SlideShare a Scribd company logo

Manual Code Review

n|u - The Open Security Community
n|u - The Open Security Community

This document discusses manual code review. It begins by introducing the author and their background and interests in security. It then asks why code review is important, noting that finding bugs early is cheaper and code review allows different visibility into code than other methods. Both automated and manual code review are discussed, saying they should be used complementarily. Manual review provides a 10,000 foot view by understanding the application and security controls. Specific vulnerabilities are then looked for. The document ends by stating manual code review can be done in 60 seconds by understanding the application, reviewing a security control, and looking for specific vulnerabilities.

EducationTechnology
1 of 10
Download to read offline
Manual Code Review - Sandesh Anand anand.sandesh@gmail.com www.linkedin.com/in/anandsandesh/
Who am I? • Security Consultant at Cigital Inc. • Ex-Developer • Areas of interest – Static analysis – Helping developers fix security bugs – Web App pen testing – Curious about all things security
What are we talking about? • Why review code? • Automated v/s Manual review • Manual review – 10,000 ft. view • Manual code review in 60 seconds
Why review code? • Finding bugs early in the lifecycle is cheaper • Different visibility to code – Reach all parts of code – Some issues only visible in code review (examples in the Demo) – Helps in identifying “where” the problem is
Why review code? • So, pen testing is useless, right? Not quite. Why not? – Don’t want to be killed by a room full of pen- testers – Better at proving “exploitability” – Makes it easier to evangelize security it an organization – Coverage different from code review (e.g.: Issues in application sever configuration) – Understand what a hacker is looking at
Automated v/s Manual This topic never ends. Here are some highlights: • Automated tools can plough through more code at lesser time. Very useful for large applications • Manual code review uses knowledge available to the tester • Tool support for certain programming languages stronger than the other (Java v/s Perl) • Quality of manual review depends on individual And so on….. Bottom line: Use both in a complimentary manner
Manual review – 10,000 ft. view • Understand the application – Purpose of the application – Flow of the application – Technologies used – Environment (type of DB, frameworks, AppServer etc.) – Business logic – Etc. • Understand the approach to security controls: – Authentication and Authorization – Handling un-trusted data – Handling sensitive information – Session handling – Network boundaries – Error handling and logging – Misuse of security related APIs (crypto, randomness etc.) – Etc. • Look for specific vulnerabilities – Issues common to most applications (e.g.: Race condition, resource management, information leakage, validation routines) – Language specific issues (e.g.: Format string attacks in C) – Framework specific issues (e.g.: review ACEGI configuration) – Looking for malicious code/ Insider threat
Manual code review in 60 seconds
Manual code review in 60 seconds • Understand the application • Review security control (Hint: Pick logging) • Look for specific vulnerabilities
Questions?

Recommended

Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesMohammed Danish Amber
 
Container Security
Container SecurityContainer Security
Container SecurityAmazon Web Services
 
Load balancing
Load balancingLoad balancing
Load balancingankur bhalla
 
Fault tolerant presentation
Fault tolerant presentationFault tolerant presentation
Fault tolerant presentationskadyan1
 
Hadoop Oozie
Hadoop OozieHadoop Oozie
Hadoop OozieMadhur Nawandar
 
Cloud Computing Principles and Paradigms: 4 the enterprise cloud computing pa...
Cloud Computing Principles and Paradigms: 4 the enterprise cloud computing pa...Cloud Computing Principles and Paradigms: 4 the enterprise cloud computing pa...
Cloud Computing Principles and Paradigms: 4 the enterprise cloud computing pa...Majid Hajibaba
 
3 tier architecture
3 tier architecture3 tier architecture
3 tier architecturetahir khan
 
Unit 3 -Data storage and cloud computing
Unit 3 -Data storage and cloud computingUnit 3 -Data storage and cloud computing
Unit 3 -Data storage and cloud computingMonishaNehkal
 

Recommended

Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesMohammed Danish Amber
 
Container Security
Container SecurityContainer Security
Container SecurityAmazon Web Services
 
Load balancing
Load balancingLoad balancing
Load balancingankur bhalla
 
Fault tolerant presentation
Fault tolerant presentationFault tolerant presentation
Fault tolerant presentationskadyan1
 
