SlideShare a Scribd company logo

Security Code Review 101

Download as PPTX, PDF
P
Paul Ionescu

Code review is, hopefully, part of regular development practices for any organization. Adding security elements to code review can be the most effective measure in preventing vulnerabilities, very early in the development lifecycle, even before the first commit. This is an interactive presentation which will contain the basic elements to get you started. The audience will help review more than a dozen software examples in order to figure out the good from the ugly. The software examples are based on OWASP Top 10 and SANS Top 25 favourites such as Injection, Memory Flaws, Sensitive Data Exposure, Cross-Site Scripting and Broken Access Control.

Software
1 of 69
About Me
The Tip of the Iceberg Input Validation Parameterized Commands Safe functions Indirect Object References Encrypt Data Safe Memory Management Neutralize Output
Input Validation • Only allow input that you are expecting • Wouldyou letsomeonein your house ifyou thoughttheyshouldnot bethere? • Block lists are inefficient • Wouldyou maintaina block listofpeoplethatcannot cometoyour house? • Block listing-likegiving keys toyour house toeveryone excepta fewunwanted visitors.
LET'S PLAY, SPOT THE VALIDATION PROBLEM!
Answer: Both
Answer: Top
Special Characters Not Needed • Many parameter types not intended to contain symbols or punctuation • Many not even intended to contain Unicode characters • Parameters going into database queries such as ID, true/false, asc/desc have even a smaller character set Alphanumeric Alphanumeric + .-_
Input Validation Function Example
A Simple Multi-Purpose Function isAlphanumOrEx("true") isAlphanumOrEx("desc") isAlphanumOrEx("21845816438168") isAlphanumOrEx("0x0709750fa566") isAlphanumOrEx("Cr2i7nHq6qiMEs") isAlphanumOrEx("site.local",'.')
𝑽𝒖𝒍𝒏𝒆𝒓𝒂𝒃𝒊𝒍𝒊𝒕𝒊𝒆𝒔 = 𝑭( 𝑰𝒏𝒑𝒖𝒕 𝟏 + 𝑽𝒂𝒍𝒊𝒅𝒂𝒕𝒊𝒐𝒏 )
Attacks Prevented by Input Validation •Injection •Path Traversal •Cross-Site Scripting •Open Redirect •Deserialization …
How About the Irish? •Names, comments, articles, free text require quotes: •O'Brien, don't, "putting things in quotes" •While input validation reduces the attack surface, it cannot prevent all attacks
To sum all it up… •Input Validation reduces the attack surface and prevents many attack types •Block-listing is a bad practice •Many input types are alphanumeric •For those input types that need special characters we need different defenses
CONCATENATION … causes Injection! COMMAND +INPUT= INJECTION
CONCATENATION Command Constant Parameter 1 Input Parameter 2 Input Command Interpreter … prevent Injection!
LET'S PLAY, SPOT THE INJECTION!
Answer: Top
Answer: Top
ORM Frameworks • ORM = Object Relational Mapping • ORM Frameworks keep developers away from SQL Queries • Popular ORM Framework: Hibernate Command Constant Parameter 1 Input Parameter 2 Input Command Interpreter Object Field1 Input Field2 Input
To sum all it up… •Parameterized Commands handle situations where hazardous chars are needed •ORM Frameworks prevent mistakes
Problems with Memory •Classic Overflow •Incorrect Calculation of Buffer Size •Off by One •Format String Injection •Use-after-free
Memory Safer Functions fgets(dest_buff, BUFF_SIZE, stdin) snprintf(dest_buff, BUFF_SIZE, format, …); strncpy(dest_buff, src_buff, BUFF_SIZE); strncmp(buff1, buff2, BUFF_SIZE); If the BUFF_SIZE argument is larger than the size of the buffer: OVERFLOW!
Check Boundaries •A simple comparison against a known limit constant can go a long way to prevent serious logical attacks. •Pay special attention to comparison operators • < vs <=, <= can lead to off by one •Make sure the same constant is used to define buffer size and check boundaries
• Format String Injection is a type of memory flaw caused by concatenating or using user input in a format parameter. Memory Injection?
LET'S PLAY, SPOT THE MEMORY PROBLEM!
Answer: Bottom (use of dangerous functions)
Answer: Bottom (incorrect calculation of buffer size)
Answer: Top (Format String Injection)
Answer: Top (Off by One)
To sum all it up… •Safer functions allow limiting the number of bytes read into the buffer •Even with safe functions special attention should be paid to size specified, very important to use constants to prevent mistakes •Do not allow user input in format strings •Careful with <= operator
Securing Data • The General Data Privacy Regulation (GDPR) has put additional emphasis on maintaining the security and privacy of data • Data should be transmitted and stored securely • Cryptography is one critical way to achieve this mandate • Secure protocols: TLS 1.2, TLS 1.3 • Secure ciphers: ECDHE • Strong digital signatures: SHA-2 • Reject invalid certificates and even more, enforce certificate pinning • Strong authenticated symmetric encryption in transit and at rest: AES 256 GCM • Other ways: • Anonymize private data • Do not collect or send private data • Short data retention • Ensure customer control over own data
LET'S PLAY, SPOT THE DATA BREACH!
Answer: Top (Password stored with weak un- salted hash)
Answer: Bottom (User and password transmitted in clear text)
Answer: Top (Person details and credit card number saved in the clear to S3 bucket)
To sum all it up… •Avoid collecting data for individuals •Pseudonymize the data. Strong salted hashes can be used, replace key data with * •Use strong cryptographic algorithms •All communication should be encrypted. •Data classification is risky so when in doubt, encrypt all data
Protect the Web UIs • Enterprise applications are using Web UIs • HTML is good looking, platform independent and powerful • JavaScript libraries such as jQuery, React and Angular make UIs responsive and versatile
Cross-Site Scripting (XSS) • The ability to inject arbitrary JavaScript into a web page • Reflected • Stored • DOM based • Easy to introduce • Easy to find • Leads to data breaches through spoofing attacks
Defending against XSS • Input validation ;) • Neutralize Output • Server Pages -> HTML Encoding (Escaping) • < becomes &lt; • > becomes &gt; • " becomes &quot; • JavaScript (DOM XSS) • Dangerous Attributes • innerHTML • src • onLoad, onClick, etc… • Dangerous Functions • eval • setTimeout • setInterval
HTML Encoding Neutralizes XSS
LET'S PLAY, SPOT THE XSS!
Answer: Bottom (User input is written into the page as is)
Answer: Bottom (Data is written into a dangerous HTML attribute)
Answer: Top (Code is executing a dangerous function, actually an example of code injection)
Answer: Bottom (Input is being reflected between the <script> tags)
To sum all it up… •XSS is easy to introduce and easy to find •Encoding should be applied to all server side generated content. •Additional encoding of single quotes required •Dangerous HTML contexts should be handled with care or avoided
Indirect Object References • Object accessed indirectly through an intermediary identifier • Prevent parameter path manipulation • fileId=1 vs file=/etc/passwd • Prevent transmission of potential sensitive data in URLs • userId=2 vs user=john_doe • Input validation facilitated (identifiers are numbers or GUIDs) 1 2 3
LET'S PLAY, SPOT THE PATH TRAVERSAL!
Answer: Top (Input is concatenated to a system path allowing manipulation)
To sum all it up… •Reduce the attack surface by enforcing accessing objects through identifiers rather than actual representation •Identifiers can be input validated easier, also solve encoding issues
Security Code Review 101
Security Code Review 101

