TRANSCRIPT
#MicroFocusCyberSummit
Shifting Security Left
Brenton Scott Witonski <>< , Acxiom
Brandon Spruth, Target
Lucas von Stockhausen, Fortify
Bringing security into continuous integration and delivery
WHY ARE YOU HERE
You want to know WHAT shifting security left means
You want to know WHY you should shift left
You want to know HOW to shift left
WHAT is Shifting Security Left
Moving current activities left
Changing how you do security
Changing the location of the compromise in order to reduce risk
Controlling development
Becoming a part of development
Software Development LifeCycle
WHY You Should Shift Left
Shifting left (correctly) can change ALL of this!!!
Security: FROM → TO (comparison figure)
WHY You Should Shift Left
HOW Can Security Shift Left
RESULTS: Actual Risk Reduction
TRANSPARENT INTEGRATION AND AUTOMATION
THE NAME OF DEVSECOPS IS SPEED
GO AT THE SPEED OF DEVELOPMENT (DAILY SCANS OF MODIFIED CODE)
TRANSPARENT ACTIVITY
SCANS AND RESULTS SHOULD BE COMPLETED WITHOUT DEVELOPMENT STOPPING
DIRECT ACCESS TO SOURCE CODE
A DEVELOPER SHOULD NOT HAVE TO MANUALLY PROVIDE CODE TO SCAN
AUTOMATED SCANNING BASED ON RELEVANT CHANGES
A DEVELOPER SHOULD NOT HAVE TO WAIT ON RESULTS
Two Shift-Left Concepts for DEVSECOPS
ALLOW CRITICALS INTO PRODUCTION
tCell’s 2018 Q2 Report “Security Report for In-Production Web Applications”
Average of 34 DAYS to patch the most critical CVEs
IDEA: Patch Introduced Risk by Next Release
DIFFERENTIATE LEGACY VS INTRODUCED RISK
Immediately address introduced risk with developers in the existing or next release cycle
Work with application and product owners to reduce technical debt over time
IDEA: FOCUS ON THE NOW
STEP 1: Identify Relevant Code
NOW: REAL WORLD EXAMPLE
BitBucket/GitHub/SVN (TeamForge)
You need direct access to your repos as a security team
Use APIs and scripting to identify all repositories and branches having code changes
IDENTIFY ALL REPOS THAT HAVE CHANGED
CAPTURE REPO INFORMATION: ProjectName -> RepositoryName -> BranchName
Validate repository changes and capture commit metadata

GITHUB Example in PERL to pull Repositories (one page of results; $i is the page number)
use JSON;
# <user>:<password> is a placeholder for the GitHub credentials. Quoting the URL keeps the
# shell from treating & as a background operator, so no backslash escaping is needed.
my @repo_values;
my $i = 1;   # page counter; the full script loops over pages until one comes back empty
my $github_proj_url = "https://git.instance.net/api/v3/user/repos?per_page=100&page=$i";
my $curl_proj_command = "curl -s -u '<user>:<password>' -X GET '$github_proj_url'";
my $json_proj = `$curl_proj_command`;
chomp($json_proj);
my $decoded_json_proj = decode_json($json_proj);   # array ref of repository objects
push @repo_values, @{$decoded_json_proj};
STEP 2: Create Projects and Scan
FORTIFY PROJECT APIs
Define a naming standard for your SSC Project based on Code Repository Data
Generate Fortify API Access Token
Verify SSC Project exists, if not, create it
Pull the source code and scan it
Upload results to SSC

API Snippet for generating a Fortify Access Token
use JSON;
# $Base64_Encoded_Password holds base64("user:password"); MSTRLOG is an already-opened log
# filehandle; ssc_server_name.net:port is a placeholder for your SSC host and port.
my $token_response = `curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: Basic $Base64_Encoded_Password' -d '{ "type": "UnifiedLoginToken" }' 'http://ssc_server_name.net:port/ssc/api/v1/tokens'`;
chomp($token_response);
my $decoded_json_token = decode_json($token_response);
my $t_response_code = $decoded_json_token->{'responseCode'};
print MSTRLOG "\nThe Token create response code was: $t_response_code\n";
my $token_value = $decoded_json_token->{'data'}->{'token'};   # sent later as "Authorization: FortifyToken ..."
STEP 3: Relevant Issue Identification
FORTIFY ISSUE APIs
For each issue, identify the issues of importance: Severity, Age, Category, Confidence Level, etc.
Label issues based on relevance to the current release, or as legacy issues existing prior to the current release
Initiate reporting mechanism (email, dashboard notification, etc) for issues to stakeholders:
CURRENT ISSUES – ACTIVE DEVELOPERS RESPONSIBLE
LEGACY ISSUES – PRODUCT OWNERS AND DEVELOPER LEADS

API Snippet for Fortify Issues
use JSON;
use Data::Dumper;
# $fortify_token comes from the token call above; $target_version_id is the SSC project version id.
my $issue_response = `curl -X GET --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: FortifyToken $fortify_token' 'http://ssc_server_name.net:port/ssc/api/v1/projectVersions/$target_version_id/issues?limit=-1&orderby=priority&fields=priority'`;
chomp($issue_response);
my $decoded_json_issues = decode_json($issue_response);
print Dumper $decoded_json_issues;
What Tools Will You Need
1) TECHNICAL RESOURCE FOR PYTHON or PERL SCRIPTING
2) ACCESS TO YOUR SOURCE CODE REPOSITORY
3) SERVER WITH ACCESS TO SOURCE REPO AND SSC SERVER

What Now – Next Steps
NEXT 15 DAYS
Requisition a Linux server for testing
Research Repo and Fortify APIs and play with the examples provided
NEXT 30 DAYS
Write scripts to process your repository data
Write scripts to create SSC Projects
NEXT 60 DAYS
Write scripting process to scan relevant repositories
Define the official process for Automated Static Scanning
Thank You.
Brenton Scott Witonski <><
E-mail: [email protected]
LinkedIn: https://www.linkedin.com/in/brentonwitonski
Personal: www.lovepala.com
Brandon Spruth
Not Just Scanners & Reports: Attack products and services like an attacker, providing remediation
Security As Code: Delivering value with frictionless, innovative and responsive processes
Be a Better Partner: Provide tests and insight beyond known anomalies
Products & Services: Create awesome products & services with feedback loops
Business strategy is achieved with the collaboration of all departments and providers in service to the customer, who requires better, faster, cheaper, secure products and services.
// Security as Code / Everything as Code
Security Treadmill: Scaling your product security operations
SAST & DAST Testing: Updating and creating pipeline jobs for automated testing
Code Reviews: Hunting for security defects
Regulatory Compliance: Overcoming hurdles for laws, regulations, guidelines, and specifications
Bug Management: Issue management and justification with development teams' remediation
Threat Modeling: Consulting with design and architecture
Sublinear programs scale better than linear ones where budget, resources and workload increase year-over-year.
(chart: linear vs sublinear growth of security workload over five years)
Change in leadership: Live for a cause and focus on outcomes
Break Industry Practices: Experiment beyond the typical taxonomy of tests
Decrease Resources: Company experiences a downturn in the market with cutbacks
Increase Workload: Greater development, more releases; overall velocity is up 25%
01 Contingency Planning: Plan for the worst but hope for the best!
02 Create use cases: Illustrate and discuss outside influences that would adversely affect your operations
03 Implement tests: Challenge the use-cases with hypotheticals
DevSecOps Scanning
I, Innovative: Flexible enough to complement the tech stack
R, Responsive: Simple onboarding with quick iterative scan duration
R, Reliable: Scan results need to be accurate and meaningful
F, Frictionless: Streamline process with quality experience
Dynamic Application Security Test Orchestration (cycle)
Feedback
Remediate
Iterate
Scan
WebBreaker Demos: Orchestration on DAST with a light-weight client
WebBreaker Installation & Configuration
WebBreaker Centralized Scan Management
WebBreaker with DevSecOps
WebBreaker Proxy & Swagger Integration
Security-As-A-Service: Contextual Scan Orchestration
Test Coverage: Achieve greater velocity of tests with wide adoption
Self-Service: Low barrier to entry for non-security professionals
Portability: Lightweight and practical enough to seamlessly integrate into a tech stack
Actionable Feedback: Provide reproduction steps and concise remediation guidance
Bonus Content – APIs
GIT STASH API – Repository
USE FOR GETTING A LIST OF YOUR REPOS IN A STASH GIT INSTANCE
use JSON;
use Data::Dumper;
# $proj_name is the Stash project key; '<user>:<password>' is a credential placeholder.
my $stash_repo_url = "https://stash.company.com/rest/api/1.0/projects/$proj_name/repos?limit=300";
my $curl_repo_command = "curl -s -u '<user>:<password>' -X GET '$stash_repo_url'";
my $json_repo = `$curl_repo_command`;
# backticks return an empty string (not undef) when curl fails, so check $? and the length
die "Could not get $stash_repo_url!" if $? != 0 || !length $json_repo;
chomp($json_repo);
my $decoded_json_repo = decode_json($json_repo);
print "\n\n#################\n\tSTART REPO DUMP\n#################\n";
print Dumper $decoded_json_repo;
GIT STASH API – Commits
USE TO GET COMMIT DATA FOR EACH REPO IN STASH GIT INSTANCE
use JSON;
use Data::Dumper;
# $proj_name / $repo_name come from the repository listing; limit=1 returns only the newest
# commit, which is enough to decide whether the repository changed since the last scan.
my $stash_commit_url = "https://stash.company.com/rest/api/1.0/projects/$proj_name/repos/$repo_name/commits?limit=1";
my $curl_commit_cmd = "curl -s -u '<user>:<password>' -X GET '$stash_commit_url'";
my $json_commit = `$curl_commit_cmd`;
die "Could not get $stash_commit_url!" if $? != 0 || !length $json_commit;
chomp($json_commit);
my $decoded_json_commit = decode_json($json_commit);
print "\n\n#################\n\tSTART COMMIT DUMP\n#################\n";
print Dumper $decoded_json_commit;
GIT GITHUB API – Repository
LOOP THROUGH TO GET A LIST OF REPOS FROM YOUR GITHUB INSTANCE
use JSON;
my @repo_values;
# GitHub returns at most 100 repos per page; keep paging until a page comes back empty.
for (my $i = 1; ; $i++) {
    my $github_proj_url = "https://git.instance.net/api/v3/user/repos?per_page=100&page=$i";
    my $curl_proj_command = "curl -s -u '<user>:<password>' -X GET '$github_proj_url'";
    my $json_proj = `$curl_proj_command`;
    chomp($json_proj);
    my $decoded_json_proj = decode_json($json_proj);
    last unless @{$decoded_json_proj};
    push @repo_values, @{$decoded_json_proj};
}
FORTIFY API – Generate Token
CREATE A TOKEN USING BASE64ENCODED PASSWORD
BASE64ENCODING EXAMPLE - https://www.base64encode.org/
use JSON;
use MIME::Base64 qw(encode_base64);
# The Basic credential is base64("user:password"). Building it in the script with the core
# MIME::Base64 module means the credential never has to be pasted anywhere else.
# $ssc_user / $ssc_password and the MSTRLOG log filehandle are set up elsewhere in the script.
my $Base64_Encoded_Password = encode_base64("$ssc_user:$ssc_password", "");
my $token_response = `curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: Basic $Base64_Encoded_Password' -d '{ "type": "UnifiedLoginToken" }' 'http://ssc_server_name.net:port/ssc/api/v1/tokens'`;
chomp($token_response);
my $decoded_json_token = decode_json($token_response);
my $t_response_code = $decoded_json_token->{'responseCode'};
print MSTRLOG "\nThe Token create response code was: $t_response_code\n";
my $token_value = $decoded_json_token->{'data'}->{'token'};
FORTIFY API – Get Project ID
# Returns (name, id) of the SSC project whose name equals $_[0], or an empty list when there
# is none; $fortify_token is the token obtained above.
sub get_proj_id {
    my $all_ssc_projects_response = `curl -X GET --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: FortifyToken $fortify_token' 'http://ssc_server_name.net:port/ssc/api/v1/projects?limit=-1&fulltextsearch=false'`;
    chomp($all_ssc_projects_response);
    my $decoded_json_projects = decode_json($all_ssc_projects_response);
    print Dumper $decoded_json_projects;
    my $total_ssc_projects = $decoded_json_projects->{'count'};
    print "The total number of ssc_projects are: $total_ssc_projects\n\n";
    my @proj_values = @{ $decoded_json_projects->{'data'} };
    foreach my $v (@proj_values) {
        my $project_name = $v->{'name'};
        my $project_id   = $v->{'id'};
        if ($_[0] eq $project_name) {
            print "Project name is: $project_name and Project id is: $project_id\n";
            return ($project_name, $project_id);
        }
    }
    return;   # not found
}
FORTIFY API – Get Version ID
# Returns (name, id) of the version named $_[1] under SSC project id $_[0], or an empty list.
sub get_version_id {
    my $ssc_versions_response = `curl -X GET --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: FortifyToken $fortify_token' 'http://ssc_server_name.net:port/ssc/api/v1/projects/$_[0]/versions'`;
    chomp($ssc_versions_response);
    my $decoded_json_versions = decode_json($ssc_versions_response);
    my @version_values = @{ $decoded_json_versions->{'data'} };
    foreach my $vv (@version_values) {
        my $version_name = $vv->{'name'};
        my $version_id   = $vv->{'id'};
        if ($_[1] eq $version_name) {
            print "Version name is: $version_name and Version id is: $version_id\n";
            return ($version_name, $version_id);
        }
    }
    return;   # not found
}
FORTIFY API – Create SSC Project
# Creates SSC project $_[0] together with its first version, named after the repository $_[1];
# $_[2] is the description and $_[3] the Fortify token. Returns the new project version id.
sub create_ssc_project {
    print "\t\tPassed into the sub create ssc project values are proj_name: $_[0] and repo_name: $_[1] and description: $_[2] and token: $_[3]\n";
    my $create_response = `curl -X POST --header 'Content-Type: application/json' --header 'Authorization: FortifyToken $_[3]' -d '{"description": "$_[2]", "name": "$_[1]", "issueTemplateId": "Prioritized-HighRisk-Project-Template", "masterAttrGuid": "87f2364f-dcd4-49e6-861d-f8d3f351686b", "objectVersion": 3, "project": {"description": "$_[2]", "issueTemplateId": "Prioritized-HighRisk-Project-Template", "name": "$_[0]"} }' 'http://ssc_server_name.net:port/ssc/api/v1/projectVersions'`;
    chomp($create_response);
    my $decoded_json_create = decode_json($create_response);
    my $id = $decoded_json_create->{'data'}->{'id'};
    return $id;
}
FORTIFY API – Create SSC Project Version
# Adds version $_[1] to the existing SSC project with id $_[0]; $_[2] is the description and
# $_[3] the Fortify token. Returns the new project version id.
sub create_ssc_project_version {
    print "\t\tPassed into the sub create ssc project version values are proj_id: $_[0] and version_name: $_[1] and description: $_[2] and token: $_[3]\n";
    my $create_response = `curl -X POST --header 'Content-Type: application/json' --header 'Authorization: FortifyToken $_[3]' -d '{"description": "$_[2]", "name": "$_[1]", "issueTemplateId": "Prioritized-HighRisk-Project-Template", "masterAttrGuid": "87f2364f-dcd4-49e6-861d-f8d3f351686b"}' 'http://ssc_server_name.net:port/ssc/api/v1/projects/$_[0]/versions'`;
    chomp($create_response);
    my $decoded_json_create = decode_json($create_response);
    print Dumper $decoded_json_create;
    my $id = $decoded_json_create->{'data'}->{'id'};
    return $id;
}
FORTIFY API – Update Project Attributes
# Sets the required attributes on project version $_[0] (the attribute definition ids and
# guids are specific to the presenters' SSC instance); $_[1] is the Fortify token.
sub update_ssc_project_attributes {
    print "\t\tPassed into the sub update ssc project attributes values are proj_id: $_[0] and token: $_[1]\n";
    my $update_att_response = `curl -X PUT --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: FortifyToken $_[1]' -d '[{"attributeDefinitionId":5,"values":[{"guid":"Active"}]}, {"attributeDefinitionId":6,"values":[{"guid":"Internal"}]}, {"attributeDefinitionId":7,"values":[{"guid":"internalnetwork"}]}]' 'http://ssc_server_name.net:port/ssc/api/v1/projectVersions/$_[0]/attributes'`;
    chomp($update_att_response);
    my $decoded_json_attrs = decode_json($update_att_response);
    print Dumper $decoded_json_attrs;
    my $u_att_response_code = $decoded_json_attrs->{'responseCode'};
    print "\nThe update attributes response code was: $u_att_response_code\n";
}
FORTIFY API – Update Project Processing Rules
# Disables every result processing rule on project version $_[0] so automated uploads are never
# held for approval; $_[1] is the Fortify token. The trade-off is that the checks these rules
# provide (for example flagging a scan whose line count differs by more than 10%) are switched
# off too. The rule list lives in a non-interpolating heredoc; it contains no single quotes, so
# it can be passed to curl inside '...'.
sub update_ssc_project_proc_rules {
    print "\t\tPassed into the sub update ssc project processing rules values are proj_id: $_[0] and token: $_[1]\n";
    my $rules_json = <<'JSON';
[{"displayName": "Require approval if the Build Project is different between scans","identifier": "com.fortify.manager.BLL.processingrules.BuildProjectProcessingRule","displayable": true,"enabled": false},
 {"displayName": "Check external metadata file versions in scan against versions on server.","identifier": "com.fortify.manager.BLL.processingrules.ExternalListVersionProcessingRule","displayable": true,"enabled": false},
 {"displayName": "Require approval if file count differs by more than 10%","identifier": "com.fortify.manager.BLL.processingrules.FileCountProcessingRule","displayable": true,"enabled": false},
 {"displayName": "Require approval if result has Fortify Java Annotations","identifier": "com.fortify.manager.BLL.processingrules.FortifyAnnotationsProcessingRule","displayable": true,"enabled": false},
 {"displayName": "Require approval if line count differs by more than 10%","identifier": "com.fortify.manager.BLL.processingrules.LOCCountProcessingRule","displayable": true,"enabled": false},
 {"displayName": "Automatically perform Instance ID migration on upload","identifier": "com.fortify.manager.BLL.processingrules.MigrationProcessingRule","displayable": true,"enabled": false},
 {"displayName": "Require approval if the engine version of a scan is newer than the engine version of the previous scan","identifier": "com.fortify.manager.BLL.processingrules.NewerEngineVersionProcessingRule","displayable": true,"enabled": false},
 {"displayName": "Ignore SCA Scans performed in QuickScan mode","identifier": "com.fortify.manager.BLL.processingrules.QuickScanProcessingRule","displayable": true,"enabled": false},
 {"displayName": "Require approval if the rulepacks used in the scan do not match the rulepacks used in the previous scan","identifier": "com.fortify.manager.BLL.processingrules.RulePackVersionProcessingRule","displayable": true,"enabled": false},
 {"displayName": "Require approval if SCA or WebInspectAgent scan does not have valid certification","identifier": "com.fortify.manager.BLL.processingrules.ValidCertificationProcessingRule","displayable": true,"enabled": false},
 {"displayName": "Require approval if result has analysis warnings","identifier": "com.fortify.manager.BLL.processingrules.WarningProcessingRule","displayable": true,"enabled": false},
 {"displayName": "Warn if audit information includes unknown custom tag","identifier": "com.fortify.manager.BLL.processingrules.UnknownOrDisallowedAuditedAttrChecker","displayable": true,"enabled": false},
 {"displayName": "Require the issue audit permission to upload audited analysis files","identifier": "com.fortify.manager.BLL.processingrules.AuditedAnalysisRule","displayable": true,"enabled": false},
 {"displayName": "Disallow upload of analysis results if there is one pending approval","identifier": "com.fortify.manager.BLL.processingrules.PendingApprovalChecker","displayable": true,"enabled": false},
 {"displayName": "Disallow approval for processing if an earlier artifact requires approval","identifier": "com.fortify.manager.BLL.processingrules.VetoCascadingApprovalProcessingRule","displayable": true,"enabled": false}]
JSON
    my $update_pr_response = `curl -X PUT --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: FortifyToken $_[1]' -d '$rules_json' 'http://ssc_server_name.net:port/ssc/api/v1/projectVersions/$_[0]/resultProcessingRules'`;
    chomp($update_pr_response);
    my $decoded_json_rules = decode_json($update_pr_response);
    print Dumper $decoded_json_rules;
    my $u_pr_response_code = $decoded_json_rules->{'responseCode'};
    print "\nThe update process rules response code was: $u_pr_response_code\n";
}
FORTIFY API – Commit SSC Project
# Commits project version $_[0] so it becomes usable for uploads; $_[1] is the Fortify token.
sub commit_ssc_project {
    print "\t\tPassed into the sub commit ssc project values are proj_id: $_[0] and token: $_[1]\n";
    my $commit_response = `curl -X PUT --header 'Accept: application/json' --header 'Content-Type: application/json' --header 'Authorization: FortifyToken $_[1]' -d '{ "committed":"true"}' 'http://ssc_server_name.net:port/ssc/api/v1/projectVersions/$_[0]'`;
    chomp($commit_response);
    my $decoded_json_commit = decode_json($commit_response);
    print Dumper $decoded_json_commit;
    my $c_response_code = $decoded_json_commit->{'responseCode'};
    print "\nThe commit project response code was: $c_response_code\n";
}
FORTIFY API – Get Project Version Issues
# $target_version_id is the project version id from get_version_id; limit=-1 returns all issues,
# ordered by priority.
my $issue_response = `curl -X GET --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: FortifyToken $fortify_token' 'http://ssc_server_name.net:port/ssc/api/v1/projectVersions/$target_version_id/issues?limit=-1&orderby=priority&fields=priority'`;
chomp($issue_response);
my $decoded_json_issues = decode_json($issue_response);
print Dumper $decoded_json_issues;
FORTIFY API – Get Issue Details
# $issue_href is the issue's own URL (its _href) taken from an entry of the issue list above.
my $issue_detail_response = `curl -X GET --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: FortifyToken $fortify_token' '$issue_href'`;
chomp($issue_detail_response);
my $decoded_json_issues_det = decode_json($issue_detail_response);
print "\n\n#############################\n\tSTART ISSUE DETAILS DUMP\n#############################\n";
print Dumper $decoded_json_issues_det;
Bonus Content – PROCESS
STEP 1: Identify Relevant Code
1. LOOP THROUGH API COMMAND TO CAPTURE ALL REPOSITORIES
2. FOR EACH REPOSITORY CAPTURE COMMIT DATA AND EVALUATE FOR RELEVANCE
3. CAPTURE USER DATA OF COMMITS FOR LATER REPORTING
4. CREATE LIST OF RELEVANT REPOSITORIES FOR PROCESSING
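Steps 1 to 4 of this list (and the "STEP 1: Identify Relevant Code" slide earlier in the deck), as an added, self-contained Python example; it is not the presenters' Perl. The two curl calls are replaced by functions that return constructed JSON in the shape of the Bitbucket Server (Stash) 1.0 REST responses the Perl dumps with Data::Dumper: a paged repository list (isLastPage, nextPageStart) and the newest commit on a branch (authorTimestamp in epoch milliseconds). The project key SEC, the repository slugs, commit ids, committers and the LAST_SCAN date are all made up for the example, and the relevance rule (newest commit later than the previous scan) is one reasonable reading of "evaluate for relevance".

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List

# Constructed sample: two pages of GET /rest/api/1.0/projects/SEC/repos?limit=2
# (Bitbucket Server paging uses "isLastPage" and "nextPageStart").
REPO_PAGES: Dict[int, dict] = {
    0: {"values": [{"slug": "payments-api", "project": {"key": "SEC"}},
                   {"slug": "legacy-portal", "project": {"key": "SEC"}}],
        "isLastPage": False, "nextPageStart": 2},
    2: {"values": [{"slug": "infra-scripts", "project": {"key": "SEC"}}],
        "isLastPage": True},
}

# Constructed sample: newest commit on master per repository, as returned by
# GET .../repos/<slug>/commits?until=refs/heads/master&limit=1 ("authorTimestamp" is epoch ms).
LATEST_COMMITS: Dict[str, dict] = {
    "payments-api": {"values": [{"id": "a1b2c3d4e5", "authorTimestamp": 1539000000000,
                                 "author": {"name": "dev1", "emailAddress": "dev1@example.com"}}]},
    "legacy-portal": {"values": [{"id": "f6a7b8c9d0", "authorTimestamp": 1500000000000,
                                  "author": {"name": "dev2", "emailAddress": "dev2@example.com"}}]},
    "infra-scripts": {"values": []},  # branch with no commits yet
}

# Date of the previous automated scan (constructed); anything committed after it is "relevant".
LAST_SCAN = datetime(2018, 1, 1, tzinfo=timezone.utc)


def fake_get_repos(project_key: str, start: int) -> dict:
    """Stands in for the curl GET of one page of the repository list."""
    return REPO_PAGES[start]


def fake_get_latest_commit(project_key: str, slug: str, branch: str) -> dict:
    """Stands in for the curl GET of the newest commit on a branch."""
    return LATEST_COMMITS[slug]


@dataclass(frozen=True)
class ChangedRepo:
    """ProjectName -> RepositoryName -> BranchName plus the commit's user data."""
    project: str
    repo: str
    branch: str
    commit: str
    author: str
    email: str
    committed_at: datetime


def list_all_repos(project_key: str, get_page: Callable[[str, int], dict]) -> List[dict]:
    """Process step 1: loop through the paged API until the server says it is the last page."""
    repos: List[dict] = []
    start = 0
    while True:
        page = get_page(project_key, start)
        repos.extend(page["values"])
        if page.get("isLastPage", True):
            return repos
        start = page["nextPageStart"]


def find_changed_repos(project_key: str, last_scan: datetime,
                       get_page: Callable[[str, int], dict],
                       get_commit: Callable[[str, str, str], dict],
                       branch: str = "master") -> List[ChangedRepo]:
    """Process steps 2-4: evaluate each repository's newest commit for relevance and keep
    the ones changed since the last scan, with committer data for later reporting."""
    changed: List[ChangedRepo] = []
    for repo in list_all_repos(project_key, get_page):
        commits = get_commit(project_key, repo["slug"], branch)["values"]
        if not commits:
            continue  # nothing on this branch, nothing to scan
        newest = commits[0]
        when = datetime.fromtimestamp(newest["authorTimestamp"] / 1000, tz=timezone.utc)
        if when > last_scan:
            changed.append(ChangedRepo(repo["project"]["key"], repo["slug"], branch,
                                       newest["id"], newest["author"]["name"],
                                       newest["author"]["emailAddress"], when))
    return changed


def run_demo() -> List[ChangedRepo]:
    """Runs the whole step against the constructed data."""
    return find_changed_repos("SEC", LAST_SCAN, fake_get_repos, fake_get_latest_commit)


if __name__ == "__main__":
    for r in run_demo():
        print(f"{r.project}->{r.repo}->{r.branch} {r.commit[:7]} by {r.author} "
              f"<{r.email}> on {r.committed_at:%Y-%m-%d}")
```

Against a real server the two fake functions would be replaced by HTTP calls that pass the same arguments; keeping them injectable is what lets the relevance logic be tested without network access or credentials.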
STEP 2: CREATE PROJECTS AND SCAN
1. GENERATE YOUR FORTIFY ACCESS TOKEN
2. USING LIST OF REPOS FOUND, VALIDATE IF SSC PROJECT EXISTS FOR CODE REPOSITORY
3. IF NOT, THEN CREATE THE SSC PROJECT
   a. Create the Project
   b. Create the Project Version
   c. Update Project Attributes
   d. Update Project Processing Rules
   e. Commit SSC Project
4. SCAN CODE REPOSITORY AND UPLOAD RESULTS TO SSC PROJECT
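The token, lookup and create calls of this step (and the "STEP 2" slide earlier in the deck) wired together, as an added Python example rather than the presenters' Perl. The HTTP layer is a pluggable transport, so the same client runs here against FakeSsc, a small in-memory stand-in written for this example. The paths, the Basic-auth token request, the FortifyToken header and the issue template name follow the curl calls on the slides; the naming standard in ssc_names (SSC project "<key>-<repo>", version = branch) and the fake server's responses are assumptions. Two details differ from the Perl on purpose: the credential is base64-encoded in-process instead of being placed on a curl command line, and nothing is interpolated into a shell command, so a repository name coming back from an API is never executed by a shell.

```python
import base64
from typing import Callable, Dict, Optional, Tuple

# transport(method, path, headers, json_body) -> decoded JSON. A real one wraps an HTTP
# client; here it is the in-memory FakeSsc below.
Transport = Callable[[str, str, Dict[str, str], Optional[object]], dict]
TEMPLATE = "Prioritized-HighRisk-Project-Template"  # issue template used on the slides


def ssc_names(project_key: str, repo: str, branch: str) -> Tuple[str, str]:
    """Naming standard derived from repository data (an assumption for this example):
    SSC project = "<project>-<repo>", SSC version = branch name."""
    return f"{project_key}-{repo}", branch


class SscClient:
    def __init__(self, transport: Transport) -> None:
        self.transport = transport
        self.token: Optional[str] = None

    def login(self, user: str, password: str) -> str:
        """POST /tokens with a Basic credential built in-process, never on a command line."""
        basic = base64.b64encode(f"{user}:{password}".encode()).decode()
        resp = self.transport("POST", "/ssc/api/v1/tokens",
                              {"Authorization": f"Basic {basic}"}, {"type": "UnifiedLoginToken"})
        if resp.get("responseCode") not in (200, 201):
            raise RuntimeError(f"token request failed: {resp}")
        self.token = resp["data"]["token"]
        return self.token

    def _call(self, method: str, path: str, body: Optional[object] = None) -> dict:
        return self.transport(method, path, {"Authorization": f"FortifyToken {self.token}"}, body)

    def find_project(self, name: str) -> Optional[int]:
        projects = self._call("GET", "/ssc/api/v1/projects?limit=-1&fulltextsearch=false")
        return next((p["id"] for p in projects["data"] if p["name"] == name), None)

    def find_version(self, project_id: int, name: str) -> Optional[int]:
        versions = self._call("GET", f"/ssc/api/v1/projects/{project_id}/versions")
        return next((v["id"] for v in versions["data"] if v["name"] == name), None)

    def create_project_version(self, project: str, version: str, description: str) -> int:
        """Create project + version, set attributes, then commit (sub-steps a to e above)."""
        body = {"name": version, "description": description, "issueTemplateId": TEMPLATE,
                "project": {"name": project, "description": description, "issueTemplateId": TEMPLATE}}
        vid = self._call("POST", "/ssc/api/v1/projectVersions", body)["data"]["id"]
        self._call("PUT", f"/ssc/api/v1/projectVersions/{vid}/attributes",
                   [{"attributeDefinitionId": 5, "values": [{"guid": "Active"}]}])
        self._call("PUT", f"/ssc/api/v1/projectVersions/{vid}", {"committed": True})
        return vid


def ensure_version(client: SscClient, project_key: str, repo: str, branch: str) -> int:
    """Verify the SSC project/version exists for a repository; create it if not."""
    project, version = ssc_names(project_key, repo, branch)
    pid = client.find_project(project)
    if pid is not None:
        vid = client.find_version(pid, version)
        if vid is not None:
            return vid
    return client.create_project_version(project, version, f"{project_key}/{repo}@{branch}")


class FakeSsc:
    """In-memory stand-in for the SSC endpoints used above, constructed for this example."""
    def __init__(self) -> None:
        self.projects: Dict[str, dict] = {}   # name -> {"id": int, "versions": {name: id}}
        self.committed = set()
        self._next = 1

    def _new_id(self) -> int:
        self._next += 1
        return self._next - 1

    def __call__(self, method, path, headers, body):
        if path.endswith("/tokens"):
            assert headers["Authorization"].startswith("Basic ")
            return {"responseCode": 201, "data": {"token": "t0ken"}}
        assert headers["Authorization"] == "FortifyToken t0ken", "unauthenticated call"
        if method == "GET" and path.startswith("/ssc/api/v1/projects?"):
            return {"count": len(self.projects),
                    "data": [{"name": n, "id": p["id"]} for n, p in self.projects.items()]}
        if method == "GET" and path.endswith("/versions"):
            pid = int(path.split("/")[-2])
            proj = next(p for p in self.projects.values() if p["id"] == pid)
            return {"data": [{"name": n, "id": i} for n, i in proj["versions"].items()]}
        if method == "POST" and path.endswith("/projectVersions"):
            proj = self.projects.setdefault(body["project"]["name"], {"id": None, "versions": {}})
            if proj["id"] is None:
                proj["id"] = self._new_id()
            vid = proj["versions"].get(body["name"])
            if vid is None:
                vid = proj["versions"][body["name"]] = self._new_id()
            return {"data": {"id": vid}}
        if method == "PUT" and path.endswith("/attributes"):
            return {"responseCode": 200}
        if method == "PUT":
            self.committed.add(int(path.rsplit("/", 1)[1]))
            return {"responseCode": 200}
        raise ValueError(f"unexpected {method} {path}")


if __name__ == "__main__":
    ssc = SscClient(FakeSsc())
    ssc.login("svc_fortify", "example-password")
    print("version id:", ensure_version(ssc, "SEC", "payments-api", "master"))
```

Calling ensure_version twice for the same repository and branch returns the same id without creating anything, which is the idempotence the daily automated run needs.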
STEP 3: Relevant Issue Identification
1. GENERATE YOUR FORTIFY ACCESS TOKEN
2. USE PROJECT ID AND VERSION ID TO CAPTURE LIST OF ISSUES
3. FOR EACH ISSUE, CAPTURE METADATA
4. EVALUATE METADATA FOR RELEVANCE (LEGACY OR INTRODUCED RISK)
5. CONSOLIDATE ISSUES AND REPORT TO APPROPRIATE STAKEHOLDERS
6. GATHER METRICS AND EVALUATE
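Steps 3 to 6 of this list (and the "STEP 3" slide earlier in the deck) as an added Python example, not the presenters' Perl. ISSUES is a constructed sample shaped like the data entries of the projectVersions/<id>/issues call on the slides (the field names are the ones SSC issue records carry, the values are invented); RELEASE_START, NOW, the stakeholder addresses and the rule that only Critical and High issues are reported are assumptions for the example. Introduced issues are routed to the committers captured in step 1, legacy issues to the product owner and developer lead, and every issue is counted for metrics.

```python
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample shaped like the "data" entries of GET /projectVersions/<id>/issues; the
# field names (issueName, friority, confidence, foundDate, primaryLocation, lineNumber) are the
# ones SSC issue records carry, the values are invented for this example.
ISSUES: List[dict] = [
    {"id": 101, "issueName": "SQL Injection", "friority": "Critical", "confidence": 5.0,
     "foundDate": "2018-10-08T13:00:00.000+0000", "primaryLocation": "PaymentDao.java", "lineNumber": 88},
    {"id": 102, "issueName": "Path Manipulation", "friority": "High", "confidence": 2.5,
     "foundDate": "2017-03-02T09:15:00.000+0000", "primaryLocation": "Export.java", "lineNumber": 41},
    {"id": 103, "issueName": "Poor Logging Practice", "friority": "Low", "confidence": 5.0,
     "foundDate": "2018-10-08T13:00:00.000+0000", "primaryLocation": "Log.java", "lineNumber": 12},
    {"id": 104, "issueName": "Cross-Site Scripting: Reflected", "friority": "High", "confidence": 4.0,
     "foundDate": "2018-09-20T08:00:00.000+0000", "primaryLocation": "View.jsp", "lineNumber": 7},
]
RELEASE_START = datetime(2018, 9, 1, tzinfo=timezone.utc)   # first commit of the current release
NOW = datetime(2018, 10, 15, tzinfo=timezone.utc)           # fixed "today" so the age is reproducible
IMPORTANT = {"Critical", "High"}                             # reported; everything else is metrics only
# Stakeholders (constructed): committers captured in step 1, and the repo's product owner / dev lead.
DEVELOPERS = ["dev1@example.com"]
OWNERS = ["product.owner@example.com", "dev.lead@example.com"]


def found_at(issue: dict) -> datetime:
    """Parse SSC's foundDate format (ISO-8601 with milliseconds and a numeric UTC offset)."""
    return datetime.strptime(issue["foundDate"], "%Y-%m-%dT%H:%M:%S.%f%z")


def classify(issue: dict, release_start: datetime) -> str:
    """'introduced' when first seen during the current release, otherwise 'legacy'."""
    return "introduced" if found_at(issue) >= release_start else "legacy"


def triage(issues: List[dict], release_start: datetime, now: datetime,
           developers: List[str], owners: List[str]) -> Dict[str, object]:
    """Steps 3-6: capture metadata, label legacy vs introduced, route the important issues
    to the right stakeholders and count everything for metrics."""
    report: Dict[str, object] = {"developers": {"to": developers, "issues": []},
                                 "owners": {"to": owners, "issues": []}}
    metrics: Counter = Counter()
    for issue in issues:
        bucket = classify(issue, release_start)
        metrics[bucket] += 1
        metrics[f"{bucket}/{issue['friority']}"] += 1
        if issue["friority"] not in IMPORTANT:
            continue  # tracked in the metrics, not pushed to anyone
        item = {"id": issue["id"], "name": issue["issueName"], "priority": issue["friority"],
                "confidence": issue["confidence"], "age_days": (now - found_at(issue)).days,
                "where": f"{issue['primaryLocation']}:{issue['lineNumber']}", "bucket": bucket}
        target = report["developers"] if bucket == "introduced" else report["owners"]
        target["issues"].append(item)
        metrics["reported"] += 1
    report["metrics"] = dict(metrics)
    return report


def run_demo() -> Dict[str, object]:
    return triage(ISSUES, RELEASE_START, NOW, DEVELOPERS, OWNERS)


if __name__ == "__main__":
    out = run_demo()
    for group in ("developers", "owners"):
        print(group, "->", ", ".join(out[group]["to"]))
        for i in out[group]["issues"]:
            print(f"  #{i['id']} {i['priority']:<8} {i['name']} at {i['where']} ({i['age_days']} days old)")
    print("metrics:", out["metrics"])
```

The split on foundDate is what makes "focus on the now" workable: developers only see findings that arrived with their own release, while the older backlog is reported separately to the people who own the technical-debt conversation.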