Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Points Methodology To Get Your Applications in Top Security Shape
Presentation Transcript

  • Security Code Reviews: Does Your Code Need an Open Heart Surgery? 6-Points Strategy to Get Your Application in Security Shape. Sherif Koussa, OWASP Ottawa Chapter Leader, OWASP Static Analysis Tools Evaluation Criteria Project Leader, Application Security Specialist - Software Secured. Copyright 2007 © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org (OWASP, Saturday, 13 April, 13)
  • Bio: 2011 - Static Analysis Code Evaluation Criteria Project Lead; 2008 - Steering Committee Member, GSSP-Java, GSSP-Net, DEV-541, DEV-544, SEC540; 2007 - OWASP Chapter Leader, WebGoat 5.0 Developer; Software Secured.
  • The 6 Points Strategy to Get Your Applications Back in Top Security Shape...
  • 1. DRASTIC CHANGES NEED DRASTIC MEASURES! Get to the bottom of things quickly!
  • Open Heart Surgery Steps: Step 1: Sawing Through the Sternum; Step 2: Working on the Heart; Step 3: Putting the Sternum Back Together; Step 4: Stitching Up the Skin. Causes: repair or replace heart valves, which control blood flow through the heart; repair abnormal or damaged structures in the heart; implant medical devices that help control the heartbeat or support heart function and blood flow; replace a damaged heart with a healthy heart from a donor.
  • Open Code Surgery (AKA Code Review). Why Security Code Reviews: effectiveness of security controls against known threats; testing all application execution paths; finding all instances of a certain vulnerability; the only way to find certain types of vulnerabilities; effective remediation instructions.
  • Code Review Types. Peer Security Code Review: peer code reviews combined with secure coding best practices. Automatic Security Code Review: running a static code analysis tool. Modular Review: pure manual code review, line by line. Ad-hoc Security Code Review: security review done on selected modules of the application. Source-Code Driven Code Review: full code review process combined with penetration testing.
  • 2. COVER THE BASICS FIRST. Don't run before you can walk!
  • OWASP Top 10 - 2010 compared with OWASP Top 10 - 2013 (slide legend: 2010 / Modified / New):
        OWASP Top 10 - 2010                              | OWASP Top 10 - 2013
        A1. Injection                                    | A1. Injection
        A2. Cross-Site Scripting                         | A2. Broken Authentication and Session Management
        A3. Broken Authentication and Session Management | A3. Cross-Site Scripting
        A4. Insecure Direct Object References            | A4. Insecure Direct Object References
        A5. Cross-Site Request Forgery                   | A5. Security Misconfiguration
        A6. Security Misconfiguration                    | A6. Sensitive Data Exposure
        A7. Insecure Cryptographic Storage               | A7. Missing Function Level Access Control
        A8. Failure to Restrict URL Access               | A8. Cross-Site Request Forgery
        A9. Insufficient Transport Layer Protection      | A9. Using Known Vulnerable Components
        A10. Unvalidated Redirects and Forwards          | A10. Unvalidated Redirects and Forwards
  • Veracode Report - 2011 mapped onto the OWASP Top 10 - 2013 categories (mapping diagram; the per-category arrows are not recoverable from the transcript).
  • Trustwave Report - 2013 mapped onto the OWASP Top 10 - 2013 categories (mapping diagram; the per-category arrows are not recoverable from the transcript).
  • Whitehat Report - 2012 mapped onto the OWASP Top 10 - 2013 categories (mapping diagram; the per-category arrows are not recoverable from the transcript).
  • 3. FOCUS ON WHAT MATTERS. Really... focus on what matters!
  • Effective Security Code Review Process. Reconnaissance: understand the application. Threat Assessment: enumerate inputs, threats and attack surface. Automation: low hanging fruits. Manual Review: high-risk modules. Confirmation & PoC: confirm high-risk vulnerabilities. Reporting: communicate back to the development team.
  • Effective Security Code Review Process (cycle diagram): Reconnaissance, Threat Assessment, Automation, Manual Review, Confirmation & PoC, Reporting; supported by Security Checklist, Skills and Tools.
  • Reconnaissance - What REALLY Matters? Business Walkthrough: will get you right to the assets and the core business goal. Technical Walkthrough: will get you right to the vulnerabilities. Roles: better understand the application and attack surface.
  • Threat & Risk Modeling - What REALLY Matters? A library of vulnerabilities/threats: industry based, risk based. Thorough understanding of assets. (Diagram: Attack Library, Vulnerable Code, Assets.)
  • Automation: What REALLY Matters - Fitted Tool. Static Analysis Tools Evaluation Criteria: Deployment Model; Technology Support; Scan, Command and Control Support; Product Signature Update; Triage and Remediation Support; Reporting Capabilities; Enterprise Level Support. Find more at http://projects.webappsec.org/w/page/41188978/Static Analysis Tools Evaluation Criteria
  • Automation: What REALLY Matters - 3rd Party Libs. 3rd Party Libraries Discovery: DependencyCheck (https://github.com/jeremylong/DependencyCheck)
  • 4. GET YOUR HANDS DIRTY! No pain... no gain...
  • What Needs Manual Review? This REALLY Matters! Authentication & Authorization Controls; Encryption Modules; File Upload and Download Operations; Validation Controls / Input Filters; Security-Sensitive Application Logic.
  • Authentication and Authorization Controls (code walkthrough): WebMethods don't follow the regular ASP.net page lifecycle.
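The lifecycle point above, as an added example that is not from the slides: a `[WebMethod]` page method is static and is invoked directly by the script service, so `Page_Load` (where an authorization gate is often placed) never runs for it and the check has to be repeated inside the method. Page, role and repository names are illustrative.

```csharp
// Added example (not from the presentation). Assumes classic ASP.NET Web Forms
// with page methods enabled via ScriptManager; AccountRepository is hypothetical.
using System;
using System.Web;
using System.Web.Services;
using System.Web.UI;

public partial class AccountPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // This gate protects ordinary GET requests and post-backs only:
        // page-method calls bypass the page lifecycle and never reach it.
        RequireRole("Admin");
    }

    [WebMethod]
    public static string DeleteAccount(int accountId)
    {
        // Page_Load did not execute for this call, so re-apply the gate here.
        RequireRole("Admin");
        AccountRepository.Delete(accountId); // hypothetical data-access helper
        return "deleted";
    }

    // One shared check so the page-method path and the lifecycle path cannot drift.
    private static void RequireRole(string role)
    {
        var user = HttpContext.Current?.User;
        if (user == null || !user.Identity.IsAuthenticated || !user.IsInRole(role))
            throw new HttpException(403, "role required: " + role);
    }
}
```

During a review, list every static method carrying `[WebMethod]` and confirm each one performs its own authentication and authorization check rather than relying on the page's event handlers.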
  • Encryption Modules (code walkthrough): there is a possibility of returning empty hashes on error.
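The failure mode named above, as an added example that is not from the slides: a hashing helper that swallows exceptions and returns an empty string fails open, because a later comparison of an empty stored digest against an empty computed digest succeeds. The fail-closed version beside it validates inputs, lets errors propagate and treats an empty digest as a failure. Names are illustrative; it assumes .NET Core 2.1 or later for `CryptographicOperations.FixedTimeEquals`.

```csharp
// Added example (not from the presentation). PBKDF2 parameters are illustrative.
using System;
using System.Security.Cryptography;
using System.Text;

public static class PasswordHashing
{
    // Pattern the slide warns about: any failure (null input, short salt, ...)
    // yields "" instead of an error, so Verify("", "") later returns true.
    public static string HashFailOpen(string password, byte[] salt)
    {
        try
        {
            using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000, HashAlgorithmName.SHA256))
                return Convert.ToBase64String(kdf.GetBytes(32));
        }
        catch (Exception)
        {
            return string.Empty; // silently fails open
        }
    }

    // Fail-closed version: reject bad inputs up front and let real failures
    // propagate to the caller instead of being converted into a "valid" value.
    public static string HashFailClosed(string password, byte[] salt)
    {
        if (string.IsNullOrEmpty(password)) throw new ArgumentException("empty password");
        if (salt == null || salt.Length < 16) throw new ArgumentException("salt too short");
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000, HashAlgorithmName.SHA256))
            return Convert.ToBase64String(kdf.GetBytes(32));
    }

    // Never accept an empty digest on either side; compare in constant time.
    public static bool Verify(string storedHash, string computedHash)
    {
        if (string.IsNullOrEmpty(storedHash) || string.IsNullOrEmpty(computedHash))
            return false;
        byte[] a = Convert.FromBase64String(storedHash);
        byte[] b = Convert.FromBase64String(computedHash);
        return CryptographicOperations.FixedTimeEquals(a, b);
    }
}
```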
  • Security Controls (code walkthrough): directory traversal is possible on post-back.
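The post-back finding above, as an added example that is not from the slides: a download handler that takes a file name from a post-back control (a hidden field or drop-down is still client-supplied) must confine the resolved path to its download root. The helper below rejects path components outright and then verifies the canonical path as defence in depth. Names are illustrative.

```csharp
// Added example (not from the presentation). Root and names are illustrative.
using System;
using System.IO;

public static class DownloadPaths
{
    // Canonicalize and confine: return the full path only if it resolves inside root.
    public static string ResolveSafe(string root, string requestedName)
    {
        if (string.IsNullOrWhiteSpace(requestedName))
            throw new ArgumentException("no file requested");

        // Only a bare file name is acceptable: no separators, no "." or ".." segments.
        if (requestedName != Path.GetFileName(requestedName)
            || requestedName == "." || requestedName == "..")
            throw new UnauthorizedAccessException("path components not allowed");

        // Normalize the root once so the prefix comparison below is exact.
        string rootFull = Path.GetFullPath(root)
            .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string candidate = Path.GetFullPath(Path.Combine(rootFull, requestedName));

        // Defence in depth: even after the name check, verify the canonical result.
        if (!candidate.StartsWith(rootFull, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("outside download root");
        return candidate;
    }
}
```

In a post-back handler the value from the control goes through `ResolveSafe` before any `File.Exists` or `Response.TransmitFile` call; the review question is whether every code path that opens a file does so.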
  • 5. GET YOUR B-17 FIX! Gain strategic advantage over the attackers...
  • Checklists Advance Technology. Aviation: Model 299 (1934): "Too much airplane for one man to fly". The B-17 plane (Model 299 successor) gave the U.S. a major strategic advantage in WWII. Intensive Care Units: usage of checklists brought down infection rates in Michigan by 66%.
  • Resources To Conduct Your Checklist: NIST Checklist Project - http://checklists.nist.gov/ ; Mozilla's Secure Coding QA Checklist - https://wiki.mozilla.org/WebAppSec/Secure_Coding_QA_Checklist ; Oracle's Secure Coding Checklist - http://www.oracle.com/technetwork/java/seccodeguide-139067.html ; MSDN Managed Code Checklist - http://msdn.microsoft.com/en-us/library/ff648189.aspx
  • 6. FINISH STRONG! Flex your communications muscles!
  • Reporting - example finding (slide annotations: Weakness Metadata, Thorough Description, Recommendation, Assign Appropriate Priority). Weakness: SQL Injection. Location: sourceACMEPortalupdateinfo.aspx.cs. Description: the code below builds a dynamic SQL statement using unvalidated data (i.e. name), which can lead to SQL Injection:
        SqlDataAdapter myCommand = new SqlDataAdapter(
            "SELECT au_lname, au_fname FROM author WHERE au_id = " +
            SSN.Text + "", myConnection);
    Priority: High. Recommendation: use parameterized SQL instead of dynamic concatenation; refer to http://msdn.microsoft.com/en-us/library/ff648339.aspx for details. Owner: John Smith.
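The recommendation in that finding, carried out as an added example that is not from the slides: the reported statement beside its parameterized form, using the slide's own identifiers (`SSN`, `myConnection`, the `author` table). The fixed version keeps the SQL text constant and binds the value as a typed parameter, so the input can never alter the statement's structure.

```csharp
// Added example (not from the presentation). The value passed as ssn stands in
// for SSN.Text from the slide's code-behind; the column length (11) is assumed.
using System.Data;
using System.Data.SqlClient;

public static class AuthorLookup
{
    // The statement as reported in the finding: user input concatenated into SQL.
    // Kept only for side-by-side comparison with the remediated form below.
    public static SqlDataAdapter Reported(string ssn, SqlConnection myConnection)
    {
        return new SqlDataAdapter(
            "SELECT au_lname, au_fname FROM author WHERE au_id = " + ssn + "",
            myConnection);
    }

    // Remediated form: the SQL text is a constant and the value travels to the
    // server as a typed, length-bounded parameter rather than as query text.
    public static SqlDataAdapter Parameterized(string ssn, SqlConnection myConnection)
    {
        var cmd = new SqlCommand(
            "SELECT au_lname, au_fname FROM author WHERE au_id = @au_id",
            myConnection);
        cmd.Parameters.Add("@au_id", SqlDbType.VarChar, 11).Value = ssn;
        return new SqlDataAdapter(cmd);
    }
}
```

When confirming a finding like this during review, search the code base for every `new SqlDataAdapter(` and `new SqlCommand(` whose first argument is built with `+` or `string.Format`, since the same pattern rarely occurs only once.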
  • The 6-Points Strategy... 1. Drastic Changes Require Drastic Measures. 2. Cover The Basics First. 3. Focus on What Matters. 4. Get Your Hands Dirty. 5. Get Your B-17 Fix. 6. Finish Strong.
  • QUESTIONS? sherif.koussa@owasp.org sherif@softwaresecured.com