
Protection and Verification of Security Design Flaws

Marcus Pinto, Roberto Velasco at Spring I/O 2017

Software vulnerabilities come in two basic flavors: security bugs and design flaws.

Security bugs, such as the well-known SQL Injection and Cross-site Scripting vulnerabilities, are coding errors. Because they all follow the same specific patterns, automated tools can detect them easily and even report the file and line where the bug was found, which makes them simple for software developers to resolve.
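To illustrate why pattern-following security bugs are the easy case for tooling, here is an added example (not code from the talk, from PetClinic or from any scanner the speakers use): a small pattern-based scanner in Python that walks Java source text, flags SQL string concatenation and unescaped request parameters rendered into HTML, and reports each finding as file:line. The two Java files are constructed samples; the `HtmlUtils.htmlEscape` call in the safe variant is Spring's real utility, and the "taint" tracking is deliberately simplified to a per-file set of variable names assigned from `getParameter`.

```python
import re
from typing import Dict, List, Set, Tuple

# (rule, file path, line number, offending source line)
Finding = Tuple[str, str, int, str]

# Constructed sample Java sources (hypothetical; not from PetClinic or the talk).
SAMPLE_FILES: Dict[str, str] = {
    "OwnerRepository.java": """\
public class OwnerRepository {
    public List<Owner> findByName(String name) {
        String sql = "SELECT * FROM owners WHERE last_name = '" + name + "'";
        return jdbc.query(sql, rowMapper);
    }
    public List<Owner> findById(int id) {
        return jdbc.query("SELECT * FROM owners WHERE id = ?", rowMapper, id);
    }
}
""",
    "OwnerView.java": """\
public class OwnerView {
    public String render(HttpServletRequest req) {
        String who = req.getParameter("name");
        return "<h1>Hello " + who + "</h1>";
    }
    public String renderSafe(HttpServletRequest req) {
        String who = req.getParameter("name");
        return "<h1>Hello " + HtmlUtils.htmlEscape(who) + "</h1>";
    }
}
""",
}

# A string literal containing an SQL keyword that is immediately concatenated with "+".
SQL_CONCAT = re.compile(r'"[^"]*\b(?:SELECT|INSERT|UPDATE|DELETE)\b[^"]*"\s*\+')
# A local variable assigned directly from a request parameter (the taint source).
TAINT_SOURCE = re.compile(r'(\w+)\s*=\s*\w+\.getParameter\(')
# An HTML literal concatenated with a bare identifier (the sink); captures the identifier.
HTML_SINK = re.compile(r'"<[^"]*"\s*\+\s*(\w+)')


def scan_file(path: str, source: str) -> List[Finding]:
    """Scan one Java file's text and return findings with 1-based line numbers."""
    findings: List[Finding] = []
    tainted: Set[str] = set()  # simplification: taint is tracked per file, not per method
    for lineno, line in enumerate(source.splitlines(), start=1):
        if SQL_CONCAT.search(line):
            findings.append(("SQL_INJECTION", path, lineno, line.strip()))
        src = TAINT_SOURCE.search(line)
        if src:
            tainted.add(src.group(1))
        sink = HTML_SINK.search(line)
        # Only flag when the identifier glued into the HTML is one we saw come from a request.
        # HtmlUtils.htmlEscape(who) captures "HtmlUtils", which is never tainted, so it passes.
        if sink and sink.group(1) in tainted:
            findings.append(("XSS", path, lineno, line.strip()))
    return findings


def scan(files: Dict[str, str]) -> List[Finding]:
    """Scan every file in a {path: source} mapping, preserving file order."""
    out: List[Finding] = []
    for path, source in files.items():
        out.extend(scan_file(path, source))
    return out


def report(findings: List[Finding]) -> str:
    """Format findings the way a developer expects them: file:line: RULE: code."""
    return "\n".join(f"{path}:{lineno}: {rule}: {code}" for rule, path, lineno, code in findings)


if __name__ == "__main__":
    print(report(scan(SAMPLE_FILES)))
```

Running it prints two findings, `OwnerRepository.java:3` for the concatenated query and `OwnerView.java:4` for the unescaped parameter, while the parameterised query on line 7 and the escaped rendering on line 8 stay quiet. That is the whole point of the paragraph above: the bug is local to a line and matches a syntactic pattern. A design flaw, by contrast, is typically a decision that is absent, so there is no line for a regex to match, which is why the talk treats the two classes differently.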

However, half of all software-related security issues cannot be detected by tools.

They are design flaws embedded in software and only a person who is familiar with the scope of the web application can identify such vulnerabilities. Until now, they had to be detected manually through pentesting, often resulting in the wholesale redesign of the application architecture.

This represents a huge problem for any business or organization, not only due to the economic cost, but more importantly because of the impact on time to market of applications.

So, what can we do to solve this problem?

This talk presents a solution to protect applications against design flaws and verify them automatically with application security architecture and testing tools working together for the first time.

Taking a practical approach, this talk walks through examples built on the Spring reference applications (PetClinic) based on Spring MVC and Spring REST, using well-known pentesting tools such as Burp.