SlideShare a Scribd company logo

Deploying Static Application Security Testing on a Large Scale

Achim D. Brucker
Achim D. Brucker

SCA, if used for finding vulnerabilities also called SAST, is an important technique for detecting software vulnerabilities already at an early stage in the software development life-cycle. As such, SCA is adopted by an increasing number of software vendors. The wide-spread introduction of SCA at a large software vendor, such as SAP, creates both technical as well as non-technical challenges. Technical challenges include high false positive and false negative rates. Examples of non-technical challenges are the insufficient security awareness among the developers and managers or the integration of SCA into a software development life-cycle that facilitates agile development. Moreover, software is not developed following a greenfield approach: SAP's security standards need to be passed to suppliers and partners in the same manner as SAP's customers begin to pass their security standards to SAP. In this paper, we briefly present how the SAP's Central Code Analysis Team introduced SCA at SAP and discuss open problems in using SCA both inside SAP as well as across the complete software production line, i.e., including suppliers and partners.

Technology
1 of 27
Download to read offline
Deploying SAST on a Large Scale Achim D. Brucker joint work with Uwe Sodan {achim.brucker, uwe.sodan}@sap.com SAP AG, Germany
Has Sony been Hacked this Week? http://hassonybeenhackedthisweek.com/ Time-line of the Sony Hack(s) (excerpt): 2011-04-20 Sony PSN goes down 2011-05-21 Sony BMG Greece: data 8300 users (SQL Injection) 2011-05-23 Sony Japanese database leaked (SQL Injection) 2011-05-24 Sony Canada: roughly 2,000 leaked (SQL Injection) 2011-06-05 Sony Pictures Russia (SQL Injection) 2011-06-06 Sony Portugal: SQL injection, iFrame injection and XSS 2011-06-20 20th breach within 2 months 177k email addresses were grabbed via a SQL injection (http://hassonybeenhackedthisweek.com/history) Consequences: • account data of close to 100 million individuals exposed • over 12 million credit and debit cards compromised • more than 55 class-action lawsuits • costs of $ 170 million only in 2011 © 2014 SAP AG. All Rights Reserved. Page 3 of 18
A Bluffers Guide to SQL Injection • Assume an SQL Statement for selecting all users with “userName” from table “user” © 2014 SAP AG. All Rights Reserved. Page 4 of 18
A Bluffers Guide to SQL Injection • Assume an SQL Statement for stmt = "SELECT * FROM ‘users‘ WHERE ‘name‘ = ’" + userName + "’;" © 2014 SAP AG. All Rights Reserved. Page 4 of 18
A Bluffers Guide to SQL Injection • Assume an SQL Statement for stmt = "SELECT * FROM ‘users‘ WHERE ‘name‘ = ’" + userName + "’;" • What happens if we choose the following userName: userName = "’ or ’1’=’1" © 2014 SAP AG. All Rights Reserved. Page 4 of 18
A Bluffers Guide to SQL Injection • Assume an SQL Statement for stmt = "SELECT * FROM ‘users‘ WHERE ‘name‘ = ’" + userName + "’;" • What happens if we choose the following userName: userName = "’ or ’1’=’1" • Resulting in the following statement: stmt = "SELECT * FROM ‘users‘ WHERE ‘name‘ = ’’ or ’1’=’1’;" © 2014 SAP AG. All Rights Reserved. Page 4 of 18
A Bluffers Guide to SQL Injection • Assume an SQL Statement for stmt = "SELECT * FROM ‘users‘ WHERE ‘name‘ = ’" + userName + "’;" • What happens if we choose the following userName: userName = "’ or ’1’=’1" • Resulting in the following statement: stmt = "SELECT * FROM ‘users‘ WHERE ‘name‘ = ’’ or ’1’=’1’;" • Which is equivalent to stmt = "SELECT * FROM ‘users‘;" selecting the information of all users stored in the table ‘users’! © 2014 SAP AG. All Rights Reserved. Page 4 of 18
Vulnerability types of CVE reports since 1999 Execute Code 28% Denial of Service 17% Overflow 12% XSS 11% SQL Injection 8% Gain Information 5% Bypass Something 4% Other 15% • Causes for most vulnerabilites are • programming errors • configuration errors • Patching is • expensive • may introduce new bugs How can we ensure that no vulnerable code is shipped? © 2014 SAP AG. All Rights Reserved. Page 5 of 18
Finding Security Vulnerabilities © 2014 SAP AG. All Rights Reserved. Page 6 of 18
Finding Security Vulnerabilities © 2014 SAP AG. All Rights Reserved. Page 6 of 18
Evolution of Source Code • Increase in • code size • code complexity • number of products • product versions © 2014 SAP AG. All Rights Reserved. Page 7 of 18
SAST as Part of SAP’s SDL © 2014 SAP AG. All Rights Reserved. Page 8 of 18
SAST as Part of SAP’s SDL © 2014 SAP AG. All Rights Reserved. Page 8 of 18
So Everything is Secure Now, Right? “ Our tool reports all vulnerabilities in your software – you only need to fix them and you are secure. Undisclosed sales engineer from a SAST tool vendor. © 2014 SAP AG. All Rights Reserved. Page 9 of 18
