SlideShare a Scribd company logo
1 of 74
Download to read offline
David Rook

Agnitio
Security code review swiss army knife

Hack in Paris, Paris




Friday, 17 June 2011
if (slide == introduction)
                   System.out.println("I’m David Rook");

 • Security Analyst, Realex Payments, Ireland
      CISSP, CISA, GCIH and many other acronyms



 • Security Ninja (www.securityninja.co.uk)

 • Speaker at international security conferences

 • Nominated for multiple blog awards

 • A mentor in the InfoSecMentors project

 • Developed and released Agnitio

Friday, 17 June 2011
Agenda


  • What is static analysis?

  • Security code reviews: the good, the bad and the ugly

  • The principles of secure development

  • Agnitio: It’s static analysis, but not as we know it

  • A sneak preview of Agnitio v2.0


Friday, 17 June 2011
Static analysis


  • What do I mean by static analysis?

        • A review of source code without executing the application
        • Can be either manual or automated through one or more tools
        • Human and/or tools analysing application source code




Friday, 17 June 2011
Static analysis


  • Wetware or software?

        • Humans are needed with or without static analysis tools
        • The best thing about humans is that they aren’t software




Friday, 17 June 2011
Static analysis


  • Wetware or software?

        • Humans are needed with or without static analysis tools
        • The best thing about humans is that they aren’t software
        • The worst thing about humans is that they are humans




Friday, 17 June 2011
Static analysis


  • Wetware or software?




  http://www.ibm.com/developerworks/rational/library/11-proven-practices-for-peer-review/index.html?sf1100063=1




Friday, 17 June 2011
Static analysis


  • Wetware or software?




  http://www.ibm.com/developerworks/rational/library/11-proven-practices-for-peer-review/index.html?sf1100063=1




Friday, 17 June 2011
Static analysis


  • Wetware or software?

        • Tools can cover more code in less time than a human
        • The best thing about software is that it isn’t human




Friday, 17 June 2011
Static analysis


  • Wetware or software?

        • Tools can cover more code in less time than a human
        • The best thing about software is that it isn’t human
        • The worst thing about software is that it’s software




Friday, 17 June 2011
Friday, 17 June 2011
Friday, 17 June 2011
Friday, 17 June 2011
Friday, 17 June 2011
Friday, 17 June 2011
Friday, 17 June 2011
Friday, 17 June 2011
Friday, 17 June 2011
Friday, 17 June 2011
Friday, 17 June 2011
Friday, 17 June 2011
Friday, 17 June 2011
Friday, 17 June 2011
Friday, 17 June 2011
Friday, 17 June 2011
Friday, 17 June 2011
The ugly security code reviews


  • “Ugly reviews” implies you do actually review code

        • An unplanned magical mystery tour at the end of the SDLC
        • Unstructured, not repeatable and heavily reliant on C H N O
                                                              8   10   4   2




        • Too late in the SDLC making findings very expensive to fix




Friday, 17 June 2011
The ugly security code reviews


  • “Ugly reviews” implies you do actually review code

        • An unplanned magical mystery tour at the end of the SDLC
        • Unstructured, not repeatable and heavily reliant on C H N O
                                                              8   10   4   2




        • Too late in the SDLC making findings very expensive to fix
        • Completely manual process, no tools used during reviews
        • No audit trails, no metrics........no security?
        • Better than nothing?




Friday, 17 June 2011
The bad security code reviews


  • “Bad reviews” might be fine for some companies

        • A single planned code review in your SDLC
        • Some structure, normally based on finding the OWASP top 10
        • Still too late in the SDLC making findings very expensive to fix




Friday, 17 June 2011
The bad security code reviews


  • “Bad reviews” might be fine for some companies

        • A single planned code review in your SDLC
        • Some structure, normally based on finding the OWASP top 10
        • Still too late in the SDLC making findings very expensive to fix
        • Some automation, usually basic code analysis tools
        • Basic audit trails still no metrics so hard to measure “anything”
        • Better than ugly reviews, might be fine for some companies




Friday, 17 June 2011
The good security code reviews


  • “Good reviews” don’t happen by accident

        • Multiple reviews defined as deliverables in your SDLC
        • Structured, repeatable process with management support
        • Reviews are exit criteria for the development and test phases




Friday, 17 June 2011
The good security code reviews


  • “Good reviews” don’t happen by accident

        • Multiple reviews defined as deliverables in your SDLC
        • Structured, repeatable process with management support
        • Reviews are exit criteria for the development and test phases
        • Automation used where useful freeing up the reviewer
        • Ability to produce reports, metrics and measure improvements
        • External validation of the review process and SDLC




Friday, 17 June 2011
The principles of secure development


  • What are the principles of secure development?




