solita-oy
CI SECURITY CONTROLS IN .NET
Joona Immonen
Software [email protected]
PROBLEM DOMAIN
CI SECURITY CONTROLS
› Static code analysis
• FxCop, VisualCodeGrepper, SonarQube, ReSharper command line tools
› Code quality metrics
• SonarQube, Code metrics
› Configuration and deployment analysis
• Microsoft Baseline Security Analyzer, Attack surface analyzer
› Vulnerability scanning
• OWASP-ZAP, Nessus
› Performance testing
• jMeter
TOOLS IN SECURE DEVELOPMENT LIFECYCLE
Phases: Before development | Definition and design | Development | Deployment | Maintenance
Each X marks one phase in which the tool is used; the phase column of each X did not survive extraction.
FxCop: X
VisualCodeGrepper: X
SonarQube: X
Code Metrics: X
OWASP ZAP: X X X
MBSA: X X
ASA: X
Nessus: X X
jMeter: X X X
TOOLS IN DEFENCE IN DEPTH
Layers: Network | Host | App server | Application | Web.config | Source code
Each X marks one layer the tool covers; the layer column of each X did not survive extraction.
FxCop: X X
VisualCodeGrepper: X X
SonarQube: X X
Code Metrics: X
OWASP ZAP: X X
MBSA: X X
ASA: X X
Nessus: X X X X
jMeter: X X
HOW TOOLS MITIGATE ”OWASP TOP 10”
Categories: Injection | Broken auth | XSS | Direct obj ref | Misconf | Data exposure | Function level auth | CSRF | Known vuln | Unvalidated redirects
Legend: empty=no, 1=maybe, 2=meant for that
Cell values are listed per tool in row order; the category column of each value did not survive extraction.
FxCop: 1 1 1 1
VCG: 1 1 1
SonarQube: 1 1 1 1
Code Metrics: (no values)
OWASP ZAP: 2 2 2 2 2 1 2 1 2
MBSA: 2 2
ASA: 1
Nessus: 1 1 1 1 2 1 1 2 1
jMeter: (no values)
HOW TOOLS MITIGATE CSA ”NOTORIOUS NINE”
Categories: Data Breaches | Data Loss | Account or Service Traffic Hijacking | Insecure interfaces and APIs | Denial of Service | Malicious Insiders | Abuse of cloud services | Insufficient Due Diligence | Shared Technology Vulnerabilities
Legend: empty=no, 1=maybe, 2=meant for that
Cell values are listed per tool in row order; the category column of each value did not survive extraction.
FxCop: 1 1
VisualCodeGrepper: 1 1
SonarQube: 1 1
Code Metrics: 1
OWASP ZAP: 1 1 1
MBSA: 1 1
ASA: 1 1
Nessus: 1 1 1
jMeter: 1 1
HOW USEFUL TOOLS WERE FROM PROJECT PERSPECTIVE
[Chart: Usefulness of tools, rated on a 0 to 5 scale; tools: FxCop, jMeter, VisualCodeGrepper, SonarQube, Code Metrics, OWASP ZAP, MBSA, Nessus, ASA; series: Average, Project 1, Project 2]
SONARQUBE: WHAT IS AN ISSUE?