PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS T. DIAKOGIANNIS Senior JAVA Solutions Architect / European Investment Bank Tech Advisory Board Member / Packt Publishing Blogging on: JEE.gr Twitting on: @Diakogiannis LinkedIn: @Diakogiannis 13/10/2023 

WHO AM I? ü Senior JAVA Architect / Team Leader over 20 years of experience ü I have designed very complex secure applications eg. e-Banking Systems ü Packt Tech Advisory Board member ü Soon to be a writer ü Volunteer by principal ü Mentor by principal Blogging on: JEE.gr Twitting on: @Diakogiannis LinkedIn: @Diakogiannis ALEXIUS DIONYSIUS T. DIAKOGIANNIS Senior JAVA Solutions Architect & Squad Leader / EIB Tech Advisory Board Member / Packt Publishing 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 2 

Introduction 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 3 

Introduction Companies with web applications invest significant resources to defend them from malicious users and hackers. To achieve this, companies should implement a Software Development Life Cycle (SDLC) that includes review iterations before the software is released to the public, as well as ongoing security checks after it is in production. I will present a complete process of secure production and control of an application as follows: • The process is based on the Rational Unified Process (RUP) analysis and production process but it is applicable to any other process. • I will help you with calculating the risk • I will then describe methods for securely writing code and educate your team • I will show how to use AI in development • I will show to monitor your code after it is in production 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 4 

Back to Basics! What is a Web Application? 🙄 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 5 

We are focusing on the security and delivery of this part The Structure of a Web n-tiered Web Application •Typically there is: •A Client (usually a browser) •A web server •A application servers •Data storage (DB, MDM etc) •Communication 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 6 

Challenges in Web Application Security •Most web standards are informal Request For Comments (RFCs)* •These standards are usually not well defined •The internet is vast •This situation makes modelling the web almost impossible. •But can we somehow model the process of how we can secure a web app? 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 7 *A Request for Comments (RFC) is a publication in a series from the principal technical development and standards-setting bodies for the Internet 

RUP - RATIONAL UNIFIED PROCESS METHODOLOGY FOR THE ANALYSIS AND SECURITY OF THE APPLICATION 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 8 

Intro on the Rational Unified Process •The Rational Unified Process is a Software Engineering process that provides a disciplined approach to assigning tasks and responsibilities within an organization's development. Its goal is to ensure the production of high quality software that meets the needs of its end users within a predictable schedule and budget. •RUP divides the software development lifecycle into four phases: • Inception: The team defines the project's goals and scope. • Elaboration: The team develops a detailed plan for the project, including the architecture and requirements. • Construction: The team develops and tests the software. • Transition: The software is deployed to production and supported. •RUP also defines six core development disciplines: • Business modelling: The team understands the business needs and requirements. • Requirements: The team defines the specific requirements of the software system. • Analysis and design: The team designs the architecture and components of the software system. • Implementation: The team develops the software code. • Testing: The team tests the software to ensure that it meets the requirements. • Deployment: The team deploys the software to production and provides support. 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 9 

Approach Business modelling & Requirements (What) Design / Implement QA/Test Continues Review/ Feedback Change 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 10 

Where Do We Start? •Security in web applications starts with: • Penetration Testing? • Code Reviews? • Code Scanners? • Firewalls? •It starts with SECURE REQUIREMENTS! 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 11 

How to Collect Secure Requirements •Involve security experts early in the process. They can help you identify potential security risks and ensure that the requirements are secure by involving your experts in the inception cycle. •Use a risk-based approach. Use a risk-based approach to prioritize the security requirements and focus on the ones that pose the greatest risk. •Consider the different types of attacks. Consider the different types of attacks that your application may be vulnerable to and make sure that the requirements address these risks and don’t violate in principle the OWASP TOP-10 (yes business requirements can violate OWASP TOP-10) 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 12 

Use Secure Design Patterns and Practices Defense in Depth Use multiple layers of security to protect your application. This can be done by using different security controls, such as authentication, authorization, and encryption. Least Privilege: This is a security principle that states that users should only have the permissions they need to do their job. Deny by Default Principle: Everything is denied unless instructed otherwise Zero Trust: This is a security model that assumes that no user or device is trusted by default. Threat Modeling: This is the process of identifying and evaluating the threats to your application. 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 13 

