Security Code Review: Magic or Art?


SECURE CODE REVIEW: MAGIC OR ART?
A Simplified Approach to Secure Code Review
Sherif Koussa - AppSec USA
Software Secured

ABOUT ME
(timeline slide: 2006, 2008, 2009, 2011, Today)

TAKE AWAYS
• Components of an effective secure code review process
• Simplified secure code review process
• How to kick off your internal security code review process

WHAT DOES CODE REVIEW DO BEST?
• Systematic approach to uncover security flaws
• Close to 100% code coverage
• Better at finding design flaws
• Find all instances of a certain vulnerability
• The only way to find certain types of vulnerabilities

(image slides: Usain Bolt - Olympics 2012, captioned "How I think I look at the gym", next to "How I actually look")

HOW DEVELOPERS THINK OF THEIR APPLICATIONS
... Until S**t Hits The Fan

WHAT ARE WE LOOKING FOR?
• Software Weaknesses
• Application Logic Issues
• Dead/Debug Code
• Misconfiguration Issues

WHAT CONSTITUTES A SUCCESSFUL SECURE CODE REVIEW
Security Code Review Mindset + Security Code Review Process

SECURITY CODE REVIEW MINDSET
• Where is the data coming from?
• Original Intent -> Malicious Intent?
• Any mitigating controls?

IMPORTANT ASPECTS IN ANY PROCESS
• Reconnaissance: Understand the app
• Threat Modeling: Enumerate inputs, threats and attack surface
• Automation: Low-hanging fruit
• Manual Review: High-risk modules
• Confirmation and PoC: Weed out false positives and confirm high-risk vulns
• Reporting: Communication back to the development team

FULL APPLICATION SECURITY CODE REVIEW PROCESS
Reconnaissance -> Threat Modelling -> Automation (Tools) -> Manual Review (Security Skills, Checklist) -> Confirmation & PoC -> Reporting

SIMPLIFIED APPLICATION SECURITY CODE REVIEW PROCESS
Trust Boundary Identification -> Automation (OWASP Top 10 driven tools) -> Manual Review (OWASP Checklists, OWASP Cheat Sheet Series) -> Reporting

DEFINE TRUST BOUNDARY

TRUST BOUNDARY
• A trust boundary is the virtual line where the trust level changes:
  • Privileges change
  • Untrusted data is received
  • Untrusted data is sent
  • The application's internal state changes
(Writing Secure Code, Second Edition, Michael Howard and David LeBlanc)

TRUST BOUNDARY - EXAMPLE
(architecture diagram: Browser on the Internet -> Front Controller -> Business Objects -> Data Access Layer -> DB; SOAP Client -> Web Services; Admin Client on the LAN -> Admin Front Controller; LDAP/AD Server; File System. The successive slides draw the trust boundaries between these components.)

WAYS TO MARK TRUST BOUNDARY
• Physical source code separation
• Naming scheme
  • Trust Boundary Safe: tbsProcessNameChange.java
  • Trust Boundary Unsafe: tbuEditProfile.jsp

AUTOMATION
• Super Greps (keyword search)
• Automated Unit-Tests
• Static Code Analysis Tools
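A "super grep" pass of the kind listed above, as an added example (not code from the talk): a short Python scan that greps a set of source files for sink keywords and ranks each hit using the tbs/tbu trust-boundary naming scheme from the earlier slide, so that hits in files that receive untrusted data come out on top. The sink patterns, the triage rule (tbu file = High, unmarked file = Medium, tbs file = Low) and the three sample source files are constructed here, not taken from the talk.

```python
"""A 'super grep' keyword scan ranked by the tbs/tbu trust-boundary naming scheme.

Added example, not code from the talk. Sink patterns, triage rule and the
three sample source files are all constructed for illustration.
"""
import os
import re
from dataclasses import dataclass

# Sink keywords that deserve a manual look, keyed by the weakness they usually signal.
# Assumed starting list; a real review extends it per language and framework.
SINK_PATTERNS = {
    # a quoted SQL statement immediately concatenated with something else
    "sql_injection": re.compile(r'"\s*(?:SELECT|INSERT|UPDATE|DELETE)\b[^"]*"\s*\+', re.I),
    # raw writes into the HTTP response or the DOM
    "xss": re.compile(r'Response\.Write|\.innerHTML\s*=|(?<!System\.)out\.print'),
    # OS command execution
    "command_injection": re.compile(r'Process\.Start|Runtime\.getRuntime\(\)\.exec|ProcessBuilder'),
    # non-cryptographic RNG, suspicious wherever tokens or keys are made
    "weak_random": re.compile(r'\bnew Random\(|\bMath\.random\('),
    # leftover debug output (the talk's "dead/debug code")
    "debug_code": re.compile(r'System\.out\.print|Console\.WriteLine|Debug\.WriteLine'),
}
COMMENT_PREFIXES = ("//", "#", "/*", "<%--", "<!--")
PRIORITY_RANK = {"High": 0, "Medium": 1, "Low": 2}


@dataclass
class Finding:
    file: str
    line: int
    category: str
    priority: str
    snippet: str


def trust_level(filename: str) -> str:
    """Read the trust boundary off the file-name prefix (tbs = safe, tbu = unsafe)."""
    base = os.path.basename(filename)
    if base.startswith("tbu"):
        return "untrusted"  # receives data from across the boundary
    if base.startswith("tbs"):
        return "trusted"    # only ever sees data that was already validated
    return "unmarked"       # boundary not recorded yet; still needs a look


def priority_for(level: str) -> str:
    # Assumed triage rule: sinks reachable by untrusted data are reviewed first.
    return {"untrusted": "High", "unmarked": "Medium", "trusted": "Low"}[level]


def scan(sources: dict) -> list:
    """Grep every non-comment line of every file for sink keywords and rank the hits."""
    findings = []
    for filename, text in sources.items():
        priority = priority_for(trust_level(filename))
        for lineno, line in enumerate(text.splitlines(), 1):
            if line.strip().startswith(COMMENT_PREFIXES):
                continue  # a keyword inside a comment is not a sink
            for category, pattern in SINK_PATTERNS.items():
                if pattern.search(line):
                    findings.append(Finding(filename, lineno, category, priority, line.strip()))
    findings.sort(key=lambda f: (PRIORITY_RANK[f.priority], f.file, f.line))
    return findings


def format_report(findings: list) -> str:
    return "\n".join(f"[{f.priority:<6}] {f.file}:{f.line} {f.category}: {f.snippet}" for f in findings)


# Constructed sample sources; the file names follow the talk's tbs/tbu convention.
SAMPLE_SOURCES = {
    "tbuEditProfile.jsp": """<%
  String name = request.getParameter("name");
  Statement st = conn.createStatement();
  ResultSet rs = st.executeQuery("SELECT * FROM users WHERE name = '" + name + "'");
  out.println("Hello " + name);
%>""",
    "tbsProcessNameChange.java": """public class tbsProcessNameChange {
    // Only called after tbuEditProfile has validated and canonicalised the name.
    void audit(String name) {
        System.out.println("DEBUG name change: " + name);
    }
}""",
    "updateinfo.aspx.cs": """SqlDataAdapter myCommand = new SqlDataAdapter(
    "SELECT au_lname, au_fname FROM author WHERE au_id = '" + SSN.Text + "'", myConnection);
Random r = new Random();  // session token seed""",
}

if __name__ == "__main__":
    print(format_report(scan(SAMPLE_SOURCES)))
```

Running it lists the two hits in tbuEditProfile.jsp first, then the unmarked updateinfo.aspx.cs, and the debug print in the tbs file last. The point of the ranking is the one the talk makes about automation: the grep finds the low-hanging fruit, the trust boundary tells the reviewer which of those hits to spend manual time on.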
AUTOMATION: STATIC CODE ANALYSIS TOOLS
• Security Code Review ≠ Running a Tool

  Pros                      | Cons
  Scales well               | False positives
  Low-hanging fruit         | Application logic issues
  Can be taught new tricks  | Collections / frameworks

OPEN-SOURCE STATIC CODE ANALYSIS TOOLS
(tool logos for Java, .NET and C++; the tool names are not recoverable from the slide text)

AUTOMATION: WHAT THE TOOLS FIND
• SQL Injection
• Cross-Site Scripting
• Parameter Tampering
• Encryption Usage Flaws
• Security Misconfiguration
• External Code Reference
• Log Forging
• Insecure Random Number Generation
• Command Injection
• XML Injection
• XPath Injection
• LDAP Injection
• Buffer Overflows

CUSTOMIZE YOUR TOOLS!

MANUAL REVIEW

WHAT NEEDS TO BE MANUALLY REVIEWED?
• Authentication & Authorization Controls
• Encryption Modules
• File Upload and Download Operations
• Validation Controls / Input Filters
• Security-Sensitive Application Logic

AUTHENTICATION & AUTHORIZATION FLAWS
(code screenshot not captured in the text) Web Methods do not follow the regular ASP.NET page life cycle

ENCRYPTION FLAWS
(code screenshot not captured in the text) There is a possibility of returning empty hashes on error
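The slide's own listing is not in the page text, so the following is a constructed illustration (an added example, not the talk's code) of why "returning an empty hash on error" is worth flagging in an encryption module: an HMAC helper that swallows a missing-key error and returns "", which lets an attacker-supplied empty tag verify, beside a fail-closed rewrite. The key, the message, the empty-tag forgery and the function names are all assumptions made here.

```python
"""Why "return an empty hash on error" is an authentication bypass, with a fail-closed fix.

Added example, not the talk's code (the slide's listing is not in the page text).
Key, message and tags are constructed; the function names are assumptions.
"""
import hashlib
import hmac


def mac_swallowing_errors(key, message: bytes) -> str:
    """Flawed: any failure, here a key that was never loaded, becomes an empty tag."""
    try:
        return hmac.new(key, message, hashlib.sha256).hexdigest()
    except Exception:
        return ""  # the "empty hash on error" pattern a reviewer should flag


def verify_flawed(key, message: bytes, tag: str) -> bool:
    # Constant-time comparison does not help: "" compared with "" is still equal.
    return hmac.compare_digest(mac_swallowing_errors(key, message), tag)


def mac_fail_closed(key, message: bytes) -> str:
    """Fixed: refuse to work without a usable key and never return an empty tag."""
    if not isinstance(key, (bytes, bytearray)) or len(key) < 16:
        raise ValueError("MAC key missing or too short")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_fixed(key, message: bytes, tag: str) -> bool:
    if not tag:
        return False  # an empty tag can never be valid, whatever the key state
    try:
        expected = mac_fail_closed(key, message)
    except ValueError:
        return False  # configuration error: deny, and let the caller log it
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    message = b"user=admin;role=superuser"        # constructed signed payload
    key = b"0123456789abcdef0123456789abcdef"     # constructed 32-byte key
    # Deployment mistake: the key was never loaded, so the module sees None.
    print("flawed verify, no key, empty tag:", verify_flawed(None, message, ""))   # True
    print("fixed verify, no key, empty tag: ", verify_fixed(None, message, ""))    # False
    good_tag = mac_fail_closed(key, message)
    print("fixed verify, real key, good tag:", verify_fixed(key, message, good_tag))  # True
```

The review question is the one from the mindset slide: what does the error path return, and can an attacker make the comparison on the other side see the same value? Swallowing the exception turns a configuration failure into a forgery that verifies; raising it, and rejecting empty tags outright, turns it back into a visible outage.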
FILE UPLOAD / DOWNLOAD FLAWS
(code screenshot not captured in the text) An attacker can bypass the validation control

REPORTING

REPORTING - EXAMPLE FINDING
• Weakness metadata
• Thorough description
• Recommendation
• Assign appropriate priority

SQL Injection
Location: source\ACMEPortal\updateinfo.aspx.cs, lines 51-53
Description: The code below builds a dynamic SQL statement using unvalidated data (SSN.Text), which can lead to SQL Injection.

    SqlDataAdapter myCommand = new SqlDataAdapter(
        "SELECT au_lname, au_fname FROM author WHERE au_id = '" + SSN.Text + "'", myConnection);

Priority: High
Recommendation: Use parameterized SQL instead of dynamic concatenation; refer to http://msdn.microsoft.com/en-us/library/ff648339.aspx for details.
Owner: John Smith
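The finding above is ADO.NET code. As an added example (not from the talk), the same flaw and the recommended parameterized fix are reproduced in Python against an in-memory sqlite3 `author` table constructed here, so the reviewer can carry out the "Confirmation and PoC" step and attach the result to the report. The hostile input is constructed; the table layout follows the column names in the finding.

```python
"""Dynamic SQL versus a parameterized query, confirmed against sqlite3 in memory.

Added example, not the talk's code: the slide's finding is C# / ADO.NET, this
reproduces the same flaw and the recommended fix in Python. The author table
and its rows are constructed here.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed author table with the columns the finding selects."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE author (au_id TEXT PRIMARY KEY, au_lname TEXT, au_fname TEXT)")
    conn.executemany("INSERT INTO author VALUES (?, ?, ?)", [
        ("172-32-1176", "White", "Johnson"),
        ("213-46-8915", "Green", "Marjorie"),
        ("238-95-7766", "Carson", "Cheryl"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, ssn: str) -> list:
    # Mirrors the finding: the statement text is assembled from untrusted input.
    sql = "SELECT au_lname, au_fname FROM author WHERE au_id = '" + ssn + "'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, ssn: str) -> list:
    # Recommended fix: the statement is constant, the value travels as a bound parameter.
    sql = "SELECT au_lname, au_fname FROM author WHERE au_id = ?"
    return conn.execute(sql, (ssn,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    honest = "213-46-8915"
    hostile = "x' OR '1'='1"   # constructed attacker input: closes the quote, adds a tautology
    print("vulnerable, honest input:", lookup_vulnerable(conn, honest))    # one row
    print("vulnerable, hostile input:", lookup_vulnerable(conn, hostile))  # every row
    print("fixed, hostile input:     ", lookup_fixed(conn, hostile))       # no rows
```

The PoC output is what the report's "Thorough description" should carry: the honest lookup returns one author, the hostile string returns the whole table, and the parameterized version treats the same string as an id that matches nothing. Note that the fix is a different statement shape, not input filtering, which is why the finding is worth confirming instead of closing on a "we validate SSNs" reply.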
SIMPLIFIED APPLICATION SECURITY CODE REVIEW PROCESS (RECAP)
Trust Boundary Identification -> Automation (OWASP Top 10 driven tools) -> Manual Review (OWASP Checklists) -> Reporting

QUESTIONS?
sherif.koussa@owasp.com
sherif@softwaresecured.com
