Softwar S cur
Simplifying Secure
Code Reviews
Sherif Koussa
sherif@softwaresecured.com
BSides Quebec 2013
Monday, 3 June, ...
Softwar S cur
Security Teams
Development Teams
Monday, 3 June, 13
Softwar S cur
Softwar S cur
2007 2009 2011 2013
Bio
Principal Consultant @ SoftwareSecured
✓ Application Security Assessme...
Softwar S cur
Take Aways
Monday, 3 June, 13
Softwar S cur
Take Aways
Role of Security Code Review
Monday, 3 June, 13
Softwar S cur
Take Aways
Role of Security Code Review Effective Process
Monday, 3 June, 13
Softwar S cur
Take Aways
Role of Security Code Review Effective Process
Simplified Process
Monday, 3 June, 13
Softwar S cur
Take Aways
Role of Security Code Review Effective Process
Simplified Process Key Tools to Use
Monday, 3 June, ...
Softwar S cur
What This Presentation is
NOT...
➡ Ground Breaking Research
➡ New Tool
➡ How to Fix Vulnerabilities
Monday, ...
Softwar S cur
What IS Security Code
Review?
Monday, 3 June, 13
Softwar S cur
➡ The Inspection of Source Code to Find Security Weakness
What IS Security Code
Review?
Monday, 3 June, 13
Softwar S cur
➡ The Inspection of Source Code to Find Security Weakness
➡ Integrated Activity into Software Development Li...
Softwar S cur
➡ The Inspection of Source Code to Find Security Weakness
➡ Integrated Activity into Software Development Li...
Softwar S cur
➡ The Inspection of Source Code to Find Security Weakness
➡ Integrated Activity into Software Development Li...
Softwar S cur
Why Security Code Reviews
Monday, 3 June, 13
Softwar S cur
Why Security Code Reviews
Effectiveness of Security
Controls
Monday, 3 June, 13
Softwar S cur
Why Security Code Reviews
Effectiveness of Security
Controls
Exercise all code paths
Monday, 3 June, 13
Softwar S cur
Why Security Code Reviews
Effectiveness of Security
Controls
Exercise all code paths All instances of a vulne...
Softwar S cur
Why Security Code Reviews
Effectiveness of Security
Controls
Exercise all code paths All instances of a vulne...
Softwar S cur
Why Security Code Reviews
Effectiveness of Security
Controls
Exercise all code paths All instances of a vulne...
Softwar S cur
Effective Security Code
Review Process
Monday, 3 June, 13
Softwar S cur
Effective Security Code
Review Process
➡ Reconnaissance
Monday, 3 June, 13
Softwar S cur
Effective Security Code
Review Process
➡ Reconnaissance
➡ Threat Modeling
Monday, 3 June, 13
Softwar S cur
Effective Security Code
Review Process
➡ Reconnaissance
➡ Threat Modeling
➡ Automation
Monday, 3 June, 13
Softwar S cur
Effective Security Code
Review Process
➡ Reconnaissance
➡ Threat Modeling
➡ Automation
➡ Manual Review
Monda...
Softwar S cur
Effective Security Code
Review Process
➡ Reconnaissance
➡ Threat Modeling
➡ Automation
➡ Manual Review
➡ Con...
Softwar S cur
Effective Security Code
Review Process
➡ Reconnaissance
➡ Threat Modeling
➡ Automation
➡ Manual Review
➡ Con...
Softwar S cur
Full SCR Process
Reconnaissance!
Threat Modeling!
Automation!
Manual Review!
Confirmation &
PoC!
Reporting!
C...
Softwar S cur
Full SCR Process
Reconnaissance!
Threat Modeling!
Automation!
Manual Review!
Confirmation &
PoC!
Reporting!
C...
Softwar S cur
Full SCR Process
Reconnaissance!
Threat Modeling!
Automation!
Manual Review!
Confirmation &
PoC!
Reporting!
C...
Softwar S cur
Full SCR Process
Reconnaissance!
Threat Modeling!
Automation!
Manual Review!
Confirmation &
PoC!
Reporting!
C...
Softwar S cur
Full SCR Process
Reconnaissance!
Threat Modeling!
Automation!
Manual Review!
Confirmation &
PoC!
Reporting!
C...
Softwar S cur
Full SCR Process
Reconnaissance!
Threat Modeling!
Automation!
Manual Review!
Confirmation &
PoC!
Reporting!
C...
Softwar S cur
Full SCR Process
Reconnaissance!
Threat Modeling!
Automation!
Manual Review!
Confirmation &
PoC!
Reporting!
C...
Softwar S cur
Simplified Security
Code Review Process
Reconnaissance!
Threat Modeling!
Automation!
Manual Review!
Confirmat...
Softwar S cur
Simplified Security
Code Review Process
Reconnaissance!
Threat Modeling!
Automation!
Manual Review!
Confirmat...
Softwar S cur
Simplified Security
Code Review Process
Reconnaissance!
Threat Modeling!
Automation!
Manual Review!
Confirmat...
Softwar S cur
Usages of Simplified
Security Code Review
Automation
Manual
Review
Reporting
Checklists*
Tools*
OWASP*
Top*1...
Softwar S cur
Skills - OWASP
Top 10
➡ A1 Injection
➡ A2 Broken Authentication and Session Management
➡ A3 Cross-Site Scrip...
Softwar S cur
A1. Injection
A2. Cross-Site Scripting
A3. Broken Authentication and
Session Management
A4. Insecure Direct ...
Softwar S cur
A1. Injection
A2. Cross-Site Scripting
A3. Broken Authentication and
Session Management
A4. Insecure Direct ...