How to Collect Secure Requirements •Document the security requirements. The security requirements should be documented in a clear and concise way so that they can be easily understood by the developers. •Review the security requirements with the stakeholders. Once the security requirements have been documented, they should be reviewed with the stakeholders (if they are not already involved in the process) to ensure that they are complete and accurate and don’t create business implications. 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 14 

Some Thumb Rules Some thumb rules when gathering requirements: • Be aware of the different types of sensitive data that will be stored or processed by the application. • Consider the different ways that this data could be compromised and prepare for the worst • Make sure that the requirements specify how the data will be protected, such as through encryption or access control. • Consider the different ways that the application could be used to attack other systems or networks. • Make sure that the requirements also specify how the application will be secured against these attacks. • Don’t forget to audit trail 🤨 By taking these steps, you can help to ensure that the security requirements for your web application are comprehensive and effective. 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 15 

Our Holy Grail the OWASP TOP 10 The OWASP Top 10 is a list of the 10 most common application vulnerabilities. These are: üBroken Access Control üCryptographic Errors üInjection Attacks üInsecure Design üSecurity Misconfiguration üVulnerable Outdated Components üIdentification and Authentication Failures üSoftware and Data Integrity Failures üSecurity Logging and Monitoring üServer Side Request Forgering 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 16 

OWASP Risk Rating Methodology •Online applications may have many vulnerabilities, so we must be able to assess the risk of each vulnerability. To help companies assess risk, OWASP uses a risk assessment methodology to judge how dangerous any given vulnerability is. Identification • Who is she; • What attack is being performed? • What factors are involved? • How much damage can it do? • What is the potential business impact? What are the threat factors? • How much skill is required? • What motivation is needed? • What opportunities are necessary for its exploitation • How much attacker volume is needed? What are the factors of vulnerability? • Ease of discovery. • Ease of use. • Intrusion detection. What are the technical factors of the impact of an attack • Loss of confidentiality • Loss of integrity • Loss of availability • Loss of responsibility What are the business impact factors of an attack? • Financial cost • Damage to reputation • Non compliance • Invasion of privacy 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 17 

OWASP Risk Rating Methodology •LOW •MEDIUM •HIGH Determination of risk severity Deciding what needs to be fixed Model adjustment if needed 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 18 

Development GOD HELP US… 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 19 

How The Team Should Develop Secure Coding Standards Code Reviews Secure Deployments Debt Improvement 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 20 The path to glory… 

Secure Coding & Code Review MIX AND MATCH 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 21 

Why Do We Need Software Quality? High Quality Software Is (most likely) a SECURE Software 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 22 

Secure Coding and Code Review You need to review code exactly like the way you should write it. Regardless what you write you need to be able to answer the following qAm I able to understand the code easily? qIs the code written according to company standards/guidelines? qIs the same code repeated more than once? qCan I easily test/debug the code to find the root cause of a problem? qHave I written tests for at least 65% of the code and more that 80% of the if/case statements? qIs this method or class too big? If so, does the function or class have too many responsibilities? qDoes it violate any of the OWASP TOP 10 rules? qDoes it violate any secure coding principles? 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 23 This also applies to Low Code No Code Platforms like PEGA, OutSystems etc 

How do we Code Review? It is a process that is actively run by a moderator or a group of moderators together with the developers at the time the code is written. The methodologies are: •A moderator sits next to the developer or asks him/her to share screen and asks him to walkthrough his code. As the facilitator "looks over the developer's code" and explains his or her mindset and approach, he or she tries to identify potential issues and advises the developer on best practices. OVER-THE-SHOULDER REVIEW •A Reviewer is assigned automatically GIT NOTIFICATION •Pair programming is a flexible software development technique in which two programmers work together on a workstation (or a shared screen). One, the driver, writes code, while the other, the observer, examines each line of code as it is typed Pair Programming •Authors and moderators use their integrated development environment (IDE) plug-ins to connect directly to analyzers and analyze their code on the fly. Static Code Analysis and SAST tools 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 24 

The Golden Rule of Code Review 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 25 

The Golden Rule of Code Review Algorithm 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 26 •IF ( a code reviewer is ){ •Aggressive in his comments •Making bad examples out of people •Has a GOD attitude } •THEN { REMOVE HIM/HER EVEN IF HE/SHE IS THE BEST RESOURCE YOU HAVE •} 

