Application Security
While building Security Phoenix we thought about sharing some of the open-source components we rely on, so that anyone can put together a custom arsenal of open-source vulnerability tooling.
Various Phases
It all starts with pen and paper.
I always like to start with a mind map of the various components; it might be old school, but it works and helps to focus.
What are the components of the framework?
*) Enumeration/Reconnaissance - in this phase you list the various components of an application: web sources, APIs, etc.
Then you start the merry-go-round:
Static code analyser - you look at the source and flag insecure patterns, from simple regular-expression matches up to data-flow rules, to separate the good from the bad
Dependency-Check - this gives you software composition analysis: an inventory of the third-party libraries in the build, matched against known vulnerabilities (CVEs)
Code relationships - again, this is about how the code and the libraries depend on each other
Cloud Assessment - this is an extra component if you have a cloud deployment
Network assessment - there are multiple options here (from Nmap to Nettacker); it really depends on how deep you want to go
Web/API assessment - here you test the running application, scripting requests or injecting payloads into what is sent to the web frontend (Burp Suite and OWASP ZAP are the usual names in this space)
Vulnerability Managers - there are not many aggregators that pull all of the above into one place, which is why we created Security Phoenix https://www.nsc42.co.uk/securityphoenix
Intelligence framework - this is an extra step if you want to integrate a threat feed/scanner into the project
The core arsenal
*) Enumeration/Reconnaissance
1) Static code analyser - https://github.com/ShiftLeftSecurity/sast-scan
2) Dependency-Check - https://github.com/jeremylong/DependencyCheck
3) Code relationships - https://github.com/crubier/code-to-graph
4) Cloud Assessment - Prowler - https://github.com/toniblyx/prowler
5) Network assessment - Nettacker - https://github.com/zdresearch/OWASP-Nettacker
*) Vulnerability Scanner/Management - Security Phoenix - https://landing.nsc42.com/register-phoenix
6) Intelligence framework - https://github.com/intelowlproject/IntelOwl
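The aggregator step (one place that takes the output of every tool in the arsenal and lets you triage it together) can be sketched in a few dozen lines. The block below is an added example written for this post; it is not Security Phoenix code nor code from any of the projects listed above. It normalises Bandit (SAST), OWASP Dependency-Check (SCA) and Prowler v2 (cloud) JSON output into one finding schema, de-duplicates repeated findings and sorts them highest severity first. The sample reports are constructed; the field names follow the JSON those tools emitted at the time of writing and are an assumption to verify against your own output, the Prowler keys in particular.

```python
"""Normalise findings from several open-source scanners into one schema.

Added example (not Security Phoenix or scanner code). The sample reports
are constructed; field names mirror Bandit, Dependency-Check and Prowler v2
JSON output as known at the time of writing (assumption: check your versions).
"""
import json
from dataclasses import asdict, dataclass
from typing import Iterable, List

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFO": 0}


@dataclass(frozen=True)
class Finding:
    source: str     # which tool produced it
    severity: str   # normalised to a SEVERITY_RANK key
    title: str
    location: str   # file:line, dependency file name, or cloud region
    reference: str  # CVE id, Bandit test id, or Prowler control id


def _norm_sev(value) -> str:
    """Tools disagree on case and vocabulary; collapse everything to our keys."""
    value = (value or "INFO").upper()
    return value if value in SEVERITY_RANK else "INFO"


def parse_bandit(report: dict) -> List[Finding]:
    # `bandit -f json`: findings live under "results"
    return [Finding("bandit", _norm_sev(r["issue_severity"]), r["issue_text"],
                    f'{r["filename"]}:{r["line_number"]}', r["test_id"])
            for r in report.get("results", [])]


def parse_dependency_check(report: dict) -> List[Finding]:
    # `dependency-check -f JSON`: one entry per dependency, each with its CVE list
    out = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            out.append(Finding("dependency-check", _norm_sev(vuln.get("severity")),
                               (vuln.get("description") or "")[:80],
                               dep["fileName"], vuln["name"]))
    return out


def parse_prowler(lines: Iterable[str]) -> List[Finding]:
    # Prowler v2 `-M json`: one JSON object per line; only FAIL rows are findings
    out = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("Status") != "FAIL":
            continue
        out.append(Finding("prowler", _norm_sev(rec.get("Severity")), rec["Control"],
                           rec.get("Region", "global"), rec["Control ID"]))
    return out


def aggregate(*finding_lists: List[Finding]) -> List[Finding]:
    """Merge all tools, drop exact duplicates, sort highest severity first."""
    merged = {f for lst in finding_lists for f in lst}
    return sorted(merged, key=lambda f: (-SEVERITY_RANK[f.severity], f.source, f.reference))


# Constructed sample reports (shape follows each tool's JSON output).
BANDIT_SAMPLE = {"results": [
    {"filename": "app/views.py", "line_number": 42, "issue_severity": "HIGH", "test_id": "B608",
     "issue_text": "Possible SQL injection vector through string-based query construction."},
    {"filename": "app/util.py", "line_number": 7, "issue_severity": "LOW", "test_id": "B404",
     "issue_text": "Consider possible security implications associated with subprocess module."},
]}
DEPCHECK_SAMPLE = {"dependencies": [
    {"fileName": "struts2-core-2.3.31.jar", "vulnerabilities": [
        {"name": "CVE-2017-5638", "severity": "CRITICAL",
         "description": "The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 "
                        "and 2.5.x before 2.5.10.1 allows remote command execution via a "
                        "crafted Content-Type header."}]},
    {"fileName": "commons-lang3-3.9.jar"},   # clean dependency: no "vulnerabilities" key
]}
PROWLER_SAMPLE = [
    json.dumps({"Control ID": "2.1", "Status": "FAIL", "Severity": "High", "Region": "us-east-1",
                "Control": "[check21] Ensure CloudTrail is enabled in all regions"}),
    json.dumps({"Control ID": "1.4", "Status": "PASS", "Severity": "Medium", "Region": "us-east-1",
                "Control": "[check14] Ensure access keys are rotated every 90 days or less"}),
]


def run_sample() -> List[Finding]:
    return aggregate(parse_bandit(BANDIT_SAMPLE),
                     parse_dependency_check(DEPCHECK_SAMPLE),
                     parse_prowler(PROWLER_SAMPLE))


if __name__ == "__main__":
    for finding in run_sample():
        print(json.dumps(asdict(finding)))
```

Each parser is a few lines, so adding Nettacker or ZAP output is a matter of writing one more function that returns `Finding` objects; everything downstream (de-duplication, ranking, export) stays the same, which is the whole point of having an aggregator in the middle of the merry-go-round.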
Some of the tools available
Network vulnerability assessment
Website crawlers:
> DNS scan: https://github.com/rbsec/dnscan (wordlist-based DNS subdomain discovery)
Vuls - https://vuls.io/ (agentless vulnerability scanner for Linux/FreeBSD hosts)
h4cker - https://h4cker.org (reference collection of tools and resources)
Network vulnerability build:
This could be a set of tools you launch from a central location using a VM or Docker images, so that every scan is started and its results collected the same way.
Idea for the build: www.seccubus.com (schedules scanners and reports the delta between runs)
3) Cloud Assessment - Prowler - https://github.com/toniblyx/prowler - you can script both the launch and the collection of scan results
4) Network assessment - Nettacker - https://github.com/zdresearch/OWASP-Nettacker
Specialisation - code analysis (sub section)
There are many open-source analysers in the wild, but most of them are specialised in one or two languages.
Good reference: https://github.com/analysis-tools-dev/static-analysis - an index of code analysers
- Python - Bandit - Bandit is a comprehensive source vulnerability scanner for Python (it works on the AST, not on raw text)
- Ruby - Brakeman - Brakeman is an open-source vulnerability scanner specifically designed for Ruby on Rails applications
Dawnscanner - Dawnscanner is an open-source security source code analyser for Ruby, supporting major MVC frameworks like Ruby on Rails, Padrino and Sinatra. It also works on non-web applications written in Ruby.
- Java - Yasca - https://github.com/scovetta/yasca
- C - Flawfinder - scans C and C++ for calls to risky functions
VisualCodeGrepper - https://sourceforge.net/projects/visualcodegrepp/ (multi-language, including C/C++ and Java)
- PHP - RIPS - a static source code analyser for vulnerabilities in PHP web applications
- SonarQube - scans source code in 15 languages for bugs, vulnerabilities and code smells. SonarQube IDE plugins for Eclipse, Visual Studio and IntelliJ are provided by SonarLint.
HCL AppScan CodeSweep - this is the first Community edition of AppScan. It is delivered as a VS Code plugin and scans files when you save them. The results show the location of a finding, its type and remediation advice. The tool currently supports Python, Ruby, JS (Node, Angular, jQuery, etc.), PHP, Perl, COBOL, APEX and a few more.
OWASP tools for code analysis
Software - Language(s)
OWASP Code Crawler - .NET, Java
OWASP Orizon Project - Java
OWASP LAPSE Project - Java
OWASP O2 Platform - (none listed)
OWASP WAP - Web Application Protection - PHP
- Also, a full list here: https://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html
- Full list of open-source code analysers: https://owasp.org/www-community/controls/Static_Code_Analysis
Specialisation - AWS-specific assessments
A list of different tools that you can deploy to test AWS infrastructure. Remember to check AWS's penetration testing policy, and fill out the request form where it is still required, before doing active testing like this.
1. prowler - Tool based on AWS-CLI commands for AWS account hardening, following guidelines of the CIS Amazon Web Services Foundations Benchmark (https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf)
2. nccgroup/Scout2 - Security auditing tool for AWS environments (since superseded by nccgroup/ScoutSuite, which also covers Azure and GCP)
3. cloudsploit/scans - AWS security scanning checks
4. Amazon Inspector - https://aws.amazon.com/inspector/ (AWS's own vulnerability assessment service)
5. Netflix/security_monkey - Security Monkey monitors your AWS and GCP accounts for policy changes and alerts on insecure configurations
6. Aardvark - Aardvark is a multi-account AWS IAM Access Advisor API
7. Repokid - AWS Least Privilege for Distributed, High-Velocity Deployment
8. DenizParlak/Zeus - AWS Auditing & Hardening Tool http://www.denizparlak.com/?p=386
9. Nimbostratus - Tools for fingerprinting and exploiting Amazon cloud infrastructures (the project page also links a video presentation and an intro blog post)
10. Bucket Finder - A fairly simple tool to run: all it requires is a wordlist, and it will check each word to see whether a bucket of that name exists in Amazon S3. For any bucket it finds, it checks whether the bucket is public, private or a redirect.
11. Toni's (toniblyx) mega list of AWS tools: https://github.com/toniblyx/my-arsenal-of-aws-security-tools
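The check Bucket Finder performs is simple enough to write yourself, which also makes it easier to wire into the rest of the arsenal. The block below is an added example for this post, not Bucket Finder's own code. It takes a wordlist, requests each syntactically valid bucket name from S3 and classifies the answer using the status codes and error bodies S3 returns (404 NoSuchBucket, 200 ListBucketResult, 403 AccessDenied, 301 PermanentRedirect). The path-style URL is an assumption made to avoid TLS name mismatches on dotted bucket names. The HTTP transport is injected, so the sample run uses constructed responses and works offline; the bucket names in the sample wordlist are made up, and `live_fetch` is what you would pass in for a real run against names you are authorised to test.

```python
"""S3 bucket enumeration in the style of Bucket Finder.

Added example, not Bucket Finder's own code. For each candidate name it
requests the bucket and classifies S3's answer as nonexistent, public,
private or redirect. The transport is injectable so the sample run below
works offline against constructed responses.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Tuple

# Path-style URL (assumption: sidesteps TLS name mismatch for dotted names);
# a bucket homed in another region answers 301 PermanentRedirect here.
S3_URL = "https://s3.amazonaws.com/{name}/"
# S3 naming rules: 3-63 chars, lowercase letters, digits, dots, hyphens,
# starting and ending with a letter or digit. Invalid names are never sent.
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")

Response = Tuple[int, str]  # (HTTP status, response body)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 301/307 as HTTPError instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def live_fetch(url: str, timeout: float = 5.0) -> Response:
    """Real transport: GET the URL and return status and body for any status."""
    req = urllib.request.Request(url, headers={"User-Agent": "bucket-check"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(status: int, body: str) -> str:
    """Map S3's response to the states Bucket Finder reports."""
    if status == 404 and "NoSuchBucket" in body:
        return "nonexistent"
    if status == 200 and "ListBucketResult" in body:
        return "public"       # anonymous listing is allowed
    if status == 403:
        return "private"      # bucket exists; AccessDenied or AllAccessDisabled
    if status in (301, 307) or "PermanentRedirect" in body:
        return "redirect"     # bucket exists, but in another region
    return "unknown(%d)" % status


def enumerate_buckets(words: Iterable[str],
                      fetch: Callable[[str], Response] = live_fetch) -> Dict[str, str]:
    """Check every syntactically valid, de-duplicated name from the wordlist."""
    results: Dict[str, str] = {}
    for word in words:
        name = word.strip().lower()
        if not BUCKET_NAME_RE.match(name) or name in results:
            continue  # invalid bucket name, or already checked
        status, body = fetch(S3_URL.format(name=name))
        results[name] = classify(status, body)
    return results


# Constructed responses for the offline run; bodies hold only the S3 markers
# the classifier looks at. Bucket names here are made up.
FAKE_S3 = {
    S3_URL.format(name="acme-backups"): (200, "<ListBucketResult><Name>acme-backups</Name></ListBucketResult>"),
    S3_URL.format(name="acme-internal"): (403, "<Error><Code>AccessDenied</Code></Error>"),
    S3_URL.format(name="acme-eu-logs"): (301, "<Error><Code>PermanentRedirect</Code></Error>"),
}
NOT_FOUND = (404, "<Error><Code>NoSuchBucket</Code></Error>")


def fake_fetch(url: str) -> Response:
    return FAKE_S3.get(url, NOT_FOUND)


# Constructed wordlist: includes a duplicate (case only) and a too-short name.
SAMPLE_WORDLIST = ["acme-backups", "Acme-Backups", "acme-internal",
                   "acme-eu-logs", "ab", "zz-nothing-here"]


def run_sample() -> Dict[str, str]:
    return enumerate_buckets(SAMPLE_WORDLIST, fetch=fake_fetch)


if __name__ == "__main__":
    for name, state in run_sample().items():
        print(f"{state:12} {name}")
```

Two details matter in practice: redirects must not be followed automatically, otherwise a bucket in another region is reported as whatever the redirect target returns rather than as "redirect"; and a 403 still means the name is taken, which is the signal you want when enumerating a company's naming scheme.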
Others:
https://github.com/ehrishirajsharma/Swiftness - note taking for the vulnerabilities you find during testing
This concludes the list for now, but I'll continue updating it.