Abusing SAST tools! When scanners do more than just scanning

Presented at DEF CON 29 (2021), Aug. 6, 2021, 3 p.m. (45 minutes)

When we write code, we often run many scanners for different purposes on our code - from linters, to testing, security scanning, secret scanning, and more. Scanning the code occurs on developers' machines and in CI/CD pipelines, which assumes the code is untrusted and unverified and based on this assumption scanners shouldn't have the ability to dynamically run code. Our research focuses on the many static analyzers out there if this is really the case. Many of the scanners allow different ways of interaction - From requesting external resources, overriding the configuration and to remote code execution as part of the process.This talk will be technical and show examples of well-known scanning tools and how we created code that attacks them. TLDR - When integrating and using new tools in our CI systems and especially when running on unverified code, Which tools can we trust and how can we scan safe untrusted code in a secure way? REFERENCES: https://github.com/jonase/kibit/issues/235 - Issue I raised in the past in one of the tools Hiroki Suezawa in a thread in cloud security forum talked about exploiting terraform plan https://cloudsecurityforum.slack.com/archives/CNJKBFXMH/p1584035704035800 This reference was released after I've started my research but nevertheless a good resource and has interesting perspectives and I will reference it: https://alex.kaskaso.li/post/terraform-plan-rce

Presenters:

• Rotem Bar - Head of Marketplace Integrations @ Cider Security
  Rotem Bar has over a decade of experience in the security field including penetration testing both application and network, design reviews, code reviews, architecture reviews, tech management, and of course development. Over the years Rotem has gained experience in a diversity of industries from the financial services, to insurance, through high-tech & the automotive industry, along with other complex environments. In the last couple of years Rotem has been working in concept design and development, pen testing and working with hardware in Cymotive, which is a company that focuses on end to end cyber security for the automotive industry, and after that he served as an application security expert at AppsFlyer. Today Rotem is the Head of Marketplace Integrations at Cider Security, that is focusing on revolutionizing CI/CD security. During his free time, Rotem plays with robotics, bug-bounty and and enjoys traveling with his family. @rotembar www.rotem-bar.com

Links:

• https://defcon.org/html/defcon-29/dc-29-speakers.html#rbar
• https://infocon.org/cons/DEF CON/DEF CON 29/DEF CON 29 video and slides/DEF CON 29 - Rotem Bar - Abusing SAST tools When scanners do more than just scanning.mp4
• https://infocon.org/cons/DEF CON/DEF CON 29/DEF CON 29 presentations/Rotem Bar - Abusing SAST tools When scanners do more than just scanning.pdf (slides)
• https://infocon.org/cons/DEF CON/DEF CON 29/DEF CON 29 video and slides/DEF CON 29 - Rotem Bar - Abusing SAST tools When scanners do more than just scanning.srt (subtitles)
• https://www.youtube.com/watch?v=Jl-CU6G4Ofc

Similar Presentations:

• ShmooCon X (2014) / Closing Plenary Large Scale Network and Application Scanning
• AppSec USA 2015 / Security as Code: A New Frontier
• AppSec USA 2013 / Application Security: Everything we know is wrong