So Everything is Secure Now, Right? “ Our tool reports all vulnerabilities in your software – you only need to fix them and you are secure. Undisclosed sales engineer from a SAST tool vendor. Yes, this tools exists! It is called Code Assurance Tool (cat): © 2014 SAP AG. All Rights Reserved. Page 9 of 18
So Everything is Secure Now, Right? “ Our tool reports all vulnerabilities in your software – you only need to fix them and you are secure. Undisclosed sales engineer from a SAST tool vendor. Yes, this tools exists! It is called Code Assurance Tool (cat): • The cat tool reports each line, that might contain a vulnerability: © 2014 SAP AG. All Rights Reserved. Page 9 of 18
So Everything is Secure Now, Right? “ Our tool reports all vulnerabilities in your software – you only need to fix them and you are secure. Undisclosed sales engineer from a SAST tool vendor. Yes, this tools exists! It is called Code Assurance Tool (cat): • The cat tool reports each line, that might contain a vulnerability: • It supports also a mode that reports no false positives: © 2014 SAP AG. All Rights Reserved. Page 9 of 18
Continuous Improvements Further input channels: • Development teams • Internal research • Scan reviews • Code reviews • . . . © 2014 SAP AG. All Rights Reserved. Page 10 of 18
SAST Solutions Applied at SAP ABAP 42% C/C++ 13% Java 30% JavaScript 7% Others 8% • Mandatory for all products • Multiple billions lines analyzed Language Tool Vendor ABAP CVA (SLIN_SEC) SAP C/C++ Coverity Coverity Others Fortify HP Other important pillars of SAP’s SDL: • Secure programming training’s • Pen tests on the final product In addition: • Own research (e.g., JS, Mobile) • Ongoing evaluation of • alternative tools and • complementary techniques. © 2014 SAP AG. All Rights Reserved. Page 11 of 18
Open Issues • Estimating the risk of not fixing security issues is hard • How to prioritize security vs. functionality • In case of doubt, functionality wins • Pushing SAST across the software supply chain • Consumed software (OSS, third-party products) • SAP Customers, partners, and OEM products • Huge and hybrid multi-language applications • Client-server applications • Web-frameworks • Dynamic programming paradigms and languages • JavaScript, Ruby, etc. • Lack of standardized regression test suites • Different tools • Different versions of the same tool © 2014 SAP AG. All Rights Reserved. Page 12 of 18
Lessons Learned: Recommendations (1/3) Follow the recommendations given by Chandra et al: • Start small • Start with one pilot • Succeed with pilot before larger roll-out • Go for the throat • Start with the main security threat • Appoint a champion • Identify a developer that knows all parts of the application • Make this developer your tool champion • Measure the outcome • Track and measure the generated data • Make it your own • Adapt the tool to your needs • SAST tools are not “off-the-shelf” products © 2014 SAP AG. All Rights Reserved. Page 13 of 18
Lessons Learned: Recommendations (2/3) Based on our experiences, we add: • Plan and invest enough resources • Introducing SAST requires significant resources • Integration, Analysis, Education, . . . • Plan and invest enough infrastructure • If the tools are slow, nobody will use them • Do understand your developers as your friends • Do not follow the “security review” model • SAST tools should be understood as “debug tool” • Execute scans regularly • SAST is not a one-time effort © 2014 SAP AG. All Rights Reserved. Page 14 of 18
Lessons Learned: Recommendations (3/3) • Plan your changes and updates • All changes to the tools might change the results • Do get support (and commitment) from your management • Introducing SAST will cost money and effort • Minimize the risk of discussing “security vs. features” • Do not stop here. • Introducing SAST is only the first step • Use complementary techniques, e.g., • Threat modeling • Dynamic testing tools • Penetration tests • . . . © 2014 SAP AG. All Rights Reserved. Page 15 of 18
Conclusion “ You cannot pay people well enough, to do proper code audits. I tried it. Yaron Minsky, Jane Street Capital • We can confirm the results of Scandariato et al that show that SAST is the most effective and efficient security testing method • Embed your SAST efforts into a holistic security testing strategy © 2014 SAP AG. All Rights Reserved. Page 16 of 18
Thank you! http://xkcd.com/327/
Bibliography I Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit, March 2014. Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In gi Sicherheit 2014, Lecture Notes in Informatics. gi, March 2014. © 2014 SAP AG. All Rights Reserved. Page 18 of 18
© 2014 SAP AG. All rights reserved No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG. This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice. SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence. The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages. © 2014 SAP AG. All Rights Reserved. Page 19 of 18

