Diving Into The Key Pieces of DevSecOps
Speaker 1: Welcome everyone to the Bright webinar, where we are going to dive into the key pieces of DevSecOps. So I’m Tanya Janca and I’m your host. I’m from Bright Security. We make a dynamic application security testing tool, so sort of like for your web apps and your APIs. And with me today is my totally awesome friend, Vandana Verma. Can you tell everyone a bit about yourself?
Speaker 2: Sure. Thank you so much, Tanya. It’s always a pleasure to speak to you and to be on webinars with you. It always makes me feel super happy. A little bit about myself: I’m currently working with Snyk, the software security company. I’m currently one of the board members for OWASP as well. Amazing. That’s a little bit about myself.
Speaker 1: And for those who are interested in OWASP, there is an election coming up next month, so get ready if you are a paying member, because you are going to need to vote for people to join. So Vandana is staying on the board, she has more time, but we’re voting in some new people and maybe re-electing some people that are on the board. And so you’re going to receive an email from OWASP in the next few weeks asking you to vote. And so you should pay attention, because if you don’t vote, you don’t get heard.
Speaker 2: Cool. That’s right. Voting is important. The members, the community makes it. The open source community is what that is. So we need people. Yeah.
Speaker 1: Okay. So today we’re going to talk about DevSecOps and how it’s not only a process change but an entire cultural change that enables collaboration throughout the entire system development lifecycle by uniting the three teams: the development team, the security team and the operations team. And so Vandana and I wanted to talk about SAST, static application security testing; SCA, software composition analysis; and DAST, dynamic application security testing, but also lots of other acronyms, because we wanted to talk about basically the things that make up that process. So I was wondering, Vandana, since I said a lot of acronyms, if maybe you could explain what SAST is for everyone, and code review. Like, I don’t know, however you want to define it.
Speaker 2: Yeah. So SAST simply means software design or code testing, in very, very plain words. And a lot of people, especially developers, think that when they are testing their code, that’s also called SAST. But here we are speaking in terms of security, where when we write the code we are testing the security, and the security features are important things that we need to consider as part of that. Now, one important aspect when we talk about SAST is that there are bugs that we can fix early on when we are writing the code itself, so why not fix it at that time rather than fixing it at any later stage? So it’s more of a testing methodology where we test the code quality in terms of security. So it does not require a working application. It can take place without even the code being executed. So it helps everyone, especially developers, in finding the vulnerabilities or the bugs in the initial stages of the development, which they can actually fix early on without even breaking the build or passing on vulnerabilities. Earlier, what used to happen is we used to fix bugs or find bugs at the later stage and say you cannot go live. Now we have shifted left and we have come to a point where we are going to start understanding it from the beginning itself. So SAST tools give developers an experience where they can fix in real time as they code, which can help them fix issues before they even pass the code to the next phases of the SDLC, which actually helps them in finding and fixing security-related issues before they are even considered an afterthought. So SAST is something which, in simple words, lets us understand the code from a security perspective and fix these issues, and we’re going to make it part of a sort of lifestyle, a developer lifestyle. Another interesting aspect is that SAST can enable developers to create the code and the tool relatively.
And another important aspect is just that I feel that developers have the power to do everything. If I do something, I might not be doing it as well as they do, because they know the environment well. So with a SAST tool, if they know it and they work with it, they can fix the findings better than I do. So SAST is that, in simple words. But yes, I do want to add something to it.
Speaker 1: Actually, I think it’s perfect. And I love that you explain it in a different way than I usually explain it, because I feel like I’m learning. So that’s awesome.
Speaker 2: But let me tell you, I want to learn the way you’d say it, because everyone loves it. And you start.
Speaker 1: Okay. So I usually explain SAST with the idea that you can do manual code review for security issues, or you can use a tool to help you find security issues in your code. And so SAST looks at the code your team wrote. So the custom, unique code for your application that you built. It’s not looking at dependencies generally; it’s usually just looking at the code your team wrote. And some of the SAST products do symbolic execution. So for those of us who are nerds who had to build a compiler when they were in college or university, I’m one of those. It parses down your application into components and then it tries to follow every single possible outcome of your code to look where there might be a vulnerability. And then there’s newer types of SAST tools where instead of doing symbolic execution, which can take a long time, they do pattern matching for anti-patterns. So an anti-pattern is: we know for sure if it’s got this pattern, it’s bad. So let’s say you’re grabbing some input from the user from the screen and then you immediately use it without doing any sort of validation, sanitization or escaping or anything. So it’s like, oh, that’s probably a bad pattern, because you took something from the user and you didn’t check to see if it’s what you were expecting. So there could be something malicious inside there. So this is not good. Or we see you’re not using any security headers. Apparently you like to live dangerously. We don’t want that as your SAST tool. So it tells you generally things that it is pretty darn sure are bad, but it doesn’t perform symbolic execution, so it might miss some things. But it’s really fast and tends to give a lot of true positives, whereas when you do symbolic execution it is trying to find 100% of the things that might be a problem, and it will find more things, but it also tends to find false positives. So I find that they kind of fall into two buckets at this point. So people who are watching:
Hi, everyone. Thanks for being here. If you have questions for Vandana and me, you can put them in the chat and we’ll answer them when it makes sense. So if you’re asking a random question that doesn’t have to do with what we’re talking about, we might wait. But if it does have to do with it, we’ll just add it into our answer or separately answer it. You can also use the Q&A function if you’re more comfortable with that. But next, I was thinking we could talk about dynamic application security testing, and maybe I could define it and then why I think it’s important, and you could define it and why you think it’s important.