Recommended

Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Secure code
Secure codeSecure code
Secure codeddeogun
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Sam Bowne
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesMohammed Danish Amber
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101Narudom Roongsiriwong, CISSP
 

Recommended

Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Secure code
Secure codeSecure code
Secure codeddeogun
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Sam Bowne
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesMohammed Danish Amber
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101Narudom Roongsiriwong, CISSP
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST APINutan Kumar Panda
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Secure PHP Coding
Secure PHP CodingSecure PHP Coding
Secure PHP CodingNarudom Roongsiriwong, CISSP
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesWebsecurify
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Hossam .M Hamed
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Security testing
Security testingSecurity testing
Security testingTabăra de Testare
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfMatt Tesauro
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01Michael Gough
 
Web application vulnerabilities
Web application vulnerabilitiesWeb application vulnerabilities
Web application vulnerabilitiesebusinessmantra
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a DatabaseJohn Ashmead
 
Something Died Inside Your Git Repo
Something Died Inside Your Git RepoSomething Died Inside Your Git Repo
Something Died Inside Your Git RepoCliff Smith
 

More Related Content

What's hot

OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesWebsecurify
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Hossam .M Hamed
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfMatt Tesauro
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01Michael Gough
 
Web application vulnerabilities
Web application vulnerabilitiesWeb application vulnerabilities
Web application vulnerabilitiesebusinessmantra
 

What's hot (20)

Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
Secure PHP Coding
Secure PHP CodingSecure PHP Coding
Secure PHP Coding
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best Practices
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
Security testing
Security testingSecurity testing
Security testing
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdf
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
 
Web application vulnerabilities
Web application vulnerabilitiesWeb application vulnerabilities
Web application vulnerabilities
 

Similar to Security Code Review 101

How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a DatabaseJohn Ashmead
 
Something Died Inside Your Git Repo
Something Died Inside Your Git RepoSomething Died Inside Your Git Repo
Something Died Inside Your Git RepoCliff Smith
 
