
Great, thanks. Hi. So first I want to talk about cyber security, because attacks are happening constantly. I really like this map. I don't have the internet, I don't know why, so I can't really show you, but there is this website... oh, it's working, so maybe I do have internet. I love this map: it's a map of all the current attacks in the world, and you can see the countries, the types of attacks, the ranking of the most attacked countries, and why. Look, you can't really know why, but you can guess why, if there are events and so on. It helps you get a feeling of the cyber security situation at the moment, what's happening, what the current threats are. I especially used it for the Olympic Games in France, because I'm French, and I worked with companies who were really sensitive about cyber security, because we knew it could be a higher risk during the Olympics: every media in the world was looking at France, how it worked, whether there was an attack, and so on.

So, I'm Marine Jil. I come from a developer background; I'm now a technical leader in a team, a cyber security expert, and a member of the OWASP chapter France. I think it's really important to keep this connection with developers, to do security with them, during their time, during their coding. It's also really important to automate, especially in their environment, in the IDE, and we'll see how we can do this. And security is fun. It can be challenging, of course, but it's fun, and it can simplify users' lives, and that's our goal. For example, password managers: they help people, they don't need to remember lots of passwords; if there is a compromise, sometimes your password manager can tell you this password is not safe anymore; if there is a phishing attack and you arrive on a website with a small typo in the URL, you might not detect it, but the password manager will detect it. So there are many things that improve users' lives with a cyber security tool, and I think, like many of our tools, the tools we develop, sell and use in our daily lives, this is what we want them to do: simplify lives and improve cyber security.

So at Theodo we develop web applications and work for various companies, and we want to create secure code too. This is what I do with my team: help them develop more secure code for those clients. So first, let's talk about the fact that we ignore vulnerabilities. There are flaws, there are vulnerabilities in the web applications we use and develop, and they are often ignored. There was a study in 2020 that said 50% of web applications have a critical flaw. That study was done in the US, but I think it can also be applied in Europe. There are various studies: I saw a study in 2021 that said 30%, another one 50%, and another 25%. It really depends on who is conducting the study, but still, we have critical flaws in many applications, and here a critical flaw means access to personal information or code execution on the server.

So they are ignored. What does ignored mean? Sometimes we don't know they exist: we haven't done anything to look at the code, to look at the server, and we don't even know there is a flaw. It happens; some developers don't know about cyber security, it's a really vast world, so it's not easy. But I also saw teams where they know there is a vulnerability but they don't fix it. They ignore it; it's written somewhere in the backlog and that's all. There was a pentest, and the pentester said, okay, you have this flaw, it's really important, you have to fix it, but it's not fixed. It depends on the reason, we will see why, but they are ignored.

So what are the reasons? Why are these vulnerabilities ignored? Do you have any ideas, like in your teams? [Audience: money.] [Audience: project timelines.] Okay, yeah, project timelines. [Audience: accept the risk.] Accept the risk: it really depends, sometimes it's a good idea; most of the time the C-level is not the one accepting the risk, exactly. [Audience: optimism.] Optimism, yes; we talked about the bias before. Optimism, or pride in my own work ability: you ignore it. We saw it this morning; I don't know if you went to the camera talk, but sometimes you tell someone there is an issue, but they don't want to listen to you. Yeah, pride, obviously. So those are great reasons.

I categorized them in three categories. The first one: it's complex, we don't always know what to do. Take a really simple application: you have the front end, the back end, maybe some dependencies, a database. Already in this really simple application you can have vulnerabilities everywhere, and so it's really hard to track all of them. In dependencies alone you have 50 new CVEs per day. CVE means Common Vulnerabilities and Exposures: it's the vulnerabilities that can impact many people, and those vulnerabilities can be in a dependency you use, on a computer, on the server, they can be everywhere. So it's really hard to get all those vulnerabilities. Sometimes developers don't know about the risks or the best practices, so it doesn't help them fix it.

There is also responsibility and ownership: the lack of ownership in the team. I really like this sentence and I always tell it to my teams: where everyone is responsible, no one is really responsible. Because when the pentesters give you the report and say, okay, you have five vulnerabilities, there is one you need to fix this week and maybe two in the next month, then maybe the project owner will say okay, we'll fix it, or someone in the team says we'll fix it, but then no one takes the ownership. I think you've all been to meetings where we talk about an issue and at the end we say okay, we'll do something, and then nothing happens, and the next week, the next month, maybe the next year you'll talk about the same thing and nothing will have changed. So it's really important to have someone take the ownership. It shouldn't have to be the biggest cyber security expert all the time, because it can be just someone who wants to learn about cyber security, or someone who feels responsible for the project and will ask other people, ask the cyber security team, ask the architect of the project to find the best way to fix it. Or it can also be the project people, the business people; they can be the owners, but they need to follow up and ask people to fix it.

So yeah, we also talked about prioritization and delivery pressure: these are things that put this fix at the end of the roadmap, and it never gets fixed, and this is why we need someone to talk about it all the time and feel the ownership of the vulnerability. And the last thing is the impact: it's not immediate, you don't know when it will happen. When, not if. I hear a lot "if it happens", "if someone attacks us". No, it's when, because there are attackers, there are hackers that have automation. They automate; they have bots scanning the web, scanning all the apps, and they improve their bots, they improve their tools. One day your application, if you don't fix it, will be the one that pops something onto their screen, and they will try to attack you. So it's really important to think: it's not if, it's when. Tell this to your teams: it's not if, it's when.

If we look at the vulnerability, maybe we find only a bug. In fact, a vulnerability is a bug: it's a defect, it's a mistake in our computer program. So we can just take it into the flow like a bug, and we can accept the risk, for example, just as with a bug. Sometimes you have a design bug and you say, okay, it doesn't matter, we don't need it. Sometimes you have a vulnerability and you think it won't have a great impact, and you can say, okay, maybe it will have an impact like defacing our website, and our website is not critical, so it's okay, we don't need it. But we need to think about it. There are still differences from bugs: your users won't tell you, they won't call you to say there is an issue with security in your application. Sometimes an ethical hacker will do it; you might have to pay, but it can be a great thing to have this. But most of the time it won't be an ethical hacker; it will be after they stole something, or after they got your data. So you should detect it before they do. It's also really hard to measure the impact, and it might be complex to fix.

Let's take a real example, for example the Top 10. OWASP is the Open Worldwide Application Security Project; I think many of you know it, it's a really well-known project, and they give this Top 10 of the most impactful flaws on websites. In 2021, the last Top 10, they said it's broken access control. So if I look at one of my applications and I want to check broken access control, it's really hard, because in my application maybe I have 300 endpoints, so I don't know what to do. Maybe I don't know all the business rules, so what to do with that?

So we must automate. If you feel safe about your security without automation, then you're just in a fire without any fire alarm, because you don't know what's happening around you. There are great tools that exist on the internet; I have a small example, but there are many others. So, Semgrep: I really like this tool and I use it with my team. You can try it: you just create an account and then launch it on one of your code bases. I've done it with Juice Shop. Juice Shop is a project from OWASP; it's a vulnerable application with many vulnerabilities. So if I launch it, I can see many issues and I can see what the issues are. For example, I can check... I don't know if my internet works. No, not really, so I'm sorry about that. I'm just going to unskip the slides, because I've prepared something just in case. So it can find classic vulnerabilities; of course, it's a vulnerable application. For example, here we have an SQL injection, and it can show the code, the exact line, and some cheat sheets and useful documentation on OWASP or on other websites, documentation to help correct the vulnerability and understand what happens. Okay, so yeah, that's what I showed you. So it's better: we now know we have some vulnerabilities. But there are still false positives, and the business flows: the broken access control is not detected, we don't know if a user can do this action or not. So it's better, but still we can make progress.

So I want to present a tool which is QRQC, and how we can learn from our flaws to avoid repeating them. QRQC comes from the lean methodology; it's from Toyota and the Toyota industries, and the goal of this tool is to understand the vulnerability or the bug and find the best countermeasures for this bug. To do it, we need to go to the real place where the flaw happened, where the vulnerability was: it could be the environment, the server, it could be the computer of the developer who wrote the vulnerability. We then want to see the defect, the real thing, not the best code: we want the team to show which line, where the vulnerability was introduced. It could be the code, it could be the configuration, anything, but we need to see what introduced the bug. And then real data, like the number of defects in the code, whether it was exploited, see the logs, everything. We'll see an example after.

So QRQC, what does it mean? Quick Response Quality Control. We have a few steps: we detect the problem; we identify what it is, for example a vulnerability in our application, in the code; we characterize it; we secure it. Of course, the first thing we should do is at least mitigate the flaw, do a quick fix. Then we analyze the root causes, implement the long-term fix, and capitalize: we found a vulnerability, we secured it, now we need to teach the other teams and tell the story to the teams so they don't reproduce it. It works for companies in the industrial world. For example, Safran, which is a French company in aviation, introduced QRQC in 2011 and improved their delivery time by 15% annually and improved their product quality by 10%. Another company reached zero defects on some of their sites after a few years of using QRQC.

To do this QRQC, we need to study the system state and find the flaws with all the aspects of the application, because as cyber security experts we might not know all the code, and even some developers don't know all the code. So we need people who know the part of the code where the flaw was written; we need the cyber security knowledge to know the impact and how to correct it; and we need the business knowledge, to know that we are not adding a regression, or that we are really fixing a vulnerability and not something that was designed by the company because they want, I don't know, maybe everyone to have access to this page, or any business knowledge we need. So for QRQC we have this template at my company that we use; there are other templates on the internet, for example, but it's there to help think about the defect. And we think about two analyses, two root cause analyses: why it was introduced, why it was written, how the developer added this code; and why it wasn't detected, because if we write vulnerable code, it's okay if we detect it before production; if we detect it in the tests, for example, then we're safe. So those are two things we need to think about.

So let's see an example. I'll zoom in on the different sections. First, the defect: we describe it from the user's point of view. So here, for example, on an application I saw, we had this vulnerability where the function to modify an account was accessible by everyone: we didn't even need to be authenticated to modify an account. So now we look at the code, the real place where the vulnerability is happening. Here, for example, it's Java code. We don't really care if we know this code or not, but what's important is that there should have been an access control annotation, and it's not there, and we can see that the function, the updateUser function, is accessible to everyone. So we can write the defect description here: there is a missing annotation. Okay, so then why? Why is there a missing annotation; in fact, what happened? We talked to the developer who introduced the flaw. What happened: they copied and pasted the account creation function, and obviously for account creation, because everyone can create an account on this website, there is no access control, and so they didn't think about it.

What we could do as a countermeasure is to add an explicit annotation to every endpoint; then we will think about it. So this is what the technical leader of the team did: they went through every endpoint and added this @PreAuthorize("permitAll"), which means that next time, when someone copies and pastes a function to create an endpoint, maybe the one reading the code will see @PreAuthorize("permitAll") and will think about the access control, or the one who copies and pastes the code will think about it. It's a little warning to help developers write better code. There is also the fact that the project owner in this case didn't specify the needed permissions for this route, for this endpoint. For example, we don't know: can I update my own account, or can only an admin update an account? Are there some business rules on the account, like can I update my email, can I update my phone number, and so on? So this is also a great tool to share with the team what happened, and to train, for example, the business people, to train them in cyber security and help them understand the basics of cyber security.

Then we analyze what could have prevented the defect from being deployed in production. For example, in our case, the developer, Mary, didn't write a test, so now she added a test for an unauthenticated user. It's a better practice to add this test. Okay, that's great for this case, but it doesn't prevent a new developer from introducing the same flaw next time. We also thought about how we could control all the endpoints and make sure that the access control is checked, for example in the CI, the automated flow after the code is written and before it's merged into production. So the technical leader added a generic test to verify that there is always a @PreAuthorize annotation on controllers. Now if someone writes an endpoint without a @PreAuthorize, it will fail. So this is the test that was added by the technical leader, and it only verifies that there is this @PreAuthorize annotation. I talked to the team: this test has failed three times since it was added, so we prevented three different flaws from being introduced in prod. In fact, of the three times, one of them was a public route, public access, so it was okay, but two times we prevented developers from writing code that would have led to broken access control in production. And it's a really basic protection.

So, okay, we saw an example, and we do that on all the flaws in our application to try to prevent the flaws we encounter from happening again. On one of the projects I saw, there were 400 endpoints on a single API, so I couldn't go through them, obviously, and so we checked that there was this @PreAuthorize everywhere. But it's not enough to check that there is no broken access control: for example, someone could have written permitAll and then it's accessible to everyone. But the business people who have the knowledge about who should have access to which function, which button, which action, can't go through the code and check everything. So with this tool we have a list with every endpoint and the associated @PreAuthorize, and we go through this with the business people. The endpoints, most of the time, are easy to read, or at least with a tech person and a business person we can understand them, and we can see if the @PreAuthorize is the right one. For example, should a user search all clients? Maybe yes, maybe we are on a social media and everyone should search all clients; but maybe not, maybe we're on another app and we shouldn't search all the clients. So it's a great tool to ask the business about the access control and to check together. This tool is open source; it's for Spring applications, and it goes through the code from the pom.xml file, and it can help find if there is the right annotation on the controller. We check if we have the @PreAuthorize annotation; there are two other ways to secure the controllers, and they are also in the tool. I didn't put them here because it was the same example, but it's a great way to check the controllers, and if you have dev teams, or if you are in dev teams, you can try this tool and check if the access controls are the right ones. And for endpoints without authentication, we write it explicitly in the team, so it's clear it should be that way.

And it's not the only framework, obviously; it's not the only framework with issues in access control. There are many frameworks used by all developers, and the flaws depend on the framework. For example, with API Platform and with Symfony, when you write a new resource and you expose it, all the CRUD, all the actions available on this resource, are directly available publicly, and if the developers don't put an access control, by default they are accessible. So in my company we also work a lot with API Platform, so we also created a tool that checks the access control on that kind of application. We also created some tools for other languages that we use at Theodo, but maybe if you don't use those languages, there are tools that exist, and you can try them on your teams' applications.

We have also worked on other categories, because unfortunately we don't have only the broken access control flaw in our apps. So for example with XSS, I don't know if some of you went to the previous talk, but we talked about dangerouslySetInnerHTML, which is the bypass for encoding in the front-end languages like React or Vue, and it can lead to XSS, obviously. So we added this tool, and now we have a linter rule for all the developers to avoid making this mistake and bypassing the rule. So it's really useful for that kind of project. There are many other well-known and really useful tools, so I've created an awesome-security-automation repository on GitHub. It's still in progress; there are new tools every day, so if you know tools and you want to contribute to this project and share your tools, I'll be really happy about it. You can also check the tools and then use them in your projects.

So, takeaways. First takeaway: we must automate, and there are already great solutions, sometimes free, sometimes not free, but there are free solutions on the internet; check them and use them in your project. Second takeaway: to find the flaws we need every actor working on the project; we need to be together from time to time and think about what it means to be secure, and think about the application, what are the best ways to avoid security flaws. And when we have flaws, we must analyze them, analyze the root causes, to avoid them being there again after we fixed them. Many times I've seen the same flaw appear on a project because nothing changed after the first flaw was fixed. So it's really important to think about how we can avoid the same flaw appearing again on the project. Thank you very much for your attention. Please give me your feedback about this presentation; you can also give me your tools, what you use, and what are the best flaws you fixed with long-term fixes. My colleague was talking about it before, but there is also a newsletter we write; it's in French, so if there are French-speaking people, you can check it, and also if we have many English-speaking people interested we might translate it. We are writing a book that will come out in fall 2024, and if you want to get my slides you can go there and have all the information. And I can take some questions. Thank you.

Q: How would your solutions for automating code effectively stand up against something like 45 360 45 in general, like somebody using that as part of their secure development life cycle? Why would we use something like 50 us, something like that?

A: So, I don't know if it's the best solution; there might be a better solution, obviously. It really depends on the teams and on the language they use, on what kind of defects they have most of the time. So I don't know; maybe there is a better solution, and I haven't used all the solutions that exist, and there are many, many solutions now on the web and elsewhere.

Q: This is not really a question, more something you might have thought about. A lot of coding is done in text editors like VS Code, and right now there are a lot of AI tools that are helping coders. So maybe you could consider building an AI tool that can be installed alongside editors, such that when the developers are writing code and they write a line of code that's going to introduce a vulnerability in the whole project, the tool will be like, oops, you have just written a line of code that causes a vulnerability, and this is the suggested way to fix it, a better way, another automation.

A: Yeah, it's a great thing. There is for example GitHub Copilot, which helps write code, but not always secure code; but you can overwrite the instructions you give to this tool and then you can ask for better code, secure code. So it can be a great thing. We also added an extension to VS Code to recommend standards, for example OWASP standards and documentation, when it's linked to what the developer is writing. So yeah, but I think it could still be improved. So yeah, it's a great thing; I need to find it again (Jinx, maybe), let me check. And yeah, another question? Oh yeah, interesting.

Q: [inaudible]

A: It's a great question. So, all the teams don't use the same tool, so we can't really use Semgrep with all our applications, so we don't really have a centralized platform for the moment, and it could be great, for example. But for the moment, in the project I'm working on, we're using SonarQube, and we have a centralized platform, but it's just for maybe 20 teams, so just part of the company. For the moment I don't have the solution to have all those tools in the same place, I'm afraid. That's the last one. Thank you very much.
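The two automated checks described in the talk (the generic CI test that fails when a controller endpoint has no @PreAuthorize, and the endpoint inventory with its associated authorization expression that is reviewed with business people), as an added example that is not the speaker's open-source tool and not Theodo's code. It is a stand-alone Python scanner over Spring MVC controller source; the Java is parsed with regular expressions rather than a real parser, one annotation per line is assumed, and only the @GetMapping/@PostMapping/... forms and plain @RequestMapping("/path") are handled. The sample controller, the developer's copy-paste mistake in it, and the "isAuthenticated()" placeholder rule in the fixed version are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

MAPPING_RE = re.compile(
    r'@(?P<kind>Get|Post|Put|Delete|Patch|Request)Mapping'
    r'(?:\s*\(\s*(?:value\s*=\s*|path\s*=\s*)?"(?P<path>[^"]*)"[^)]*\))?'
)
PREAUTH_RE = re.compile(r'@PreAuthorize\s*\(\s*"(?P<expr>[^"]*)"\s*\)')
CLASS_RE = re.compile(r'\b(?:class|interface)\s+(?P<name>\w+)')
METHOD_RE = re.compile(r'(?P<name>\w+)\s*\(')


@dataclass
class Endpoint:
    controller: str
    method: str
    http: str                      # GET, POST, ... or ANY for a bare @RequestMapping
    path: str
    authorization: Optional[str]   # @PreAuthorize expression, None when missing

    @property
    def status(self) -> str:
        if self.authorization is None:
            return "MISSING"
        if self.authorization.replace(" ", "").rstrip("()").lower() == "permitall":
            return "PUBLIC (review with business)"   # explicit, but worth a second look
        return "OK"


def _parse_annotations(lines: List[str]):
    """Return (mapped, http, path, preauthorize_expr) for a run of annotation lines."""
    mapped, http, path, expr = False, "ANY", "", None
    for line in lines:
        m = MAPPING_RE.search(line)
        if m:
            mapped = True
            http = "ANY" if m.group("kind") == "Request" else m.group("kind").upper()
            path = m.group("path") or ""
        a = PREAUTH_RE.search(line)
        if a:
            expr = a.group("expr")
    return mapped, http, path, expr


def scan_controller_source(source: str) -> List[Endpoint]:
    """Collect every mapped endpoint of one Java source file with its authorization."""
    endpoints: List[Endpoint] = []
    controller, class_prefix, class_auth = "<unknown>", "", None
    pending: List[str] = []        # annotation lines waiting for their declaration
    for raw in source.splitlines():
        line = raw.strip()
        if not line or line.startswith(("//", "/*", "*")):
            continue
        if line.startswith("@"):
            pending.append(line)
            continue
        cls = CLASS_RE.search(line)
        if cls:
            # A class-level @RequestMapping prefixes every path; a class-level
            # @PreAuthorize is inherited by methods that do not override it.
            controller = cls.group("name")
            _, _, class_prefix, class_auth = _parse_annotations(pending)
            pending = []
            continue
        mapped, http, path, expr = _parse_annotations(pending)
        pending = []
        if not mapped:             # ordinary statement or closing brace
            continue
        m = METHOD_RE.search(line)
        endpoints.append(Endpoint(controller, m.group("name") if m else "<anonymous>",
                                  http, class_prefix + path,
                                  expr if expr is not None else class_auth))
    return endpoints


def missing_authorization(endpoints: List[Endpoint]) -> List[Endpoint]:
    return [e for e in endpoints if e.authorization is None]


def ci_check(source: str) -> bool:
    """The generic test: passes only if every endpoint carries an explicit @PreAuthorize."""
    return not missing_authorization(scan_controller_source(source))


def inventory(endpoints: List[Endpoint]) -> List[str]:
    """Rows for the review session with business people: who may call what."""
    return [f"{e.http:<6} {e.path:<14} {e.controller}.{e.method:<12} "
            f"{e.authorization or '-':<18} {e.status}" for e in endpoints]


# Constructed sample mirroring the talk's case: updateUser was copy-pasted from
# createUser (a public endpoint) and never got its own access-control annotation.
SAMPLE_CONTROLLER_SOURCE = '''
@RestController
@RequestMapping("/users")
public class UserController {
    @PostMapping
    @PreAuthorize("permitAll")
    public User createUser(@RequestBody User body) { return service.create(body); }

    @PutMapping("/{id}")
    public User updateUser(@PathVariable Long id, @RequestBody User body) { return service.update(id, body); }

    @DeleteMapping("/{id}")
    @PreAuthorize("hasRole('ADMIN')")
    public void deleteUser(@PathVariable Long id) { service.delete(id); }

    @GetMapping("/search")
    @PreAuthorize("isAuthenticated()")
    public List<User> searchUsers(@RequestParam String q) { return service.search(q); }
}

@RestController
@PreAuthorize("permitAll")
public class StatusController {
    @GetMapping("/status")
    public String status() { return "ok"; }
}
'''

# The explicit-annotation countermeasure applied to the copied endpoint;
# "isAuthenticated()" is a placeholder until the product owner says who may update which account.
FIXED_CONTROLLER_SOURCE = SAMPLE_CONTROLLER_SOURCE.replace(
    '@PutMapping("/{id}")', '@PutMapping("/{id}")\n    @PreAuthorize("isAuthenticated()")')

if __name__ == "__main__":
    eps = scan_controller_source(SAMPLE_CONTROLLER_SOURCE)
    print("\n".join(inventory(eps)))
    print("CI check on sample:", ci_check(SAMPLE_CONTROLLER_SOURCE))
    print("CI check on fixed :", ci_check(FIXED_CONTROLLER_SOURCE))
```

Run as a script it prints the inventory table, in which `PUT /users/{id}` shows up as MISSING and both permitAll endpoints are flagged for business review; `ci_check` is the function to wire into the pipeline, and it only turns green once every endpoint states its rule explicitly, which is exactly the "little warning" the talk describes.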