Quote

"Between stimulus and response there is a space. In that space is our power to choose our response.
In our response lies our growth and freedom"


“The only way to discover the limits of the possible is to go beyond them into the impossible.”


Thursday 11 December 2014

Static or Dynamic Security? How to Prioritize Between SAST or DAST?



When it comes to picking a security testing strategy there are multiple options and players with varied recommendations. One of the dilemmas is which of the two testing strategies to choose: static or dynamic, commonly known as SAST and DAST.

The ideal way is obviously to have both, but budget, technology and delivery considerations might throw up questions such as:

Which one to choose first? Which is more effective and needed?

Well, the answers to these questions will obviously depend on the unique conditions of the project, domain and organization, but knowing the defining aspects of SAST and DAST will help relate them to your circumstances.

SAST: Static Application Security Testing

As the name suggests, SAST is concerned with static analysis of the application and finds vulnerabilities in the source code, the binary or the byte code. A running system is not required for vulnerability assessment with this technique. The advantages of this technique are:

ADVANTAGES of Using SAST

  • Get to know the security flaws while the code is being developed
  • Do not need a deployment environment to perform security testing
  • Earliest possible detection of security flaws
  • Encourages use of secure coding practices in organizations
  • Enables identification of the root cause of security issues
  • Enables identification of developers following secure coding practices
  • Ideal for the development phase

While it may seem that SAST is perfect, it has its limitations, most of which are addressed by dynamic application security testing.

DAST: Dynamic Application Security Testing

The dynamic application security testing technique aims at identifying security vulnerabilities in the runtime environment. It finds vulnerabilities by emulating the behaviour of an attacker against the application when it is fully deployed and running. This technique does not look at the source code or the binary to assess vulnerabilities in the application. The advantages of this technique are as follows:

ADVANTAGES of Using DAST

  • Simulates attacker behaviour
  • Finds vulnerabilities created by gaps in deployment
  • Can find flaws in business logic
  • Capable of detecting vulnerabilities in third-party libraries
  • Code submission is not needed
  • Comparatively lower in cost
  • Easier to adopt

Since DAST is not tied to the development cycle it generally does not provide valuable feedback for infusing security into the development process. It is more of a preventive technique rather than one that makes building secure applications part of the organizational DNA. It is also difficult to trace a threat or vulnerability it reports back to the exact location in the code.

False Positives

A common issue with both techniques is false positives. Minimizing the false positives returned by either technique remains a challenge, though as the security testing group matures they are more easily identified. Most SAST and DAST tools let users customize them in order to disable or modify the rules that return false positives.

SAST and DAST Both Needed

DAST, being the relatively cheaper and quicker option, should always be used before production deployment. This certifies the strength of the application against actual attacker threats. SAST usage, on the other hand, enhances development practices in terms of application security and addresses most issues at the root. Fixes for vulnerabilities found using SAST are relatively easy to identify most of the time. The two techniques complement each other and address threats at different levels.

NoClassDefFoundError on Missing selenium-server-standalone JAR

Adding selenium-java-x.xx.x.jar makes it look like all is well and the script is ready to run. However, when we run the program the following error is returned:
 
Exception in thread "main" java.lang.NoClassDefFoundError: com/google/common/base/Function

The error is returned because selenium-server-standalone-x.xx.x.jar is missing from the class/build path. If you are using Eclipse, add selenium-server-standalone-x.xx.x.jar to the project libraries using the following steps:

  1. Right Click on the project
  2. Click Properties
  3. Click on Java Build Path
  4. Click on the Libraries tab
  5. Click on Add External JARs...
  6. Navigate to the directory with 'selenium-server-standalone-x.xx.x.jar'
  7. Select the file and click Open
  8. Click Ok

Now run the script and the "Exception in thread "main" java.lang.NoClassDefFoundError: com/google/common/base/Function" error will be gone.

Thursday 13 November 2014

Managing the Ever Increasing Stack of Passwords



As per a recent analysis, 73 percent of people use the same password for accessing multiple sites, the average number of characters in a password is 6, and it takes around 3 minutes to crack an average password.

Remembering passwords is becoming increasingly difficult with the ever increasing number of online functions and tasks. Growing consumer inclination towards, and confidence in, online shopping, banking, travel and so on has led to a heap of passwords. On the professional front, as most offices are already computerized, you have another set of passwords to remember, such as the Windows network logon, the official e-mail account, your website's FTP password, online passwords (like website member accounts), and so on. The list is endless. From office to home to travel you need them all the time. Not only do you need to remember passwords, you also need to keep them strong and change them from time to time.

Some use a common password for access to different systems, but this carries the risk that if the common password is compromised then every resource from e-mail to bank account can be compromised with it. So while it is a recommended practice to keep a unique password for each system, that again leaves us with the difficult task of managing a plethora of passwords.

Using Password Managers

One of the solutions to this problem is the use of password manager applications such as KeePass and LastPass. KeePass is a free, open source password manager which helps you manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file, so you only have to remember one master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish). LastPass is another password manager which offers free as well as paid services for individual and enterprise password management.

Using a Private Pattern

Relying on another application or a password manager is good, but what about the cases when that system is down or unavailable? Or what about the case when the password to the password manager is compromised? Any data that is stored, no matter how strong the encryption or how safe the place, is vulnerable. To date the human brain is the safest place to store data, provided we can pull it out accurately when needed.

A solution to this problem is creating a pattern for generating a unique password for each site. All we need to remember is the pattern. An example of a pattern suggested by a leading security expert is to split the password into two parts: the first component is fixed and the second component depends on the domain name of the site you are accessing.

It is important to make the first, fixed part 7 to 8 characters long and as complex as you can remember, for example 1BeEradE.

Once you have decided on the fixed part, all you need to do is create a pattern based on the domain name of the site to be accessed. The pattern can be of your choice, for example incrementing or decrementing the first three or last three characters of the domain name. Let us say we need to access Flipkart.com and our pattern is to pick the letter following each of the first three characters of the site name. So our password for Flipkart.com will be 1BeEradEgmj, and our password for snapdeal.com will be 1BeEradEtob.
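The scheme described above, as an added Java example (not code from the post): shiftPattern implements the post's pattern, shifting the first three letters of the domain forward by one and appending them to the fixed part, and so reproduces the post's 1BeEradEgmj for Flipkart.com and 1BeEradEtob for snapdeal.com. Because that suffix can be read straight off the domain name once the pattern is known, the block also shows hmacPattern, an alternative of my own (not suggested by the post) that derives the site-specific part with HMAC-SHA-256 keyed by the fixed part; unlike the letter shift, its output does not expose the pattern, though the fixed part still needs to be long enough to resist offline guessing from a leaked password. The class and method names are hypothetical and the fixed part is the post's own sample value.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example: two ways of deriving a per-site password from one memorised secret.
public class PatternPasswords {

    // The memorised, fixed component from the post (sample value, not a real secret).
    static final String FIXED = "1BeEradE";

    /** Returns the part of the domain before the first dot, lower-cased. */
    static String siteName(String domain) {
        return domain.toLowerCase().split("\\.")[0];
    }

    /**
     * The post's pattern: take the first three letters of the site name and
     * replace each with the following letter of the alphabet ('z' wraps to 'a').
     */
    static String shiftPattern(String domain) {
        String host = siteName(domain);
        StringBuilder suffix = new StringBuilder();
        for (int i = 0; i < 3 && i < host.length(); i++) {
            char c = host.charAt(i);
            if (c >= 'a' && c <= 'z') {
                suffix.append((char) ('a' + (c - 'a' + 1) % 26));
            } else {
                suffix.append(c); // digits and hyphens are kept unchanged
            }
        }
        return FIXED + suffix;
    }

    /**
     * Keyed alternative (my addition): HMAC-SHA-256 over the lower-cased domain,
     * keyed with the fixed part, truncated to 16 Base64 characters. The per-site
     * part is still deterministic, but cannot be derived from the domain alone.
     */
    static String hmacPattern(String domain) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(FIXED.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        byte[] tag = mac.doFinal(domain.toLowerCase().getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().withoutPadding().encodeToString(tag).substring(0, 16);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        for (String site : new String[] { "Flipkart.com", "snapdeal.com" }) {
            System.out.println(site + " shift pattern: " + shiftPattern(site));
            System.out.println(site + " keyed pattern: " + hmacPattern(site));
        }
    }
}
```

Compile and run with javac PatternPasswords.java and java PatternPasswords; the shift pattern output for the two sites matches the values given in the post.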

Using this technique we can remember the password to any site we access, as all we need to remember is ONE fixed password and a secret pattern. Wish you happy and safe browsing!

Wednesday 5 November 2014

Fixing missing HttpServlet class in Web Project

The javax.servlet.http.HttpServlet class is part of the javax package and so may not be directly available on the CLASSPATH. Adding JSP pages that invoke the javax classes will then result in an error such as: "The superclass was not found on the java build path".

To fix this, the javax packages can be included from the application server being used. If you are using Eclipse, perform the following steps to get over this error:

1) Right click the project root folder

2) Click on properties to open the properties dialogue

3) Click on Java Build Path

4) Select the Libraries tab

5) Click on Add Libraries button to open the 'Add Libraries' dialogue

6) Select 'Server Runtime' and click next

7) Select the application server and click finish

Friday 8 August 2014

How to look at application security, Top-Down or Bottom-Up?


As a software professional I have been drawn to application security more than once in my career, purely out of interest, as none of my assignments held me directly responsible for application security.

The more I tried to understand the subject top-down, the more slippery and complex it appeared. After many slips I realized it is a subject better understood bottom-up. You need to first understand a specific vulnerability in a piece of code and how it can be exploited by attackers. Then keep running through the list of vulnerabilities and break them down one by one.

Once you have worked out the individual vulnerabilities you need to connect the dots to see the holistic framework of application security. I personally found this approach less fuzzy than trawling through endless definitions, tools, tips and tricks.

So let us begin with some vulnerable pieces of code and analyze them to see how they can be exploited.

Code Block 1:


// request is the incoming HttpServletRequest; the parameter value is fully attacker-controlled
String objectCount = request.getParameter("ObjCount");
int numObjCount = Integer.parseInt(objectCount);
ObjectArray[] arrayofObjects = new ObjectArray[numObjCount];

This code works fine functionally and should not cause an issue until an attacker exploits it to build a huge array whose size is determined by a request parameter. A huge number passed in the parameter that determines the array size can exhaust the available memory and consequently lead to a DoS (Denial of Service) type of attack.

A simple check denies an attacker the ability to exploit the vulnerability:

String objectCount = request.getParameter("ObjCount");
int numObjCount = Integer.parseInt(objectCount);
ObjectArray[] arrayofObjects = null;
// allocate only when the requested size is non-negative and within the limit the application sets
if (numObjCount >= 0 && numObjCount <= protectedAcceptableNo) {
    arrayofObjects = new ObjectArray[numObjCount];
}

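The bound check above, carried a little further as an added Java example (not the post's code): a parser for the ObjCount parameter that rejects a missing value, a non-numeric value, a value outside the int range, a negative size and a size above an application-chosen limit, so that allocation only ever happens with a validated number. The class name, MAX_OBJECTS and parseObjectCount are hypothetical names chosen for this example.

```java
import java.util.Optional;

// Added example: validate a request-controlled count before using it as an array size.
public class BoundedAllocation {

    /** Upper bound the application is willing to allocate for a single request (assumed value). */
    static final int MAX_OBJECTS = 1000;

    /**
     * Parses the raw "ObjCount" parameter value. Returns empty when the value is missing,
     * not an integer, beyond the int range, negative, or larger than MAX_OBJECTS; the caller
     * should then reject the request rather than fall back to a caller-chosen size.
     */
    static Optional<Integer> parseObjectCount(String raw) {
        if (raw == null || raw.trim().isEmpty()) {
            return Optional.empty();
        }
        int n;
        try {
            n = Integer.parseInt(raw.trim()); // throws for "abc" and for values that overflow int
        } catch (NumberFormatException e) {
            return Optional.empty();
        }
        if (n < 0 || n > MAX_OBJECTS) {       // negative array size or more than we allow
            return Optional.empty();
        }
        return Optional.of(n);
    }

    /** Allocates only after the bound check has passed; otherwise rejects the input. */
    static Object[] allocate(String raw) {
        int n = parseObjectCount(raw)
                .orElseThrow(() -> new IllegalArgumentException("ObjCount missing or out of range"));
        return new Object[n];
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a valid count, int max, negative, non-numeric, overflow, missing
        String[] samples = { "10", "2147483647", "-1", "abc", "99999999999", null };
        for (String s : samples) {
            String verdict = parseObjectCount(s).map(n -> "accepted " + n).orElse("rejected");
            System.out.println(s + " -> " + verdict);
        }
    }
}
```

Only "10" is accepted with the limit shown; a servlet would map the rejected cases to an HTTP 400 response instead of allocating anything.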

Code Block 2:



class CustomerDAO {

    … …

    public void createCustomer(CustInfo cust)
            throws CustCreationException {

        … …

        try {
            Connection conn = DAOFactory.getConnection();
            CallableStatement calStmt = conn.prepareCall(…);

            … …

            calStmt.executeUpdate();
            calStmt.close();
            conn.close();   // only reached when nothing above throws
        } catch (java.sql.SQLException e) {
            throw new CustCreationException(...);
        }
    }
}

As we can see in the code block above, the connection is closed inside the try block. If a SQLException occurs before the close() call, the connection is never closed. If an attacker learns of this vulnerability, they can exploit it by sending multiple requests that result in SQLExceptions and thereby exhaust the connection pool. A small change makes the code resilient to such attacks.

class CustomerDAO {

    … …

    public void createCustomer(CustInfo cust)
            throws CustCreationException {

        … …

        Connection conn = null;   // declared outside the try so the finally block can reach it
        try {
            conn = DAOFactory.getConnection();
            CallableStatement calStmt = conn.prepareCall(…);

            … …

            calStmt.executeUpdate();
            calStmt.close();
        } catch (java.sql.SQLException e) {
            throw new CustCreationException(...);
        } finally {
            // runs on both the normal and the exception path, so the connection always returns to the pool
            if (conn != null) {
                try {
                    conn.close();
                } catch (java.sql.SQLException e) { /* ignored */ }
            }
        }
    }
}
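To make the difference between the two CustomerDAO versions observable without a database, here is an added Java example (not the post's code) that models a fixed-size connection pool with a Semaphore. leakyCreate mirrors the first version, where close() is only reached on the success path, and safeCreate mirrors the fix using try-with-resources, which closes the connection on every path. remainingAfterFailures sends a series of requests that all fail and reports how many pool connections are still free afterwards. Every class and method name here is hypothetical, and Conn is a stand-in for java.sql.Connection, not the real one.

```java
import java.util.concurrent.Semaphore;
import java.util.concurrent.TimeUnit;

// Added example: a toy connection pool showing why a close() that can be skipped exhausts the pool.
public class PoolExhaustionDemo {

    /** Hypothetical pool with a fixed number of connections, modelled with a Semaphore. */
    static final class Pool {
        private final Semaphore permits;
        Pool(int size) { permits = new Semaphore(size); }

        /** Returns a connection, or null if none becomes free within the wait time. */
        Conn acquire(long waitMs) throws InterruptedException {
            return permits.tryAcquire(waitMs, TimeUnit.MILLISECONDS) ? new Conn(this) : null;
        }
        int available() { return permits.availablePermits(); }
    }

    /** Stand-in for java.sql.Connection: AutoCloseable so try-with-resources can close it. */
    static final class Conn implements AutoCloseable {
        private final Pool owner;
        private boolean closed;
        Conn(Pool owner) { this.owner = owner; }

        /** Simulates the executeUpdate() call; fails with an exception when asked to. */
        void executeUpdate(boolean fail) throws Exception {
            if (fail) throw new Exception("simulated SQLException");
        }
        @Override public void close() {
            if (!closed) { closed = true; owner.permits.release(); }
        }
    }

    /** Mirrors the post's vulnerable DAO: close() is only reached if executeUpdate() succeeds. */
    static void leakyCreate(Pool pool, boolean fail) throws Exception {
        Conn conn = pool.acquire(10);
        if (conn == null) throw new IllegalStateException("pool exhausted");
        conn.executeUpdate(fail);
        conn.close();
    }

    /** Mirrors the post's fix with try-with-resources, which closes on success and on exception. */
    static void safeCreate(Pool pool, boolean fail) throws Exception {
        try (Conn conn = pool.acquire(10)) {
            if (conn == null) throw new IllegalStateException("pool exhausted");
            conn.executeUpdate(fail);
        }
    }

    interface Create { void run(Pool pool, boolean fail) throws Exception; }

    /** Runs the given DAO method for a number of failing requests and returns the free connections left. */
    static int remainingAfterFailures(Create dao, int poolSize, int failingRequests) throws Exception {
        Pool pool = new Pool(poolSize);
        for (int i = 0; i < failingRequests; i++) {
            try {
                dao.run(pool, true);
            } catch (Exception e) {
                // the real DAO would wrap this in CustCreationException; the request simply fails
            }
        }
        return pool.available();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("leaky DAO, free connections after 5 failing requests: "
                + remainingAfterFailures(PoolExhaustionDemo::leakyCreate, 5, 5));
        System.out.println("fixed DAO, free connections after 5 failing requests: "
                + remainingAfterFailures(PoolExhaustionDemo::safeCreate, 5, 5));
    }
}
```

With a pool of five, the leaky version leaves no free connections after five failing requests and every later request fails with "pool exhausted", while the try-with-resources version leaves all five free. In monitoring terms, a pool whose active-connection count climbs and never falls while error rates rise is the signal to look for.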

The above two examples show how gaps in code can be used to perpetrate DoS type attacks on an application. In subsequent posts I will try to bring more vulnerable code examples to demonstrate different types of security threats. However, the main point I wanted to make is this: an application security risk mitigation or contingency plan is better prepared using a bottom-up approach than a top-down one.

Monday 12 May 2014

What is Transaction Banking All About?

Transaction Banking Definition:

Transaction Banking is a set of compliant products, processes and systems to enable core banking functions such as cash and securities management, trade finance, payments, collections, documentary credits etc.

Customer Vs Bank Perspective

From a bank customer's perspective it is the ability to perform banking functions, such as cash control, investment, trade, etc. From the bank's or organization's perspective, however, it might be a vertical, a product or a set of products and services that enable bank customers to perform banking functions and so help increase the bank's business and profitability.

The core function of a transaction banking unit is to develop, procure, implement and streamline the systems that enable the customer's core transaction requirements, such as payments, collections, documentary credits, etc.

Different Verticals

Transaction Banking can be categorized into various groups depending on what market requirement it is catering to, such as:

-- Trade Finance (Domestic and international trade transactions)
-- Documentary Credits (Letters of Credit, Bankers Guarantee)
-- Documentary Collections
-- Financial Services (Investment, Stocks, Banking, Insurance)
-- Cash management
-- Investment Services

Summary

Thus we can say that transaction banking allows efficient, compliant and safe movement and management of cash and securities around the global financial system. Depending on the bank and market requirements it may include providing institutional cash management services, facilitating trade finance deals, and providing securities processing and agency services to retail and business customers.

Monday 14 April 2014

Fixing Step Download Timeout Error in LoadRunner

While working with LoadRunner to create load generation scripts we might encounter the following error:

Error -27726: Step download timeout (120 seconds) has expired

This error is returned when the timeout (which defaults to 120 seconds) limit is exceeded. This might happen due to network latency or slow response from the application.

To get over this you can increase the timeout limit. Open the LoadRunner VuGen screen and press the F4 key to open the Run-Time Settings screen. Alternatively, click Replay --> Run-Time Settings on the menu bar.

1) Click Preferences under Internet Protocol

2) Click Options on the Preferences screen to open the Advanced Options dialogue

3) Scroll down to the Step download timeout (sec) section and set the timeout value to the desired level, as shown in the image below.



Thursday 27 March 2014

Fixing missing files in Oracle 12c installation



Oracle 12c has a pretty dumb way of packaging the installer into two zip files along with the instruction to extract the two zip files into one directory. This is commonly misunderstood as putting the winx64_12c_database_1of2 directory and the winx64_12c_database_2of2 directory into one directory, say oracle. This is also encouraged by the default settings of common extraction tools such as WinZip.

However, after following this instruction, when the installation is started using setup.exe the following error is returned:





Files such as dr0ulib.sql.sbs are reported by the installer as not found. To solve this you need to do the following:

1) Abort the current installer

2) Open the winx64_12c_database_2of2 directory, navigate to ..\winx64_12c_database_2of2\database\stage\Components and copy all the files

3) Paste all files to the following location ..\winx64_12c_database_1of2\database\stage\Components

Now run the setup.exe as admin and follow the instructions to complete the installation without error.