Manual Code Review
- Sandesh Anand
anand.sandesh@gmail.com
www.linkedin.com/in/anandsandesh/
Who am I?
• Security Consultant at Cigital Inc.
• Ex-Developer
• Areas of interest
– Static analysis
– Helping developers ...
What are we talking about?
• Why review code?
• Automated v/s Manual review
• Manual review – 10,000 ft. view
• Manual cod...
Why review code?
• Finding bugs early in the lifecycle is cheaper
• Different visibility to code
– Reach all parts of code...
Why review code?
• So, pen testing is useless, right? Not quite.
Why not?
– Don’t want to be killed by a room full of pen-...
Automated v/s Manual
This topic never ends. Here are some highlights:
• Automated tools can plough through more code
at le...
Manual review – 10,000 ft. view
• Understand the application
– Purpose of the application
– Flow of the application
– Tech...
Manual code review in 60 seconds
Manual code review in 60 seconds
• Understand the application
• Review security control (Hint: Pick logging)
• Look for sp...
Questions?
Upcoming SlideShare
Loading in...5
×

Manual Code Review

747

Published on

null Bangalore Chapter - March 2014 Meet

Published in: Education, Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
747
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
13
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Manual Code Review

  1. 1. Manual Code Review - Sandesh Anand anand.sandesh@gmail.com www.linkedin.com/in/anandsandesh/
  2. 2. Who am I? • Security Consultant at Cigital Inc. • Ex-Developer • Areas of interest – Static analysis – Helping developers fix security bugs – Web App pen testing – Curious about all things security
  3. 3. What are we talking about? • Why review code? • Automated v/s Manual review • Manual review – 10,000 ft. view • Manual code review in 60 seconds
  4. 4. Why review code? • Finding bugs early in the lifecycle is cheaper • Different visibility to code – Reach all parts of code – Some issues only visible in code review (examples in the Demo) – Helps in identifying “where” the problem is
  5. 5. Why review code? • So, pen testing is useless, right? Not quite. Why not? – Don’t want to be killed by a room full of pen- testers – Better at proving “exploitability” – Makes it easier to evangelize security it an organization – Coverage different from code review (e.g.: Issues in application sever configuration) – Understand what a hacker is looking at
  6. 6. Automated v/s Manual This topic never ends. Here are some highlights: • Automated tools can plough through more code at lesser time. Very useful for large applications • Manual code review uses knowledge available to the tester • Tool support for certain programming languages stronger than the other (Java v/s Perl) • Quality of manual review depends on individual And so on….. Bottom line: Use both in a complimentary manner
  7. 7. Manual review – 10,000 ft. view • Understand the application – Purpose of the application – Flow of the application – Technologies used – Environment (type of DB, frameworks, AppServer etc.) – Business logic – Etc. • Understand the approach to security controls: – Authentication and Authorization – Handling un-trusted data – Handling sensitive information – Session handling – Network boundaries – Error handling and logging – Misuse of security related APIs (crypto, randomness etc.) – Etc. • Look for specific vulnerabilities – Issues common to most applications (e.g.: Race condition, resource management, information leakage, validation routines) – Language specific issues (e.g.: Format string attacks in C) – Framework specific issues (e.g.: review ACEGI configuration) – Looking for malicious code/ Insider threat
  8. 8. Manual code review in 60 seconds
  9. 9. Manual code review in 60 seconds • Understand the application • Review security control (Hint: Pick logging) • Look for specific vulnerabilities
  10. 10. Questions?
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×