Friday, 17 June 2011
Philosophical Application Security


 Give a man a fish and you feed him for a day, teach
 him to fish and you feed him for a lifetime.




Friday, 17 June 2011
Philosophical Application Security


 Give a man a fish and you feed him for a day, teach
 him to fish and you feed him for a lifetime.

  I want to apply this to secure development education:

 Teach a developer about a vulnerability and he will
 prevent it, teach him how to develop securely and
 he will prevent many vulnerabilities.




Friday, 17 June 2011
The current approach
  Failure to Preserve Web Page Structure         Failure to Preserve SQL Query Structure
    Reliance on Untrusted Inputs in a Security Decision
        Missing Encryption of Sensitive Data          Incorrect Calculation of Buffer Size
 Improper Control of Filename for Include/Require Statement in PHP Program
URL Redirection to Untrusted Site              Buffer Copy without Checking Size on Input
   Content Spoofing                      Allocation of Resource Without Limits or Throttling
               Cross Site Request Forgery          Information Leakage       Injection Flaws
  Cross Site Scripting              Improper Check for Unusual or Exceptional Conditions
Insufficient Transport Layer Protection        Failure to Preserve OS Command Structure
Insufficient Authorisation      Improper Limitation of a Pathname to a Restricted Directory
   Improper Access Control Insufficient Authentication       Insecure Cryptographic Storage
           Race Condition          Use of Hard-coded Credentials Session Management
        Insecure Direct Object Reference                Improper Validation of Array Index
Information Exposure Through an Error Message                Abuse of Functionality
Predictable Resource Location        Download of Code Without Integrity Check
     Failure to Restrict URL Access                Unvalidated Redirects and Forwards
Buffer Access with Incorrect Length Value        Security Misconfiguration
              SQL Injection       Unrestricted Upload of File with Dangerous Type
Broken Authentication                    Missing Authentication for Critical Function
   Integer Overflow or Wraparound
                         Use of a Broken or Risky Cryptographic Algorithm
Incorrect Permission Assignment for Critical Resource
Friday, 17 June 2011
The Principles of Secure Development

             Secure Communications
                                                                Output Validation


     Input Validation
                                        Auditing and Logging

                                                                Authorisation
  Session Management


                       Error Handling                            Secure Resource Access



                                                        Authentication


                Secure Storage

Friday, 17 June 2011
Agnitio


  • What is Agnitio?

        • Tool to help with manual static analysis
        • Checklist based with reviewer & developer guidance
        • Produces audit trails & enforces integrity checks
        • Single tool for security code review reports & metrics




Friday, 17 June 2011
Agnitio


  • Checklists?

        • An application for doing checklist reviews? *yawn* how boring!
        • Checklists are for n00bs! I don't need a checklist to review code!
        • I beg to differ, would you say Doctors and Pilots are n00bs?




Friday, 17 June 2011
Friday, 17 June 2011
Friday, 17 June 2011
Agnitio




Friday, 17 June 2011
Agnitio




Friday, 17 June 2011
Agnitio


  • Checklists?

        • So you don't use a checklist for reviewing source code?
        • What's the worst that could happen?




Friday, 17 June 2011
Ariane 5 flight 501




Friday, 17 June 2011
Ariane 5 flight 501




Friday, 17 June 2011
Therac-25




Friday, 17 June 2011
Mars Climate Orbiter




Friday, 17 June 2011
Mars Climate Orbiter




Friday, 17 June 2011
Agnitio


  • Checklists?

        • So you don't use a checklist for reviewing source code?
        • What's the worst that could happen?
        • Four people dead and over €700m of equipment destroyed
        • Checklists can be useful to pilots, doctors and code reviewers!




Friday, 17 June 2011
Agnitio


  • So, why did I develop Agnitio?

        • I love using checklists for security code reviews!




Friday, 17 June 2011
Agnitio


  • So, why did I develop Agnitio?

        • I love using checklists for security code reviews!
        • Even if your process is good it might not be smart




Friday, 17 June 2011
Agnitio


  • So, why did I develop Agnitio?

        • I love using checklists for security code reviews!
        • Even if your process is good it might not be smart
        • Is your review process really repeatable and easy to audit?




Friday, 17 June 2011
Agnitio


  • So, why did I develop Agnitio?

