Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)

Secure Code Review is the best approach to uncover the most security flaws, in addition to being the only approach that finds certain types of flaws, such as design flaws. During this session, you will learn how to perform security code review and uncover vulnerabilities such as the OWASP Top 10 (Cross-site Scripting, SQL Injection, Access Control and much more) in the early stages of development, working on a real-life application. You will also get an introduction to Static Code Analysis tools and to automating parts of the process with tools like FxCop.

  1. Security Code Review For .Net Applications
     Sherif Koussa, OWASP Ottawa Chapter Leader, Software Secured, sherif.koussa@owasp.org
     OWASP Education Project, The OWASP Foundation, http://www.owasp.org
     Copyright 2007 © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
     Thursday, 9 May, 13
  2. Bio
     - Principal Consultant @ Software Secured
     - Security Code Review
     - Penetration Testing
     - Secure SDL Integration
     - Application Security Training
  3. Take Aways
     - What is Security Code Review
     - Effective Security Code Review Process
     - How to Implement Your Own Process
     - Key Tools to Use
  4. What Security Code Review is... NOT?
     - A Separate Activity From the SDLC
     - Running a Tool
     - Ad-hoc Activity
     - Pentesting (Just Say'n!)
  5. What IS Security Code Review?
     - The Inspection of Source Code to Find Security Weakness
     - Integrated Activity into Software Development Lifecycle
     - Cross-Team Integration: Development Teams, Security Teams, Project Risk Management
     - Systematic Approach to Uncover Security Flaws
  6. Why Security Code Reviews
     - Effectiveness of security controls against known threats
     - Exercise all application execution paths
     - Find all instances of a certain vulnerability
     - The only way to find certain types of vulnerabilities
     - Effective remediation instructions
  7. What Are We Looking For?
     - Software Weaknesses: SQL Injection, Cross-site Scripting, Insufficient Authentication
     - Application Logic Issues: Application Logic Bypass
     - Dead/Debug Code
     - Misconfiguration Issues
  8. Important Steps For Effective Process
     - Reconnaissance: Understand the application
     - Threat Assessment: Enumerate inputs, threats and attack surface
     - Automation: Low hanging fruits
     - Manual Review: High-risk modules
     - Confirmation & PoC: Confirm high-risk vulnerabilities
     - Reporting: Communicate back to the development team
  9. Process diagram: Reconnaissance -> Threat Assessment -> Automation -> Manual Review -> Confirmation & PoC -> Reporting, supported by Checklist, Tools and Security Skills
  10. RECONNAISSANCE (section divider; process diagram: Reconnaissance -> Threat Assessment -> Automation -> Manual Review -> Confirmation & PoC -> Reporting, supported by Checklists, Tools and OWASP Top 10)
  11. Reconnaissance
     - Primary Business Goal of the Application
     - Use Cases
     - Abuse Cases
     - Different User Roles
     - Technology Stack of the Application
     - Environment Discovery
     - Use the Application
  12. THREAT ASSESSMENT (section divider with the process diagram)
  13. Enumerate Assets
     - Data: personal data, financial data, etc.
     - Infrastructure: CPU, bandwidth, disk space, etc.
     - Users: malware, phishing, clicks
     - Intellectual Property: software source code
     - Other Systems/Applications: proxy to other more valuable systems
  14. Enumerate Threats
     - Data Theft
     - Information Disclosure
     - Spreading Malware
     - Phishing
     - Username Harvesting
     - Fraudulent Transactions
     - Likejacking
  15. Enumerate Vulnerabilities: OWASP Top 10
     - A1 Injection
     - A2 Broken Authentication and Session Management
     - A3 Cross-Site Scripting (XSS)
     - A4 Insecure Direct Object References
     - A5 Security Misconfiguration
     - A6 Sensitive Data Exposure
     - A7 Missing Function Level Access Control
     - A8 Cross-Site Request Forgery (CSRF)
     - A9 Using Known Vulnerable Components
     - A10 Unvalidated Redirects and Forwards
  16. AUTOMATION (section divider with the process diagram)
  17. Automation
     - Static Code Analysis Tools
     - Scripts
  18. Automation with CAT.NET
     "CAT.NET is a binary code analysis tool that helps identify common variants of certain prevailing vulnerabilities that can give rise to common attack vectors" - Microsoft
     Comes with built-in rules:
     - Reflected Cross-Site Scripting
     - SQL Injection
     - XPath Injection
     - LDAP Injection
     - File Canonicalization Issues
     - Command Injection
     - Information Disclosure
     Download from MSDN
  19. Demo...
  20. MANUAL REVIEW (section divider with the process diagram; Threat Modeling in place of Threat Assessment)
  21. A1. Injection (Manual / Automatic)
     - Start With Automation
     - Database Script (*.sql, *.txt, etc.)
     - Pay Attention to Patterns & Coding Styles
     - Second Order Injection
  22. A2. Broken Authentication and Session Management (Manual / Automatic)
     - Authentication Process
     - Password Storage
     - Password Reset/Changes
     - Session Generation
     - Session Timeout
     - Cookie Domain/Path
     - ViewState Protection
  23. A3. Cross-Site Scripting (Manual / Automatic)
     - Inspect application's defenses (e.g. Request Validation)
     - Contextual HTML output encoding
     - ASP.NET controls with no output encoding (MSDN)
     - DOM-Based Cross-site Scripting
     - HttpOnly Flag on Cookies
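What the A3 review points above look like in a Web Forms code-behind, as an added C# example (not from the deck): a control that renders its Text verbatim, encoding chosen per output context, and the HttpOnly flag on a cookie. The page, control and cookie names (ProfilePage, CommentLabel, CommentHtml, SessionHint) and the query-string parameters are assumed.

```csharp
using System;
using System.Web;
using System.Web.Security.AntiXss;   // .NET 4.5+
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example, not part of the deck. Names are assumed for illustration.
public partial class ProfilePage : Page
{
    // Normally declared by the designer file; declared here to stay self-contained.
    protected Label CommentLabel;
    protected Literal CommentHtml;

    protected void Page_Load(object sender, EventArgs e)
    {
        // Request Validation only rejects obvious markup; treat it as a backstop, not the control.
        string comment = Request.QueryString["comment"] ?? string.Empty;
        string author  = Request.QueryString["author"]  ?? string.Empty;

        // FINDING: Label.Text is written to the page as-is, so query-string input
        // lands in the HTML body unencoded. (Kept commented out as the "before".)
        // CommentLabel.Text = comment;

        // FIX 1, HTML body context: entity-encode before handing the value to the control.
        CommentLabel.Text = AntiXssEncoder.HtmlEncode(comment, useNamedEntities: false);

        // FIX 2, hand-built markup in a Literal (which does not encode either):
        // attribute values get attribute encoding, element text gets body encoding.
        CommentHtml.Text =
            "<blockquote title=\"" + AntiXssEncoder.HtmlAttributeEncode(author) + "\">" +
            AntiXssEncoder.HtmlEncode(comment, false) +
            "</blockquote>";

        // FIX 3, JavaScript string context: a value inside a script literal needs
        // JS-string encoding; HTML encoding would not stop a quote from closing the string.
        string script = "var lastAuthor = '" + HttpUtility.JavaScriptStringEncode(author) + "';";
        ClientScript.RegisterStartupScript(GetType(), "lastAuthor", script, true);

        // HttpOnly keeps the cookie out of document.cookie, so script that does slip
        // through cannot read it; Secure and Path are the related cookie checks.
        var hint = new HttpCookie("SessionHint", "1") { HttpOnly = true, Secure = true, Path = "/" };
        Response.Cookies.Add(hint);
    }
}
```

During review, the uncommented "before" line is the pattern to search for: any assignment of request-derived data to Label.Text or Literal.Text with no encoder call in between.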
  24. A4. Insecure Direct Object Reference (Manual / Automatic)
     - Parameters <-> resources relationship
     - Hidden Fields
     - JavaScript (JSON, AJAX)
     - Querystring parameters
  25. CONFIRMATION & POC (section divider with the process diagram)
  26. Confirmation & PoC
  29. REPORTING (section divider with the process diagram)
  30. Reporting
     - Weakness Metadata
     - Thorough Description
     - Recommendation
     - Assign Appropriate Priority
     Sample finding:
     SQL Injection
     Location: source\ACMEPortal\updateinfo.aspx.cs
     Description: The code below builds a dynamic SQL statement using unvalidated data (i.e. name), which can lead to SQL Injection:
         51 SqlDataAdapter myCommand = new SqlDataAdapter(
         52     "SELECT au_lname, au_fname FROM author WHERE au_id = " +
         53     SSN.Text + "", myConnection);
     Priority: High
     Recommendation: Use parameterized SQL instead of dynamic concatenation, refer to for details.
     Owner: John Smith
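The finding above next to the remediation its recommendation asks for, as an added C# example (not the deck's code): the concatenated SqlDataAdapter query as reported, and the same lookup with the value passed as a typed parameter. Table and column names follow the slide; the ssn parameter stands in for the SSN.Text control value and the open SqlConnection is assumed to come from the caller.

```csharp
using System.Data;
using System.Data.SqlClient;

// Added example, not part of the deck. "ssn" replaces the SSN.Text control value.
public static class AuthorLookup
{
    // BEFORE: the pattern flagged in the finding. Whatever the user typed becomes
    // part of the SQL text, so the query's meaning depends on the input. A reviewer
    // can find this family by searching for SQL string literals joined with '+'
    // or string.Format.
    public static DataTable LookupUnsafe(SqlConnection myConnection, string ssn)
    {
        var myCommand = new SqlDataAdapter(
            "SELECT au_lname, au_fname FROM author WHERE au_id = " + ssn,
            myConnection);
        var table = new DataTable();
        myCommand.Fill(table);
        return table;
    }

    // AFTER: the SQL text is a constant; the value travels as a parameter and can
    // never be parsed as SQL. The explicit type and length also give the server a
    // stable plan instead of one plan per distinct input.
    public static DataTable LookupSafe(SqlConnection myConnection, string ssn)
    {
        const string sql =
            "SELECT au_lname, au_fname FROM author WHERE au_id = @au_id";
        using (var command = new SqlCommand(sql, myConnection))
        {
            command.Parameters.Add("@au_id", SqlDbType.VarChar, 11).Value = ssn;
            using (var adapter = new SqlDataAdapter(command))
            {
                var table = new DataTable();
                adapter.Fill(table);
                return table;
            }
        }
    }
}
```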
  31. CHECKLISTS (section divider with the process diagram)
  32. Checklist - A bit of history
     - Aviation: led the evolution of modern airplanes after Major Hill's famous 1934 incident
     - ICU: usage of checklists brought down infection rates in Michigan by 66%
  33. What Does a Checklist Cover?
     - Data Validation and Encoding Controls
     - Encryption Controls
     - Authentication and Authorization Controls
     - Session Management
     - Exception Handling
     - Auditing and Logging
     - Security Configurations
  34. Resources to Conduct Your Checklist
     - NIST Checklist Project
     - ...'s Secure Coding QA Checklist
     - ...'s Secure Coding Checklist
  35. Full Application Security Code Review (process diagram: Reconnaissance -> Threat Modeling -> Automation -> Manual Review -> Confirmation & PoC -> Reporting, supported by Checklists, Tools and OWASP Top 10)
  36. QUESTIONS? sherif.koussa@owasp.org, sherif@softwaresecured.com