Softwar S cur
A3
A6
A3
A6
A4
A1
A1 A3
A2
A9
A9
A1. Injection
A3. Cross-Site Scripting
A2. Broken Authentication and
Sessio...
Softwar S cur
A7
A10
A4
A1
A8
A4
A3
A9
A1
A1. Injection
A3. Cross-Site Scripting
A2. Broken Authentication and
Session Man...
Softwar S cur
A3
A6
A7
A1
A7
A2
A4
A7A4
A4
A2
A3
A1. Injection
A3. Cross-Site Scripting
A2. Broken Authentication and
Sess...
Softwar S cur
Automation
Manual
Review
Reporting
Checklists*
Tools*
OWASP*
Top*10*
Trust*Boundary*
Iden=fica=on*
Define Tru...
Softwar S cur
Trust Boundary - Example
Browser
SOAP Client
Mobile Client
Front Controller
Web Services
Admin Front
Control...
Softwar S cur
Trust Boundary - Example
Browser
SOAP Client
Mobile Client
Front Controller
Web Services
Admin Front
Control...
Softwar S cur
Trust Boundary - Example
Browser
SOAP Client
Mobile Client
Front Controller
Web Services
Admin Front
Control...
Softwar S cur
Trust Boundary - Example
Browser
SOAP Client
Mobile Client
Front Controller
Web Services
Admin Front
Control...
Softwar S cur
Trust Boundary - Example
Browser
SOAP Client
Mobile Client
Front Controller
Web Services
Admin Front
Control...
Softwar S cur
Trust Boundary - Example
Browser
SOAP Client
Mobile Client
Front Controller
Web Services
Admin Front
Control...
Softwar S cur
Trust Boundary - Example
Browser
SOAP Client
Mobile Client
Front Controller
Web Services
Admin Front
Control...
Softwar S cur
Trust Boundary - OWASP Top 10
Front Controller
Web Services
Admin Front
Controller
LAN
DB
LDAP
File
System
B...
Softwar S cur
Trust Boundary - OWASP Top 10
Front Controller
Web Services
Admin Front
Controller
LAN
DB
LDAP
File
System
B...
Softwar S cur
Trust Boundary - OWASP Top 10
Front Controller
Web Services
Admin Front
Controller
LAN
DB
LDAP
File
System
B...
Softwar S cur
Trust Boundary - OWASP Top 10
Front Controller
Web Services
Admin Front
Controller
LAN
DB
LDAP
File
System
B...
Softwar S cur
Trust Boundary - OWASP Top 10
Front Controller
Web Services
Admin Front
Controller
LAN
DB
LDAP
File
System
B...
Softwar S cur
Trust Boundary - OWASP Top 10
Front Controller
Web Services
Admin Front
Controller
LAN
DB
LDAP
File
System
B...
Softwar S cur
Trust Boundary - OWASP Top 10
Front Controller
Web Services
Admin Front
Controller
LAN
DB
LDAP
File
System
B...
Softwar S cur
Trust Boundary - OWASP Top 10
Front Controller
Web Services
Admin Front
Controller
LAN
DB
LDAP
File
System
B...
Softwar S cur
Trust Boundary - OWASP Top 10
Front Controller
Web Services
Admin Front
Controller
LAN
DB
LDAP
File
System
B...
Softwar S cur
Trust Boundary - OWASP Top 10
Front Controller
Web Services
Admin Front
Controller
LAN
DB
LDAP
File
System
B...
Softwar S cur
How Can You Identify Trust
Boundary?
Monday, 3 June, 13
Softwar S cur
How Can You Identify Trust
Boundary?
➡ File Extensions: *.jsp, *.aspx.cs, *.sql, *.txt, *DAL.*, etc
Monday, ...
Softwar S cur
How Can You Identify Trust
Boundary?
➡ File Extensions: *.jsp, *.aspx.cs, *.sql, *.txt, *DAL.*, etc
➡ Implem...
Softwar S cur
How Can You Identify Trust
Boundary?
➡ File Extensions: *.jsp, *.aspx.cs, *.sql, *.txt, *DAL.*, etc
➡ Implem...
Softwar S cur
How Can You Identify Trust
Boundary?
➡ File Extensions: *.jsp, *.aspx.cs, *.sql, *.txt, *DAL.*, etc
➡ Implem...
Softwar S cur
How Can You Identify Trust
Boundary?
➡ File Extensions: *.jsp, *.aspx.cs, *.sql, *.txt, *DAL.*, etc
➡ Implem...
Softwar S cur
Making Unsecure Code Look
Unsecure - cc/Joel Spolsky
➡ Physical Source Code Separation.
➡ File Naming Scheme...
Softwar S cur
Automation
Manual
Review
Reporting
Checklists*
Tools*
OWASP*
Top*10*
Trust*Boundary*
Iden=fica=on*
Automation...
Softwar S cur
Automation
Static Code Analysis
Pros Cons
Scales Well False Positives
Low Hanging Fruit Application Logic Is...
Softwar S cur
Scripts
➡ Compliment Static Code Analysis Tools.
➡ 3rd Party Libraries Discovery.
➡ Data Input Sources (e,g....
Softwar S cur
Automation
Manual
Review
Reporting
Checklists*
Tools*
OWASP*
Top*10*
Trust*Boundary*
Iden=fica=on*
Manual Rev...
Softwar S cur
What Needs to Be Manually
Reviewed?
➡ Authentication & Authorization Controls
➡ Encryption Modules
➡ File Up...
Softwar S cur
Authentication &
Authorization Flaws
Monday, 3 June, 13
Softwar S cur
Authentication &
Authorization Flaws
Monday, 3 June, 13
Softwar S cur
Authentication &
Authorization Flaws
Web Methods Do Not Follow
Regular ASP.NET Page Life Cycle
Monday, 3 Jun...