Speaker 2: I think that’s a good way. But how about we talk about software composition analysis?
Speaker 1: Okay, let’s do that first. Yes. Do you want me to start or do you want to start?
Speaker 2: I think you should start first, and then I’ll add some.
Speaker 1: Okay. So, software composition analysis. The idea is they are taking a look at your code again, but they’re looking at all the components, like the third party components. So this could be a library, this could be a Ruby gem, this could be a NuGet package. So anything that you did not write, but that’s included in your application. And so it looks at what you’ve got and the versions, and then it tries to see if they’re already known to be vulnerable. So they’re not performing static application security testing on your third party components. What they’re doing is cross-referencing it with a list. So that list is very valuable. So if you look up CVEs, Common Vulnerabilities and Exposures, those are all things that we know are vulnerable. It’s like if you have this version of Windows and you’re missing this patch, we really need you to do it, because there are these vulnerabilities in the earlier version of Windows, right? And so when it’s products that are well known, like Windows, SharePoint (I don’t mean to only name Microsoft things, so like Confluence, etc.), there are all these different cool products. They can have vulnerabilities in them, but everyone has the same one. So if you have Windows 8 Service Pack 1, it’s the same as my Windows 8 Service Pack 1, which I don’t have, to be clear; I didn’t like Windows 8. But it’s the same. But when we make custom software, it’s a snowflake. It’s unique. The code that Vandana or I write to do the same thing will be different. Even if we’re both coders, it will be different. And so it’s looking at these components that are inside of your code.
And this list of all the vulnerabilities that are known is created by checking public databases, but also by having a whole ton of security researchers work for these companies that make the software composition analysis products, and they look through popular Ruby gems, they look through popular NuGet packages and all the other things to try to find vulnerabilities and add them to this list so that they can protect their customers more. And so basically you run it, it’s very fast. It’s like: you have these 25 dependencies and four of them are really scary, and here’s why. And then it suggests, like, upgrade to this version or that version, so you’ll be in a secure, or at least not known to be vulnerable, version. And so that is my definition of software composition analysis.
Speaker 2: Very interesting.
Speaker 1: SCA is all about dependencies.
Speaker 2: Yeah. Agreed. And actually, you rightly said that software composition analysis is one of the very important aspects, because now when we talk about software, we have a huge amount of software which is all open source. Software composition analysis naturally provides greater visibility on the open source components and the vendors that we have, the third party libraries and dependencies we have, and it helps us also manage the licenses that we have, because a lot of times we have something we don’t even know about. Like, I’m a developer. My code is not working. I download a third party library from the internet. It works. Now I leave the project, go somewhere else. Nobody even knows that there’s a third party dependency. So software composition analysis literally helps there, because if we go back to just a few months back, when Log4Shell happened, everyone was going crazy. A lot of live chats, a lot of discussions, webinars. Every company was giving a statement: oh, we are vulnerable, or we are not vulnerable, or we have a third party vendor which is making us vulnerable. So how should we deal with that? It was the talk of the town, but was it new? No. In 2017 there was a big breach that happened with Equifax. Now they’ve come out stronger, really well. But then the Apache Struts vulnerability is a big one. But even after five years we are still sailing the same boat, because we miss addressing certain issues, which would actually be addressed with software composition analysis, and they needed real attention. So software composition analysis can have multiple items to check on, or a bucket list, like what kind of vendor we are using as part of those projects, what kind of library we are using, what’s the version of it, from where it’s coming and what kind of licenses it’s using. Because if we miss out on licenses, it’s again a big issue. And that’s where we talk about a software bill of materials, where we have to track each and everything.
Now I’ll stop, because I can see a lot of questions are popping up, and interesting questions.
Speaker 1: Okay, so where do we even start? So one of the first questions was: what layer of the OSI model does a SAST tool work on? And it works on the application layer. Like, Vandana and I are definitely talking about the highest level, level seven, which is the application layer. And is software composition analysis all about dependencies? Oh yeah. But Arturo had a question that I thought you might think is interesting, Vandana: does SCA typically look at interdependencies by default? So I believe that means like a dependency that’s on another dependency, because you include this library, but it needs these three libraries, and those need these six libraries, and so on.
