Security Workshop - Tools

Jacob Aae Mikkelsen

Updateable Dependencies

plugins {
  id 'com.github.ben-manes.versions' version '0.17.0'
}

./gradlew dependencyUpdates

------------------------------------------------------------
: Project Dependency Updates (report to plain text file)
------------------------------------------------------------

The following dependencies are using the latest milestone version:
 - org.grails.plugins:async:3.3.2
 - org.grails.plugins:events:3.3.2
 - com.github.ben-manes:gradle-versions-plugin:0.17.0
 - org.grails:grails-console:3.3.2
 - org.grails:grails-core:3.3.2
 - org.grails:grails-gradle-plugin:3.3.2
 - org.grails:grails-logging:3.3.2
 - org.grails:grails-plugin-databinding:3.3.2
 - org.grails:grails-plugin-i18n:3.3.2
 - org.grails:grails-plugin-rest:3.3.2
 - org.grails:grails-plugin-services:3.3.2
 - org.grails:grails-plugin-url-mappings:3.3.2
 - org.grails:grails-web-boot:3.3.2
 - com.h2database:h2:1.4.196
 - org.grails.plugins:hibernate5:6.1.8
 - gradle.plugin.com.energizedwork:idea-gradle-plugins:1.4
 - org.grails.plugins:scaffolding:3.4.1
 - org.springframework:springloaded:1.2.8.RELEASE

The following dependencies exceed the version found at the milestone revision level:
 - org.hibernate:hibernate-core [5.1.5.Final <- 4.3.11.Final]

The following dependencies have later milestone versions:
 - com.bertramlabs.plugins:asset-pipeline-gradle [2.14.6 -> 2.14.8]
 - com.bertramlabs.plugins:asset-pipeline-grails [2.14.6 -> 2.14.8]
 - io.methvin:directory-watcher [0.3.0 -> 0.5.0]
 - org.grails:grails-gorm-testing-support [1.1.3 -> 1.1.4]
 - org.grails:grails-web-testing-support [1.1.3 -> 1.1.4]
 - org.grails.plugins:gsp [3.3.0 -> 3.3.1]
 - javax.servlet:javax.servlet-api [3.1.0 -> 4.0.0]
 - org.springframework.boot:spring-boot-autoconfigure [1.5.8.RELEASE -> 2.0.0.RELEASE]
 - org.springframework.boot:spring-boot-starter-actuator [1.5.8.RELEASE -> 2.0.0.RELEASE]
 - org.springframework.boot:spring-boot-starter-logging [1.5.8.RELEASE -> 2.0.0.RELEASE]
 - org.springframework.boot:spring-boot-starter-tomcat [1.5.8.RELEASE -> 2.0.0.RELEASE]
 - org.apache.tomcat:tomcat-jdbc [8.5.23 -> 9.0.5]
 - org.grails.profiles:web [3.3.1 -> 3.3.2]
 - gradle.plugin.com.energizedwork.webdriver-binaries:webdriver-binaries-gradle-plugin [1.1 -> 1.4]

Failed to determine the latest version for the following dependencies (use --info for details):
 - org.glassfish.web:el-impl

Generated report file build/dependencyUpdates/report.txt

BUILD SUCCESSFUL

Total time: 1 mins 55.724 secs
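The plain-text report above has a stable layout (a heading per section, then one " - group:artifact [current -> latest]" line per entry), so a CI job can turn it into a gate that fails when the build has fallen behind. The POSIX shell script below is an added example, not part of the workshop slides or of the versions plugin itself; it embeds a constructed, trimmed copy of that report layout, and the function names (section_entries, list_outdated, list_unresolved, check_report) are mine. It assumes only what the output states: that the report is written to build/dependencyUpdates/report.txt.

```shell
#!/bin/sh
# CI gate over the plain-text report written by `./gradlew dependencyUpdates`
# to build/dependencyUpdates/report.txt. Added example; relies only on the
# report layout shown in the workshop output.

# Constructed sample report, trimmed to the sections the gate cares about.
SAMPLE_REPORT='------------------------------------------------------------
: Project Dependency Updates (report to plain text file)
------------------------------------------------------------

The following dependencies are using the latest milestone version:
 - org.grails:grails-core:3.3.2

The following dependencies exceed the version found at the milestone revision level:
 - org.hibernate:hibernate-core [5.1.5.Final <- 4.3.11.Final]

The following dependencies have later milestone versions:
 - javax.servlet:javax.servlet-api [3.1.0 -> 4.0.0]
 - org.apache.tomcat:tomcat-jdbc [8.5.23 -> 9.0.5]

Failed to determine the latest version for the following dependencies (use --info for details):
 - org.glassfish.web:el-impl

Generated report file build/dependencyUpdates/report.txt'

# section_entries HEADING: print the " - ..." entries of the section whose
# heading line starts with HEADING (report on stdin, one entry per line).
section_entries() {
  awk -v heading="$1" '
    index($0, heading) == 1 { sect = 1; next }   # entered the wanted section
    /^$/                    { sect = 0 }         # a blank line ends a section
    sect && /^ - /          { print }
  '
}

# list_outdated: "group:artifact current latest" for every dependency that
# has a newer milestone than the version declared in the build.
list_outdated() {
  section_entries 'The following dependencies have later milestone versions' |
    sed 's/[][]//g' | awk '{ print $2, $3, $5 }'
}

# list_unresolved: dependencies whose latest version could not be looked up
# (usually a repository that is not configured, or an artifact that moved).
list_unresolved() {
  section_entries 'Failed to determine the latest version' | awk '{ print $2 }'
}

# check_report FILE: print what needs attention and return 1 if anything
# does, so the CI job fails; return 0 when everything is current.
check_report() {
  outdated=$(list_outdated < "$1")
  unresolved=$(list_unresolved < "$1")
  status=0
  if [ -n "$outdated" ]; then
    echo "Newer versions available:"
    echo "$outdated" | sed 's/^/  /'
    status=1
  fi
  if [ -n "$unresolved" ]; then
    echo "Latest version could not be resolved (check repository configuration):"
    echo "$unresolved" | sed 's/^/  /'
    status=1
  fi
  return $status
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_REPORT" | list_outdated
```

Run `check_report build/dependencyUpdates/report.txt` right after `./gradlew dependencyUpdates` in the pipeline. Entries in the "exceed the version found" section (a declared version newer than the resolved milestone, as with hibernate-core in the report above) are deliberately not treated as outdated, and unresolved entries are reported separately: they usually mean a repository is missing from the build, not that the dependency is current, and silently skipping them would hide exactly the artifacts nobody is checking.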

Where Are They From

./gradlew dependencies
compile - Dependencies for source set 'main' (deprecated, use 'implementation ' instead).
+--- org.springframework.boot:spring-boot-starter-logging: -> 1.5.8.RELEASE
|    +--- ch.qos.logback:logback-classic:1.1.11
|    |    +--- ch.qos.logback:logback-core:1.1.11
|    |    \--- org.slf4j:slf4j-api:1.7.22 -> 1.7.25
|    +--- org.slf4j:jcl-over-slf4j:1.7.25
|    |    \--- org.slf4j:slf4j-api:1.7.25
|    +--- org.slf4j:jul-to-slf4j:1.7.25
|    |    \--- org.slf4j:slf4j-api:1.7.25
|    \--- org.slf4j:log4j-over-slf4j:1.7.25
|         \--- org.slf4j:slf4j-api:1.7.25
+--- org.springframework.boot:spring-boot-autoconfigure: -> 1.5.8.RELEASE
|    \--- org.springframework.boot:spring-boot:1.5.8.RELEASE
|         +--- org.springframework:spring-core:4.3.12.RELEASE
|         |    \--- commons-logging:commons-logging:1.2

Check for Known Vulnerabilities

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'org.owasp:dependency-check-gradle:3.1.1'
    }
}

apply plugin: 'org.owasp.dependencycheck'

./gradlew dependencyCheckAnalyze --info

The report is written to build/reports

OWASP Zed Attack Proxy Project

Important Features

  • Active and passive scanner

  • Spider

  • Report Generation

Proxy

Intercepting web requests

Example for Firefox

Simple Test

  • Configure Proxy for browser

  • Explore manually

  • Use Spider to find 'hidden' content

  • See what the passive scanner has found

  • Use active scanner

Other Features

Port Scanner

To check whether more ports are exposed than intended

API and Headless Mode

To include ZAP in an automated testing pipeline
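The manual "Simple Test" steps above (spider, check the passive scanner's findings, run the active scanner, generate a report) map one-to-one onto ZAP's HTTP API, which is what makes the headless mode usable in a pipeline. The POSIX shell script below is an added example, not from the slides or the ZAP project: it assumes a ZAP daemon started with `zap.sh -daemon -host 127.0.0.1 -port 8090 -config api.key=...`, curl on PATH, and the ZAP API endpoints spider/action/scan, spider/view/status, ascan/action/scan, ascan/view/status, core/view/alerts and core/other/htmlreport; the host, port and key defaults, the function names and the placeholder target URL are mine.

```shell
#!/bin/sh
# Added example: drive a headless ZAP daemon through its API so that
# spider -> passive scan -> active scan -> report runs in a CI job against
# the test deployment of your own application.
# Assumed environment (override via the variables below): ZAP started with
#   zap.sh -daemon -host 127.0.0.1 -port 8090 -config api.key="$ZAP_API_KEY"
ZAP_HOST="${ZAP_HOST:-127.0.0.1}"
ZAP_PORT="${ZAP_PORT:-8090}"
ZAP_API_KEY="${ZAP_API_KEY:-changeme}"

# zap_url FORMAT COMPONENT TYPE NAME: build an API URL, e.g.
# http://127.0.0.1:8090/JSON/spider/view/status/?apikey=changeme
zap_url() {
  printf 'http://%s:%s/%s/%s/%s/%s/?apikey=%s' \
    "$ZAP_HOST" "$ZAP_PORT" "$1" "$2" "$3" "$4" "$ZAP_API_KEY"
}

# zap_api FORMAT COMPONENT TYPE NAME [key=value]: call the API; the optional
# query parameter is URL-encoded by curl and appended with -G.
zap_api() {
  url=$(zap_url "$1" "$2" "$3" "$4")
  if [ $# -ge 5 ]; then
    curl -sS -G --data-urlencode "$5" "$url"
  else
    curl -sS "$url"
  fi
}

# json_value JSON KEY: first string value of KEY in a flat JSON object,
# enough for the {"scan":"0"} and {"status":"100"} replies used here.
json_value() {
  printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# count_risk ALERTS_JSON RISK: number of alerts in a core/view/alerts reply
# with the given risk level (High, Medium, Low, Informational).
count_risk() {
  printf '%s' "$1" | grep -o "\"risk\":\"$2\"" | wc -l | tr -d ' '
}

# zap_wait COMPONENT SCAN_ID: poll spider/ascan status until it reports 100;
# fail instead of looping forever when the daemon does not answer.
zap_wait() {
  while :; do
    status=$(json_value "$(zap_api JSON "$1" view status "scanId=$2")" status)
    [ -n "$status" ] || { echo "no reply from ZAP for $1 scan $2" >&2; return 1; }
    [ "$status" = 100 ] && return 0
    sleep 5
  done
}

# zap_pipeline TARGET_URL: the slide's manual steps, automated. Returns 1 when
# any High-risk alert was raised, so the CI job fails.
zap_pipeline() {
  target=$1
  # 1. Spider the application (the automated stand-in for browsing it through
  #    the proxy); the passive scanner inspects every response the spider fetches.
  spider_id=$(json_value "$(zap_api JSON spider action scan "url=$target")" scan)
  zap_wait spider "$spider_id" || return 1
  # 2. Active scan the URLs the spider discovered.
  ascan_id=$(json_value "$(zap_api JSON ascan action scan "url=$target")" scan)
  zap_wait ascan "$ascan_id" || return 1
  # 3. Collect the alerts and keep the HTML report as a build artifact.
  alerts=$(zap_api JSON core view alerts "baseurl=$target")
  zap_api OTHER core other htmlreport > zap-report.html
  high=$(count_risk "$alerts" High)
  echo "High-risk alerts: $high (details in zap-report.html)"
  [ "$high" -eq 0 ]
}

# Usage from a CI job (placeholder URL): zap_pipeline "https://staging.example.test/"
```

Point the pipeline at the application's own test deployment and archive zap-report.html with the build. Gating on High alone keeps the first runs green while the team triages Medium and Low findings from the report; tightening the threshold later is a one-word change in zap_pipeline.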

Thank You

Questions and Comments are welcome :)