Cofounder and CTO at Contrast Security
About
Jeff is a founder and CTO of Contrast Security - a revolutionary application security platform that automatically identifies vulnerabilities *and* blocks attacks in real time. Contrast works like "AppDynamics for Security" - no scanning, continuous monitoring, highly accurate, and integrated with all your favorite tools. @planetlevel

DZone Refcardz authored by Jeff:
* https://dzone.com/refcardz/introduction-to-devsecops
* https://dzone.com/refcardz/introduction-to-iast (Interactive Application Security Testing)
* https://dzone.com/refcardz/introduction-to-rasp (Runtime Application Self-Protection)
Stats
Reputation: 2085
Pageviews: 62.4K
Articles: 2
Comments: 31
Articles
Refcards
Introduction to DevSecOps
Introduction to IAST
Introduction to RASP
Trend Reports
DevSecOps
For years, security has been an afterthought — functionality that developers and product managers often address at the last minute. Security, like any other part of software development, is iterative; it takes rounds of testing and attention to detail to eliminate vulnerabilities. More organizations are beginning to understand the importance of security testing and integration, and as a result, they have started to incorporate security into their DevOps pipelines. With this in mind, we consulted industry experts and leaders about the state of DevSecOps adoption and implementation to help readers understand more effective ways to manage security throughout every step of the SDLC.
Application Security
DZone Trend Reports will expand on the content from DZone Research Guides that our readers have told us is most useful. The Application Security Trend Report analyzes new developments in the increasingly important field of AppSec to predict what's next.
Comments
May 31, 2020 · Mackenzie Jackson
Nice article! Note that Contrast CE provides open source analysis and RASP in addition to IAST.
Jan 05, 2020 · Unni Mana
I know it’s just a sample, but this is a textbook example of a reflected cross-site scripting (XSS) vulnerability. Could you add HTML entity encoding to the output so that attackers can’t use this to exploit victims? Thx!
Feb 21, 2019 · Sibanjan Das
For web app/API security, we released a *free and full-strength* tool called Contrast Community Edition (Java). Should be in every dev's toolbox. CE provides full IAST (vulnerability testing), SCA (open source analysis), and RASP (runtime application security protection). Contrast works from inside your applications using instrumentation - far easier & more accurate than scanning tools. Integrates with all your favorite tools, including Eclipse, IntelliJ, Slack, JIRA, GitHub, Jenkins, Splunk, and more. https://www.contrastsecurity.com/ce.
Oct 30, 2018 · Matthew Casperson
By the time the cast occurs, the damage has already been done. The deserialization process reads the untrusted data, initializes a new object of the attacker's chosen class with the data, and then calls the zero arg constructor. The attacker sends carefully crafted data and chooses certain "widgets." These widgets are just classes that do dangerous stuff in their zero arg constructor, and nobody knows just how many of them there are in a typical application. Sometimes you need a "chain" of these widgets to make a full attack. But when successful, the attacker can invoke Runtime.exec() (or something else harmful) and completely subvert the application.
Oct 25, 2018 · Chris Brumfield
Selenium is a fantastic way to drive Interactive Application Security Testing (IAST) tools as well. Just add the IAST agent to your application and run your Selenium tests. IAST does the security testing in the background without any tailoring or fuss. There's a free and full-strength IAST engine available from Contrast Security. Download here: https://www.contrastsecurity.com/ce.
Nov 29, 2017 · Jordan Baker
Finally, I think it's reasonable to include RASP in the list of ways of dealing with injection. By instrumenting applications so that they can no longer execute queries where the semantics of the query have been modified by untrusted data, RASP makes exploiting these flaws impossible. It's a bit like using ASLR to defend against buffer overflows.
Nov 29, 2017 · Jordan Baker
Second, I don't think of CSRF as an injection attack because there's no interpreter involved. Why not focus on command injection, LDAP injection, XPath injection, expression language injection, XXE, serialized objects, and other ways of targeting interpreters to make them do your bidding?
Nov 29, 2017 · Jordan Baker
First, validation (or what you call "filtering") is really a secondary defense for most injection attacks. It's a very bad idea to try to "filter" out malicious content -- there are just far too many ways to bypass. Just ask Samy. The primary defense for injection should be to use parameterization (preferred if API available) or output escaping. Not mentioning parameterized queries for SQL here is a major oversight.
Jul 10, 2017 · Duncan Brown
Not sure why, but link goes to the XSS Cheatsheet, not the XXE one. Try this one... https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
Jul 08, 2017 · Duncan Brown
Turn off doctype processing in your XML parser. Doesn't make sense to process doctypes from untrusted sources. Unfortunately, every parser does this differently.
Apr 28, 2017 · Ana Jones
This is nonsense. WAFs don't instrument anything. It doesn't make sense to "virtualize" your runtime platform for security. First, nobody wants to replace their platform. Second, it only allows visibility into calls to the platform. Instrumentation is the right way here, as it can see into the entire app, from runtime to appserver, to libraries and frameworks, and all custom code. It's the same technique used by New Relic and AppDynamics...anyone offering a "virtualized" platform for APM? No. And it doesn't make sense for security either.
Mar 10, 2017 · James Higginbotham
API security is critically important as we move to cloud, agile, devops, etc...
This article does a great job covering how to implement some defenses. But equally important is avoiding security vulnerabilities, like SQL Injection, CSRF, and the rest of the OWASP T10. Unfortunately, neither static (SAST) nor dynamic (DAST) tools work well on APIs. So you're going to need a new and different testing strategy. I wrote about it here:
http://www.darkreading.com/application-security/what-do-you-mean-my-security-tools-dont-work-on-apis!!/a/d-id/1321050
Feb 27, 2017 · Jordan Baker
If you're testing modern applications (cloud, libraries, APIs, agile, devops), check out Contrast Security. It's a lot like New Relic or AppD for security. Here's a 3 minute overview. https://www.linkedin.com/pulse/what-self-protecting-software-all-contrast-rsa-sandbox-jeff-williams
Feb 17, 2017 · Sarah Davis
Great article Matt. Contrast Security (http://contrastsecurity.com) is an instrumentation based tool like AppDynamics or New Relic for security -- it continuously identifies security vulnerabilities instantly and with much better accuracy than static or dynamic scanners.
Aug 29, 2016 · Alisha Henderson
Alisha - was there a reason that you left out Interactive Application Security Testing (IAST) from the list? IAST works a lot like New Relic or AppDynamics, but for security, not performance. The idea is that there is much more context available inside the application, so IAST can be more accurate than legacy SAST and DAST techniques. Also because IAST is distributed, it can scale much better.
Jul 28, 2016 · Michael Tharrington
Nice article Mike. DevOps + RASP (and IAST) is a killer combination... for the bad guys.
Dec 04, 2015 · John Vester
Absolutely :-) We've done it many times. And yes I do believe that there are still huge numbers of vulnerable applications out there. As I mentioned all current versions of WebLogic, WebSphere, JBoss, Jenkins, and OpenNMS are vulnerable. And anything that uses RMI. And any library or custom code that uses serialized data. You do the math.
Nov 29, 2015 · John Vester
All current versions of WebLogic, WebSphere, JBoss, Jenkins, and OpenNMS are vulnerable. Are you using any of those? There are almost certainly many more instances of this vulnerability as only a few gadget chains have been identified.
Nov 29, 2015 · John Vester
What? Serialized objects are just data too. And the same problem can be with objects serialized to XML too. See http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html. So fine, do it yourself. But be careful.
Nov 25, 2015 · John Vester
Agreed Christian. One of the problematic classes is https://apache.googlesource.com/commons-collections/+/COLLECTIONS_4_0/src/main/java/org/apache/commons/collections4/functors/InvokerTransformer.java. No special readObject(). And your code doesn't have to use it.
Researchers have found several of these dangerous classes, but there are almost certainly more.
Nov 25, 2015 · John Vester
Full disclosure: I work for Contrast Security. Our product uses software instrumentation (like New Relic) for security. Contrast is uniquely able to identify deserialization problems in your code instantly AND stop deserialization attacks across the entire application stack. All of this is in my bio on the site.
But this article is about the free and open source RASP agent that we released. We believe this problem is serious and that everyone could use a free and powerful protection. It's far easier to use this agent than to figure out if you are vulnerable anywhere in your stack.
Nov 25, 2015 · John Vester
Hi Charlie, there are a number of "gadget chains" that can be used to exploit Java deserialization. Apache Commons is only one. There are almost certainly plenty more of these powerful gadgets that can be exploited with the right set of serialized objects (see ysoserial tool).
Nov 24, 2015 · John Vester
So the real solution is to make it impossible to deserialize crazy-powerful classes that appear in a variety of libraries, frameworks, servers, etc... That's all the RASP agent we released does. A simple fix for a complex problem.
Nov 24, 2015 · John Vester
You are right that the solution is not to deserialize untrusted data, but that doesn't mean it's not a vulnerability. It is clearly a vulnerability in large numbers of applications. Many custom apps, frameworks, servers, and libraries still use serialization and RMI. The impact is far worse than Heartbleed, which in some cases could disclose secrets. Here the impact is a total server takeover, with the attacker able to run arbitrary code on the server. One difference is that this vulnerability is harder to identify than Heartbleed, causing some to discount the risk inappropriately.
Nov 24, 2015 · John Vester
Wrong. In this attack, the attacker serializes special objects that are instantiated with class, method, and parameters. When deserialized, this code runs. This is an exceptionally dangerous vulnerability. Try reading some of the links to get the full background.
Nov 24, 2015 · John Vester
Hi Oleksandr -- that's not really true. If your Java application deserializes untrusted data anywhere, the attacker can completely take over your server by invoking Runtime.exec() with arbitrary code. The deserialization doesn't have to be in your code -- could be in libraries/frameworks/server. Or any use of RMI. And it doesn't matter what you mark Serializable - because the attackers are taking advantage of Serializable classes already on your classpath.
Nov 23, 2015 · John Vester
You can find a free and open source RASP agent to protect against serialization attacks here. https://github.com/Contrast-Security-OSS/contrast-rO0.
Just download the jar, set an environment variable, and you’re safe.
export JAVA_TOOL_OPTIONS="-javaagent:/path/to/contrast-rO0.jar"
Nov 15, 2015 · Matthew Casperson
We just released an even better solution to this problem. It's free and open source.
Contrast-rO0 is a lightweight Java agent that uses instrumentation to block attacks targeting object deserialization problems like those described above.
This approach is the *only* way to protect your *entire* application because the problem can be in libraries or frameworks. Rather than re-architecting your entire messaging infrastructure, this agent absolutely prevents this vulnerability from being exploited.
https://github.com/Contrast-Security-OSS/contrast-rO0
Nov 15, 2015 · Matthew Casperson
Sorry - this flaw can happen in any application that accepts serialized objects from an untrusted source. The flaw is not restricted to apps that include Apache Commons. There are multiple different gadgets that can result in remote command execution. Beware.
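The deserialization comments above make two points: attackers abuse Serializable classes that already sit on the classpath, and the practical fix is to refuse to instantiate classes the application never expects. The allowlist filter below is an added example built on the JDK's own ObjectInputFilter (Java 9+), not the contrast-rO0 agent or any code from the original page; the Order class and the sample streams are constructed for the demonstration.

```java
import java.io.*;
import java.util.HashMap;
import java.util.Set;

public class AllowlistDeserializer {
    // Constructed sample type: the only payload this endpoint expects to receive.
    static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id; final int qty;
        Order(String id, int qty) { this.id = id; this.qty = qty; }
    }

    // Every class that may legitimately appear in the stream, nested fields included.
    static final Set<String> ALLOWED = Set.of(Order.class.getName(), String.class.getName());

    // JEP 290 filter: anything outside the allowlist (or absurdly deep/large) is rejected,
    // so a gadget class that merely sits on the classpath is never instantiated here.
    static final ObjectInputFilter FILTER = info -> {
        if (info.depth() > 4 || info.arrayLength() > 1_000) return ObjectInputFilter.Status.REJECTED;
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED; // callback without a class
        while (c.isArray()) c = c.getComponentType();
        if (c.isPrimitive()) return ObjectInputFilter.Status.ALLOWED;
        return ALLOWED.contains(c.getName()) ? ObjectInputFilter.Status.ALLOWED
                                             : ObjectInputFilter.Status.REJECTED;
    };

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Deserialize untrusted bytes with the filter installed; null means the stream was refused.
    static Object deserializeChecked(byte[] untrusted) {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        } catch (InvalidClassException e) { // ObjectInputStream throws this on REJECTED
            System.out.println("rejected: " + e.getMessage());
            return null;
        } catch (IOException | ClassNotFoundException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws IOException {
        Object ok = deserializeChecked(serialize(new Order("A-1", 3)));
        Object blocked = deserializeChecked(serialize(new HashMap<String, Integer>()));
        System.out.println("expected type accepted: " + (ok instanceof Order));
        System.out.println("unexpected type refused: " + (blocked == null));
    }
}
```

A HashMap is used as the unexpected class purely because it is benign and always present; the filter treats any class outside ALLOWED the same way.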
Jan 22, 2015 · grspain
Hi Luca -- Contrast for Eclipse is totally free and finds most of the OWASP Top Ten quickly and accurately. We're trying to help the JavaEE world avoid the critical vulnerabilities that are enabling hackers to cause all the problems you've been reading about in the news. I'm sorry you felt this was marketing.