Speaker 2: Yeah. I think “by default” is a question, and it depends on the tool that you’re using. Because if you don’t have the tool which actually checks the interdependency, you would never be able to figure it out. So you have to evaluate the tools. And I’m not going to preach about any of the tools, but not every tool does that. Let’s put it this way: Log4Shell actually brought up this point, because when you are not vulnerable but you have a third party dependency, and there’s another dependency which is reliant on that, if you fix the one which you can see right now, you fix it, but then the other one makes it vulnerable. So it depends on the tool that actually gives you the result, or you would never get to know that.
Speaker 1: Yes.
Speaker 2: So let’s put it this way. So you have to evaluate the tool.
Speaker 1: Not all tools are created equal. And also some tools have weaknesses. And I’ve seen it where some you’ll take two different tools and compare. And it’s like, wow, this one found like 100 and this one only found ten. And I’m kind of scared now.
Speaker 2: Yeah.
Speaker 1: Yes. So Scott had a question. How do transitive dependencies factor into that definition of software composition analysis? Do yesterday’s old SCA solutions cover areas such as SBOMs? So I feel like that’s two questions.
Speaker 2: Yeah. And the interesting part is that not every transitive dependency can be detected by the tools that we were discussing, because you might be able to see that there’s a source to sink. But what’s next? You never know. I’ll give you an example of second-order SQL injection, which sometimes used to be false positives, but a lot of times it could be true as well. So it depends in that too. You have to weigh it. Let’s put it this way. And a tool might not even detect it as well if you don’t have it rightly set up. Another thing is that when you’re testing those interdependencies, SBOM creation is not done by most of the tools. SBOM creation can only be done by you, at least from what I know from what I see in the industry. You have the information which is shared by SCA tools, and then you actually pass that information to an SBOM so that you have everything right, because one tool might detect it in a certain form, but then you have other tools as well which are giving you that information. So it’s best to have your customized SBOM tools and you take care of it from that. And we have amazing SBOM tools available which are open source, which are free to use by all of us, and I’m going to preach about it: CycloneDX. So hi to CycloneDX friends, and you can use it, you can leverage it. All the information, everything, they keep it, try and keep it up to date. You can leverage that. But not every SCA tool does it, for sure. And at least that’s my understanding.
Speaker 1: I’m hoping that over time, though. So SBOM stands for Software Bill of Materials, and it’s a list of every single thing that you need in order to build the software. So it’s every single component that you need, all the stuff you need to build your thing. And this is a thing that software kind of, so CI/CD and DevOps, a lot of those things, they all came from the manufacturing world, where basically, instead of a pipeline made of software, they have an assembly line that’s physical. And so the bill of materials is like: we need all these ingredients to make our product. And if we’re missing one, our product’s not going to work, right? And so whether your product is tomato sauce or your product is a piece of software, if you’re missing one of these things, it’s not going to be right. Your product is going to be faulty. And so the industry, we’re hoping, is moving towards some sort of standardization on what the format for an SBOM will be. But a lot of people are following the OWASP CycloneDX project and their format. And so I’m hoping over time, Vandana, that all the companies that do software composition analysis, eventually you’ll be able to export the information into an SBOM, because life will be glorious then.
Speaker 2: Yeah, absolutely. And the best part is that once we have that, we would have fewer hygiene issues, because we still have a lot of hygiene issues. Most of the problems are, right, because we don’t even know what we have in our house. And we start fixing the unknowns of the world, which everyone is talking about.
Speaker 1: Yeah.
Speaker 2: Yeah. So a lot of things we don’t know. Yeah.
Speaker 1: No, no, you.
Speaker 2: Go ahead, please. I was just saying that we have a good list. No, no, no, no.
Speaker 1: I’m waiting for you. I need to zip it.
Speaker 2: Please go. I think there’s so many stories to tell. And this topic is so dear to both of us, and we’re so excited about it. And there’s some wonderful questions in the chat box that we are like, Yes, and this is amazing. Like, the audience is truly amazing.
Speaker 1: I know. I feel like we get to have such friendly, awesome audiences on the Bright webinars. Like, they ask tons of questions, and quite frankly, a lot of their questions, I’m like, that’s so good, I should write a blog post or so. The next question is from Arturo. So he already asked an awesome question. He has another one. So what’s the difference between a SAST tool being utilized on a binary, so that’s like a compiled version of your app, versus scanning the actual source code, so stuff you save into version control, like if-then-else, etc.? And I would say that different tools, some of them are able to work on a binary and some of them aren’t. So if you’re doing symbolic analysis and you’re going to parse apart the things, they decompile the binary and they try to parse it out and then they do the same symbolic execution. That’s the original style of SAST. But then some of the newer ones that look for anti-patterns, they don’t necessarily work with a binary. It really depends on the tool you’re buying. What do you think, Vandana?
