Static App Security Test (SAST)

Lesson 4.3 of deaths that got fundamentals. We're gonna talk about static application, security testing or the fast we've talked about a couple times. I think we briefly mentioned it what it is. You should have an idea, but when I delve a little bit deeper, so we understand when we're actually running the tools what we're looking for. So the lesson objectives were going to list some.

‍

The open source tools for static analysis describe the benefits of limp based tools. Look that that look for style issues and any other some type of security issues top in Java script or some of these other non compiled languages and relate the need for container security as well. And then I want to demonstrate de compiling code. It's kind of it's slightly off topic, but it's an interesting issue that I've run into before, so I just want to kind of make sure we understand what byte code is, and you know how we can take a look at it. You're interested in the static analysis, really, In doing security checks, there's thestreet ill based lint tool that we could check the structure, typos, some some security issues like she see this little bit later, when I wish I showed the Jenkins demo.

‍

I do a check style check in there and you'll see a number of errors in the type of errors that come up with that. There's a mother specific ones called like, yes, lint that can check the security and check JavaScript special when you're doing node. Andi. It's important when things are running our that what the code behind his JavaScript. And we also have to look at container security, especially as you start moving towards micro services. And those is shift air that the application development is shifting to the left. Where there's this, it's no longer this monolithic application that's deployed. You have these individual pieces of code and they're built into the containers. That's that's running the libraries, and it's really moving towards the developer side. And there's so much later on. I think one of the last modules will talk about this. Is that an application called Falco, which is a rules based engine? It you can actually monitor containers, which is interesting topic. And then there's benchmarks to harden containers I have mentioned in this one back in the first module. So static analysis tools.

‍

We actually have a s s d f with nist. Ah, framework for ah, met up. Sorry, a requirement p w 0.5. So you have to have these type type of tool. So for Java, there's tons out there. But there's some free one that there's one called PMD spot bugs. Both of these will be in the demo later where I show Puma scan for dot Net is a free tool, but there's also get you have to pay for advanced features of it. Does the loss dependency check which one of my favorite tools. It looks at the third party libraries and shows you what vulnerabilities accept is this for versions that are included in your application? Is also commercial tools out there that do all these type of checks as well.

‍

So there's a question for you. Are you familiar with vulnerability scoring other than a lost top 10 that the very we all kind of heard of this. We know this, but do you know there's other ones out there? It was when you may not have heard off, but it is the common weaknesses in new Marais Shin which is related specifically to secure it relates started the vulnerabilities in applications specifically to secure code. So this is the C W E. They actually publish a top 25 most dangerous software errors. What they do is they pull in the C V D data from the NPD and then they take thesis E V S s scores.

‍

But what they do it is map each one of these vulnerabilities specifically to a CBE i d. And then rank them that way so that you can see what the common coding errors are. I won't go through all Top 25. It just pulled out a couple here. There's ah linked to you can see the CB dot miter website where this is stored. The 1st 1 is improper restrictions operations. This is the parent to the classic buffer over close. You see, they're still 75. It's the top rank here and there. There's errors are still going on. When the issues I mentioned I want to talk about quick is being able to d compiled code doesn't work for all languages like C on some of the other ones. But it does work for dot Net and job because they're the code is actually by code, which can be decomp. I'll go back to the source code and the reason this is someone interesting topic cause I've run in this before where either I was given a special or a a private library or an application.

‍

And the developer said This is not in my contract. Actually give the source code. I only have to deliver the final application. Well, we couldn't run static analysis on the built application we needed to decomp, I'll it. So when I found some tools and ability to decomp, I'll take the bite code or the application and reverse engineer back to the source code so they could run static analysis on it, dont Lee said. Java has bite code dot net has assemblies. The first tool is DNS by that could take dot net. So actually went out and I wrote just quick application compiled it, and then I ran it through the end spy and then got a screen capture here so you can see on the right side. That's the D compiled code, and you can see it's near clear tax iffy. If you've ever written in dot net, or just that you can understand basic apple or a basic source code. What looks like So I actually have a secret here.

‍

I did a right line, I added. Asked for some text. What do you see? It all This was a dot net assembly built application. I was able to de compile it and the ends by actually has ability to then save off that D compiled code into a workspace, and I was able to bring it up in visual studio and run that Puma skin on it. We could do the same thing in Java. It's a different program called JD Gooey. Same thing I wrote up a Java program, compiled it into a class file, brought it back in or brought it into the day D and D compiled it, and you see the same way on the right. It has a, uh, clear text, and it looks almost exactly like the original code, and this one has. The you could do is what the same thing.

‍

You can take a whole jar file or war file, actually save it off the whole entire source code and then run it through the SAS tool. Um, one of the other ways I found that interesting is that this good search functionality the D N spice a little bit better, but I would guess you go through and look forward. The word passwords secret. And it's just amazed that these low hanging fruit you find in these applications some of the static analysis tool who find that but other ones there might be specific things, like in this case, I knew the developers, their domain name or their email addresses.

‍

They're up for the domain portion of email. Actually start searching and finding this privacy information in the application. Here's a quick quiz spot bugs and other source code review tools perform. Is it static analysis or dynamic analysis? This should be an easy one to have been paying attention. Static analysis is poor is performed before the apus built dynamic analysis is gonna be done after its is running in the environment. We'll look at that later module. We talked about static analysis tools and some of the concepts that we need. Uh, and then next we'll talk about external libraries and adding them during the deployment. And what security ramifications there are.