Hadoop Oozie
Hadoop OozieHadoop Oozie
Hadoop OozieMadhur Nawandar
 
Cloud Computing Principles and Paradigms: 4 the enterprise cloud computing pa...
Cloud Computing Principles and Paradigms: 4 the enterprise cloud computing pa...Cloud Computing Principles and Paradigms: 4 the enterprise cloud computing pa...
Cloud Computing Principles and Paradigms: 4 the enterprise cloud computing pa...Majid Hajibaba
 
3 tier architecture
3 tier architecture3 tier architecture
3 tier architecturetahir khan
 
Unit 3 -Data storage and cloud computing
Unit 3 -Data storage and cloud computingUnit 3 -Data storage and cloud computing
Unit 3 -Data storage and cloud computingMonishaNehkal
 
Intro to Amazon S3
Intro to Amazon S3Intro to Amazon S3
Intro to Amazon S3Yu Lun Teo
 
Intro to Cassandra
Intro to CassandraIntro to Cassandra
Intro to CassandraDataStax Academy
 
AWS Simple Storage Service (s3)
AWS Simple Storage Service (s3) AWS Simple Storage Service (s3)
AWS Simple Storage Service (s3) zekeLabs Technologies
 
7. Key-Value Databases: In Depth
7. Key-Value Databases: In Depth7. Key-Value Databases: In Depth
7. Key-Value Databases: In DepthFabio Fumarola
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing SecurityNinh Nguyen
 
IaaS, SaaS, PasS : Cloud Computing
IaaS, SaaS, PasS : Cloud ComputingIaaS, SaaS, PasS : Cloud Computing
IaaS, SaaS, PasS : Cloud ComputingSoftware Park Thailand
 
Corba concepts & corba architecture
Corba concepts & corba architectureCorba concepts & corba architecture
Corba concepts & corba architecturenupurmakhija1211
 
Concurrency Control in Distributed Database.
Concurrency Control in Distributed Database.Concurrency Control in Distributed Database.
Concurrency Control in Distributed Database.Meghaj Mallick
 
Function as a Service
Function as a ServiceFunction as a Service
Function as a Servicerich fernandez
 
Cloud Computing Architecture
Cloud Computing ArchitectureCloud Computing Architecture
Cloud Computing ArchitectureAnimesh Chaturvedi
 
Introduction to Amazon EC2
Introduction to Amazon EC2Introduction to Amazon EC2
Introduction to Amazon EC2Amazon Web Services
 
Cloud computing and Cloud security fundamentals
Cloud computing and Cloud security fundamentalsCloud computing and Cloud security fundamentals
Cloud computing and Cloud security fundamentalsViresh Suri
 
Amazon S3 Masterclass
Amazon S3 MasterclassAmazon S3 Masterclass
Amazon S3 MasterclassAmazon Web Services
 
Cloud deployment models
Cloud deployment modelsCloud deployment models
Cloud deployment modelsAshok Kumar
 
AWS Tutorial | AWS Certified Solutions Architect | Amazon AWS | AWS Training ...
AWS Tutorial | AWS Certified Solutions Architect | Amazon AWS | AWS Training ...AWS Tutorial | AWS Certified Solutions Architect | Amazon AWS | AWS Training ...
AWS Tutorial | AWS Certified Solutions Architect | Amazon AWS | AWS Training ...Edureka!
 
Amazon Relational Database Service (Amazon RDS)
Amazon Relational Database Service (Amazon RDS)Amazon Relational Database Service (Amazon RDS)
Amazon Relational Database Service (Amazon RDS)Amazon Web Services
 
Intro to AWS: EC2 & Compute Services
Intro to AWS: EC2 & Compute ServicesIntro to AWS: EC2 & Compute Services
Intro to AWS: EC2 & Compute ServicesAmazon Web Services
 
Cloud Service Models
Cloud Service ModelsCloud Service Models
Cloud Service ModelsAbhishek Pachisia
 
Dichotomy of parallel computing platforms
Dichotomy of parallel computing platformsDichotomy of parallel computing platforms
Dichotomy of parallel computing platformsSyed Zaid Irshad
 
Go micro framework to build microservices
Go micro framework to build microservicesGo micro framework to build microservices
Go micro framework to build microservicesTechMaster Vietnam
 
Protecting Mission-Critical Source Code from Application Security Vulnerabili...
Protecting Mission-Critical Source Code from Application Security Vulnerabili...Protecting Mission-Critical Source Code from Application Security Vulnerabili...
Protecting Mission-Critical Source Code from Application Security Vulnerabili...IBM Security
 
