Code Review for Secure Web Applications (with Java samples)
Transcript of "Code review for secure web applications"

  1. Code Review for Secure Web Applications (with Java samples)
  2. Bibliography
     • OWASP – Open Web Application Security Project – www.owasp.org
     • OWASP Code Review Guide
  3. Introduction
     • Code reviews:
       – Ad hoc reviews
       – Pair programming
       – Walkthrough
       – Team review
       – Inspection
     • Purpose – security
  4. Code review strategies
     • Automatic
     • Manual – use checklists
       – Risk based
       – Most encountered programming mistakes
       – Mitigation of the most encountered vulnerabilities exploited in the world
       – Security best practices
  5. Checklist based on best practices
     • Authentication
     • Authorization
     • Session management
     • Input validation and output sanitization
  6. Checklist based on best practices (to be presented next meeting)
     • Prevent Cross Site Request Forgery
     • Cryptographic controls
     • Error handling
     • Logging
     • Prevent race conditions
  7. Authentication
     • Check user is not allowed to choose weak passwords
     Bad (only checks that a password was supplied, not its strength):
         String password = request.getParameter("Password");
         if (password == null) {
             throw new InvalidPasswordException();
         }
  8. Authentication
     • Check user is not allowed to choose weak passwords
     OK (length 8–30 with a lower-case letter, an upper-case letter, a digit and a symbol all required):
         import java.util.regex.Pattern;

         public static boolean isStrongPassword(String password) {
             return password != null
                 && password.length() >= 8 && password.length() <= 30
                 && Pattern.compile("[a-z]").matcher(password).find()
                 && Pattern.compile("[A-Z]").matcher(password).find()
                 && Pattern.compile("[0-9]").matcher(password).find()
                 && Pattern.compile("[!\"£$%^&*()]").matcher(password).find();
         }
  9. Authentication
     • Password storage strategy: hashing using a one-way hash algorithm + salting
     OK hashing:
         import java.nio.charset.StandardCharsets;
         import java.security.MessageDigest;
         import java.security.NoSuchAlgorithmException;

         public byte[] getHash(String password) throws NoSuchAlgorithmException {
             // SHA-1 as on the original slide; the salted version on the next slide uses SHA-256
             MessageDigest digest = MessageDigest.getInstance("SHA-1");
             digest.reset();
             return digest.digest(password.getBytes(StandardCharsets.UTF_8));
         }
  10. Authentication
      • Password storage strategy: hashing using a one-way hash algorithm + salting
      OK salting:
          import java.nio.charset.StandardCharsets;
          import java.security.MessageDigest;
          import java.security.NoSuchAlgorithmException;

          public byte[] getHash(String password, byte[] salt) throws NoSuchAlgorithmException {
              MessageDigest digest = MessageDigest.getInstance("SHA-256");
              digest.reset();
              digest.update(salt);                       // salt goes in before the password
              return digest.digest(password.getBytes(StandardCharsets.UTF_8));
          }
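Slides 9 and 10 show the digest call but not where the salt comes from or how a login is checked against the stored value. The following is an added example, not code from the slides: it generates a random per-user salt with SecureRandom, stores salt and SHA-256 hash together, and verifies with a constant-time comparison. Class and method names are this example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

// Added example: salted hashing as on slide 10, plus salt generation and verification.
public final class SaltedPasswordStore {
    private static final int SALT_LENGTH = 16;
    private static final SecureRandom RNG = new SecureRandom();

    // Same construction as slide 10: SHA-256(salt || password).
    // A dedicated password KDF (PBKDF2, bcrypt, scrypt) is the stronger choice in practice.
    static byte[] hash(String password, byte[] salt) throws NoSuchAlgorithmException {
        MessageDigest digest = MessageDigest.getInstance("SHA-256");
        digest.update(salt);
        return digest.digest(password.getBytes(StandardCharsets.UTF_8));
    }

    // Builds the stored record "base64(salt):base64(hash)". A fresh random salt per user
    // means two users with the same password do not get the same record.
    static String createRecord(String password) throws NoSuchAlgorithmException {
        byte[] salt = new byte[SALT_LENGTH];
        RNG.nextBytes(salt);
        Base64.Encoder enc = Base64.getEncoder();
        return enc.encodeToString(salt) + ":" + enc.encodeToString(hash(password, salt));
    }

    // Recomputes the hash with the stored salt and compares it in constant time.
    static boolean verify(String candidate, String stored) throws NoSuchAlgorithmException {
        String[] parts = stored.split(":", 2);
        if (parts.length != 2) {
            return false; // malformed record: treat as a failed login
        }
        Base64.Decoder dec = Base64.getDecoder();
        byte[] salt = dec.decode(parts[0]);
        byte[] expected = dec.decode(parts[1]);
        return MessageDigest.isEqual(expected, hash(candidate, salt));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String stored = createRecord("Correct-Horse-9");   // constructed sample password
        System.out.println(stored);
        System.out.println(verify("Correct-Horse-9", stored));
        System.out.println(verify("wrong-password", stored));
    }
}
```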
  11. Authorization
      • Check the access roles matrix and make sure it is created respecting the need-to-know and least-privilege principle
      • Check the business logic for errors
      Bad (anyone who is not "NormalUser" silently receives super permissions):
          if (user.equals("NormalUser")) {
              grantUser(Normal_Permissions);
          } else {
              // user must be admin/super
              grantUser(Super_Permissions);
          }
  12. Authorization
      • Check if security by obscurity is used
      • Check if authorization is verified for every request
      Good:
          String action = request.getParameter("action");
          if ("doStuff".equals(action)) {
              boolean permit = session.authTable.isAuthorised(action);
              if (permit) {
                  doStuff();
              } else {
                  // invalidate before throwing, otherwise the statement is never reached
                  session.invalidate();
                  throw new InvalidRequestException("Unauthorised request");
              }
          }
  13. Session Management
      • Check if only the framework's session manager is used
      • Check the cryptographic strength, the length of the sessions and the character pool
      • Check that session IDs coming from clients are validated
      • Check there is a timeout implemented for idle sessions
      • Check the session is destroyed on logout
  14. Input validation and output sanitization
      • Ensure 2 separate validations occur: first a security validation, then a business validation
      • Ensure in the security validation, data are canonicalized first
          import java.io.File;
          import java.io.IOException;

          public static void main(String[] args) throws IOException {
              File x = new File("/cmd/" + args[0]);          // first command-line argument
              String absPath = x.getAbsolutePath();           // may still contain "." and ".." segments
              String canonicalPath = x.getCanonicalPath();    // resolved, unique form to validate against
          }
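Slide 14 stops at obtaining the canonical path. The following added example (not from the slides) carries the check through: the canonical form of the requested file is compared against the canonical base directory, so a name containing ".." segments is rejected before any file access. Class, method and directory names are this example's own.

```java
import java.io.File;
import java.io.IOException;

// Added example: canonicalize first, then validate the resolved path against the base directory.
public final class SafeFileResolver {
    private final String baseCanonical;

    SafeFileResolver(File baseDir) throws IOException {
        // Trailing separator so that a base of "/srv/files" does not accept "/srv/files2/x".
        this.baseCanonical = baseDir.getCanonicalPath() + File.separator;
    }

    // Returns the file if its canonical path lies under the base directory, otherwise null.
    File resolve(String untrustedName) throws IOException {
        File candidate = new File(baseCanonical, untrustedName);
        String canonical = candidate.getCanonicalPath(); // resolves "..", "." and symlinks
        if (!canonical.startsWith(baseCanonical)) {
            return null; // the resolved path escaped the base directory
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Base directory assumed for the demonstration: the JVM's temp directory.
        SafeFileResolver r = new SafeFileResolver(new File(System.getProperty("java.io.tmpdir")));
        System.out.println(r.resolve("report.txt"));
        System.out.println(r.resolve("../../outside.txt"));
    }
}
```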
  15. Input validation and output sanitization
      • Check that all input that traversed untrusted zones is validated, not only user input
      • Check that validators or sanitizers are adapted for the modules that receive/use the data – encode, escape, etc.
      • Check validators are applied on a safe side (never client side)
  16. Input validation and output sanitization
      Review example (the user name is concatenated, unvalidated, into an OS command line):
          public class DoStuff {
              public String executeCommand(String userName) {
                  try {
                      String myUid = userName;
                      Runtime rt = Runtime.getRuntime();
                      rt.exec("cmd.exe /C doStuff.exe " + "-" + myUid);
                  } catch (Exception e) {
                      e.printStackTrace();
                  }
                  return null;
              }
          }
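The hardened counterpart of slide 16, as an added example that is not from the slides: the user name is checked against an allow-list pattern and passed to ProcessBuilder as a separate argument, so no shell parses it. The class, method and command names are this example's own.

```java
import java.io.IOException;
import java.util.regex.Pattern;

// Added example: allow-list validation plus argument-array execution instead of a command string.
public final class DoStuffSafely {
    // Allow-list: only characters a legitimate user name is expected to contain.
    private static final Pattern USER_NAME = Pattern.compile("^[A-Za-z0-9_.-]{1,32}$");

    public static String validateUserName(String userName) {
        if (userName == null || !USER_NAME.matcher(userName).matches()) {
            throw new IllegalArgumentException("invalid user name");
        }
        return userName;
    }

    public int executeCommand(String userName) throws IOException, InterruptedException {
        String uid = validateUserName(userName);
        // Arguments are passed as a list and there is no "cmd.exe /C" wrapper, so
        // shell metacharacters in uid would have no meaning even if they got this far.
        ProcessBuilder pb = new ProcessBuilder("doStuff.exe", "-" + uid);
        pb.inheritIO();
        Process p = pb.start();
        return p.waitFor();
    }

    public static void main(String[] args) {
        System.out.println(validateUserName("alice_01"));
        try {
            validateUserName("alice & other");   // constructed input with a shell metacharacter
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```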
  17. Input validation and output sanitization
      Review example (the sort order from the request is appended to the query text; only the name value is bound):
          String myQuery = "select food from foods where name=?";
          String sortOrder = request.getParameter("order");
          myQuery += sortOrder;
          PreparedStatement preparedStatement = connection.prepareStatement(myQuery);
          preparedStatement.setString(1, "Shaorma");
          ResultSet resultSet = preparedStatement.executeQuery();
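Bind parameters cannot carry identifiers or keywords, so the ORDER BY clause on slide 17 has to be validated rather than bound. The following added example (not from the slides) selects the clause from an allow-list map, so request input never reaches the SQL text. Class, method and table names are this example's own.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Map;

// Added example: the query from slide 17 with the sort order chosen from an allow-list.
public final class FoodQuery {
    // The map is the validation: only these two fixed fragments can ever be appended.
    private static final Map<String, String> SORT_ORDERS = Map.of(
            "asc", " order by name asc",
            "desc", " order by name desc");

    // Returns the fixed SQL fragment for a recognised order value, or throws.
    static String sortClause(String requested) {
        String key = requested == null ? "asc" : requested.toLowerCase();
        String clause = SORT_ORDERS.get(key);
        if (clause == null) {
            throw new IllegalArgumentException("unsupported sort order");
        }
        return clause;
    }

    static ResultSet findFood(Connection connection, String name, String requestedOrder)
            throws SQLException {
        String sql = "select food from foods where name=?" + sortClause(requestedOrder);
        PreparedStatement ps = connection.prepareStatement(sql);
        ps.setString(1, name); // the data value is still bound, never concatenated
        return ps.executeQuery();
    }

    public static void main(String[] args) {
        System.out.println(sortClause("DESC"));
        try {
            sortClause("sideways");   // constructed value not in the allow-list
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```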
  18. Input validation and output sanitization
          import java.io.IOException;
          import java.io.PrintWriter;
          import javax.servlet.ServletException;
          import javax.servlet.http.HttpServlet;
          import javax.servlet.http.HttpServletRequest;
          import javax.servlet.http.HttpServletResponse;

          public class HelloServlet extends HttpServlet {
              public void doGet(HttpServletRequest req, HttpServletResponse res)
                      throws ServletException, IOException {
                  String input = req.getHeader("USERINPUT");
                  PrintWriter out = res.getWriter();
                  // Server.HTMLEncode is the slide's placeholder for an HTML output encoder
                  // (for example OWASP Java Encoder's Encode.forHtml); the untrusted header
                  // value is encoded before it is written into the page body
                  out.println(Server.HTMLEncode(input));
                  out.close();
              }
          }
  19. Thank you for the interest. Questions?
  20. Prevent Cross Site Request Forgery
  21. Cryptographic controls
  22. Error handling
  23. Logging
  24. Prevent Race Conditions