        • I love using checklists for security code reviews!
        • Even if your process is good it might not be smart
        • Is your review process really repeatable and easy to audit?
        • How about producing metrics, useful reports & integrity checks?




Friday, 17 June 2011
Agnitio


  • So, why did I develop Agnitio?

        • I love using checklists for security code reviews!
        • Even if your process is good it might not be smart
        • Is your review process really repeatable and easy to audit?
        • How about producing metrics, useful reports & integrity checks?
        • No? That’s why I developed Agnitio!




Friday, 17 June 2011
Agnitio


  • Why did I develop Agnitio?

        • My own review process was good but it wasn’t smart
        • Minimum of 2 code reviews per release
        • Three pieces of evidence produced per review
        • One central Excel sheet for metrics and “audit” trail




Friday, 17 June 2011
Why did I develop Agnitio?


  • 2 reviews: 3 deliverables x ~200 releases in 2010

  • 400 security code reviews

          x 10




Friday, 17 June 2011
Why did I develop Agnitio?


  • 2 reviews: 3 deliverables x ~200 releases in 2010

  • 400 security code reviews

          x 10




Friday, 17 June 2011
Why did I develop Agnitio?


  • Demonstration: security code reviews




Friday, 17 June 2011
Why did I develop Agnitio?


  • 2 reviews: 3 deliverables x ~200 releases in 2010

  • Minimum of 4 Word documents per release

          x 10




Friday, 17 June 2011
Why did I develop Agnitio?


  • 2 reviews: 3 deliverables x ~200 releases in 2010

  • Minimum of 4 Word documents per release

          x 10




Friday, 17 June 2011
Why did I develop Agnitio?


  • Demonstration: security code review reports




Friday, 17 June 2011
Why did I develop Agnitio?


  • 2 reviews: 3 deliverables x ~200 releases in 2010

  • Note pad file per release with notes, LOC etc

          x 10




Friday, 17 June 2011
Why did I develop Agnitio?


  • 2 reviews: 3 deliverables x ~200 releases in 2010

  • Note pad file per release with notes, LOC etc

          x 10




Friday, 17 June 2011
Why did I develop Agnitio?


  • Demonstration: application security metrics




Friday, 17 June 2011
Why did I develop Agnitio?




Friday, 17 June 2011
Why did I develop Agnitio?




Friday, 17 June 2011
Why did I develop Agnitio?




Friday, 17 June 2011
Agnitio v2.0


  • Agnitio deux sera bientôt disponible en Français!

  • Automated code analysis module linked to checklist

  • Data editor for developer and checklist guidance text

  • Checklist and guidance in multiple languages

  • Plus lots of user suggested changes!


Friday, 17 June 2011
Agnitio v2.0


  • Agnitio v2.0 demonstration




Friday, 17 June 2011
My “shoot for the moon” vision for Agnitio


  “we pretty much need a Burp Pro equivalent for Static
  Analysis – awesome, powerful in the right hands, and
  completely affordable!”
  http://www.securityninja.co.uk/application-security/can-you-implement-static-analysis-without-breaking-the-bank/comment-page-1#comment-9777




Friday, 17 June 2011
Using the principles and Agnitio


  • How you can apply the principles approach

        • Download principles documentation from Security Ninja
        • Focus secure development training on code not exploits
        • Use your language/s in all code examples and checklist items
        • Use Agnitio to conduct principles based security code reviews
        • Tie all security findings back to specific principles




Friday, 17 June 2011
www.securityninja.co.uk
    http://sourceforge.net/projects/agnitiotool/

                       @securityninja

                       /realexninja

                       /securityninja

                       /realexninja



Friday, 17 June 2011
QUESTIONS?
              www.securityninja.co.uk
    http://sourceforge.net/projects/agnitiotool/

                       @securityninja

                       /realexninja

                       /securityninja

                       /realexninja



Friday, 17 June 2011

More Related Content

Similar to Hack in Paris - Agnitio

SecurityBSides las vegas - Agnitio
SecurityBSides las vegas - AgnitioSecurityBSides las vegas - Agnitio
SecurityBSides las vegas - AgnitioSecurity Ninja
 
SecurityBSides London - Agnitio: it's static analysis but not as we know it
SecurityBSides London - Agnitio: it's static analysis but not as we know itSecurityBSides London - Agnitio: it's static analysis but not as we know it
SecurityBSides London - Agnitio: it's static analysis but not as we know itSecurity Ninja
 
OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...
OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...
OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...FINOS
 
Stamp Out Agile and DevOps Bottlenecks
Stamp Out Agile and DevOps BottlenecksStamp Out Agile and DevOps Bottlenecks
Stamp Out Agile and DevOps BottlenecksTechWell
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Toolscentralohioissa
 
Injecting simplicity not SQL RSA Europe 2010
Injecting simplicity not SQL RSA Europe 2010Injecting simplicity not SQL RSA Europe 2010
Injecting simplicity not SQL RSA Europe 2010Security Ninja
 
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald BelchamGetting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham.NET Conf UY
 
DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon London 2017: Shift happens ... by Colin Domoney DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon London 2017: Shift happens ... by Colin Domoney DevSecCon
 
Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Black Duck by Synopsys
 
Integrating ECM (WebCenter Content) with your Enterprise! 5 Tips to Try, 5 Tr...
Integrating ECM (WebCenter Content) with your Enterprise! 5 Tips to Try, 5 Tr...Integrating ECM (WebCenter Content) with your Enterprise! 5 Tips to Try, 5 Tr...
Integrating ECM (WebCenter Content) with your Enterprise! 5 Tips to Try, 5 Tr...Brian Huff
 
BruCON Agnitio Workshop
BruCON Agnitio WorkshopBruCON Agnitio Workshop
BruCON Agnitio WorkshopSecurity Ninja
 
Better Governance Banking on Continuous Delivery
Better Governance Banking on Continuous DeliveryBetter Governance Banking on Continuous Delivery
Better Governance Banking on Continuous DeliveryTapabrata Pal
 
Puppet Camp Paris 2014: Achieving Continuous Delivery and DevOps with Puppet
Puppet Camp Paris 2014: Achieving Continuous Delivery and DevOps with Puppet Puppet Camp Paris 2014: Achieving Continuous Delivery and DevOps with Puppet
Puppet Camp Paris 2014: Achieving Continuous Delivery and DevOps with Puppet Puppet
 
Achieving Continuous Delivery with Puppet
Achieving Continuous Delivery with PuppetAchieving Continuous Delivery with Puppet
Achieving Continuous Delivery with PuppetDevoteam Revolve
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerSteve Poole
 
Selenium for everyone
Selenium for everyoneSelenium for everyone
Selenium for everyoneTft Us
 
(java2days) The Anatomy of Java Vulnerabilities
(java2days) The Anatomy of Java Vulnerabilities(java2days) The Anatomy of Java Vulnerabilities
(java2days) The Anatomy of Java VulnerabilitiesSteve Poole
 
The Next Wave of Reliability Engineering
The Next Wave of Reliability EngineeringThe Next Wave of Reliability Engineering
The Next Wave of Reliability EngineeringMichael Kehoe
 
Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_EndgameInc
 

Similar to Hack in Paris - Agnitio (20)

SecurityBSides las vegas - Agnitio
SecurityBSides las vegas - AgnitioSecurityBSides las vegas - Agnitio
SecurityBSides las vegas - Agnitio
 
SecurityBSides London - Agnitio: it's static analysis but not as we know it
SecurityBSides London - Agnitio: it's static analysis but not as we know itSecurityBSides London - Agnitio: it's static analysis but not as we know it
SecurityBSides London - Agnitio: it's static analysis but not as we know it
 
OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...
OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...
OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...
 
Stamp Out Agile and DevOps Bottlenecks
Stamp Out Agile and DevOps BottlenecksStamp Out Agile and DevOps Bottlenecks
Stamp Out Agile and DevOps Bottlenecks
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Tools
 
Injecting simplicity not SQL RSA Europe 2010
Injecting simplicity not SQL RSA Europe 2010Injecting simplicity not SQL RSA Europe 2010
Injecting simplicity not SQL RSA Europe 2010
 
DevSecOps: The Open Source Way
DevSecOps: The Open Source WayDevSecOps: The Open Source Way
DevSecOps: The Open Source Way
 
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald BelchamGetting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
 
DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon London 2017: Shift happens ... by Colin Domoney DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon London 2017: Shift happens ... by Colin Domoney
 
Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security
 
Integrating ECM (WebCenter Content) with your Enterprise! 5 Tips to Try, 5 Tr...
Integrating ECM (WebCenter Content) with your Enterprise! 5 Tips to Try, 5 Tr...Integrating ECM (WebCenter Content) with your Enterprise! 5 Tips to Try, 5 Tr...
Integrating ECM (WebCenter Content) with your Enterprise! 5 Tips to Try, 5 Tr...
 