Softwar S cur
Authentication &
Authorization Flaws
Web Methods Do Not Follow
Regular ASP.NET Page Life Cycle
Monday, 3 Jun...
Softwar S cur
Encryption Flaws
Monday, 3 June, 13
Softwar S cur
Encryption Flaws
Monday, 3 June, 13
Softwar S cur
Encryption Flaws
Return value is
initialized
Monday, 3 June, 13
Softwar S cur
Encryption Flaws
Return value is
initialized
Monday, 3 June, 13
Softwar S cur
Encryption Flaws
Return value is
initialized
Monday, 3 June, 13
Softwar S cur
Encryption Flaws
Return value is
initialized
Classic fail-open
scenario
Monday, 3 June, 13
Softwar S cur
File UploadDownload Flaws
Monday, 3 June, 13
Softwar S cur
File UploadDownload Flaws
Monday, 3 June, 13
Softwar S cur
File UploadDownload Flaws
The value gets validated
first time around
Monday, 3 June, 13
Softwar S cur
File UploadDownload Flaws
The value gets validated
first time around
File path saved into a
hidden field
Mon...
Softwar S cur
File UploadDownload Flaws
The value gets validated
first time around
File path saved into a
hidden field
Fil...
Softwar S cur
File UploadDownload Flaws
The value gets validated
first time around
File path saved into a
hidden field
Fil...
Softwar S cur
Automation
Manual
Review
Reporting
Checklists*
Tools*
OWASP*
Top*10*
Trust*Boundary*
Iden=fica=on*
Reporting
...
Softwar S cur
Reporting
➡ Weakness Metadata
➡ Thorough Description
➡ Recommendation
➡ Assign Priority
SQL Injection:
Locat...
Softwar S cur
Confirmation & PoC
Monday, 3 June, 13
Softwar S cur
Confirmation & PoC
Monday, 3 June, 13
Softwar S cur
Confirmation & PoC
Monday, 3 June, 13
Softwar S cur
Confirmation & PoC
Monday, 3 June, 13
Softwar S cur
Automation
Manual
Review
Reporting
Checklists*
Tools*
OWASP*
Top*10*
Trust*Boundary*
Iden=fica=on*
Tools
Mond...
Softwar S cur
Security Code Review Tools
➡ Static Code Analysis
➡ Free: (FindBugs, PMD, CAT.net, PCLint, etc)
➡ Commercial...
Softwar S cur
Open-Source Static
Code Analysis Tools
Java
.NET
C++
Monday, 3 June, 13
Softwar S cur
Automation
Manual
Review
Reporting
Checklists*
Tools*
OWASP*
Top*10*
Trust*Boundary*
Iden=fica=on*
Checklists...
Softwar S cur
Usage of checklists
➡ Aviation: led the modern airplanes evolution
after Major Hill’s famous 1934 incident
➡...
Softwar S cur
Security Code Review
Checklist
➡ Data Validation and Encoding Controls
➡ Encryption Controls
➡ Authenticatio...
Softwar S cur
Resources To Conduct Your
Checklist
➡ NIST Checklist Project - http://checklists.nist.gov/
➡ Mozilla’s Secur...
Softwar S cur
Simplified Security
Code Review Process
Reconnaissance!
Threat Modeling!
Automation!
Manual Review!
Confirmat...
Softwar S cur
Softwar S cur
QUESTIONS?
@skoussa
sherif.koussa@owasp.org
sherif@softwaresecured.com
Monday, 3 June, 13
Upcoming SlideShare
Loading in...5
×

Simplified Security Code Review Process

1,858

Published on

Published in: Technology, Business
1 Comment
5 Likes
Statistics
Notes
No Downloads
Views
Total Views
1,858
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
116
Comments
1
Likes
5
Embeds 0
No embeds

No notes for slide

Simplified Security Code Review Process

  1. 1. Softwar S cur Simplifying Secure Code Reviews Sherif Koussa sherif@softwaresecured.com BSides Quebec 2013 Monday, 3 June, 13
  2. 2. Softwar S cur Security Teams Development Teams Monday, 3 June, 13
  3. 3. Softwar S cur Softwar S cur 2007 2009 2011 2013 Bio Principal Consultant @ SoftwareSecured ✓ Application Security Assessment ✓ Application Security Assurance Program Implementation ✓ Application Security Training Monday, 3 June, 13
  4. 4. Softwar S cur Take Aways Monday, 3 June, 13
  5. 5. Softwar S cur Take Aways Role of Security Code Review Monday, 3 June, 13
  6. 6. Softwar S cur Take Aways Role of Security Code Review Effective Process Monday, 3 June, 13
  7. 7. Softwar S cur Take Aways Role of Security Code Review Effective Process Simplified Process Monday, 3 June, 13
  8. 8. Softwar S cur Take Aways Role of Security Code Review Effective Process Simplified Process Key Tools to Use Monday, 3 June, 13
  9. 9. Softwar S cur What This Presentation is NOT... ➡ Ground Breaking Research ➡ New Tool ➡ How to Fix Vulnerabilities Monday, 3 June, 13
  10. 10. Softwar S cur What IS Security Code Review? Monday, 3 June, 13
  11. 11. Softwar S cur ➡ The Inspection of Source Code to Find Security Weakness What IS Security Code Review? Monday, 3 June, 13
  12. 12. Softwar S cur ➡ The Inspection of Source Code to Find Security Weakness ➡ Integrated Activity into Software Development Lifecycle What IS Security Code Review? Monday, 3 June, 13
  13. 13. Softwar S cur ➡ The Inspection of Source Code to Find Security Weakness ➡ Integrated Activity into Software Development Lifecycle ➡ Cross-Team Integration ➡ Development Teams ➡ Security Teams ➡ ProjectRisk Management What IS Security Code Review? Monday, 3 June, 13