Speaker 2: Yeah, I agree. And especially if I talk about SAST, it actually checks out the application, looks inside out at what’s inside the code. And when we talk about the SDLC, it can really fit greatly. And it’s mostly trying to figure out the build that we have created. But when you talk about SCA, it’s more of the third party things that we have integrated as part of the code. And why do we even talk about both of these? Because if we go by the research which has been done by many companies, only 10 to 20% is the code that we write, which can be tested by SAST; now comes SCA, which is like mostly 80 to 90%. So we need to have consideration for both SAST and SCA, and they go hand in hand. And as I mentioned, not every tool does both of the things. Some are good in SAST, some are good in SCA, some are trying to fit in both. And then the languages, the number of languages that we have.
Speaker 1: I feel like it also depends on what you’re trying to do with it, right? So if I am working with a newer company that just started building software two years ago, and their stack is very modern and they’re using CI/CD in order to deploy their code and test their code, then I don’t need to test binaries. All our code’s new; that’s not what I need. But quite often, Vandana, I’m working with these large enterprises that are 30 years old, and so they have software that’s maybe 20 years old, and sometimes they don’t have the source code anymore. All they have is a binary. And so then I need a SAST tool. And also, if it’s that old and they don’t have the code anymore, it’s usually like the security could be rated like this: very not good. And so usually I’m like, okay, we’re going to put a firewall around that app. We’re going to do network segmentation so it can’t get out. We’re going to put a web application firewall in front of it, and then we’re going to scan it with a SAST product, like just scan the binary. That’s all we have. So I know if it’s a little scary or if it’s utterly terrifying, and then you’re just doing what you can. It’s almost like palliative care for an app. Like, we know you’re going to pass away soon, but we’re going to try to take as good care of you as we can until that day. Like, I worked somewhere last year and we had a 38-year-old app and it needed a lot of love and tender care. And so I think it depends on what you need to do with your SAST tool which ones you choose. So you kind of have to come up with a list of requirements before you choose something.
Speaker 2: You actually said it very right. And I’ll tell you an example about my friend. I’m not going to name names, but the person said the tool is fancy. And everyone was like, oh, this is a buzz in the market, and we bought it. Now they bought it, but it is not at all useful, because it’s not fulfilling or ticking the boxes that they are supposed to have. So the most important thing is to have a checklist of what we really need, and then go into the market to test it out, to check it out, if it ticks my bucket or not. If it ticks 80%, I think it’s good. It’s really good. Nothing can be 100%.
Speaker 1: Yeah. I feel like how to perform a proof of concept with a new tool and how to evaluate which tool your company actually needs could potentially be another session we could do sometime, because I’ll talk with the developers and get requirements from them and be like: How would you like to use it? How would my team like to use it? What do we need to cover with it? And I think sometimes people are like, I heard this person talk at a conference and they’re really cool, and so their product’s probably awesome, and so I should just buy that. Versus, it turns out that devs really need to do this with it, and so we need to make sure it does this before we make any purchasing decisions. I think I’ve definitely had some big bosses that are like, I heard product XYZ is cool and we’re going to buy it. And I’m like, oh no. Yeah. So there’s a bunch of other cool questions. So Josue, I hope I said your name correctly, says: Do we create our own SAST, or are there ones that we can use? So definitely there are tons of products on the market you can buy. Snyk makes one, right? Bright does not make one; we make a dynamic scanner. There’s a whole bunch that you can buy, and then there’s a bunch of free ones, and some of the free ones are really good. Like Brakeman, for Ruby. It’s good if you do Ruby. If you only do Ruby, probably use Brakeman. But there’s a bunch of open source ones that are not super fantastic awesome, but if you have no budget, it’s way better than nothing. So it depends. You need to evaluate. And then the second part of Josue’s question was: how can we integrate them into the host, like Vercel or Heroku? So Josue, it’s not something you would integrate with the host. You might put it in your CI/CD so that when you are running tests, one of the tests is that, or you might integrate it with your code repository.
So every time you check code in, boom, it runs a scan for you and tells you, like, oh, you changed this code and I’m kind of concerned about this. You could run it yourself manually from your IDE or from the tool itself and say, like, this is a folder full of code, could you test it and tell me what you think? But maybe I don’t understand your question, and if so, just clarify and send another one in. But you don’t integrate it with the host. Is this correct, Vandana? You wouldn’t integrate it with the cloud provider.
Speaker 2: So no, no, no, no, no. But I think, you said it perfectly. I’ve not seen it with Heroku. But if you talk specifically about AWS or Azure, we see that there are a lot of tools getting integrated, but not like you integrate with an app, or like a SAST, that I think I have not seen. Maybe. But yeah, in the development pipeline, yes, we can have these tools as part of the pipeline and then get the reports out of it, get the bugs out of it. Yes, you’re right.