Recommended

Industrial Challenges of Secure Software Development
Industrial Challenges of Secure Software DevelopmentIndustrial Challenges of Secure Software Development
Industrial Challenges of Secure Software Development
Achim D. Brucker
 
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Kevin Fealey
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
Kevin Fealey
 
Security Code Review: Magic or Art?
Security Code Review: Magic or Art?Security Code Review: Magic or Art?
Security Code Review: Magic or Art?
Sherif Koussa
 
Waratek overview 2016
Waratek overview 2016Waratek overview 2016
Waratek overview 2016
Waratek Ltd
 
OWASP Knoxville Inaugural Chapter Meeting
OWASP Knoxville Inaugural Chapter MeetingOWASP Knoxville Inaugural Chapter Meeting
OWASP Knoxville Inaugural Chapter Meeting
Phil Agcaoili
 
Waratek ISACA Webinar
Waratek ISACA WebinarWaratek ISACA Webinar
Waratek ISACA Webinar
Waratek Ltd
 
Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...
Phil Agcaoili
 

Recommended

Industrial Challenges of Secure Software Development
Industrial Challenges of Secure Software DevelopmentIndustrial Challenges of Secure Software Development
Industrial Challenges of Secure Software Development
Achim D. Brucker
 
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Kevin Fealey
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
Kevin Fealey
 
Security Code Review: Magic or Art?
Security Code Review: Magic or Art?Security Code Review: Magic or Art?
Security Code Review: Magic or Art?
Sherif Koussa
 
Waratek overview 2016
Waratek overview 2016Waratek overview 2016
Waratek overview 2016
Waratek Ltd
 
OWASP Knoxville Inaugural Chapter Meeting
OWASP Knoxville Inaugural Chapter MeetingOWASP Knoxville Inaugural Chapter Meeting
OWASP Knoxville Inaugural Chapter Meeting
Phil Agcaoili
 
Waratek ISACA Webinar
Waratek ISACA WebinarWaratek ISACA Webinar
Waratek ISACA Webinar
Waratek Ltd
 
Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...
Phil Agcaoili
 
Security asp.net application
Security asp.net applicationSecurity asp.net application
Security asp.net application
ZAIYAUL HAQUE
 
Microsoft asp.net identity security
Microsoft asp.net identity securityMicrosoft asp.net identity security
Microsoft asp.net identity security
rustd
 
Code review for secure web applications
Code review for secure web applicationsCode review for secure web applications
Code review for secure web applications
silviad74
 