  14. 14. Softwar S cur ➡ The Inspection of Source Code to Find Security Weakness ➡ Integrated Activity into Software Development Lifecycle ➡ Cross-Team Integration ➡ Development Teams ➡ Security Teams ➡ ProjectRisk Management ➡ Systematic Approach to Uncover Security Flaws What IS Security Code Review? Monday, 3 June, 13
  15. 15. Softwar S cur Why Security Code Reviews Monday, 3 June, 13
  16. 16. Softwar S cur Why Security Code Reviews Effectiveness of Security Controls Monday, 3 June, 13
  17. 17. Softwar S cur Why Security Code Reviews Effectiveness of Security Controls Exercise all code paths Monday, 3 June, 13
  18. 18. Softwar S cur Why Security Code Reviews Effectiveness of Security Controls Exercise all code paths All instances of a vulnerability Monday, 3 June, 13
  19. 19. Softwar S cur Why Security Code Reviews Effectiveness of Security Controls Exercise all code paths All instances of a vulnerability Find design flaws Monday, 3 June, 13
  20. 20. Softwar S cur Why Security Code Reviews Effectiveness of Security Controls Exercise all code paths All instances of a vulnerability Find design flaws Remediation Instructions Monday, 3 June, 13
  21. 21. Softwar S cur Effective Security Code Review Process Monday, 3 June, 13
  22. 22. Softwar S cur Effective Security Code Review Process ➡ Reconnaissance Monday, 3 June, 13
  23. 23. Softwar S cur Effective Security Code Review Process ➡ Reconnaissance ➡ Threat Modeling Monday, 3 June, 13
  24. 24. Softwar S cur Effective Security Code Review Process ➡ Reconnaissance ➡ Threat Modeling ➡ Automation Monday, 3 June, 13
  25. 25. Softwar S cur Effective Security Code Review Process ➡ Reconnaissance ➡ Threat Modeling ➡ Automation ➡ Manual Review Monday, 3 June, 13
  26. 26. Softwar S cur Effective Security Code Review Process ➡ Reconnaissance ➡ Threat Modeling ➡ Automation ➡ Manual Review ➡ Confirmation & Proof-Of-Concept Monday, 3 June, 13
  27. 27. Softwar S cur Effective Security Code Review Process ➡ Reconnaissance ➡ Threat Modeling ➡ Automation ➡ Manual Review ➡ Confirmation & Proof-Of-Concept ➡ Reporting Monday, 3 June, 13
  28. 28. Softwar S cur Full SCR Process Reconnaissance! Threat Modeling! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! Skills! Monday, 3 June, 13
  29. 29. Softwar S cur Full SCR Process Reconnaissance! Threat Modeling! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! Skills! •Business Goals •Technology Stack •Use Case Scenarios •Network Deployment Monday, 3 June, 13
  30. 30. Softwar S cur Full SCR Process Reconnaissance! Threat Modeling! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! Skills! •Business Goals •Technology Stack •Use Case Scenarios •Network Deployment •Decompose Application •Attack Surface •Major Security Controls Monday, 3 June, 13
  31. 31. Softwar S cur Full SCR Process Reconnaissance! Threat Modeling! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! Skills! •Business Goals •Technology Stack •Use Case Scenarios •Network Deployment •Decompose Application •Attack Surface •Major Security Controls •Low Hanging Fruit •Hot Spots •Missed Functionalities •Abandoned Code Monday, 3 June, 13
  32. 32. Softwar S cur Full SCR Process Reconnaissance! Threat Modeling! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! Skills! •Business Goals •Technology Stack •Use Case Scenarios •Network Deployment •Decompose Application •Attack Surface •Major Security Controls •Low Hanging Fruit •Hot Spots •Missed Functionalities •Abandoned Code •Security Controls •High Profile Code •Custom Rules Monday, 3 June, 13
  33. 33. Softwar S cur Full SCR Process Reconnaissance! Threat Modeling! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! Skills! •Business Goals •Technology Stack •Use Case Scenarios •Network Deployment •Decompose Application •Attack Surface •Major Security Controls •Low Hanging Fruit •Hot Spots •Missed Functionalities •Abandoned Code •Security Controls •High Profile Code •Custom Rules •Confirmation •Evidences Monday, 3 June, 13
  34. 34. Softwar S cur Full SCR Process Reconnaissance! Threat Modeling! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! Skills! •Business Goals •Technology Stack •Use Case Scenarios •Network Deployment •Decompose Application •Attack Surface •Major Security Controls •Low Hanging Fruit •Hot Spots •Missed Functionalities •Abandoned Code •Security Controls •High Profile Code •Custom Rules •Confirmation •Evidences •Risk Rating •Role Based •Remediation Instructions Monday, 3 June, 13
  35. 35. Softwar S cur Simplified Security Code Review Process Reconnaissance! Threat Modeling! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! Skills! Monday, 3 June, 13