Workshop on Network Security
Workshop on Network SecurityWorkshop on Network Security
Workshop on Network SecurityUC San Diego
 
Secure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago HenriquesSecure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago HenriquesTiago Henriques
 
Open source security
Open source securityOpen source security
Open source securitylrigknat
 
Writing Secure Code – Threat Defense
Writing Secure Code – Threat DefenseWriting Secure Code – Threat Defense
Writing Secure Code – Threat Defenseamiable_indian
 
IBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's StandpointIBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's StandpointLuis Grangeia
 
Cm9 secure code_training_1day_input sanitization
Cm9 secure code_training_1day_input sanitizationCm9 secure code_training_1day_input sanitization
Cm9 secure code_training_1day_input sanitizationdcervigni
 
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...Ruby Meditation
 
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraReversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraNelson Brito
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...nooralmousa
 
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)Sam Bowne
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Web Application Security and Modern Frameworks
Web Application Security and Modern FrameworksWeb Application Security and Modern Frameworks
Web Application Security and Modern Frameworkslastrand
 

Similar to Security Code Review 101 (20)

How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
 
Something Died Inside Your Git Repo
Something Died Inside Your Git RepoSomething Died Inside Your Git Repo
Something Died Inside Your Git Repo
 
Workshop on Network Security
Workshop on Network SecurityWorkshop on Network Security
Workshop on Network Security
 
Secure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago HenriquesSecure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago Henriques
 
Web Security
Web SecurityWeb Security
Web Security
 
Open source security
Open source securityOpen source security
Open source security
 
Writing Secure Code – Threat Defense
Writing Secure Code – Threat DefenseWriting Secure Code – Threat Defense
Writing Secure Code – Threat Defense
 
Luis Grangeia IBWAS
Luis Grangeia IBWASLuis Grangeia IBWAS
Luis Grangeia IBWAS
 
IBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's StandpointIBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's Standpoint
 
Cm9 secure code_training_1day_input sanitization
Cm9 secure code_training_1day_input sanitizationCm9 secure code_training_1day_input sanitization
Cm9 secure code_training_1day_input sanitization
 
Introduction to threat_modeling
Introduction to threat_modelingIntroduction to threat_modeling
Introduction to threat_modeling
 
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
 
Owasp & Asp.Net
Owasp & Asp.NetOwasp & Asp.Net
Owasp & Asp.Net
 
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraReversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
 
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
Websec
WebsecWebsec
Websec
 
Web security 101
Web security 101Web security 101
Web security 101
 
Web Application Security and Modern Frameworks
Web Application Security and Modern FrameworksWeb Application Security and Modern Frameworks
Web Application Security and Modern Frameworks
 

Recently uploaded

How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceanilsa9823
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 

Recently uploaded (20)