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
gmaran23
 
Null meet Code Review
Null meet Code ReviewNull meet Code Review
Null meet Code Review
Naga Venkata Sunil Alamuri
 
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
gmaran23
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#
Siddharth Bezalwar
 
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
OWASP Ottawa
 
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
gmaran23
 
ASP.NET Core Security
ASP.NET Core SecurityASP.NET Core Security
ASP.NET Core Security
Albert Weinert
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review Process
Sherif Koussa
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
SharePointRadi
 
Code review guidelines
Code review guidelinesCode review guidelines
Code review guidelines
Lalit Kale
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
Top 10 static code analysis tool
Top 10 static code analysis toolTop 10 static code analysis tool
Top 10 static code analysis tool
scmGalaxy Inc
 
Sass Code Reviews - How one code review changed my life #SassConf2015
Sass Code Reviews - How one code review changed my life #SassConf2015Sass Code Reviews - How one code review changed my life #SassConf2015
Sass Code Reviews - How one code review changed my life #SassConf2015
Stacy Kvernmo
 
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Achim D. Brucker
 
SAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial ToolsSAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial Tools
Achim D. Brucker
 
Protect Your Customers Data from Cyberattacks
Protect Your Customers Data from CyberattacksProtect Your Customers Data from Cyberattacks
Protect Your Customers Data from Cyberattacks
SAP Customer Experience
 
Integrating Application Security into a Software Development Process
Integrating Application Security into a Software Development ProcessIntegrating Application Security into a Software Development Process
Integrating Application Security into a Software Development Process
Achim D. Brucker
 
Incident Response and SAP Systems
Incident Response and SAP SystemsIncident Response and SAP Systems
Incident Response and SAP Systems
Onapsis Inc.
 

More Related Content

Viewers also liked

Microsoft asp.net identity security
Microsoft asp.net identity securityMicrosoft asp.net identity security
Microsoft asp.net identity security
rustd
 
Code review for secure web applications
Code review for secure web applicationsCode review for secure web applications
Code review for secure web applications
silviad74
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review Process
Sherif Koussa
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 
Sass Code Reviews - How one code review changed my life #SassConf2015
Sass Code Reviews - How one code review changed my life #SassConf2015Sass Code Reviews - How one code review changed my life #SassConf2015
Sass Code Reviews - How one code review changed my life #SassConf2015
Stacy Kvernmo
 

Viewers also liked (17)

Security asp.net application
Security asp.net applicationSecurity asp.net application
Security asp.net application
 
Microsoft asp.net identity security
Microsoft asp.net identity securityMicrosoft asp.net identity security
Microsoft asp.net identity security
 
Code review for secure web applications
Code review for secure web applicationsCode review for secure web applications
Code review for secure web applications
 
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
 
Null meet Code Review
Null meet Code ReviewNull meet Code Review
Null meet Code Review
 
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#
 
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
 
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
 
ASP.NET Core Security
ASP.NET Core SecurityASP.NET Core Security
ASP.NET Core Security
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review Process
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
 
Code review guidelines
Code review guidelinesCode review guidelines
Code review guidelines
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Top 10 static code analysis tool
Top 10 static code analysis toolTop 10 static code analysis tool
Top 10 static code analysis tool
 
Sass Code Reviews - How one code review changed my life #SassConf2015
Sass Code Reviews - How one code review changed my life #SassConf2015Sass Code Reviews - How one code review changed my life #SassConf2015
Sass Code Reviews - How one code review changed my life #SassConf2015
 

Similar to Deploying Static Application Security Testing on a Large Scale

Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Achim D. Brucker
 
Integrating Application Security into a Software Development Process
Integrating Application Security into a Software Development ProcessIntegrating Application Security into a Software Development Process
Integrating Application Security into a Software Development Process
Achim D. Brucker
 
Incident Response and SAP Systems
Incident Response and SAP SystemsIncident Response and SAP Systems
Incident Response and SAP Systems
Onapsis Inc.
 
Attacks Based on Security Configurations
Attacks Based on Security ConfigurationsAttacks Based on Security Configurations
Attacks Based on Security Configurations
Onapsis Inc.
 
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC) Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Onapsis Inc.
 
