Time: 4 hours 39 minutes
Difficulty: Beginner
CEU/CPE: 5

Video Transcription

00:00
Lesson 3.5.
00:02
I'm just going to do a demo of SpotBugs, just to kind of give you a perspective from the developers' side of what they would be seeing and, you know, prevent. So this is part of the preparedness stages, giving them the tools to work on the bugs, fix them or find them,
00:18
identify, writing secure code before we actually run it in the test, so that we can fix these bugs early.
00:25
So the objective is, we're just gonna go through and demonstrate SpotBugs and then explain the steps to go through to actually fix one of the bugs, just kind of giving an example so you can see the perspective of it.
00:40
And here, if you take a look, this is the website for SpotBugs and, uh, Eclipse. So Eclipse is the integrated development environment, the IDE we call it, that the developer could be working in, and SpotBugs is just a plug-in for it. Later on, when we actually run it in our pipeline, it's a
00:57
It's a self-running program that will provide results back to Jenkins. But this is getting, like, fixing the bugs early.
01:04
So this demo is just gonna kind of go through
01:08
Eclipse using SpotBugs. This is gonna be a little bit in depth. It's a lot of coding. I just want you to kind of follow along. If you don't understand the concept, it's fine. It's really just understanding how we can help the developer and provide tools to them within the integrated development environment here, Eclipse.
01:26
So the first one, I have the Java vulnerable app, our lab, opened up.
01:32
What the developer would do is say, OK, I have SpotBugs here, take a look.
01:37
Let me go through here and find all my bugs.
01:41
What you see down here is, for each one of these Java files, there's now a number in parentheses showing the number of possible bugs that SpotBugs has found,
01:53
so there's a couple of ways they can go through it. Um,
01:56
if you're not going by the file, you can actually drill down and see, so there's Scary, Troubling, Of Concern. There are five scary ones. You could actually open these up
02:06
and then keep drilling down, you see. So, for example, this one says I have an HTTP response splitting vulnerability.
02:14
Drill down again and they can actually click on it.
02:16
Then it pops up the... So this one, it's opened the Java file, the one that actually has the issue here, and you'll see there's a little bug right next to it, and that tells them, here is the issue. So you can click on this,
02:29
drill down, and it gives some information about it. So for this bug, it's HTTP parameter directly written to header output,
02:38
and this is, ah, a split header issue, so they can, if they want, split the response.
02:44
You can actually click on a link here, and they can get some information. This one is Wikipedia; it gives them a little official information
02:51
again. You can read further down here.
02:53
But so, for example, what they might be interested in doing is, they want to fix a specific file. So this is an email check file.
03:01
Scroll down here. What's the issue? This is a SQL injection.
03:07
Um, that says,
03:09
reading it, it says: this method invokes the execute or addBatch method on a SQL statement with a string that seems to be dynamically generated. Consider using a prepared statement instead; it's more efficient and less vulnerable to SQL injection.
03:23
So they could maybe go about and read it. So
03:27
But what would be fun here is, if we actually fix it.
03:30
Again, there's gonna be some coding. But you can kind of see, I just want to show you how the developer would be working. So they would say, instead of just a regular Statement, I want to do a PreparedStatement.
03:42
I'm gonna call my variable preparedStatement,
03:47
and I'm gonna make it equal to... instead of, see, this was just connection.createStatement; what I want it to be is
03:57
connection dot
03:59
prepareStatement.
04:02
Oops, misspelled.
04:08
That's what it's gonna look like. I'm gonna fix a little bit here. We have to fix this import.
04:14
Ah, I
04:15
just in Java, you have to, let's say, explain where you got that method from, and it goes and finds the library for you.
04:23
Um, so instead of
04:26
this sending
04:28
text here,
04:32
I put this in here and I explain what we're doing.
04:35
He equals
04:39
So
04:43
I see, oops, so I misspelled prepareStatement. I... prepared, um. So the issue, as probably explained here, is that this email right here, this variable, was taken directly from the web server, or the application server, and put right into a SQL statement. This is the classic
04:59
SQL injection: you take
05:00
text, or you take a variable directly from an application server that the user sent. Most times it works, but a malicious user could put a semicolon, who knows what else, in there and directly inject into your SQL statement.
05:13
That's what, there,
05:15
SpotBugs did not like or found. So what we said here, instead of putting that email variable, I'm putting a question mark in here, because it's just the way PreparedStatement works. prepared
05:28
Statement
05:30
dot setString, which is where I'm now gonna put that thing, that variable, in here: email.
05:36
So the prepared statement has ways of combating SQL injection. It doesn't work perfectly; I would probably do some other filtering, but just for this example, that's what we want to do.
05:46
So I'm gonna
05:47
I'll start clearing some of this out, or commenting it out, to show you... to find a...
05:53
once we can clear the bugs. I just wanna kind of show this
05:58
in real time. So our results there,
06:00
instead of the statement like we had above, I'm gonna call my preparedStatement which I just created.
06:09
And then I'm gonna execute the query,
06:14
query.
06:16
Everything looks good. I've still got the bug here.
06:19
So let me comment out that bug.
06:21
Let me comment out that issue,
06:26
and save the file.
06:28
And now our bug is gone because we fixed it with a prepared statement.
06:30
This is, ah, you see, this is the way the developer would be working, fixing these bugs,
06:35
and then, obviously, fixing it in the IDE is a lot quicker than waiting till we get deeper and spot it later and have to go back and re-code it, find any issues like that.
06:46
And again, they can kind of go through here and fix them one at a time. Um, I won't go through all these, but you can kind of see how, again, just drilling down, they could do this, open up the problem. I see you got another SQL injection finding here.
07:00
But that's what it looks like from the developer's perspective.
07:04
At this point, I just have a question for you.
07:08
Can you see the value of developers fixing bugs during the coding
07:15
in the IDE? It's cheaper to fix it before you go through the build, maybe even the test phase, and then changing requirements, looking at their requirements, anything like that. If you do it right in the IDE, the developer could be writing, see the bug, go research, fix it before it even gets to the pipeline where we have to, then,
07:33
security people have to look at it, you create an issue, any of that,
07:38
a cycle of additional people, additional time,
07:41
and also can help
07:43
teach them as they're writing: they could see a vulnerability, like, oh, let me go research to see how to find it, and then the next time they're writing it they may not make the same issue again, or see it, like, I've already seen this bug and how to fix it.
07:58
In this module we took a look at SpotBugs. You can see how the developer would be using security while they're coding, and next we'll take a look at how we can help security learn DevOps.


Instructed By: Philip Kulp, Instructor