Speaker 1: We agree. We agree a lot. You audience members should be prepared for Vandana and me to agree basically always. Not just because we’re friends, but because we both have similar experiences. Like, we both learned a lot from OWASP. We’re part of the same charities, and we both want the same things, which is everyone making way better, more secure software. There is a question in the chat, Vandana, and I don’t know the answer. And so I was wondering if you know. So this is from Accolade. So Accolade says: might be a little off topic, but it would be cool, I don’t know if it’s possible, can we create an exit trap for reducing the risk of running with known vulnerabilities? I don’t know if this is feasible. So I don’t know if, have you heard of “exit trap”? Because I was thinking like, in a sense, it breaks the build if you have a vulnerable thing. But have you heard of that term before?
Speaker 2: I think exit trap, as generally I would see it, is in the form of a network security perspective, where something is going out and then you’re dropping it and you’re figuring it out. But in this case, when you talk about these risks which are already there, which are part of your vulnerabilities, what you can only do is you can actually figure out that, yes, you have these vulnerabilities, but if you want to have these known vulnerabilities and you still want to go ahead with that, then you need to have proactive controls. Like Tanya said, web application firewalls and network segmentation can be seen as an exit trap. Just to put it in context, because there’s nothing else that I can see that you can do much about it, because if you have to have those components, like legacy servers, legacy application software, then there are only certain things that you can do: have some controls which can track it and give you information that something is happening. Have those policies, strict policies, that, okay, this is my critical application, but it’s a legacy application, so I need to monitor how the traffic is moving. So you have to have your proper SIEM solutions configured so that you can track what’s happening, where traffic is going out. I think that can be one thing. And another interesting aspect is that web application firewalls can actually stop the incoming traffic, but outgoing traffic can only be controlled by network policies, network segmentation, where we talk about so-called zero trust. We bring in that. But SIEM solutions are one of the good solutions to monitor it.
Speaker 1: Yeah. And to add on to Vandana’s answer, now that I understand the question: a WAF analyzes all the input to your app, but it also can analyze the output from your app. So you can actually set rules about what can go out. So you could block, for instance, really big output. So if someone does a SQL injection, they usually try to see if they can read all the stuff in the database and exfiltrate it, so steal your data, which obviously we do not want, and then they might try to modify things, etc. And so if you see a request go in and then a ton of data is coming back, you could tell your WAF maybe you shouldn’t send that, or don’t send things if it’s to certain IPs, et cetera. So it depends on the WAF you buy, but they tend to have not only input filters but output filters that you can set.
Speaker 2: Yeah. And interestingly, I think Accolade has added some more details, like the short version would be having a virtual machine or a build exit when a vulnerable code path is hit. See, the fun fact is: how exactly vulnerable is it? You need to have some mechanism where something which is going to be coming from the external facing side, when you have a live application and somebody is trying to get inside. But if you talk about just the code part, it can only be detected within the code inside the application. Another explanation could be where you have these bots designed specifically to lure people, just to make sure that it’s not hitting your inside application. But again, even if you build a virtual machine and play around with the code part, it is going to be doing the same thing as it does on the native system if it’s vulnerable. So you need to have those proactive controls, and I think it’s going to work out.
Speaker 1: What she said. I agree with what she said. So we have a lot of questions now. So a question in the Q&A section from someone cleverly named “anonymous attendee”: For dynamic analysis, do you recommend any open source tools such as Python scripts, customized Linux VMs, etc. for self-testing that preclude the risks and liabilities of hiring a third party pen testing business? Thanks. So I work for a company that makes a DAST. So I recommend you buy ours, all the time and twice on Sunday. There are lots of open source tools that are good. Vandana and I are both part of OWASP, so we both like the OWASP toolset, and one of their tools is called ZAP, and it does dynamic analysis. But when you say open source tools and then you list Kali Linux, so Kali Linux has, like, how many tools are there in there?
Speaker 2: Like at least they keep updating. Yeah, they keep updating. And even you can have those custom tools as part of the Kali. So that’s really amazing.
Speaker 1: Yeah, but with Linux, some of those tools are pretty dangerous. So, you know, if you use a butter knife, you’re not going to accidentally cut yourself. But if you had a scalpel, it’s possible to accidentally cut yourself. So with tools like that, I’d like to note that if you cannot test prod, that would be ideal. So if you could test pre-prod or test in a sandbox or something else like that, then you don’t accidentally break things. When I started as a pen tester, I had very, very little training and they would just let me loose on crazy stuff. And I have destroyed sites before by accident with an open source tool that kind of got a bit out of hand. And so whenever possible, don’t test prod until you have more training and you feel more comfortable and confident that you’re not going to accidentally do something. What happened was, in both cases where I destroyed the database and the web servers, basically my scanner was fuzzing things, which means trying to do input validation and just throwing lots of stuff at the app to see what sticks. But it got into the admin module and then made like 10,000 users, deleted lots of users, and just took things down. I also accidentally found server-side request forgery and I didn’t know that, by sending that many commands, I was actually taking apart the directory structure on the web server, and eventually bad things happened. And so ideally, especially if you’re a beginner, either get a tool that is safe where you can’t make a mess, like the professional DAST tools. They have a whole team behind them to make sure they’re safe. Right. And if you’re going to use open source tools, then just don’t test prod until you’re confident. Like I know a professional pen tester can do that and they can use whatever toolset because they’re super experts.