SAST Code Security Advisor for SAP [Webinar]
SAST Code Security Advisor for SAP [Webinar]SAST Code Security Advisor for SAP [Webinar]
SAST Code Security Advisor for SAP [Webinar]
akquinet enterprise solutions GmbH
 
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis Inc.
 
Beyond PowerPlay: Choose the Right OLAP Tool for Your BI Environment (Cognos...
Beyond PowerPlay: Choose the Right OLAP Tool for Your BI Environment (Cognos... Beyond PowerPlay: Choose the Right OLAP Tool for Your BI Environment (Cognos...
Beyond PowerPlay: Choose the Right OLAP Tool for Your BI Environment (Cognos...
Senturus
 
SAST Managed Services for SAP [Webinar]
SAST Managed Services for SAP [Webinar]SAST Managed Services for SAP [Webinar]
SAST Managed Services for SAP [Webinar]
akquinet enterprise solutions GmbH
 
SAP security made easy
SAP security made easySAP security made easy
SAP security made easy
ERPScan
 

Similar to Deploying Static Application Security Testing on a Large Scale (20)

Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
 
SAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial ToolsSAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial Tools
 
Protect Your Customers Data from Cyberattacks
Protect Your Customers Data from CyberattacksProtect Your Customers Data from Cyberattacks
Protect Your Customers Data from Cyberattacks
 
Integrating Application Security into a Software Development Process
Integrating Application Security into a Software Development ProcessIntegrating Application Security into a Software Development Process
Integrating Application Security into a Software Development Process
 
Incident Response and SAP Systems
Incident Response and SAP SystemsIncident Response and SAP Systems
Incident Response and SAP Systems
 
Short introduction to SAP security research (sitNL)
Short introduction to SAP security research (sitNL)Short introduction to SAP security research (sitNL)
Short introduction to SAP security research (sitNL)
 
Attacks Based on Security Configurations
Attacks Based on Security ConfigurationsAttacks Based on Security Configurations
Attacks Based on Security Configurations
 
Penetration Testing SAP Systems
Penetration Testing SAP SystemsPenetration Testing SAP Systems
Penetration Testing SAP Systems
 
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC) Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
 
SAST Code Security Advisor for SAP [Webinar]
SAST Code Security Advisor for SAP [Webinar]SAST Code Security Advisor for SAP [Webinar]
SAST Code Security Advisor for SAP [Webinar]
 
SAP Enterprise Threat Detection Overview
SAP Enterprise Threat Detection OverviewSAP Enterprise Threat Detection Overview
SAP Enterprise Threat Detection Overview
 
SAP NetWeaver Application Server Add-On for Code Vulnerability Analysis Overview
SAP NetWeaver Application Server Add-On for Code Vulnerability Analysis OverviewSAP NetWeaver Application Server Add-On for Code Vulnerability Analysis Overview
SAP NetWeaver Application Server Add-On for Code Vulnerability Analysis Overview
 
Onapsis SAP Backdoors
Onapsis SAP BackdoorsOnapsis SAP Backdoors
Onapsis SAP Backdoors
 
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
 
Exploiting Critical Attack Vectors to Gain Control of SAP Systems
Exploiting Critical Attack Vectors to Gain Control of SAP SystemsExploiting Critical Attack Vectors to Gain Control of SAP Systems
Exploiting Critical Attack Vectors to Gain Control of SAP Systems
 
Beyond PowerPlay: Choose the Right OLAP Tool for Your BI Environment (Cognos...
Beyond PowerPlay: Choose the Right OLAP Tool for Your BI Environment (Cognos... Beyond PowerPlay: Choose the Right OLAP Tool for Your BI Environment (Cognos...
Beyond PowerPlay: Choose the Right OLAP Tool for Your BI Environment (Cognos...
 
Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)
 
SAST Managed Services for SAP [Webinar]
SAST Managed Services for SAP [Webinar]SAST Managed Services for SAP [Webinar]
SAST Managed Services for SAP [Webinar]
 
SAP security made easy
SAP security made easySAP security made easy
SAP security made easy
 
Mobile pulse sept 2014
Mobile pulse sept 2014Mobile pulse sept 2014
Mobile pulse sept 2014
 

More from Achim D. Brucker

Usable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareUsable Security for Developers: A Nightmare
Usable Security for Developers: A Nightmare
Achim D. Brucker
 
Formalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and ProofFormalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and Proof
Achim D. Brucker
 
Combining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid AppsCombining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid Apps
Achim D. Brucker
 
The Evil Friend in Your Browser
The Evil Friend in Your BrowserThe Evil Friend in Your Browser
The Evil Friend in Your Browser
Achim D. Brucker
 
How to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure CodeHow to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure Code
Achim D. Brucker
 
Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...
Achim D. Brucker
 
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
Achim D. Brucker
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...
Achim D. Brucker
 
Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?
Achim D. Brucker
 
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records RevisitedEncoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Achim D. Brucker
 
A Framework for Secure Service Composition
A Framework for Secure Service CompositionA Framework for Secure Service Composition
A Framework for Secure Service Composition
Achim D. Brucker
 
Extending Access Control Models with Break-glass
Extending Access Control Models with Break-glassExtending Access Control Models with Break-glass
Extending Access Control Models with Break-glass
Achim D. Brucker
 

More from Achim D. Brucker (19)

Usable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareUsable Security for Developers: A Nightmare
Usable Security for Developers: A Nightmare
 
Formalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and ProofFormalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and Proof
 
Your (not so) smart TV is currently busy with taking down the Internet
Your (not so) smart TV is currently busy with taking down the InternetYour (not so) smart TV is currently busy with taking down the Internet
Your (not so) smart TV is currently busy with taking down the Internet
 
Combining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid AppsCombining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid Apps
 
The Evil Friend in Your Browser
The Evil Friend in Your BrowserThe Evil Friend in Your Browser
The Evil Friend in Your Browser
 
How to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure CodeHow to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure Code
 
Developing Secure Software: Experiences From an International Software Vendor
Developing Secure Software: Experiences From an International Software VendorDeveloping Secure Software: Experiences From an International Software Vendor
Developing Secure Software: Experiences From an International Software Vendor
 
Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...
 
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
 
Isabelle: Not Only a Proof Assistant
Isabelle: Not Only a Proof AssistantIsabelle: Not Only a Proof Assistant
Isabelle: Not Only a Proof Assistant
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...
 
Model-based Conformance Testing of Security Properties
Model-based Conformance Testing of Security PropertiesModel-based Conformance Testing of Security Properties
Model-based Conformance Testing of Security Properties
 
Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?
 
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records RevisitedEncoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
 
A Framework for Secure Service Composition
A Framework for Secure Service CompositionA Framework for Secure Service Composition
A Framework for Secure Service Composition
 
Extending Access Control Models with Break-glass
Extending Access Control Models with Break-glassExtending Access Control Models with Break-glass
Extending Access Control Models with Break-glass
 
Security in the Context of Business Processes: Thoughts from a System Vendor'...
Security in the Context of Business Processes: Thoughts from a System Vendor'...Security in the Context of Business Processes: Thoughts from a System Vendor'...
Security in the Context of Business Processes: Thoughts from a System Vendor'...
 

Recently uploaded

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Recently uploaded (20)

FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 

Deploying Static Application Security Testing on a Large Scale

  • 1. Deploying SAST on a Large Scale Achim D. Brucker joint work with Uwe Sodan {achim.brucker, uwe.sodan}@sap.com SAP AG, Germany
  • 2. Has Sony been Hacked this Week? http://hassonybeenhackedthisweek.com/ Time-line of the Sony Hack(s) (excerpt): 2011-04-20 Sony PSN goes down 2011-05-21 Sony BMG Greece: data 8300 users (SQL Injection) 2011-05-23 Sony Japanese database leaked (SQL Injection) 2011-05-24 Sony Canada: roughly 2,000 leaked (SQL Injection) 2011-06-05 Sony Pictures Russia (SQL Injection) 2011-06-06 Sony Portugal: SQL injection, iFrame injection and XSS 2011-06-20 20th breach within 2 months 177k email addresses were grabbed via a SQL injection (http://hassonybeenhackedthisweek.com/history) Consequences: • account data of close to 100 million individuals exposed • over 12 million credit and debit cards compromised • more than 55 class-action lawsuits • costs of $ 170 million only in 2011 © 2014 SAP AG. All Rights Reserved. Page 3 of 18
  • 3. A Bluffers Guide to SQL Injection • Assume an SQL Statement for selecting all users with “userName” from table “user” © 2014 SAP AG. All Rights Reserved. Page 4 of 18
  • 4. A Bluffers Guide to SQL Injection • Assume an SQL Statement for stmt = "SELECT * FROM ‘users‘ WHERE ‘name‘ = ’" + userName + "’;" © 2014 SAP AG. All Rights Reserved. Page 4 of 18
  • 5. A Bluffers Guide to SQL Injection • Assume an SQL Statement for stmt = "SELECT * FROM ‘users‘ WHERE ‘name‘ = ’" + userName + "’;" • What happens if we choose the following userName: userName = "’ or ’1’=’1" © 2014 SAP AG. All Rights Reserved. Page 4 of 18
  • 6. A Bluffers Guide to SQL Injection • Assume an SQL Statement for stmt = "SELECT * FROM ‘users‘ WHERE ‘name‘ = ’" + userName + "’;" • What happens if we choose the following userName: userName = "’ or ’1’=’1" • Resulting in the following statement: stmt = "SELECT * FROM ‘users‘ WHERE ‘name‘ = ’’ or ’1’=’1’;" © 2014 SAP AG. All Rights Reserved. Page 4 of 18
  • 7. A Bluffers Guide to SQL Injection • Assume an SQL Statement for stmt = "SELECT * FROM ‘users‘ WHERE ‘name‘ = ’" + userName + "’;" • What happens if we choose the following userName: userName = "’ or ’1’=’1" • Resulting in the following statement: stmt = "SELECT * FROM ‘users‘ WHERE ‘name‘ = ’’ or ’1’=’1’;" • Which is equivalent to stmt = "SELECT * FROM ‘users‘;" selecting the information of all users stored in the table ‘users’! © 2014 SAP AG. All Rights Reserved. Page 4 of 18
  • 8. Vulnerability types of CVE reports since 1999 Execute Code 28% Denial of Service 17% Overflow 12% XSS 11% SQL Injection 8% Gain Information 5% Bypass Something 4% Other 15% • Causes for most vulnerabilites are • programming errors • configuration errors • Patching is • expensive • may introduce new bugs How can we ensure that no vulnerable code is shipped? © 2014 SAP AG. All Rights Reserved. Page 5 of 18
  • 9. Finding Security Vulnerabilities © 2014 SAP AG. All Rights Reserved. Page 6 of 18
  • 10. Finding Security Vulnerabilities © 2014 SAP AG. All Rights Reserved. Page 6 of 18
  • 11. Evolution of Source Code • Increase in • code size • code complexity • number of products • product versions © 2014 SAP AG. All Rights Reserved. Page 7 of 18
  • 12. SAST as Part of SAP’s SDL © 2014 SAP AG. All Rights Reserved. Page 8 of 18
  • 13. SAST as Part of SAP’s SDL © 2014 SAP AG. All Rights Reserved. Page 8 of 18
  • 14. So Everything is Secure Now, Right? “ Our tool reports all vulnerabilities in your software – you only need to fix them and you are secure. Undisclosed sales engineer from a SAST tool vendor. © 2014 SAP AG. All Rights Reserved. Page 9 of 18
  • 15. So Everything is Secure Now, Right? “ Our tool reports all vulnerabilities in your software – you only need to fix them and you are secure. Undisclosed sales engineer from a SAST tool vendor. Yes, this tools exists! It is called Code Assurance Tool (cat): © 2014 SAP AG. All Rights Reserved. Page 9 of 18
  • 16. So Everything is Secure Now, Right? “ Our tool reports all vulnerabilities in your software – you only need to fix them and you are secure. Undisclosed sales engineer from a SAST tool vendor. Yes, this tools exists! It is called Code Assurance Tool (cat): • The cat tool reports each line, that might contain a vulnerability: © 2014 SAP AG. All Rights Reserved. Page 9 of 18