BruCON Agnitio Workshop
BruCON Agnitio WorkshopBruCON Agnitio Workshop
BruCON Agnitio Workshop
 
Better Governance Banking on Continuous Delivery
Better Governance Banking on Continuous DeliveryBetter Governance Banking on Continuous Delivery
Better Governance Banking on Continuous Delivery
 
Puppet Camp Paris 2014: Achieving Continuous Delivery and DevOps with Puppet
Puppet Camp Paris 2014: Achieving Continuous Delivery and DevOps with Puppet Puppet Camp Paris 2014: Achieving Continuous Delivery and DevOps with Puppet
Puppet Camp Paris 2014: Achieving Continuous Delivery and DevOps with Puppet
 
Achieving Continuous Delivery with Puppet
Achieving Continuous Delivery with PuppetAchieving Continuous Delivery with Puppet
Achieving Continuous Delivery with Puppet
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developer
 
Selenium for everyone
Selenium for everyoneSelenium for everyone
Selenium for everyone
 
(java2days) The Anatomy of Java Vulnerabilities
(java2days) The Anatomy of Java Vulnerabilities(java2days) The Anatomy of Java Vulnerabilities
(java2days) The Anatomy of Java Vulnerabilities
 
The Next Wave of Reliability Engineering
The Next Wave of Reliability EngineeringThe Next Wave of Reliability Engineering
The Next Wave of Reliability Engineering
 
Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_
 

More from Security Ninja

The Realex Payments Application Story
The Realex Payments Application StoryThe Realex Payments Application Story
The Realex Payments Application StorySecurity Ninja
 
Owasp App Sec Ireland Windows Phone 7 Security
Owasp App Sec Ireland Windows Phone 7 SecurityOwasp App Sec Ireland Windows Phone 7 Security
Owasp App Sec Ireland Windows Phone 7 SecuritySecurity Ninja
 
SecurityBSides London - windows phone 7
SecurityBSides London - windows phone 7SecurityBSides London - windows phone 7
SecurityBSides London - windows phone 7Security Ninja
 
OWASP Birmingham - Mobile Application Security
OWASP Birmingham - Mobile Application SecurityOWASP Birmingham - Mobile Application Security
OWASP Birmingham - Mobile Application SecuritySecurity Ninja
 
SecurityBSides London - Jedi mind tricks for building application security pr...
SecurityBSides London - Jedi mind tricks for building application security pr...SecurityBSides London - Jedi mind tricks for building application security pr...
SecurityBSides London - Jedi mind tricks for building application security pr...Security Ninja
 
The Principles of Secure Development - Epicenter Dublin
The Principles of Secure Development - Epicenter DublinThe Principles of Secure Development - Epicenter Dublin
The Principles of Secure Development - Epicenter DublinSecurity Ninja
 
Application security and PCI DSS
Application security and PCI DSSApplication security and PCI DSS
Application security and PCI DSSSecurity Ninja
 
The Security Risks of Web 2.0 - DEF CON 17
The Security Risks of Web 2.0 - DEF CON 17The Security Risks of Web 2.0 - DEF CON 17
The Security Risks of Web 2.0 - DEF CON 17Security Ninja
 
Developing secure web applications
Developing secure web applicationsDeveloping secure web applications
Developing secure web applicationsSecurity Ninja
 
Injecting simplicity not SQL BSides Las Vegas 2010
Injecting simplicity not SQL BSides Las Vegas 2010Injecting simplicity not SQL BSides Las Vegas 2010
Injecting simplicity not SQL BSides Las Vegas 2010Security Ninja
 
The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009Security Ninja
 
The Principles of Secure Development
The Principles of Secure DevelopmentThe Principles of Secure Development
The Principles of Secure DevelopmentSecurity Ninja
 
Owasp talk-november-08
Owasp talk-november-08Owasp talk-november-08
Owasp talk-november-08Security Ninja
 

More from Security Ninja (14)

Hack in Paris 2013
Hack in Paris 2013Hack in Paris 2013
Hack in Paris 2013
 
The Realex Payments Application Story
The Realex Payments Application StoryThe Realex Payments Application Story
The Realex Payments Application Story
 
Owasp App Sec Ireland Windows Phone 7 Security
Owasp App Sec Ireland Windows Phone 7 SecurityOwasp App Sec Ireland Windows Phone 7 Security
Owasp App Sec Ireland Windows Phone 7 Security
 
SecurityBSides London - windows phone 7
SecurityBSides London - windows phone 7SecurityBSides London - windows phone 7
SecurityBSides London - windows phone 7
 
OWASP Birmingham - Mobile Application Security
OWASP Birmingham - Mobile Application SecurityOWASP Birmingham - Mobile Application Security
OWASP Birmingham - Mobile Application Security
 
SecurityBSides London - Jedi mind tricks for building application security pr...
SecurityBSides London - Jedi mind tricks for building application security pr...SecurityBSides London - Jedi mind tricks for building application security pr...
SecurityBSides London - Jedi mind tricks for building application security pr...
 