Happy & Bonded Teams Create Quality Software •Happy developers are more collaborative. Happy developers are more likely to share their knowledge and expertise with their colleagues. This can lead to better team communication, problem-solving, and innovation. •Happy developers are more likely to be security champions. Security champions are employees who are passionate about security and who are willing to go the extra mile to help their company improve its security posture. •Developer happiness leads to better code. When developers are happy, they are more likely to be engaged and productive. This leads to better code quality, fewer bugs, and faster development cycles. •Happy developers are more likely to stay with their company. Developer turnover is disruptive. Happy developers are less likely to leave, which saves the company money and time and education investment. 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 27 Creating a positive and supportive work environment → Better and more Secure Software 

Specific Secure Coding Guidelines •Validate and sanitize all inputs including data from URLs, and APIs to prevent injections. Use whitelist approach when you can. •Use a secure and centralized authentication mechanisms (like OAuth, OpenID etc) AND implement a proper authorization to enforce access controls and permissions. Avoid custom implementations. •Always secure sensitive data using hashing and encryption techniques even if they exist only in memory. •Prefer using UUIDs over increments on your data sets to prevent enumerations. •Enforce session timeouts •Secure your queries even if you use ORM frameworks like Hibernate. • Always use prepared statements or parameterized queries. In the extreme case you can’t, always use prepared statements or parameterized even if you trust your source • Always use secure DB connections •Have a logging strategy • Avoid exposing detailed error messages to users • Log securely and not excessively • Sanitize variable output when you log to prevent system attacks • Nice to have: Your logging media has anti forgery measures 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 28 

Don’t Forget to •Implement audit trails and logging for critical security-related events within the application. This includes logging both Success and Failures (e.g. Log-Ins). •Enforce within your application secure communications (TLS/SLL) •Implement Rate Limiters and Exponential backoff with jitter reconnection algorithms for your endpoints (to be discussed later). • Implement CSRF tokens to protect against CSRF attacks in web applications. •Configure HTTP Security Headers(e.g., Content Security Policy, X-Content-Type-Options,CORS) to enhance browser security •Encrypt your passwords •Remove commented code •If your application handles file uploads, validate and restrict file types NOT ONLY BY THEIR EXTENSION (use Apache Tika), and store uploaded files in a secure location. Also keep in mind your file system limitations and implement pseudo-random folder structures. Also don’t forget to virus scan (use your provides AV service or just ClamAV from within your app). 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 29 

Rate Limits and Exponential backoff with jitter !Imagine you are trying to connect to a service, but the service is down. You could keep trying to connect over and over again, but that might not work also making it even harder for every other service to connect. If the service comes up again it will probably fail again because of the big demand. !Also imagine a service out of your control that decides to request e.g. from your service 100.000 contracts using a loop asking for one contract at the time. 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 30 Use libraries like: Resilience4j Bucket4j Apache APISIX OR a Gateway API like Kong or ask your provider 

AI Code Generators WHAT SORCERY IS THIS? 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 31 

AI For Security & Productivity AI code generators can be used in various ways •Productivity: • Auto-completion (ex. writing boilerplate code, Unit test skeletons or implementing common design patterns) • Code-refactoring • Create documentation (improve code readability, reduce code duplication, and eliminate unnecessary complexity) •Security: • Vulnerability detection • Suggest secure coding practices •Main players • GitHub Copilot • Tabnine • ChatGPT • Ask Codi • AWS CodeWhisperer • Google Bard 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 32 

AI Code Generator Comparison Feature GitHub Copilot Tabnine ChatGPT Ask Codi Google Bard AWS CodeWhisperer Code completion Yes Yes Yes Yes Yes Yes Code generation Yes Yes Yes Yes Yes Yes Code review Yes Yes Yes Yes Yes Yes Security Features Yes Yes Yes Yes Yes Yes IDE integration Yes (Visual Studio Code, JetBrains, Neovim, Visual Studio) Yes (Visual Studio Code, Sublime Text, JetBrains, Eclipse, and others) No No No Yes (Visual Studio Code, JetBrains, Cloud9, AWS Lambda console) Pricing $10/month or $100/year for individuals, $19/month per user for business Free for open source projects, $60/year for individuals, $120/year per user for teams Free for research purposes, paid plans available for enterprise users Free for open source projects, paid plans available for enterprise users Paid plans available for enterprise users Free for individuals, $19/month per user for business 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 33 

AI Pitfalls Be aware of the limitations of AI code generators. They are still under development and may not be able to generate perfect code all the time. üAlways test code that is generated by AI code generators before using it in UAT or Production. üUse AI code generators in conjunction with other security tools and practices, such as code review and static analysis. 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 34 Never put your eggs in one basket using AI Code Generators → NEVER bypass manual code reviews DEV AI PROD 

