Secure Code Reviews

  • Hello. I would invite all who are interested in static code analysis to try our tool, PVS-Studio.
    PVS-Studio is a static analyzer that detects errors in the source code of C/C++/C++11 applications (Visual Studio 2005/2008/2010).
    Examples of using PVS-Studio:
    100 bugs in Open Source C/C++ projects
    http://www.viva64.com/en/a/0079/

  1. Secure Code Reviews
     Marco Morana, Senior Consultant, Foundstone, A Division of McAfee
     33rd CSI Conference, DEV-7, November 7th, 2006, Orlando, Florida

  2. Agenda
     • Introduction
       – What Secure Code Reviews Are Not
       – Why We Need Secure Code Reviews?
       – Code Reviews
     • Concepts and Strategies
       – Secure Code Reviews in the SDLC
       – Threat Modeling
       – Methodology
       – Coding Mistakes
       – Tools
     • Tips And Tricks
     • Resources

  3. Disclaimers
     Secure code reviews are not:
     1. A stand-alone activity separate from the SDLC
     2. A process that just relies on tools:
        – Managed programming languages
        – Automated code analysis
     3. A method to rate code as un-attackable
        – Code not scrutinized by security experts
        – False sense of security (i.e. false negatives)

  4. Why we need secure code reviews?
     1. Compliance with governing policies
     2. Assurance that code follows security best practices
     3. Security assessment before releasing to QA and production
     4. Measurement of the adequacy of security controls to mitigate known threats

  5. Code Reviews
     • One to One (peer to peer)
       – Part of the sign-off before handing off to QA
       – Integrated with the check-in process
     • Group (team-driven)
       – Advantage of many eyeballs
       – Team members take different roles
     Both need preparation and organization

  6. Code Reviews - Team Code Review Approach
     • Optimal scenario: a team of 4 people in a conference room with a whiteboard and projector
     • Team Roles
       – Lead Reviewer
       – Narrator
       – Author
       – Subject Matter Experts
  8. Secure Code Reviews in the SDLC (diagram slide)

  9. Code reviews in the Software Security Life Cycle: The economics of security defects (diagram slide)
  11. Methodology – Secure Code Review Process
      1. Build a Threat Model
         – Identify, evaluate and mitigate risks for the particular application
      2. Build an Attack Plan
         – Prioritize threats based on criticality
         – Map threats to code artifacts
         – Determine which high-risk areas to focus the effort on, based upon man-hours and costs
      3. Code Review
         – Document each vulnerability as a bug or a flaw
         – Review each section of the code for vulnerability categories

  12. What Is Threat Modeling?
      • Goal: identify the threats against the system and the appropriate countermeasures to mitigate the risk they pose
      • Model the system as an attacker will see it:
        – Where are the entry points?
        – Which assets are targets?
      • Recognize the attacker's advantage and the defender's dilemma:
        – Developers need to get the code 100% correct, 100% of the time, with limited resources and development time
        – Attackers need to find just one hole and can spend as much time finding it as they want

  13. Methodology - Secure Code Reviews Best Practices
      • Have clear goals
        – Tactical and strategic scenarios (e.g. new release vs. production)
        – Be specific about what must be accomplished
      • Decide which analysis style works best
        – Depth-first vs. breadth-first approach
      • Prioritize and simplify
        – Prioritize based upon critical areas
        – Break down system complexity
      • Be methodical
        – Annotate the code you are reviewing (e.g. comments, IDE task lists)
        – Use checklists

  14. Methodology - Secure Code Reviews
      • Reduce complexity
        – Threat modeling
        – Rapid scan
      • Review critical sections of the code
        – Correlate and annotate
        – Use IDE tools (e.g. Visual Studio, Eclipse)
      • Categorize security defects
        – Threat categorization
        – Checklists
        – Bugs vs. flaws

  15. Methodology - Security Defects Categorization
      Security defects can be categorized as:
      • Security Bugs – an implementation-level software security problem (e.g. buffer overflows, SQL injection)
      • Security Flaws – a design-level software security problem (e.g. an insecure authorization model or data access layer)

  16. Methodology - Threat Categorization
      Code is insecure because of the following threats:
      • STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege
      Code is secured by mapping threats to security controls:
      • CIA: Confidentiality, Integrity, Availability

  17. Methodology - Security Frame Categorization
      • Configuration Management – issues stemming from insecure deployment and administration
      • Data Protection in Storage and Transit – lack of adequate protection for secrets and other sensitive data
      • Authentication – lack of strong protocols to verify the identity of a component outside the trust boundary
      • Authorization – lack of mechanisms to enforce access controls on protected resources within the system

  18. Methodology – Security Frame Categorization (continued)
      • User and Session Management – lack of mechanisms to maintain session independence between multiple logged-on users, and insecure user provisioning and de-provisioning policies
      • Data Validation – lack of input and output validation when data crosses system or trust boundaries
      • Error Handling and Exception Management – failure to deal with exceptions effectively and in a secure manner, resulting in unauthorized disclosure of information
      • Logging and Auditing – failure to maintain detailed and accurate application logs that allow for traceability and non-repudiation

  19. Methodology - Secure Code Review Findings
      • Sections of a finding:
        – Bug vs. Flaw
        – Threat Categorization
        – Risk Rating
        – Module and LOC range
        – Code Snippet
        – Commendation or Recommendation
      • Recommendations are often not limited to the code but cover the design and the deployment environment as well!
  21. Coding Mistakes - Configuration Management
      Database credentials stored in clear text in a properties file:

        # credentials for the application database
        datasource.name=jdbc_1
        datasource.url=jdbc:oracle:thin:@dhs:1521:ORA1
        datasource.classname=oracle.jdbc.driver.OracleDriver
        datasource.username=scott
        datasource.password=tiger

  22. Coding Mistakes - Configuration Management
      ASP.NET web.config settings that turn off request validation and custom error pages, and turn on debug compilation and remotely visible trace output:

        <pages validateRequest="false"/>
        <!-- DYNAMIC DEBUG COMPILATION -->
        <compilation defaultLanguage="c#" debug="true"/>
        <!-- CUSTOM ERROR MESSAGES -->
        <customErrors mode="Off"/>
        <!-- APPLICATION-LEVEL TRACE LOGGING -->
        <trace enabled="true" requestLimit="10" pageOutput="true" traceMode="SortByTime" localOnly="false"/>

  23. Coding Mistakes - Data Protection in Storage and Transit
      A hard-coded symmetric key embedded in the source, with every exception swallowed:

        final public static byte key[] =
            {(byte) 0x31, (byte) 0xAB, (byte) 0x05, (byte) 0xF7,
             (byte) 0x45, (byte) 0x65, (byte) 0x98, (byte) 0xAB};
        try
        {
            encryptor.setKey(key);
            plainText = new String(encryptor.decrypt(text));
        }
        catch (Throwable te)
        {
            [...]
        }

  24. Coding Mistakes - Data Protection in Storage and Transit
      Passwords hashed with unsalted MD5; note also that the hex conversion sign-extends bytes above 0x7F because the byte is widened to an int first:

        public static String digest(String password) throws NoSuchAlgorithmException {
            MessageDigest md5 = MessageDigest.getInstance("MD5");
            byte[] hash = md5.digest(password.getBytes());
            return makeStringFromBytes(hash);
        }

        public static String makeStringFromBytes(byte[] bytes) {
            String result = "";
            for (int i = 0; i < bytes.length; ++i) {
                int n = bytes[i];
                result = result + " " + Integer.toHexString(n);
            }
            return result;
        }
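The following is an added example, not code from the slides: it reproduces the hex-encoding defect of slide 24 in Python so the sign-extension is visible, and shows the replacement for the unsalted MD5 digest (a per-user salt, an iterated KDF, and a constant-time comparison). The record format and iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional


def java_style_hex(data: bytes) -> str:
    """Reproduces the slide's makeStringFromBytes(): each byte is widened to a
    signed int, so values >= 0x80 come out sign-extended to 8 hex digits
    (Java's Integer.toHexString(-85) is "ffffffab") and small values are not
    zero-padded. The result is neither fixed-width nor reversible."""
    parts = []
    for b in data:
        n = b - 256 if b >= 0x80 else b            # signed, like a Java byte
        parts.append(format(n & 0xFFFFFFFF, "x"))  # 32-bit two's complement
    return " ".join(parts)


def fixed_hex(data: bytes) -> str:
    """Correct encoding: two zero-padded hex digits per byte."""
    return data.hex()


# PBKDF2-HMAC-SHA256 parameters; the iteration count is an assumption for this
# example and should be tuned to the deployment.
ITERATIONS = 100_000
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Replaces the slide's unsalted MD5: a random per-user salt and an
    iterated key derivation. Record format (chosen for this example):
    iterations$salt_hex$derived_key_hex."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in
    constant time, so a mismatch does not leak where the values diverge."""
    iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)
```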
  25. Coding Mistakes - Authentication
      The remaining-login-attempts counter is kept in a client-side cookie, i.e. in data the user controls:

        HttpCookie MyCookie;
        MyCookie = Request.Cookies["CookiesLoginAttempts"];
        MyCookie.Expires = DateTime.Now.AddHours(10);
        // decrement
        int logInAtt = Convert.ToInt32(MyCookie.Value.ToString());
        CookieVal = int.Parse(MyCookie.Value.ToString());
        if (CookieVal > 0)
            CookieVal -= 1;
        // store in response cookie
        HttpCookie AttemptCntCookie = new HttpCookie("CookieLoginAttempts");
        AttemptCntCookie.Value = CookieVal.ToString();

  26. Coding Mistakes - Authorization
      Hidden form fields carry validation switches and the price, all of which the client can rewrite before submitting:

        <input value="true" type="HIDDEN" bean="thisFormHandler.verifyCreditCardNumber"/>
        <input value="true" type="HIDDEN" bean="thisFormHandler.validatePrice"/>
        <FORM method=post action="http://www.acme.com/cgi-bin/shop/shoppingcart.exe/products/telephonedevices">
        <b><font size="5">Sale Price $169.95!</font></b><BR>
        <input type="HIDDEN" name="ID" value="PESL100">
        <input type="HIDDEN" name="Describe" value="Pro Series Telephone Analyzer">
        <input name="Qty" size=3 value=""> Quantity <BR>
        <input type="HIDDEN" name="Price" VALUE="169.95">

  27. Coding Mistakes - Authorization
      Authorization decided by which links are rendered in the UI, with the action itself selected by a URL parameter:

        if (sess.getCurrentUser().isCSR()) {
            URLList.add("View Customer Details",
                        "/jsp/Customer.do?action=view&id=" + custId);
            URLList.add("Edit Customer Details",
                        "/jsp/Customer.do?action=edit&id=" + custId);
            URLList.add("Delete Customer",
                        "/jsp/Customer.do?action=delete&id=" + custId);
        } else {
            URLList.add("View Customer Details",
                        "/jsp/Customer.do?action=view&id=" + custId);
        }

  28. Coding Mistakes - User and Session Management
      Session state, including the password, handed to the browser in clear-text cookies:

        HTTP/1.1 302 Found
        Date: Tue, 21 Feb 2006 19:16:08 GMT
        Server: Apache/2.0.46 (Red Hat)
        Accept-Ranges: bytes
        X-Powered-By: PHP/4.3.2
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
        Pragma: no-cache
        Set-Cookie: userid=mmorana; expires=Thu, 01-Jun-2006 19:16:08 GMT; path=/
        Set-Cookie: password=xxxxxxx; expires=Thu, 01-Jun-2006 19:16:08 GMT; path=/
        Set-Cookie: communityid=202; expires=Thu, 01-Jun-2006 19:16:08 GMT; path=/

  29. Coding Mistakes - Data Validation
      Search keywords concatenated straight into the SQL statement:

        public List getProductsByTitleKeyWords(String[] keywords)
        {
            JdbcTemplate jt = new JdbcTemplate(getDataSource());
            String query = "select * from products where " + createCriteria(keywords);
            List list = jt.query(query, new ProductRowMapper());
            Iterator iter = list.iterator();
            while (iter.hasNext()) {
                Product prod = (Product) iter.next();
                prod.setFeedback(getFeedBacks(prod));
            }
            return list;
        }
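An added example, not from the slides or the project they describe: the keyword search of slide 29 rebuilt in Python against a constructed in-memory SQLite table, with the concatenated form kept alongside a createCriteria() that uses bind parameters and escapes LIKE wildcards. The product rows and function names are constructed for the example.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample rows for the example (not real catalogue data).
SAMPLE_PRODUCTS = [
    (1, "Pro Series Telephone Analyzer", 169.95),
    (2, "Telephone Line Tester", 49.00),
    (3, "Network Cable Analyzer", 299.00),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("create table products (id integer primary key, title text, price real)")
    conn.executemany("insert into products values (?, ?, ?)", SAMPLE_PRODUCTS)
    return conn


def vulnerable_query(keywords: List[str]) -> str:
    """What the slide's string concatenation amounts to: keyword text becomes
    part of the SQL statement, so a quote in a keyword changes its structure."""
    criteria = " or ".join(f"title like '%{k}%'" for k in keywords)
    return "select * from products where " + criteria


def concatenation_breaks(conn: sqlite3.Connection, keyword: str) -> bool:
    """True when the concatenated statement no longer parses for this keyword,
    i.e. the keyword was interpreted as SQL rather than as data."""
    try:
        conn.execute(vulnerable_query([keyword]))
        return False
    except sqlite3.OperationalError:
        return True


def like_pattern(keyword: str) -> str:
    # Escape LIKE metacharacters so "100%" matches the literal text, not everything.
    escaped = keyword.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return f"%{escaped}%"


def create_criteria(keywords: List[str]) -> Tuple[str, List[str]]:
    """Fixed createCriteria(): one bind placeholder per keyword. The values are
    passed to the driver separately and are never parsed as SQL."""
    if not keywords:
        return "1 = 0", []  # no keywords: match nothing
    clause = " or ".join("title like ? escape '\\'" for _ in keywords)
    return clause, [like_pattern(k) for k in keywords]


def get_products_by_title_keywords(conn: sqlite3.Connection,
                                   keywords: List[str]) -> List[tuple]:
    clause, params = create_criteria(keywords)
    sql = "select id, title, price from products where " + clause + " order by id"
    return conn.execute(sql, params).fetchall()
```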
  30. Coding Mistakes - Error Handling And Exception Handling
      If ReadSecretFile() throws, LowerPrivilege() is never called and execution continues with elevated privileges:

        try
        {
            ElevatePrivilege();
            ReadSecretFile();
            LowerPrivilege();
        }
        catch (Exception e)
        {
            ReportException();
        }

  31. Coding Mistakes - Error Handling And Exception Handling
      An error page that reveals internal details to the user:

        Error Message: executeRSProcedure Exception: java.sql.SQLException: ORA-06502: PL/SQL: numeric or value error: character to number conversion error
        Server Name: host1.acme.com
        Server Info: IBM WebSphere Application Server/5.1
        Remote Address: 192.168.12.34

  32. Coding Mistakes - Error Handling And Exception Handling
      Authentication error messages that reveal which part of the credential was wrong:
      • "The password is invalid for the account"
      • "The username does not exist"
      • "The DOB you entered is invalid"
      • "Your account has been locked due to too many invalid attempts"

  33. Coding Mistakes - Logging And Auditing
      The clear-text password and the whole user table written to the application log:

        private void btnLogin_Click(object sender, System.EventArgs e) {
            //..
            LogString("User " + txtUserName.Text + " with password " + txtPassword.Text + " logged in at " + DateTime.Now.ToString());
            //..
            DataSet ds = GetUserTable();
            //..
            Logdata(ds);
            //..
        }
  35. Tools - Tools for Static Code Analysis
      Advantages:
      • Perform preliminary scanning of large code sets in little time
      • Provide consistent results
      • Can be used as a secure code check-in gateway
      • Identify common coding bugs (low-hanging fruit)

  36. Tools - Tools for Static Code Analysis
      Common bugs identified by static parsers:
      • Insecure functions
      • Lack of proper input validation and output filtering
      • Weak crypto algorithms
      • Exception handling errors
      • Hard-coded passwords, keys, connection strings

  37. Tools - Tools for Static Code Analysis
      Disadvantages:
      • Do not identify security flaws (design-level problems)
      • Generate a large number of false positives
      • Provide a false sense of security
      Examples:
      • ITS4
      • RATS
      • FlawFinder
      • CodeAssure
      • PREfix/PREfast
      • Foundstone CodeScout
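An added example, not taken from the slides or from any of the tools listed: a minimal pattern-based checker of the kind slides 35 to 37 describe, run over constructed lines that mirror the deck's coding-mistake slides. The rules are assumptions made for the example; the sample input is built to show both a false positive (a deploy-time placeholder flagged as a hard-coded secret) and a design flaw that no line-level rule catches (authorization decided in presentation code, slide 27).

```python
import re
from typing import List, Tuple

# Rules are assumptions for this example; real tools ship far larger rule sets.
# Each entry: (rule id, compiled pattern, finding message).
RULES = [
    ("hardcoded-secret", re.compile(r"(?i)\b(password|passwd|pwd)\s*=\s*\S+"),
     "hard-coded password or credential"),
    ("weak-hash", re.compile(r'(?i)getInstance\(\s*"(MD5|SHA-?1)"\s*\)'),
     "weak hash algorithm"),
    ("debug-on", re.compile(r'(?i)<compilation[^>]*debug\s*=\s*"true"'),
     "debug compilation enabled"),
    ("custom-errors-off", re.compile(r'(?i)<customErrors[^>]*mode\s*=\s*"Off"'),
     "custom errors disabled, raw errors reach the user"),
    ("sql-concat", re.compile(r'(?i)"\s*select\b[^"]*"\s*\+'),
     "SQL statement built by string concatenation"),
    ("password-logged", re.compile(r"(?i)\bLog\w*\([^;]*password"),
     "password written to a log"),
]

# Constructed sample input mirroring slides 21-33, one line each. Line 2 is a
# false positive (placeholder resolved at deployment); line 8 is the slide 27
# design flaw, which no rule here can see.
SAMPLE_LINES = '''
datasource.password=tiger
datasource.password=${DB_PASSWORD}
MessageDigest md5 = MessageDigest.getInstance("MD5");
<compilation defaultLanguage="c#" debug="true"/>
<customErrors mode="Off"/>
String query = "select * from products where " + createCriteria(keywords);
LogString("User " + txtUserName.Text + " with password " + txtPassword.Text);
if (sess.getCurrentUser().isCSR()) { URLList.add("Delete Customer", deleteUrl); }
'''.strip().splitlines()


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, rule id, message) for every rule that fires."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for rule_id, pattern, message in RULES:
            if pattern.search(line):
                findings.append((lineno, rule_id, message))
    return findings


def rule_ids(lines: List[str]) -> List[str]:
    """Just the rule ids, in line order, for quick comparison."""
    return [rule_id for _, rule_id, _ in scan(lines)]
```

Every finding still needs a reviewer to confirm it, and the bare miss on line 8 is the deck's point that tools find bugs, not flaws.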
  38. Tools - Tools for Dynamic Analysis
      Advantages:
      • Integrate with debuggers and IDEs
      • Monitor access to resources (files, libraries, data, registry keys)
      • Monitor network access
      • Help identify data flows
      Examples:
      • CLR Profiler
      • NProf
      • Sysinternals tools – FileMon, RegMon
      • Foundstone .NETMon

  39. Tips And Tricks
      1. Have a plan
         – Focus on clear objectives
         – Organize the team
         – Review incrementally
      2. Follow a methodology
         – Identify threats and countermeasures
         – Use vulnerability checklists and tools
         – Categorize security defects

  40. Tips And Tricks (continued)
      3. Integrate with other activities in the S-SDLC
         – Information risk management
         – Metrics and measurements
         – Training and awareness
      4. Revise the plan and the process
         – Threats and vulnerabilities
         – New techniques
         – People, process and technology

  41. Questions?

  42. Resources
      • Software Security Code Review: Code Inspection Finds Problems, R. Araujo and M. Curphey – http://www.softwaremag.com
      • A Process for Performing Security Code Reviews, M. Howard – http://www.computer.org
      • How To: Perform a Security Code Review for Managed Code, Microsoft Patterns & Practices – http://msdn.microsoft.com

  43. Contact Information
      • Presenter email: marco.morana@foundstone.com
      • Foundstone Software Application Security Services (SASS) – www.foundstone.com/sass
      • Foundstone Training – www.foundstone.com/education