  36. 36. Softwar S cur Simplified Security Code Review Process Reconnaissance! Threat Modeling! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! Skills! Monday, 3 June, 13
  37. 37. Softwar S cur Simplified Security Code Review Process Reconnaissance! Threat Modeling! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! Skills! Automation Manual Review Reporting Checklists* Tools* OWASP* Top*10* Trust*Boundary* Iden=fica=on* Monday, 3 June, 13
  38. 38. Softwar S cur Usages of Simplified Security Code Review Automation Manual Review Reporting Checklists* Tools* OWASP* Top*10* Trust*Boundary* Iden=fica=on* ➡ Ideal for Introducing Development Teams To Security Code Reviews ➡ Crossing The Gap Between Security and Development Teams Monday, 3 June, 13
  39. 39. Softwar S cur Skills - OWASP Top 10 ➡ A1 Injection ➡ A2 Broken Authentication and Session Management ➡ A3 Cross-Site Scripting (XSS) ➡ A4 Insecure Direct Object References ➡ A5 Security Misconfiguration ➡ A6 Sensitive Data Exposure ➡ A7 Missing Function Level Access Control ➡ A8 Cross-Site Request Forgery (CSRF) ➡ A9 Using Known Vulnerable Components ➡ A10 Unvalidated Redirects and Forwards Automation Manual Review Reporting Checklists* Tools* OWASP* Top*10* Trust*Boundary* Iden=fica=on* Monday, 3 June, 13
  40. 40. Softwar S cur A1. Injection A2. Cross-Site Scripting A3. Broken Authentication and Session Management A4. Insecure Direct Object References A5. Cross-Site Request Forgery A6. Security Misconfiguration A7. Insecure Cryptographic Storage A9. Insufficient Transport Layer Protection A8. Failure to Restrict URL Access A10. Unvalidated Redirects and Forwards 2010 Modified New OWASP TOP 10 - 2010 OWASP TOP 10 - 2013 Monday, 3 June, 13
  41. 41. Softwar S cur A1. Injection A2. Cross-Site Scripting A3. Broken Authentication and Session Management A4. Insecure Direct Object References A5. Cross-Site Request Forgery A6. Security Misconfiguration A7. Insecure Cryptographic Storage A9. Insufficient Transport Layer Protection A8. Failure to Restrict URL Access A10. Unvalidated Redirects and Forwards A1. Injection A3. Cross-Site Scripting A2. Broken Authentication and Session Management A4. Insecure Direct Object References A6. Sensitive Data Exposure A5. Security Misconfiguration A7. Missing Function Level Access Control A9. Using Known Vulnerable Components A8. Cross-Site Request Forgery A10. Unvalidated Redirects and Forwards 2010 Modified New OWASP TOP 10 - 2010 OWASP TOP 10 - 2013 Monday, 3 June, 13
  42. 42. Softwar S cur A3 A6 A3 A6 A4 A1 A1 A3 A2 A9 A9 A1. Injection A3. Cross-Site Scripting A2. Broken Authentication and Session Management A4. Insecure Direct Object References A6. Sensitive Data Exposure A5. Security Misconfiguration A7. Missing Function Level Access Control A9. Using Known Vulnerable Components A8. Cross-Site Request Forgery A10. Unvalidated Redirects and Forwards OWASP TOP 10 - 2013 2010 Modified New Veracode Report - 2011 Monday, 3 June, 13
  43. 43. Softwar S cur A7 A10 A4 A1 A8 A4 A3 A9 A1 A1. Injection A3. Cross-Site Scripting A2. Broken Authentication and Session Management A4. Insecure Direct Object References A6. Sensitive Data Exposure A5. Security Misconfiguration A7. Missing Function Level Access Control A9. Using Known Vulnerable Components A8. Cross-Site Request Forgery A10. Unvalidated Redirects and Forwards OWASP TOP 10 - 2013Trustwave Report - 2013 2010 Modified New Monday, 3 June, 13
  44. 44. Softwar S cur A3 A6 A7 A1 A7 A2 A4 A7A4 A4 A2 A3 A1. Injection A3. Cross-Site Scripting A2. Broken Authentication and Session Management A4. Insecure Direct Object References A6. Sensitive Data Exposure A5. Security Misconfiguration A7. Missing Function Level Access Control A9. Using Known Vulnerable Components A8. Cross-Site Request Forgery A10. Unvalidated Redirects and Forwards OWASP TOP 10 - 2013Whitehat Report - 2012 2010 Modified New Monday, 3 June, 13
  45. 45. Softwar S cur Automation Manual Review Reporting Checklists* Tools* OWASP* Top*10* Trust*Boundary* Iden=fica=on* Define Trust Boundary Monday, 3 June, 13
  46. 46. Softwar S cur Trust Boundary - Example Browser SOAP Client Mobile Client Front Controller Web Services Admin Front Controller LAN DB LDAP File System Internet BusinessObjects DataAccessLayer LAN Browser View Monday, 3 June, 13
  47. 47. Softwar S cur Trust Boundary - Example Browser SOAP Client Mobile Client Front Controller Web Services Admin Front Controller LAN DB LDAP File System Internet BusinessObjects DataAccessLayer LAN Browser View Monday, 3 June, 13
  48. 48. Softwar S cur Trust Boundary - Example Browser SOAP Client Mobile Client Front Controller Web Services Admin Front Controller LAN DB LDAP File System Internet BusinessObjects DataAccessLayer LAN Browser View Monday, 3 June, 13
