Preparing your QRadar SIEM App for Secure Coding

By Jawine Westland posted Mon August 19, 2024 09:13 AM


Preparing your app for Secure Coding

Introduction

QRadar applications are not only validated by the App Validation team; they are also validated by our Secure Coding team.

This is not just an automated scanning process: the Secure Coding team also runs tests specific to QRadar and performs manual penetration (PEN) testing.

Here is the journey of an application or content pack after it is submitted by the developer or publisher:

Information Required for Secure Coding

As Secure Coding scans the code with security tools and also performs its own checks, we always need:

  • The full app code in plaintext
  • The version of any external dependencies in plaintext

If the code is not plaintext we need:

  1. Plaintext code/source
  2. The list of dependencies/build files

As QRadar apps are written in Python, the app code itself is usually plaintext. However, we find that the UI (JavaScript) code is often not plaintext, and we then have to request the source code.

Note: If you use package managers or UI frameworks that minify the code, please provide the package list.

The file name varies; for npm it is package.json.

If the .js code is minified but clearly states at the top of the file which versions of its dependencies are used, this is also acceptable.

Example of build dependencies with required files

Javascript dependencies plaintext example
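The following script is an added example for this article, not IBM's validation tooling. It walks an unzipped app bundle and reports the two things the Secure Coding team asks for above: whether a dependency list is present (package.json for npm, requirements.txt for Python) and whether every minified JavaScript file is covered either by a package.json or by a version header at the top of the file. The minification heuristic (any line of 500 or more characters) and the header pattern ("jQuery v3.6.0" style) are this example's own assumptions; the sample bundle it builds is constructed.

```python
"""Pre-submission plaintext check for an unzipped QRadar app bundle.

Added example, not IBM's validation tooling. The minification heuristic and
the header pattern are assumptions made for this example.
"""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass, field

# File names treated as a dependency/build list (assumption: typical names).
DEPENDENCY_MANIFESTS = ("package.json", "package-lock.json", "requirements.txt",
                        "setup.py", "pyproject.toml")
MINIFIED_LINE_LENGTH = 500  # assumption: any line this long means minified code
NAME_AND_VERSION = re.compile(r"\b[A-Za-z][\w.-]*\s+v?\d+\.\d+")


@dataclass
class CheckResult:
    manifests: list[str] = field(default_factory=list)            # dependency lists found
    minified_js: list[str] = field(default_factory=list)          # minified, no version header
    minified_with_header: list[str] = field(default_factory=list)  # minified, versions declared
    problems: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def looks_minified(text: str) -> bool:
    """A JavaScript file containing a very long line is treated as minified."""
    return any(len(line) >= MINIFIED_LINE_LENGTH for line in text.splitlines())


def declares_versions(text: str) -> bool:
    """True when a block comment near the top names a library and a version."""
    header = re.search(r"/\*([\s\S]*?)\*/", text[:2000])
    return bool(header and NAME_AND_VERSION.search(header.group(1)))


def check_bundle(root: str) -> CheckResult:
    """Walk the unzipped bundle and collect what the reviewers would ask for."""
    result = CheckResult()
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name in DEPENDENCY_MANIFESTS:
                result.manifests.append(rel)
            elif name.endswith(".js"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                if looks_minified(text):
                    bucket = result.minified_with_header if declares_versions(text) else result.minified_js
                    bucket.append(rel)
    has_js_manifest = any(os.path.basename(m).startswith("package") for m in result.manifests)
    if result.minified_js and not has_js_manifest:
        result.problems.append("minified JavaScript without package.json or a version header: "
                               + ", ".join(sorted(result.minified_js)))
    if not result.manifests:
        result.problems.append("no dependency list found (package.json, requirements.txt, ...)")
    return result


def run_sample(with_manifest: bool, with_header: bool) -> CheckResult:
    """Build a constructed sample bundle in a temporary directory and check it."""
    with tempfile.TemporaryDirectory() as root:
        static = os.path.join(root, "app", "static")
        os.makedirs(static)
        body = "!function(e){" + "e.a=e.a+1;" * 100 + "}(window);"  # one line, over 1000 chars
        header = "/*! jQuery v3.6.0 | (c) OpenJS Foundation */\n" if with_header else ""
        with open(os.path.join(static, "vendor.min.js"), "w", encoding="utf-8") as fh:
            fh.write(header + body)
        with open(os.path.join(root, "requirements.txt"), "w", encoding="utf-8") as fh:
            fh.write("example-lib==1.0.0\n")  # constructed placeholder dependency
        if with_manifest:
            with open(os.path.join(static, "package.json"), "w", encoding="utf-8") as fh:
                fh.write('{"dependencies": {"jquery": "3.6.0"}}\n')
        return check_bundle(root)


if __name__ == "__main__":
    for args in ((False, False), (True, False), (False, True)):
        res = run_sample(*args)
        print(args, "OK" if res.ok else res.problems)
```

Run it against your own unzipped bundle with `check_bundle("/path/to/unzipped/app")`; anything listed under `problems` is what the reviewers would otherwise have to come back and request.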

Uploading your own Security Testing Findings

As the Secure Coding team also performs tests specific to QRadar and manual PEN testing, your app can still fail Secure Coding even if you have run a dependency scan yourself.

However, it can speed up the validation process if you share the results of your own security testing.

You can upload these results under "Testing Information".

Running Scans for your app

Tools used by our Secure Coding Team

  • Twistlock
  • Mend
  • OWASP Dependency-Check

Reports from all of these tools are accepted. If you want to run your own scans, OWASP Dependency-Check is free. It is less accurate for RPM packages, but should find most issues if you use only Python (PyPI) and JavaScript dependencies.

OWASP Dependency Check

https://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html

Request a free NVD API key, otherwise scans will often fail:

https://nvd.nist.gov/developers/request-an-api-key

Adding the script to your PATH is not mandatory; you can run it directly like so (the directory to scan must contain all the code, unzipped and entirely in plaintext):

[mydir]/dependency-check/bin/dependency-check.sh --project "My App Name" --scan [directory to scan] --enableExperimental --nvdApiKey [apikey]

Secure Coding Scan Failures

  • What if the code uses a vulnerable dependency, but the CVE does not apply because it cannot be exploited?
  • The app will still be rejected.

Note that if the CVE is disputed or under investigation on the NIST (NVD) page, it is recommended to check another source, as sometimes the vulnerability has been confirmed but the NIST page has not yet been updated.
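To see what the scan result above means for a submission before you upload it, here is an added example (not part of Dependency-Check or of IBM's review tooling) that reads a Dependency-Check JSON report, applies the rejection rule from this section (any reported CVE fails, regardless of exploitability) and lists findings whose NVD text marks them as disputed so that you can confirm them against a second source. The field names it reads (top-level "dependencies", each with "fileName" and a "vulnerabilities" list carrying "name", "severity", "source" and "description") are an assumption about the report layout: check them against the JSON schema shipped with your Dependency-Check version. The embedded report is constructed with placeholder CVE ids.

```python
"""Summarise an OWASP Dependency-Check JSON report before submission.

Added example; the report field names are assumptions to verify against the
schema of your Dependency-Check version. SAMPLE_REPORT is constructed with
placeholder identifiers.
"""
from __future__ import annotations

import json
from collections import Counter

SAMPLE_REPORT = json.dumps({
    "projectInfo": {"name": "My App Name"},
    "dependencies": [
        {"fileName": "example-lib-1.0.0.jar"},  # clean dependency, no findings
        {"fileName": "oldparser-0.9.tgz",
         "vulnerabilities": [
             {"source": "NVD", "name": "CVE-0000-0001", "severity": "HIGH",
              "description": "Placeholder finding (constructed)."},
             {"source": "NVD", "name": "CVE-0000-0002", "severity": "MEDIUM",
              "description": "Placeholder finding (constructed)."}]},
        {"fileName": "widget.min.js",
         "vulnerabilities": [
             {"source": "NVD", "name": "CVE-0000-0003", "severity": "LOW",
              "description": "** DISPUTED ** Placeholder finding (constructed)."}]},
    ],
})

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNKNOWN": 4}


def load_findings(report_text: str) -> list[dict]:
    """Flatten the report into one record per (dependency, vulnerability)."""
    report = json.loads(report_text)
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            findings.append({
                "dependency": dep.get("fileName", "?"),
                "id": vuln.get("name", "?"),
                "severity": str(vuln.get("severity", "UNKNOWN")).upper(),
                "source": vuln.get("source", "?"),
                # NVD marks disputed entries in the description text.
                "disputed": "DISPUTED" in str(vuln.get("description", "")).upper(),
            })
    findings.sort(key=lambda f: (SEVERITY_ORDER.get(f["severity"], 4), f["id"]))
    return findings


def would_fail_secure_coding(findings: list[dict]) -> bool:
    """Any reported vulnerability fails the review; arguing that the CVE is
    not exploitable in context does not change the outcome."""
    return bool(findings)


def severity_counts(findings: list[dict]) -> Counter:
    return Counter(f["severity"] for f in findings)


def needs_second_source(findings: list[dict]) -> list[str]:
    """CVE ids marked disputed in NVD: confirm against another source, since
    the NVD page may lag behind a confirmation."""
    return [f["id"] for f in findings if f["disputed"]]


def summarize(report_text: str) -> str:
    """Human-readable summary, most severe first, with the expected verdict."""
    findings = load_findings(report_text)
    lines = [f"{f['severity']:<8} {f['id']:<16} {f['dependency']}" for f in findings]
    verdict = ("REJECTED: upgrade or replace the dependency before submitting"
               if would_fail_secure_coding(findings) else "no findings")
    lines.append(f"verdict: {verdict}")
    for cve in needs_second_source(findings):
        lines.append(f"{cve} is disputed in NVD: check a second source")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

Point `summarize` at the `dependency-check-report.json` produced by running the scanner with `--format JSON` (or pass the report text you already have) and attach the output together with the report under "Testing Information".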

Secure Coding: Best Practices

QRadar: Developing applications and security best practices

Security issues are always a concern and all applications published for IBM Security QRadar include security reviews. This article advises developers on best practices to review when you create an application for QRadar®.

https://www.ibm.com/support/pages/qradar-developing-applications-and-security-best-practices

Secure data storage and encryption

Securely storing app data is very important when developing an app. Use the following methods to safely store data in a QRadar app.

https://ibmsecuritydocs.github.io/qradar_appfw_v2/docs/documentation/secure_data_storage_and_encryption.html

Secure Coding: Common issues

Non-admin configuration pages

Ensure that you set the correct permissions in manifest.json so that admin endpoints and configuration pages are restricted to admin users only.
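As an added example (not IBM tooling), the script below reads a manifest.json and lists entries that look administrative but do not require the ADMIN capability. It assumes the manifest lists UI areas under "areas", configuration pages under "configuration_pages" and REST endpoints under "rest_methods", each entry carrying a "required_capabilities" list; the rule that a name, id, text or URL containing "admin", "config" or "settings" marks an administrative entry is this example's own heuristic, so review its output rather than trusting it blindly. The manifest embedded here is constructed.

```python
"""Flag manifest.json entries that look administrative but lack ADMIN.

Added example, not IBM tooling. The manifest section and key names, and the
keyword heuristic, are assumptions made for this example.
"""
from __future__ import annotations

import json

# Constructed manifest: one REST endpoint deliberately lacks ADMIN.
SAMPLE_MANIFEST = json.dumps({
    "name": "Example App",
    "version": "1.0.0",
    "areas": [
        {"id": "ExampleDashboard", "text": "Dashboard", "url": "/index",
         "required_capabilities": []}],
    "configuration_pages": [
        {"text": "Settings", "url": "/config", "required_capabilities": ["ADMIN"]}],
    "rest_methods": [
        {"name": "get_config", "url": "/api/config", "method": "GET",
         "required_capabilities": ["ADMIN"]},
        {"name": "save_config", "url": "/api/config", "method": "POST",
         "required_capabilities": []},
        {"name": "search", "url": "/api/search", "method": "GET"},
    ],
})

ADMIN_HINTS = ("admin", "config", "settings")   # heuristic keywords (assumption)
SECTIONS = ("areas", "configuration_pages", "rest_methods")


def is_admin_like(section: str, entry: dict) -> bool:
    """Configuration pages are always administrative; other entries are judged
    by keywords in their name, id, text or URL."""
    if section == "configuration_pages":
        return True
    haystack = " ".join(str(entry.get(k, "")) for k in ("name", "id", "text", "url")).lower()
    return any(hint in haystack for hint in ADMIN_HINTS)


def describe(section: str, entry: dict) -> str:
    """Short label such as 'rest_methods POST /api/config'."""
    label = entry.get("url") or entry.get("name") or entry.get("id") or "?"
    method = entry.get("method")
    return f"{section} {method + ' ' if method else ''}{label}"


def find_unrestricted_admin_entries(manifest_text: str) -> list[str]:
    """Return labels of admin-like entries whose required_capabilities does
    not include ADMIN (a missing key counts as unrestricted)."""
    manifest = json.loads(manifest_text)
    findings = []
    for section in SECTIONS:
        for entry in manifest.get(section, []):
            caps = entry.get("required_capabilities", [])
            if is_admin_like(section, entry) and "ADMIN" not in caps:
                findings.append(describe(section, entry))
    return findings


if __name__ == "__main__":
    for finding in find_unrestricted_admin_entries(SAMPLE_MANIFEST):
        print("unrestricted admin entry:", finding)
```

Note that the GET and POST variants of the same URL are separate entries, so each needs its own `required_capabilities`; the constructed manifest shows the common slip of restricting the read but not the write.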

Lack of CSRF protection

All apps require CSRF protection on PUT, POST, and DELETE endpoints. GET endpoints do not need it, although it is fine if it is present. To test this, capture one of these requests in Burp Suite and remove the CSRF token from the request data. Forwarding the request should result in a "CSRF token invalid" error or something similar. If the request succeeds with an invalid CSRF token, there is a problem. If there is no CSRF token in the request data at all, that is also a problem.

Endpoint has both POST and GET methods

Ensure that you differentiate between GET and POST requests in the code for endpoints that accept both, as otherwise the CSRF protection can break.
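The two points above, the CSRF check itself and the need to branch on the method in a handler that serves both GET and POST, are shown together in this added stand-alone example. It is not the QRadar App Framework's own CSRF implementation (whose token names, storage and Flask integration differ); the token scheme (an HMAC of the session id under a server secret), the dispatcher and the routes are this example's own assumptions. The "unsafe" route is included only as the counter-example that fails the Burp test described above: it mutates state on any method, so a plain GET, which the CSRF check rightly does not cover, changes the setting without any token.

```python
"""CSRF enforcement for a Flask-style QRadar app, shown stand-alone.

Added example; not the QRadar App Framework's own implementation. The token
scheme, dispatcher and routes are assumptions made for this example.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

SECRET_KEY = secrets.token_bytes(32)   # per process here; a real app loads it from config
STATE_CHANGING = {"POST", "PUT", "DELETE"}
_SETTINGS: dict[str, str] = {"safe": "default", "unsafe": "default"}  # stand-in for app storage


@dataclass
class Response:
    status: int
    body: str


def issue_csrf_token(session_id: str) -> str:
    """Token = HMAC(secret, session id): unguessable and tied to one session."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, presented: str | None) -> bool:
    """Constant-time comparison; a missing token is treated as invalid."""
    if not presented:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), presented)


def settings_safe(method: str, params: dict) -> Response:
    """Accepts GET and POST; only the POST branch mutates state."""
    if method == "GET":
        return Response(200, "settings form")
    if method == "POST":
        _SETTINGS["safe"] = params.get("value", "")
        return Response(200, "settings saved")
    return Response(405, "method not allowed")


def settings_unsafe(method: str, params: dict) -> Response:
    """Counter-example: mutates on any method, so a GET (never CSRF-checked)
    changes the setting without a token."""
    _SETTINGS["unsafe"] = params.get("value", "")
    return Response(200, "settings saved")


ROUTES = {"/settings": settings_safe, "/settings-unsafe": settings_unsafe}


def handle(method: str, path: str, session_id: str, params: dict) -> Response:
    """Dispatcher: the token check runs for every state-changing request,
    before any route code."""
    if method in STATE_CHANGING and not csrf_token_valid(session_id, params.get("csrf_token")):
        return Response(403, "CSRF token invalid")
    route = ROUTES.get(path)
    if route is None:
        return Response(404, "not found")
    return route(method, params)


def saved_value(key: str) -> str:
    """Read back the stand-in storage (used to observe what a request changed)."""
    return _SETTINGS[key]


if __name__ == "__main__":
    sid = "session-abc"
    print(handle("POST", "/settings", sid, {"value": "x"}))                                        # 403
    print(handle("POST", "/settings", sid, {"value": "x", "csrf_token": issue_csrf_token(sid)}))   # 200
    print(handle("GET", "/settings-unsafe", sid, {"value": "changed"}), saved_value("unsafe"))    # 200, changed
```

The dispatcher enforces the token centrally so that no route can forget it, which is what the reviewers' Burp test exercises; the method branch inside `settings_safe` is the second half of the protection, because a GET that performs the write would sidestep the check entirely.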

Exporting an integration that only contains QRadar content

NOTE: If you do not have app code, you can also export content via the following methods:

https://www.ibm.com/support/pages/qradar-how-use-content-managment-tool-cmt-version-2

https://www.ibm.com/docs/en/qsip/7.5?topic=qradar-exporting-contents-from-dsm-editor

Exporting and signing your Integration

There are four key steps to get your .zip file ready for submission to the App Submission portal. All extensions published to the IBM® Security App Exchange must include a manifest.txt and must be signed by two IBM-issued certificates. You must include these certificates in order to pass validation.

https://www.ibm.com/support/pages/node/6442125


Comments

Fri September 06, 2024 06:49 AM

very useful