Analysis of Software Development Life Cycle and Quality Management
Analysis of Software Development Life Cycle and Quality ManagementAnalysis of Software Development Life Cycle and Quality Management
Analysis of Software Development Life Cycle and Quality ManagementAbhay Yadav
 

More Related Content

What's hot

Intro to Amazon S3
Intro to Amazon S3Intro to Amazon S3
Intro to Amazon S3Yu Lun Teo
 
7. Key-Value Databases: In Depth
7. Key-Value Databases: In Depth7. Key-Value Databases: In Depth
7. Key-Value Databases: In DepthFabio Fumarola
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing SecurityNinh Nguyen
 
Corba concepts & corba architecture
Corba concepts & corba architectureCorba concepts & corba architecture
Corba concepts & corba architecturenupurmakhija1211
 
Concurrency Control in Distributed Database.
Concurrency Control in Distributed Database.Concurrency Control in Distributed Database.
Concurrency Control in Distributed Database.Meghaj Mallick
 
Cloud computing and Cloud security fundamentals
Cloud computing and Cloud security fundamentalsCloud computing and Cloud security fundamentals
Cloud computing and Cloud security fundamentalsViresh Suri
 
Cloud deployment models
Cloud deployment modelsCloud deployment models
Cloud deployment modelsAshok Kumar
 
AWS Tutorial | AWS Certified Solutions Architect | Amazon AWS | AWS Training ...
AWS Tutorial | AWS Certified Solutions Architect | Amazon AWS | AWS Training ...AWS Tutorial | AWS Certified Solutions Architect | Amazon AWS | AWS Training ...
AWS Tutorial | AWS Certified Solutions Architect | Amazon AWS | AWS Training ...Edureka!
 
Amazon Relational Database Service (Amazon RDS)
Amazon Relational Database Service (Amazon RDS)Amazon Relational Database Service (Amazon RDS)
Amazon Relational Database Service (Amazon RDS)Amazon Web Services
 
Intro to AWS: EC2 & Compute Services
Intro to AWS: EC2 & Compute ServicesIntro to AWS: EC2 & Compute Services
Intro to AWS: EC2 & Compute ServicesAmazon Web Services
 
Dichotomy of parallel computing platforms
Dichotomy of parallel computing platformsDichotomy of parallel computing platforms
Dichotomy of parallel computing platformsSyed Zaid Irshad
 
Go micro framework to build microservices
Go micro framework to build microservicesGo micro framework to build microservices
Go micro framework to build microservicesTechMaster Vietnam
 

What's hot (20)

Intro to Amazon S3
Intro to Amazon S3Intro to Amazon S3
Intro to Amazon S3
 
Intro to Cassandra
Intro to CassandraIntro to Cassandra
Intro to Cassandra
 
AWS Simple Storage Service (s3)
AWS Simple Storage Service (s3) AWS Simple Storage Service (s3)
AWS Simple Storage Service (s3)
 
7. Key-Value Databases: In Depth
7. Key-Value Databases: In Depth7. Key-Value Databases: In Depth
7. Key-Value Databases: In Depth
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing Security
 
IaaS, SaaS, PasS : Cloud Computing
IaaS, SaaS, PasS : Cloud ComputingIaaS, SaaS, PasS : Cloud Computing
IaaS, SaaS, PasS : Cloud Computing
 
Corba concepts & corba architecture
Corba concepts & corba architectureCorba concepts & corba architecture
Corba concepts & corba architecture
 
Concurrency Control in Distributed Database.
Concurrency Control in Distributed Database.Concurrency Control in Distributed Database.
Concurrency Control in Distributed Database.
 
Function as a Service
Function as a ServiceFunction as a Service
Function as a Service
 
Cloud Computing Architecture
Cloud Computing ArchitectureCloud Computing Architecture
Cloud Computing Architecture
 
Introduction to Amazon EC2
Introduction to Amazon EC2Introduction to Amazon EC2
Introduction to Amazon EC2
 
Cloud computing and Cloud security fundamentals
Cloud computing and Cloud security fundamentalsCloud computing and Cloud security fundamentals
Cloud computing and Cloud security fundamentals
 
Amazon S3 Masterclass
Amazon S3 MasterclassAmazon S3 Masterclass
Amazon S3 Masterclass
 
Cloud deployment models
Cloud deployment modelsCloud deployment models
Cloud deployment models
 
AWS Tutorial | AWS Certified Solutions Architect | Amazon AWS | AWS Training ...
AWS Tutorial | AWS Certified Solutions Architect | Amazon AWS | AWS Training ...AWS Tutorial | AWS Certified Solutions Architect | Amazon AWS | AWS Training ...
AWS Tutorial | AWS Certified Solutions Architect | Amazon AWS | AWS Training ...
 
