Integrating secure coding to DevSecOps cycle
Session Description
This talk aims to overcome the drawbacks of the current approach of teaching application security by blindly attacking applications to analyze vulnerabilities.
This results in engineers being unable to figure out the proper fix for the vulnerabilities and hence allowing attackers to exploit the same.
The labs will help security enthusiasts, developers and students to identify the root cause of the vulnerability in the code, patch it, re-deploy the application, and finally verify the fix.
As an attendee, you will learn to find vulnerabilities with both an attacker and a defenders point of view which would help in a swift SDLC of fixing and moving forward instead of traditional pentesting procedures of fixing
the issues at the end of the cycle. The demonstration will be done using a vulnerable e-cart application with microservice architecture which is deployed using docker where the vulnerable code is attacked and replaced with secure code snippets, compiled, deployed and pentested again to demonstrate how fixing a vulnerability at the root saves engineers time and efforts.
Open source tools used:
nMAP
ZAP
Detailed Plan
The talk will be divided into two sections: Attack & Secure Coding. This talk is completely beginner friendly for an audience ranging from students to professionals
Note: The demonstration will be shown for every vulnerability and patches alongside the talk. If the participant wants to have a hands-on session, the dockerized application will be provided to the participants to be set up in their personal laptops.
The Hands-on lab is an intentionally vulnerable dockerized e-commerce application for testing for bugs which our team would demonstrate. The application uses a microservice architecture which uses multiple components of the e-commerce app as services which are written in different programming languages and databases to help attendees learn attack and defense vectors in multiple tech stacks. We would explain the bug, where to find it and why it occurs along with a demonstration of how to look for the bug in any application. This class focuses on specific areas of appsec and on advanced vulnerability identification and exploitation techniques.
Hands-on labs to attack the components of the vulnerable e-commerce site would be provided with multiple ways of exploiting the bug.
● Mass Assignment vulnerability
● SQL Injection
● File Upload Vulnerability
● Remote Code Execution
● IDOR
● Server Side Template Injection
● OS Command Injection
● Server Side Request Forgery
● Cross Site Scripting
● Lack of validation
● Local File Inclusion
This talk takes a comprehensive and practical approach at implementing DevSecOps Practices for efficient Application Security.
The attendees would be taught to do source code analysis, mitigation techniques and security practices. Secure code snippets to implement the following practises would be taught:
● Input Sanitisation
● Data transfer Objects
● Parameterized queries
● Stored procedures
● File type validation checks
● Access Controls
● Whitelisting
● Rate Limiting
● Sandboxing
● Shell Escape Mitigations
● Parameter Validation
● Response Validation
● Regex checks
● Authorization Checks
Key Takeaways
Open source tools used:
nMAP
ZAP