Manual Code Review

null Bangalore Chapter - March 2014 Meet

Presentation Transcript

Slide 1: Manual Code Review
Sandesh Anand, anand.sandesh@gmail.com, www.linkedin.com/in/anandsandesh/

Slide 2: Who am I?
• Security Consultant at Cigital Inc.
• Ex-developer
• Areas of interest
  – Static analysis
  – Helping developers fix security bugs
  – Web app pen testing
  – Curious about all things security

Slide 3: What are we talking about?
• Why review code?
• Automated v/s manual review
• Manual review – 10,000 ft. view
• Manual code review in 60 seconds

Slide 4: Why review code?
• Finding bugs early in the lifecycle is cheaper
• Different visibility into the code
  – Reach all parts of the code
  – Some issues are only visible in code review (examples in the demo)
  – Helps in identifying “where” the problem is

Slide 5: Why review code? So, pen testing is useless, right?
Not quite. Why not?
  – Don’t want to be killed by a room full of pen-testers
  – Better at proving “exploitability”
  – Makes it easier to evangelize security in an organization
  – Coverage is different from code review (e.g.: issues in application server configuration)
  – Understand what an attacker is looking at

Slide 6: Automated v/s Manual
This topic never ends. Here are some highlights:
• Automated tools can plough through more code in less time. Very useful for large applications
• Manual code review uses knowledge available to the tester
• Tool support for certain programming languages is stronger than for others (Java v/s Perl)
• Quality of manual review depends on the individual
And so on…
Bottom line: use both in a complementary manner

Slide 7: Manual review – 10,000 ft. view
• Understand the application
  – Purpose of the application
  – Flow of the application
  – Technologies used
  – Environment (type of DB, frameworks, app server, etc.)
  – Business logic
  – Etc.
• Understand the approach to security controls:
  – Authentication and authorization
  – Handling untrusted data
  – Handling sensitive information
  – Session handling
  – Network boundaries
  – Error handling and logging
  – Misuse of security-related APIs (crypto, randomness, etc.)
  – Etc.
• Look for specific vulnerabilities
  – Issues common to most applications (e.g.: race conditions, resource management, information leakage, validation routines)
  – Language-specific issues (e.g.: format string attacks in C)
  – Framework-specific issues (e.g.: review ACEGI configuration)
  – Looking for malicious code / insider threat

Slide 8: Manual code review in 60 seconds
• Understand the application
• Review a security control (Hint: pick logging)
• Look for specific vulnerabilities
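A worked illustration of the "pick logging" step and the "handling sensitive information" and "handling untrusted data" controls from the 10,000 ft. view: an added example, not code from the deck or from the speaker, with a constructed failed-login audit routine. It shows the two findings a reviewer would write up (the untrusted username is logged verbatim, so one embedded line break forges a second log event, and the password is written to the log) beside a hardened version.

```python
import logging
import re
from io import StringIO

# Constructed sample: a failed-login audit routine of the kind a reviewer
# examines under "Error handling and logging" / "Handling sensitive information".

def weak_log_failed_login(logger, username, password):
    """Before: untrusted input written verbatim, and the secret is logged."""
    logger.warning("login failed user=%s password=%s" % (username, password))

_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

def sanitize_for_log(value, max_len=64):
    """Neutralise CR/LF and other control characters so one event stays one line."""
    value = str(value)[:max_len]
    return _CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), value)

def hardened_log_failed_login(logger, username, password):
    """After: the untrusted field is sanitised and the password is never logged."""
    logger.warning("login failed user=%s", sanitize_for_log(username))

def capture(fn, username, password):
    """Run fn with a fresh logger writing to a buffer; return the captured log text."""
    buf = StringIO()
    logger = logging.getLogger("review-demo-" + fn.__name__)
    logger.handlers = []
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    fn(logger, username, password)
    handler.flush()
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed input: a username carrying a line break plus a fake second event.
    forged = "alice\nWARNING login failed user=admin"
    print(capture(weak_log_failed_login, forged, "s3cret"))
    print(capture(hardened_log_failed_login, forged, "s3cret"))
```

The weak routine produces two lines for one event and leaks the password; the hardened one keeps a single line with the break escaped and no secret.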
Slide 9: Questions?