
Title: Lite version of SDL implementation practice


1. Preface

Security is generally the responsibility of the operations and maintenance department. I had discussed with the O&M director of my previous company whether some day-to-day security work could be integrated into DevOps, but not long after that I left for various reasons. In May 2018 I joined a third-party payment company and spent the first half of the year on one inspection after another. The regulatory climate was strict and senior management paid attention to security (mainly because of supervision), and every department's goals for 2019 were tied to security. Because a payment company has to face inspections from various regulators, some areas of security were already handled relatively well. After nearly a year of getting to know the company, I found that application security was comparatively weak. The better-established solution in the industry for this area is SDL. After talking with various vendors, I decided to promote it in the company step by step.

[image: the standard SDL process]

The picture above shows the standard version of SDL. Since O&M uses a DevOps system and testing uses automated functional tests, the release cycle is fast, security staff are scarce, and SDL's threat modeling step is also confusing; inserting security into the whole process would seriously delay delivery. So we looked at some practices in the industry and decided to simplify SDL. The simplified version of SDL is as follows:

[image: the simplified (lite) SDL process]

2. Lite SDL implementation practice

Security training

One of the cores of SDL is security training, so in that area we have done secure coding, security awareness, a security knowledge base, and a security SDK.

Secure coding:

We collected some Java secure coding specifications and product security design and development specifications from the internet, combined them with the company's actual business, and released a version.

Because the regulators require training, we introduced security training and regularly train developers and new hires.

Security awareness:

The company has a WeChat enterprise official account that most employees follow, and we ran awareness promotion on it.

After completing the promotion, a small gift is handed out.

Because of insufficient staff, functional testing and security testing essentially overlap. The testing department has been fairly cooperative and we ran some security-testing training for testers, but the results were not ideal.

Security knowledge base:

During vulnerability remediation, many developers do not understand the principles or the fix, so we built a security knowledge base. Developers first check the knowledge base for a solution; if they cannot find one, they talk to the security staff, who keep updating the knowledge base, forming a closed loop.


Security SDK

Since the company has an architecture department that provides the development framework, we discussed some common vulnerabilities with them and had the architecture team implement fixes for them in an SDK. Developers only need to import the JAR package and configure it in the configuration file. There are still many pitfalls that need to be optimized over time.


3. Security requirements design

The company has a project approval system, and every project must be approved through it. Security is a mandatory item, and security must also take part in the review meeting.


At that point the project manager contacts the security staff, copies a VIP product security design specification, and the security requirements are determined from the requirements document together with the project manager.


After the security requirements are confirmed, they are added to the requirements document and the security testing time is confirmed. This process applies only to new projects; requirement changes to projects that are already live do not go through it. How that part is handled is covered under security testing below.


4. Development and security testing

Security testing is mainly divided into code audit, vulnerability scanning, and manual security testing. The security products derived from these fall into three categories: DAST, dynamic application security testing (WVS, AppScan); SAST, static application security testing (Fortify, RIPS); and IAST, interactive application security testing (Seeker, Lijian). For a detailed introduction to the three, see https://www.aqniu.com/learn/46910.html. The figure below compares the test results of the three product types.

[image: comparison of DAST, SAST and IAST test results]

These products can be automated and integrated into DevOps. Next we incorporate these tools into the development and testing phases.

IAST has many implementation modes; common ones are proxy mode, VPN, traffic mirroring, and instrumentation mode. This article introduces the two most representative ones, proxy mode and instrumentation mode. Some of the products surveyed are shown in the figure below; the detailed test results will not be published.

[image: IAST products surveyed]

Development stage

While investigating these products we found that IAST's instrumentation mode can be placed directly in the development environment. The main difference between the code in the development and test environments is the application.yml configuration file, so this mode can be brought forward into the development stage.

When developers finish writing code, push it to GitLab, deploy it to the development environment and start the application, they need to verify that the feature works, and at that moment it can also be checked for vulnerabilities.

The company uses Rancher for the test environment. We put the IAST JAR package into the project's GitLab repository, pull the code locally during deployment, and add the JAR to the container by modifying the Dockerfile:

ADD shell/xxx.jar /home/app/xx/lib

Since the company's projects basically all use Spring Boot, every project starts the application through a start.sh script. start.sh and the Dockerfile have to be added to the project's GitLab repository, and the start.sh script is modified at the same time:

java -javaagent:$APP_HOME/lib/xx.jar -jar $APP_HOME/app/*.jar --spring.profiles.active=dev > $APP_HOME/logs/startup.log 2>&1
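As an added example (not the post's own start.sh), the following script builds that java command line but only attaches the IAST agent for the dev and test Spring profiles, so the instrumentation JAR is never loaded into a production container by mistake. APP_HOME, the placeholder agent name xx.jar and the profile list are assumptions.

```shell
#!/bin/sh
# Added example start.sh: attach the IAST agent only for non-production profiles.
# APP_HOME and the agent jar name are assumptions (xx.jar is the post's placeholder).
APP_HOME="${APP_HOME:-/home/app/xx}"
IAST_AGENT="$APP_HOME/lib/xx.jar"

# Print "yes" when the given Spring profile is allowed to run with the IAST agent.
agent_allowed() {
    case "$1" in
        dev|test) echo yes ;;
        *)        echo no ;;
    esac
}

# Print the full java command line for a profile; -javaagent is added only
# when agent_allowed says so, everything else matches the post's command.
build_java_cmd() {
    profile="$1"
    agent=""
    if [ "$(agent_allowed "$profile")" = yes ]; then
        agent="-javaagent:$IAST_AGENT "
    fi
    printf '%s' "java ${agent}-jar $APP_HOME/app/*.jar --spring.profiles.active=$profile"
}

# Stand-alone use: ./start.sh --run  (SPRING_PROFILE defaults to dev).
# Fails fast if the agent is expected but the jar was not ADDed to the image.
if [ "${1:-}" = "--run" ]; then
    profile="${SPRING_PROFILE:-dev}"
    if [ "$(agent_allowed "$profile")" = yes ] && [ ! -f "$IAST_AGENT" ]; then
        echo "IAST agent $IAST_AGENT missing from image" >&2
        exit 1
    fi
    mkdir -p "$APP_HOME/logs"
    eval "$(build_java_cmd "$profile")" > "$APP_HOME/logs/startup.log" 2>&1
fi
```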

The test items are as follows (typos ignored):

[image: test items]

After the developer's committed code is deployed, exercising the normal functions shows on the platform whether there are vulnerabilities.

Some products also detect third-party component packages.

The company uses Harbor as its image registry. After a project is deployed it is packaged into an image and uploaded to Harbor, and Harbor comes with an image scanning function.

Testing phase

After development is complete, the project enters the testing stage, where we perform static code scanning, functional testing, and security testing.

Static code scanning

A static code scanning tool scans the code before compilation and finds various problems at the source level, including security issues. Some of the tools are listed below:

[image: static code scanning tools]

For static code scanning we use SonarQube integration with FindSecBugs and a streamlined rule set, and then perform static bug and security scanning during continuous integration.

While scanning static code, third-party dependencies can be scanned too; OWASP Dependency-Check can be integrated into the CI process. Since IAST products already support this function, I will not introduce it.

Functional testing

For functional testing, the company's testing department has built an automated test platform. Early on we did not use agent-based detection; at the beginning we used the open-source GourdScan plus OpenRASP, with OpenRASP's default configuration set to non-blocking mode with vulnerability logging enabled, to detect vulnerabilities that are not reflected in the server's response.

Just configure the proxy IP on the automation platform:

OpenRASP vulnerability record:

Later, testers reported that the scans produced too much dirty data and the results were not good, so I abandoned this plan. The IAST instrumentation approach is used in the development stage, and the test environment also uses the agent to detect problems in the same way as development. After functional testing is completed, since testers do not understand vulnerabilities very well, the defined process is that testers view the report on the platform, discuss with security staff which problems need to be fixed, and then write the problems into the test report.

Security testing

In the testing phase, security has been added to the entire process: every requirement change has to complete functional testing, which means every process has passed security testing. Given that, security staff are not sufficient, so it was decided to distinguish internal from external services to determine whether security personnel need to be involved.

Vulnerability management

We formulated a vulnerability management policy in which vulnerabilities are rated by their impact. Critical vulnerabilities must be fixed before release; high-, medium- and low-risk vulnerabilities have less impact and are scheduled for remediation. Security staff track the remediation status regularly.

5. Monitoring

Payment companies generally have security appliances. Here we basically send the devices' syslog to the log center for visualization and write custom rules to generate alerts.

6. Conclusion

My personal knowledge and experience with the SDL system are limited and I had no prior experience, so this is as far as I could get. There are many places to optimize and processes to add in the future. If you have any good suggestions, please feel free to get in touch.

Source: https://xz.aliyun.com/t/5656