But until you’re in that spot and confident, just test in a sandbox or pre-prod or some other area. You can find tons of things wrong and give major value to your organization. Is there anything you wanted to add, Vandana, because she has way more pen testing experience than I did? I did it for like a year and a half and then I moved into AppSec because I got lonely in data centers.
Speaker 2: I would just add that when we talk about testing and especially about these automated tools, sorry, DAST tools, the one interesting aspect is that if I pick up Linux for testing, I would use multiple tools, not just a single tool, because they all have some things to scan but not everything. If I pick up Nmap, I want to do something, and if I pick up certain other tools, I would be checking one other thing. But if I have to check it holistically, I would go for a tool which can give me a big picture. And that’s why we were talking about the proper professional tools to perform the test, which can be part of your CD pipeline, where you might want to fail the build. You might not want to fail the build, but still get the bugs out of it. So it’s important to have a tool which has custom scripts in it, and you can add your custom scripts as part of that, because you can write your own Python script, but then you keep scanning each and every vulnerability. If you start doing that, then you’re building your own tool. Let’s put it this way. But ZAP is already doing it for you, and many of them are already doing it for you. So why do you want to build the castle again and spend time on that?
Speaker 1: Yeah, I agree. It’s a slippery slope when you’re a developer, though, Vandana. Like I wanted to build everything. When I was a dev, I was like, I don’t need to buy that. I’ll just make it for us. And it took me a long time to realize that the maintenance of the tool is way more expensive than first creating it, especially if you do it off the side of your desk and don’t do a good job of documentation, etc. But yeah, I’m going to try not to dive down that rabbit hole.
Speaker 2: We have. So I have done that. Yeah. Yeah. I have done those mess-ups where I created a script for SQL injection and cross-site scripting, which had more than 2500 vectors. Instead, I couldn’t detect the SQL injection down there. So you never know. Sometimes you need that help.
Speaker 1: Yes. I always need their help. So we have a question. We have one more question in the Q&A and then like 11 in the chat. So just to give everyone a time check, we have around 17 minutes left. So Alex has a great question. Is a SAST scan and a DAST scan redundant? So, for example, if I find an SQL injection vulnerability with my SAST tool, but I can’t reproduce that with my dynamic testing tool, is that still legitimately a vulnerability? Do you want to answer or do you want me to answer?
Speaker 2: I will start off. I would say it’s still a legitimate vulnerability. A lot of times what happens is that SQL injection cannot be replicated. A lot of times I had to down delay to check if it’s working or not. Not every time you’ll figure out that, yes, there is that. But think of a code review situation: when you don’t have the right input validation, it will detect. And another interesting aspect is that I know there’s a source to sink, but a lot of times I just miss out on a certain area where input validation should happen there, but I thought it should be there. So those input vectors are joined and there are certain hidden input fields which are there as part of the code which is shown, and we miss out on them. So it’s important to consider those things as well. It could be a false positive, but then a lot of times it’s actually detected as right. So you have to have a proper validation check, and not just saying that I am whitelisting certain or blacklisting certain characters, but whitelisting and having those parameterized queries so that I’m avoiding the SQL injection or injection person, not just SQL but injection in general.
Speaker 1: Yeah, I’ve seen this before where they’re like, well, the dynamic scanner didn’t find it, so it’s not real. So I don’t mean to break all the hearts of every dev in all of the software development shops, but there’s no product that’s perfect. There’s no automated tool that will find 100% of the things that are potentially wrong with your app. If there was, me and Vandana would be so rich. Well, I don’t know. I’d still want us to hang out all the time, but maybe we wouldn’t do webinars. We’d just hang out. But the point is, no tool can find everything. So just because one tool finds it and the other tool doesn’t, that doesn’t necessarily mean that it’s not a real vulnerability. The best way is to go and validate it for yourself. So for instance, with a dynamic scanner, so ours, like the Bright dynamic scanner, it has built-in validations. So let’s say we find cross-site scripting with a certain test. We’ll have a separate second test to validate that it’s actually cross-site scripting, or let’s say we find some credentials, we’ll go try them and see if we get in or not, right, whatever the thing is. And it’s the same with any dynamic testing tool. Not that it has a double check, but you need to validate these results. Same with SAST tools, so it tells you we think there’s SQL injection here. So then look at it. Does it look bad? Hopefully you’ve taken some secure coding courses, and if you haven’t, so, promotion time: We Hack Purple Community is free and there’s a secure coding course in there for free, and I’ll put the address in the chat. But if you’ve never taken secure coding, it’s on demand, it’s free. So that’s a pretty good deal. We don’t sell you anything in the community, so you can join We Hack Purple, meet lots of awesome humans like Vandana and I in there, and learn about this for free. But so when you take that course or any secure coding course, they’ll tell you about input validation.
