
Improve the identification of vulnerabilities in your project with just few commands

BSides SATX · 2021 · 52:06 · 34 views · Published 2021-06
Category: Technical
Style: Demo
About this talk
Practical walkthrough of using SAST (static application security testing) tools to identify vulnerabilities during the development process. The talk demonstrates how developers can scan source code, bytecode, and binaries across multiple languages (Java, Python, C#, Kotlin, Go, JavaScript, and others), detect security flaws and key leaks, and integrate vulnerability scanning into CI/CD pipelines via CLI, VS Code, Docker, and GitHub Actions.
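The pipeline integration the talk demonstrates relies on one behaviour: the scanner returns a non-zero exit status when it finds vulnerabilities, and the CI job breaks on it. The script below, an added example that is neither the speaker's nor the Horusec project's own code, shows the same gate applied one step later, to the scanner's JSON report, so that a team can decide per severity what breaks the build and can accept a reviewed false positive by its finding hash instead of silencing the whole scan. It assumes a report layout as I recall Horusec's `-o json` output (a top-level `analysisVulnerabilities` list whose items carry a nested `vulnerabilities` object with `severity`, `file`, `line`, `details`, `securityTool` and `vulnHash`); those field names and the `fail_on`/`accepted_hashes` parameters are assumptions of this example, and the sample report is constructed, not real scanner output.

```python
"""Gate a CI job on a Horusec-style JSON report (added example).

Assumed report shape (check it against what your scanner version emits):
a top-level "analysisVulnerabilities" list whose items hold a nested
"vulnerabilities" object with "severity", "file", "line", "details",
"securityTool" and "vulnHash".  Severity names follow the glossary used
in the talk: CRITICAL, HIGH, MEDIUM, LOW, INFO, UNKNOWN.
"""
import json
import sys

# Ordered so that a threshold can be compared numerically.
SEVERITY_RANK = {"INFO": 0, "UNKNOWN": 1, "LOW": 2, "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}

# Constructed sample report (not real output).  It mirrors the kinds of
# findings shown in the talk: java.util.Random (CWE-330), a weak crypto
# primitive in Go, and OS commands executed through a spawned shell in Node.
SAMPLE_REPORT = json.dumps({
    "analysisVulnerabilities": [
        {"vulnerabilities": {"severity": "HIGH", "file": "java/src/App.java", "line": "2",
                             "details": "The app uses an insecure random number generator (CWE-330)",
                             "securityTool": "HorusecEngine", "vulnHash": "hash-java-random-0001"}},
        {"vulnerabilities": {"severity": "MEDIUM", "file": "golang/api/crypto.go", "line": "23",
                             "details": "Use of weak cryptographic primitive",
                             "securityTool": "GoSec", "vulnHash": "hash-go-weakcrypto-0002"}},
        {"vulnerabilities": {"severity": "HIGH", "file": "node/app.js", "line": "14",
                             "details": "OS command injection is more likely when a shell is spawned",
                             "securityTool": "HorusecEngine", "vulnHash": "hash-node-shell-0003"}},
        {"vulnerabilities": {"severity": "INFO", "file": "php/index.php", "line": "1",
                             "details": "Informational note", "securityTool": "Semgrep",
                             "vulnHash": "hash-php-info-0004"}},
    ]
})


def load_findings(report_text):
    """Flatten the (assumed) nested report into plain finding dicts."""
    data = json.loads(report_text)
    findings = []
    for item in data.get("analysisVulnerabilities") or []:
        vuln = item.get("vulnerabilities", item)  # tolerate an already-flat item
        findings.append({
            "severity": str(vuln.get("severity", "UNKNOWN")).upper(),
            "file": vuln.get("file", "?"),
            "line": vuln.get("line", "?"),
            "details": vuln.get("details", ""),
            "tool": vuln.get("securityTool", "?"),
            "vulnHash": vuln.get("vulnHash", ""),
        })
    return findings


def evaluate(report_text, fail_on="HIGH", accepted_hashes=()):
    """Return (exit_code, summary).

    exit_code is 1 when any finding at or above `fail_on` is not in
    `accepted_hashes`, otherwise 0; this reproduces the "break the
    pipeline" behaviour of the scanner's own error flag, but per severity.
    Accepted hashes are still counted and listed so they stay visible.
    """
    threshold = SEVERITY_RANK[fail_on.upper()]
    counts = {name: 0 for name in SEVERITY_RANK}
    blocking, accepted = [], []
    for finding in load_findings(report_text):
        sev = finding["severity"]
        counts[sev] = counts.get(sev, 0) + 1
        if finding["vulnHash"] in accepted_hashes:
            accepted.append(finding)
            continue
        if SEVERITY_RANK.get(sev, SEVERITY_RANK["UNKNOWN"]) >= threshold:
            blocking.append(finding)
    return (1 if blocking else 0), {"counts": counts, "blocking": blocking, "accepted": accepted}


def main(argv):
    """CLI: gate.py report.json [FAIL_ON] [accepted-hash ...]"""
    report_path = argv[1] if len(argv) > 1 else None
    fail_on = argv[2] if len(argv) > 2 else "HIGH"
    accepted = set(argv[3:])
    text = open(report_path, encoding="utf-8").read() if report_path else SAMPLE_REPORT
    code, summary = evaluate(text, fail_on, accepted)
    print("severity counts:", summary["counts"])
    for f in summary["blocking"]:
        print(f"BLOCKING {f['severity']:8} {f['file']}:{f['line']} [{f['tool']}] {f['details']}")
    for f in summary["accepted"]:
        print(f"accepted {f['severity']:8} {f['file']}:{f['line']} hash={f['vulnHash']}")
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to gate the constructed sample (exit status 1, two HIGH findings blocking); pass a real report path, a threshold such as `MEDIUM`, and the hashes of findings already reviewed and accepted to use it in a job. Keeping the accepted list in version control next to the workflow makes every suppressed finding reviewable, which is the property a hash-based allowlist has and a blanket "ignore this tool" does not.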
Title: Improve the identification of vulnerabilities in your project with just few commands
Presenters: Filipi Pires
Track: In The Weeds
Time: 1600
Virtual BSides San Antonio 2021, June 12th, San Antonio, Texas

Abstract: A walkthrough of identifying security holes during the development process, analyzing many languages and code, such as C, C#, Java, Kotlin, Python, Ruby, Golang, JavaScript, JSON… and searching for key leaks and security flaws in all files of your project, as well as in Git history. A practical demonstration of how a developer can use a SAST tool for static analysis of code vulnerabilities, executing it on source code, bytecode and/or binary, identifying security holes during the development process, analyzing many languages and code, such as C, C#, Java, Kotlin, Python, Ruby, Golang, JavaScript, JSON… and searching for key leaks and security flaws in all files of your project, as well as in Git history, in addition to receiving a managerial view of all this analysis information.

Speaker Bio: Filipi Pires. I've been working as Principal Security Engineer and Security Researcher at Zup Innovation, Global Research Manager at Hacker Security, and Staff of DEFCON Group São Paulo, Brazil. I have talked at security events in the US, Germany, Poland, Hungary, Czech Republic, Brazil and other countries, and served as a university professor in graduate and MBA courses at colleges such as FIAP, Mackenzie, UNIBTA and UNICIV; in addition, I'm Founder and Instructor of the course Malware Analysis - Fundamentals (HackerSec Company, online course).
Transcript [en]

Good afternoon, BSides San Antonio. I hope you guys are having a great event today. I am presenting Mr. Filipi Pires, and he is going to do a walkthrough of identifying security holes during the development process, as well as a practical demonstration of how a developer can use a SAST tool for static analysis of code vulnerabilities, executing it on source code, bytecode and binary, and identifying security holes during the development process. He will be analyzing many languages such as Java, Python, Ruby, Go and so on and so forth, and searching for key leaks and security flaws in all files of your project as well as your Git history. He's a very busy Principal Security Engineer

and Security Researcher at Zup Innovation, Global Research Manager at Hacker Security; he's staff at DEFCON Group in São Paulo, Brazil; he's talked at security events all over the world, and he is the founder and instructor of the course Malware Analysis Fundamentals (HackerSec company online course), so be sure to check that out. Also remember to hop on Discord right after to talk with our sponsors and community organizations. If you have any questions for Filipi, please go to the Track One "In the Weeds" breakout room. Filipi also wants to say hello to all of you guys, so have a great event.

Hi, thank you. Thank you for this presentation, thank you so much. My name is Filipi Pires again,

and I'm talking from Brazil now, here from my office. By the way, my office is on my balcony, as you can see behind me. It is night here in Brazil; it's six pm, not six pm, yeah, six pm, sorry. Yes, let's talk, at the end of this event, about secure development. So here is my home page. It's a very simple home page, just to see some information about me; here are my presentations again. It doesn't matter who I am, but the most important thing here is that I'm an advocate of the Hacking Is Not A Crime project. I think you

heard about that during this event. And I'm part of the DEFCON Groups here in São Paulo, all the staff teams; I support the DEFCON Groups and the Red Team Village too. So here you can see some open source projects that I have here at Zup Innovation, my company here in Brazil, and here are other presentations that I have been doing during this year and last year. We have them in English, in Spanish, in Portuguese; we have some talks here, and here we have some articles that I wrote in the fantastic magazine Hakin9, and in a forensics magazine, and in other places. So today we're going to talk about

a very interesting talk, which I like, by the way, about secure development, because this is a very important process when you build something, of course related to software, or when you have some code. Because at the end of the day you produce some code, you build some code, and you can compile it, turning this code into a binary, or you can create some apps for a mobile environment, or you can use it in a web application. But first you need to create this code, right? And

here it's important to understand the difference between what SAST and DAST are. So, just a few explanations about that. I picked up this information from the Synopsys site; I think it's a company responsible for producing some SAST or DAST product, I don't know exactly, but it's just a reference for you to see, because I think it's important to explain the difference. Here is the difference: SAST is a white-box security test. It's related to when you analyze the application before producing it, so actually the tester has access to the underlying framework, design and implementation.

The application is tested from the inside out. You don't publish the application yet. On the other hand, black-box security testing, in this case DAST: the application is tested from the outside. You need to publish the URL, and after that you can execute the test against the application; DAST means dynamic application security testing. Just to understand the difference. Another difference is related to the source code: SAST doesn't require a deployed application. On the other hand, DAST solutions require a running application, which means DAST doesn't require the source code or binary; it

analyzes by executing the application. It means you need to publish the application, you have the URL, and after that you can execute this test; in this case DAST. SAST is different: your analysis is on the source code. Here is another interesting difference: SAST finds vulnerabilities early in the SDLC, the software development life cycle. The scan can be executed as soon as code is deemed feature-complete. On the other hand, DAST finds vulnerabilities toward the end of the SDLC, the development life cycle,

when you talk about software development. So vulnerabilities can be discovered after the development cycle is completed. Another difference: it's less expensive to fix vulnerabilities in SAST mode, since the vulnerabilities are found early in the SDLC; it's easier and faster to remediate them, because, remember, you haven't published the application yet. It's more expensive to fix vulnerabilities in the case of DAST. Why? It's very simple: since vulnerabilities are found toward the end of the SDLC, it means after you publish your application, and you need to remediate this, it's very complicated, because if you see the attacker, or find some vulnerabilities, the fix

needs to be an emergency release; you need to create some emergency release. Another point is that SAST can't discover runtime and environment-related issues. Since the tool scans static code, it can't cover runtime vulnerabilities, because you analyze the code; in the other case you have already published the application. And at the end of this explanation, by the way: SAST typically supports all kinds of software, including web applications, as I mentioned, web services, thick clients and thin clients, while DAST typically scans only apps like web applications and web services, so it is not usable for other types of

software. These are just simple definitions, guys. Another point, now that you understand this explanation: SAST is static application security testing, and today I will explain more about the open source project Horusec, which is currently a SAST project that you can execute on your code, or in your environment, or on a binary, something like that. Again, DAST, as I mentioned, is dynamic application security testing; it's recommended to find the vulnerabilities that are externally visible, as I mentioned. And here we have another interesting one, IAST, interactive application security testing, where you mix both of them. So IAST is the

combination of the static and dynamic testing modules, and it has better results. Why? Because of course it's better, because you can test both of them, before and after the application is published. And here is the interesting point: IAST has an option to perform it together with a security analyst. Usually this guy is called the application security guy, because this guy can use this type of analysis. It is the best type of test in terms of the false positive rate, due to the human interaction; because of this you can reduce the false positives. But in my opinion, in Filipi's opinion, I

think if you need to choose, for example, between a false positive and a false negative, from my perspective it's better when you have false positives, because you need to analyze them and you can see what happened in your environment. But when you have a false negative you have a problem, because something wrong is happening in your environment and you don't see it during the scanning or on another platform that you have. Okay, I've explained the difference between SAST, DAST and IAST, just to understand. So now I would like to explain more about Horusec. The name is

Horusec; you can type this into Google, for example, and you can see more information about it. Horusec is an open source tool. Again, you can click here to use the GitHub, or here, horusec.io, and take a look; there are some videos about me. Okay, nice, let's return here. You can click here to see the documentation, and take a look at this in Portuguese and English: "Identify vulnerabilities simple and fast." Again, Horusec is an open source tool, so because of this I'm presenting this to you, because I would really appreciate it if you could do some pull requests on this tool, because this project

was created inside the security team from Zup, but to give this project to the community. So your help is very important for me, and not for me, for this project, actually. Horusec is an open source tool that performs static code analysis to identify security flaws during the development process. Here are some languages and tools that Horusec analyzes, like C#, Java, Kotlin, Python, and other different ones like Terraform and Kubernetes. Okay, here is the web page, and I can click here on the documentation, and here I have some interesting information, a simple

overview about this project. Again, here is something interesting that I like: it's an open source project. And here is another point: check out all the supported languages and available tools. This is very interesting, guys, because you can see here all those languages and tools supported by Horusec. You can see here Python, and take a look at this: here are the engines responsible for finding some vulnerabilities inside the environment. If you click here on Semgrep, for example, take a look at what happens here: it's very simple, the explanation about how Semgrep works. It means you have this other project inside Horusec. Exactly, it's not a framework, but almost

a framework, because you have here many different engines, as you can see here. Like Golang, for example: in Golang you have gosec and Semgrep, two different engines. But here is the difference, take a look at that: you have here Horusec-Java. It's another engine, but it's open source; it's an open source engine, but this engine was created by the Horusec team. So take a look at this: you can see different engines inside the same project. You can see there, for example, Horusec-Kotlin, Semgrep and Horusec-Java: different engines, different tools. From my perspective it's very interesting,

because if, for example, Semgrep doesn't detect the vulnerability, maybe it can be detected by Horusec-Java. It's very, very cool. Okay, let's return here to the overview: where can you use Horusec? Locally: Horusec has an intuitive CLI made for developers where it's possible to perform a local analysis. This was the first idea when we created Horusec. And below you can see other places where you can use it, like a CI/CD pipeline and an IDE extension. Here is the key: both of these functions were created, were suggested, by the community. Because of this your pull requests are very important.

So you can use it in a CI/CD pipeline and you can use it via VS Code, for example. Here below you can see some pictures, but I will explain it live here. And take a look at this, Horusec analysis types; it's a very important thing. Horusec performs three types of analysis. The first is SAST, as I mentioned in the beginning; because of this I explained the difference between SAST, DAST and IAST. And here is another interesting key: Horusec analyzes and can collect the leaks. The leaks check the source code for possible leaks of credentials, private keys or hard-

coded passwords. For example, if you are a developer, or if you know any developer, usually sometimes the developer puts, or forgets, some private keys inside the code, or some hard-coded password inside the code, on a GitHub platform, for example. If you are a pentester, and you are hearing me now, probably you realize that when you perform some reconnaissance steps in a penetration test, when you execute this step you like to look at GitHub to see if you can find some credentials of the target that you are pentesting.

So it's a first step in the reconnaissance steps. And the leaks are very interesting, because if the developer forgot some keys inside, like an AWS key or Azure key or GCP or whatever, you can discover this with this engine, using the Horusec-Leaks engine actually. Another point is the dependency audit: you analyze a project's dependencies to check whether it has vulnerable third-party libraries, because when you create something, when you create some apps, sometimes you need to import other different libraries. So it's very important, it should be important actually, if you have some tools to execute

some analysis of your code, to see if this library was vulnerable or not. So here are the important things. Okay, I think you understand now what Horusec is. Now that I've made this overview, I will be installing, I will be starting Horusec now. You can install it in different ways. Here are the requirements: I need to have Docker and Git installed on my machine. I always put this on my Linux platform, here on my Linux machine. Here I have my CLI. By the way, this is my project actually; let me delete this,

because you need to use it after. Okay, take a look at this: I have here horusec-demo. What do I have inside this project? By the way, I have here some vulnerable code: Golang, Java, Kotlin, Node and PHP. "Okay, Filipi, I would like to do this demo after your presentation." No worries, you can see this information in my GitHub here, not here, it's here, okay: filipi86/horusec-demo, sorry, and here all those vulnerable codes, golang/api, and here we have different vulnerable codes. So here is my GitHub, if you'd like to see something;

you have many repositories and information about me too. Here is something very interesting, if you remember: here is how to help this project. You can fork the project, you can suggest some improvements. It's here. And here, if you'd like to do another different task, you have here one folder called examples; as you can see, if you click here you can find many other examples of vulnerable code. So I just suggest, if you'd like to work with it, that you can practice in this way. Okay, let me install it here, let me return to the documentation here, not here, let me close here, it's okay.

Installation process. Okay, to install the Horusec CLI on macOS or Linux you can execute this. Okay, I will copy this, as you can see, copy, and I paste it here; let me paste the selection here. As you can see it's very simple: curl with some flags, the URL to call the install script, and call bash and request the latest version. So I click enter, and after that it will download Horusec in my environment. Of course my user doesn't have privileges to access; I think it's safer. Okay, oh, something is wrong, because I always forget my password. I don't know if you

forget your password, but I always forget my password. Okay, Horusec was downloaded, and take a look at this, very cool: move it to /usr/local/bin; it's easier to manipulate the information. Okay, horusec, oops, horusec, I don't know the commands: --help, yes, and click enter. Take a look at this: this is a simple CLI; you can use it in two ways, Horusec using the flags and Horusec using a command. Here are the available commands for now, just for now, because we can improve that, of course: generate (generates the Horusec configuration), help (help about any command),

start (starts the Horusec CLI analysis), and version (actual version installed of Horusec). So I can execute horusec version just to confirm the version; the version is 2.1.0. Okay, so I see here that I can use start to start the Horusec CLI analysis. Okay, perfect. So, horusec start; start what? I don't know; let me use help again. Take a look at this: many different flags here. This is the usage, and here you can see the examples. Take a look at this: it starts the Horusec analysis in the current path. It means if I don't put any flags,

Horusec will execute in exactly the current path. It means, in this case, in this path, in this folder or project, whatever. Okay, another example; of course we have many examples, but I'll just talk about some flags. In this case, -a: it's the authorization string, the authorization token from the Horusec API. For example, after you perform your scan on your code, you can send all those vulnerabilities found in your code to the Horusec Manager, because we have a manager to manage this. Whenever it's just not

code, the vulnerabilities found. It's very important, just to clarify. Okay, another point is related to this -o; in this case it's the output format: "output format string: the format for the output to be shown; options are text, JSON and", take a look at this, SonarQube. Maybe you are asking yourself, "Filipi, I like to use SonarQube in my environment; I work with SonarQube, I am a SonarQube guy, and in my company we use SonarQube." But SonarQube looks at the quality of

your software, and of course they have some security settings in the configuration, some settings in this file; I don't know exactly how deep the place that decides this configuration is. But Horusec was created for the community, but by a security team; it was thought out in a security way. So it's very important to clarify, because you can use both of the tools: SonarQube to see the quality, Horusec to see the security. Another interesting flag here is -e, because in this case it's the return

error: "return error: the option to check if you can return exit 1". It means, for example, if I would like to put this in my pipeline, to see the life cycle, do you remember that I explained the SDLC? Okay, I can put this in my GitHub Actions, for example; if I receive this exit 1, for example, if some vulnerability is found, I can set, take a look at the explanation, if I found vulnerabilities I can break my pipeline, because my code was vulnerable. So I just set -e equal to true, because if it is true, in this case

it means the code was vulnerable. It's like if I put here false; in this case it returns zero and the pipeline can go on. So that's very important. Okay, perfect. I think I explained something, so take a look at this: I have four, three, four, no, five folders here, and I use include, so now horusec start, and I just click enter here. Take a look at this: the folder selected is my folder here, horusec-demo, proceed? Yes. Oh no, and yes. If I put, for example, -p, I need to set the real path. For example, if I would like to

scan, to perform this scan on another path, I just put -p equal and I need to select the path, so I can execute it this way. So I just click enter, and now Horusec is scanning my project; in this case this is the name of this project. So guys, if you have any questions you can send them in the channel, I think, if I am correct, and I'm totally available to talk during this scanning, but it's fast, it's very fast here, as you can see. If you see here, Horusec created a .horusec file just during this analysis, and after

that the file is deleted. Okay, Horusec ended the analysis with this status, and why? Because we found some vulnerabilities, with the following results: we started at this time and finished at this time, so I think it's 30 minutes, 30, I think 30 minutes, right? So let's see the logs, very important. You can see here the language is Java, and here the severity. "But Filipi, what is the severity that you have inside Horusec?" Nice question. You can see here, for example, in the glossary, the explanation: it means the security breach in the project that can cause some damage. Yes,

of course we are at a security event; of course, if you found some vulnerability it can cause some damage to the system or the organization. Horusec can identify six types of security breach. It's very interesting; it's very similar to when you think about MITRE and CVE, for example; if you would like to read some CVE, it usually uses almost the same meaning. So we have, first, critical, high, medium, low, info; it means it's a warning, it's not classified as low or

medium, it's just an info warning. And maybe unknown: what does that mean? No, it's not a zero-day; it's not a zero-day, of course, but probably the engine doesn't identify what it is exactly. It's not an info, it's not clear, it's not a good code, but, I know, it's not a zero-day, okay, just to clarify that. So let's return here. In this case it's high; take a look at this, for my side it's very interesting: line 2, column 7 in the code, security tool HorusecEngine, in this case for Java, confidence

is low, and here, guys, you can see the real file. In this case, take a look, this is the main project, when I execute this scanning, horusec-demo, but here you can find the real path where Horusec performed its scanning of all those files to try to find some vulnerable code inside this project, and it found App.java, vulnerable code: import java.util.Random. Why? Because in the details it's an insecure random number generator. But okay, I would like to see more information about this vulnerability: the app uses an insecure random number generator; for more information check out CWE-

330. Okay, and you can click here if you'd like to see more information about that. You can see this information is not a definition by Filipi Pires or Zup Innovation or whatever; it's a definition based on the CWE, Common Weakness Enumeration. As you can see here, the weakness ID, and take a look at this: it's a good library to learn, not a library, I don't know if it's the correct name, but it's a good resource to learn more about security, because you can see here the parent of other vulnerabilities, like insufficient entropy, for example, and you can click here and you can

read more about that. So you can improve your knowledge of security stuff; it's very important. But this vulnerability is related to my code, as we see here in my CLI. So all those explanations here: the type is vulnerability, and here the reference hash; it means we have the reference of this vulnerability. So it's pretty cool. Here is another one, it's JavaScript, it's the same case, it's high, Horusec-Java, and here below another language, it's Go in this case. The severity is medium, line 23, column 7, and take a look at this, the security tool is different: in this case it's gosec. Do you remember gosec? It's another interesting open source

project that we have inside Horusec. As you can see here, the correct file; you go inside of this path, and as you can see here the name of this vulnerable code is "use of weak cryptographic primitive". And at the end of this log, take a look at this: in this analysis a total of five possible vulnerabilities were found and we classified them. So it's five, and you execute this inside your environment. Okay, but let's suppose that you work with VS Code, like me here, and here, as you can see, we have

horusec-demo; it's the same folder, so I have here all those codes: Golang, Java, Node.js and PHP. So I can basically write here, and I have here the extension downloaded inside my VS Code. Here it's very, very useful to use, because you just click here and start the analysis, as you can see here. Hold on, Horusec started to analyze your code, as you can see here; let me close here. Okay, and if you see here: Horusec, oops, security analysis running. It's running during our talk, our conversation, which means it's running some analysis during this conversation. Okay, so first of all I executed it in the

CLI; so now I'm executing Horusec in VS Code, so you can use both of them too to see the environment. Okay, let's see here the first folder, Java, and take a look at this: if I just put my mouse above this you can see the explanation again, as you can see here, but you can click here and take a look at this: the real code, guys, the real code. Here is the vulnerable code. If I just put my mouse here you can see the insecure random number generator. Again, here you can see the explanation: the app uses an insecure random number generator; for more

information, oops, check out CWE-330. Again here you can find the information. Let's see another one here: injection, and here's the process. So let me put it here: "Using a shell interpreter when executing OS commands: arbitrary OS command injection vulnerabilities are more likely when a shell is spawned rather than a new process." So here you can find the explanation about this vulnerability. Again, guys, you can see many different explanations about this one. So you can imagine if you are a developer, you produce your code, you have your code. By the way, I have some similar presentations in, not my, the Zup channel, in this

YouTube channel, but in Portuguese. Probably I will produce, I do a similar demo: when I created my web page, this web page here, I created this web page using an awesome static site page. I created this, and after that I executed Horusec to analyze, as a good summary, if this web page was vulnerable or not. So maybe in the future I can present this to you, to understand more about this in real code, because here it's just a few lines of code; it's not a complete code written in many lines. Here,

here is another interesting one, because, if you remember, in this case it's a medium, because, as I mentioned, it's a weak cryptographic primitive, and here you can see the total code, but it's a small code actually. Okay, I explained more about the CLI and VS Code, but let's see here another interesting thing. Let's suppose that you have some pipeline in your environment. Take a look at this: we have here GitHub Actions, and as you can see I don't have any job, as I put here, or whatever. But here I have my code

in my environment, and let's suppose that I can publish this in GitHub, but I can publish this, of course, not vulnerable. Perfect. Okay, so let's return here to the documentation; where is the documentation? It's here. Okay, in the CLI, the IDE extension that I explained to you, using VS Code. But here, if you see in the CLI installation, another way is to execute this via Docker image, running this command. And another point is installation via pipeline. This type of installation ensures safety in the delivery of your project to production. So here, this is important, since Horusec is added to your pipeline.

so let's suppose that I have here my pipeline, and I can use it to test my code before putting this in production, right? So we tested Horusec with GitHub Actions, AWS CodeBuild, and also CircleCI and Jenkins and Azure DevOps Pipelines and GitLab CI/CD, right? So for all those pipelines you have here the command, as you can see here. But let me return here, let me close this and this, this another example here. Okay, so let me return here. What I need to do, to try, as I put something inside GitHub, let me click here, I need to

set this workflow. I need to have this workflow actually inside of my environment, right? I have here horusec-demo/.github. I need to create this workflow, but I need to have the main file, called .yml, right? Not main, I can put whatever name I want, right, and I just put here main in this case. I can put, you know, bsides or, you know, horusec or whatever, and here is the standard information that I need to put here. Okay, let me return here, not here, GitHub Actions, and okay, if I need to create something I have here the .github and workflow, so what I need to create here is

the horusec, not horusec, I can put whatever name again, .yml, right? And I have here in the documentation this command. Let me copy here, I will copy and I will paste here. So I will call this workflow the name security pipeline, this job actually, and this job will execute this run, this command actually, the curl, as you can see here, the same command that I executed in the beginning, right, to download Horusec. After that, the command called horusec start, right, to start Horusec, -p to set the path, right, in this case the root path, the current path, but the path that

this environment has, right? And -e, in this case, is true. Do you remember that I explained it to you? When we have true in this case, we receive the error exit 1, and in this case it will break my pipeline, right? So I just save here this horusec.yml here, and I need to write what I need to do. Let me see, it works here. Okay, it works because I'm using SSH access. Okay, so git add the new file, right? So I will commit this information, because I have here this new file in my environment, I need to commit this remotely to GitHub, right? horusec-demo,

one file changed, right? So in this case exactly the one that I have created, right? So I need to push this information to origin master. Okay, so let me click here, I need to put my password, and let's see. Okay, heads up, I think it works. Let me return here in my GitHub Actions, I will click here, take a look at what happened. Wow, we have a security pipeline working here for us. Okay, security demo, the name of this workflow, right? If I click here, I can see my job, right? So, as I put in these Actions, using this, you know, similar to my pipeline, right?

So let me click here and take a look at this. It will set up the job here, you know, setting the token and the permissions, and okay, using the checkout code, run something to understand the environment, and take a look at what happened here. Let me see here what happened at the end of this scanning. As I mentioned to you, I think it's small. Okay, take a look at this: process completed with exit code 1. In this case my code is vulnerable, as you can see here, and by the way, I received here on my phone the message from GitHub, right, because I have a problem in my code. And take a look at this, in this case I have

seven possible vulnerabilities, the same scanning executed in my CLI. And let's see here this information, take a look at this: run the scan. It means the curl, right, piped to bash, and after that execute this horusec start -p and -e true. If my code is vulnerable, my pipeline was broken, right? So that's very cool, because you can put Horusec in your pipeline, right? So okay, Filipi, you can do it in three ways: CLI, VS Code and using GitHub Actions. But you have another one, you have here the web application. It means we have a manager to manage all these vulnerabilities,

right? And take a look, it's very simple to execute this. You install with Docker Compose; these are the requirements in your environment: Docker Compose, Docker and Linux. It's very, very simple, just copy here, git clone the Horusec environment, right? So let me return here, now paste here, git clone, okay, git clone and the URL. Basically this is the Horusec platform from ZupIT, it's in GitHub, okay. I will execute this and I will download this Horusec platform, cd horusec-platform, enter, and after that just make install, very, very difficult, and after that, boom, all those services and

Docker containers will be working, right? It's very simple. If you return here in the documentation, it's very simple: enter the folder you have cloned, as I did, run the command make install in order to have all web applications, because you need to have some Docker containers in your environment, right? So you use it in your environment. Of course, mine already exists, because I've been doing this presentation in other events. And after that, access the Horusec services, just copy here, it's just for demo, yeah, so you can use it in your environment as you prefer, right? So we have here the Horusec

web page. You can go there and you can copy this. Please, if you are using this in your environment, change the password, please. It's very important to change the default password, you know; if you don't change it, it's a misconfiguration, right? So okay, let me go to this workspace, let me delete this, because I presented this yesterday. I think something unexpected happened, I have to try again, but it works. Let me click here, enter, and okay. So when you connect in Horusec, this is the real web page. Let me connect again here just to show you. When you copy here, nice, I closed here, copy them, look how you, this is the local page.

I will copy here and I will paste here, okay, and now copy this and I will paste here and I will sign in, and here, this is the web page when I am logged in, right? So I need to add the workspace. I can call it, from this site for example, and I will add this workspace. Sorry, now add here bsides, I can put some description but I don't need to put it now. I need to click here and take a look at this: I can use the token to identify, add token, bsides, and after that I just click on save and I can copy this, okay, and after that I can just, as I said,

this again. So I can return here and go to horusec-demo and I can run here horusec start, and here I can set, do you remember, -a= and I paste here the token. Okay, I just need to paste here, and after that all those vulnerabilities will be sent to this manager, as you can see here. Okay, and take a look at this, this is a good point, because if you have a good team with many developers, you can see, for example, during the week, during the day or during a month, what kind of language has more vulnerable code, for example JavaScript,

the manager can suggest some training on secure development to a job, for example, right? And it's very interesting. Let me click here in workspace, in this case not here, it's here, workspace, and as you can see, one developer, it's me, one repository, and here we can find all vulnerabilities: high, the language JavaScript, and here you can find other information, like, you know, JavaScript high, low, and I need to do some improvements in my front end, as you can see here, right? And if you click here in vulnerabilities, not here, here actually, we have some problem here. Probably my environment was with some problems, some errors,

because, as you can see here, I used another database in other presentations. But it means, you know, it's very simple: all those vulnerabilities are sent to this workspace, and after that you can manage it. In this case, severity, you can see the severity, and you can see here what is the status. For example, if you send it to your team and your team made the improvement of this code, you can put it as corrected, right? So if it is a false positive, you can click here, and after that, if you risk accept, you can click here,

and usually when you have here the vulnerabilities, this is the correct status, right? So here I finish my presentation, guys. Again, thank you so much. I don't know if you have some question. Let me close here my video, and I finished my presentation here. Again, I hope this presentation will be helpful for you, and again, if you have any questions, please feel free.

Yes, thank you for your demonstration, Filipi. You presented a great SAST tool today, Horusec. It was a pleasure and it was nice meeting you today. Remember to hop on Discord right after, if you want to

talk to our sponsors and community organizers. Also, Filipi would love to say hi to you guys afterwards, so just meet him in the Track One, In The Weeds, breakout room. Thank you for attending San Antonio BSides, everybody, and I hope you guys have a great evening. Thank you, Filipi. Thank you, bye.
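As an added example (not from the talk and not the Horusec project's own file), this is the GitHub Actions workflow the demo builds: a job that installs the CLI and runs `horusec start` with `-e="true"` so findings fail the pipeline. It assumes the install-script URL as published in the Horusec docs (check the current docs before use) and, for the optional platform upload, a repository secret named HORUSEC_TOKEN and a placeholder platform URL.

```yaml
# Added example: .github/workflows/horusec.yml for the pipeline step shown in the talk.
# Assumptions: install-script URL as published in the Horusec docs (verify against the
# current docs), a repository secret HORUSEC_TOKEN, and a placeholder platform URL.
name: SecurityPipeline
on: [push, pull_request]

jobs:
  horusec-security:
    name: horusec-security
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: Run Horusec
        run: |
          curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/main/deployments/scripts/install.sh | bash -s latest
          # -p: path to scan (the repository root after checkout)
          # -e="true": exit with code 1 when vulnerabilities are found, which fails this job
          horusec start -p="./" -e="true"

      # Optional variant: also send the findings to a self-hosted Horusec platform (the
      # "manager" shown in the talk). -a takes the workspace token, -u the platform URL.
      # - name: Run Horusec and publish to the platform
      #   run: horusec start -p="./" -e="true" -a="${{ secrets.HORUSEC_TOKEN }}" -u="https://horusec.example.internal"
```

With `-e="true"` the job fails on the first scan that reports findings, so add the step only once the repository's existing findings have been triaged (corrected, false positive, or risk accepted in the platform), otherwise every push is blocked.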
