Continuous Integration and Security Testing with .NET

Page 1: Continuous Integration and Security Testing with .NET

CI SECURITY CONTROLS IN .NET

Joona Immonen
Software [email protected]

Page 2

PROBLEM DOMAIN

Page 3

CI SECURITY CONTROLS

› Static code analysis
• FxCop, VisualCodeGrepper, SonarQube, ReSharper command line tools

› Code quality metrics
• SonarQube, Code metrics

› Configuration and deployment analysis
• Microsoft Baseline Security Analyzer, Attack Surface Analyzer

› Vulnerability scanning
• OWASP ZAP, Nessus

› Performance testing
• jMeter

Page 4

TOOLS IN SECURE DEVELOPMENT LIFECYCLE

 

Before development

Definition and design

Development

Deployment

Maintenance

FxCop     X    VisualCodeGrepper     X    SonarQube     X    Code Metrics     X    OWASP ZAP     X X XMBSA       X XASA       X  Nessus       X XjMeter     X X X

Page 5

TOOLS IN DEFENCE IN DEPTH

 

Network

Host

App server

Application

Web.config

Source code

FxCop         X XVisualCodeGrepper         X X

SonarQube     X X

Code Metrics           X

OWASP ZAP     X X    

MBSA   X X      

ASA   X X      

Nessus X X X X    

jMeter     X X    

Page 6

HOW TOOLS MITIGATE ”OWASP TOP 10”

 

Injection

Broken auth

XSS

Direct obj ref

Misconf

Data exposure

Function level auth

CSRF

Known vuln

Unvalidated redirects

FxCop 1   1 1 1          VCG 1   1   1          SonarQube 1   1 1 1          Code Metrics                    OWASP ZAP 2 2 2 2 2 1   2 1 2MBSA         2       2  ASA           1        Nessus 1 1 1 1 2 1   1 2 1jMeter                    empty=no, 1=maybe, 2=meant for that

Page 7

HOW TOOLS MITIGATE CSA ”NOTORIOUS NINE”

 

Data Breaches

Data Loss

Account or Service Traffic Hijacking

Insecure interfaces and APIs

Denial of Service

Malicious Insiders

Abuse of cloud services

Insufficient Due Diligence

Shared Technology Vulnerabilities

FxCop       1       1  VisualCodeGrepper       1       1  SonarQube       1       1  Code Metrics               1  OWASP ZAP 1     1       1  MBSA 1             1  ASA 1             1  Nessus 1     1       1  jMeter         1     1  empty=no, 1=maybe, 2=meant for that

Page 8

HOW USEFUL TOOLS WERE FROM PROJECT PERSPECTIVE

[Bar chart: "Usefulness of tools", scale 0 to 5; series: Average, Project 1, Project 2; tools: FxCop, jMeter, VisualCodeGrepper, SonarQube, Code Metrics, OWASP ZAP, MBSA, Nessus, ASA]

Page 9

SONARQUBE: WHAT IS AN ISSUE?

Page 10