Static Code Analysis WHAT SORCERY IS THIS? 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 35 

Benefits of Static Code Analyzers Static code analyzers (SASTs) are important because they can help you to detect bugs and vulnerabilities in your code before you deploy it to production. This can save you time and money, and it can also help to protect your users from security threats. SASTs help you by: • Detect bugs and vulnerabilities early • Improve code quality • Reduce risk of security breaches • Increase confidence in your code • Improve compliance with regulations Usually they integrated in the CI lifecycle and within the IDE or they are triggered with branch merging 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 36 THE GOAL: Educate the team → Produce Secure Software However you should also use them within the development process to educate developers. ü Group the significant findings and organize a retrospective with your team to produce lessons learned ü Take milestone findings of a young developer and do a 1-1 education session 

How to Choose the Right Static Code Analyzer Tool License Scanning Performance Easy Interpreted Results Man. Code Review Cap Performance in Security Findings Performance in Security Findings Online Only Checkmarx CxSAST Commercial Normal Normal Yes Very Good Very Good No Klocwork Commercial Normal Very Easy No Good Good No Fortify Commercial Normal Normal No Very Good Very Good No SonarQube Opensource Can be Slow Normal Yes Good Good No Semgrep Opensource Fast Can be Hard No Good Good No Synopsys Code Sight Commercial Normal Normal No Very Good Very Good No Veracode Commercial Normal Normal No Very Good Very Good No Qodana Opensource Fast Can be Hard Yes Good Good Yes Snyk Commercial Can be Slow Very Easy No Good Good Yes 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 37 G2 Crowd: Best Static Application Security Testing (SAST) Software: https://www.g2.com/categories/static-application-security-testing-sast OWASP Foundation: Static Application Security Testing: https://owasp.org/www-community/Source_Code_Analysis_Tools Mend: Best SAST Tools: Top 7 Solutions Compared: https://www.mend.io/blog/best-sast-tools/ 

How to Choose the Right Static Code Analyzer 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 38 SAST Opensource Online Only Qodana Online/Offline Sonarqube Semgrep (for advanced usr) Commercial Medium Budget Online Only Snyk Online/Offline None L High Budget Checkmarx CxSAST Klocwork Fortify Synopsys Code Sight Veracode 

Software Composition Analysis (SCA) WHAT IS THAT? 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 39 

What is SCA? •Software composition analysis (SCA) is a process of identifying and analyzing the third party components and dependencies used in a software application. SCA tools can scan source code, binary files, and container images to identify components, their versions, and any known vulnerabilities or licensing issues. Benefits of SCA: •Improved security: SCA can help organizations identify and fix vulnerabilities in the software they use, which can reduce the risk of security breaches and data leaks. •Compliance: SCA can help organizations ensure that they are complying with legal and licensing requirements for the software they use, which can reduce the risk of legal issues and fines. •Reduced risk: SCA can help organizations identify and mitigate risks associated with using software dependencies, such as security vulnerabilities, licensing issues, and supply chain attacks. •Increased visibility: SCA can provide organizations with a comprehensive inventory of all the open source components used in their software, which can help them to better understand their software supply chain and make informed decisions about risk management. 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 40 

Common SCA Tools SCA Tool Cost Ease of Use Cons Sonatype Nexus IQ Paid ($10,000+/year) Moderate Expensive, complex to use Synopsys Black Duck Paid ($20,000+/year) Moderate Expensive, complex to use WhiteSource Bolt Paid ($9,000+/year) Easy May not offer as many features and capabilities as the more mature SCA tools Snyk Free (for open source projects) Easy May not offer as many features and capabilities as the more mature SCA tools Dependency Track Open source Easy May not offer as many features and capabilities as the more mature SCA tools Dependabot Free (for public GitHub repositories) Easy Only available for public GitHub repositories, does not support all programming languages and package managers OWASP Dependency Checker Free Easy Lacks a lot of functionality 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 41 

Common SCA Tools 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 42 SCA Free Others Dependency Track Opensource OWASP Dep Snyk Dependabot Paid Low Budget Snyk WhiteSource Bolt High Budget Sonatype Nexus IQ Synopsys Black Duck 

Penetration Testing THE BAD GUYS 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 43 

