Secure Code Reviews
  • Hello. I would invite all who are interested in static code analysis to try our tool PVS-Studio.
    PVS-Studio is a static analyzer that detects errors in the source code of C/C++/C++11 applications (Visual Studio 2005/2008/2010).
    Examples of PVS-Studio use:
    100 bugs in Open Source C/C++ projects
    http://www.viva64.com/en/a/0079/
Secure Code Reviews: Presentation Transcript

  • Secure Code Reviews
    Marco Morana, Senior Consultant, Foundstone, A Division of McAfee
    33rd CSI Conference, DEV-7, November 7th, 2006, Orlando, Florida
  • Agenda
    • Introduction
      – What Secure Code Reviews Are Not
      – Why We Need Secure Code Reviews?
      – Code Reviews
    • Concepts and Strategies
      – Secure Code Reviews in the SDLC
      – Threat Modeling
      – Methodology
      – Coding Mistakes
      – Tools
    • Tips and Tricks
    • Resources
  • Disclaimers
    Secure code reviews are not:
    1. A stand-alone activity separate from the SDLC
    2. A process that just relies on tools:
       – A managed programming language
       – Automated code analysis
    3. A method to rate code as un-attackable
       – The code has not been scrutinized by security experts
       – False sense of security (i.e. false negatives)
  • Why we need secure code reviews?
    1. Compliance with governing policies
    2. Assurance that code follows security best practices
    3. Security assessment before releasing to QA and production
    4. Measurement of the adequacy of security controls to mitigate known threats
  • Code Reviews
    • One to one (peer to peer)
      – Part of the sign-off before handing off to QA
      – Integrated with the check-in process
    • Group (team-driven)
      – Advantage of many eyeballs
      – Team members take different roles
    Both need preparation and organization.
  • Code Reviews - Team Code Review Approach
    • Optimal scenario: a team of 4 people in a conference room with a whiteboard and projector
    • Team roles
      – Lead Reviewer
      – Narrator
      – Author
      – Subject Matter Experts
  • Secure Code Reviews in the SDLC
  • Code reviews in the Software Security Life Cycle: the economics of security defects
  • Methodology - Secure Code Review Process
    1. Build a Threat Model
       – Identify, evaluate and mitigate risks for the particular application
    2. Build an Attack Plan
       – Prioritize threats based on criticality
       – Map threats to code artifacts
       – Determine which high-risk areas to focus the effort on, based upon man-hours and costs
    3. Code Review
       – Document each vulnerability as a bug or a flaw
       – Review each section of the code for vulnerability categories
  • What Is Threat Modeling?
    • Goal: identify the threats against the system and the appropriate countermeasures to mitigate the risk they pose
    • Model the system as an attacker will see it:
      – Where are the entry points?
      – Which assets are targets?
    • Recognize the attacker's advantage and the defender's dilemma:
      – Developers need to get the code 100% correct, 100% of the time, with limited resources and development time
      – Attackers need to find just one hole and can spend as much time finding it as they want
  • Methodology - Secure Code Reviews Best Practices
    • Have clear goals
      – Tactical and strategic scenarios (e.g. new release vs. production)
      – Be specific on what must be accomplished
    • Decide which analysis style works best
      – Depth-first vs. breadth-first approach
    • Prioritize and simplify
      – Prioritize based upon critical areas
      – Break down system complexity
    • Be methodical
      – Annotate the code you are reviewing (e.g. comments, IDE task lists)
      – Use checklists
  • Methodology - Secure Code Reviews
    • Reduce complexity
      – Threat modeling
      – Rapid scan
    • Review critical sections of the code
      – Correlate and annotate
      – Use IDE tools (e.g. Visual Studio, Eclipse)
    • Categorize security defects
      – Threat categorization
      – Checklists
      – Bugs vs. flaws
  • Methodology - Security Defects Categorization
    Security defects can be categorized as:
    • Security Bugs
      – An implementation-level software security problem (e.g. buffer overflows, SQL injection)
    • Security Flaws
      – A design-level software security problem (e.g. an insecure authorization model or data access layer)
  • Methodology - Threat Categorization
    Code is insecure because of the following threats:
    • STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege
    Secure the code by mapping to security controls:
    • CIA: Confidentiality, Integrity, Availability
  • Methodology - Security Frame Categorization
    • Configuration Management
      – Issues stemming from insecure deployment and administration
    • Data Protection in Storage and Transit
      – Lack of adequate protection for secrets and other sensitive data
    • Authentication
      – Lack of strong protocols to verify the identity of a component outside the trust boundary
    • Authorization
      – Lack of mechanisms to enforce access controls on protected resources within the system
  • Methodology - Security Frame Categorization
    • User and Session Management
      – Lack of mechanisms to maintain session independence between multiple logged-on users, and insecure user provisioning and de-provisioning policies
    • Data Validation
      – Lack of input and output validation when data crosses system or trust boundaries
    • Error Handling and Exception Management
      – Failure to deal with exceptions effectively and in a secure manner, resulting in unauthorized disclosure of information
    • Logging and Auditing
      – Failure to maintain detailed and accurate application logs that allow for traceability and non-repudiation
  • Methodology - Secure Code Review Findings
    • Sections:
      – Bug vs. Flaw
      – Threat Categorization
      – Risk Rating
      – Module and LOC range
      – Code Snippet
      – Commendation or Recommendation
    • Recommendations are often not limited to the code but also cover the design and the deployment environment!
  • Coding Mistakes - Configuration Management
    # credentials for the application database
    datasource.name=jdbc_1
    datasource.url=jdbc:oracle:thin:@dhs:1521:ORA1
    datasource.classname=oracle.jdbc.driver.OracleDriver
    datasource.username=scott
    datasource.password=tiger
  • Coding Mistakes - Configuration Management
    <pages validateRequest="false"/>
    <!-- DYNAMIC DEBUG COMPILATION -->
    <compilation defaultLanguage="c#" debug="true"/>
    <!-- CUSTOM ERROR MESSAGES -->
    <customErrors mode="Off"/>
    <!-- APPLICATION-LEVEL TRACE LOGGING -->
    <trace enabled="true" requestLimit="10" pageOutput="true" traceMode="SortByTime" localOnly="false"/>
  • Coding Mistakes - Data Protection in Storage and Transit
    // hard-coded symmetric key compiled into the application
    final public static byte key[] =
        {(byte) 0x31, (byte) 0xAB, (byte) 0x05, (byte) 0xF7,
         (byte) 0x45, (byte) 0x65, (byte) 0x98, (byte) 0xAB};
    try
    {
        encryptor.setKey(key);
        plainText = new String(encryptor.decrypt(text));
    }
    catch (Throwable te)
    {
        [...]
    }
  • Coding Mistakes - Data Protection in Storage and Transit
    // unsalted MD5 of the password; the digest is then stored as a hex string
    public static String digest(String password) throws NoSuchAlgorithmException {
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        md5.update(password.getBytes());
        byte[] hash = md5.digest();
        return makeStringFromBytes(hash);
    }
    public static String makeStringFromBytes(byte[] bytes) {
        String result = "";
        for (int i = 0; i < bytes.length; ++i) {
            int n = bytes[i];
            result = result + " " + Integer.toHexString(n);
        }
        return result;
    }
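As an added example (not the slide's code), the unsalted MD5 scheme above is modelled in Python next to a salted, iterated and constant-time-verified alternative; the function names and the stored record format are assumptions made for this illustration.

```python
# Added example, not from the slides: weak unsalted digest vs. salted PBKDF2.
import hashlib
import hmac
import os

# 600,000 follows OWASP's 2023 guidance for PBKDF2-HMAC-SHA256; callers may
# pass a lower count only for tests.
PBKDF2_ITERATIONS = 600_000


def weak_digest(password: str) -> str:
    """Unsalted MD5, as in the slide: equal passwords give equal digests, so one
    precomputed table of common passwords breaks every account at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' (assumed format)
    using a fresh random 16-byte salt, so equal passwords hash differently."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time.
    A malformed record is treated as a failed login, never as a pass."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    except ValueError:
        return False
    return hmac.compare_digest(dk.hex(), hash_hex)
```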
  • Coding Mistakes - Authentication
    // remaining login attempts are tracked in a client-side cookie
    HttpCookie MyCookie;
    MyCookie = Request.Cookies["CookiesLoginAttempts"];
    MyCookie.Expires = DateTime.Now.AddHours(10);
    // decrement
    int logInAtt = Convert.ToInt32(MyCookie.Value.ToString());
    int CookieVal = int.Parse(MyCookie.Value.ToString());
    if (CookieVal > 0)
        CookieVal -= 1;
    // store in response cookie
    HttpCookie AttemptCntCookie = new HttpCookie("CookieLoginAttempts");
    AttemptCntCookie.Value = CookieVal.ToString();
  • Coding Mistakes - Authorization
    <input value="true" type="HIDDEN" bean="thisFormHandler.verifyCreditCardNumber"/>
    <input value="true" type="HIDDEN" bean="thisFormHandler.validatePrice"/>

    <FORM method=post action="http://www.acme.com/cgi-bin/shop/shoppingcart.exe/products/telephonedevices">
    <b><font size="5">Sale Price $169.95!</font></b><BR>
    <input type="HIDDEN" name="ID" value="PESL100">
    <input type="HIDDEN" name="Describe" value="Pro Series Telephone Analyzer">
    <input name="Qty" size=3 value=""> Quantity <BR>
    <input type="HIDDEN" name="Price" VALUE="169.95">
  • Coding Mistakes - Authorization
    // only the menu differs by role; the action URLs themselves are not protected
    if (sess.getCurrentUser().isCSR()) {
        URLList.add("View Customer Details",
                    "/jsp/Customer.do?action=view&id=" + custId);
        URLList.add("Edit Customer Details",
                    "/jsp/Customer.do?action=edit&id=" + custId);
        URLList.add("Delete Customer",
                    "/jsp/Customer.do?action=delete&id=" + custId);
    } else {
        URLList.add("View Customer Details",
                    "/jsp/Customer.do?action=view&id=" + custId);
    }
  • Coding Mistakes - User and Session Management
    HTTP/1.1 302 Found
    Date: Tue, 21 Feb 2006 19:16:08 GMT
    Server: Apache/2.0.46 (Red Hat)
    Accept-Ranges: bytes
    X-Powered-By: PHP/4.3.2
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Set-Cookie: userid=mmorana; expires=Thu, 01-Jun-2006 19:16:08 GMT; path=/
    Set-Cookie: password=xxxxxxx; expires=Thu, 01-Jun-2006 19:16:08 GMT; path=/
    Set-Cookie: communityid=202; expires=Thu, 01-Jun-2006 19:16:08 GMT; path=/
  • Coding Mistakes - Data Validation
    // the WHERE clause is assembled from the caller's keywords by string concatenation
    public List getProductsByTitleKeyWords(String[] keywords)
    {
        JdbcTemplate jt = new JdbcTemplate(getDataSource());
        String query = "select * from products where " + createCriteria(keywords);
        List list = jt.query(query, new ProductRowMapper());
        Iterator iter = list.iterator();
        while (iter.hasNext()) {
            Product prod = (Product) iter.next();
            prod.setFeedback(getFeedBacks(prod));
        }
        return list;
    }
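As an added example (not the slide's code), the concatenating createCriteria() pattern above is reproduced in Python against an in-memory SQLite table, beside the parameterised form a reviewer would recommend; the table contents and the assumed shape of createCriteria() (one LIKE clause per keyword, joined by OR) are constructed for this illustration.

```python
# Added example, not from the slides: concatenated vs. parameterised keyword search.
import sqlite3


def open_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the slide's products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table products (id integer primary key, title text, price real)")
    conn.executemany("insert into products (title, price) values (?, ?)", [
        ("Pro Series Telephone Analyzer", 169.95),
        ("Telephone Line Tester", 49.00),
        ("Network Cable Crimper", 22.50),
    ])
    return conn


def products_by_keywords_vulnerable(conn, keywords):
    """Mirrors the slide: caller-supplied keywords are pasted straight into SQL,
    so a keyword containing a quote changes the query's structure."""
    criteria = " or ".join(f"title like '%{kw}%'" for kw in keywords)
    query = "select * from products where " + criteria
    return conn.execute(query).fetchall()


def products_by_keywords_safe(conn, keywords):
    """Same query shape, but each keyword travels as a bound parameter and can
    only ever be matched as data inside the LIKE pattern."""
    if not keywords:
        return []
    criteria = " or ".join("title like ?" for _ in keywords)
    params = [f"%{kw}%" for kw in keywords]
    return conn.execute("select * from products where " + criteria, params).fetchall()
```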
  • Coding Mistakes - Error Handling And Exception Handling
    try
    {
        ElevatePrivilege();
        ReadSecretFile();
        LowerPrivilege();
    }
    catch (Exception e)
    {
        ReportException();
    }
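As an added example (not the slide's code), the ElevatePrivilege / ReadSecretFile / LowerPrivilege sequence above is simulated in Python so the failure mode is observable: when the read throws, control jumps to the catch block and the call that drops privilege is never reached. The Privilege class and the failing read are constructed stand-ins, not a real API.

```python
# Added example, not from the slides: privilege left elevated on the exception path.
class Privilege:
    """Constructed stand-in that records the current privilege state."""

    def __init__(self):
        self.elevated = False
        self.reported = []

    def elevate(self):
        self.elevated = True

    def lower(self):
        self.elevated = False

    def report(self, exc):
        self.reported.append(repr(exc))


def read_secret_file(fail: bool) -> str:
    """Constructed read that can be made to throw, like a missing or locked file."""
    if fail:
        raise IOError("secret file unreadable")
    return "secret"


def read_as_in_slide(priv: Privilege, fail: bool = False):
    """Same control flow as the slide: LowerPrivilege() sits inside the try, so
    it is skipped whenever ReadSecretFile() throws and the process stays elevated."""
    try:
        priv.elevate()
        data = read_secret_file(fail)
        priv.lower()
        return data
    except Exception as e:
        priv.report(e)
        return None


def read_hardened(priv: Privilege, fail: bool = False):
    """Drop privilege in finally: it runs on success and on every exception path,
    and the elevated window is limited to the single call that needs it."""
    priv.elevate()
    try:
        return read_secret_file(fail)
    except Exception as e:
        priv.report(e)
        return None
    finally:
        priv.lower()
```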
  • Coding Mistakes - Error Handling And Exception Handling
    Error Message: executeRSProcedure
    Exception: Java.sql.SQLException: ORA-06502: PL/SQL: numeric or value error: character to number conversion error
    Server Name: host1.acme.com
    Server Info: IBM WebSphere Application Server/5.1
    Remote Address: 192.168.12.34
  • Coding Mistakes - Error Handling And Exception Handling
    • "The password is invalid for the account"
    • "The username does not exist"
    • "The DOB you entered is invalid"
    • "Your account has been locked due to too many invalid attempts"
  • Coding Mistakes - Logging And Auditing
    private void btnLogin_Click(object sender, System.EventArgs e) {
        //..
        // the clear-text password and the whole user table end up in the log
        LogString("User " + txtUserName.Text + " with password " + txtPassword.Text + " logged in at " + DateTime.Now.ToString());
        //..
        DataSet ds = GetUserTable();
        //..
        Logdata(ds);
        //..
    }
  • Tools - Tools for Static Code Analysis
    Advantages:
    • Perform preliminary scanning of large code sets in little time
    • Provide consistent results
    • Can be used as a secure code check-in gateway
    • Identify common coding bugs (low-hanging fruit)
  • Tools - Tools for Static Code Analysis
    Common bugs identified by static parsers:
    • Insecure functions
    • Lack of proper input validation and output filtering
    • Weak crypto algorithms
    • Exception handling errors
    • Hard-coded passwords, keys, connection strings
  • Tools - Tools for Static Code Analysis
    Disadvantages:
    • Do not identify security flaws
    • Generate a large number of false positives
    • Provide a false sense of security
    Examples:
    • ITS4
    • RATS
    • FlawFinder
    • CodeAssure
    • PreFIX/PreFAST
    • Foundstone CodeScout
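As an added example (not one of the tools named on the slides), the check below is the kind of "hard-coded passwords and insecure settings" rule a static parser applies, run over the two configuration fragments from the Configuration Management slides, embedded here as constructed input. Each finding is labelled with the security-frame category the slides use; the rule set and its messages are assumptions for this illustration.

```python
# Added example, not from the slides: a minimal static check for the config mistakes shown earlier.
import re

# Constructed copies of the two configuration fragments from the slides.
JAVA_PROPS = """\
# credentials for the application database
datasource.name=jdbc_1
datasource.url=jdbc:oracle:thin:@dhs:1521:ORA1
datasource.classname=oracle.jdbc.driver.OracleDriver
datasource.username=scott
datasource.password=tiger
"""

WEB_CONFIG = """\
<pages validateRequest="false"/>
<compilation defaultLanguage="c#" debug="true"/>
<customErrors mode="Off"/>
<trace enabled="true" requestLimit="10" pageOutput="true" traceMode="SortByTime" localOnly="false"/>
"""

# (pattern, security-frame category, message); an ordered list keeps output deterministic.
RULES = [
    (re.compile(r"^\s*[\w.]*(password|passwd|secret|key)\s*=\s*\S+", re.I | re.M),
     "Configuration Management", "hard-coded credential in properties file"),
    (re.compile(r'<pages[^>]*validateRequest="false"', re.I),
     "Data Validation", "ASP.NET request validation disabled"),
    (re.compile(r'<compilation[^>]*debug="true"', re.I),
     "Configuration Management", "debug compilation enabled in deployed config"),
    (re.compile(r'<customErrors[^>]*mode="Off"', re.I),
     "Error Handling and Exception Management", "detailed errors shown to remote clients"),
    (re.compile(r'<trace[^>]*enabled="true"[^>]*localOnly="false"', re.I),
     "Logging and Auditing", "page tracing exposed to remote clients"),
]


def scan(text: str):
    """Return [(line_no, category, message)] for every rule match, ordered by line.
    Like the tools on the slides, this finds bugs in settings, not design flaws."""
    findings = []
    for pattern, category, message in RULES:
        for m in pattern.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((line_no, category, message))
    return sorted(findings)
```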
  • Tools - Tools for Dynamic Analysis
    Advantages:
    • Integrate with debuggers and IDEs
    • Monitor access to resources (files, libraries, data, registry keys)
    • Monitor network access
    • Help identify data flows
    Examples:
    • CLR Profiler
    • NProf
    • Sysinternals Tools (FileMon, RegMon)
    • Foundstone .NETMon
  • Tips And Tricks
    1. Have a plan
       – Focus on clear objectives
       – Organize the team
       – Review incrementally
    2. Follow a methodology
       – Identify threats and countermeasures
       – Use vulnerability checklists and tools
       – Categorize security defects
  • Tips And Tricks
    3. Integrate with other activities in the S-SDLC
       – Information risk management
       – Metrics and measurements
       – Training and awareness
    4. Revise the plan and the process
       – Threats and vulnerabilities
       – New techniques
       – People, process and technology
  • Questions?
  • Resources
    • Software Security Code Review: Code Inspection Finds Problems, R. Araujo and M. Curphey
      – http://www.softwaremag.com
    • A Process for Performing Security Code Reviews, M. Howard
      – http://www.computer.org
    • How To: Perform a Security Code Review for Managed Code, Microsoft Patterns & Practices
      – http://msdn.microsoft.com
  • Contact Information
    • Presenter Email:
      – marco.morana@foundstone.com
    • Foundstone Software Application Security Services (SASS)
      – www.foundstone.com/sass
    • Foundstone Training
      – www.foundstone.com/education