to protect the application level

Applications are designed to run in browsers, multiplying the threats every day

Attacks are in stealth mode


The Problem: 37 Million | 5.6 Million | 40 Million

Employee End Points → Access Management → Web App Servers

Access Management checks:
• Allowed Port
• Allowed Source
• Allowed Protocol
• Transaction Data?
Application Development Life Cycle

Phase:    Product Design        | Development | Testing   | Deployment | Production
Control:  Security requirements | SAST        | DAST/IAST | Pen Tests  | RASP or WAF


Web Application Firewalls (WAF)

• Pattern Recognition
• Session Protection
• Signature KB
WAF Pros and Cons

Pros:
• Protection in real time
• Blocking capability
• Developer buy-in
Cons:
• Vulnerabilities are not resolved
• No understanding of application data flow
• High maintenance
• High false positive rate
• No client-side vulnerability detection
DAST and Pen Tests (BlackBox)
DAST Pros and Cons

Pros:
• No need for source code
• Analysis on client and server side
• Exposes vulnerabilities manifested in real time
• Can expose 3rd party vulnerabilities
Cons:
• Cannot detect non-reflective attacks
• Might miss minor or less visited areas of the app
• Requires full compilation upon every code change
• Not fitting for agile methodology
• No remediation location indication
Pen Test (BlackBox) Pros and Cons

Pros:
• Can be comprehensive
• Analysis on client and server side
• Human logic
Cons:
• Only relevant for the specific point in time when the pen test takes place
• Lengthy process
• Expensive process (tools + man hours)
• Only as good as the tester


IAST – Interactive Application Security Testing

• A complementary solution to DAST products
• Allows detection of non-reflective vulnerabilities
IAST Pros and Cons

Pros:
• Allows DAST solutions to detect more vulnerabilities
• May allow pinpointing vulnerable code lines
Cons:
• Can't live on its own, requires DAST
• Has to be integrated within the tested application
• Potential for high false positives or missed detection
Real-Time Application Security Protection (RASP)

Malicious input (e.g. ' or 1=1 ;--) → Web App → RASP analyzes data flow and logic before allowing further functionality
RASP Pros and Cons

Pros:
• Negligible false positives
• Can block or alert in real time
• Transparent patching
• Can integrate with SAST
Cons:
• Requires instrumentation
• Implemented in production environment

SAST
SAST Pros and Cons

Pros:
• Fix vulnerabilities at their source
• Reduce TCO
• No need for code compilation
• Indicated fix location
• Fits into any development methodology
• No effect on production environment
• Education!
Cons:
• False positives (in many cases)
• Might report findings that can't be exploited
• Doesn't run during application run time
Black Box vs White Box testing

False Negatives!
(Source: webapsec.org)
SAST ROI/TCO

Most vulnerabilities are created during coding: 85% of defects are introduced at the coding phase, so resolve your vulnerabilities there.

Cost of repairing a defect by development phase (from the slide's chart):
Coding: $25 | Unit Tests: $100 | Function Test: $250 | Field Test: $1000 | Post release: $16000
Why Early Detection?

Costs by vulnerability detection stage:
• During Development (SAST): Development efforts
• After Release (Pen-test, DAST, WAF): Re-launch, Schedule delays, Development efforts, Impact analysis, Version rollback
• After Breach: Legal costs, Re-launch costs, Schedule delays, Development efforts, Monitoring services, Reputation damage, Reimbursements, Impact analysis, Version rollback


The Conflict

"I need to get this code released ASAP"

"And who will take responsibility once we are breached??"
So, what can we do?

Integrate Source Code Analysis seamlessly. An SCA solution should:

• Integrate in the SDLC: IDE, bug tracking, build server, code repository and CI server
• Recognize source code issues during development; don't wait until the end of the sprint
• Not depend on external service SLAs
• Provide clear prioritization
• Provide clear remediation instructions
• Integrate time-saving functionality: fix one, address many
• Scan only what is really required
• Educate the teams to prevent repeating mistakes
Game of Hacks – An Idea is Born

Spot the vulnerability:

using System;
using System.Security.Cryptography;

class Program
{
    static void Main()
    {
        using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
        {
            // Buffer storage.
            byte[] data = new byte[4];
            // Ten iterations.
            for (int i = 0; i < 10; i++)
            {
                // Fill buffer.
                rng.GetBytes(data);
                // Convert to int 32.
                int value = BitConverter.ToInt32(data, 0);
                Console.WriteLine(value);
            }
        }
        // Other random generation method.
        Random otherRandomGenerator = new Random();
        double otherRandomNumber = otherRandomGenerator.NextDouble();
        Console.WriteLine(otherRandomNumber);
    }
}
CISO Concerns – Education and Awareness

https://www.owasp.org/images/2/28/Owasp-ciso-report-2013-1.0.pdf
1+1=?

Launched in August
More than 100,000 games played since
Let’s take a look at the game
What was behind GoH?

Honeypot
• We assumed the game would be attacked
• We might as well learn from it
• Vulnerabilities were left exposed and patched along the way
GoH Architecture: Server / Client

Node.js Architecture

Single thread architecture: the event loop
• Register callback → Event queue → Event loop (single thread)
• I/O operations (file system, database, network) are handed off
• Operation complete → Trigger callback

Event driven: single thread, events handler
Get your browsers ready!

Checkmarx@OWASP Romania 2015


Turn your mobile devices ON!
Go to: www.kahoot.it
SOME NODE.JS CODING PRACTICES TO REMEMBER

Event Driven - remember?
Single thread, events handler
Denial of Service

// CPU-bound loop executed on the single event-loop thread:
// while it runs for a large p, no other request is served.
function sum(p) {
    var f = 0;
    for (var i = 1; i <= p; ++i) {
        f = f + i;
    }
    return f;
}

Demo
http://localhost:49090/sum?p=5
http://localhost:49090/sum?p=100000000
http://localhost:49090/sum?p=5
JSON-based SQL Injection

• Node.js, being JSON based, can accept JSON values for the .find method:
• A user can bypass it by sending http:///server/page?user[$gt]=a&pass[$gt]=a
• http://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb.html
JSON-based SQL Injection

db.users.find({username: username});

bcrypt.compare(candidatePassword, password, cb);

• This can lead to Regular Expression Denial of Service through {"username": {"$regex": "……"}}
• So always validate the input length, structure, and permitted characters
• Remembering that Node.js is highly sensitive to CPU-intensive tasks, and there's a single thread for user code, ReDoS is really bad
RE-DOS Demo

http://localhost:49090/?user=admin&pass[$regex]=^(a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|
a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a
|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|
a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a
|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|
a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a
|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|
a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a
|a|a|a|a|a|a|a|a|a)(d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|
d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d
|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|
d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d
|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|
d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d
|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|
d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d
|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|
d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d
|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|
d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d)$
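The two slides above share one root cause: a query-string parser turns user[$gt]=a into a nested object, and that object flows unchanged into .find, where $gt bypasses the comparison and $regex makes the database engine evaluate attacker-chosen patterns. The added example below (not code from the talk or from the Game of Hacks application) shows the mechanism with a simplified bracket-notation parser, constructed here and not the parser any real framework ships, and the validation layer the slide asks for: length, structure and permitted characters checked before anything reaches the query. The field names, the character policy and the length limits are assumptions.

```javascript
// Added example (not from the original slides). How user[$gt]=a becomes an
// operator object, and a validation layer that keeps such objects out of
// the MongoDB filter and out of the regex engine.

// Constructed, simplified bracket-notation parser: one level of nesting is
// enough to show the effect. Not any framework's actual parser.
function parseBracketQuery(qs) {
  const out = {};
  for (const pair of qs.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const rawKey = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const value = decodeURIComponent(eq === -1 ? '' : pair.slice(eq + 1));
    const m = /^([^\[]+)\[([^\]]*)\]$/.exec(rawKey);
    if (m) {
      out[m[1]] = out[m[1]] || {};
      out[m[1]][m[2]] = value; // user[$gt]=a  ->  { user: { $gt: 'a' } }
    } else {
      out[rawKey] = value;
    }
  }
  return out;
}

// Assumed policy: usernames are short and drawn from a fixed alphabet;
// passwords only need to be plain strings of bounded length, since they go
// to bcrypt.compare and never into a query.
const USER_RE = /^[A-Za-z0-9_.@-]{1,64}$/;
const MAX_PASS_LEN = 128;

// Rejects everything that is not a string of the right shape, so objects
// carrying $gt or $regex never reach .find, and no attacker-supplied
// pattern is ever handed to the regex engine.
function validateCredentials(input) {
  const user = input.user;
  const pass = input.pass;
  if (typeof user !== 'string' || !USER_RE.test(user)) {
    return { ok: false, reason: 'user must be a string of permitted characters and length' };
  }
  if (typeof pass !== 'string' || pass.length < 1 || pass.length > MAX_PASS_LEN) {
    return { ok: false, reason: 'pass must be a string of bounded length' };
  }
  return { ok: true };
}

// Builds the .find filter from validated input only. String() on an already
// validated value is a second guard against an object reaching the driver.
function buildUserQuery(input) {
  const check = validateCredentials(input);
  if (!check.ok) throw new Error(check.reason);
  return { username: String(input.user) };
}
```

The same type check (`typeof value === 'string'`) is what makes the difference for the bcrypt line on the slide: a string is compared, an object is rejected before the hash is ever computed.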
Key Takeaways

Static Application Security Testing
• Detect vulnerabilities while they are being created to save resources and increase ROI
• Make application security part of your development cycle
• Get developers to become part of the application security process

Gamification of Education
• Knowledge is key to deliver secure code
• Students (of all ages) absorb and retain information better
• Anytime you have a chance to make learning a fun experience you should do it

Using Code
• Always validate the input length, structure, and permitted characters
• Each coding language has its own pitfalls
• Research and learn a language before you use it publicly
• Remember - Node.js is highly sensitive to CPU-intensive tasks
Questions?
Thank You!

Come visit our booth

[email protected]

Amit Ashbel

@aashbel