How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 

Security Code Review 101

  • 1.
  • 3. The Tip of the Iceberg Input Validation Parameterized Commands Safe functions Indirect Object References Encrypt Data Safe Memory Management Neutralize Output
  • 4. Input Validation • Only allow input that you are expecting • Wouldyou letsomeonein your house ifyou thoughttheyshouldnot bethere? • Block lists are inefficient • Wouldyou maintaina block listofpeoplethatcannot cometoyour house? • Block listing-likegiving keys toyour house toeveryone excepta fewunwanted visitors.
  • 6.
  • 8.
  • 10. Special Characters Not Needed • Many parameter types not intended to contain symbols or punctuation • Many not even intended to contain Unicode characters • Parameters going into database queries such as ID, true/false, asc/desc have even a smaller character set Alphanumeric Alphanumeric + .-_
  • 12. A Simple Multi-Purpose Function isAlphanumOrEx("true") isAlphanumOrEx("desc") isAlphanumOrEx("21845816438168") isAlphanumOrEx("0x0709750fa566") isAlphanumOrEx("Cr2i7nHq6qiMEs") isAlphanumOrEx("site.local",'.')
  • 14. Attacks Prevented by Input Validation •Injection •Path Traversal •Cross-Site Scripting •Open Redirect •Deserialization …
  • 15. How About the Irish? •Names, comments, articles, free text require quotes: •O'Brien, don't, "putting things in quotes" •While input validation reduces the attack surface, it cannot prevent all attacks
  • 16. To sum all it up… •Input Validation reduces the attack surface and prevents many attack types •Block-listing is a bad practice •Many input types are alphanumeric •For those input types that need special characters we need different defenses
  • 18. CONCATENATION Command Constant Parameter 1 Input Parameter 2 Input Command Interpreter … prevent Injection!
  • 20.
  • 22.
  • 24. ORM Frameworks • ORM = Object Relational Mapping • ORM Frameworks keep developers away from SQL Queries • Popular ORM Framework: Hibernate Command Constant Parameter 1 Input Parameter 2 Input Command Interpreter Object Field1 Input Field2 Input
  • 25. To sum all it up… •Parameterized Commands handle situations where hazardous chars are needed •ORM Frameworks prevent mistakes
  • 26. Problems with Memory •Classic Overflow •Incorrect Calculation of Buffer Size •Off by One •Format String Injection •Use-after-free
  • 27. Memory Safer Functions fgets(dest_buff, BUFF_SIZE, stdin) snprintf(dest_buff, BUFF_SIZE, format, …); strncpy(dest_buff, src_buff, BUFF_SIZE); strncmp(buff1, buff2, BUFF_SIZE); If the BUFF_SIZE argument is larger than the size of the buffer: OVERFLOW!
  • 28. Check Boundaries •A simple comparison against a known limit constant can go a long way to prevent serious logical attacks. •Pay special attention to comparison operators • < vs <=, <= can lead to off by one •Make sure the same constant is used to define buffer size and check boundaries
  • 29. • Format String Injection is a type of memory flaw caused by concatenating or using user input in a format parameter. Memory Injection?
  • 30. LET'S PLAY, SPOT THE MEMORY PROBLEM!
  • 31.
  • 32. Answer: Bottom (use of dangerous functions)
  • 33.
  • 35.
  • 37.
  • 39. To sum all it up… •Safer functions allow limiting the number of bytes read into the buffer •Even with safe functions special attention should be paid to size specified, very important to use constants to prevent mistakes •Do not allow user input in format strings •Careful with <= operator
  • 40. Securing Data • The General Data Privacy Regulation (GDPR) has put additional emphasis on maintaining the security and privacy of data • Data should be transmitted and stored securely • Cryptography is one critical way to achieve this mandate • Secure protocols: TLS 1.2, TLS 1.3 • Secure ciphers: ECDHE • Strong digital signatures: SHA-2 • Reject invalid certificates and even more, enforce certificate pinning • Strong authenticated symmetric encryption in transit and at rest: AES 256 GCM • Other ways: • Anonymize private data • Do not collect or send private data • Short data retention • Ensure customer control over own data
  • 42.
  • 43. Answer: Top (Password stored with weak un- salted hash)
  • 44.
  • 45. Answer: Bottom (User and password transmitted in clear text)
  • 46.
  • 47. Answer: Top (Person details and credit card number saved in the clear to S3 bucket)
  • 48. To sum all it up… •Avoid collecting data for individuals •Pseudonymize the data. Strong salted hashes can be used, replace key data with * •Use strong cryptographic algorithms •All communication should be encrypted. •Data classification is risky so when in doubt, encrypt all data
  • 49. Protect the Web UIs • Enterprise applications are using Web UIs • HTML is good looking, platform independent and powerful • JavaScript libraries such as jQuery, React and Angular make UIs responsive and versatile
  • 50. Cross-Site Scripting (XSS) • The ability to inject arbitrary JavaScript into a web page • Reflected • Stored • DOM based • Easy to introduce • Easy to find • Leads to data breaches through spoofing attacks
  • 51. Defending against XSS • Input validation ;) • Neutralize Output • Server Pages -> HTML Encoding (Escaping) • < becomes &lt; • > becomes &gt; • " becomes &quot; • JavaScript (DOM XSS) • Dangerous Attributes • innerHTML • src • onLoad, onClick, etc… • Dangerous Functions • eval • setTimeout • setInterval
  • 54.
  • 55. Answer: Bottom (User input is written into the page as is)
  • 56.
  • 57. Answer: Bottom (Data is written into a dangerous HTML attribute)
  • 58.
  • 59. Answer: Top (Code is executing a dangerous function, actually an example of code injection)
  • 60.
  • 61. Answer: Bottom (Input is being reflected between the <script> tags)
  • 62. To sum all it up… •XSS is easy to introduce and easy to find •Encoding should be applied to all server side generated content. •Additional encoding of single quotes required •Dangerous HTML contexts should be handled with care or avoided
  • 63. Indirect Object References • Object accessed indirectly through an intermediary identifier • Prevent parameter path manipulation • fileId=1 vs file=/etc/passwd • Prevent transmission of potential sensitive data in URLs • userId=2 vs user=john_doe • Input validation facilitated (identifiers are numbers or GUIDs) 1 2 3
  • 64. LET'S PLAY, SPOT THE PATH TRAVERSAL!
  • 65.
  • 66. Answer: Top (Input is concatenated to a system path allowing manipulation)
  • 67. To sum all it up… •Reduce the attack surface by enforcing accessing objects through identifiers rather than actual representation •Identifiers can be input validated easier, also solve encoding issues