#MicroFocusCyberSummit Shifting Security Left Bringing security - - PowerPoint PPT Presentation



SLIDE 1
#MicroFocusCyberSummit

SLIDE 2: Shifting Security Left
Bringing security into continuous integration and delivery
Brenton Scott Witonski <><, Acxiom; Brandon Spruth, Target; Lucas von Stockhausen, Fortify

SLIDE 3: WHY ARE YOU HERE
  • You want to know WHAT shifting security left means
  • You want to know WHY you should shift left
  • You want to know HOW to shift left

SLIDE 4: WHAT is Shifting Security Left
  • Moving current activities left
  • Changing how you do security
  • Changing the location of the Compromise in order to reduce risk
  • Controlling development
  • Becoming a part of development
(diagram: Software Development LifeCycle)

SLIDE 5: WHY You Should Shift Left
Shifting left (correctly) can change ALL of this!!!

SLIDE 6: Security (figure: FROM / TO comparison)

SLIDE 7: WHY You Should Shift Left
RESULTS: Actual Risk Reduction

SLIDE 8: HOW Can Security Shift Left

TRANSPARENT INTEGRATION AND AUTOMATION

THE NAME OF DEVSECOPS IS SPEED
  • GO AT THE SPEED OF DEVELOPMENT (DAILY SCANS OF MODIFIED CODE)

TRANSPARENT ACTIVITY
  • SCANS AND RESULTS SHOULD BE COMPLETED WITHOUT DEVELOPMENT STOPPING

DIRECT ACCESS TO SOURCE CODE
  • A DEVELOPER SHOULD NOT HAVE TO MANUALLY PROVIDE CODE TO SCAN

AUTOMATED SCANNING BASED ON RELEVANT CHANGES
  • A DEVELOPER SHOULD NOT HAVE TO WAIT ON RESULTS

SLIDE 9: Two Shift-Left Concepts for DEVSECOPS

IDEA: FOCUS ON THE NOW
  • ALLOW CRITICALS INTO PRODUCTION
  • tCell's 2018 Q2 Report "Security Report for In-Production Web Applications": average of 34 DAYS to patch the most critical CVEs

IDEA: Patch Introduced Risk by Next Release
  • DIFFER LEGACY VS INTRODUCED RISK
  • Immediately address introduced risk with developers in the existing or next release cycle
  • Work with application and product owners to reduce technical debt over time

NOW: REAL WORLD EXAMPLE

SLIDE 10: STEP 1: Identify Relevant Code

BitBucket/GitHub/SVN(TeamForge)
  • You need direct access to your repos as a security team
  • Use APIs and scripting to identify all repositories and branches having code changes
  • IDENTIFY ALL REPOS THAT HAVE CHANGED
  • CAPTURE REPO INFORMATION: ProjectName->RepositoryName->BranchName
  • Validate repository changes and capture commit metadata

GITHUB Example in PERL to pull Repositories:

```perl
use JSON;

# Page through the GitHub Enterprise v3 API, 100 repositories per page, until a page comes back empty.
my @repo_values;
for (my $i = 1; ; $i++) {
    my $github_proj_url = "https://git.instance.net/api/v3/user/repos?per_page=100\\&page=$i";
    chomp($github_proj_url);
    my $curl_proj_command = "curl -s -u <password>";   # <password> stands for the user:password credential
    $curl_proj_command .= " -X GET";
    $curl_proj_command .= " $github_proj_url";
    my $json_proj = `$curl_proj_command`;
    chomp($json_proj);
    my $decoded_json_proj = decode_json($json_proj);
    last unless @{$decoded_json_proj};                 # empty page: no more repositories
    push @repo_values, @{$decoded_json_proj};
}
```

SLIDE 11: STEP 2: Create Projects and Scan

FORTIFY PROJECT APIs
  • Define a naming standard for your SSC Project based on Code Repository Data
  • Generate Fortify API Access Token
  • Verify SSC Project exists, if not, create it
  • Pull the source code and scan it
  • Upload results to SSC

API Snippet for generating a Fortify Access Token:

```perl
use JSON;

# $Base64_Encoded_Password holds base64("user:password"); MSTRLOG is the script's log filehandle, opened earlier.
my $token_response = `curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: Basic $Base64_Encoded_Password' -d '{ "type": "UnifiedLoginToken" }' 'http://ssc_server_name.net:PORT/ssc/api/v1/tokens'`;
chomp($token_response);
my $decoded_json_commit = decode_json($token_response);
my $t_response_code = $decoded_json_commit->{'responseCode'};
print MSTRLOG "\nThe Token create response code was: $t_response_code\n";
my $token_value = $decoded_json_commit->{'data'}->{'token'};   # sent as "Authorization: FortifyToken $token_value" on later calls
```

SLIDE 12: STEP 3: Relevant Issue Identification

FORTIFY ISSUE APIs
  • For each issue, identify the issues of importance: Severity, Age, Category, Confidence Level, etc.
  • Label issues as relevant to the current release or as legacy issues that existed prior to the current release
  • Initiate a reporting mechanism (email, dashboard notification, etc.) to send issues to stakeholders
  • CURRENT ISSUES – ACTIVE DEVELOPERS RESPONSIBLE
  • LEGACY ISSUES – PRODUCT OWNERS AND DEVELOPER LEADS

API Snippet for Fortify Issues:

```perl
use JSON;
use Data::Dumper;

# $fortify_token comes from the token call; $target_version_id is the SSC project version to query.
# limit=-1 asks for every issue rather than the first page only.
my $issue_response = `curl -X GET --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: FortifyToken $fortify_token' 'http://ssc_server_name.net:port/ssc/api/v1/projectVersions/$target_version_id/issues?limit=-1&orderby=priority&fields=priority'`;
chomp($issue_response);
my $decoded_json_issues = decode_json($issue_response);
print Dumper $decoded_json_issues;
```

SLIDE 13: What Tools Will You Need
  1) TECHNICAL RESOURCE FOR PYTHON or PERL SCRIPTING
  2) ACCESS TO YOUR SOURCE CODE REPOSITORY
  3) SERVER WITH ACCESS TO SOURCE REPO AND SSC SERVER

SLIDE 14: What Now – Next Steps

NEXT 15 DAYS
  • Requisition a Linux server for testing
  • Research Repo and Fortify APIs and play with the examples provided

NEXT 30 DAYS
  • Write scripts to process your repository data
  • Write scripts to create SSC Projects

NEXT 60 DAYS
  • Write the scripting process to scan relevant repositories
  • Define the official process for Automated Static Scanning

SLIDE 15: Thank You.
#MicroFocusCyberSummit
Brenton Scott Witonski <><
E-mail: Brenton.Witonski@acxiom.com
LinkedIn: https://www.linkedin.com/in/brentonwitonski
Personal: www.lovepala.com

SLIDE 16: Brandon Spruth

SLIDE 17: Security as Code / Everything as Code

Not Just Scanners & Reports: attack products and services like an attacker, providing remediation
Security As Code: delivering value with frictionless, innovative and responsive processes
Be a Better Partner: provide tests and insight beyond known anomalies
Products & Services: create awesome products & services with feedback loops

Business strategy is achieved with the collaboration of all departments and providers in service to the customer, who requires better, faster, cheaper, secure products and services.
SLIDE 18: Scaling your product security operations

SAST & DAST Testing: updating and creating pipeline jobs for automated testing
Code Reviews: hunting for security defects
Regulatory Compliance: overcoming hurdles for laws, regulations, guidelines, and specifications
Bug Management: issue management and justification with development teams for remediation
Threat Modeling: consulting with design and architecture

Sublinear programs scale better than linear ones where budget, resources and workload increase year-over-year.

(figure: "Security Treadmill", drawn as a clock face)
SLIDE 19: Contingency Planning

Change in leadership: live for a cause and focus on outcomes
Break Industry Practices: experiment beyond the typical taxonomy of tests
Decrease Resources: the company experiences a downturn in the market, with cutbacks
Increase Workload: greater development, more releases; overall velocity is up 25%

  1. Plan for the worst but hope for the best! Create use cases.
  2. Illustrate and discuss outside influences that would adversely affect your operations.
  3. Implement tests: challenge the use-cases with hypotheticals.
SLIDE 20: DevSecOps Scanning
  • Innovative: flexible enough to complement the tech stack
  • Responsive: simple onboarding with quick, iterative scan duration
  • Reliable: scan results need to be accurate and meaningful
  • Frictionless: streamlined process with a quality experience

SLIDE 21: Dynamic Application Security Test Orchestration
(cycle: Feedback, Remediate, Iterate, Scan)

SLIDE 22: WebBreaker Demos
Orchestration on DAST with a light-weight client
  • WebBreaker Installation & Configuration
  • WebBreaker Centralized Scan Management
  • WebBreaker with DevSecOps
  • WebBreaker Proxy & Swagger Integration
SLIDE 23

SLIDE 24: Security-As-A-Service Contextual Scan Orchestration
  • Test Coverage: achieve greater velocity of tests with wide adoption
  • Self-Service: low barrier to entry for non-security professionals
  • Portability: lightweight and practical enough to seamlessly integrate into a tech stack
  • Actionable Feedback: provide reproduction steps and concise remediation guidance

SLIDE 25

SLIDE 26: Bonus Content – APIs

SLIDE 27: GIT STASH API – Repository

USE FOR GETTING A LIST OF YOUR REPOS IN A STASH GIT INSTANCE

```perl
use JSON;
use Data::Dumper;

# $proj_name is the Stash project key; <password> stands for the user:password credential.
my $stash_repo_url = "https://stash.company.com/rest/api/1.0/projects/$proj_name/repos?limit=300";
chomp($stash_repo_url);
my $curl_repo_command = "curl -s -u <password>";
$curl_repo_command .= " -X GET";
$curl_repo_command .= " $stash_repo_url";
my $json_repo = `$curl_repo_command`;
die "Could not get $stash_repo_url!" unless defined $json_repo;
chomp($json_repo);
my $decoded_json_repo = decode_json($json_repo);
print "\n\n#################\n\tSTART REPO DUMP\n#################\n";
print Dumper $decoded_json_repo;
```

SLIDE 28: GIT STASH API – Commits

USE TO GET COMMIT DATA FOR EACH REPO IN A STASH GIT INSTANCE

```perl
use JSON;
use Data::Dumper;

# $proj_name and $repo_name come from the repository listing; limit=1 returns only the newest commit.
my $stash_commit_url = "https://stash.company.com/rest/api/1.0/projects/$proj_name/repos/$repo_name/commits?limit=1";
chomp($stash_commit_url);
my $curl_commit_cmd = "curl -s -u <password>";   # <password> stands for the user:password credential
$curl_commit_cmd .= " -X GET";
$curl_commit_cmd .= " $stash_commit_url";
my $json_commit = `$curl_commit_cmd`;
chomp($json_commit);
my $decoded_json_commit = decode_json($json_commit);
print "\n\n#################\n\tSTART COMMIT DUMP\n#################\n";
print Dumper $decoded_json_commit;
```

SLIDE 29: GIT GITHUB API – Repository

LOOP THROUGH TO GET A LIST OF REPOS FROM YOUR GITHUB INSTANCE

```perl
use JSON;

# Each page holds up to 100 repositories; stop at the first empty page.
my @repo_values;
for (my $i = 1; ; $i++) {
    my $github_proj_url = "https://git.instance.net/api/v3/user/repos?per_page=100\\&page=$i";
    chomp($github_proj_url);
    my $curl_proj_command = "curl -s -u <password>";   # <password> stands for the user:password credential
    $curl_proj_command .= " -X GET";
    $curl_proj_command .= " $github_proj_url";
    my $json_proj = `$curl_proj_command`;
    chomp($json_proj);
    my $decoded_json_proj = decode_json($json_proj);
    last unless @{$decoded_json_proj};
    push @repo_values, @{$decoded_json_proj};
}
```

SLIDE 30: FORTIFY API – Generate Token

CREATE A TOKEN USING A BASE64-ENCODED PASSWORD. BASE64 ENCODING EXAMPLE: https://www.base64encode.org/
The value is the base64 encoding of user:password; a base64 utility on the scan server produces the same string without sending the credential to a third-party site.

```perl
use JSON;

# $Base64_Encoded_Password holds base64("user:password"); MSTRLOG is the script's log filehandle, opened earlier.
my $token_response = `curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: Basic $Base64_Encoded_Password' -d '{ "type": "UnifiedLoginToken" }' 'http://ssc_server_name.net:port/ssc/api/v1/tokens'`;
chomp($token_response);
my $decoded_json_commit = decode_json($token_response);
my $t_response_code = $decoded_json_commit->{'responseCode'};
print MSTRLOG "\nThe Token create response code was: $t_response_code\n";
my $token_value = $decoded_json_commit->{'data'}->{'token'};
```

SLIDE 31: FORTIFY API – Get Project ID

```perl
use JSON;
use Data::Dumper;

# Usage: my ($name, $id) = get_proj_id($project_name);   returns an empty list when no project matches.
# $fortify_token is the token obtained on slide 30.
sub get_proj_id {
    my $all_ssc_projects_response = `curl -X GET --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: FortifyToken $fortify_token' 'http://ssc_server_name.net:port/ssc/api/v1/projects?limit=-1&fulltextsearch=false'`;
    chomp($all_ssc_projects_response);
    my $decoded_json_projects = decode_json($all_ssc_projects_response);
    print Dumper $decoded_json_projects;
    my $total_ssc_projects = $decoded_json_projects->{'count'};
    print "The total number of ssc_projects are: $total_ssc_projects\n\n";
    my @proj_values = @{ $decoded_json_projects->{'data'} };
    foreach my $v (@proj_values) {
        my $project_name = $v->{'name'};
        my $project_id = $v->{'id'};
        chomp($project_name);
        chomp($project_id);
        if ($_[0] eq $project_name) {
            print "Project name is: $project_name and Project id is: $project_id\n";
            return ($project_name, $project_id);
        }
    }
    return;   # not found: the caller should create the project
}
```

SLIDE 32: FORTIFY API – Get Version ID

```perl
use JSON;

# Usage: my ($name, $id) = get_version_id($project_id, $version_name);   returns an empty list when no version matches.
sub get_version_id {
    my $ssc_versions_response = `curl -X GET --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: FortifyToken $fortify_token' 'http://ssc_server_name.net:port/ssc/api/v1/projects/$_[0]/versions'`;
    chomp($ssc_versions_response);
    my $decoded_json_projects = decode_json($ssc_versions_response);
    my @version_values = @{ $decoded_json_projects->{'data'} };
    foreach my $vv (@version_values) {
        my $version_name = $vv->{'name'};
        my $version_id = $vv->{'id'};
        chomp($version_name);
        chomp($version_id);
        if ($_[1] eq $version_name) {
            print "Version name is: $version_name and Version id is: $version_id\n";
            return ($version_name, $version_id);
        }
    }
    return;   # not found: the caller should create the version
}
```

SLIDE 33: FORTIFY API – Create SSC Project

```perl
use JSON;

# Creates the SSC project together with its first version in one call.
# Arguments: project name, version name (the repository name), description, token.
# The values are interpolated into a shell single-quoted JSON body, so they must not contain single quotes.
sub create_ssc_project {
    print "\t\tPassed into the sub create ssc project values are proj_name: $_[0] and repo_name: $_[1] and description: $_[2]\n";
    my $create_response = `curl -X POST --header 'Content-Type: application/json' --header 'Authorization: FortifyToken $_[3]' -d '{"description": "$_[2]", "name": "$_[1]", "issueTemplateId": "Prioritized-HighRisk-Project-Template", "masterAttrGuid": "87f2364f-dcd4-49e6-861d-f8d3f351686b", "objectVersion": 3, "project": {"description": "$_[2]", "issueTemplateId": "Prioritized-HighRisk-Project-Template", "name": "$_[0]"} }' 'http://ssc_server_name.net:port/ssc/api/v1/projectVersions'`;
    chomp($create_response);
    my $decoded_json_commit = decode_json($create_response);
    #print Dumper $decoded_json_commit;
    my $id = $decoded_json_commit->{'data'}->{'id'};
    return $id;   # id of the newly created project version
}
```

SLIDE 34: FORTIFY API – Create SSC Project Version

```perl
use JSON;
use Data::Dumper;

# Adds a version to an existing project. Arguments: project id, version name, description, token.
sub create_ssc_project_version {
    print "\t\tPassed into the sub create ssc project version values are proj_id: $_[0] and version_name: $_[1] and description: $_[2]\n";
    my $create_response = `curl -X POST --header 'Content-Type: application/json' --header 'Authorization: FortifyToken $_[3]' -d '{"description": "$_[2]", "name": "$_[1]", "issueTemplateId": "Prioritized-HighRisk-Project-Template", "masterAttrGuid": "87f2364f-dcd4-49e6-861d-f8d3f351686b"}' 'http://ssc_server_name.net:port/ssc/api/v1/projects/$_[0]/versions'`;
    chomp($create_response);
    my $decoded_json_commit = decode_json($create_response);
    print Dumper $decoded_json_commit;
    my $id = $decoded_json_commit->{'data'}->{'id'};
    return $id;   # id of the new project version
}
```

SLIDE 35: FORTIFY API – Update Project Attributes

```perl
use JSON;
use Data::Dumper;

# Arguments: project version id, token. The attributeDefinitionId values and guids are the ones from this deck's SSC instance.
sub update_ssc_project_attributes {
    print "\t\tPassed into the sub update ssc project attributes values are proj_id: $_[0]\n";
    my $update_att_response = `curl -X PUT --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: FortifyToken $_[1]' -d '[{"attributeDefinitionId":5,"values":[{"guid":"Active"}]}, {"attributeDefinitionId":6,"values":[{"guid":"Internal"}]}, {"attributeDefinitionId":7,"values":[{"guid":"internalnetwork"}]}]' 'http://ssc_server_name.net:port/ssc/api/v1/projectVersions/$_[0]/attributes'`;
    chomp($update_att_response);
    my $decoded_json_commit = decode_json($update_att_response);
    print Dumper $decoded_json_commit;
    my $u_att_response_code = $decoded_json_commit->{'responseCode'};
    print "\nThe update attributes response code was: $u_att_response_code\n";
}
```

SLIDE 36: FORTIFY API – Update Project Processing Rules

```perl
use JSON;
use Data::Dumper;

# Arguments: project version id, token. This deck disables every rule ("enabled": false);
# review which approval gates your process should keep before copying the list.
sub update_ssc_project_proc_rules {
    print "\t\tPassed into the sub update ssc project processing rules values are proj_id: $_[0]\n";
    my $update_pr_response = `curl -X PUT --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: FortifyToken $_[1]' -d '[
{"displayName": "Require approval if the Build Project is different between scans","identifier": "com.fortify.manager.BLL.processingrules.BuildProjectProcessingRule","displayable": true,"enabled": false},
{"displayName": "Check external metadata file versions in scan against versions on server.","identifier": "com.fortify.manager.BLL.processingrules.ExternalListVersionProcessingRule","displayable": true,"enabled": false},
{"displayName": "Require approval if file count differs by more than 10%","identifier": "com.fortify.manager.BLL.processingrules.FileCountProcessingRule","displayable": true,"enabled": false},
{"displayName": "Require approval if result has Fortify Java Annotations","identifier": "com.fortify.manager.BLL.processingrules.FortifyAnnotationsProcessingRule","displayable": true,"enabled": false},
{"displayName": "Require approval if line count differs by more than 10%","identifier": "com.fortify.manager.BLL.processingrules.LOCCountProcessingRule","displayable": true,"enabled": false},
{"displayName": "Automatically perform Instance ID migration on upload","identifier": "com.fortify.manager.BLL.processingrules.MigrationProcessingRule","displayable": true,"enabled": false},
{"displayName": "Require approval if the engine version of a scan is newer than the engine version of the previous scan","identifier": "com.fortify.manager.BLL.processingrules.NewerEngineVersionProcessingRule","displayable": true,"enabled": false},
{"displayName": "Ignore SCA Scans performed in QuickScan mode","identifier": "com.fortify.manager.BLL.processingrules.QuickScanProcessingRule","displayable": true,"enabled": false},
{"displayName": "Require approval if the rulepacks used in the scan do not match the rulepacks used in the previous scan","identifier": "com.fortify.manager.BLL.processingrules.RulePackVersionProcessingRule","displayable": true,"enabled": false},
{"displayName": "Require approval if SCA or WebInspect Agent scan does not have valid certification","identifier": "com.fortify.manager.BLL.processingrules.ValidCertificationProcessingRule","displayable": true,"enabled": false},
{"displayName": "Require approval if result has analysis warnings","identifier": "com.fortify.manager.BLL.processingrules.WarningProcessingRule","displayable": true,"enabled": false},
{"displayName": "Warn if audit information includes unknown custom tag","identifier": "com.fortify.manager.BLL.processingrules.UnknownOrDisallowedAuditedAttrChecker","displayable": true,"enabled": false},
{"displayName": "Require the issue audit permission to upload audited analysis files","identifier": "com.fortify.manager.BLL.processingrules.AuditedAnalysisRule","displayable": true,"enabled": false},
{"displayName": "Disallow upload of analysis results if there is one pending approval","identifier": "com.fortify.manager.BLL.processingrules.PendingApprovalChecker","displayable": true,"enabled": false},
{"displayName": "Disallow approval for processing if an earlier artifact requires approval","identifier": "com.fortify.manager.BLL.processingrules.VetoCascadingApprovalProcessingRule","displayable": true,"enabled": false}
]' 'http://ssc_server_name.net:port/ssc/api/v1/projectVersions/$_[0]/resultProcessingRules'`;
    chomp($update_pr_response);
    my $decoded_json_commit = decode_json($update_pr_response);
    print Dumper $decoded_json_commit;
    my $u_pr_response_code = $decoded_json_commit->{'responseCode'};
    print "\nThe update process rules response code was: $u_pr_response_code\n";
}
```

SLIDE 37: FORTIFY API – Commit SSC Project

```perl
use JSON;
use Data::Dumper;

# Arguments: project version id, token. Committing makes the configured version usable for scan uploads.
sub commit_ssc_project {
    print "\t\tPassed into the sub commit ssc project values are proj_id: $_[0]\n";
    my $commit_response = `curl -X PUT --header 'Accept: application/json' --header 'Content-Type: application/json' --header 'Authorization: FortifyToken $_[1]' -d '{ "committed":"true"}' 'http://ssc_server_name.net:port/ssc/api/v1/projectVersions/$_[0]'`;
    chomp($commit_response);
    my $decoded_json_commit = decode_json($commit_response);
    print Dumper $decoded_json_commit;
    my $c_response_code = $decoded_json_commit->{'responseCode'};
    print "\nThe commit project response code was: $c_response_code\n";
}
```

SLIDE 38: FORTIFY API – Get Project Version Issues

```perl
use JSON;
use Data::Dumper;

# $target_version_id is the project version id from slide 32 or 34; limit=-1 returns every issue.
my $issue_response = `curl -X GET --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: FortifyToken $fortify_token' 'http://ssc_server_name.net:port/ssc/api/v1/projectVersions/$target_version_id/issues?limit=-1&orderby=priority&fields=priority'`;
chomp($issue_response);
my $decoded_json_issues = decode_json($issue_response);
print Dumper $decoded_json_issues;
```

SLIDE 39: FORTIFY API – Get Issue Details

```perl
use JSON;
use Data::Dumper;

# $issue_href is the per-issue link captured from the issue list on slide 38.
my $issue_detail_response = `curl -X GET --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: FortifyToken $fortify_token' '$issue_href'`;
chomp($issue_detail_response);
my $decoded_json_issues_det = decode_json($issue_detail_response);
print "\n\n#############################\n\tSTART ISSUE DETAILS DUMP\n#############################\n";
print Dumper $decoded_json_issues_det;
```

SLIDE 40: Bonus Content – PROCESS

SLIDE 41: STEP 1: Identify Relevant Code
  1. LOOP THROUGH API COMMAND TO CAPTURE ALL REPOSITORIES
  2. FOR EACH REPOSITORY CAPTURE COMMIT DATA AND EVALUATE FOR RELEVANCE
  3. CAPTURE USER DATA OF COMMITS FOR LATER REPORTING
  4. CREATE LIST OF RELEVANT REPOSITORIES FOR PROCESSING
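The Step 1 procedure above, and the GitHub repository listing on slide 10, as an added example in Python (the deck names Python as an alternative to Perl); this is not the presenters' code. It pages through the repository API, pulls the newest commit on each default branch, keeps only repositories changed inside the scan window, and records ProjectName->RepositoryName->BranchName plus the committer for later reporting. The URLs follow the GitHub v3 API and the slide's hostname; the responses are constructed so it runs offline, and the GIT_USER / GIT_TOKEN variable names in the live fetcher are this example's assumption. Credentials are read from the environment and requests go out in-process, so no password sits on a curl command line where ps or shell history can expose it.

```python
"""Added example: find repositories whose default branch changed within the scan window."""
import base64
import json
import os
import urllib.request
from datetime import datetime, timedelta, timezone

BASE_URL = "https://git.instance.net/api/v3"   # host from the slide; paths follow the GitHub v3 API

# Constructed sample responses keyed by URL so the example runs offline; the shapes mirror
# GET /user/repos and GET /repos/{owner}/{repo}/commits.
SAMPLE_RESPONSES = {
    f"{BASE_URL}/user/repos?per_page=2&page=1": [
        {"full_name": "acme/web-portal", "default_branch": "main"},
        {"full_name": "acme/billing-api", "default_branch": "master"},
    ],
    f"{BASE_URL}/user/repos?per_page=2&page=2": [
        {"full_name": "acme/legacy-reports", "default_branch": "trunk"},
    ],
    f"{BASE_URL}/user/repos?per_page=2&page=3": [],
    f"{BASE_URL}/repos/acme/web-portal/commits?sha=main&per_page=1": [
        {"sha": "a1b2c3d", "commit": {"author": {"name": "dev.one", "date": "2018-10-01T09:00:00Z"}}},
    ],
    f"{BASE_URL}/repos/acme/billing-api/commits?sha=master&per_page=1": [
        {"sha": "e4f5a6b", "commit": {"author": {"name": "dev.two", "date": "2018-09-30T14:00:00Z"}}},
    ],
    f"{BASE_URL}/repos/acme/legacy-reports/commits?sha=trunk&per_page=1": [
        {"sha": "c7d8e9f", "commit": {"author": {"name": "dev.three", "date": "2018-06-15T08:30:00Z"}}},
    ],
}
NOW = datetime(2018, 10, 1, 12, 0, tzinfo=timezone.utc)   # constructed "current time" for the offline run


def basic_auth_header(user, secret):
    """Build the Basic header in-process rather than pasting a credential into a web encoder."""
    return "Basic " + base64.b64encode(f"{user}:{secret}".encode()).decode()


def http_fetch(url):
    """Live fetcher: credentials from GIT_USER / GIT_TOKEN (hypothetical variable names)."""
    req = urllib.request.Request(url, headers={
        "Accept": "application/json",
        "Authorization": basic_auth_header(os.environ["GIT_USER"], os.environ["GIT_TOKEN"]),
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def list_all_repos(fetch, per_page=100):
    """Walk ?page=N until an empty page comes back (the stop condition the Perl loop needs)."""
    repos, page = [], 1
    while True:
        batch = fetch(f"{BASE_URL}/user/repos?per_page={per_page}&page={page}")
        if not batch:
            return repos
        repos.extend(batch)
        page += 1


def latest_commit(fetch, full_name, branch):
    """Return (sha, author, UTC datetime) of the newest commit on the branch, or None if empty."""
    commits = fetch(f"{BASE_URL}/repos/{full_name}/commits?sha={branch}&per_page=1")
    if not commits:
        return None
    author = commits[0]["commit"]["author"]
    when = datetime.strptime(author["date"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return commits[0]["sha"], author["name"], when


def changed_repos(fetch, now, window_hours=24, per_page=100):
    """Step 1 output: project, repository and branch for every repo changed inside the window."""
    cutoff = now - timedelta(hours=window_hours)
    relevant = []
    for repo in list_all_repos(fetch, per_page):
        project, name = repo["full_name"].split("/", 1)
        branch = repo["default_branch"]
        found = latest_commit(fetch, repo["full_name"], branch)
        if found is None:
            continue                                   # empty repository: nothing to scan
        sha, author, when = found
        if when >= cutoff:
            relevant.append({"project": project, "repository": name, "branch": branch,
                             "sha": sha, "author": author, "committed": when.isoformat()})
    return relevant


def run_demo():
    """Offline run over the constructed responses; pass http_fetch instead for a live instance."""
    return changed_repos(SAMPLE_RESPONSES.get, NOW, window_hours=24, per_page=2)


if __name__ == "__main__":
    for entry in run_demo():
        print(f"{entry['project']}->{entry['repository']}->{entry['branch']} by {entry['author']}")
```

A daily scan (slide 8) runs this with a 24-hour window; a commit older than the window drops the repository from that day's list, which is what keeps the scan queue to modified code only.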

SLIDE 42: STEP 2: CREATE PROJECTS AND SCAN
  1. GENERATE YOUR FORTIFY ACCESS TOKEN
  2. USING LIST OF REPOS FOUND, VALIDATE IF AN SSC PROJECT EXISTS FOR THE CODE REPOSITORY
  3. IF NOT, THEN CREATE THE SSC PROJECT
     1. Create the Project
     2. Create the Project Version
     3. Update Project Attributes
     4. Update Project Processing Rules
     5. Commit SSC Project
  4. SCAN CODE REPOSITORY AND UPLOAD RESULTS TO SSC PROJECT
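The Step 2 procedure above, and the curl subroutines on slides 11 and 31 to 37, as one added Python example (not the presenters' code): obtain a token, look the project up, create it only if it is missing, do the same for the version, then set attributes and processing rules and commit, in the order the deck uses. The HTTP layer is a callable request(method, path, headers, body) returning the decoded JSON, so the flow runs offline against FakeSsc, a constructed in-memory stand-in whose behaviour is this example's assumption, and can be pointed at a real server by passing an HTTP-backed callable. Paths, the issue template name, the attribute ids and the rule identifiers come from the slides; the masterAttrGuid is left as a placeholder because it is specific to each SSC instance. The Basic credential is base64-encoded locally, not through a website.

```python
"""Added example: idempotent Fortify SSC project/version provisioning."""
import base64
import re

ISSUE_TEMPLATE = "Prioritized-HighRisk-Project-Template"    # template name used on the slides
MASTER_ATTR_GUID = "<masterAttrGuid-of-your-SSC-instance>"  # placeholder: copy from your own SSC
ATTRIBUTES = [{"attributeDefinitionId": 5, "values": [{"guid": "Active"}]},
              {"attributeDefinitionId": 6, "values": [{"guid": "Internal"}]}]
# Two of the rules from slide 36; the deck disables all of them, so review which approval gates to keep.
PROCESSING_RULES = [
    {"identifier": "com.fortify.manager.BLL.processingrules.QuickScanProcessingRule",
     "displayName": "Ignore SCA Scans performed in QuickScan mode", "displayable": True, "enabled": False},
    {"identifier": "com.fortify.manager.BLL.processingrules.PendingApprovalChecker",
     "displayName": "Disallow upload of analysis results if there is one pending approval",
     "displayable": True, "enabled": False},
]
PROJECTS_PATH = "/ssc/api/v1/projects?limit=-1&fulltextsearch=false"


def basic_header(user, password):
    """Base64 the credential in-process instead of pasting it into a web encoder."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class FakeSsc:
    """In-memory stand-in for the SSC endpoints this flow touches (constructed for the example)."""

    def __init__(self, user, password):
        self.basic, self.tokens, self.next_id = basic_header(user, password), set(), 0
        self.projects, self.versions = {}, {}          # name -> id, project id -> {version name: id}
        self.attrs, self.rules, self.committed = {}, {}, set()

    def _id(self):
        self.next_id += 1
        return self.next_id

    def __call__(self, method, path, headers, body=None):
        scheme, _, credential = headers.get("Authorization", "").partition(" ")
        if (method, path) == ("POST", "/ssc/api/v1/tokens"):
            if f"{scheme} {credential}" != self.basic:
                raise PermissionError("401 bad credentials")
            token = f"tok{self._id()}"
            self.tokens.add(token)
            return {"responseCode": 201, "data": {"token": token}}
        if scheme != "FortifyToken" or credential not in self.tokens:
            raise PermissionError("401 bad token")           # every other call needs the token
        if method == "GET" and path == PROJECTS_PATH:
            return {"data": [{"id": i, "name": n} for n, i in self.projects.items()]}
        m = re.fullmatch(r"/ssc/api/v1/projects/(\d+)/versions", path)
        if m:
            versions = self.versions.setdefault(int(m[1]), {})
            if method == "GET":
                return {"data": [{"id": i, "name": n} for n, i in versions.items()]}
            return {"data": {"id": versions.setdefault(body["name"], self._id())}}
        if (method, path) == ("POST", "/ssc/api/v1/projectVersions"):
            pid = self.projects.setdefault(body["project"]["name"], self._id())
            return {"data": {"id": self.versions.setdefault(pid, {}).setdefault(body["name"], self._id())}}
        m = re.fullmatch(r"/ssc/api/v1/projectVersions/(\d+)(/attributes|/resultProcessingRules)?", path)
        if m and method == "PUT":
            vid, part = int(m[1]), m[2]
            if part == "/attributes":
                self.attrs[vid] = body
            elif part == "/resultProcessingRules":
                self.rules[vid] = body
            elif body.get("committed") == "true":
                self.committed.add(vid)
            return {"responseCode": 200}
        raise LookupError(f"404 {method} {path}")


def get_token(request, user, password):
    """POST /tokens with Basic auth once; later calls carry the token instead of the password."""
    resp = request("POST", "/ssc/api/v1/tokens", {"Authorization": basic_header(user, password)},
                   {"type": "UnifiedLoginToken"})
    return resp["data"]["token"]


def lookup_id(request, hdr, path, name):
    """Id of the entry called `name`, or None (the deck's get_proj_id returns nothing in that case)."""
    for entry in request("GET", path, hdr)["data"]:
        if entry["name"] == name:
            return entry["id"]
    return None


def ensure_project_version(request, token, project, version, description):
    """Create only what is missing, then configure and commit; returns (project_id, version_id, created)."""
    hdr = {"Authorization": f"FortifyToken {token}", "Content-Type": "application/json"}
    body = {"name": version, "description": description,
            "issueTemplateId": ISSUE_TEMPLATE, "masterAttrGuid": MASTER_ATTR_GUID}
    pid = lookup_id(request, hdr, PROJECTS_PATH, project)
    if pid is None:                                   # project absent: one call creates project + version
        body["project"] = {"name": project, "description": description, "issueTemplateId": ISSUE_TEMPLATE}
        vid = request("POST", "/ssc/api/v1/projectVersions", hdr, body)["data"]["id"]
        pid = lookup_id(request, hdr, PROJECTS_PATH, project)
    else:                                             # project present: add the version only if missing
        vid = lookup_id(request, hdr, f"/ssc/api/v1/projects/{pid}/versions", version)
        if vid is not None:
            return pid, vid, False
        vid = request("POST", f"/ssc/api/v1/projects/{pid}/versions", hdr, body)["data"]["id"]
    # Attributes and rules are set before the commit, the order the deck uses.
    request("PUT", f"/ssc/api/v1/projectVersions/{vid}/attributes", hdr, ATTRIBUTES)
    request("PUT", f"/ssc/api/v1/projectVersions/{vid}/resultProcessingRules", hdr, PROCESSING_RULES)
    request("PUT", f"/ssc/api/v1/projectVersions/{vid}", hdr, {"committed": "true"})
    return pid, vid, True


def run_demo():
    """Offline run: the second call for the same repository must create nothing."""
    ssc = FakeSsc("scanbot", "example-password")      # constructed credentials
    token = get_token(ssc, "scanbot", "example-password")
    first = ensure_project_version(ssc, token, "acme", "web-portal", "acme->web-portal->main")
    again = ensure_project_version(ssc, token, "acme", "web-portal", "acme->web-portal->main")
    other = ensure_project_version(ssc, token, "acme", "billing-api", "acme->billing-api->master")
    return first, again, other, ssc
```

Because the script runs daily against every changed repository, the look-up-before-create step is what stops it from filling SSC with duplicate projects, and the token is the only credential that leaves get_token.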

SLIDE 43: STEP 3: Relevant Issue Identification
  1. GENERATE YOUR FORTIFY ACCESS TOKEN
  2. USE PROJECT ID AND VERSION ID TO CAPTURE LIST OF ISSUES
  3. FOR EACH ISSUE, CAPTURE METADATA
  4. EVALUATE METADATA FOR RELEVANCE (LEGACY OR INTRODUCED RISK)
  5. CONSOLIDATE ISSUES AND REPORT TO APPROPRIATE STAKEHOLDERS
  6. GATHER METRICS AND EVALUATE
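The Step 3 procedure above, and the stakeholder split on slide 12 (current issues to active developers, legacy issues to product owners and developer leads), as an added Python example that is not the presenters' code. It takes the list an SSC issue query returns, labels each issue introduced or legacy by comparing its discovery date with the start of the current release cycle, drops below-threshold priorities into a deferred bucket, and produces the report lines and the metrics counts of steps 5 and 6. The issue fields used (friority, foundDate, issueName, primaryLocation, lineNumber) are this example's assumption about the SSC issue object, and every issue, date and threshold below is constructed.

```python
"""Added example: label SSC issues as introduced or legacy risk and route them to stakeholders."""
from collections import Counter
from datetime import datetime, timezone

PRIORITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}
RELEASE_START = datetime(2018, 9, 25, tzinfo=timezone.utc)   # constructed: start of the current release cycle
NOW = datetime(2018, 10, 1, tzinfo=timezone.utc)             # constructed: report time

SAMPLE_ISSUES = [  # constructed; the first three were first seen during the current release
    {"id": 1, "friority": "Critical", "issueName": "SQL Injection",
     "foundDate": "2018-09-28T10:00:00.000+0000", "primaryLocation": "OrderDao.java", "lineNumber": 88},
    {"id": 2, "friority": "High", "issueName": "Cross-Site Scripting: Reflected",
     "foundDate": "2018-09-30T16:30:00.000+0000", "primaryLocation": "search.jsp", "lineNumber": 12},
    {"id": 3, "friority": "Low", "issueName": "Poor Logging Practice",
     "foundDate": "2018-09-29T09:00:00.000+0000", "primaryLocation": "Audit.java", "lineNumber": 40},
    {"id": 4, "friority": "Critical", "issueName": "Path Manipulation",
     "foundDate": "2017-03-10T08:00:00.000+0000", "primaryLocation": "Export.java", "lineNumber": 210},
    {"id": 5, "friority": "Medium", "issueName": "Weak Cryptographic Hash",
     "foundDate": "2018-01-15T12:00:00.000+0000", "primaryLocation": "Token.java", "lineNumber": 57},
]


def parse_ssc_date(text):
    """Timestamps in the sample carry milliseconds and a numeric UTC offset."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%f%z")


def classify(issue, release_start=RELEASE_START):
    """Introduced risk was first found in this release cycle; anything older is legacy debt."""
    return "introduced" if parse_ssc_date(issue["foundDate"]) >= release_start else "legacy"


def age_days(issue, now=NOW):
    """Age of the finding in whole days, one of the metadata values the slide says to evaluate."""
    return (now - parse_ssc_date(issue["foundDate"])).days


def triage(issues, release_start=RELEASE_START, min_priority="High"):
    """Split issues by audience (current -> developers, legacy -> product owners) and count them."""
    buckets = {"developers": [], "product_owners": [], "deferred": []}
    metrics = Counter()
    for issue in issues:
        label = classify(issue, release_start)
        metrics[(label, issue["friority"])] += 1            # step 6: gather metrics and evaluate
        if PRIORITY_RANK[issue["friority"]] < PRIORITY_RANK[min_priority]:
            buckets["deferred"].append(issue)               # below the bar: tracked, not escalated now
        elif label == "introduced":
            buckets["developers"].append(issue)             # the committing team fixes it this release
        else:
            buckets["product_owners"].append(issue)         # technical debt, scheduled with owners and leads
    for bucket in buckets.values():                          # worst priority first, oldest first within it
        bucket.sort(key=lambda i: (-PRIORITY_RANK[i["friority"]], i["foundDate"]))
    return {"buckets": buckets, "metrics": metrics}


def format_report(result, now=NOW):
    """Plain-text lines for the email or dashboard notification the slide asks for."""
    lines = []
    for audience, issues in result["buckets"].items():
        lines.append(f"== {audience}: {len(issues)} issue(s)")
        for i in issues:
            lines.append(f"  [{i['friority']}] {i['issueName']} at {i['primaryLocation']}:{i['lineNumber']} "
                         f"(open {age_days(i, now)} days, {classify(i)})")
    return lines


def run_demo():
    return triage(SAMPLE_ISSUES)


if __name__ == "__main__":
    print("\n".join(format_report(run_demo())))
```

The release-start date is the one input that turns a flat issue list into the deck's "introduced versus legacy" split; take it from the release calendar rather than from the scan date, otherwise every finding older than the last scan is misfiled as legacy.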

SLIDE 44
#MicroFocusCyberSummit