DIY security audits - half a year later

#security Jun 2, 2019 2 min Mike Kowalski

At the end of 2018, I had the pleasure of giving a talk at Testwarez - the oldest testing-oriented conference organized in Poland. The recording recently appeared on YouTube, so I decided to take this opportunity to figure out what has changed over the past few months in terms of the tools that I presented.

The goal of my talk was to present some practices and open source tools for improving the overall security of Java-based projects. Including them as part of the delivery pipeline (static code analysis, build process, Docker image creation, etc.) sets up a regular and automated “security audit” routine even without a dedicated security team. Please don’t get me wrong - it doesn’t mean that we don’t need pentesters (“security magicians” in general) or external audits anymore. I believe that if some of their work can be done in an automated manner every day, then it should make our apps noticeably more secure and reduce the number of vulnerabilities that could be found later on.

OWASP Find Security Bugs

In March 2019 (version 1.9.0), Find Security Bugs became an official OWASP project. That’s great news - the project should now gain better recognition and more community interest. Apart from that, Find Security Bugs should now better support codebases written in Kotlin. So is there any good reason not to use it by default in all Java or Kotlin projects? I (still) don’t think so!

Google Jib

Over the past few months, Jib received a few interesting updates, finally hitting version 1.x with:

  • out of the box support for Java 9+ projects (up to 11)
  • automated selection of the Java version based on the project’s configuration (distroless/java images are currently available in Java 8 & Java 11 flavors)
  • offline build mode (with --offline flag)

In my opinion, it’s still the best solution on the market for hassle-free & secure dockerized Java (JVM-based in general) applications.

OWASP Dependency Check

The good news is that the project is still actively maintained. At the time of writing this article, Dependency Check is close to a stable 5.0 release (currently 5.0.0-M3), with a pretty impressive rework done under the hood. Unfortunately, it looks like there were no major changes in terms of automated analysis of the results. Although it’s still not as functional & easy to use as some commercial tools, it just does its job pretty well and, what’s even more important, it does it for free.
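To show how the three tools discussed above fit into a single delivery pipeline, here is an added example of a Maven `pom.xml` fragment that wires all of them into the build. It is my own illustration for this article, not configuration taken from any of the projects: it runs Find Security Bugs through the SpotBugs plugin and fails the build on any finding, fails the build when Dependency Check reports a CVE with a CVSS score of 7 or higher, and builds the image with Jib on a distroless Java 11 base image running as a non-root user. The plugin versions, the image names and the CVSS threshold are assumptions that you should adjust to your own project.

```xml
<!-- Added example (not from the original post): plugin section of a pom.xml
     that runs Find Security Bugs, OWASP Dependency Check and Jib on every build.
     Plugin versions below are assumed to be current around mid-2019; check the
     latest releases before copying them. -->
<build>
  <plugins>

    <!-- Static analysis: SpotBugs with the Find Security Bugs detectors.
         Bound to the verify phase so `mvn verify` fails on any reported bug. -->
    <plugin>
      <groupId>com.github.spotbugs</groupId>
      <artifactId>spotbugs-maven-plugin</artifactId>
      <version>3.1.12</version> <!-- assumed version -->
      <configuration>
        <effort>Max</effort>           <!-- most thorough analysis -->
        <threshold>Low</threshold>     <!-- report low-confidence findings too -->
        <failOnError>true</failOnError>
        <plugins>
          <plugin>
            <groupId>com.h3xstream.findsecbugs</groupId>
            <artifactId>findsecbugs-plugin</artifactId>
            <version>1.9.0</version>   <!-- the OWASP release mentioned above -->
          </plugin>
        </plugins>
      </configuration>
      <executions>
        <execution>
          <phase>verify</phase>
          <goals><goal>check</goal></goals>
        </execution>
      </executions>
    </plugin>

    <!-- Dependency audit: OWASP Dependency Check against the NVD.
         The build breaks when any dependency carries a CVE scored >= 7.0. -->
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>5.0.0-M3</version>      <!-- milestone mentioned above -->
      <configuration>
        <failBuildOnCVSS>7</failBuildOnCVSS> <!-- assumed threshold; tune per project -->
        <format>HTML</format>
        <!-- Suppressions file for reviewed false positives (path is an assumption). -->
        <suppressionFiles>
          <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
        </suppressionFiles>
      </configuration>
      <executions>
        <execution>
          <phase>verify</phase>
          <goals><goal>check</goal></goals>
        </execution>
      </executions>
    </plugin>

    <!-- Container build: Jib on a distroless Java 11 base image, no Dockerfile,
         no Docker daemon needed for `mvn jib:build`, non-root user inside. -->
    <plugin>
      <groupId>com.google.cloud.tools</groupId>
      <artifactId>jib-maven-plugin</artifactId>
      <version>1.3.0</version>         <!-- assumed version -->
      <configuration>
        <from>
          <image>gcr.io/distroless/java:11</image>
        </from>
        <to>
          <image>registry.example.com/myteam/myapp:${project.version}</image> <!-- placeholder registry -->
        </to>
        <container>
          <user>1000</user>            <!-- do not run the JVM as root -->
        </container>
      </configuration>
    </plugin>

  </plugins>
</build>
```

With this in place, `mvn verify` runs both the code scan and the dependency audit, and `mvn jib:build` (or `mvn -o jib:build` for the offline mode mentioned above, once the base image is cached) pushes the image; a CI job that chains these two commands gives you the automated daily "audit" the article argues for. Keep the suppressions file under code review, since every entry in it silences a finding for the whole team.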

Summary

Luckily, the tools that I discussed during the last Testwarez conference are still useful for improving the security of JVM-oriented projects. It’s really great to know that they are actively maintained and getting even more attention from the community, including one of the most important players - OWASP. The most important task now is to educate more and more people and convince them that with some quite simple steps it’s possible to make our applications significantly more secure.

Mike Kowalski

Software engineer believing in craftsmanship and the power of fresh espresso. Writing in & about Java, distributed systems, and beyond. Mikes his own opinions and bytes.