  49. 49. Softwar S cur Trust Boundary - Example Browser SOAP Client Mobile Client Front Controller Web Services Admin Front Controller LAN DB LDAP File System Internet BusinessObjects DataAccessLayer LAN Browser View Monday, 3 June, 13
  50. 50. Softwar S cur Trust Boundary - Example Browser SOAP Client Mobile Client Front Controller Web Services Admin Front Controller LAN DB LDAP File System Internet BusinessObjects DataAccessLayer LAN Browser View Monday, 3 June, 13
  51. 51. Softwar S cur Trust Boundary - Example Browser SOAP Client Mobile Client Front Controller Web Services Admin Front Controller LAN DB LDAP File System Internet BusinessObjects DataAccessLayer LAN Browser View Monday, 3 June, 13
  52. 52. Softwar S cur Trust Boundary - Example Browser SOAP Client Mobile Client Front Controller Web Services Admin Front Controller LAN DB LDAP File System Internet BusinessObjects DataAccessLayer LAN Browser View Monday, 3 June, 13
  53. 53. Softwar S cur Trust Boundary - OWASP Top 10 Front Controller Web Services Admin Front Controller LAN DB LDAP File System BusinessObjects DataAccessLayer View ➡ A1 Injection ➡ A2 Broken Authentication and Session Management ➡ A3 Cross-Site Scripting (XSS) ➡ A4 Insecure Direct Object References ➡ A5 Security Misconfiguration ➡ A6 Sensitive Data Exposure ➡ A7 Missing Function Level Access Control ➡ A8 Cross-Site Request Forgery (CSRF) ➡ A9 Using Known Vulnerable Components ➡ A10 Unvalidated Redirects and Forwards Monday, 3 June, 13
  54. 54. Softwar S cur Trust Boundary - OWASP Top 10 Front Controller Web Services Admin Front Controller LAN DB LDAP File System BusinessObjects DataAccessLayer View ➡ A1 Injection ➡ A2 Broken Authentication and Session Management ➡ A3 Cross-Site Scripting (XSS) ➡ A4 Insecure Direct Object References ➡ A5 Security Misconfiguration ➡ A6 Sensitive Data Exposure ➡ A7 Missing Function Level Access Control ➡ A8 Cross-Site Request Forgery (CSRF) ➡ A9 Using Known Vulnerable Components ➡ A10 Unvalidated Redirects and Forwards A1 Monday, 3 June, 13
  55. 55. Softwar S cur Trust Boundary - OWASP Top 10 Front Controller Web Services Admin Front Controller LAN DB LDAP File System BusinessObjects DataAccessLayer View ➡ A1 Injection ➡ A2 Broken Authentication and Session Management ➡ A3 Cross-Site Scripting (XSS) ➡ A4 Insecure Direct Object References ➡ A5 Security Misconfiguration ➡ A6 Sensitive Data Exposure ➡ A7 Missing Function Level Access Control ➡ A8 Cross-Site Request Forgery (CSRF) ➡ A9 Using Known Vulnerable Components ➡ A10 Unvalidated Redirects and Forwards A1 A2 A2 A2 Monday, 3 June, 13
  56. 56. Softwar S cur Trust Boundary - OWASP Top 10 Front Controller Web Services Admin Front Controller LAN DB LDAP File System BusinessObjects DataAccessLayer View ➡ A1 Injection ➡ A2 Broken Authentication and Session Management ➡ A3 Cross-Site Scripting (XSS) ➡ A4 Insecure Direct Object References ➡ A5 Security Misconfiguration ➡ A6 Sensitive Data Exposure ➡ A7 Missing Function Level Access Control ➡ A8 Cross-Site Request Forgery (CSRF) ➡ A9 Using Known Vulnerable Components ➡ A10 Unvalidated Redirects and Forwards A1 A2 A2 A2 A3 Monday, 3 June, 13
  57. 57. Softwar S cur Trust Boundary - OWASP Top 10 Front Controller Web Services Admin Front Controller LAN DB LDAP File System BusinessObjects DataAccessLayer View ➡ A1 Injection ➡ A2 Broken Authentication and Session Management ➡ A3 Cross-Site Scripting (XSS) ➡ A4 Insecure Direct Object References ➡ A5 Security Misconfiguration ➡ A6 Sensitive Data Exposure ➡ A7 Missing Function Level Access Control ➡ A8 Cross-Site Request Forgery (CSRF) ➡ A9 Using Known Vulnerable Components ➡ A10 Unvalidated Redirects and Forwards A1 A2 A2 A2 A3 A4 A4 Monday, 3 June, 13
  58. 58. Softwar S cur Trust Boundary - OWASP Top 10 Front Controller Web Services Admin Front Controller LAN DB LDAP File System BusinessObjects DataAccessLayer View ➡ A1 Injection ➡ A2 Broken Authentication and Session Management ➡ A3 Cross-Site Scripting (XSS) ➡ A4 Insecure Direct Object References ➡ A5 Security Misconfiguration ➡ A6 Sensitive Data Exposure ➡ A7 Missing Function Level Access Control ➡ A8 Cross-Site Request Forgery (CSRF) ➡ A9 Using Known Vulnerable Components ➡ A10 Unvalidated Redirects and Forwards A1 A2 A2 A2 A3 A4 A5 A4 Monday, 3 June, 13
  59. 59. Softwar S cur Trust Boundary - OWASP Top 10 Front Controller Web Services Admin Front Controller LAN DB LDAP File System BusinessObjects DataAccessLayer View ➡ A1 Injection ➡ A2 Broken Authentication and Session Management ➡ A3 Cross-Site Scripting (XSS) ➡ A4 Insecure Direct Object References ➡ A5 Security Misconfiguration ➡ A6 Sensitive Data Exposure ➡ A7 Missing Function Level Access Control ➡ A8 Cross-Site Request Forgery (CSRF) ➡ A9 Using Known Vulnerable Components ➡ A10 Unvalidated Redirects and Forwards A1 A2 A2 A2 A3 A4 A5 A4 A6 A6 Monday, 3 June, 13