Penetration Testing and DAST Tools •To ensure that the project produced is safe and of high quality, we perform Penetration Test using a suitable application. •Penetration Testing and DAST tools attempt to identify insecure processes, loose security settings or other weaknesses that an attacker could exploit. Examples of such instances include the transmission of unencrypted passwords, forgotten and unencrypted credentials etc. Penetration testing tools try to identify these vulnerabilities. •These tests need not be conducted as frequently but should be repeated on a regular basis. •The Penetration Tests can be automated and integrated to the development lifecycle, however DAST tools have some limitations, for example, they cannot detect all vulnerabilities, and they can be slow to scan large applications. This is why a developer can use these tools to test parts of the functionality he/she has developed, for ex a set of endpoints, and not the complete application. •Pen test may not detect business issues, this is why you need secure requirements •Pen test may not detect bad design, this is why you need secure design & code reviews 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 44 

Common Opensource DAST Tools 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 45 Tool Programming languages supported Attack types supported Scanning methods Features ZAP Wide Wide Active, passive Scripting, automation, extensibility W3AF Wide Wide Active, passive Scripting, automation, extensibility Nikto Limited Limited Active Limited Intruder Wide Wide Active Scripting, automation, extensibility Burp Suite Community Edition Wide Wide Active, passive Scripting, automation, extensibility AppScan Open Wide Wide Active, passive Scripting, automation, extensibility Detectify Community Edition Wide Wide Active, passive Scripting, automation, extensibility Acunetix Community Edition Wide Wide Active, passive Scripting, automation, extensibility Astra Pentest Community Edition Wide Wide Active, passive Scripting, automation, extensibility EASY Cloud Based 

Is it Over? AFTER I GO TO PRODUCTION? 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 46 

So is it Over? •After you go to production you need: • Frequent SAST and SCA checks to ensure your code is not in subject of new vulnerabilities • Regular penetration tests • A solid monitoring process for the above • A solid Risk management process to tackle the potential vulnerabilities 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 47 

My Counterexample App AND HOW THEY DID (ALMOST) EVERYTHING WRONG 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 48 

A “Typical” Government Application For the municipal and regional elections, the Greek government built an application for the registration of political formations (parties) and candidates. The application has all the phenotypic characteristics (looks alike) of an enterprise web application that you expect to be secured. §It was build by a major Greek company §It has an SSO OAuth2 login based on you Tax credentials §SSL secured §Belonged to a swarm of similar applications like tax returns etc. So I expected: üA secure requirement gathering üSecure Implementation üSecurity testing 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 49 

What it Does •The main purpose was for the registration of political formations (parties) and candidates. 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 50 A Candidate or a party logs in through an SSO Registers the party or verifies that he is registered Approves or rejects the his nomination SIMPLE? WHAT CAN GO WRONG RIGHT? 

What was the Problem 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 51 URL: https://xxxxx-some url-xxxxxx/validations/edit/56099 

What was the Problem 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 52 URL: https:// xxxxx-some url-xxxxxx /validations/edit/56000 I Could even remove him/her from the Elections! 

Trying to FIX the Issue* 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 53 •After several written communication attempts (including the minister) I got an answer from the portal: •THIS IS NOT OUR RESPONSIBILITY please contact …. * The issue is fixed now after several written communications 

What Went Wrong 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 54 Secure requirements Secure Design Code Review SAST Testing DAST Risk Assessment NO NO NO YES MAYBE MAYBE NO 

Conclusion 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 55 

Conclusion •This process described, which is not one of the well-known standards such as NIST 800-64, MS Security Development Lifecycle (MS SDL), OWASP CLASP differs in the fact that it does not require the developer to be highly skilled to apply it and produce secure software but teaches him/her how to write secure software and pushes him/her to evangelize these practices in his environment. In other words it adds education and automation to the lifecycle aiming for hustle free secure software creation. 15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 56 Secure Coding Standards Code Reviews Secure Deployments Debt Improvement Educate Educate Automate Automate 

15/10/2023 DEVOXX MA - PREVENTING SECURITY VULNERABILITIES IN A WEB APPLICATION ALEXIUS DIONYSIUS DIAKOGIANNIS 57 Blogging on: JEE.gr Twitting on: @Diakogiannis LinkedIn: @Diakogiannis ALEXIUS DIONYSIUS T. DIAKOGIANNIS Senior JAVA Solutions Architect & Squad Leader / EIB Tech Advisory Board Member / Packt Publishing