The Principles of Secure Development - Epicenter Dublin
The Principles of Secure Development - Epicenter DublinThe Principles of Secure Development - Epicenter Dublin
The Principles of Secure Development - Epicenter Dublin
 
Application security and PCI DSS
Application security and PCI DSSApplication security and PCI DSS
Application security and PCI DSS
 
The Security Risks of Web 2.0 - DEF CON 17
The Security Risks of Web 2.0 - DEF CON 17The Security Risks of Web 2.0 - DEF CON 17
The Security Risks of Web 2.0 - DEF CON 17
 
Developing secure web applications
Developing secure web applicationsDeveloping secure web applications
Developing secure web applications
 
Injecting simplicity not SQL BSides Las Vegas 2010
Injecting simplicity not SQL BSides Las Vegas 2010Injecting simplicity not SQL BSides Las Vegas 2010
Injecting simplicity not SQL BSides Las Vegas 2010
 
The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009
 
The Principles of Secure Development
The Principles of Secure DevelopmentThe Principles of Secure Development
The Principles of Secure Development
 
Owasp talk-november-08
Owasp talk-november-08Owasp talk-november-08
Owasp talk-november-08
 

Recently uploaded

Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.francesco barbera
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfAnna Loughnan Colquhoun
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?SANGHEE SHIN
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 

Recently uploaded (20)

Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdf
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 