Amazon Relational Database Service (Amazon RDS)
Amazon Relational Database Service (Amazon RDS)Amazon Relational Database Service (Amazon RDS)
Amazon Relational Database Service (Amazon RDS)
 
Intro to AWS: EC2 & Compute Services
Intro to AWS: EC2 & Compute ServicesIntro to AWS: EC2 & Compute Services
Intro to AWS: EC2 & Compute Services
 
Cloud Service Models
Cloud Service ModelsCloud Service Models
Cloud Service Models
 
Dichotomy of parallel computing platforms
Dichotomy of parallel computing platformsDichotomy of parallel computing platforms
Dichotomy of parallel computing platforms
 
Go micro framework to build microservices
Go micro framework to build microservicesGo micro framework to build microservices
Go micro framework to build microservices
 

Viewers also liked

Protecting Mission-Critical Source Code from Application Security Vulnerabili...
Protecting Mission-Critical Source Code from Application Security Vulnerabili...Protecting Mission-Critical Source Code from Application Security Vulnerabili...
Protecting Mission-Critical Source Code from Application Security Vulnerabili...IBM Security
 
Analysis of Software Development Life Cycle and Quality Management
Analysis of Software Development Life Cycle and Quality ManagementAnalysis of Software Development Life Cycle and Quality Management
Analysis of Software Development Life Cycle and Quality ManagementAbhay Yadav
 
Code Review
Code ReviewCode Review
Code Reviewrantav
 
1 Quality Assurance Presentation
1 Quality Assurance Presentation1 Quality Assurance Presentation
1 Quality Assurance Presentationguest337c19
 
Introduction To Software Quality Assurance
Introduction To Software Quality AssuranceIntroduction To Software Quality Assurance
Introduction To Software Quality Assuranceruth_reategui
 
requirements analysis and design
requirements analysis and designrequirements analysis and design
requirements analysis and designPreeti Mishra
 

Viewers also liked (7)

Protecting Mission-Critical Source Code from Application Security Vulnerabili...
Protecting Mission-Critical Source Code from Application Security Vulnerabili...Protecting Mission-Critical Source Code from Application Security Vulnerabili...
Protecting Mission-Critical Source Code from Application Security Vulnerabili...
 
Analysis of Software Development Life Cycle and Quality Management
Analysis of Software Development Life Cycle and Quality ManagementAnalysis of Software Development Life Cycle and Quality Management
Analysis of Software Development Life Cycle and Quality Management
 
Code Review
Code ReviewCode Review
Code Review
 
Quality Assurance in Software Ind.
Quality Assurance in Software Ind.Quality Assurance in Software Ind.
Quality Assurance in Software Ind.
 
1 Quality Assurance Presentation
1 Quality Assurance Presentation1 Quality Assurance Presentation
1 Quality Assurance Presentation
 
Introduction To Software Quality Assurance
Introduction To Software Quality AssuranceIntroduction To Software Quality Assurance
Introduction To Software Quality Assurance
 
requirements analysis and design
requirements analysis and designrequirements analysis and design
requirements analysis and design
 

Similar to Manual Code Review

Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Securitysedukull
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 
Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Stefan Streichsbier
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Toolscentralohioissa
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsTechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsDicodingEvent
 
ch03Threat Modeling - Locking the Door to Vulnerabilities.ppt
ch03Threat Modeling - Locking the Door to Vulnerabilities.pptch03Threat Modeling - Locking the Door to Vulnerabilities.ppt
ch03Threat Modeling - Locking the Door to Vulnerabilities.pptgealehegn
 
Scanning web vulnerabilities
Scanning web vulnerabilitiesScanning web vulnerabilities
Scanning web vulnerabilitiesMohit Dholakiya
 
Agility reboot iv
Agility reboot ivAgility reboot iv
Agility reboot ivAndrew Chum
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile WorldDavid Lindner
 
