Burp Suite Azure Devops

Bryan Burman, July 10, 2019. Application Security, DevOps.

Burp Suite is my go-to tool for performing penetration tests against web applications. I was recently asked if it was possible to integrate Burp into a development pipeline, so that a development team could automatically audit a web application that was in development.

With everyone moving to a DevOps and Agile mentality, it is more important than ever to implement security checks and scans in your DevOps pipelines. In this post I will go through several tools and scenarios which I have tested and used.

In this blog post we will be investigating four Azure DevOps extensions which are available in the Marketplace. These extensions can help you improve security within your CI/CD pipelines.

Pipeline Security Overview

Microsoft Security Code Analysis

  • This extension is available through Microsoft Unified Support Services.
  • Pricing is per Azure DevOps instance per year. This extension is fairly pricey, but provides good value if you are a large organization.
  • It includes 6 different tools, 5 of which are included in the per year pricing:
    • Credential Scanner
      • Find credentials in source code.
    • BinSkim
      • Cutting edge binary static analysis.
    • TSLint
      • Security rules for TypeScript.
    • Roslyn Analyzers
      • .NET managed code analysis.
    • Microsoft Security Risk Detection
      • Binary fuzzing, which is a technique of passing random data to software in an attempt to find errors and security holes.
      • Separate onboarding process: it is not 'plug-and-play' like the other tasks in this extension.
      • Pricing is based on subscription length.
      • Pricing for this can be for 1, 2, or 3 months at a time or for a full year.
      • This is an expensive service.
    • Anti-Malware Scanner
      • Run Defender on your build artifacts to find malware.
  • Some of these tools, like BinSkim and TSLint, are open source and available online. You could in theory manage them yourself in a pipeline; Microsoft's extension simplifies their usage.
  • There is a 2-week trial available through Microsoft for this extension, so you can try before you buy. The extension is hidden in the Marketplace by default, so you won't be able to see it until you are on-boarded.

Recommended Pattern

Using the recommended pattern will perform all of the scans, with the exception of Risk Detection.

Artifacts and Report

Here is an example of some output artifacts, including the Microsoft Security Analysis Report which is highlighted.

The report can be sent to the pipeline console, a TSV file, or an HTML file. When publishing your results, you can send them to Azure DevOps or to a file share.

SonarCloud


SonarCloud is the big brother of SonarQube, a very popular product; both are used for Continuous Code Quality. It supports a wide range of programming languages. SonarCloud improves code quality and security by finding bugs and vulnerabilities in your code.

SonarCloud, as the name states, is for the cloud, whereas SonarQube is for on-premises. Since SonarCloud is a cloud-based service, you don't need to stand up any server infrastructure as you do with SonarQube.

When you configure the Service Connection for SonarCloud in Azure DevOps, you provide a token which is generated through the SonarCloud portal.

By default SonarCloud will scan all branches and all pull requests. You can also integrate SonarCloud into Branch Policies so there is build validation within your pull requests.

Pricing

There are currently two pricing options available. SonarCloud is free for all public projects (open source public repositories).

For private projects (private repositories), pricing is based on the number of lines of code to scan per month. There is a good plan and pricing breakdown on their website.

SonarCloud offers a 14 day trial for private projects.

Free Labs

There are a couple of free labs available from Microsoft to get you up to speed with SonarCloud.

  1. Microsoft Learn for setting up SonarCloud in an Azure Pipeline.

OWASP ZAP Scanner


OWASP ZAP is recommended by Microsoft as a continuous security validation tool that can be added to the CI/CD pipeline.

The OWASP ZAP Scanner Azure DevOps extension can be used to perform penetration testing within your pipelines. It can scan URL endpoints as well as detached containers. It is available for free.

During my testing I determined that this extension uses the owasp/zap2docker-stable Docker image rather than owasp/zap2docker-weekly, which I prefer. owasp/zap2docker-stable is updated less frequently, so it may not have the latest updates.

Keep in mind that there is no support for authentication with this extension. If you need to scan your web app as an authenticated user, use OWASP Zed Attack Proxy itself, which supports authentication where the other mechanisms do not: install OWASP Zed Attack Proxy on a virtual machine in Azure, create the necessary contexts, and then use the OWASP Zed Attack Proxy Scan Azure DevOps extension within your CI/CD pipelines to point at your OWASP Zed Attack Proxy endpoint and context.

Sample Process

Keep in mind this is an example and can be adapted for any CI/CD pipeline.

  1. Developer writes/updates code for web app and submits pull request.
  2. Code is reviewed and approved. (assuming this is the gating process for said application)
  3. Build pipeline is triggered, completes the build.
  4. Release pipeline is triggered based on continuous deployment trigger.
  5. Release pipeline deploys the code to an App Service in Azure as an example.
  6. OWASP ZAP Scanner DevOps Extension is activated to run an automated scan against the website.
  7. If any checks are failed, results are shown on the Tests tab of the pipeline job.

Release Pipeline

In our example we will create a release pipeline with continuous deployment enabled. The pipeline will do the following:

  • Deploy our CI build to Microsoft Azure App Service.
  • Perform penetration testing using the OWASP ZAP Scanner extension to scan the URL for vulnerabilities.
  • Attach any failures to the Tests tab of the pipeline job.
  1. Add your build artifact(s) and the Deploy Web App and Run OWASP Scan stages to your release pipeline; it should look something like this.
  2. Add the necessary tasks to the Run OWASP Scan stage. Tasks 2-4 are related to reporting, and details can be found in the extension documentation.

ZAP Scanner

  • Task Type: OWASP Zap Scanner
  • Scan Type: Targeted Scan
  • Root URL to begin crawling: https://www.yourdomainhere.com

owasp nunit template

  • Task Type: Bash
  • Type: Inline
  • Run this task: Even if a previous task has failed, even if the deployment was canceled
  • Script:

generate nunit type file

  • Task Type: Bash
  • Type: Inline
  • Run this task: Even if a previous task has failed, even if the deployment was canceled
  • Script:

Publish Test Results owaspzap/test-results.xml

  • Task Type: Publish Test Results
  • Test result format: NUnit
  • Test results files: owaspzap/test-results.xml
  • Run this task: Even if a previous task has failed, even if the deployment was canceled
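
The two Bash tasks above (owasp nunit template, generate nunit type file) exist to turn the ZAP report into something the Publish Test Results task can read as NUnit, so that failures land on the Tests tab; the same reporting step closes the containerized pipeline later in this post. As an added example that is not the extension's own template, the script below does that conversion in Python: it parses ZAP's traditional XML report layout (site/alerts/alertitem) and writes an NUnit 2 test-results file with one test case per alert, failed when the alert's risk meets a threshold. The sample report embedded in it is constructed, the path report.xml is an assumption, and only the output path owaspzap/test-results.xml comes from the post.

```python
"""Convert an OWASP ZAP XML report into NUnit 2 results for Azure DevOps.

Added example, not the extension's own template. Assumes ZAP's traditional
XML report layout (<site><alerts><alertitem>...) and emits the NUnit 2
'test-results' schema that the Publish Test Results task accepts.
"""
import sys
import xml.etree.ElementTree as ET

# ZAP <riskcode> values: 0 Informational, 1 Low, 2 Medium, 3 High
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
RISK_CODES = {name: code for code, name in RISK_NAMES.items()}

# Constructed sample in ZAP's traditional XML shape; not output of a real scan.
SAMPLE_ZAP_XML = """<?xml version="1.0"?>
<OWASPZAPReport version="2.x" generated="constructed">
 <site name="https://www.yourdomainhere.com" host="www.yourdomainhere.com" port="443" ssl="true">
  <alerts>
   <alertitem>
    <pluginid>10020</pluginid>
    <alert>X-Frame-Options Header Not Set</alert>
    <riskcode>2</riskcode>
    <riskdesc>Medium (Medium)</riskdesc>
    <desc>X-Frame-Options header is not included in the HTTP response.</desc>
    <instances>
     <instance><uri>https://www.yourdomainhere.com/</uri><method>GET</method><param>X-Frame-Options</param></instance>
     <instance><uri>https://www.yourdomainhere.com/Home/Privacy</uri><method>GET</method><param>X-Frame-Options</param></instance>
    </instances>
    <solution>Set X-Frame-Options to DENY or SAMEORIGIN on every page.</solution>
    <cweid>16</cweid>
   </alertitem>
   <alertitem>
    <pluginid>10021</pluginid>
    <alert>X-Content-Type-Options Header Missing</alert>
    <riskcode>1</riskcode>
    <riskdesc>Low (Medium)</riskdesc>
    <desc>The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.</desc>
    <instances>
     <instance><uri>https://www.yourdomainhere.com/css/site.css</uri><method>GET</method><param>X-Content-Type-Options</param></instance>
    </instances>
    <solution>Send X-Content-Type-Options: nosniff on all responses.</solution>
    <cweid>16</cweid>
   </alertitem>
  </alerts>
 </site>
</OWASPZAPReport>
"""


def parse_zap_report(xml_text):
    """Flatten every <alertitem> of every <site> into a dict with its instances."""
    alerts = []
    for site in ET.fromstring(xml_text).findall("site"):
        for item in site.findall("alerts/alertitem"):
            alerts.append({
                "site": site.get("name", ""),
                "pluginid": item.findtext("pluginid", ""),
                "name": item.findtext("alert", ""),
                "risk": int(item.findtext("riskcode", "0")),
                "desc": (item.findtext("desc") or "").strip(),
                "solution": (item.findtext("solution") or "").strip(),
                "cweid": item.findtext("cweid", ""),
                "instances": [{"uri": i.findtext("uri", ""), "method": i.findtext("method", ""),
                               "param": i.findtext("param", "")}
                              for i in item.findall("instances/instance")],
            })
    return alerts


def summarize(alerts):
    """Count alerts per risk level, like the 'Summary of Alerts' table in a ZAP report."""
    counts = {name: 0 for name in RISK_NAMES.values()}
    for alert in alerts:
        counts[RISK_NAMES[alert["risk"]]] += 1
    return counts


def to_nunit(alerts, fail_at="Medium"):
    """Emit NUnit 2 XML: one test-case per alert, failed when its risk >= fail_at."""
    threshold = RISK_CODES[fail_at]
    failed = [a for a in alerts if a["risk"] >= threshold]
    root = ET.Element("test-results", {
        "name": "OWASP ZAP Scan", "total": str(len(alerts)), "errors": "0",
        "failures": str(len(failed)), "not-run": "0", "inconclusive": "0",
        "ignored": "0", "skipped": "0", "invalid": "0"})
    suite = ET.SubElement(root, "test-suite", {
        "type": "Assembly", "name": "OWASP ZAP Scan", "executed": "True",
        "success": str(not failed), "result": "Failure" if failed else "Success"})
    results = ET.SubElement(suite, "results")
    for a in alerts:
        is_fail = a["risk"] >= threshold
        case = ET.SubElement(results, "test-case", {
            "name": f"[{RISK_NAMES[a['risk']]}] {a['name']} ({a['site']})",
            "executed": "True", "success": str(not is_fail),
            "result": "Failure" if is_fail else "Success", "time": "0"})
        if is_fail:  # the failure message is what shows up on the Tests tab
            failure = ET.SubElement(case, "failure")
            ET.SubElement(failure, "message").text = f"{a['desc']}\nSolution: {a['solution']}"
            ET.SubElement(failure, "stack-trace").text = "\n".join(
                f"{i['method']} {i['uri']} (param: {i['param']})" for i in a["instances"])
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Usage: python3 zap_to_nunit.py report.xml owaspzap/test-results.xml [Medium]
    # With no arguments, converts the constructed sample and prints it.
    if len(sys.argv) >= 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            xml_in = fh.read()
        level = sys.argv[3] if len(sys.argv) > 3 else "Medium"
        with open(sys.argv[2], "w", encoding="utf-8") as out:
            out.write(to_nunit(parse_zap_report(xml_in), level))
    else:
        print(to_nunit(parse_zap_report(SAMPLE_ZAP_XML)))
```

Run from the second Bash task as `python3 zap_to_nunit.py report.xml owaspzap/test-results.xml`, then the Publish Test Results task picks the file up with the NUnit format. The third argument is the risk level at which an alert becomes a failed test; raising it to High keeps Low and Medium alerts visible on the Tests tab as passed cases without failing the release.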
Sample Output


Sample Containerized Application Process

Keep in mind this is an example and can be adapted for any CI/CD pipeline.

  1. Developer writes/updates code for containerized application and submits pull request.
  2. Code is reviewed and approved. (assuming this is the gating process for said application)
  3. Build pipeline is triggered.
  4. The container image is built using the Dockerfile.
  5. The image is run as a locally detached container.
  6. OWASP ZAP Scanner DevOps Extension is activated to run an automated scan against the container.
  7. If any checks are failed, results are shown on the Tests tab of the pipeline job.

Build Pipeline

In our example we will create a build pipeline. The pipeline will do the following:

  • Build a docker container image from source.
  • Perform penetration testing using the OWASP ZAP Scanner extension to scan our container for vulnerabilities.
  • Attach any failures to the Tests tab of the pipeline job.

Some items to keep in mind:

  • The container must be run in detached mode.
  • The extension documentation states: 'By default, the Scan Type used is Scan on Agent. This type of scan is beneficial in pipelines for containerized applications'. However, I found that using 'Scan on Agent' did not work in my scenario; it kept trying to scan an IP address that was not associated with any running container.
Sample Output


Sample Report

Summary of Alerts

  Risk Level      Number of Alerts
  High            0
  Medium          1
  Low             3
  Informational   0

Medium (Medium): X-Frame-Options Header Not Set

Description: X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

  • URL: https://lj-devsecops.azurewebsites.net/Home/Privacy (Method: GET, Parameter: X-Frame-Options)
  • URL: https://lj-devsecops.azurewebsites.net (Method: GET, Parameter: X-Frame-Options)
  • URL: https://lj-devsecops.azurewebsites.net/ (Method: GET, Parameter: X-Frame-Options)

Instances: 3
Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id: 16
WASC Id: 15
Source ID: 3

Low (Medium): Web Browser XSS Protection Not Enabled

Description: Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server.

  • URL: https://lj-devsecops.azurewebsites.net/Home/Privacy (Method: GET, Parameter: X-XSS-Protection)
  • URL: https://lj-devsecops.azurewebsites.net/ (Method: GET, Parameter: X-XSS-Protection)
  • URL: https://lj-devsecops.azurewebsites.net (Method: GET, Parameter: X-XSS-Protection)

Instances: 3
Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Other information

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following values would disable it:

X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/

CWE Id: 933
WASC Id: 14
Source ID: 3

Low (Medium): Incomplete or No Cache-control and Pragma HTTP Header Set

Description: The cache-control and pragma HTTP headers have not been set properly or are missing, allowing the browser and proxies to cache content.

  • URL: https://lj-devsecops.azurewebsites.net/Home/Privacy (Method: GET, Parameter: Cache-Control)
  • URL: https://lj-devsecops.azurewebsites.net/css/site.css (Method: GET, Parameter: Cache-Control)
  • URL: https://lj-devsecops.azurewebsites.net/ (Method: GET, Parameter: Cache-Control)
  • URL: https://lj-devsecops.azurewebsites.net (Method: GET, Parameter: Cache-Control)

Instances: 4
Solution

Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id: 525
WASC Id: 13
Source ID: 3

Low (Medium): X-Content-Type-Options Header Missing

Description: The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

  • URL: https://lj-devsecops.azurewebsites.net/css/site.css (Method: GET, Parameter: X-Content-Type-Options)
  • URL: https://lj-devsecops.azurewebsites.net/Home/Privacy (Method: GET, Parameter: X-Content-Type-Options)
  • URL: https://lj-devsecops.azurewebsites.net/js/site.js?v=4q1jwFhaPaZgr8WAUSrux6hAuh0XDg9kPS3xIVq36I0 (Method: GET, Parameter: X-Content-Type-Options)
  • URL: https://lj-devsecops.azurewebsites.net (Method: GET, Parameter: X-Content-Type-Options)
  • URL: https://lj-devsecops.azurewebsites.net/ (Method: GET, Parameter: X-Content-Type-Options)

Instances: 5
Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At 'High' threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id: 16
WASC Id: 15
Source ID: 3
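
All four findings in the sample report are passive checks on response headers, and each Solution section above states the exact value ZAP wants. As an added example that is not ZAP's own rule code, the script below reproduces those four conditions so a deployment can be checked (and a build gated) without rerunning the scanner: it audits a header dictionary, folds header names to lower case because HTTP header names are case-insensitive, and only raises the framing and XSS-filter findings for the text-based content types the report says they apply to. The header sets are constructed, not captured from any real site. One caveat on the X-XSS-Protection rule: Chrome and Edge have since removed their XSS auditor, so that header no longer protects their users even though the 2019 report asks for it.

```python
"""Check a response's headers against the four findings in the sample ZAP report.

Added example, not ZAP's own passive-scan rules: it reproduces the header
conditions those rules describe so a deployment can be gated on them.
"""

TEXT_TYPES = ("text/", "application/json", "application/javascript", "application/xml")
REQUIRED_CACHE_DIRECTIVES = {"no-cache", "no-store", "must-revalidate"}
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def audit_headers(headers, content_type="text/html"):
    """Return [(risk, finding), ...] in report order; empty when every check passes.

    HTTP header names are case-insensitive, so keys are folded before lookup.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    ctype = content_type.lower()
    is_html = ctype.startswith("text/html")
    text_body = ctype.startswith(TEXT_TYPES)
    findings = []

    # Clickjacking: framing protection is reported for HTML documents.
    if is_html and h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(("Medium", "X-Frame-Options Header Not Set"))

    # ZAP raises this only for text-based bodies. Chrome and Edge have since
    # removed their XSS auditor, so the header no longer protects their users.
    if text_body and not h.get("x-xss-protection", "").startswith("1"):
        findings.append(("Low", "Web Browser XSS Protection Not Enabled"))

    # Report's solution: Cache-Control no-cache, no-store, must-revalidate plus Pragma: no-cache.
    directives = {d.strip().lower() for d in h.get("cache-control", "").split(",")}
    if not REQUIRED_CACHE_DIRECTIVES <= directives or h.get("pragma", "").lower() != "no-cache":
        findings.append(("Low", "Incomplete or No Cache-control and Pragma HTTP Header Set"))

    # MIME sniffing applies to every response, static assets and error pages included.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("Low", "X-Content-Type-Options Header Missing"))
    return findings


def should_fail_build(findings, fail_at="Medium"):
    """Gate like the scanner's threshold: fail when any finding is at or above fail_at."""
    return any(RISK_ORDER[risk] >= RISK_ORDER[fail_at] for risk, _ in findings)


# Constructed header sets; not captured from any real site.
WEAK_HEADERS = {"Content-Type": "text/html; charset=utf-8", "Server": "Kestrel"}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "Cache-Control": "no-cache, no-store, must-revalidate",
    "Pragma": "no-cache",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        found = audit_headers(hdrs)
        print(f"{label}: {len(found)} finding(s), fail build: {should_fail_build(found)}")
        for risk, name in found:
            print(f"  [{risk}] {name}")
```

The weak set reproduces the report's four alerts; the hardened set reproduces the four Solution sections and produces none. Pass the response's actual Content-Type as the second argument when auditing static assets such as site.css, since the framing check does not apply to them while the nosniff and caching checks still do.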

WhiteSource Bolt

WhiteSource Bolt is an extension for Azure DevOps that looks for open source components in your software, without scanning the code.

When added to your build pipeline, it provides real time alerts for outdated and vulnerable open source components. It also provides feedback on the licensing for the open source components that are found. Suggested solutions are provided for issues that are flagged.

After installing the extension you will need to provide additional registration details for the project.

The WhiteSource Bolt reporting console is available from the Pipelines menu within Azure DevOps.

WhiteSource Bolt should be added to your build pipeline to scan the repository for open source files, with any build steps (e.g. npm) preceding it.

Pricing

  • WhiteSource Bolt can be used free of charge but is limited to 5 scans per day per repository.
  • Pricing is not black and white, but it starts at ~$4000 for an annual license.
  • The annual license gives you these additional features:
    • Manage your entire pipeline, including your binary repositories, package managers, build tools and CI servers.
    • Enforce policies automatically to approve, reject, reassign or even open an issue ticket to get full control and automate current manual time-consuming tracking and approval processes.
    • Prioritization tool that can reduce 70% of all security alerts by usage analysis (effective usage analysis).
    • Unlimited number of scans available.

Build Pipeline

This basic build pipeline will scan your project with WhiteSource Bolt.

Reporting

The report can be exported to JSON, Excel, PDF and HTML.

Azure Portal

There is the ability to exclude files/folders and add additional folders to scan.

Keep in mind that some flagged results may be false positives; do your due diligence to confirm each one.

Sample Report