Building AppSec Automation With Python - DEF CON


Building AppSec Automation with Python
Abhay Bhargav - CTO, we45

A Gentle Introduction to DevOps
What is DevOps? Where does security fit in?

What is DevOps?
Key objective: harmonize IT operations by having developers and ops work together seamlessly. Rely on processes and automation to achieve higher throughput: Continuous Delivery.

Without DevOps: Requirements -> Design -> Develop -> Test -> Deploy (sequential, hand-offs between teams)

With DevOps (hopefully): Requirements -> Design -> Develop -> Test -> Deploy, as a continuous, automated loop

Example pipeline (diagram): the developer codes, modifies and commits to Git; the orchestration engine (Jenkins, Continuous Integration) checks the code out for build and runs tests in Docker; on success it deploys to QA (Docker) and runs Selenium tests; on success it publishes to the repo and deploys to Prod (Docker).

But... Requirements -> Design -> Develop -> Test -> Deploy, and then:

"Let's do a security test just before we go live."
The line that has ruined application security for all of us.

In short: security checks belong at every stage of the CI/CD pipeline.

CI/CD Pipeline (diagram)
    - Pre-commit checks: trigger threat modelling, trigger ARA, trigger manual code review, configuration review, email notifications
    - Commit-time checks: compile and build code, run SAST tools, automatic security testing, gather metrics, break the build
    - Build-time checks: comprehensive SAST, SCA, risk-based security testing, gather metrics, break the build
    - Test-time checks: broader SAST, DAST/AST, malicious code detection, gather metrics, break the build
    - Pre-deployment checks: provisioning the runtime environment, security scanning
    - Post-deployment checks: continuous management, vulnerability scanning, bug bounty program, threat intelligence

The Need of the Hour
    - Continuous application security practices, to keep pace with Continuous Delivery
    - Dynamic Application Security Testing (DAST) in the pipeline
    - Static Application Security Testing (SAST) in the pipeline

Security in DevOps (diagram): Plan (threat modeling) -> Code -> Build (SAST) -> Test -> Deploy (security in IaC) -> Operate (security monitoring and attack detection)

The Application Security Engineer's Story
How do we run DAST in the pipeline? How do we correlate results from DAST? How do we compare results from scans over time?


Our Approach Today
A view of DAST in the pipeline. Tool of choice: OWASP ZAP, with Jenkins, customized Python scripts, and ElasticSearch/Redis.
Objective: explore automated DAST testing approaches with OWASP ZAP and its Python API.

Why OWASP ZAP?
    - Free and open source web application vulnerability scanner
    - Feature-rich, well supported, with several contributors
    - Community support: plugins, add-ons, etc.
    - Documentation: better than most scanners out there
    - Great API and a scriptable scanner


Stories for today
    - The Application Security Engineer / DevSecOps engineering perspective
    - The automation-focused pentester perspective

Key Questions - AppSec Engineering / DevSecOps
    - How do we roll out automated security testing in the pipeline?
    - Authenticated scanning in the pipeline, for apps, APIs, etc.
    - Accounting for changes in the attack surface

Introduction to the OWASP ZAP API
    - OWASP ZAP automation: concept overview
    - Useful concepts and API
    - OWASP ZAP Python API deep-dive
    - Workshop exercises

Concept Overview - OWASP ZAP
    - Context: a named group of URLs (defined by include/exclude regexes) that carries its own authentication, session-management and user settings; the scope that scans and scripts operate on
    - Session: ZAP's working state (sites tree, history, alerts), which can be saved to and loaded from a session file
    - Active Scan: sends crafted requests (attack payloads) to the target; only run it against targets you are authorised to test
    - Passive Scan: inspects the requests and responses passing through the proxy without sending anything extra
    - Scan Policy: which active scan rules run, at what attack strength and alert threshold
    - Alert: a finding reported by a rule, with a risk level and a confidence level

Workshop Exercise - Basic ZAP Functionality
Concept overview: Context, Sites, Scan Policy, Scripts, Script Console

ZAP - Useful API Operations

    from zapv2 import ZAPv2 as ZAP

    # connect to a running ZAP instance; the key, host and port are placeholders for your setup
    zap = ZAP(apikey='<api key>', proxies={'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'})

    zap.spider    # spider operations
    zap.core      # app-wide operations
    zap.ascan     # active scan
    zap.pscan     # passive scan
    zap.script    # operations with ZAP scripts
    zap.context   # context related operations

ZAP API Quicksearch operations

    zap.spider.scan(target)           # initiate ZAP spider scan against the target; returns the scan id
    zap.ascan.scan(target)            # initiate ZAP active scan against the target; returns the scan id
    zap.core.alerts()                 # all alerts (scan results) from the ZAP scanner
    zap.core.urls()                   # list of URLs known to ZAP
    zap.spider.status(scan_id)        # real-time progress of the spider (0-100, returned as a string)
    zap.ascan.status(scan_id)         # real-time progress of the active scan (0-100, returned as a string)
    zap.ascan.scan_progress(scan_id)  # per-rule progress of the active scan: which vulnerabilities are being tested for, with request counts

Workshop Exercise - ZAP API Walkthrough
    1. ipython walkthrough
    2. Walkthrough of the ZAP API code (please refer to the instructions in the HTML)
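The walkthrough above lists the API calls one at a time; the following driver strings them together the way a pipeline job would (spider, wait, active scan, wait, collect alerts, break the build on a risk threshold). This is an added example, not the workshop's own code. The ZAP client is passed in, so the same functions run against a live ZAP (the commented-out lines, whose host, port and API key are assumed placeholders) or against the small in-memory stand-in constructed here so the module runs offline; the sample alerts are constructed too.

```python
"""Pipeline-style DAST driver on the ZAP Python API (zapv2 from python-owasp-zap-v2.4)."""
import time

# Risk labels as ZAP returns them in alert['risk'], ordered for threshold checks
RISK_ORDER = {'Informational': 0, 'Low': 1, 'Medium': 2, 'High': 3}


def wait_for(status_fn, scan_id, poll=2, timeout=600, sleep=time.sleep):
    """Poll zap.spider.status / zap.ascan.status until ZAP reports 100.

    Both calls return the progress as a string ('0'..'100'). A scan that never
    finishes must not hang the build, hence the timeout.
    """
    deadline = time.time() + timeout
    while True:
        pct = int(status_fn(scan_id))
        if pct >= 100:
            return pct
        if time.time() > deadline:
            raise TimeoutError('scan %s did not finish within %ss' % (scan_id, timeout))
        sleep(poll)


def run_dast(zap, target, sleep=time.sleep):
    """Spider the target, actively scan it, and return ZAP's alerts for it.

    zap is anything exposing the spider/ascan/core sub-APIs of ZAPv2, so the
    driver works against a live ZAP or against FakeZap below.
    """
    spider_id = zap.spider.scan(target)          # scan id comes back as a string
    wait_for(zap.spider.status, spider_id, sleep=sleep)
    ascan_id = zap.ascan.scan(target)
    wait_for(zap.ascan.status, ascan_id, sleep=sleep)
    return zap.core.alerts(baseurl=target)


def triage(alerts, fail_at='High'):
    """Count alerts per risk level and return the ones at or above fail_at."""
    counts = {level: 0 for level in RISK_ORDER}
    failing = []
    for alert in alerts:
        counts[alert['risk']] += 1
        if RISK_ORDER[alert['risk']] >= RISK_ORDER[fail_at]:
            failing.append(alert)
    return counts, failing


def build_passes(alerts, fail_at='High'):
    """The gate the CI job acts on: True when nothing at/above fail_at was found."""
    return not triage(alerts, fail_at)[1]


# ---- offline stand-in for ZAP, constructed for this example -----------------
class _FakeScanApi:
    """Mimics zap.spider / zap.ascan: scan() returns an id, status() climbs to 100."""
    def __init__(self):
        self._pct = 0

    def scan(self, url):
        self._pct = 0
        return '1'

    def status(self, scanid):
        self._pct = min(100, self._pct + 50)
        return str(self._pct)


class _FakeCore:
    def __init__(self, alerts):
        self._alerts = alerts

    def alerts(self, baseurl=None):
        return [a for a in self._alerts if a['url'].startswith(baseurl or '')]


class FakeZap:
    def __init__(self, alerts):
        self.spider, self.ascan, self.core = _FakeScanApi(), _FakeScanApi(), _FakeCore(alerts)


# Constructed sample alerts, in the shape (subset of keys) zap.core.alerts() returns
SAMPLE_ALERTS = [
    {'alert': 'SQL Injection', 'risk': 'High', 'confidence': 'Medium', 'cweid': '89',
     'url': 'http://target.test/items?id=1', 'param': 'id'},
    {'alert': 'Cross Site Scripting (Reflected)', 'risk': 'Medium', 'confidence': 'Medium',
     'cweid': '79', 'url': 'http://target.test/search?q=x', 'param': 'q'},
    {'alert': 'X-Content-Type-Options Header Missing', 'risk': 'Low', 'confidence': 'Medium',
     'cweid': '16', 'url': 'http://target.test/', 'param': 'X-Content-Type-Options'},
]


if __name__ == '__main__':
    # Live use (assumed host, port and key):
    #   from zapv2 import ZAPv2
    #   zap = ZAPv2(apikey='changeme', proxies={'http': 'http://127.0.0.1:8090',
    #                                           'https': 'http://127.0.0.1:8090'})
    zap = FakeZap(SAMPLE_ALERTS)
    found = run_dast(zap, 'http://target.test', sleep=lambda s: None)
    counts, failing = triage(found, fail_at='High')
    print('alerts by risk:', counts)
    for a in failing:
        print('BUILD-BREAKING: %s at %s (param %s)' % (a['alert'], a['url'], a['param']))
    raise SystemExit(0 if build_passes(found) else 1)
```

The non-zero exit status is what Jenkins keys off; keep the threshold (fail_at) in job configuration rather than in the script so that a team can start at High and tighten it without a code change.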

Running Authenticated Scans in OWASP ZAP
Approaches: a Selenium-driven scan process; leveraging canned ZAP sessions; Zest scripting.

Selenium-authenticated scan: run Selenium and ZAP in headless mode, with the browser proxied through ZAP, so every request the existing functional test scripts make (including the login) is recorded and can then be actively scanned. Beats spidering the app! :)

ZAP session-authenticated scan: programmatically invoked with the ZAP API; a saved session maintains state (cookies, tokens, etc.) so the scan starts from a logged-in position.

Zest script-authenticated scan: programmatically invoked with the ZAP API; easily customizable, since the login sequence is a Zest script attached to the Context.

Workshop Exercise - Automated, Authenticated ZAP Scans
    1. Selenium-ZAP scan (follow the HTML instructions)
    2. ZAP session scans (follow the HTML instructions)
    3. Zest ZAP scans (follow the HTML instructions)

ZAP in the Continuous Delivery Pipeline

Workshop Exercise - Automated, Authenticated ZAP Scans
Authenticated ZAP scans with Jenkins integration (follow the HTML instructions)

Correlating DAST Results
The Common Weakness Enumeration (CWE) system is the best we have for correlation right now.
Problems:
    - Several tools don't give any CWEs, or give inaccurate ones
    - Multiple CWE values per finding tend to be difficult to handle and correlate with (Burp Suite, etc.)

Workshop Exercise
    1. Correlation of application vulnerabilities based on CWE (follow the HTML instructions)
    2. Diff scans with ZAP (follow the HTML instructions)
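Both exercises above rest on the same step: reduce every finding, whatever tool produced it, to a key that survives across tools and across runs. The example below is added here and is not the workshop's exercise solution; the ZAP alert shape is the real one (a 'cweid' string, '-1' or empty when the rule has no CWE), while the second scanner format, the tool name "othertool" and all sample findings are constructed for illustration.

```python
"""CWE-keyed correlation of DAST findings and diffing of two scans of one target."""
from collections import defaultdict
from urllib.parse import urlsplit


def normalise_zap(alert):
    """Map one zap.core.alerts() entry onto the common finding shape."""
    cwe = alert.get('cweid', '')
    return {
        'tool': 'zap',
        'cwe': int(cwe) if cwe not in ('', '-1') else None,   # no usable CWE -> None
        'name': alert['alert'],
        'url': alert['url'],
        'param': alert.get('param', ''),
        'risk': alert['risk'],
    }


def normalise_other(finding):
    """Hypothetical second tool that reports a list of CWEs per finding.

    The first CWE is the correlation key; the rest are kept so nothing is lost.
    This is the Burp-style multi-CWE problem the slide mentions.
    """
    cwes = finding.get('cwes') or []
    return {
        'tool': finding['tool'],
        'cwe': cwes[0] if cwes else None,
        'extra_cwes': cwes[1:],
        'name': finding['title'],
        'url': finding['url'],
        'param': finding.get('parameter', ''),
        'risk': finding['severity'],
    }


def fingerprint(f):
    """Key under which findings from different tools or scans count as the same issue.

    CWE + URL path + parameter. The query string is dropped because scanners
    vary the payload in it. A finding without a CWE falls back to its alert
    name, so it can still be diffed run-to-run but will not match across tools.
    """
    path = urlsplit(f['url']).path or '/'
    key = f['cwe'] if f['cwe'] is not None else f['name'].lower()
    return (key, path, f['param'].lower())


def correlate(findings):
    """Group normalised findings: fingerprint -> list of findings from any tool."""
    groups = defaultdict(list)
    for f in findings:
        groups[fingerprint(f)].append(f)
    return dict(groups)


def diff_scans(previous, current):
    """Compare two scans of the same target: new issues, fixed issues, persisting ones."""
    before, after = set(correlate(previous)), set(correlate(current))
    return {'new': sorted(after - before, key=str),
            'fixed': sorted(before - after, key=str),
            'persisting': sorted(before & after, key=str)}


# Constructed sample data: a baseline ZAP scan, a later ZAP scan, and one
# finding from the hypothetical second tool against the same target.
BASELINE_ZAP = [
    {'alert': 'SQL Injection', 'risk': 'High', 'cweid': '89',
     'url': 'http://target.test/items?id=1', 'param': 'id'},
    {'alert': 'Cross Site Scripting (Reflected)', 'risk': 'Medium', 'cweid': '79',
     'url': 'http://target.test/search?q=x', 'param': 'q'},
]
CURRENT_ZAP = [
    {'alert': 'Cross Site Scripting (Reflected)', 'risk': 'Medium', 'cweid': '79',
     'url': 'http://target.test/search?q=%3Cscript%3E', 'param': 'q'},
    {'alert': 'Custom script finding', 'risk': 'Low', 'cweid': '-1',
     'url': 'http://target.test/profile', 'param': ''},
]
OTHER_TOOL = [
    {'tool': 'othertool', 'title': 'Reflected XSS', 'severity': 'High', 'cwes': [79, 80],
     'url': 'http://target.test/search?q=1', 'parameter': 'q'},
]


if __name__ == '__main__':
    prev = [normalise_zap(a) for a in BASELINE_ZAP]
    cur = [normalise_zap(a) for a in CURRENT_ZAP] + [normalise_other(f) for f in OTHER_TOOL]
    for key, group in correlate(cur).items():
        print(key, '<-', ', '.join(sorted(f['tool'] for f in group)))
    print(diff_scans(prev, cur))
```

Note that the reflected XSS is reported by both tools but, once keyed by CWE, path and parameter, shows up as one issue that persisted between runs; the SQL injection is reported as fixed only because the later scan covered the same path, so a diff is only meaningful when both runs had the same scope.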

AppSec Automation - A Pentester's Perspective
How do we go beyond traditional DAST?
    - Scale testing of custom / business-logic security flaws
    - Create custom application exploits for non-standard or esoteric flaws
    - Create a library of attacks extending and complementing DAST scanners

Tools we will use: OWASP ZAP 2.6.0, mitmproxy 0.17

OWASP ZAP - Scripting Framework
    - Active Rules: scripts invoked during an Active Scan
    - Authentication Scripts: scripts invoked to facilitate authentication for a Context
    - Fuzzer Processors: scripts invoked after Fuzzers are run with ZAP
    - HTTPSender: scripts invoked against every request/response received by the ZAP proxy; they run inline and act on all requests and responses
    - Targeted Rules: invoked on specific URLs, or on manual start only
    - Standalone: invoked manually
    - Passive Rules: passive scanning rules

Configuring ZAP to run with Python
    - ZAP supports scripts written in Jython (Python on the Java JVM)
    - Not fully compatible with Python libraries: limitations on networking and I/O libraries in particular
    - Works when the "Python Scripting" add-on is installed in OWASP ZAP
    - Third-party Python libraries can be linked by referring to the Jython site-packages directory

mitmproxy
    - Primarily used as an extensible interception proxy
    - Powerful inline scripting framework
    - Pure Python implementation :) - highly extensible and scriptable
    - Current version is 2.x, on Python 3 only; this workshop uses 0.17, whose inline-script hooks take a (context, flow) pair. Later releases changed the script API (hooks no longer receive a context argument), so the snippets below need adapting on a current install.

ZAP Scripting Quicksearch

    msg                               # the HttpMessage object that a script parses / manipulates
    msg.getRequestHeader()            # request header object
    msg.getRequestHeader().getURI()   # fetches the URI from the request header
    msg.getRequestBody()              # fetches the request body
    msg.getResponseBody()             # fetches the response body
    msg.setRequestBody(body)          # sets a different request body from the one in the original request

ZAP Active Rules Template (Jython)

    """
    The scanNode function will typically be called once for every page.
    The scan function will typically be called for every parameter in every URL and form, for every page.
    """

    def scanNode(sas, msg):
        # Invoke something for every page here
        pass

    def scan(sas, msg, param, value):
        # Invoke something for every param here.
        # raiseAlert(risk, confidence, name, description, uri, param, attack, otherInfo,
        #            solution, evidence, cweId, wascId, msg)
        # risk: 0 info, 1 low, 2 medium, 3 high; confidence: 0 false positive, 1 low, 2 medium, 3 high
        sas.raiseAlert(1, 1, 'Active Vulnerability title', 'Full description',
                       msg.getRequestHeader().getURI().toString(),
                       param, 'Your attack', 'Any other info', 'The solution', '', 0, 0, msg)

mitmproxy inline scripting (0.17 API)

    def request(context, flow):
        flow.request.headers        # request headers object
        flow.request.host           # host in the request
        flow.request.path           # request path
        flow.request.content        # request body

    def response(context, flow):
        flow.response.headers       # response headers object
        flow.response.status_code   # HTTP status code of the response
        flow.response.content       # response body
        flow.request.host           # host and path belong to the request, still reachable from the flow
        flow.request.path           # (the Response object has no host/path attributes of its own)

Workshop Exercises
    1. ZAP POST-request Insecure Direct Object Reference active script
    2. ZAP JSON Insecure Direct Object Reference active script
    3. ZAP standalone script
    4. mitmproxy JWT brute-force script
    5. mitmproxy JWT attribute-check script
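Exercises 4 and 5 share one core: pull the bearer token off every proxied request, decode it without trusting the signature, check its attributes, and try a wordlist against an HS256 signature. The script below is an added example in the shape of a mitmproxy 0.17 inline script (the (context, flow) hook signature this workshop uses), not the exercise solution. The set of checks, the wordlist, and the sample token (signed here with a secret that is deliberately in the wordlist) are assumptions constructed for the example; the helpers are plain Python and can be run and tested without mitmproxy.

```python
"""JWT attribute checks and HS256 secret brute force, as a mitmproxy 0.17 inline script."""
import base64
import hashlib
import hmac
import json
import time

WORDLIST = ['password', 'changeme', 'secret', 'letmein']   # constructed; use a real list in practice


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b'=').decode('ascii')


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + '=' * (-len(text) % 4))


def make_hs256_token(payload, secret, alg='HS256'):
    """Build a compact JWT; alg='none' yields an unsigned token for the negative checks."""
    header = {'alg': alg, 'typ': 'JWT'}
    signing_input = '.'.join(
        _b64url_encode(json.dumps(part, separators=(',', ':'), sort_keys=True).encode())
        for part in (header, payload))
    if alg == 'none':
        return signing_input + '.'
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + '.' + _b64url_encode(sig)


def decode_jwt_unverified(token):
    """Split a JWT into (header, payload, signature_bytes) without checking the signature.

    Raises ValueError on anything that is not three base64url segments of JSON.
    """
    parts = token.split('.')
    if len(parts) != 3:
        raise ValueError('not a compact JWT')
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload, _b64url_decode(parts[2])


def check_jwt(header, payload, now=None):
    """Attribute checks on a decoded token; returns a list of finding codes."""
    now = time.time() if now is None else now
    findings = []
    if str(header.get('alg', '')).lower() == 'none':
        findings.append('alg_none')           # unsigned token in use
    if 'exp' not in payload:
        findings.append('missing_exp')        # token never expires
    elif payload['exp'] < now:
        findings.append('expired')            # still being sent after expiry
    if any(k in payload for k in ('admin', 'is_admin', 'role')):
        findings.append('privilege_claim')    # authorization carried in a client-held claim: tamper target
    return findings


def brute_force_hs256(token, wordlist):
    """Recompute the HS256 signature with each candidate secret; return the match or None."""
    header, _, sig = decode_jwt_unverified(token)
    if header.get('alg') != 'HS256':
        return None
    signing_input = token.rsplit('.', 1)[0].encode()   # header.payload exactly as sent
    for secret in wordlist:
        candidate = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(candidate, sig):
            return secret
    return None


def request(context, flow):
    """mitmproxy 0.17 inline hook: inspect the bearer token on every proxied request."""
    auth = flow.request.headers.get('Authorization', '') or ''
    if not auth.startswith('Bearer '):
        return
    token = auth[len('Bearer '):].strip()
    try:
        header, payload, _ = decode_jwt_unverified(token)
    except ValueError:
        return
    where = '%s%s' % (flow.request.host, flow.request.path)
    for code in check_jwt(header, payload):
        context.log('JWT %s on %s' % (code, where))
    secret = brute_force_hs256(token, WORDLIST)
    if secret is not None:
        context.log('JWT on %s signed with guessable secret %r' % (where, secret))


# Constructed sample: a token signed with a secret that is in the wordlist
SAMPLE_TOKEN = make_hs256_token({'sub': 'alice', 'admin': False, 'exp': 2000000000}, 'secret')
```

Run it with `mitmproxy -s jwt_check.py` (a filename assumed here) and drive the app through the proxy; findings and a recovered secret appear in the event log. Brute forcing against the captured signing input costs one HMAC per candidate and never touches the server, which is why it belongs in the proxy rather than in a request-replaying scanner.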