Hack in Paris - Agnitio

  • 1. David Rook Agnitio Security code review swiss army knife Hack in Paris, Paris Friday, 17 June 2011
  • 2. if (slide == introduction) System.out.println("I’m David Rook"); • Security Analyst, Realex Payments, Ireland CISSP, CISA, GCIH and many other acronyms • Security Ninja (www.securityninja.co.uk) • Speaker at international security conferences • Nominated for multiple blog awards • A mentor in the InfoSecMentors project • Developed and released Agnitio Friday, 17 June 2011
  • 3. Agenda • What is static analysis? • Security code reviews: the good, the bad and the ugly • The principles of secure development • Agnitio: It’s static analysis, but not as we know it • A sneak preview of Agnitio v2.0 Friday, 17 June 2011
  • 4. Static analysis • What do I mean by static analysis? • A review of source code without executing the application • Can be either manual or automated through one or more tools • Human and/or tools analysing application source code Friday, 17 June 2011
  • 5. Static analysis • Wetware or software? • Humans are needed with or without static analysis tools • The best thing about humans is that they aren’t software Friday, 17 June 2011
  • 6. Static analysis • Wetware or software? • Humans are needed with or without static analysis tools • The best thing about humans is that they aren’t software • The worst thing about humans is that they are humans Friday, 17 June 2011
  • 7. Static analysis • Wetware or software? http://www.ibm.com/developerworks/rational/library/11-proven-practices-for-peer-review/index.html?sf1100063=1 Friday, 17 June 2011
  • 8. Static analysis • Wetware or software? http://www.ibm.com/developerworks/rational/library/11-proven-practices-for-peer-review/index.html?sf1100063=1 Friday, 17 June 2011
  • 9. Static analysis • Wetware or software? • Tools can cover more code in less time than a human • The best thing about software is that it isn’t human Friday, 17 June 2011
  • 10. Static analysis • Wetware or software? • Tools can cover more code in less time than a human • The best thing about software is that it isn’t human • The worst thing about software is that it’s software Friday, 17 June 2011
  • 27. The ugly security code reviews • “Ugly reviews” implies you do actually review code • An unplanned magical mystery tour at the end of the SDLC • Unstructured, not repeatable and heavily reliant on C H N O 8 10 4 2 • Too late in the SDLC making findings very expensive to fix Friday, 17 June 2011
  • 28. The ugly security code reviews • “Ugly reviews” implies you do actually review code • An unplanned magical mystery tour at the end of the SDLC • Unstructured, not repeatable and heavily reliant on C H N O 8 10 4 2 • Too late in the SDLC making findings very expensive to fix • Completely manual process, no tools used during reviews • No audit trails, no metrics........no security? • Better than nothing? Friday, 17 June 2011
  • 29. The bad security code reviews • “Bad reviews” might be fine for some companies • A single planned code review in your SDLC • Some structure, normally based on finding the OWASP top 10 • Still too late in the SDLC making findings very expensive to fix Friday, 17 June 2011
  • 30. The bad security code reviews • “Bad reviews” might be fine for some companies • A single planned code review in your SDLC • Some structure, normally based on finding the OWASP top 10 • Still too late in the SDLC making findings very expensive to fix • Some automation, usually basic code analysis tools • Basic audit trails still no metrics so hard to measure “anything” • Better than ugly reviews, might be fine for some companies Friday, 17 June 2011
  • 31. The good security code reviews • “Good reviews” don’t happen by accident • Multiple reviews defined as deliverables in your SDLC • Structured, repeatable process with management support • Reviews are exit criteria for the development and test phases Friday, 17 June 2011
  • 32. The good security code reviews • “Good reviews” don’t happen by accident • Multiple reviews defined as deliverables in your SDLC • Structured, repeatable process with management support • Reviews are exit criteria for the development and test phases • Automation used where useful freeing up the reviewer • Ability to produce reports, metrics and measure improvements • External validation of the review process and SDLC Friday, 17 June 2011
  • 33. The principles of secure development • What are the principles of secure development? Friday, 17 June 2011
  • 34. Philosophical Application Security Give a man a fish and you feed him for a day, teach him to fish and you feed him for a lifetime. Friday, 17 June 2011
  • 35. Philosophical Application Security Give a man a fish and you feed him for a day, teach him to fish and you feed him for a lifetime. I want to apply this to secure development education: Teach a developer about a vulnerability and he will prevent it, teach him how to develop securely and he will prevent many vulnerabilities. Friday, 17 June 2011
  • 36. The current approach Failure to Preserve Web Page Structure Failure to Preserve SQL Query Structure Reliance on Untrusted Inputs in a Security Decision Missing Encryption of Sensitive Data Incorrect Calculation of Buffer Size Improper Control of Filename for Include/Require Statement in PHP Program URL Redirection to Untrusted Site Buffer Copy without Checking Size on Input Content Spoofing Allocation of Resource Without Limits or Throttling Cross Site Request Forgery Information Leakage Injection Flaws Cross Site Scripting Improper Check for Unusual or Exceptional Conditions Insufficient Transport Layer Protection Failure to Preserve OS Command Structure Insufficient Authorisation Improper Limitation of a Pathname to a Restricted Directory Improper Access Control Insufficient Authentication Insecure Cryptographic Storage Race Condition Use of Hard-coded Credentials Session Management Insecure Direct Object Reference Improper Validation of Array Index Information Exposure Through an Error Message Abuse of Functionality Predictable Resource Location Download of Code Without Integrity Check Failure to Restrict URL Access Unvalidated Redirects and Forwards Buffer Access with Incorrect Length Value Security Misconfiguration SQL Injection Unrestricted Upload of File with Dangerous Type Broken Authentication Missing Authentication for Critical Function Integer Overflow or Wraparound Use of a Broken or Risky Cryptographic Algorithm Incorrect Permission Assignment for Critical Resource Friday, 17 June 2011