  60. 60. Softwar S cur Trust Boundary - OWASP Top 10 Front Controller Web Services Admin Front Controller LAN DB LDAP File System BusinessObjects DataAccessLayer View ➡ A1 Injection ➡ A2 Broken Authentication and Session Management ➡ A3 Cross-Site Scripting (XSS) ➡ A4 Insecure Direct Object References ➡ A5 Security Misconfiguration ➡ A6 Sensitive Data Exposure ➡ A7 Missing Function Level Access Control ➡ A8 Cross-Site Request Forgery (CSRF) ➡ A9 Using Known Vulnerable Components ➡ A10 Unvalidated Redirects and Forwards A1 A2 A2 A2 A3 A4 A5 A4 A6 A7 A6 Monday, 3 June, 13
  61. 61. Softwar S cur Trust Boundary - OWASP Top 10 Front Controller Web Services Admin Front Controller LAN DB LDAP File System BusinessObjects DataAccessLayer View ➡ A1 Injection ➡ A2 Broken Authentication and Session Management ➡ A3 Cross-Site Scripting (XSS) ➡ A4 Insecure Direct Object References ➡ A5 Security Misconfiguration ➡ A6 Sensitive Data Exposure ➡ A7 Missing Function Level Access Control ➡ A8 Cross-Site Request Forgery (CSRF) ➡ A9 Using Known Vulnerable Components ➡ A10 Unvalidated Redirects and Forwards A1 A2 A2 A2 A3 A4 A5 A4 A6 A7 A8 A6 Monday, 3 June, 13
  62. 62. Softwar S cur Trust Boundary - OWASP Top 10 Front Controller Web Services Admin Front Controller LAN DB LDAP File System BusinessObjects DataAccessLayer View ➡ A1 Injection ➡ A2 Broken Authentication and Session Management ➡ A3 Cross-Site Scripting (XSS) ➡ A4 Insecure Direct Object References ➡ A5 Security Misconfiguration ➡ A6 Sensitive Data Exposure ➡ A7 Missing Function Level Access Control ➡ A8 Cross-Site Request Forgery (CSRF) ➡ A9 Using Known Vulnerable Components ➡ A10 Unvalidated Redirects and Forwards A1 A2 A2 A2 A3 A4 A5 A4 A6 A7 A8 A10 A10 A6 A9 A9 A9 A9 A9 Monday, 3 June, 13
  63. 63. Softwar S cur How Can You Identify Trust Boundary? Monday, 3 June, 13
  64. 64. Softwar S cur How Can You Identify Trust Boundary? ➡ File Extensions: *.jsp, *.aspx.cs, *.sql, *.txt, *DAL.*, etc Monday, 3 June, 13
  65. 65. Softwar S cur How Can You Identify Trust Boundary? ➡ File Extensions: *.jsp, *.aspx.cs, *.sql, *.txt, *DAL.*, etc ➡ Implementations: HttpServlet, JAXMServlet, *.master.cs, etc Monday, 3 June, 13
  66. 66. Softwar S cur How Can You Identify Trust Boundary? ➡ File Extensions: *.jsp, *.aspx.cs, *.sql, *.txt, *DAL.*, etc ➡ Implementations: HttpServlet, JAXMServlet, *.master.cs, etc ➡ Imports: Import System.Data.SqlClient, import javax.servlet.http.*, etc Monday, 3 June, 13
  67. 67. Softwar S cur How Can You Identify Trust Boundary? ➡ File Extensions: *.jsp, *.aspx.cs, *.sql, *.txt, *DAL.*, etc ➡ Implementations: HttpServlet, JAXMServlet, *.master.cs, etc ➡ Imports: Import System.Data.SqlClient, import javax.servlet.http.*, etc ➡ Tools: Spiders’ output Monday, 3 June, 13
  68. 68. Softwar S cur How Can You Identify Trust Boundary? ➡ File Extensions: *.jsp, *.aspx.cs, *.sql, *.txt, *DAL.*, etc ➡ Implementations: HttpServlet, JAXMServlet, *.master.cs, etc ➡ Imports: Import System.Data.SqlClient, import javax.servlet.http.*, etc ➡ Tools: Spiders’ output ➡ Annotations: @WebMethods, @WebService Monday, 3 June, 13
  69. 69. Softwar S cur Making Unsecure Code Look Unsecure - cc/Joel Spolsky ➡ Physical Source Code Separation. ➡ File Naming Scheme: ➡ Trust Boundary Safe: tbsProcessNameChange.java ➡ Trust Boundary UnSafe: tbuEditProfile.jsp ➡ Variable Naming Convention: ➡ String usEmail = Request.getParameter(“email”); ➡ String sEmail = Validate(Request.getParameter(“email”); Monday, 3 June, 13
  70. 70. Softwar S cur Automation Manual Review Reporting Checklists* Tools* OWASP* Top*10* Trust*Boundary* Iden=fica=on* Automation Monday, 3 June, 13
  71. 71. Softwar S cur Automation Static Code Analysis Pros Cons Scales Well False Positives Low Hanging Fruit Application Logic Issues Could Be Customized Collections Frameworks Monday, 3 June, 13
  72. 72. Softwar S cur Scripts ➡ Compliment Static Code Analysis Tools. ➡ 3rd Party Libraries Discovery. ➡ Data Input Sources (e,g. web services) ➡ Tracing Data Through Collections (e.g. Session, Request, Collection) Monday, 3 June, 13
  73. 73. Softwar S cur Automation Manual Review Reporting Checklists* Tools* OWASP* Top*10* Trust*Boundary* Iden=fica=on* Manual Review Monday, 3 June, 13
  74. 74. Softwar S cur What Needs to Be Manually Reviewed? ➡ Authentication & Authorization Controls ➡ Encryption Modules ➡ File Upload and Download Operations ➡ Validation ControlsInput Filters ➡ Security-Sensitive Application Logic Monday, 3 June, 13
  75. 75. Softwar S cur Authentication & Authorization Flaws Monday, 3 June, 13