And like Vandana said, you want to use a list of approved stuff. So some people call it a whitelist. I like to call it an approved list. Like this is the thumbs up stuff. So let’s say it’s a username. So let’s say it’s allowed numbers zero through nine, it’s allowed letters A through Z, uppercase and lowercase, and maybe that’s all you’re willing to allow. And so then anything that’s not in there, it’s like, fail. And then that could avoid attacks for you. And so you look at the code and you’re like, is there some input validation here? Are they calling a stored procedure or are they just making inline SQL and sending direct commands to the database, which is, by the way, two thumbs down. Don’t do that, please. And so when you look at it and you see the code, you’re like, Oh, yeah, there is a problem there, and then you can fix it. Or you look at the code and you’re like, it seems perfect. You try doing that, Target suggested it seems perfect, and then maybe it’s a false positive. And that does take time. Which is why all the tools try to minimize the false positives that they give. But yeah, I don’t know. I feel like I got off topic after a certain point. Sorry.
Speaker 2: No, no. I think this is important. This is important to talk about. And that’s what we are here for, not to just have a scripted talk, but talk about the actual issues which are there.
Speaker 1: Yeah. So there is a question from Jim a little while ago, and he’s asking about Unix shell scripts and if there’s a SAST tool that covers those. He said there’s a website called shellcheck.net and it’s a linter and it can help you see if there are issues. But is there a specific tool that’s for Unix shell scripts? Because I don’t know of one personally. I’ve never been asked to check the security of a Unix shell script, because whenever I wrote one, that was long before I worked in security. I just did Unix only for the first couple of years of my career and then I moved into the government and they are like Windows programming, yay, Windows Forms apps and yay .NET web apps. And so it’s been a long time since I’ve done much C shell.
Speaker 2: I think I also would pass this question because even I don’t know of anything. But, Jim, what we can do is we can actually go back and check and probably would share the information later. Maybe we can create a thread on Twitter where we can have this information. Probably at least not that I remember of any at the moment.
Speaker 1: Yeah, because just because we don’t know the answer doesn’t mean that. Because we outsell both of us have different followers on social media. And I have to say, my followers are brilliant. They’re really smart. Whenever I don’t know the answer, one of them knows the answer, and I turn to them for help quite a lot. And so if you tweet at Vandana and I and ask your question again, we can ask all of our followers, and I bet a bunch of them have suggestions. So I like that if I don’t know the answer, to try to help people find the answer. And also then I get to learn something new. And that’s cool.
Speaker 2: Yeah, absolutely. I think that’s the power of the community.
Speaker 1: Yes, exactly. So we have another question, or we have a comment or question, I’m not sure, from Scott. So DAST, IAST and RASP. So DAST is dynamic application security testing. IAST is interactive application security testing, and that’s basically a binary that goes up inside your application, and to set it up, it’s called instrumentation. And what it does is it tests your application as you use it. So only the code paths that actually get executed get tested, and it works in real time, reporting bugs to you as it finds them. And then RASP, runtime application security protection, is similar in that it is a binary put inside your application, but then it stops attacks in real time. It looks at that input and where it’s supposed to go and it’s like, Oh no, no, no, no, let’s just timeout, timeout, let’s stop. So those things can be difficult to cover all code paths within a deployed application without a full set of tests that articulate every single path. And then the rest of their comment is about something else. And I agree with you that it can be hard to test every code path with those tools. But when you look at an app, there are many, many different ways that the code could go, but it never does because no one calls those things, like when you write a global exception handler. So that’s the thing. So usually when you try to do something, you say try and then you do a whole bunch of things. And then if it fails or there’s an error, you catch the error. So it’s like, try all this stuff. If it doesn’t work, catch it and give an error message. But if all of those things fail and there’s a system error within your application, the global exception handler will catch it and be like, Yeah, let’s not crash, let’s do this. We never want that to be called ever. But we still write it just in case. It’s in case of emergency break glass, do this.
But you might notice when you walk around buildings, all of those in case of emergency break glass, most of them the glass is not broken. And that’s because emergencies aren’t happening that often, which is great. So testing every single area of code, unless you need your app to be perfect, I don’t think you necessarily need that. What do you think, Vandana? This is my opinion. Most apps don’t need to be perfect. They just need to be pretty darn good.
Speaker 2: I would totally agree with you. And the people who are writing it, if they have an understanding of security, trust me, it is going to be totally amazing. And that’s why people talk about a Security Champions Program: your code does not need to be perfect. But if someone who has an understanding of it is writing it, actually it automatically goes next to perfect, if not perfect. Nothing is 100% perfect. Let’s put it this way.
