
Preventing Security Vulnerabilities in a Web Application


Companies with web applications invest significant resources to defend them from malicious users and hackers.

To achieve this, companies should implement a Software Development Life Cycle (SDLC) that includes review iterations before the software is released to the public, as well as ongoing security checks after it is in production.

I will present a complete process of secure production and control of an application as follows:

• The process is based on the Rational Unified Process (RUP) analysis and production process, but it is applicable to any other process.
• I will help you with calculating the risk.
• I will then describe methods for writing code securely and for educating your team.
• I will show how to use AI in development.
• I will show how to monitor your code after it is in production.

Alexius DIAKOGIANNIS

October 15, 2023


Transcript

  1. PREVENTING SECURITY
    VULNERABILITIES IN A
    WEB APPLICATION
    ALEXIUS DIONYSIUS T. DIAKOGIANNIS
    Senior JAVA Solutions Architect / European Investment Bank
    Tech Advisory Board Member / Packt Publishing
    Blogging on: JEE.gr
    Tweeting on: @Diakogiannis
    LinkedIn: @Diakogiannis 13/10/2023

  2. WHO AM I?
    ✓ Senior JAVA Architect / Team Leader with over 20 years of experience
    ✓ I have designed very complex secure applications, e.g. e-Banking systems
    ✓ Packt Tech Advisory Board member
    ✓ Soon to be a writer
    ✓ Volunteer by principle
    ✓ Mentor by principle
    Blogging on: JEE.gr
    Tweeting on: @Diakogiannis
    LinkedIn: @Diakogiannis
    ALEXIUS DIONYSIUS T. DIAKOGIANNIS
    Senior JAVA Solutions Architect & Squad Leader / EIB
    Tech Advisory Board Member / Packt Publishing
    15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS
    DIAKOGIANNIS
    2

  3. Introduction

  4. Introduction
    Companies with web applications invest significant resources to defend them from malicious users and hackers.
    To achieve this, companies should implement a Software Development Life Cycle (SDLC) that includes review iterations before the software is released to the public, as well as ongoing security checks after it is in production.
    I will present a complete process of secure production and control of an application as follows:
    • The process is based on the Rational Unified Process (RUP) analysis and production process, but it is applicable to any other process.
    • I will help you with calculating the risk
    • I will then describe methods for writing code securely and for educating your team
    • I will show how to use AI in development
    • I will show how to monitor your code after it is in production

  5. Back to Basics!
    What is a Web
    Application?
    🙄

  6. The Structure of an n-tiered Web Application
    Typically there is:
    • A client (usually a browser)
    • A web server
    • Application servers
    • Data storage (DB, MDM etc.)
    • Communication
    Slide callout: "We are focusing on the security and delivery of this part"

  7. Challenges in Web Application Security
    • Most web standards are informal Requests For Comments (RFCs)*
    • These standards are usually not well defined
    • The internet is vast
    • This situation makes modelling the web almost impossible.
    • But can we somehow model the process of how we can secure a web app?
    *A Request for Comments (RFC) is a publication in a series from the principal technical development and standards-setting bodies for the Internet

  8. RUP - RATIONAL UNIFIED PROCESS
    METHODOLOGY FOR THE ANALYSIS AND SECURITY OF THE APPLICATION

  9. Intro on the Rational Unified Process
    • The Rational Unified Process is a Software Engineering process that provides a disciplined approach to assigning tasks and responsibilities within an organization's development. Its goal is to ensure the production of high quality software that meets the needs of its end users within a predictable schedule and budget.
    • RUP divides the software development lifecycle into four phases:
      • Inception: The team defines the project's goals and scope.
      • Elaboration: The team develops a detailed plan for the project, including the architecture and requirements.
      • Construction: The team develops and tests the software.
      • Transition: The software is deployed to production and supported.
    • RUP also defines six core development disciplines:
      • Business modelling: The team understands the business needs and requirements.
      • Requirements: The team defines the specific requirements of the software system.
      • Analysis and design: The team designs the architecture and components of the software system.
      • Implementation: The team develops the software code.
      • Testing: The team tests the software to ensure that it meets the requirements.
      • Deployment: The team deploys the software to production and provides support.

  10. Approach
    Slide diagram: Business modelling & Requirements (What) → Design / Implement → QA/Test → Continuous Review / Feedback → Change

  11. Where Do We Start?
    • Security in web applications starts with:
      • Penetration Testing?
      • Code Reviews?
      • Code Scanners?
      • Firewalls?
    • It starts with SECURE REQUIREMENTS!

  12. How to Collect Secure Requirements
    • Involve security experts early in the process. They can help you identify potential security risks and ensure that the requirements are secure by involving your experts in the inception cycle.
    • Use a risk-based approach. Use a risk-based approach to prioritize the security requirements and focus on the ones that pose the greatest risk.
    • Consider the different types of attacks. Consider the different types of attacks that your application may be vulnerable to and make sure that the requirements address these risks and don’t violate in principle the OWASP TOP-10 (yes, business requirements can violate the OWASP TOP-10).

  13. Use Secure Design Patterns and Practices
    Defense in Depth: Use multiple layers of security to protect your application. This can be done by using different security controls, such as authentication, authorization, and encryption.
    Least Privilege: This is a security principle that states that users should only have the permissions they need to do their job.
    Deny by Default Principle: Everything is denied unless instructed otherwise.
    Zero Trust: This is a security model that assumes that no user or device is trusted by default.
    Threat Modeling: This is the process of identifying and evaluating the threats to your application.

  14. How to Collect Secure Requirements
    • Document the security requirements. The security requirements should be documented in a clear and concise way so that they can be easily understood by the developers.
    • Review the security requirements with the stakeholders. Once the security requirements have been documented, they should be reviewed with the stakeholders (if they are not already involved in the process) to ensure that they are complete and accurate and don’t create business implications.

  15. Some Thumb Rules
    Some thumb rules when gathering requirements:
    • Be aware of the different types of sensitive data that will be stored or processed by the application.
    • Consider the different ways that this data could be compromised and prepare for the worst.
    • Make sure that the requirements specify how the data will be protected, such as through encryption or access control.
    • Consider the different ways that the application could be used to attack other systems or networks.
    • Make sure that the requirements also specify how the application will be secured against these attacks.
    • Don’t forget the audit trail 🤨
    By taking these steps, you can help to ensure that the security requirements for your web application are comprehensive and effective.

  16. Our Holy Grail the OWASP TOP 10
    The OWASP Top 10 is a list of the 10 most
    common application vulnerabilities. These are:
    ✓ Broken Access Control
    ✓ Cryptographic Errors
    ✓ Injection Attacks
    ✓ Insecure Design
    ✓ Security Misconfiguration
    ✓ Vulnerable and Outdated Components
    ✓ Identification and Authentication Failures
    ✓ Software and Data Integrity Failures
    ✓ Security Logging and Monitoring
    ✓ Server Side Request Forgery

  17. OWASP Risk Rating Methodology
    • Online applications may have many vulnerabilities, so we must be able to assess the risk of each vulnerability. To help companies assess risk, OWASP uses a risk assessment methodology to judge how dangerous any given vulnerability is.
    Identification:
    • Who is the attacker?
    • What attack is being performed?
    • What factors are involved?
    • How much damage can it do?
    • What is the potential business impact?
    What are the threat agent factors?
    • How much skill is required?
    • What motivation is needed?
    • What opportunities are necessary for its exploitation?
    • How much attacker volume is needed?
    What are the vulnerability factors?
    • Ease of discovery
    • Ease of use (exploitation)
    • Intrusion detection
    What are the technical impact factors of an attack?
    • Loss of confidentiality
    • Loss of integrity
    • Loss of availability
    • Loss of accountability
    What are the business impact factors of an attack?
    • Financial cost
    • Damage to reputation
    • Non-compliance
    • Invasion of privacy

  18. OWASP Risk Rating Methodology
    Risk severity levels: LOW, MEDIUM, HIGH
    Slide diagram: Determination of risk severity → Deciding what needs to be fixed → Model adjustment if needed
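A worked computation of the rating described on slides 17 and 18, added here as an example; it is not code from the talk. The scoring rules it encodes (every factor scored 0 to 9, likelihood as the average of the threat-agent and vulnerability factors, impact as the average of the business or technical impact factors, LOW below 3, MEDIUM below 6, HIGH otherwise, and the likelihood-by-impact matrix for the overall severity) are taken from OWASP's published Risk Rating Methodology rather than from the slides, and the scenario scored at the bottom is constructed.

```python
"""Worked OWASP Risk Rating example (added illustration, not from the slides).

Assumed scoring rules, taken from the OWASP Risk Rating Methodology: each
factor is 0-9; likelihood = average of threat-agent + vulnerability factors;
impact = average of the business (or, if unknown, the technical) impact
factors; <3 LOW, <6 MEDIUM, else HIGH; severity read from the matrix below.
"""
from dataclasses import dataclass, fields
from statistics import mean

THREAT_AGENT = ("skill", "motive", "opportunity", "size")
VULNERABILITY = ("ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")
TECHNICAL = ("loss_of_confidentiality", "loss_of_integrity",
             "loss_of_availability", "loss_of_accountability")
BUSINESS = ("financial_damage", "reputation_damage", "non_compliance", "privacy_violation")

# Overall severity: SEVERITY[impact_level][likelihood_level]
SEVERITY = {
    "LOW":    {"LOW": "NOTE",   "MEDIUM": "LOW",    "HIGH": "MEDIUM"},
    "MEDIUM": {"LOW": "LOW",    "MEDIUM": "MEDIUM", "HIGH": "HIGH"},
    "HIGH":   {"LOW": "MEDIUM", "MEDIUM": "HIGH",   "HIGH": "CRITICAL"},
}


@dataclass(frozen=True)
class Factors:
    """All sixteen factors, each scored 0 (least risky) to 9 (most risky)."""
    # threat agent factors (slide 17: skill required, motivation, opportunities, attacker volume)
    skill: int
    motive: int
    opportunity: int
    size: int
    # vulnerability factors (slide 17: ease of discovery, ease of use, intrusion detection)
    ease_of_discovery: int
    ease_of_exploit: int
    awareness: int
    intrusion_detection: int
    # technical impact (slide 17: loss of confidentiality / integrity / availability / accountability)
    loss_of_confidentiality: int
    loss_of_integrity: int
    loss_of_availability: int
    loss_of_accountability: int
    # business impact (slide 17: financial cost, reputation, non-compliance, privacy)
    financial_damage: int
    reputation_damage: int
    non_compliance: int
    privacy_violation: int

    def __post_init__(self):
        for f in fields(self):
            value = getattr(self, f.name)
            if not 0 <= value <= 9:
                raise ValueError(f"{f.name} must be 0..9, got {value}")


def level(score: float) -> str:
    """Bucket a 0-9 score into the three levels of slide 18."""
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"


def _avg(f: Factors, names) -> float:
    return mean(getattr(f, n) for n in names)


def likelihood(f: Factors) -> float:
    return _avg(f, THREAT_AGENT + VULNERABILITY)


def technical_impact(f: Factors) -> float:
    return _avg(f, TECHNICAL)


def business_impact(f: Factors) -> float:
    return _avg(f, BUSINESS)


def rate(f: Factors, business_known: bool = True) -> dict:
    """Likelihood, impact and the overall severity for one vulnerability.

    OWASP advises using the business impact when it can be estimated and
    falling back to the technical impact otherwise."""
    lik = likelihood(f)
    imp = business_impact(f) if business_known else technical_impact(f)
    lik_lvl, imp_lvl = level(lik), level(imp)
    return {"likelihood": lik, "likelihood_level": lik_lvl,
            "impact": imp, "impact_level": imp_lvl,
            "severity": SEVERITY[imp_lvl][lik_lvl]}


# Constructed scenario: an authenticated user can read another user's records
# by changing an id in the URL (broken access control on an internal app).
EXAMPLE = Factors(
    skill=6, motive=4, opportunity=7, size=9,
    ease_of_discovery=7, ease_of_exploit=5, awareness=6, intrusion_detection=8,
    loss_of_confidentiality=7, loss_of_integrity=5, loss_of_availability=5, loss_of_accountability=7,
    financial_damage=3, reputation_damage=4, non_compliance=2, privacy_violation=3,
)

if __name__ == "__main__":
    print("business impact known:", rate(EXAMPLE))
    print("technical impact only:", rate(EXAMPLE, business_known=False))
```

The same finding rates HIGH when the (modest) business impact is used and CRITICAL when only the technical impact is known, which is the "model adjustment if needed" step of slide 18 in practice: the business stakeholders' estimate, not the technical severity alone, decides what gets fixed first.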

  19. Development
    GOD HELP US…

  20. How The Team Should Develop
    • Secure Coding Standards
    • Code Reviews
    • Secure Deployments
    • Debt Improvement
    The path to glory…

  21. Secure Coding & Code Review
    MIX AND MATCH

  22. Why Do We Need Software Quality?
    High Quality Software is (most likely) SECURE Software

  23. Secure Coding and Code Review
    You need to review code exactly the way you should write it. Regardless of what you write, you need to be able to answer the following:
    ☐ Am I able to understand the code easily?
    ☐ Is the code written according to company standards/guidelines?
    ☐ Is the same code repeated more than once?
    ☐ Can I easily test/debug the code to find the root cause of a problem?
    ☐ Have I written tests for at least 65% of the code and more than 80% of the if/case statements?
    ☐ Is this method or class too big? If so, does the function or class have too many responsibilities?
    ☐ Does it violate any of the OWASP TOP 10 rules?
    ☐ Does it violate any secure coding principles?
    This also applies to Low Code / No Code platforms like PEGA, OutSystems etc.

  24. How do we Code Review?
    It is a process that is actively run by a moderator or a group of moderators together with the developers at the time the code is written. The methodologies are:
    • OVER-THE-SHOULDER REVIEW: A moderator sits next to the developer, or asks him/her to share the screen, and asks him/her to walk through the code. As the facilitator "looks over the developer's code" and the developer explains his or her mindset and approach, the facilitator tries to identify potential issues and advises the developer on best practices.
    • GIT NOTIFICATION: A reviewer is assigned automatically.
    • PAIR PROGRAMMING: Pair programming is a flexible software development technique in which two programmers work together on a workstation (or a shared screen). One, the driver, writes code, while the other, the observer, examines each line of code as it is typed.
    • STATIC CODE ANALYSIS AND SAST TOOLS: Authors and moderators use their integrated development environment (IDE) plug-ins to connect directly to analyzers and analyze their code on the fly.

  25. The Golden Rule of Code Review

  26. The Golden Rule of Code Review Algorithm
    IF (a code reviewer is) {
        Aggressive in his comments
        Making bad examples out of people
        Has a GOD attitude
    }
    THEN {
        REMOVE HIM/HER EVEN IF HE/SHE IS THE BEST RESOURCE YOU HAVE
    }

  27. Happy & Bonded Teams Create Quality Software
    • Happy developers are more collaborative. Happy developers are more likely to share their knowledge and expertise with their colleagues. This can lead to better team communication, problem-solving, and innovation.
    • Happy developers are more likely to be security champions. Security champions are employees who are passionate about security and who are willing to go the extra mile to help their company improve its security posture.
    • Developer happiness leads to better code. When developers are happy, they are more likely to be engaged and productive. This leads to better code quality, fewer bugs, and faster development cycles.
    • Happy developers are more likely to stay with their company. Developer turnover is disruptive. Happy developers are less likely to leave, which saves the company money, time and education investment.
    Creating a positive and supportive work environment → Better and more Secure Software

  28. Specific Secure Coding Guidelines
    • Validate and sanitize all inputs, including data from URLs and APIs, to prevent injections. Use a whitelist (allow-list) approach when you can.
    • Use a secure and centralized authentication mechanism (like OAuth, OpenID etc.) AND implement proper authorization to enforce access controls and permissions. Avoid custom implementations.
    • Always secure sensitive data using hashing and encryption techniques, even if it exists only in memory.
    • Prefer UUIDs over incrementing ids in your data sets to prevent enumeration.
    • Enforce session timeouts.
    • Secure your queries even if you use ORM frameworks like Hibernate.
      • Always use prepared statements or parameterized queries, even if you trust your source. Even in the extreme case where you think you can’t, find a way to parameterize.
      • Always use secure DB connections.
    • Have a logging strategy:
      • Avoid exposing detailed error messages to users.
      • Log securely and not excessively.
      • Sanitize variable output when you log, to prevent attacks through the logging system.
      • Nice to have: your logging media has anti-forgery measures.
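The query and logging guidelines above, as an added example that is not code from the talk: the string-concatenated query is kept beside its parameterized form so the difference in behaviour is visible, ids are UUIDs rather than a counter, and values are sanitized before they reach the log. It uses Python's sqlite3 in memory so it runs offline; the contracts table, its rows and the probe input are constructed sample data.

```python
"""Added example (not code from the talk): parameterized queries, UUID keys
and log-output sanitization. The table and rows are constructed sample data."""
import logging
import sqlite3
import uuid

log = logging.getLogger("audit")


def seed() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # UUID primary keys instead of an autoincrement: a caller who knows one id
    # cannot enumerate the others by counting up.
    conn.execute("CREATE TABLE contracts (id TEXT PRIMARY KEY, owner TEXT NOT NULL, body TEXT)")
    for owner, body in (("alice", "alice's contract"), ("bob", "bob's contract")):
        conn.execute("INSERT INTO contracts VALUES (?, ?, ?)", (str(uuid.uuid4()), owner, body))
    conn.commit()
    return conn


def contracts_for_unsafe(conn: sqlite3.Connection, owner: str) -> list:
    # VULNERABLE (kept only for contrast): the value is pasted into the SQL
    # text, so the caller's input can change the meaning of the query.
    sql = f"SELECT owner, body FROM contracts WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def contracts_for(conn: sqlite3.Connection, owner: str) -> list:
    # Parameterized: the driver binds the value; it is compared, never parsed as SQL.
    return conn.execute("SELECT owner, body FROM contracts WHERE owner = ?", (owner,)).fetchall()


def sanitize_for_log(value: str, max_len: int = 200) -> str:
    """Replace control characters (CR, LF, ESC, ...) so a user-supplied value
    cannot forge extra log lines or terminal escapes, and cap the length."""
    cleaned = "".join(ch if ch.isprintable() else "?" for ch in value)
    return cleaned[:max_len]


def audit_login(username: str, success: bool, source_ip: str) -> str:
    """Log successes and failures alike, with a fixed structure; returns the line."""
    outcome = "success" if success else "failure"
    line = (f"event=login outcome={outcome} "
            f"user={sanitize_for_log(username)} ip={sanitize_for_log(source_ip)}")
    log.info(line)
    return line


if __name__ == "__main__":
    conn = seed()
    print(contracts_for(conn, "alice"))
    print(audit_login("bob", False, "203.0.113.7"))
```

The probe value in the test is the textbook one: against the concatenated query it turns the WHERE clause into a tautology and every row comes back, while the bound parameter simply matches no owner. The audit line shows why sanitization matters for the "anti-forgery" bullet: a username carrying a newline would otherwise start a second, fake log record.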

  29. Don’t Forget to
    • Implement audit trails and logging for critical security-related events within the application. This includes logging both successes and failures (e.g. log-ins).
    • Enforce secure communications (TLS/SSL) within your application.
    • Implement rate limiters and exponential backoff with jitter reconnection algorithms for your endpoints (to be discussed later).
    • Implement CSRF tokens to protect against CSRF attacks in web applications.
    • Configure HTTP security headers (e.g. Content Security Policy, X-Content-Type-Options, CORS) to enhance browser security.
    • Encrypt your passwords.
    • Remove commented code.
    • If your application handles file uploads, validate and restrict file types NOT ONLY BY THEIR EXTENSION (use Apache Tika), and store uploaded files in a secure location. Also keep in mind your file system limitations and implement pseudo-random folder structures. Also don’t forget to virus scan (use your provider's AV service or just ClamAV from within your app).
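The file-upload bullet above, as an added example that is not code from the talk. It decides the file type from the content's leading bytes rather than from the extension; the three signatures are a small stand-in for a content-type detector such as Apache Tika, which the slide recommends. Files are stored under a random token in a two-level folder layout (so names are unguessable and no single directory grows without bound), and the client-supplied filename never becomes part of the path. The size limit, sample byte strings and folder layout are constructed assumptions.

```python
"""Added example (not code from the talk): upload validation by content
signature plus a pseudo-random storage layout. Sample data is constructed."""
import os
import secrets
from pathlib import Path

# detected type -> (magic prefix, extensions allowed for that type)
SIGNATURES = {
    "png":  (b"\x89PNG\r\n\x1a\n", {"png"}),
    "jpeg": (b"\xff\xd8\xff",       {"jpg", "jpeg"}),
    "pdf":  (b"%PDF-",              {"pdf"}),
}
MAX_BYTES = 5 * 1024 * 1024  # constructed limit


def detect_type(data: bytes):
    """Return the detected type name, or None when no known signature matches."""
    for name, (magic, _) in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def validate_upload(filename: str, data: bytes) -> str:
    """Return the detected type, or raise ValueError saying why it was rejected."""
    if not data or len(data) > MAX_BYTES:
        raise ValueError("empty or oversized upload")
    # Only the final path component is looked at, and only for its extension.
    name = os.path.basename(filename)
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    kind = detect_type(data)
    if kind is None:
        raise ValueError("content does not match any allowed file type")
    if ext not in SIGNATURES[kind][1]:
        raise ValueError(f"extension .{ext} does not match detected type {kind}")
    return kind


def is_valid_upload(filename: str, data: bytes) -> bool:
    try:
        validate_upload(filename, data)
        return True
    except ValueError:
        return False


def storage_path(base, kind: str, token: str) -> Path:
    """<base>/ab/cd/abcd....<ext>: the first hex pairs of the random token
    spread files over many folders; the original filename is never used."""
    base = Path(base).resolve()
    ext = sorted(SIGNATURES[kind][1])[0]
    target = (base / token[:2] / token[2:4] / f"{token}.{ext}").resolve()
    if base not in target.parents:  # defensive: never write outside the upload root
        raise ValueError("path escapes the upload directory")
    return target


def store_upload(base, filename: str, data: bytes) -> Path:
    """Validate, then write the bytes under a fresh random token."""
    kind = validate_upload(filename, data)
    target = storage_path(base, kind, secrets.token_hex(16))
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


if __name__ == "__main__":
    sample_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # constructed
    print(store_upload("uploads", "photo.png", sample_png))
```

Virus scanning, which the slide also asks for, would sit between validate_upload and the write, on the bytes, before anything is stored.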

  30. Rate Limits and Exponential backoff with jitter
    • Imagine you are trying to connect to a service, but the service is down. You could keep trying to connect over and over again, but that might not work, and it also makes it even harder for every other service to connect. If the service comes up again it will probably fail again because of the big demand.
    • Also imagine a service out of your control that decides to request, e.g., 100.000 contracts from your service, using a loop that asks for one contract at a time.
    Use libraries like Resilience4j, Bucket4j or Apache APISIX, or an API gateway like Kong, or ask your provider.
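Both scenarios above, as an added example that is not code from the talk (the slide points at Resilience4j, Bucket4j, APISIX or Kong for production use). The server side is a per-client token bucket that answers 429 once a caller has burned through its allowance, which is what stops the one-contract-at-a-time loop; the client side retries with exponential backoff and full jitter, so a service that comes back up is not hit by every waiting client at the same instant. The clock and the random source are injected so the behaviour is reproducible; capacities and delays are constructed values.

```python
"""Added example (not code from the talk): a token-bucket rate limiter and a
retry loop with exponential backoff and full jitter. Numbers are constructed."""
import random
import time


class TokenBucket:
    def __init__(self, capacity: int, refill_per_sec: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)
        self.last = None  # timestamp of the previous call

    def allow(self, now: float) -> bool:
        """Consume one token if one is available; tokens trickle back over time."""
        if self.last is not None:
            elapsed = max(0.0, now - self.last)
            self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """One bucket per client id (API key, authenticated principal, ...)."""

    def __init__(self, capacity: int, refill_per_sec: float):
        self.capacity, self.refill = capacity, refill_per_sec
        self.buckets = {}

    def handle(self, client_id: str, now: float) -> int:
        """Return the HTTP status the endpoint should answer with."""
        bucket = self.buckets.setdefault(client_id, TokenBucket(self.capacity, self.refill))
        return 200 if bucket.allow(now) else 429


def seeded_rng(seed: int) -> random.Random:
    """Deterministic random source, used to make runs reproducible."""
    return random.Random(seed)


def backoff_delay(attempt: int, base: float = 0.1, cap: float = 5.0, rng=random) -> float:
    """Full jitter: uniform in [0, min(cap, base * 2**attempt)]."""
    return rng.uniform(0.0, min(cap, base * (2 ** attempt)))


def call_with_retry(fn, max_attempts: int = 5, sleep=time.sleep, rng=random):
    """Call fn until it succeeds; after a connection error wait a jittered,
    exponentially growing delay. Re-raises once max_attempts is exhausted."""
    for attempt in range(max_attempts):
        try:
            return fn()
        except (ConnectionError, TimeoutError):
            if attempt == max_attempts - 1:
                raise
            sleep(backoff_delay(attempt, rng=rng))


if __name__ == "__main__":
    limiter = RateLimiter(capacity=3, refill_per_sec=1.0)
    # four calls at t=0, then one a second later: the fourth is throttled
    print([limiter.handle("client-a", t) for t in (0.0, 0.0, 0.0, 0.0, 1.0)])
```

Without the jitter, every client that failed at the same moment would compute the same delay and retry together, recreating the spike the backoff was meant to avoid; the uniform draw spreads the retries over the window.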

  31. AI Code Generators
    WHAT SORCERY IS THIS?

  32. AI For Security & Productivity
    AI code generators can be used in various ways
    • Productivity:
      • Auto-completion (e.g. writing boilerplate code, unit test skeletons or implementing common design patterns)
      • Code refactoring
      • Creating documentation (improve code readability, reduce code duplication, and eliminate unnecessary complexity)
    • Security:
      • Vulnerability detection
      • Suggesting secure coding practices
    • Main players:
      • GitHub Copilot
      • Tabnine
      • ChatGPT
      • Ask Codi
      • AWS CodeWhisperer
      • Google Bard

  33. AI Code Generator Comparison
    Feature           | GitHub Copilot | Tabnine | ChatGPT | Ask Codi | Google Bard | AWS CodeWhisperer
    Code completion   | Yes | Yes | Yes | Yes | Yes | Yes
    Code generation   | Yes | Yes | Yes | Yes | Yes | Yes
    Code review       | Yes | Yes | Yes | Yes | Yes | Yes
    Security features | Yes | Yes | Yes | Yes | Yes | Yes
    IDE integration   | Yes (Visual Studio Code, JetBrains, Neovim, Visual Studio) | Yes (Visual Studio Code, Sublime Text, JetBrains, Eclipse, and others) | No | No | No | Yes (Visual Studio Code, JetBrains, Cloud9, AWS Lambda console)
    Pricing           | $10/month or $100/year for individuals, $19/month per user for business | Free for open source projects, $60/year for individuals, $120/year per user for teams | Free for research purposes, paid plans available for enterprise users | Free for open source projects, paid plans available for enterprise users | Paid plans available for enterprise users | Free for individuals, $19/month per user for business

  34. AI Pitfalls
    Be aware of the limitations of AI code generators. They are still under development and may not be able to generate perfect code all the time.
    ✓ Always test code that is generated by AI code generators before using it in UAT or Production.
    ✓ Use AI code generators in conjunction with other security tools and practices, such as code review and static analysis.
    Never put all your eggs in one basket with AI code generators → NEVER bypass manual code reviews.
    Slide diagram labels: DEV, AI, PROD

  35. Static Code Analysis
    WHAT SORCERY IS THIS?

  36. Benefits of Static Code Analyzers
    Static code analyzers (SAST tools) are important because they can help you detect bugs and vulnerabilities in your code before you deploy it to production. This can save you time and money, and it can also help to protect your users from security threats.
    SAST tools help you to:
    • Detect bugs and vulnerabilities early
    • Improve code quality
    • Reduce the risk of security breaches
    • Increase confidence in your code
    • Improve compliance with regulations
    Usually they are integrated in the CI lifecycle and within the IDE, or they are triggered on branch merging.
    THE GOAL: Educate the team → Produce Secure Software
    However, you should also use them within the development process to educate developers.
    ✓ Group the significant findings and organize a retrospective with your team to produce lessons learned
    ✓ Take milestone findings of a young developer and do a 1-1 education session

  37. How to Choose the Right Static Code Analyzer
    Tool                | License    | Scanning performance | Easily interpreted results | Manual code review capability | Performance in security findings | Online only
    Checkmarx CxSAST    | Commercial | Normal      | Normal      | Yes | Very Good | No
    Klocwork            | Commercial | Normal      | Very Easy   | No  | Good      | No
    Fortify             | Commercial | Normal      | Normal      | No  | Very Good | No
    SonarQube           | Opensource | Can be Slow | Normal      | Yes | Good      | No
    Semgrep             | Opensource | Fast        | Can be Hard | No  | Good      | No
    Synopsys Code Sight | Commercial | Normal      | Normal      | No  | Very Good | No
    Veracode            | Commercial | Normal      | Normal      | No  | Very Good | No
    Qodana              | Opensource | Fast        | Can be Hard | Yes | Good      | Yes
    Snyk                | Commercial | Can be Slow | Very Easy   | No  | Good      | Yes
    (The slide shows the "Performance in security findings" column twice with identical values; it is listed once here.)
    G2 Crowd: Best Static Application Security Testing (SAST) Software: https://www.g2.com/categories/static-application-security-testing-sast
    OWASP Foundation: Static Application Security Testing: https://owasp.org/www-community/Source_Code_Analysis_Tools
    Mend: Best SAST Tools: Top 7 Solutions Compared: https://www.mend.io/blog/best-sast-tools/

  38. How to Choose the Right Static Code Analyzer
    SAST decision tree:
    • Opensource
      • Online only: Qodana
      • Online/Offline: SonarQube, Semgrep (for advanced users)
    • Commercial, medium budget
      • Online only: Snyk
      • Online/Offline: none
    • Commercial, high budget: Checkmarx CxSAST, Klocwork, Fortify, Synopsys Code Sight, Veracode

  39. Software Composition
    Analysis (SCA)
    WHAT IS THAT?

  40. What is SCA?
    • Software composition analysis (SCA) is a process of identifying and analyzing the third-party components and dependencies used in a software application. SCA tools can scan source code, binary files, and container images to identify components, their versions, and any known vulnerabilities or licensing issues.
    Benefits of SCA:
    • Improved security: SCA can help organizations identify and fix vulnerabilities in the software they use, which can reduce the risk of security breaches and data leaks.
    • Compliance: SCA can help organizations ensure that they are complying with legal and licensing requirements for the software they use, which can reduce the risk of legal issues and fines.
    • Reduced risk: SCA can help organizations identify and mitigate risks associated with using software dependencies, such as security vulnerabilities, licensing issues, and supply chain attacks.
    • Increased visibility: SCA can provide organizations with a comprehensive inventory of all the open source components used in their software, which can help them to better understand their software supply chain and make informed decisions about risk management.
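The two halves of SCA described above (building the component inventory, then matching versions against known advisories), as an added example that is not code from the talk or from any of the tools it lists. The lock file and the advisory list are constructed: the package names and advisory ids are invented placeholders, not real packages or CVEs, and the version logic assumes plain dotted numeric versions, which is a simplification of what real SCA tools handle.

```python
"""Added example (not code from the talk): a minimal SCA pass over a
constructed lock file against a constructed advisory list."""
import operator
import re

LOCK_FILE = """\
# constructed sample lock file (pip-style pins)
acme-json==2.9.0
acme-http==1.4.2
acme-auth==3.0.0
"""

# Constructed advisories; "affected" is a comma-separated list of comparison clauses.
ADVISORIES = [
    {"id": "ADV-0001 (placeholder)", "package": "acme-json", "affected": ">=2.0.0,<2.10.0",
     "fixed": "2.10.0", "severity": "HIGH"},
    {"id": "ADV-0002 (placeholder)", "package": "acme-auth", "affected": "<3.0.0",
     "fixed": "3.0.0", "severity": "CRITICAL"},
    {"id": "ADV-0003 (placeholder)", "package": "acme-http", "affected": "==1.4.2",
     "fixed": "1.4.3", "severity": "MEDIUM"},
]

_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge, "==": operator.eq}
_CLAUSE = re.compile(r"^(<=|>=|==|<|>)\s*(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> tuple:
    """Dotted numeric versions only (assumption); pre-release tags are out of scope."""
    return tuple(int(part) for part in text.split("."))


def _padded(a: tuple, b: tuple):
    """Right-pad with zeros so 2.10 and 2.10.0 compare equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_in_range(version: str, spec: str) -> bool:
    """True when the version satisfies every clause of the spec."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"bad clause: {clause!r}")
        op, bound = m.groups()
        left, right = _padded(v, parse_version(bound))
        if not _OPS[op](left, right):
            return False
    return True


def inventory(lock_text: str) -> dict:
    """name -> pinned version (the component inventory); comments and blanks are skipped."""
    pins = {}
    for line in lock_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line!r}")
        pins[name.strip().lower()] = version.strip()
    return pins


def scan(lock_text: str, advisories: list) -> list:
    """One finding per (component, advisory) match, most severe first."""
    pins = inventory(lock_text)
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
    findings = []
    for adv in advisories:
        version = pins.get(adv["package"].lower())
        if version is not None and version_in_range(version, adv["affected"]):
            findings.append({"package": adv["package"], "version": version, "advisory": adv["id"],
                             "severity": adv["severity"], "fixed": adv["fixed"]})
    return sorted(findings, key=lambda f: order.get(f["severity"], 9))


if __name__ == "__main__":
    for f in scan(LOCK_FILE, ADVISORIES):
        print(f"{f['severity']:8} {f['package']}=={f['version']} -> {f['advisory']}, upgrade to {f['fixed']}")
```

The inventory half is what gives the "increased visibility" benefit even when no advisory matches; the range check is where real tools differ most (pre-release tags, distro backports, transitive dependencies), which is why the comparison table that follows weighs ease of use against feature depth.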

  41. Common SCA Tools
    SCA Tool                 | Cost                                  | Ease of use | Cons
    Sonatype Nexus IQ        | Paid ($10,000+/year)                  | Moderate    | Expensive, complex to use
    Synopsys Black Duck      | Paid ($20,000+/year)                  | Moderate    | Expensive, complex to use
    WhiteSource Bolt         | Paid ($9,000+/year)                   | Easy        | May not offer as many features and capabilities as the more mature SCA tools
    Snyk                     | Free (for open source projects)       | Easy        | May not offer as many features and capabilities as the more mature SCA tools
    Dependency Track         | Open source                           | Easy        | May not offer as many features and capabilities as the more mature SCA tools
    Dependabot               | Free (for public GitHub repositories) | Easy        | Only available for public GitHub repositories, does not support all programming languages and package managers
    OWASP Dependency Checker | Free                                  | Easy        | Lacks a lot of functionality

  42. Common SCA Tools
    SCA decision tree:
    • Free: Dependency Track, OWASP Dependency Check, Snyk, Dependabot (the slide splits these between "Opensource" and "Others")
    • Paid
      • Low budget: Snyk, WhiteSource Bolt
      • High budget: Sonatype Nexus IQ, Synopsys Black Duck

  43. Penetration Testing
    THE BAD GUYS

  44. Penetration Testing and DAST Tools
    • To ensure that the project produced is safe and of high quality, we perform penetration tests using a suitable application.
    • Penetration testing and DAST tools attempt to identify insecure processes, loose security settings or other weaknesses that an attacker could exploit. Examples include the transmission of unencrypted passwords, forgotten and unencrypted credentials etc. Penetration testing tools try to identify these vulnerabilities.
    • These tests need not be conducted as frequently, but should be repeated on a regular basis.
    • Penetration tests can be automated and integrated into the development lifecycle; however, DAST tools have some limitations: for example, they cannot detect all vulnerabilities, and they can be slow to scan large applications. This is why a developer can use these tools to test parts of the functionality he/she has developed, for example a set of endpoints, and not the complete application.
    • Pen tests may not detect business issues; this is why you need secure requirements.
    • Pen tests may not detect bad design; this is why you need secure design & code reviews.

  45. Common Opensource DAST Tools
    Tool                            | Programming languages supported | Attack types supported | Scanning methods | Features
    ZAP                             | Wide    | Wide    | Active, passive | Scripting, automation, extensibility
    W3AF                            | Wide    | Wide    | Active, passive | Scripting, automation, extensibility
    Nikto                           | Limited | Limited | Active          | Limited
    Intruder                        | Wide    | Wide    | Active          | Scripting, automation, extensibility
    Burp Suite Community Edition    | Wide    | Wide    | Active, passive | Scripting, automation, extensibility
    AppScan Open                    | Wide    | Wide    | Active, passive | Scripting, automation, extensibility
    Detectify Community Edition     | Wide    | Wide    | Active, passive | Scripting, automation, extensibility
    Acunetix Community Edition      | Wide    | Wide    | Active, passive | Scripting, automation, extensibility
    Astra Pentest Community Edition | Wide    | Wide    | Active, passive | Scripting, automation, extensibility
    Slide annotations: "EASY", "Cloud Based"

    View Slide

  46. Is it Over?
    AFTER I GO TO PRODUCTION?
  47. So is it Over?
    •After you go to production you need:
    • Frequent SAST and SCA checks, to ensure your code is not subject to newly disclosed
    vulnerabilities
    • Regular penetration tests
    • A solid monitoring process for the above
    • A solid risk management process to tackle the potential vulnerabilities
  48. My Counterexample App
    AND HOW THEY DID (ALMOST) EVERYTHING WRONG
  49. A “Typical” Government Application
    For the municipal and regional elections, the Greek government built an application for the
    registration of political formations (parties) and candidates. The application has all the
    phenotypic characteristics (it looks like) of an enterprise web application that you would
    expect to be secured:
    •It was built by a major Greek company
    •It has an SSO OAuth2 login based on your tax credentials
    •SSL secured
    •It belonged to a swarm of similar applications, like tax returns etc.
    So I expected:
    ✓A secure requirement gathering
    ✓Secure implementation
    ✓Security testing
  50. What it Does
    •The main purpose was the registration of political formations (parties) and candidates.
    The flow:
    1. A candidate or a party logs in through the SSO.
    2. He/she registers the party or verifies that he/she is registered.
    3. He/she approves or rejects his/her nomination.
    SIMPLE? WHAT CAN GO WRONG, RIGHT?
  51. What was the Problem
    URL: https://xxxxx-some url-xxxxxx/validations/edit/56099
  52. What was the Problem
    URL: https://xxxxx-some url-xxxxxx/validations/edit/56000
    I could even remove him/her from the elections!
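The authorization gap behind this URL, as an added example that is not code from the talk or from the application described: a handler that trusts the record id taken from the URL, beside one that checks the authenticated SSO subject actually owns the record. The names (User, Validation, edit_validation_*), the "election_admin" role and the sample records are all constructed.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    """Authenticated caller; `subject` is the identity the SSO login returned (assumed)."""
    subject: str
    roles: set = field(default_factory=set)


@dataclass
class Validation:
    """One nomination record; the number in the URL is its primary key."""
    id: int
    owner_subject: str
    status: str = "pending"


# Constructed sample data: two candidates' records with sequential ids, as on the slide.
VALIDATIONS = {
    56099: Validation(56099, "candidate-A"),
    56000: Validation(56000, "candidate-B"),
}
AUDIT_LOG = []  # denied attempts; a walk over sequential ids becomes visible here


def edit_validation_vulnerable(user, validation_id, status):
    """Only relies on the caller being logged in: any user can change any record."""
    rec = VALIDATIONS[validation_id]
    rec.status = status
    return "200 OK"


def edit_validation_hardened(user, validation_id, status):
    """Loads the record, then checks the caller's SSO subject owns it (or is an admin)."""
    rec = VALIDATIONS.get(validation_id)
    if rec is None:
        return "404 Not Found"
    if rec.owner_subject != user.subject and "election_admin" not in user.roles:
        # Server-side object-level check; the decision uses the session identity,
        # never anything the client sent. Log the denial so monitoring can alert.
        AUDIT_LOG.append(f"DENY subject={user.subject} validation={validation_id}")
        return "403 Forbidden"
    rec.status = status
    return "200 OK"
```

The same check belongs on every endpoint that takes a record id (view, edit, delete), since each one is a separate route to the same record.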
  53. Trying to FIX the Issue*
    •After several written communication attempts (including to the minister) I got an answer from
    the portal:
    •THIS IS NOT OUR RESPONSIBILITY, please contact ….
    * The issue is fixed now, after several written communications.
  54. What Went Wrong
    | Phase               | Applied? |
    | Secure requirements | NO       |
    | Secure Design       | NO       |
    | Code Review         | NO       |
    | SAST                | YES      |
    | Testing             | MAYBE    |
    | DAST                | MAYBE    |
    | Risk Assessment     | NO       |
  55. Conclusion
  56. Conclusion
    •The process described here is not one of the well-known standards such as NIST 800-64, the
    Microsoft Security Development Lifecycle (MS SDL) or OWASP CLASP. It differs in that it does not
    require the developer to be highly skilled in order to apply it and produce secure software;
    instead it teaches him/her how to write secure software and pushes him/her to evangelize these
    practices in his/her environment. In other words, it adds education and automation to the
    lifecycle, aiming for hassle-free secure software creation.
    Diagram: Secure Coding Standards, Code Reviews, Secure Deployments, Debt Improvement; each step
    annotated "Educate" and "Automate".
  57.
    Blogging on: JEE.gr
    Twitting on: @Diakogiannis
    LinkedIn: @Diakogiannis
    ALEXIUS DIONYSIUS T. DIAKOGIANNIS
    Senior JAVA Solutions Architect & Squad Leader / EIB
    Tech Advisory Board Member / Packt Publishing