Simplifying Secure Code Reviews
Sherif Koussa
sherif@softwaresecured.com

BSides Quebec 2013
SoftwareSecured
Monday, 3 June, 13
Slides 85-106 (the SlideShare transcript below ends at slide 85):

  85-90. File Upload/Download Flaws (callouts on the slides)
     ➡ The value gets validated first time around
     ➡ File path saved into a hidden field
     ➡ File path is not...
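The hidden-field pattern these slides annotate, as an added example that is not the deck's code (the deck's snippet exists only on the slide image): a handler that validates the path on the first request and carries it in a hidden field, then a second step that trusts the field beside one that re-validates it. The base directory, request dictionaries and file names are constructed for the example.

```python
import posixpath
from typing import Optional

UPLOAD_ROOT = "/srv/app/uploads"   # constructed base directory for the example


def safe_path(requested: str) -> Optional[str]:
    """Normalise the request and keep it only if it stays under UPLOAD_ROOT.
    posixpath keeps the check platform-independent and filesystem-free; a
    deployed version should also resolve symlinks (os.path.realpath)."""
    if not requested or "\x00" in requested:
        return None
    full = posixpath.normpath(posixpath.join(UPLOAD_ROOT, requested))
    return full if full.startswith(UPLOAD_ROOT + "/") else None


def first_request(form: dict) -> dict:
    """Step one as on the slides: the user's choice is validated and the
    resulting path is written into a hidden field of the rendered page."""
    path = safe_path(form.get("file", ""))
    if path is None:
        return {"status": 400}
    return {"status": 200, "hidden_field": path}


def download_trusting_hidden_field(form: dict) -> dict:
    """Weak second step: the hidden field is served as-is. It was validated
    once, but it has been through the client's browser since then."""
    return {"status": 200, "serve": form.get("hidden_field", "")}


def download_revalidating(form: dict) -> dict:
    """Hardened second step: the hidden field is input like any other and is
    validated again before anything is served."""
    path = safe_path(form.get("hidden_field", ""))
    if path is None:
        return {"status": 400}
    return {"status": 200, "serve": path}


if __name__ == "__main__":
    page = first_request({"file": "reports/q1.pdf"})
    # Constructed tampered postback: the hidden field no longer points under the root.
    tampered = {"hidden_field": "/srv/app/uploads/../app.config"}
    print("trusting hidden field:", download_trusting_hidden_field(tampered))
    print("re-validating:        ", download_revalidating(tampered))
    print("legitimate postback:  ", download_revalidating({"hidden_field": page["hidden_field"]}))
```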
  91. (Agenda: Trust Boundary Identification, Automation, OWASP Top 10, Checklists, Tools, Reporting, Manual Review) Reporting
  92. Reporting
     SQL Injection:
     Location: source/ACMEPortal/updateinfo.aspx.cs:
     ➡ Weakness Metadata
     ➡ Thorough Description
     ➡ ...
  93-96. Confirmation & PoC (no further text on these slides)
  97. (Agenda) Tools
  98. Security Code Review Tools
     ➡ Static Code Analysis
        ➡ Free: (FindBugs, PMD, CAT.net, PCLint, etc)
        ➡ Commercial: (Stati...
  99. Open-Source Static Code Analysis Tools (tools listed per platform: Java, .NET, C++)
  100. (Agenda) Checklists
  101. Usage of checklists
     ➡ Aviation: led the modern airplanes evolution after Major Hill's famous 1934 incident
     ➡ ICU: usage...
  102. Security Code Review Checklist
     ➡ Data Validation and Encoding Controls
     ➡ Encryption Controls
     ➡ Authentication and Aut...
  103. Resources To Conduct Your Checklist
     ➡ NIST Checklist Project - http://checklists.nist.gov/
     ➡ Mozilla's Secure Coding ...
  104. Simplified Security Code Review Process (diagram: Reconnaissance, Reporting, Trust Boundary Identification, Automation, Threat Mode...)
  105. QUESTIONS? @skoussa, sherif.koussa@owasp.org, sherif@softwaresecured.com
  106. (Closing slide)
Transcript of "Simplified security code review - BSidesQuebec2013"

  1. Simplifying Secure Code Reviews. Sherif Koussa, sherif@softwaresecured.com. BSides Quebec 2013. SoftwareSecured. Monday, 3 June, 13
  2. (Diagram) Development Teams / Security Teams
  3. Bio (timeline: 2007, 2009, 2011, 2013). Principal Consultant @ SoftwareSecured:
     ✓ Application Security Assessment
     ✓ Application Security Assurance Program Implementation
     ✓ Application Security Training
  4-8. Take Aways (built up over five slides)
     ➡ Role of Security Code Review
     ➡ Effective Process
     ➡ Simplified Process
     ➡ Key Tools to Use
  9. What This Presentation is NOT...
     ➡ Ground Breaking Research
     ➡ New Tool
     ➡ How to Fix Vulnerabilities
  10-14. What IS Security Code Review? (built up over five slides)
     ➡ The Inspection of Source Code to Find Security Weakness
     ➡ Integrated Activity into Software Development Lifecycle
     ➡ Cross-Team Integration: Development Teams, Security Teams, Project/Risk Management
     ➡ Systematic Approach to Uncover Security Flaws
  15-20. Why Security Code Reviews (built up over six slides)
     ➡ Effectiveness of Security Controls
     ➡ Exercise all code paths
     ➡ All instances of a vulnerability
     ➡ Find design flaws
     ➡ Remediation Instructions
  21-27. Effective Security Code Review Process (built up over seven slides)
     ➡ Reconnaissance
     ➡ Threat Modeling
     ➡ Automation
     ➡ Manual Review
     ➡ Confirmation & Proof-Of-Concept
     ➡ Reporting
  28-34. Full SCR Process (diagram of the six phases, supported by Skills, Checklists and Tools; each slide adds the activities of the next phase)
     Reconnaissance: • Business Goals • Technology Stack • Use Case Scenarios • Network Deployment
     Threat Modeling: • Decompose Application • Attack Surface • Major Security Controls
     Automation: • Low Hanging Fruit • Hot Spots • Missed Functionalities • Abandoned Code
     Manual Review: • Security Controls • High Profile Code • Custom Rules
     Confirmation & PoC: • Confirmation • Evidences
     Reporting: • Risk Rating • Role Based • Remediation Instructions
  35-37. Simplified Security Code Review Process (the full-process diagram overlaid with the simplified elements): Trust Boundary Identification, Automation, OWASP Top 10, Checklists, Tools, Reporting, Manual Review
  38. Usages of Simplified Security Code Review
     ➡ Ideal for Introducing Development Teams To Security Code Reviews
     ➡ Crossing The Gap Between Security and Development Teams
  39. Skills - OWASP Top 10
     ➡ A1 Injection
     ➡ A2 Broken Authentication and Session Management
     ➡ A3 Cross-Site Scripting (XSS)
     ➡ A4 Insecure Direct Object References
     ➡ A5 Security Misconfiguration
     ➡ A6 Sensitive Data Exposure
     ➡ A7 Missing Function Level Access Control
     ➡ A8 Cross-Site Request Forgery (CSRF)
     ➡ A9 Using Known Vulnerable Components
     ➡ A10 Unvalidated Redirects and Forwards
  40-41. OWASP TOP 10 - 2010 vs OWASP TOP 10 - 2013 (slide 41 adds the 2013 column; the legend marks entries as Modified or New)
     2010                                             | 2013
     A1. Injection                                    | A1. Injection
     A2. Cross-Site Scripting                         | A2. Broken Authentication and Session Management
     A3. Broken Authentication and Session Management | A3. Cross-Site Scripting
     A4. Insecure Direct Object References            | A4. Insecure Direct Object References
     A5. Cross-Site Request Forgery                   | A5. Security Misconfiguration
     A6. Security Misconfiguration                    | A6. Sensitive Data Exposure
     A7. Insecure Cryptographic Storage               | A7. Missing Function Level Access Control
     A8. Failure to Restrict URL Access               | A8. Cross-Site Request Forgery
     A9. Insufficient Transport Layer Protection      | A9. Using Known Vulnerable Components
     A10. Unvalidated Redirects and Forwards          | A10. Unvalidated Redirects and Forwards
  42-44. Veracode Report - 2011, Trustwave Report - 2013, Whitehat Report - 2012: each report's findings mapped onto the OWASP TOP 10 - 2013 categories (mapping shown graphically on the slides)
  45. (Agenda) Define Trust Boundary
  46-52. Trust Boundary - Example (architecture diagram, boundaries highlighted one slide at a time): Browser, Mobile Client and SOAP Client on the Internet side; Front Controller, Admin Front Controller, Web Services, View, Business Objects and Data Access Layer in the application; DB, LDAP and File System on the LAN side
  53-62. Trust Boundary - OWASP Top 10: the example diagram with the Top 10 categories (list as on slide 39) placed on the boundaries where each applies, added one category per slide from A1 to A10 (placement shown graphically)
  63-68. How Can You Identify Trust Boundary? (built up over six slides)
     ➡ File Extensions: *.jsp, *.aspx.cs, *.sql, *.txt, *DAL.*, etc
     ➡ Implementations: HttpServlet, JAXMServlet, *.master.cs, etc
     ➡ Imports: Import System.Data.SqlClient, import javax.servlet.http.*, etc
     ➡ Tools: Spiders' output
     ➡ Annotations: @WebMethods, @WebService
  69. Making Unsecure Code Look Unsecure - cc/Joel Spolsky
     ➡ Physical Source Code Separation.
     ➡ File Naming Scheme:
        ➡ Trust Boundary Safe: tbsProcessNameChange.java
        ➡ Trust Boundary UnSafe: tbuEditProfile.jsp
     ➡ Variable Naming Convention:
        ➡ String usEmail = Request.getParameter("email");
        ➡ String sEmail = Validate(Request.getParameter("email"));
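A review helper that applies the indicators from slides 64-69, added here as an example and not the deck's or SoftwareSecured's own tooling: it flags files by name pattern, servlet implementation, import, annotation and the tbu prefix, and reports us*-prefixed variables that reach code without going through Validate(). The sample files are constructed inline; the regexes and the Validate() convention are assumptions drawn from the slides.

```python
import re
from dataclasses import dataclass, field

# Indicators named on the deck's "How Can You Identify Trust Boundary?" and
# "Making Unsecure Code Look Unsecure" slides; the regexes are this example's own.
BOUNDARY_FILE_PATTERNS = [r"\.jsp$", r"\.aspx\.cs$", r"\.sql$", r"\.txt$", r"DAL\.", r"\.master\.cs$"]
BOUNDARY_IMPLEMENTATIONS = ["HttpServlet", "JAXMServlet"]
BOUNDARY_IMPORTS = ["System.Data.SqlClient", "javax.servlet.http"]
BOUNDARY_ANNOTATIONS = ["@WebMethod", "@WebService", "[WebMethod]"]
# "us" prefix = unsafe (unvalidated) string, "s" prefix = validated string.
UNSAFE_VAR_DECL = re.compile(r"\b(?:String|string|var)\s+(us[A-Z]\w*)\s*=")


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)      # why the file touches a trust boundary
    unvalidated: list = field(default_factory=list)  # (line_no, var): us* value used raw


def boundary_reasons(path: str, source: str) -> list:
    """Collect every deck indicator that marks this file as trust-boundary code."""
    reasons = []
    for pat in BOUNDARY_FILE_PATTERNS:
        if re.search(pat, path):
            reasons.append(f"file name matches {pat}")
    for impl in BOUNDARY_IMPLEMENTATIONS:
        if re.search(rf"(?:\bextends\b|:)\s*{impl}\b", source):
            reasons.append(f"implements {impl}")
    for imp in BOUNDARY_IMPORTS:
        if re.search(rf"^\s*(?:import|using)\s+{re.escape(imp)}", source, re.MULTILINE):
            reasons.append(f"imports {imp}")
    for ann in BOUNDARY_ANNOTATIONS:
        if ann in source:
            reasons.append(f"annotated {ann}")
    if path.rsplit("/", 1)[-1].startswith("tbu"):
        reasons.append("tbu prefix: trust boundary unsafe")
    return reasons


def unvalidated_uses(source: str) -> list:
    """Every use of a us*-prefixed variable outside its own declaration and
    outside a Validate(...) call: raw input reaching code that expects clean data."""
    unsafe_vars = sorted(set(UNSAFE_VAR_DECL.findall(source)))
    hits = []
    for line_no, line in enumerate(source.splitlines(), 1):
        if "Validate(" in line:
            continue
        declared = UNSAFE_VAR_DECL.search(line)
        for var in unsafe_vars:
            if declared and declared.group(1) == var:
                continue
            if re.search(rf"\b{var}\b", line):
                hits.append((line_no, var))
    return hits


def triage(files: dict) -> dict:
    """Map each path to a Finding: files with indicators or raw us* uses go to
    the front of the manual review queue, the rest can be deprioritised."""
    return {path: Finding(path, boundary_reasons(path, src), unvalidated_uses(src))
            for path, src in files.items()}


# Constructed sample tree (not from the deck); the servlet deliberately leaves
# usName unvalidated so the variable check has something to report.
SAMPLE_FILES = {
    "web/tbuEditProfile.java": """\
import javax.servlet.http.*;
public class tbuEditProfile extends HttpServlet {
    protected void doPost(HttpServletRequest request, HttpServletResponse response) {
        String usEmail = request.getParameter("email");
        String sEmail = Validate(request.getParameter("email"));
        String usName = request.getParameter("name");
        profileDao.update(sEmail, usName);
    }
}
""",
    "dal/CustomerDAL.cs": """\
using System.Data.SqlClient;
public class CustomerDAL {
    public void Save(string sEmail) { /* parameterised SqlCommand here */ }
}
""",
    "core/tbsProcessNameChange.java": """\
public class tbsProcessNameChange {
    public void apply(String sName) { /* validated data only */ }
}
""",
}

if __name__ == "__main__":
    for path, f in triage(SAMPLE_FILES).items():
        print(path, "|", "; ".join(f.reasons) or "no boundary indicators", "|", f.unvalidated)
```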
  70. 70. Softwar S cur Trust*Boundary* Iden=fica=on* Automation OWASP* Top*10* Checklists* Tools* Reporting Automation Monday, 3 June, 13 Manual Review
  71. 71. Automation Static Code Analysis Pros Cons Scales Well False Positives Low Hanging Fruit Application Logic Issues Could Be Customized Collections Frameworks Softwar S cur Monday, 3 June, 13
  72. 72. Scripts ➡ Compliment Static Code Analysis Tools. ➡ 3rd Party Libraries Discovery. ➡ Data Input Sources (e,g. web services) ➡ Tracing Data Through Collections (e.g. Session, Request, Collection) Softwar S cur Monday, 3 June, 13
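The kind of helper script slides 63–68 and 72 describe, written here as an added example (not the deck's or SoftwareSecured's code): it flags files that sit on the trust boundary using the deck's own indicators (file patterns, servlet base classes, SqlClient/servlet imports, web-service annotations) and lists imported namespaces that are neither platform nor first-party as 3rd-party library candidates. The sample source tree, the regular expressions around the indicators, and the "known" namespace prefixes are this example's assumptions.

```python
import fnmatch
import re

# Trust-boundary indicators from slides 63-68 (globs and names are the deck's;
# the regular expressions wrapping them are this example's).
BOUNDARY_FILE_GLOBS = ["*.jsp", "*.aspx.cs", "*.sql", "*.txt", "*DAL.*", "*.master.cs"]
BOUNDARY_PATTERNS = {
    "servlet implementation": re.compile(r"\bextends\s+(?:HttpServlet|JAXMServlet)\b"),
    "servlet import": re.compile(r"^\s*import\s+javax\.servlet\.http\.", re.M),
    "SqlClient import": re.compile(r"^\s*(?:using|Imports)\s+System\.Data\.SqlClient\b", re.M),
    "web service annotation": re.compile(r"@Web(?:Method|Service)\b"),
}
# Any Java import / C# using directive; used for 3rd-party library discovery (slide 72).
IMPORT_RX = re.compile(r"^\s*(?:import|using)\s+([\w.*]+)\s*;", re.M)


def classify(path, source):
    """Reasons why one file sits on the trust boundary ([] means: not an entry point)."""
    name = path.rsplit("/", 1)[-1]
    reasons = [f"file pattern {g}" for g in BOUNDARY_FILE_GLOBS if fnmatch.fnmatchcase(name, g)]
    reasons += [label for label, rx in BOUNDARY_PATTERNS.items() if rx.search(source)]
    return reasons


def scan(tree):
    """tree maps path -> source text. Returns {path: reasons} for boundary files only."""
    hits = {}
    for path, source in tree.items():
        reasons = classify(path, source)
        if reasons:
            hits[path] = reasons
    return hits


def third_party_imports(tree, known_prefixes):
    """Imported namespaces that are neither platform nor first-party (prefixes are the caller's)."""
    found = {ns for s in tree.values() for ns in IMPORT_RX.findall(s) if not ns.startswith(known_prefixes)}
    return sorted(found)


# Constructed sample source tree (not from the deck or any real project).
SAMPLE_TREE = {
    "src/web/EditProfile.java": "import javax.servlet.http.*;\nimport org.apache.commons.io.FileUtils;\n"
                                "public class EditProfile extends HttpServlet {}\n",
    "src/svc/AccountService.java": "import javax.jws.WebService;\n@WebService\npublic class AccountService {}\n",
    "src/data/CustomerDAL.cs": "using System.Data.SqlClient;\nclass CustomerDAL {}\n",
    "src/util/StringHelper.java": "import java.util.List;\npublic final class StringHelper {}\n",
}

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_TREE).items():
        print(f"{path}: {', '.join(reasons)}")
    print("3rd-party:", third_party_imports(SAMPLE_TREE, ("java.", "javax.", "System.")))
```

The flagged files are the ones to name tbu*/review first; everything else can be left to the static analyser's low-hanging-fruit pass.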
73. Process map: Trust Boundary Identification, OWASP Top 10, Automation, Manual Review, Reporting, Tools, Checklists (this section: Manual Review)
74. What Needs to Be Manually Reviewed?
➡ Authentication & Authorization Controls
➡ Encryption Modules
➡ File Upload and Download Operations
➡ Validation Controls / Input Filters
➡ Security-Sensitive Application Logic
75–78. Authentication & Authorization Flaws
[Annotated code screenshot] Callout: Web Methods Do Not Follow Regular ASP.NET Page Life Cycle
79–84. Encryption Flaws
[Annotated code screenshot] Callouts:
➡ Return value is initialized
➡ Classic fail-open scenario
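The slides' screenshot is not in the transcript, so the pattern the two callouts name is reconstructed here as an added Python example (not the deck's code): a verification routine whose return value is initialised to the success value, with the error path swallowed, next to its fail-closed form. The HMAC check, key and message are constructed for the example; the reviewer's question it encodes is "what does this function return when the code between initialisation and return throws?"

```python
import hashlib
import hmac
import logging

SECRET_KEY = b"constructed-demo-key"  # constructed sample key, not from the deck


def expected_tag(message: bytes) -> str:
    """HMAC-SHA256 tag (hex) standing in for the 'encryption module' under review."""
    return hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()


def verify_fail_open(message: bytes, tag_hex: str) -> bool:
    """The pattern the slide calls out: the return value is initialised to the
    success value and every error path keeps it. Anything that throws before the
    comparison (here: a tag that is not valid hex) is reported as verified."""
    valid = True  # <- return value is initialized (to success)
    try:
        supplied = bytes.fromhex(tag_hex)          # ValueError on malformed input
        valid = hmac.compare_digest(supplied, bytes.fromhex(expected_tag(message)))
    except Exception as exc:                       # swallowed: classic fail-open
        logging.warning("verification error: %s", exc)
    return valid


def verify_fail_closed(message: bytes, tag_hex: str) -> bool:
    """Fail-closed: a parsing problem is a rejection, and the only way to return
    True is an explicit constant-time match."""
    try:
        supplied = bytes.fromhex(tag_hex)
    except ValueError:
        logging.warning("malformed tag rejected")
        return False
    return hmac.compare_digest(supplied, bytes.fromhex(expected_tag(message)))


if __name__ == "__main__":
    msg = b"amount=100&to=acct-42"                 # constructed sample message
    good, bad = expected_tag(msg), "not-hex!!"
    print("fail-open  :", verify_fail_open(msg, good), verify_fail_open(msg, bad))
    print("fail-closed:", verify_fail_closed(msg, good), verify_fail_closed(msg, bad))
```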
85–90. File Upload/Download Flaws
[Annotated code screenshot] Callouts:
➡ The value gets validated first time around
➡ File path saved into a hidden field
➡ File path is not validated on post back
➡ Path used without validation
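The four callouts describe one flow: validate on the first request, round-trip the path through a hidden field, trust it on post back. This added Python example (not the deck's code) walks that flow with a constructed upload root and form, and puts the post-back handler that re-validates beside the one that does not.

```python
import posixpath

UPLOAD_ROOT = "/srv/app/uploads"  # constructed location, not from the deck


def is_allowed_path(user_path: str) -> bool:
    """Canonicalise the client-supplied value and require it to stay under UPLOAD_ROOT."""
    full = posixpath.normpath(posixpath.join(UPLOAD_ROOT, user_path))
    return full == UPLOAD_ROOT or full.startswith(UPLOAD_ROOT + "/")


def resolve(user_path: str) -> str:
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, user_path))


def first_request(user_path: str) -> dict:
    """First round trip: the value IS validated, then written into a hidden form field."""
    if not is_allowed_path(user_path):
        raise ValueError("path rejected")
    return {"hidden_path": user_path}   # leaves the server; the client can change it


def postback_vulnerable(form: dict) -> str:
    """The slide's flaw: on post back the hidden field is trusted as if the earlier
    validation still applied, and the path is used with no check at all."""
    return resolve(form["hidden_path"])


def postback_fixed(form: dict) -> str:
    """Every value that comes back from the client is untrusted again: re-validate it
    (or keep the chosen path server-side and hand the client only an opaque id)."""
    user_path = form["hidden_path"]
    if not is_allowed_path(user_path):
        raise ValueError("path rejected")
    return resolve(user_path)


if __name__ == "__main__":
    form = first_request("reports/q1.pdf")            # passes validation once
    form["hidden_path"] = "../../app.config"          # constructed tampered post back
    print("vulnerable:", postback_vulnerable(form))   # resolves outside UPLOAD_ROOT
    try:
        postback_fixed(form)
    except ValueError as exc:
        print("fixed:", exc)
```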
91. Process map: Trust Boundary Identification, OWASP Top 10, Automation, Manual Review, Reporting, Tools, Checklists (this section: Reporting)
92. Reporting
➡ Weakness Metadata
➡ Thorough Description
➡ Recommendation
➡ Assign Priority
Sample finding:
SQL Injection
Location: source\ACMEPortal\updateinfo.aspx.cs
Description: The code below builds a dynamic SQL statement using unvalidated data (i.e. name), which can lead to SQL Injection.
    51 SqlDataAdapter myCommand = new SqlDataAdapter(
    52     "SELECT au_lname, au_fname FROM author WHERE au_id = '" +
    53     SSN.Text + "'", myConnection);
Priority: High
Recommendation: Use parameterized SQL instead of dynamic concatenation; refer to http://msdn.microsoft.com/en-us/library/ff648339.aspx for details.
Owner: John Smith
93–96. Confirmation & PoC
[Screenshots]
97. Process map: Trust Boundary Identification, OWASP Top 10, Automation, Manual Review, Reporting, Tools, Checklists (this section: Tools)
98. Security Code Review Tools
➡ Static Code Analysis
    ➡ Free: FindBugs, PMD, CAT.NET, PC-lint, etc
    ➡ Commercial: see Static Code Tools Evaluation Criteria - WASC
    ➡ 3rd Party Libraries: DependencyCheck - https://github.com/jeremylong/DependencyCheck
➡ Scripts
99. Open-Source Static Code Analysis Tools
[Tool logos grouped by platform] Java, .NET, C++
100. Process map: Trust Boundary Identification, OWASP Top 10, Automation, Manual Review, Reporting, Tools, Checklists (this section: Checklists)
101. Usage of checklists
➡ Aviation: led the evolution of modern airplanes after Major Hill's famous 1934 incident
➡ ICU: usage of checklists brought down infection rates in Michigan by 66%
102. Security Code Review Checklist
➡ Data Validation and Encoding Controls
➡ Encryption Controls
➡ Authentication and Authorization Controls
➡ Session Management
➡ Exception Handling
➡ Auditing and Logging
➡ Security Configurations
103. Resources To Conduct Your Checklist
➡ NIST Checklist Project - http://checklists.nist.gov/
➡ Mozilla's Secure Coding QA Checklist - https://wiki.mozilla.org/WebAppSec/Secure_Coding_QA_Checklist
➡ Oracle's Secure Coding Checklist - http://www.oracle.com/technetwork/java/seccodeguide-139067.html
104. Simplified Security Code Review Process
[Diagram overlaying the full process (Reconnaissance, Threat Modeling, Skills, Checklists, Tools, Automation, Manual Review, Confirmation & PoC, Reporting) on the simplified process (Trust Boundary Identification, OWASP Top 10, Automation, Manual Review, Reporting, Tools, Checklists)]
105. QUESTIONS?
@skoussa
sherif.koussa@owasp.org
sherif@softwaresecured.com