Speaker 1: Yes. And also, so this is the thing that I’ve been working on with a lot of clients that I consult with from time to time. They’ll be like, well, we need to find 100% of the vulnerabilities. We can’t have a tool that might miss one. But then I look at what they’ve got going on and I’m like, You have like 700 articles in prod right now, and you’re like, This tool didn’t find this one low. You’re not fixing any lows, you’re not even fixing the mediums, you mostly ignore highs. I don’t think you need a tool that finds every single possible low, because you’re never going to fix those. And instead of spending energy buying your 12th tech scanner, what if instead we spent that money on a new engineer and all they do is fix those security bugs? And so sometimes, even though I work for a vendor, this might sound weird, I have to talk them off the ledge, like, No, don’t spend another $150,000 on a second DAST or, you know, hire like 25 more pen testers; hire someone that’s going to fix these bugs, because you have thousands and thousands and thousands of really big, scary web app bugs in production right now. And if we could fix a bunch of those, we would have better security. Or another thing I talk to a lot of them about is that it’s impossible to push a fix. Oh my gosh, it’s like five weeks of fighting. I’m in meetings, like rah rah, rah rah, I want to update this app, and I feel like I’m battling. And if we made it easier to release a fix and we could automate some of those tests and approvals, then we could actually fix a ton of these security bugs way faster. But there’s no point in us buying five more tools or hiring more engineers if you’ve made a process where it’s impossible to release new secure code. And that’s not the answer everyone’s hoping to hear. Vandana, have you had this experience where you have to talk people off a ledge?
Speaker 2: Absolutely. A lot of times I think they need to understand that there are certain ways that we work and we have to be very sure that this is how it’s going to be working. So you have to tell them, okay, this can be done, this cannot be done. And they need to be very clear about it. Now, I have to tell you something, that there’s someone who is talking about Alice and Bob Learn Application Security. So let’s talk about that.
Speaker 1: So I wrote a book called Alice and Bob Learn Application Security, and it’s an introductory book. Anyone in IT could read it. And even if you’re not in IT, you could read more than half of it and understand. Like my grandma read a couple of chapters, not all the chapters, but the less technical chapters. And she’s like, Oh, this makes so much sense. And so someone was saying it would be awesome to see a book about learning secure coding. So I just started writing my second book, Alice and Bob Learn Secure Coding, but it’s not going to come out until not this Christmas, but next Christmas, because it takes a really long time to write a book. But I’m writing chapter two now, which is exciting, and I think there are 14 chapters, so I still have a long way to go. But yeah, I’m really excited about that. And thank you, Vandana, for sharing a link to my book in the chat. Thank you. So we have 4 minutes left and I’m having a lot of fun, but I wish we didn’t have to end. So I have to create more excuses for Vandana to come back. Does anyone…
Speaker 2: Have any left?
Speaker 1: Actually, to finish, Vandana, is there anything you want to promote? Like is there a thing that you’re going to be at soon? I don’t know. Maybe in November in San Francisco that you might be at? I don’t know. Whatever thing you might want to promote.
Speaker 2: I would say I would love to promote OWASP AppSec, like San Francisco, which is happening in New York, like San Francisco. That’s what I do. So next month I’m going to be in New York, but in November I’m going to be in San Francisco. So I would love to meet all of you. And I’m sure, I’m hoping Tanya’s going to be there, so you can just come stop by and say hi and we’re going to be there, connect with you, talk about all things application security. So that’s one thing for sure. And another thing is that I do run a YouTube channel where I talk about OWASP, actually OWASP projects, which are all open source. I do connect with a lot of CISOs and entrepreneurs. I have even spoken with Tanya about how her journey has been with We Hack Purple. So I would love for you to see if that’s actually relevant and share feedback about that.
Speaker 1: Yes. So I think the key takeaway is that we should all follow Vandana on social media. We should subscribe to her YouTube channel. I’m subscribed and we should consider joining the OWASP community. Is that like a good takeaway?
Speaker 2: Yes, we love OWASP and we would love to have you learn more about application security, mobile security, API security, and the great resources and what other leaders have to share.
Speaker 1: Okay. And then I would like to invite everyone to join the We Hack Purple community. It’s free. There’s no upsell. We don’t sell anything in there. We invite you to events like this and we have our own We Hack Purple events. Some of them are in person, most of them are virtual. We have free courses about AppSec, secure coding, infrastructure as code, etc., and basically there are 6000 super nice people in there. I also want you to consider following Bright, so Bright Security has socials everywhere. They have a YouTube channel where I release lots of workshops that I build, and we also have a blog on our website. And then also please consider following me. If you look up SheHacksPurple anywhere, that’s me, except for shehackspurple.dev. That is a very, very nice impostor. They’re really nice though, so you can still follow them if you want. But with that, I think we’ve got to wrap up. Thank you so much for being on the show, Vandana. You’re so great.
Speaker 2: Thank you so much. It’s always, always a pleasure speaking with you. It’s a cherry on top. Thank you so much for inviting me.
Speaker 1: Oh, my pleasure.