Friday, December 05, 2014

On risk management: Do you practice Continuous Web Application Security?

Do you practice Continuous Web Application Security? We have learned how to continuously deliver software and of course that means that anything you do as part of the SDLC should be done continuously including security. Just like with backup-restore tests this is a hot topic. As usual there is no simple answer about what we should all do because we should all do different things depending on our budget.

Here is though an affordable practical proposal for continuous web application security:
  1. Have a Ubuntu Desktop (I personally like to see what is going on when it comes to the UI related testing) with Selenium server running and at least chrome driver available.
  2. From Jenkins hit (remotely) a local runner that triggers locally running automated E2E tests against your application URL (I personally believe that E2E concerns belongs to developers, whether you have full stack engineers of dedicated front end engineers. I strongly believe that they belong to whoever is in charge of the UX/UI)
  3. The tests normally will open chrome instances where you can see UI tests in action if you like (Did I say that when it comes to UX/UI I like to *see* what is going on in the browser?)
  4. A proxy based passive scanner like zaproxy is installed as well. You can install it easily using a plain old bash (POB) recipe I created here BTW.
  5. If you want to start the proxy with a user interface so you can look into the history of found vulnerabilities through a nice user interface and assuming you installed it from the recipe then run it as '/opt/zap/zap.sh' or if you get issues with your display like it happened to me while using xrdp with 'ssh -X localhost /opt/zap/zap.sh'.
  6. In order to proxy all requests from chrome we need to follow the below steps.
    • From zap proxy menu export the Root CA certificate using "Tools | Options | Dynamic SSL Certificates | Save"
    • From Chrome settings search for "certificate", click "Mamage Certificates | Authorities | Import | All Files"; select the exported cer file and select "trust his certificate for identifying websites"
    • If you use selenium server it must be started after you run the below commands. Google Chrome Browser should be started after these commands in order to use the proxy. If using protractor with directConnect flag set to true, then you will need to run these commands before you invoke the tool.
      export http_proxy=localhost:8080
      export https_proxy=localhost:8080
      
    • To stop the proxy we just need to reset the two variables and restart the selenium service .


    LEGACY 12.04: For the proxy to get the traffic from chrome you need to configure the ubuntu system proxy with the commands below. All traffic will now go through the zaproxy. If you want to turn the proxy off just run the first command. To turn it on run just the second but run them all if you are unsure about the current configuration. This is a machine where you just run automated tests so it is expected that you run no browser manually there BTW and that is the reason I forward all the http traffic through the proxy:
  7. Every time your tests run you will be collecting data about possible vulnerabilities
  8. You could go further now and inspect the zaproxy results via the REST API consuming JSON or XML in your jenkins pipeline in fact stopping whole deployments from happening. You can take a less radical approach and get the information in plain HTML. Below for example we extract all the alerts in HTML for http://google.com (none ;-). It is assumed that you have run '/opt/zap/zap.sh -daemon' which allows to access from http:/zap base URL the REST API:
  9. If you want to access this API from outside the box you will need to run '/opt/zap/zap.sh -daemon -host 0.0.0.0 -p 8080' however keep in mind the poor security available for this api.
  10. Do not forget to restart the proxy after vulnerabilities are fixed or stop and start it automatically before the tests are run so you effectively collect the latest vulnerabilities only
  11. Provide active scanning as well: See https://wiki.jenkins-ci.org/display/JENKINS/Zapper+Plugin
A last note about security. Make sure you never use the environment we have built here to go through sites that are not those you are testing. Remember that you have added the OWASP root certificate to your browser which means other people having the same certificate could do a number of nasty things with a user working behind this browser setup. Congratulations. You have just added continuous web application security to your SDLC.

No comments:

Followers