  76. 76. Softwar S cur Authentication & Authorization Flaws Monday, 3 June, 13
  77. 77. Softwar S cur Authentication & Authorization Flaws Web Methods Do Not Follow Regular ASP.NET Page Life Cycle Monday, 3 June, 13
  78. 78. Softwar S cur Authentication & Authorization Flaws Web Methods Do Not Follow Regular ASP.NET Page Life Cycle Monday, 3 June, 13
  79. 79. Softwar S cur Encryption Flaws Monday, 3 June, 13
  80. 80. Softwar S cur Encryption Flaws Monday, 3 June, 13
  81. 81. Softwar S cur Encryption Flaws Return value is initialized Monday, 3 June, 13
  82. 82. Softwar S cur Encryption Flaws Return value is initialized Monday, 3 June, 13
  83. 83. Softwar S cur Encryption Flaws Return value is initialized Monday, 3 June, 13
  84. 84. Softwar S cur Encryption Flaws Return value is initialized Classic fail-open scenario Monday, 3 June, 13
  85. 85. Softwar S cur File UploadDownload Flaws Monday, 3 June, 13
  86. 86. Softwar S cur File UploadDownload Flaws Monday, 3 June, 13
  87. 87. Softwar S cur File UploadDownload Flaws The value gets validated first time around Monday, 3 June, 13
  88. 88. Softwar S cur File UploadDownload Flaws The value gets validated first time around File path saved into a hidden field Monday, 3 June, 13
  89. 89. Softwar S cur File UploadDownload Flaws The value gets validated first time around File path saved into a hidden field File path is not validated on post back Monday, 3 June, 13
  90. 90. Softwar S cur File UploadDownload Flaws The value gets validated first time around File path saved into a hidden field File path is not validated on post back Path used without validation Monday, 3 June, 13
  91. 91. Softwar S cur Automation Manual Review Reporting Checklists* Tools* OWASP* Top*10* Trust*Boundary* Iden=fica=on* Reporting Monday, 3 June, 13
  92. 92. Softwar S cur Reporting ➡ Weakness Metadata ➡ Thorough Description ➡ Recommendation ➡ Assign Priority SQL Injection: Location: sourceACMEPortalupdateinfo.aspx.cs: Description:The code below is build dynamic sql statement using unvalidated data (i.e. name) which can lead to SQL Injection 51 SqlDataAdapter myCommand = new SqlDataAdapter( 52 "SELECT au_lname, au_fname FROM author WHERE au_id = '" + 53 SSN.Text + "'", myConnection); Priority: High Recommendation: Use paramaterized SQL instead of dynamic concatenation, refer to http://msdn.microsoft.com/en-us/library/ ff648339.aspx for details. Owner: John Smith Monday, 3 June, 13
  93. 93. Softwar S cur Confirmation & PoC Monday, 3 June, 13
  94. 94. Softwar S cur Confirmation & PoC Monday, 3 June, 13
  95. 95. Softwar S cur Confirmation & PoC Monday, 3 June, 13
  96. 96. Softwar S cur Confirmation & PoC Monday, 3 June, 13
  97. 97. Softwar S cur Automation Manual Review Reporting Checklists* Tools* OWASP* Top*10* Trust*Boundary* Iden=fica=on* Tools Monday, 3 June, 13
  98. 98. Softwar S cur Security Code Review Tools ➡ Static Code Analysis ➡ Free: (FindBugs, PMD, CAT.net, PCLint, etc) ➡ Commercial: (Static Code Tools Evaluation Criteria - WASC) ➡ 3rd Party Libraries: (DependencyCheck - https://github.com/ jeremylong/DependencyCheck) ➡ Scripts Monday, 3 June, 13
  99. 99. Softwar S cur Open-Source Static Code Analysis Tools Java .NET C++ Monday, 3 June, 13
  100. 100. Softwar S cur Automation Manual Review Reporting Checklists* Tools* OWASP* Top*10* Trust*Boundary* Iden=fica=on* Checklists Monday, 3 June, 13
  101. 101. Softwar S cur Usage of checklists ➡ Aviation: led the modern airplanes evolution after Major Hill’s famous 1934 incident ➡ ICU: usage of checklists brought down infection rates in Michigan by 66% Monday, 3 June, 13
  102. 102. Softwar S cur Security Code Review Checklist ➡ Data Validation and Encoding Controls ➡ Encryption Controls ➡ Authentication and Authorization Controls ➡ Session Management ➡ Exception Handling ➡ Auditing and Logging ➡ Security Configurations Monday, 3 June, 13
  103. 103. Softwar S cur Resources To Conduct Your Checklist ➡ NIST Checklist Project - http://checklists.nist.gov/ ➡ Mozilla’s Secure Coding QA Checklist - https:// wiki.mozilla.org/WebAppSec/ Secure_Coding_QA_Checklist ➡ Oracle’s Secure Coding Checklist - http:// www.oracle.com/technetwork/java/ seccodeguide-139067.html Monday, 3 June, 13
  104. 104. Softwar S cur Simplified Security Code Review Process Reconnaissance! Threat Modeling! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! Skills! Automation Manual Review Reporting Checklists* Tools* OWASP* Top*10* Trust*Boundary* Iden=fica=on* Monday, 3 June, 13
  105. 105. Softwar S cur Softwar S cur QUESTIONS? @skoussa sherif.koussa@owasp.org sherif@softwaresecured.com Monday, 3 June, 13
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×