How Does AttackFlow Work?

Motivation

Today there are many effective software production methodologies; however, in essence software development is a cycle that takes time. Software produced without a proper security mindset breaks in the hands of an average attacker, with devastating costs.

So software should be developed with breaking it in mind, but with classical security practices and solutions in DevOps this takes even more time: security testing leads to more tickets, tickets lead to more development time, and development leads to more testing and deployment time.

Security should be addressed as early as possible in order to be effective and to cost less. With AttackFlow integrated right into the development environment, developers find weaknesses on the fly as they code. With detailed and timely notifications, security bugs no longer linger for weeks before coming back to the development team as tickets to be fixed, tested and deployed again.

By Example

Here is an end-to-end, real-life scenario that shows how AttackFlow works. Our developer has extracted a generic LDAP search method that takes LDAP credentials and an LDAP query filter to execute.

After setting up the initialization and the connection, a DirectorySearcher is created from the connection details, the entry and a possibly dynamic query filter. We say "possibly dynamic" on purpose: at this point we do not know whether the filter is tainted (that is, whether it comes from an untrusted user agent) or not. Depending on that information we can say, as AttackFlow rightly does, that there is an injection problem here.

Having instantly found the serious injection problem by taint flow analysis, the risk gauge, which previously showed two not-so-serious problems, turns red and rises to three findings. This is the notification to our developer that we may just have accidentally implanted a critical security problem. Apart from the change of color and count, a glimpse of the problem is also visible through the instant adornment of the filter keyword.

LDAP Injection Example

The gory details of the attack explanation and the mitigation are in the video; as the developer learns the details and fixes the issue correctly, the problem goes away.
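To make the scenario concrete, here is an added example of the kind of generic LDAP search method described above, first in the tainted form AttackFlow flags and then hardened. This is illustration code written for this page, not AttackFlow's own code or the code shown in the video; the attribute name sAMAccountName and the base filter are assumptions, and the LDAP path and bind credentials are supplied by the caller. It needs the System.DirectoryServices assembly (a NuGet package on .NET Core, built in on .NET Framework).

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

// Added example, not AttackFlow's own code: a generic LDAP search method in the
// shape the article describes, once with the tainted filter the tool flags and
// once hardened. The attribute name sAMAccountName and the shape of the base
// filter are assumptions for illustration.
public static class LdapUserSearch
{
    // VULNERABLE: the untrusted 'userName' is concatenated straight into the
    // filter. An input such as "*)(objectClass=*" yields the filter
    //   (&(objectClass=user)(sAMAccountName=*)(objectClass=*))
    // which matches every user in the directory instead of one.
    public static List<string> FindUserPathsUnsafe(
        string ldapPath, string bindUser, string bindPassword, string userName)
    {
        string filter = "(&(objectClass=user)(sAMAccountName=" + userName + "))";
        return RunSearch(ldapPath, bindUser, bindPassword, filter);
    }

    // HARDENED: the same method, but the untrusted value is escaped per
    // RFC 4515 before it becomes part of the filter, so the metacharacters
    // are matched literally rather than parsed as filter syntax.
    public static List<string> FindUserPathsSafe(
        string ldapPath, string bindUser, string bindPassword, string userName)
    {
        string filter = "(&(objectClass=user)(sAMAccountName="
                        + EscapeFilterValue(userName) + "))";
        return RunSearch(ldapPath, bindUser, bindPassword, filter);
    }

    // RFC 4515 escaping for an assertion value used inside a search filter.
    // Only the five characters with syntactic meaning need escaping; anything
    // else, including non-ASCII, is a legal literal in a filter string.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // The DirectorySearcher sink. Result paths are copied out before the
    // directory objects are disposed so no handle outlives its owner.
    private static List<string> RunSearch(
        string ldapPath, string bindUser, string bindPassword, string filter)
    {
        var paths = new List<string>();
        using (var entry = new DirectoryEntry(ldapPath, bindUser, bindPassword))
        using (var searcher = new DirectorySearcher(entry))
        {
            searcher.Filter = filter;
            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult result in results)
                    paths.Add(result.Path);
            }
        }
        return paths;
    }

    public static void Main()
    {
        // Constructed attacker input: closes the sAMAccountName term and
        // appends a clause that matches everything.
        string injected = "*)(objectClass=*";
        Console.WriteLine("raw:     " + injected);
        Console.WriteLine("escaped: " + EscapeFilterValue(injected));
    }
}
```

The two search methods differ in a single expression, which is exactly why the problem is invisible without knowing where userName comes from: with the escaping in place the constructed input `*)(objectClass=*` becomes `\2a\29\28objectClass=\2a` and the filter stays a single equality test on a literal value. Escaping is the right fix only for assertion values; a DN that is built from user input needs RFC 4514 escaping instead, and a whole filter supplied by the caller, as in the article's generic method, should never be accepted from an untrusted source at all.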

The Inner-Workings

AttackFlow is a Visual Studio extension that is easy to install and update. Each time you type syntax-error-free code into the development environment, AttackFlow runs in the background looking for security vulnerabilities, including by flow analysis.

Starting from the active module and using heuristics and proprietary methods, AttackFlow searches for security vulnerabilities and code quality problems without interfering with the developer's normal coding flow. Should any findings be revealed, AttackFlow notifies the developer in three ways: a Risk Score badge at the top right of the related code page, adornments under the problematic code, and a list of bugs in a separate window called the Vulnerability Window. The developer can then delve into a finding by clicking it, which opens the Information Window with its details.

AttackFlow can identify a wide range of weaknesses, including code quality bugs as well as configurational and syntactic security vulnerabilities.

Code quality and configurational problems aside, injection vulnerabilities are among the most critical security weaknesses in web applications. SQL Injection is the best known of them to business owners, analysts, attackers and of course developers, but there are many more injection vulnerabilities: LDAP Injection, OS Command Injection, XPath Injection, Cross-Site Scripting and so on.

Injection vulnerabilities occur because we, as developers, mix code with data coming from untrusted sources, such as end users, without any validation. The data enters our application and travels through variables and methods; when it is concatenated into a piece of code such as an SQL statement, SQL Injection happens.

Finding injection weaknesses with static code analysis requires flow analysis. AttackFlow therefore has flow analysis at its core, using a technique different from classical sink-to-source or source-to-sink taint analysis.
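The decision such an analysis makes can be shown on the article's LDAP example with a deliberately minimal taint propagation. The following is an added illustration written for this page; it is not AttackFlow's proprietary method and makes no claim about how the product works internally. It is a flow-insensitive "may be tainted" analysis over a list of assignments, where the source, the sanitizer and the sink (Request.QueryString, an escaping step, and searcher.Filter) are assumed names chosen to mirror the scenario above.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added illustration, not AttackFlow's algorithm: a minimal flow-insensitive
// taint propagation over assignment statements. Variable, source and sink
// names are assumptions chosen to mirror the article's LDAP example.
public sealed class Assignment
{
    public string Target { get; }                  // variable written
    public IReadOnlyList<string> Operands { get; } // variables read
    public bool Sanitizes { get; }                 // true when the expression escapes its input

    public Assignment(string target, bool sanitizes, params string[] operands)
    {
        Target = target;
        Sanitizes = sanitizes;
        Operands = operands;
    }
}

public static class TaintFlow
{
    // Propagates taint from the sources through the assignments until nothing
    // changes. Iterating to a fixpoint makes the result independent of the
    // order the statements are listed in, which is what handles loops.
    public static HashSet<string> Propagate(
        IEnumerable<Assignment> statements, IEnumerable<string> sources)
    {
        var tainted = new HashSet<string>(sources);
        bool changed;
        do
        {
            changed = false;
            foreach (var s in statements)
            {
                // A sanitizing assignment produces clean data whatever it reads.
                if (s.Sanitizes) continue;
                if (s.Operands.Any(tainted.Contains) && tainted.Add(s.Target))
                    changed = true;
            }
        } while (changed);
        return tainted;
    }

    // The finding: does untrusted data reach the sink variable?
    public static bool ReachesSink(
        IEnumerable<Assignment> statements, IEnumerable<string> sources, string sink)
        => Propagate(statements, sources).Contains(sink);

    public static void Main()
    {
        var sources = new[] { "Request.QueryString" };
        const string sink = "searcher.Filter";

        // The vulnerable flow: query string -> userName -> filter string ->
        // DirectorySearcher.Filter, with no sanitizer on the path.
        var vulnerable = new[]
        {
            new Assignment("userName", false, "Request.QueryString"),
            new Assignment("filter",   false, "userName"),
            new Assignment(sink,       false, "filter"),
        };

        // The fixed flow: the value is escaped before it enters the filter,
        // so taint stops at the 'escaped' variable.
        var fixedFlow = new[]
        {
            new Assignment("userName", false, "Request.QueryString"),
            new Assignment("escaped",  true,  "userName"),
            new Assignment("filter",   false, "escaped"),
            new Assignment(sink,       false, "filter"),
        };

        Console.WriteLine("vulnerable flow reaches sink: " + ReachesSink(vulnerable, sources, sink));
        Console.WriteLine("fixed flow reaches sink:      " + ReachesSink(fixedFlow, sources, sink));
    }
}
```

Two caveats a practitioner should keep in mind. Because the propagation is flow-insensitive, a variable that is tainted on any path stays tainted everywhere, which errs on the side of reporting; a real analyzer adds path and context sensitivity to cut those false positives. And the sanitizer flag is only as good as the escaping routine it stands for: marking a step as sanitizing for LDAP filters says nothing about the same data flowing into an SQL statement or a shell command, so each sink type needs its own notion of what counts as clean.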

As a solution applied at the right time, AttackFlow fits more closely into the DevOps culture in order to make it work for software security.

AttackFlow Team