A technical look at Horusec - OpenSource Risk-driven Application Security for DevOps (SAST / DAST / CAST)



What is meant with:

  • SAST - Static Application Security Testing (code security checks)
  • DAST - Dynamic Application Security Testing (runtime security checks)
  • CAST - Composition Application Security Testing (security checks on dependencies / libraries incl. their dependency trees; more commonly called SCA, Software Composition Analysis)

In DevOps these *ST abbreviations are usually used to signal that the checks can run in Continuous Integration. That is not as easy as it sounds, neither in Quality Assurance (QA) nor in Application Security (AppSec).

At the moment (2021 Q2) Horusec is SAST “only”. The remaining planned phases:

  • Phase 4: Dependency analysis for all supported languages (Q3)
  • Phase 5: SAST with MVP Semantic Analysis (Q4)
  • Phase 6: DAST with MVP symbolic analysis (Q4)

Horusec?

Horusec is an open-source tool that orchestrates other security tools, identifies security flaws or vulnerabilities in projects, and stores all results in a database for analysis and for generating metrics.

Installation next to my test Jenkins CI

Avoiding timeouts with container initialisation

export DOCKER_CLIENT_TIMEOUT=120
export COMPOSE_HTTP_TIMEOUT=120

Setting environment variables so the web client can reach the server APIs

Adding more variables, as a script:

#!/bin/bash
# Docker / docker-compose client timeouts in seconds; the defaults are too short
# for the first start, when all images get pulled and initialised
export DOCKER_CLIENT_TIMEOUT=120
export COMPOSE_HTTP_TIMEOUT=120
# SMTP credentials Horusec uses for the mails it sends (placeholders here)
export HORUSEC_SMTP_USERNAME="foo"
export HORUSEC_SMTP_PASSWORD="bar"
# API endpoints the web UI talks to; the UI runs in the browser, so this must be
# an address the browser can reach, not a container-internal one
export REACT_APP_HORUSEC_ENDPOINT_API="http:\/\/192.168.1.2:8000"
export REACT_APP_HORUSEC_ENDPOINT_ANALYTIC="http:\/\/192.168.1.2:8005"
export REACT_APP_HORUSEC_ENDPOINT_ACCOUNT="http:\/\/192.168.1.2:8003"
export REACT_APP_HORUSEC_ENDPOINT_AUTH="http:\/\/192.168.1.2:8006"
make install

Test run of the CLI on a vulnerable code repo

~/Source/VeraInsecure$ horusec start -p="." -a "...-1ae3-48f9-8a11-..."

Results:

==================================================================================

Analysis StartedAt: 2021-05-19 00:00:00
Analysis FinishedAt: 2021-05-19 00:00:00

==================================================================================

Language: Java
Severity: HIGH
Line: 54
Column: 4
SecurityTool: HorusecJava
Confidence: LOW
File: /home/marius/Source/VeraInsecure/src/main/java/xyz/veracode/verainsecure/SQLInjection.java
Code: } catch (Exception e) {
Details: Information Exposure Through An Error Message
The sensitive information may be valuable information on its own (such as a password), or it may be useful for launching other, more deadly attacks. For more information checkout the CWE-209 (https://cwe.mitre.org/data/definitions/209.html) advisory.
Type: Vulnerability
ReferenceHash: f7d3e96ddf535c1b7fecd5c567fcc10cb563cec315d247fbee0688886c618136


==================================================================================

Language: Java
Severity: MEDIUM
Line: 4
Column: 16
SecurityTool: HorusecJava
Confidence: LOW
File: /home/marius/Source/VeraInsecure/src/main/java/xyz/veracode/verainsecure/XSS.java
Code: import org.owasp.encoder.Encode;
Details: Base64 Encode
Basic authentication's only means of obfuscation is Base64 encoding. Since Base64 encoding is easily recognized and reversed, it offers only the thinnest veil of protection to your users, and should not be used.
Type: Vulnerability
ReferenceHash: 634296845030adeaf079ce4d27b6e9a8797145ebb2a8886d64ed8a87d6fe6f48


==================================================================================

Language: Java
Severity: MEDIUM
Line: 12
Column: 19
SecurityTool: HorusecJava
Confidence: LOW
File: /home/marius/Source/VeraInsecure/src/main/java/xyz/veracode/verainsecure/Utilities.java
Code: return URLEncoder.encode(unsanitizedString, "UTF-8");
Details: Base64 Encode
Basic authentication's only means of obfuscation is Base64 encoding. Since Base64 encoding is easily recognized and reversed, it offers only the thinnest veil of protection to your users, and should not be used.
Type: Vulnerability
ReferenceHash: dd88e8e27bb74588db4fa4b5f95fcaf627acc6f216d5a9e4a089f6826a8046e4


==================================================================================

Language: Java
Severity: MEDIUM
Line: 17
Column: 37
SecurityTool: HorusecJava
Confidence: LOW
File: /home/marius/Source/VeraInsecure/src/main/java/xyz/veracode/verainsecure/Utilities.java
Code: String sanitizedString = URLEncoder.encode(unsanitizedString, "UTF-8");
Details: Base64 Encode
Basic authentication's only means of obfuscation is Base64 encoding. Since Base64 encoding is easily recognized and reversed, it offers only the thinnest veil of protection to your users, and should not be used.
Type: Vulnerability
ReferenceHash: 3851f42bd201c1073cfedb2b7c694ed0d7e5c61bb62df0ae3eeab86fefee51d6


==================================================================================

Language: Java
Severity: MEDIUM
Line: 41
Column: 39
SecurityTool: HorusecJava
Confidence: LOW
File: /home/marius/Source/VeraInsecure/src/main/java/xyz/veracode/verainsecure/CRLFInjection.java
Code: String sanitizedUsername = URLEncoder.encode(username, "UTF-8");
Details: Base64 Encode
Basic authentication's only means of obfuscation is Base64 encoding. Since Base64 encoding is easily recognized and reversed, it offers only the thinnest veil of protection to your users, and should not be used.
Type: Vulnerability
ReferenceHash: e9c686584aa680e37ef5942a7422b1087b7bd872624e1ef7df021d6525c8658c


==================================================================================

Language: Java
Severity: MEDIUM
Line: 44
Column: 35
SecurityTool: HorusecJava
Confidence: LOW
File: /home/marius/Source/VeraInsecure/src/main/java/xyz/veracode/verainsecure/OpenRedirect.java
Code: response.sendRedirect(URLEncoder.encode(url, "UTF-8"));
Details: Base64 Encode
Basic authentication's only means of obfuscation is Base64 encoding. Since Base64 encoding is easily recognized and reversed, it offers only the thinnest veil of protection to your users, and should not be used.
Type: Vulnerability
ReferenceHash: abc24b996c3887b39fdcc9f4fa38be78ab0e60fff2c149b58558d4119dd9bd23


==================================================================================

In this analysis, a total of 6 possible vulnerabilities were found and we classified them into:

Total of Vulnerability MEDIUM is: 5
Total of Vulnerability HIGH is: 1

==================================================================================

WARN[0240] [HORUSEC] 6 VULNERABILITIES WERE FOUND IN YOUR CODE SENT TO HORUSEC, TO SEE MORE DETAILS USE THE LOG LEVEL AS DEBUG AND TRY AGAIN

WARN[0240] {HORUSEC_CLI} Horusec not show info vulnerabilities in this analysis, to see info vulnerabilities add option "--information-severity=true". For more details use (horusec start --help) command.

==================================================================================

Does it find vulnerabilities? – Yes. Are the descriptions accurate? – No. This project is just starting, but…

Are these all vulnerabilities? – Not really. Should you fix vulnerabilities like that? – Yep.
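The findings above are what a CI job has to act on, and the "Base64 Encode" hits on URLEncoder and on an import line show why a plain "fail on any finding" policy does not survive contact with a young rule set. As an added example (not Horusec's own code and not from the original post), here is a Python script that parses the text report format printed above, collects the ReferenceHash values of findings that look like rule misfires, and decides whether the job should fail. SAMPLE_REPORT is a constructed, shortened copy of the run above; the false-positive heuristic (a "Base64 Encode" finding whose flagged code never mentions Base64) is this example's own assumption, not a Horusec feature, and the hashes it collects are what you would hand to the CLI's options for ignoring already triaged hashes (`horusec start --help` lists them).

```python
"""Triage gate for Horusec's text report (added example, not Horusec's own code).

Findings are separated by a line of '=' characters and consist of 'Key: value'
lines; the free text after 'Details:' is collected into 'Description'.
SAMPLE_REPORT is a constructed, shortened copy of the run shown above.
"""
import re
from collections import Counter

SEPARATOR = re.compile(r"^=+$")
FIELD = re.compile(r"^(Language|Severity|Line|Column|SecurityTool|Confidence|"
                   r"File|Code|Details|Type|ReferenceHash): ?(.*)$")
SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
CONFIDENCE_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

SAMPLE_REPORT = """\
Language: Java
Severity: HIGH
Line: 54
Column: 4
SecurityTool: HorusecJava
Confidence: LOW
File: /home/marius/Source/VeraInsecure/src/main/java/xyz/veracode/verainsecure/SQLInjection.java
Code: } catch (Exception e) {
Details: Information Exposure Through An Error Message
The sensitive information may be valuable on its own. See CWE-209 (https://cwe.mitre.org/data/definitions/209.html).
Type: Vulnerability
ReferenceHash: f7d3e96ddf535c1b7fecd5c567fcc10cb563cec315d247fbee0688886c618136

==================================================================================

Language: Java
Severity: MEDIUM
Line: 4
Column: 16
SecurityTool: HorusecJava
Confidence: LOW
File: /home/marius/Source/VeraInsecure/src/main/java/xyz/veracode/verainsecure/XSS.java
Code: import org.owasp.encoder.Encode;
Details: Base64 Encode
Basic authentication's only means of obfuscation is Base64 encoding.
Type: Vulnerability
ReferenceHash: 634296845030adeaf079ce4d27b6e9a8797145ebb2a8886d64ed8a87d6fe6f48

==================================================================================

In this analysis, a total of 2 possible vulnerabilities were found and we classified them into:
"""


def parse_report(text):
    """Return one dict per finding; free text after 'Details:' lands in 'Description'."""
    findings, current, last_key = [], {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if SEPARATOR.match(line):
            if "ReferenceHash" in current:   # only complete blocks count as findings
                findings.append(current)
            current, last_key = {}, None
            continue
        match = FIELD.match(line)
        if match:
            last_key = match.group(1)
            current[last_key] = match.group(2)
        elif line and last_key == "Details":   # continuation of the description
            current["Description"] = (current.get("Description", "") + " " + line).strip()
    if "ReferenceHash" in current:
        findings.append(current)
    return findings


def suspect_false_positives(findings):
    """Hashes of 'Base64 Encode' findings whose flagged code never mentions Base64.

    Heuristic assumed for this example (it encodes what the run above shows:
    the rule fires on URLEncoder and on an import). A human still reviews the list.
    """
    return {f["ReferenceHash"] for f in findings
            if f.get("Details") == "Base64 Encode"
            and "base64" not in f.get("Code", "").lower()}


def gate(findings, fail_on="HIGH", min_confidence="LOW", accepted_hashes=frozenset()):
    """Return (blocking findings, per-severity counts), skipping accepted hashes."""
    blocking, counts = [], Counter()
    for f in findings:
        if f["ReferenceHash"] in accepted_hashes:
            counts["accepted"] += 1
            continue
        counts[f["Severity"]] += 1
        if (SEVERITY_RANK[f["Severity"]] >= SEVERITY_RANK[fail_on]
                and CONFIDENCE_RANK[f["Confidence"]] >= CONFIDENCE_RANK[min_confidence]):
            blocking.append(f)
    return blocking, counts


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    blocking, counts = gate(found, fail_on="MEDIUM",
                            accepted_hashes=suspect_false_positives(found))
    print(dict(counts), [f["File"].rsplit("/", 1)[-1] for f in blocking])
    raise SystemExit(1 if blocking else 0)   # non-zero exit fails the CI job
```

With the sample input the Base64 hit on the import line is set aside and only the HIGH finding in SQLInjection.java blocks the job; raising `min_confidence` to MEDIUM lets everything through, because every finding in this run is reported with confidence LOW. That is the knob to think about: gating on severity alone fails the build on rule misfires, gating on confidence alone hides real findings from an immature rule set.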

Summary

  • Today it’s a new multi-language SAST tool with limits (as even commercial-grade tools have).
  • Tomorrow it will be very interesting 🙂