  • 17. So Everything is Secure Now, Right? “ Our tool reports all vulnerabilities in your software – you only need to fix them and you are secure. Undisclosed sales engineer from a SAST tool vendor. Yes, this tools exists! It is called Code Assurance Tool (cat): • The cat tool reports each line, that might contain a vulnerability: • It supports also a mode that reports no false positives: © 2014 SAP AG. All Rights Reserved. Page 9 of 18
  • 18. Continuous Improvements Further input channels: • Development teams • Internal research • Scan reviews • Code reviews • . . . © 2014 SAP AG. All Rights Reserved. Page 10 of 18
  • 19. SAST Solutions Applied at SAP ABAP 42% C/C++ 13% Java 30% JavaScript 7% Others 8% • Mandatory for all products • Multiple billions lines analyzed Language Tool Vendor ABAP CVA (SLIN_SEC) SAP C/C++ Coverity Coverity Others Fortify HP Other important pillars of SAP’s SDL: • Secure programming training’s • Pen tests on the final product In addition: • Own research (e.g., JS, Mobile) • Ongoing evaluation of • alternative tools and • complementary techniques. © 2014 SAP AG. All Rights Reserved. Page 11 of 18
  • 20. Open Issues • Estimating the risk of not fixing security issues is hard • How to prioritize security vs. functionality • In case of doubt, functionality wins • Pushing SAST across the software supply chain • Consumed software (OSS, third-party products) • SAP Customers, partners, and OEM products • Huge and hybrid multi-language applications • Client-server applications • Web-frameworks • Dynamic programming paradigms and languages • JavaScript, Ruby, etc. • Lack of standardized regression test suites • Different tools • Different versions of the same tool © 2014 SAP AG. All Rights Reserved. Page 12 of 18
  • 21. Lessons Learned: Recommendations (1/3) Follow the recommendations given by Chandra et al: • Start small • Start with one pilot • Succeed with pilot before larger roll-out • Go for the throat • Start with the main security threat • Appoint a champion • Identify a developer that knows all parts of the application • Make this developer your tool champion • Measure the outcome • Track and measure the generated data • Make it your own • Adapt the tool to your needs • SAST tools are not “off-the-shelf” products © 2014 SAP AG. All Rights Reserved. Page 13 of 18
  • 22. Lessons Learned: Recommendations (2/3) Based on our experiences, we add: • Plan and invest enough resources • Introducing SAST requires significant resources • Integration, Analysis, Education, . . . • Plan and invest enough infrastructure • If the tools are slow, nobody will use them • Do understand your developers as your friends • Do not follow the “security review” model • SAST tools should be understood as “debug tool” • Execute scans regularly • SAST is not a one-time effort © 2014 SAP AG. All Rights Reserved. Page 14 of 18
  • 23. Lessons Learned: Recommendations (3/3) • Plan your changes and updates • All changes to the tools might change the results • Do get support (and commitment) from your management • Introducing SAST will cost money and effort • Minimize the risk of discussing “security vs. features” • Do not stop here. • Introducing SAST is only the first step • Use complementary techniques, e.g., • Threat modeling • Dynamic testing tools • Penetration tests • . . . © 2014 SAP AG. All Rights Reserved. Page 15 of 18
  • 24. Conclusion “ You cannot pay people well enough, to do proper code audits. I tried it. Yaron Minsky, Jane Street Capital • We can confirm the results of Scandariato et al that show that SAST is the most effective and efficient security testing method • Embed your SAST efforts into a holistic security testing strategy © 2014 SAP AG. All Rights Reserved. Page 16 of 18
  • 26. Bibliography I Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit, March 2014. Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In gi Sicherheit 2014, Lecture Notes in Informatics. gi, March 2014. © 2014 SAP AG. All Rights Reserved. Page 18 of 18
  • 27. © 2014 SAP AG. All rights reserved No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG. This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice. SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence. The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages. © 2014 SAP AG. All Rights Reserved. Page 19 of 18