micro focus presentation template · transparent integration and automation the name of devsecops...

Post on 25-Sep-2020


Page 1: Micro Focus Presentation Template · transparent integration and automation the name of devsecops is speed go at the speed of development (daily scans of modified code) transparent

#MicroFocusCyberSummit

Shifting Security Left

Brenton Scott Witonski <><, Acxiom

Brandon Spruth, Target

Lucas von Stockhausen, Fortify

Bringing security into continuous integration and delivery

WHY ARE YOU HERE

You want to know WHAT shifting security left means

You want to know WHY you should shift left

You want to know HOW to shift left

WHAT is Shifting Security Left

Moving current activities left → Changing how you do security

Changing the location of the Compromise in order to reduce risk

Controlling development → Becoming a part of development

Software Development LifeCycle

WHY You Need to Shift Left

Shifting left (correctly) can change ALL of this!!!

Security: FROM → TO

WHY You Need to Shift Left

RESULTS: Actual Risk Reduction

HOW Can Security Shift Left

TRANSPARENT INTEGRATION AND AUTOMATION

THE NAME OF DEVSECOPS IS SPEED
GO AT THE SPEED OF DEVELOPMENT (DAILY SCANS OF MODIFIED CODE)

TRANSPARENT ACTIVITY
SCANS AND RESULTS SHOULD BE COMPLETED WITHOUT DEVELOPMENT STOPPING

DIRECT ACCESS TO SOURCE CODE
A DEVELOPER SHOULD NOT HAVE TO MANUALLY PROVIDE CODE TO SCAN

AUTOMATED SCANNING BASED ON RELEVANT CHANGES
A DEVELOPER SHOULD NOT HAVE TO WAIT ON RESULTS

Two Shift-Left Concepts for DEVSECOPS

ALLOW CRITICALS INTO PRODUCTION

tCell’s 2018 Q2 Report “Security Report for In-Production Web Applications”: an average of 34 DAYS to patch the most critical CVEs

IDEA: Patch Introduced Risk by Next Release

DIFFERENTIATE LEGACY VS INTRODUCED RISK

Immediately address introduced risk with developers in the existing or next release cycle

Work with application and product owners to reduce technical debt over time

IDEA: FOCUS ON THE NOW

NOW: REAL WORLD EXAMPLE

STEP 1: Identify Relevant Code

BitBucket/GitHub/SVN (TeamForge)

You need direct access to your repos as a security team

Use APIs and scripting to identify all repositories and branches having code changes

IDENTIFY ALL REPOS THAT HAVE CHANGED

CAPTURE REPO INFORMATION: ProjectName -> RepositoryName -> BranchName

Validate repository changes and capture commit metadata

GitHub example in Perl to pull repositories (one page, $i, of the paginated /user/repos listing):

    # Fetch page $i of the authenticated user's repositories from a GitHub
    # Enterprise instance. The escaped \& keeps the shell from treating the &
    # as a background operator when the command runs through backticks.
    my $github_proj_url = "https://git.instance.net/api/v3/user/repos?per_page=100\\&page=$i";
    chomp($github_proj_url);
    my $curl_proj_command = "curl -s -u <password>";   # <password>: credential placeholder from the slide
    $curl_proj_command .= " -X GET";
    $curl_proj_command .= " $github_proj_url";
    my $json_proj = `$curl_proj_command`;
    chomp($json_proj);
    my $decoded_json_proj = decode_json($json_proj);   # JSON::decode_json
    push @repo_values, @{$decoded_json_proj};          # accumulate repos across pages

STEP 2: Create Projects and Scan

FORTIFY PROJECT APIs

Define a naming standard for your SSC Project based on Code Repository Data

Generate Fortify API Access Token

Verify SSC Project exists, if not, create it

Pull the source code and scan it

Upload results to SSC

API snippet for generating a Fortify access token:

    # POST a UnifiedLoginToken request to SSC; the Basic header carries the
    # base64-encoded user:password and the token comes back in data.token.
    my $token_response = `curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: Basic $Base64_Encoded_Password' -d '{ "type": "UnifiedLoginToken" }' 'http://ssc_server_name.net:PORT/ssc/api/v1/tokens'`;
    chomp($token_response);
    my $decoded_json_commit = decode_json($token_response);
    my $t_response_code = $decoded_json_commit->{'responseCode'};
    print MSTRLOG "\nThe Token create response code was: $t_response_code\n";   # MSTRLOG: log filehandle opened elsewhere in the script
    my $token_value = $decoded_json_commit->{'data'}->{'token'};

STEP 3: Relevant Issue Identification

FORTIFY ISSUE APIs

For each issue, identify the issues of importance: Severity, Age, Category, Confidence Level, etc.

Label issues based on relevance to the current release, or as legacy issues that existed prior to the current release

Initiate a reporting mechanism (email, dashboard notification, etc.) for issues to stakeholders

CURRENT ISSUES – ACTIVE DEVELOPERS RESPONSIBLE

LEGACY ISSUES – PRODUCT OWNERS AND DEVELOPER LEADS

API snippet for Fortify issues:

    # List every issue (limit=-1) of one project version, ordered by priority.
    my $issue_response = `curl -X GET --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: FortifyToken $fortify_token' 'http://ssc_server_name.net:port/ssc/api/v1/projectVersions/$target_version_id/issues?limit=-1&orderby=priority&fields=priority'`;
    chomp($issue_response);
    my $decoded_json_issues = decode_json($issue_response);
    print Dumper $decoded_json_issues;   # Data::Dumper

What Tools Will You Need

1) TECHNICAL RESOURCE FOR PYTHON or PERL SCRIPTING

2) ACCESS TO YOUR SOURCE CODE REPOSITORY

3) SERVER WITH ACCESS TO SOURCE REPO AND SSC SERVER

What Now – Next Steps

NEXT 15 DAYS
Requisition a Linux server for testing
Research Repo and Fortify APIs and play with the examples provided

NEXT 30 DAYS
Write scripts to process your repository data
Write scripts to create SSC Projects

NEXT 60 DAYS
Write a scripting process to scan relevant repositories
Define the official process for Automated Static Scanning

Thank You.

#MicroFocusCyberSummit

Brenton Scott Witonski <><
E-mail: [email protected]
LinkedIn: https://www.linkedin.com/in/brentonwitonski
Personal: www.lovepala.com

Brandon Spruth

// Security as Code / Everything as Code

Not Just Scanners & Reports: Attack products and services like an attacker, providing remediation

Security As Code: Delivering value with frictionless, innovative and responsive processes

Be a Better Partner: Provide tests and insight beyond known anomalies

Products & Services: Create awesome products & services with feedback loops

Business strategy is achieved with the collaboration of all departments and providers in service to the customer, who requires better, faster, cheaper, secure products and services

Security Treadmill: Scaling your product security operations

SAST & DAST Testing: Updating and creating pipeline jobs for automated testing

Code Reviews: Hunting for security defects

Regulatory Compliance: Overcoming hurdles for laws, regulations, guidelines, and specifications

Bug Management: Issue management and justification with development teams; remediation

Threat Modeling: Consulting with design and architecture

Sublinear programs scale better than linear ones where budget, resources and workload increase year-over-year.

Contingency Planning

Change in leadership: Live for a cause and focus on outcomes

Break Industry Practices: Experiment beyond the typical taxonomy of tests

Decrease Resources: Company experiences a downturn in the market with cutbacks

Increase Workload: Greater development, more releases; overall velocity is up 25%

01 Plan for the worst but hope for the best!

02 Create use cases: Illustrate and discuss outside influences that would adversely affect your operations

03 Implement tests: Challenge the use-cases with hypotheticals

DevSecOps Scanning

I – Innovative: Flexible enough to complement the tech stack

R – Responsive: Simple onboarding with quick iterative scan duration

R – Reliable: Scan results need to be accurate and meaningful

F – Frictionless: Streamline process with quality experience

Dynamic Application Security Test Orchestration

Feedback → Remediate → Iterate → Scan (cycle)

WebBreaker Demos: Orchestration on DAST with a light-weight client

WebBreaker Installation & Configuration

WebBreaker Centralized Scan Management

WebBreaker with DevSecOps

WebBreaker Proxy & Swagger Integration

Contextual Scan Orchestration: Security-As-A-Service

Test Coverage: Achieve greater velocity of tests with wide adoption

Self-Service: Low barrier to entry for non-security professionals

Portability: Lightweight and practical enough to seamlessly integrate into a tech stack

Actionable Feedback: Provide reproduction steps and concise remediation guidance

Bonus Content – APIs

GIT STASH API – Repository

USE FOR GETTING A LIST OF YOUR REPOS IN A STASH GIT INSTANCE

    use JSON qw(decode_json);
    use Data::Dumper;

    # $proj_name is the Stash project key set by the caller; limit=300 asks for
    # up to 300 repositories in a single page of results.
    my $stash_repo_url = "https://stash.company.com/rest/api/1.0/projects/$proj_name/repos?limit=300";
    chomp($stash_repo_url);
    my $curl_repo_command = "curl -s -u <password>";   # <password>: credential placeholder from the slide
    $curl_repo_command .= " -X GET";
    $curl_repo_command .= " $stash_repo_url";
    my $json_repo = `$curl_repo_command`;
    die "Could not get $stash_repo_url!" unless defined $json_repo;
    chomp($json_repo);
    my $decoded_json_repo = decode_json($json_repo);
    print "\n\n#################\n\tSTART REPO DUMP\n#################\n";
    print Dumper $decoded_json_repo;

GIT STASH API – Commits

USE TO GET COMMIT DATA FOR EACH REPO IN STASH GIT INSTANCE

    use JSON qw(decode_json);
    use Data::Dumper;

    # limit=1 returns only the newest commit, which is enough to decide whether
    # the repository changed since the last scan. $proj_name and $repo_name
    # come from the repository listing above.
    my $stash_commit_url = "https://stash.company.com/rest/api/1.0/projects/$proj_name/repos/$repo_name/commits?limit=1";
    chomp($stash_commit_url);
    my $curl_commit_cmd = "curl -s -u <password>";   # <password>: credential placeholder from the slide
    $curl_commit_cmd .= " -X GET";
    $curl_commit_cmd .= " $stash_commit_url";
    my $json_commit = `$curl_commit_cmd`;
    chomp($json_commit);
    my $decoded_json_commit = decode_json($json_commit);
    print "\n\n#################\n\tSTART COMMIT DUMP\n#################\n";
    print Dumper $decoded_json_commit;

GIT GITHUB API – Repository

LOOP THROUGH TO GET A LIST OF REPOS FROM YOUR GITHUB INSTANCE

    use JSON qw(decode_json);

    my @repo_values;
    for (my $i = 1; ; $i++) {
        # Page $i of the authenticated user's repositories, 100 per page. The
        # escaped \& stops the shell from backgrounding the command at the &.
        my $github_proj_url = "https://git.instance.net/api/v3/user/repos?per_page=100\\&page=$i";
        chomp($github_proj_url);
        my $curl_proj_command = "curl -s -u <password>";   # <password>: credential placeholder from the slide
        $curl_proj_command .= " -X GET";
        $curl_proj_command .= " $github_proj_url";
        my $json_proj = `$curl_proj_command`;
        chomp($json_proj);
        my $decoded_json_proj = decode_json($json_proj);
        last unless @{$decoded_json_proj};   # an empty page means the listing is exhausted
        push @repo_values, @{$decoded_json_proj};
    }

FORTIFY API – Generate Token

CREATE A TOKEN USING A BASE64-ENCODED PASSWORD

BASE64 ENCODING EXAMPLE: https://www.base64encode.org/

    use JSON qw(decode_json);

    # $Base64_Encoded_Password holds base64("user:password"). SSC answers with a
    # responseCode and data.token; later calls send the token as
    # 'Authorization: FortifyToken <token>'.
    my $token_response = `curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: Basic $Base64_Encoded_Password' -d '{ "type": "UnifiedLoginToken" }' 'http://ssc_server_name.net:port/ssc/api/v1/tokens'`;
    chomp($token_response);
    my $decoded_json_commit = decode_json($token_response);
    my $t_response_code = $decoded_json_commit->{'responseCode'};
    print MSTRLOG "\nThe Token create response code was: $t_response_code\n";   # MSTRLOG: log filehandle opened elsewhere in the script
    my $token_value = $decoded_json_commit->{'data'}->{'token'};

FORTIFY API – Get Project ID

    use JSON qw(decode_json);
    use Data::Dumper;

    # Look up an SSC project id by name. Argument: ($project_name); uses the
    # global $fortify_token. Returns (name, id) on a match, an empty list otherwise.
    sub get_proj_id {
        my $all_ssc_projects_response = `curl -X GET --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: FortifyToken $fortify_token' 'http://ssc_server_name.net:port/ssc/api/v1/projects?limit=-1&fulltextsearch=false'`;
        chomp($all_ssc_projects_response);
        my $decoded_json_projects = decode_json($all_ssc_projects_response);
        print Dumper $decoded_json_projects;
        my $total_ssc_projects = $decoded_json_projects->{'count'};
        print "The total number of ssc_projects are: $total_ssc_projects\n\n";
        my @proj_values = @{ $decoded_json_projects->{'data'} };
        foreach my $v (@proj_values) {
            my $project_name = $v->{'name'};
            my $project_id   = $v->{'id'};
            chomp($project_name);
            chomp($project_id);
            if ($_[0] eq $project_name) {
                print "Project name is: $project_name and Project id is: $project_id\n";
                return ($project_name, $project_id);
            }
        }
        return;   # no project with that name
    }

FORTIFY API – Get Version ID

    use JSON qw(decode_json);

    # Look up a project version id. Arguments: ($project_id, $version_name);
    # uses the global $fortify_token. Returns (name, id) on a match, an empty list otherwise.
    sub get_version_id {
        my $ssc_versions_response = `curl -X GET --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: FortifyToken $fortify_token' 'http://ssc_server_name.net:port/ssc/api/v1/projects/$_[0]/versions'`;
        chomp($ssc_versions_response);
        my $decoded_json_projects = decode_json($ssc_versions_response);
        my @version_values = @{ $decoded_json_projects->{'data'} };
        foreach my $vv (@version_values) {
            my $version_name = $vv->{'name'};
            my $version_id   = $vv->{'id'};
            chomp($version_name);
            chomp($version_id);
            if ($_[1] eq $version_name) {
                print "Version name is: $version_name and Version id is: $version_id\n";
                return ($version_name, $version_id);
            }
        }
        return;   # no version with that name under this project
    }

FORTIFY API – Create SSC Project

    use JSON qw(decode_json);

    # Arguments: ($proj_name, $version_name, $description, $token). One POST to
    # /projectVersions with a nested "project" object creates the project and its
    # first version together; returns the new project version id. issueTemplateId
    # and masterAttrGuid are the values from the slide.
    sub create_ssc_project {
        print "\t\tPassed into the sub create ssc project values are proj_name: $_[0] and repo_name: $_[1] and description: $_[2] and token: $_[3]\n";
        my $create_response = `curl -X POST --header 'Content-Type: application/json' --header 'Authorization: FortifyToken $_[3]' -d '{"description": "$_[2]", "name": "$_[1]", "issueTemplateId": "Prioritized-HighRisk-Project-Template", "masterAttrGuid": "87f2364f-dcd4-49e6-861d-f8d3f351686b", "objectVersion": 3, "project": {"description": "$_[2]", "issueTemplateId": "Prioritized-HighRisk-Project-Template", "name": "$_[0]"} }' 'http://ssc_server_name.net:port/ssc/api/v1/projectVersions'`;
        chomp($create_response);
        my $decoded_json_commit = decode_json($create_response);
        # print Dumper $decoded_json_commit;
        my $id = $decoded_json_commit->{'data'}->{'id'};
        return $id;
    }

FORTIFY API – Create SSC Project Version

    use JSON qw(decode_json);
    use Data::Dumper;

    # Arguments: ($project_id, $version_name, $description, $token). Adds a
    # version under an existing project; returns the new project version id.
    sub create_ssc_project_version {
        print "\t\tPassed into the sub create ssc project version values are proj_name: $_[0] and version_name: $_[1] and description: $_[2] and token: $_[3]\n";
        my $create_response = `curl -X POST --header 'Content-Type: application/json' --header 'Authorization: FortifyToken $_[3]' -d '{"description": "$_[2]", "name": "$_[1]", "issueTemplateId": "Prioritized-HighRisk-Project-Template", "masterAttrGuid": "87f2364f-dcd4-49e6-861d-f8d3f351686b"}' 'http://ssc_server_name.net:port/ssc/api/v1/projects/$_[0]/versions'`;
        chomp($create_response);
        my $decoded_json_commit = decode_json($create_response);
        print Dumper $decoded_json_commit;
        my $id = $decoded_json_commit->{'data'}->{'id'};
        return $id;
    }

FORTIFY API – Update Project Attributes

    use JSON qw(decode_json);
    use Data::Dumper;

    # Arguments: ($project_version_id, $token). Sets the attributes a version needs
    # before it can be committed; the attributeDefinitionIds (5, 6, 7) and the guids
    # (Active, Internal, internalnetwork) are those of the presenters' SSC instance.
    sub update_ssc_project_attributes {
        print "\t\tPassed into the sub update ssc project attributes values are proj_id: $_[0] and token: $_[1]\n";
        my $update_att_response = `curl -X PUT --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: FortifyToken $_[1]' -d '[{"attributeDefinitionId":5,"values":[{"guid":"Active"}]}, {"attributeDefinitionId":6,"values":[{"guid":"Internal"}]}, {"attributeDefinitionId":7,"values":[{"guid":"internalnetwork"}]}]' 'http://ssc_server_name.net:port/ssc/api/v1/projectVersions/$_[0]/attributes'`;
        chomp($update_att_response);
        my $decoded_json_commit = decode_json($update_att_response);
        print Dumper $decoded_json_commit;
        my $u_att_response_code = $decoded_json_commit->{'responseCode'};
        print "\nThe update attributes response code was: $u_att_response_code\n";
    }

FORTIFY API – Update Project Processing Rules

    use JSON qw(decode_json);
    use Data::Dumper;

    # Arguments: ($project_version_id, $token). All 15 result-processing rules are
    # set to enabled:false so automated uploads are never held for manual approval.
    # Note that this also switches off the certification, engine-version and
    # rulepack-mismatch checks, so the trade-off should be a conscious one.
    sub update_ssc_project_proc_rules {
        print "\t\tPassed into the sub update ssc project processing rules values are proj_id: $_[0] and token: $_[1]\n";
        my $update_pr_response = `curl -X PUT --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: FortifyToken $_[1]' -d '[
            {"displayName": "Require approval if the Build Project is different between scans", "identifier": "com.fortify.manager.BLL.processingrules.BuildProjectProcessingRule", "displayable": true, "enabled": false},
            {"displayName": "Check external metadata file versions in scan against versions on server.", "identifier": "com.fortify.manager.BLL.processingrules.ExternalListVersionProcessingRule", "displayable": true, "enabled": false},
            {"displayName": "Require approval if file count differs by more than 10%", "identifier": "com.fortify.manager.BLL.processingrules.FileCountProcessingRule", "displayable": true, "enabled": false},
            {"displayName": "Require approval if result has Fortify Java Annotations", "identifier": "com.fortify.manager.BLL.processingrules.FortifyAnnotationsProcessingRule", "displayable": true, "enabled": false},
            {"displayName": "Require approval if line count differs by more than 10%", "identifier": "com.fortify.manager.BLL.processingrules.LOCCountProcessingRule", "displayable": true, "enabled": false},
            {"displayName": "Automatically perform Instance ID migration on upload", "identifier": "com.fortify.manager.BLL.processingrules.MigrationProcessingRule", "displayable": true, "enabled": false},
            {"displayName": "Require approval if the engine version of a scan is newer than the engine version of the previous scan", "identifier": "com.fortify.manager.BLL.processingrules.NewerEngineVersionProcessingRule", "displayable": true, "enabled": false},
            {"displayName": "Ignore SCA Scans performed in QuickScan mode", "identifier": "com.fortify.manager.BLL.processingrules.QuickScanProcessingRule", "displayable": true, "enabled": false},
            {"displayName": "Require approval if the rulepacks used in the scan do not match the rulepacks used in the previous scan", "identifier": "com.fortify.manager.BLL.processingrules.RulePackVersionProcessingRule", "displayable": true, "enabled": false},
            {"displayName": "Require approval if SCA or WebInspectAgent scan does not have valid certification", "identifier": "com.fortify.manager.BLL.processingrules.ValidCertificationProcessingRule", "displayable": true, "enabled": false},
            {"displayName": "Require approval if result has analysis warnings", "identifier": "com.fortify.manager.BLL.processingrules.WarningProcessingRule", "displayable": true, "enabled": false},
            {"displayName": "Warn if audit information includes unknown custom tag", "identifier": "com.fortify.manager.BLL.processingrules.UnknownOrDisallowedAuditedAttrChecker", "displayable": true, "enabled": false},
            {"displayName": "Require the issue audit permission to upload audited analysis files", "identifier": "com.fortify.manager.BLL.processingrules.AuditedAnalysisRule", "displayable": true, "enabled": false},
            {"displayName": "Disallow upload of analysis results if there is one pending approval", "identifier": "com.fortify.manager.BLL.processingrules.PendingApprovalChecker", "displayable": true, "enabled": false},
            {"displayName": "Disallow approval for processing if an earlier artifact requires approval", "identifier": "com.fortify.manager.BLL.processingrules.VetoCascadingApprovalProcessingRule", "displayable": true, "enabled": false}
        ]' 'http://ssc_server_name.net:port/ssc/api/v1/projectVersions/$_[0]/resultProcessingRules'`;
        chomp($update_pr_response);
        my $decoded_json_commit = decode_json($update_pr_response);
        print Dumper $decoded_json_commit;
        my $u_pr_response_code = $decoded_json_commit->{'responseCode'};
        print "\nThe update process rules response code was: $u_pr_response_code\n";
    }

FORTIFY API – Commit SSC Project

    use JSON qw(decode_json);
    use Data::Dumper;

    # Arguments: ($project_version_id, $token). Marks the version as committed so
    # scan results can be uploaded to it.
    sub commit_ssc_project {
        print "\t\tPassed into the sub commit ssc project values are proj_id: $_[0] and token: $_[1]\n";
        my $commit_response = `curl -X PUT --header 'Accept: application/json' --header 'Content-Type: application/json' --header 'Authorization: FortifyToken $_[1]' -d '{ "committed":"true"}' 'http://ssc_server_name.net:port/ssc/api/v1/projectVersions/$_[0]'`;
        chomp($commit_response);
        my $decoded_json_commit = decode_json($commit_response);
        print Dumper $decoded_json_commit;
        my $c_response_code = $decoded_json_commit->{'responseCode'};
        print "\nThe commit project response code was: $c_response_code\n";
    }

FORTIFY API – Get Project Version Issues

    use JSON qw(decode_json);
    use Data::Dumper;

    # All issues (limit=-1) of one project version, ordered by priority.
    # $target_version_id comes from get_version_id; $fortify_token from the token call.
    my $issue_response = `curl -X GET --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: FortifyToken $fortify_token' 'http://ssc_server_name.net:port/ssc/api/v1/projectVersions/$target_version_id/issues?limit=-1&orderby=priority&fields=priority'`;
    chomp($issue_response);
    my $decoded_json_issues = decode_json($issue_response);
    print Dumper $decoded_json_issues;

FORTIFY API – Get Issue Details

    use JSON qw(decode_json);
    use Data::Dumper;

    # $issue_href: the per-issue detail URL for one entry of the issue listing.
    my $issue_detail_response = `curl -X GET --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: FortifyToken $fortify_token' '$issue_href'`;
    chomp($issue_detail_response);
    my $decoded_json_issues_det = decode_json($issue_detail_response);
    print "\n\n#############################\n\tSTART ISSUE DETAILS DUMP\n#############################\n";
    print Dumper $decoded_json_issues_det;

Bonus Content – PROCESS

STEP 1: Identify Relevant Code

1. LOOP THROUGH API COMMAND TO CAPTURE ALL REPOSITORIES

2. FOR EACH REPOSITORY CAPTURE COMMIT DATA AND EVALUATE FOR RELEVANCE

3. CAPTURE USER DATA OF COMMITS FOR LATER REPORTING

4. CREATE LIST OF RELEVANT REPOSITORIES FOR PROCESSING
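Steps 1 to 4 above as an added Python example (not the presenters' code): it takes repository and commit listings in the shape of the Stash replies the deck queries, keeps only repositories with a commit inside the scan window, carries the committer data for later reporting, and derives the SSC project and version names from ProjectName -> RepositoryName -> BranchName. The JSON is constructed sample data, and the naming standard `PROJECTKEY_repo` for the project and the branch for the version is an assumption.

```python
import json
from datetime import datetime, timezone

# Constructed sample data shaped like the Stash REST replies the deck calls
# (/projects/{key}/repos and /projects/{key}/repos/{slug}/commits?limit=1).
# Every value below is invented for this example.
SAMPLE_REPOS = json.loads("""
{"size": 3, "values": [
  {"slug": "payments-api", "project": {"key": "PAY"}},
  {"slug": "payments-web", "project": {"key": "PAY"}},
  {"slug": "legacy-batch", "project": {"key": "PAY"}}
]}""")

SAMPLE_COMMITS = {  # keyed by repo slug; authorTimestamp is epoch milliseconds, as in Stash
    "payments-api": {"values": [{"id": "a1b2c3d4e5f6", "authorTimestamp": 1600905600000,
                     "author": {"name": "dev.one", "emailAddress": "dev.one@example.invalid"},
                     "message": "Add refund endpoint"}]},                   # 2020-09-24
    "payments-web": {"values": [{"id": "0f1e2d3c4b5a", "authorTimestamp": 1598918400000,
                     "author": {"name": "dev.two", "emailAddress": "dev.two@example.invalid"},
                     "message": "Bump UI library"}]},                        # 2020-09-01
    "legacy-batch": {"values": []},                                          # no commits at all
}


def latest_commit(commits_json):
    """Newest commit of a repo from a commits?limit=1 reply, or None for an empty repo."""
    values = commits_json.get("values", [])
    if not values:
        return None
    c = values[0]
    return {
        "id": c["id"],
        "author": c["author"]["name"],
        "email": c["author"].get("emailAddress", ""),
        "when": datetime.fromtimestamp(c["authorTimestamp"] / 1000, tz=timezone.utc),
        "message": c.get("message", ""),
    }


def ssc_names(project_key, repo_slug, branch):
    """Naming standard assumed for the example: SSC project = KEY_repo, SSC version = branch."""
    return f"{project_key}_{repo_slug}", branch


def relevant_repos(repos_json, commits_by_repo, since_iso, branch="master"):
    """Steps 2-4: keep repos whose newest commit is at or after `since_iso` (an
    ISO-8601 UTC timestamp, e.g. the time of the previous daily scan) and record
    the committer so introduced issues can later be routed back to them."""
    since = datetime.fromisoformat(since_iso.replace("Z", "+00:00"))
    selected = []
    for repo in repos_json["values"]:
        slug, key = repo["slug"], repo["project"]["key"]
        head = latest_commit(commits_by_repo.get(slug, {}))
        if head is None or head["when"] < since:
            continue  # empty repo or untouched since the last scan: nothing new to scan
        ssc_project, ssc_version = ssc_names(key, slug, branch)
        selected.append({
            "project": key, "repo": slug, "branch": branch,
            "ssc_project": ssc_project, "ssc_version": ssc_version,
            "commit": head["id"], "author": head["author"], "email": head["email"],
            "committed": head["when"].isoformat(),
        })
    return selected


if __name__ == "__main__":
    for entry in relevant_repos(SAMPLE_REPOS, SAMPLE_COMMITS, "2020-09-20T00:00:00Z"):
        print(f"{entry['ssc_project']}/{entry['ssc_version']} changed by "
              f"{entry['author']} ({entry['commit'][:7]})")
```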

STEP 2: CREATE PROJECTS AND SCAN

1. GENERATE YOUR FORTIFY ACCESS TOKEN

2. USING THE LIST OF REPOS FOUND, VALIDATE WHETHER AN SSC PROJECT EXISTS FOR THE CODE REPOSITORY

3. IF NOT, THEN CREATE THE SSC PROJECT
   1. Create the Project
   2. Create the Project Version
   3. Update Project Attributes
   4. Update Project Processing Rules
   5. Commit SSC Project

4. SCAN CODE REPOSITORY AND UPLOAD RESULTS TO SSC PROJECT
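Steps 2 and 3 above as an added Python example (not the presenters' code): the same name-to-id lookups that the deck's get_proj_id and get_version_id subs perform, turned into an idempotent decision of which create, update and commit calls are still needed for a repository. The SSC replies are constructed samples keyed by API path, and the fake_get stand-in replaces the curl call so the block runs offline.

```python
import json

# Constructed sample replies shaped like SSC's /api/v1/projects and
# /api/v1/projects/{id}/versions responses (count + data[id, name]);
# the ids and names are invented for this example.
FAKE_SSC = {
    "/api/v1/projects": json.loads(
        '{"count": 2, "data": [{"id": 11, "name": "PAY_payments-api"},'
        ' {"id": 12, "name": "PAY_payments-web"}]}'),
    "/api/v1/projects/11/versions": json.loads('{"count": 1, "data": [{"id": 101, "name": "master"}]}'),
    "/api/v1/projects/12/versions": json.loads('{"count": 0, "data": []}'),
}


def fake_get(path):
    """Stand-in for the deck's `curl -X GET ... 'Authorization: FortifyToken ...'` call."""
    return FAKE_SSC.get(path, {"count": 0, "data": []})


def find_id(listing, name):
    """Exact-name match over a count/data listing, like the foreach in get_proj_id."""
    for entry in listing.get("data", []):
        if entry["name"] == name:
            return entry["id"]
    return None


def ensure_version(get, project_name, version_name):
    """Return the SSC ids found plus the ordered (method, path) calls still needed
    so that project_name/version_name exists and is committed before scanning."""
    post_create = [  # the deck's update attributes, update processing rules and commit steps
        ("PUT", "/api/v1/projectVersions/{new_version_id}/attributes"),
        ("PUT", "/api/v1/projectVersions/{new_version_id}/resultProcessingRules"),
        ("PUT", "/api/v1/projectVersions/{new_version_id}"),  # body {"committed": true}
    ]
    project_id = find_id(get("/api/v1/projects"), project_name)
    if project_id is None:
        # create_ssc_project: one POST with the nested "project" creates project and version
        return {"project_id": None, "version_id": None,
                "actions": [("POST", "/api/v1/projectVersions")] + post_create}
    version_id = find_id(get(f"/api/v1/projects/{project_id}/versions"), version_name)
    if version_id is None:
        # create_ssc_project_version under the existing project
        return {"project_id": project_id, "version_id": None,
                "actions": [("POST", f"/api/v1/projects/{project_id}/versions")] + post_create}
    return {"project_id": project_id, "version_id": version_id, "actions": []}  # reuse it, go scan


if __name__ == "__main__":
    for name in ("PAY_payments-api", "PAY_payments-web", "PAY_legacy-batch"):
        plan = ensure_version(fake_get, name, "master")
        print(name, "->", plan["version_id"] or [m + " " + p for m, p in plan["actions"]])
```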

STEP 3: Relevant Issue Identification

1. GENERATE YOUR FORTIFY ACCESS TOKEN

2. USE PROJECT ID AND VERSION ID TO CAPTURE LIST OF ISSUES

3. FOR EACH ISSUE, CAPTURE METADATA

4. EVALUATE METADATA FOR RELEVANCE (LEGACY OR INTRODUCED RISK)

5. CONSOLIDATE ISSUES AND REPORT TO APPROPRIATE STAKEHOLDERS

6. GATHER METRICS AND EVALUATE
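Steps 3 to 6 above as an added Python example (not the presenters' code): it filters an SSC issue listing down to the issues of importance by severity and confidence, labels each as introduced (first found on or after the release start) or legacy, routes introduced issues to the active committers and legacy issues to product owners, and counts the result for metrics. The issue list is a constructed sample; the field names follow SSC's issue model, the values are invented.

```python
from datetime import datetime

# Constructed sample shaped like SSC's /projectVersions/{id}/issues reply;
# field names (friority, confidence, foundDate, scanStatus, issueName) follow
# SSC's issue model, every value is invented for this example.
SAMPLE_ISSUES = {"count": 4, "data": [
    {"id": 1, "issueName": "SQL Injection", "friority": "Critical", "confidence": 5.0,
     "foundDate": "2020-09-24T10:00:00.000+0000", "scanStatus": "NEW",
     "primaryLocation": "RefundDao.java", "lineNumber": 88},
    {"id": 2, "issueName": "Path Manipulation", "friority": "High", "confidence": 4.5,
     "foundDate": "2020-07-01T09:00:00.000+0000", "scanStatus": "UPDATED",
     "primaryLocation": "ExportJob.java", "lineNumber": 140},
    {"id": 3, "issueName": "Poor Logging Practice", "friority": "Low", "confidence": 5.0,
     "foundDate": "2020-09-24T10:00:00.000+0000", "scanStatus": "NEW",
     "primaryLocation": "RefundDao.java", "lineNumber": 12},
    {"id": 4, "issueName": "Cross-Site Scripting", "friority": "High", "confidence": 2.0,
     "foundDate": "2020-09-20T08:00:00.000+0000", "scanStatus": "NEW",
     "primaryLocation": "Checkout.jsp", "lineNumber": 61},
]}

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


def parse_ssc_date(text):
    """SSC dates look like 2020-09-24T10:00:00.000+0000."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%f%z")


def is_important(issue, min_severity="High", min_confidence=4.0):
    """Step 3's importance filter: severity at or above the floor and a confidence
    score high enough to be worth a developer's time (thresholds are assumptions)."""
    return (SEVERITY_RANK[issue["friority"]] >= SEVERITY_RANK[min_severity]
            and issue["confidence"] >= min_confidence)


def classify(issue, release_start):
    """Step 4: first found on or after the release start = introduced risk,
    anything older = legacy debt that predates the current release."""
    return "introduced" if parse_ssc_date(issue["foundDate"]) >= parse_ssc_date(release_start) else "legacy"


def route_issues(issues_json, release_start, as_of, committers, owners, **filter_args):
    """Steps 5 and 6: consolidate the important issues per audience, ready for the
    email or dashboard notification, and count them for the metrics slide.
    introduced -> active committers (from Step 1), legacy -> product owners/dev leads."""
    report = {
        "introduced": {"recipients": list(committers), "issues": []},
        "legacy": {"recipients": list(owners), "issues": []},
        "metrics": {"introduced": 0, "legacy": 0, "filtered_out": 0},
    }
    now = parse_ssc_date(as_of)
    for issue in issues_json["data"]:
        if not is_important(issue, **filter_args):
            report["metrics"]["filtered_out"] += 1
            continue
        bucket = classify(issue, release_start)
        report[bucket]["issues"].append({
            "id": issue["id"], "name": issue["issueName"], "severity": issue["friority"],
            "where": f"{issue['primaryLocation']}:{issue['lineNumber']}",
            "age_days": (now - parse_ssc_date(issue["foundDate"])).days,
        })
        report["metrics"][bucket] += 1
    return report


if __name__ == "__main__":
    result = route_issues(SAMPLE_ISSUES, "2020-09-15T00:00:00.000+0000", "2020-09-25T00:00:00.000+0000",
                          ["dev.one@example.invalid"], ["po.pay@example.invalid"])
    for bucket in ("introduced", "legacy"):
        print(bucket, "->", result[bucket]["recipients"], [i["where"] for i in result[bucket]["issues"]])
    print("metrics:", result["metrics"])
```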
