DIY Continuous Security

Building a security program for free

seceng.guide ·

Use ← → to navigate. Click the slide number to jump.

Agenda

Introductions

Who We Are
Who You Are
What is Continuous Security
What We’ll Be Covering

Labs

SAST & Exercises
DAST & Exercises
AI-assisted Code Review

Introductions

Why we created this workshop?

We’ve had to re-do this over and over again at different orgs.
Sharing tips we’ve learned over time.
We’ve struggled so you don’t have to!

What is Continuous Security?

You may have seen it referred to as “shifting left”

Generally it means the deeper you are in the Software Development Life Cycle (SDLC), the more expensive fixing a security vulnerability can be

Think about it in the simplest cases: a SQL injection is much easier to fix in the development phase compared to the maintenance phase

In the maintenance phase, the feature with the vulnerability may be harder to modify (e.g. backwards compatibility, deployed less often, etc) and will require incident response to make sure it wasn’t exploited
In the development phase, we haven’t progressed far enough for it to be a problem

The “continuous” part here refers to automation

By leaning on automation, you can “continuously” look for security issues with minimal effort on your part

Image: “Cost of Fixing Security Vulnerabilities Increases”

What is this workshop?

Our goal for this workshop is for you to build familiarity with the concepts of Continuous Security, not the tools. Of course, we’ll use the tools first to get a handle on what we’re doing, but that won’t be our focus.

The idea is for you to take these concepts and apply them to other contexts

We’ll be focusing on looking for bugs in our applications but you could just as easily apply the concepts here to any other security tool

We like the tools we recommend in this workshop, but each organization has their own needs and preferences.

This is what the “DIY” part of the DIY Continuous Security refers to: doing it yourself by selecting off-the-shelf open source tools that make the most sense for you, without having to depend on paid products to do everything for you.

Who’s this workshop for?

The intended audience for this workshop are

Appsec people looking to broaden their impact
Security consultants looking to go in house
Software engineers looking to bring security into their practices
Technical people looking to pivot into security engineering
The first security hire or engineer with similar responsibilities looking to establish a good baseline

This isn’t an exhaustive list — it’s just meant more so for assuming a baseline level of experience before we start jumping into workshops.

Feel free to interrupt to ask questions at any time. If there’s something that feels unclear or you run into an error, chances are you might not be the only one!

What will we be covering?

SAST: Static Application Security Testing

Automating application security code reviews

DAST: Dynamic Application Security Testing

Automating interacting the app to manually find vulnerabilities

SCA: Software Composition Analysis

Detecting out of date and vulnerable libraries

Secrets Detection

Looking for secrets like API keys and PII being pushed in code

AI-Assisted Code Review

Using Claude Code’s /security-review locally, then running it within CI as a GitHub Action

Getting started

Create a Github account if you don’t already have one
- Tell us your username so we can invite you to our organization
Install Docker
- docs.docker.com/desktop/setup/install/mac-install/
- docs.docker.com/desktop/setup/install/windows-install/
- Confirm it works by running these commands in your terminal
  - docker pull hello-world
  - docker run hello-world
Fork & clone seceng-sandbox/jester-social to your computer
- This will only work after being added to the Github organization
- No need to do anything with this code — we will be using it for labs later

We will be using the Github Web UI to make our code changes, so don’t worry about setting up a developer environment.

Part 2

Static Application Security Testing

(or, SAST for short)

What is Static Application Security Testing (SAST)?

Fundamentally, it’s automating the code review process

Not strictly from an application security perspective, but ours today will be

When performing an application security code review, you might ask questions like

Can I control the data that this function uses?
Is this function being used correctly? Does it pose any risk if not?
What will this function return?

SAST tools allow you to answer questions like these automatically, but faster and more efficiently.

SAST for Vulnerability Detection

Here’s a sample Python/Django API for getting information about an item
There’s a trivial SQL injection vulnerability here
We could have caught this manually by making sure everyone who writes code includes us on code reviews, but that’s pretty unrealistic

from django.urls import path
from django.http import JsonResponse
from django.db import connection

def item_view(request, item_id):
    with connection.cursor() as cursor:
        cursor.execute(f"SELECT * FROM store_item WHERE id = {item_id}")
        row = cursor.fetchone()

    if row:
        return JsonResponse({
            "id": row[0],
            "name": row[1],
            "price": row[2],
        })
    else:
        return JsonResponse({"error": "Item not found"}, status=404)

urlpatterns = [
    path("items/<item_id>/", item_view),
]

Enter Semgrep

Semgrep is an open source tool that can automatically detect many types of vulnerabilities in code

It covers more languages and frameworks than any one of us could all possibly be familiar with

These detections are made public as community maintained rules

Being able to write rules means we can write our own ones tailored to the codebases and organizations we work with

Let’s run Semgrep against the sample from before.

Image: Semgrep Logo

Running Semgrep

view_item.py
>> python.lang.security.audit.formatted-sql-query.formatted-sql-query
      Detected possible formatted SQL query. Use parameterized queries instead.
      Details: https://sg.run/EkWw

        7| cursor.execute(f"SELECT * FROM store_item WHERE id = {item_id}")

This is feedback that a developer can make sense of without us having to get involved!

It told us the line number, included a sample of the affected code, tells us what we might have done wrong and even makes a recommendation.

How is automating SAST useful?

It frees up time for us to work on other security problems

A lot of the questions asked during an application security code review are fundamentally simple questions
Having the basics covered for us means we can work on more complex, in-depth questions

It increases the impact you can have as a security practitioner

With the time freed up from doing code reviews, we can work on projects to address other security problems

It means you’re not the blocker for providing a baseline level of security

If your coworkers needed you to sign off on every piece of code that goes to production, they would hate you and your team ☹
You would hate it too — doing nothing but code reviews all week can be exhausting

But what are its limitations?

Like all automated tooling, SAST has its limitations.

We need to be aware of these limitations before going into this kind of work, or we risk wasting our time and annoying our coworkers.

SAST Tools Don’t Have Context

SAST tools can only find vulnerabilities they’re designed to look for; this may sound obvious but in practice this means they can only operate on context available in code

For example, if you’re looking at a piece of encryption code, SAST may complain that you’re using a weak algorithm or an improper configuration. However, if you were dealing with passwords, this feedback would be wrong. SAST tools typically cannot pick up on this and will not be able to recommend that you should be hashing instead.
More succinctly: SAST tools do not have the “product context” of your code and cannot determine its authors’ intentions.

SAST tools are meant to augment your capabilities — not replace them.

Cipher.getInstance("AES/ECB/NoPadding");

Cipher.getInstance("AES/GCM/NoPadding");

Static analysis tools can tell the difference between these, but will not be able to tell you that you should probably use something like bcrypt instead.

SAST Tools are False Positive Prone

Static analysis tools can have high false positive rates

Because they don’t have full context, they may not be able to tell that certain types of vulnerabilities are not relevant to you
Other detections may be overzealous and err on the side of caution way too often

Typically you will have some sort of “tuning” stage where you disable rules that are false positive prone

Specific to your organization
This step is crucial, otherwise you risk annoying your coworkers and training them to ignore all findings, including true positives!

Deploying Static Analysis Tools

For larger organizations and codebases, deploying a static analysis tool is more complicated than just installing it and walking away

The limitations we talked about will haunt your organization if you don’t take care of them early on

Any security tool — not just static analysis ones — need to be set up in such a way that maintenance and overhead is addressed ahead of time, otherwise you risk wasting time and effort

Maintenance can include things like modifying rules, adding new ones, and vendor updates