  • 37. The Principles of Secure Development Secure Communications Output Validation Input Validation Auditing and Logging Authorisation Session Management Error Handling Secure Resource Access Authentication Secure Storage Friday, 17 June 2011
  • 38. Agnitio • What is Agnitio? • Tool to help with manual static analysis • Checklist based with reviewer & developer guidance • Produces audit trails & enforces integrity checks • Single tool for security code review reports & metrics Friday, 17 June 2011
  • 39. Agnitio • Checklists? • An application for doing checklist reviews? *yawn* how boring! • Checklists are for n00bs! I don't need a checklist to review code! • I beg to differ, would you say Doctors and Pilots are n00bs? Friday, 17 June 2011
  • 44. Agnitio • Checklists? • So you don't use a checklist for reviewing source code? • What's the worst that could happen? Friday, 17 June 2011
  • 45. Ariane 5 flight 501 Friday, 17 June 2011
  • 46. Ariane 5 flight 501 Friday, 17 June 2011
  • 50. Agnitio • Checklists? • So you don't use a checklist for reviewing source code? • What's the worst that could happen? • Four people dead and over €700m of equipment destroyed • Checklists can be useful to pilots, doctors and code reviewers! Friday, 17 June 2011
  • 51. Agnitio • So, why did I develop Agnitio? • I love using checklists for security code reviews! Friday, 17 June 2011
  • 52. Agnitio • So, why did I develop Agnitio? • I love using checklists for security code reviews! • Even if your process is good it might not be smart Friday, 17 June 2011
  • 53. Agnitio • So, why did I develop Agnitio? • I love using checklists for security code reviews! • Even if your process is good it might not be smart • Is your review process really repeatable and easy to audit? Friday, 17 June 2011
  • 54. Agnitio • So, why did I develop Agnitio? • I love using checklists for security code reviews! • Even if your process is good it might not be smart • Is your review process really repeatable and easy to audit? • How about producing metrics, useful reports & integrity checks? Friday, 17 June 2011
  • 55. Agnitio • So, why did I develop Agnitio? • I love using checklists for security code reviews! • Even if your process is good it might not be smart • Is your review process really repeatable and easy to audit? • How about producing metrics, useful reports & integrity checks? • No? That’s why I developed Agnitio! Friday, 17 June 2011
  • 56. Agnitio • Why did I develop Agnitio? • My own review process was good but it wasn’t smart • Minimum of 2 code reviews per release • Three pieces of evidence produced per review • One central Excel sheet for metrics and “audit” trail Friday, 17 June 2011
  • 57. Why did I develop Agnitio? • 2 reviews: 3 deliverables x ~200 releases in 2010 • 400 security code reviews x 10 Friday, 17 June 2011
  • 58. Why did I develop Agnitio? • 2 reviews: 3 deliverables x ~200 releases in 2010 • 400 security code reviews x 10 Friday, 17 June 2011
  • 59. Why did I develop Agnitio? • Demonstration: security code reviews Friday, 17 June 2011
  • 60. Why did I develop Agnitio? • 2 reviews: 3 deliverables x ~200 releases in 2010 • Minimum of 4 Word documents per release x 10 Friday, 17 June 2011
  • 61. Why did I develop Agnitio? • 2 reviews: 3 deliverables x ~200 releases in 2010 • Minimum of 4 Word documents per release x 10 Friday, 17 June 2011
  • 62. Why did I develop Agnitio? • Demonstration: security code review reports Friday, 17 June 2011
  • 63. Why did I develop Agnitio? • 2 reviews: 3 deliverables x ~200 releases in 2010 • Note pad file per release with notes, LOC etc x 10 Friday, 17 June 2011
  • 64. Why did I develop Agnitio? • 2 reviews: 3 deliverables x ~200 releases in 2010 • Note pad file per release with notes, LOC etc x 10 Friday, 17 June 2011
  • 65. Why did I develop Agnitio? • Demonstration: application security metrics Friday, 17 June 2011
  • 66. Why did I develop Agnitio? Friday, 17 June 2011
  • 67. Why did I develop Agnitio? Friday, 17 June 2011
  • 68. Why did I develop Agnitio? Friday, 17 June 2011
  • 69. Agnitio v2.0 • Agnitio deux sera bientôt disponible en Français! • Automated code analysis module linked to checklist • Data editor for developer and checklist guidance text • Checklist and guidance in multiple languages • Plus lots of user suggested changes! Friday, 17 June 2011
  • 70. Agnitio v2.0 • Agnitio v2.0 demonstration Friday, 17 June 2011
  • 71. My “shoot for the moon” vision for Agnitio “we pretty much need a Burp Pro equivalent for Static Analysis – awesome, powerful in the right hands, and completely affordable!” http://www.securityninja.co.uk/application-security/can-you-implement-static-analysis-without-breaking-the-bank/comment-page-1#comment-9777 Friday, 17 June 2011
  • 72. Using the principles and Agnitio • How you can apply the principles approach • Download principles documentation from Security Ninja • Focus secure development training on code not exploits • Use your language/s in all code examples and checklist items • Use Agnitio to conduct principles based security code reviews • Tie all security findings back to specific principles Friday, 17 June 2011
  • 73. www.securityninja.co.uk http://sourceforge.net/projects/agnitiotool/ @securityninja /realexninja /securityninja /realexninja Friday, 17 June 2011
  • 74. QUESTIONS? www.securityninja.co.uk http://sourceforge.net/projects/agnitiotool/ @securityninja /realexninja /securityninja /realexninja Friday, 17 June 2011