Securing DevOps through Privileged Access Management
Securing DevOps through Privileged Access ManagementSecuring DevOps through Privileged Access Management
Securing DevOps through Privileged Access ManagementBeyondTrust
 
Cloud Security vs Security in the Cloud
Cloud Security vs Security in the CloudCloud Security vs Security in the Cloud
Cloud Security vs Security in the CloudTjylen Veselyj
 
Code Review to the Rescue
Code Review to the RescueCode Review to the Rescue
Code Review to the RescueAndrei Sviridov
 
Reducing Application Risk: minimizing your web application's attack surface
Reducing Application Risk: minimizing your web application's attack surfaceReducing Application Risk: minimizing your web application's attack surface
Reducing Application Risk: minimizing your web application's attack surfaceSecurity Innovation
 
Hacker vs Tools: Which to Choose?
Hacker vs Tools: Which to Choose?Hacker vs Tools: Which to Choose?
Hacker vs Tools: Which to Choose?Security Innovation
 
Test driven development
Test driven developmentTest driven development
Test driven developmentDennis Ahaus
 
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)Rich Mills
 
The computer says no v2
The computer says no v2The computer says no v2
The computer says no v2Matteo Emili
 
Unified Security Governance
Unified Security GovernanceUnified Security Governance
Unified Security GovernanceCan Demirel
 

Similar to Manual Code Review (20)

Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Security
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Tools
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsTechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
 
ch03Threat Modeling - Locking the Door to Vulnerabilities.ppt
ch03Threat Modeling - Locking the Door to Vulnerabilities.pptch03Threat Modeling - Locking the Door to Vulnerabilities.ppt
ch03Threat Modeling - Locking the Door to Vulnerabilities.ppt
 
Scanning web vulnerabilities
Scanning web vulnerabilitiesScanning web vulnerabilities
Scanning web vulnerabilities
 
Agility reboot iv
Agility reboot ivAgility reboot iv
Agility reboot iv
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
Securing DevOps through Privileged Access Management
Securing DevOps through Privileged Access ManagementSecuring DevOps through Privileged Access Management
Securing DevOps through Privileged Access Management
 
Cloud Security vs Security in the Cloud
Cloud Security vs Security in the CloudCloud Security vs Security in the Cloud
Cloud Security vs Security in the Cloud
 
Salesforce static code analysis
Salesforce static code analysisSalesforce static code analysis
Salesforce static code analysis
 
Code Review to the Rescue
Code Review to the RescueCode Review to the Rescue
Code Review to the Rescue
 
Reducing Application Risk: minimizing your web application's attack surface
Reducing Application Risk: minimizing your web application's attack surfaceReducing Application Risk: minimizing your web application's attack surface
Reducing Application Risk: minimizing your web application's attack surface
 
Hacker vs tools
Hacker vs toolsHacker vs tools
Hacker vs tools
 
Hacker vs Tools: Which to Choose?
Hacker vs Tools: Which to Choose?Hacker vs Tools: Which to Choose?
Hacker vs Tools: Which to Choose?
 
Test driven development
Test driven developmentTest driven development
Test driven development
 
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)
 
The computer says no v2
The computer says no v2The computer says no v2
The computer says no v2
 
Unified Security Governance
Unified Security GovernanceUnified Security Governance
Unified Security Governance
 

More from n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

More from n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Recently uploaded

Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfchloefrazer622
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...PsychoTech Services
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpinRaunakKeshri1
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfAyushMahapatra5
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfAdmir Softic
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxVishalSingh1417
 
General AI for Medical Educators April 2024
General AI for Medical Educators April 2024General AI for Medical Educators April 2024
General AI for Medical Educators April 2024Janet Corral
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhikauryashika82
 

Recently uploaded (20)

Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdf
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpin
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdf
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
General AI for Medical Educators April 2024
General AI for Medical Educators April 2024General AI for Medical Educators April 2024
General AI for Medical Educators April 2024
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 

Manual Code Review

  • 1. Manual Code Review - Sandesh Anand anand.sandesh@gmail.com www.linkedin.com/in/anandsandesh/
  • 2. Who am I? • Security Consultant at Cigital Inc. • Ex-Developer • Areas of interest – Static analysis – Helping developers fix security bugs – Web App pen testing – Curious about all things security
  • 3. What are we talking about? • Why review code? • Automated v/s Manual review • Manual review – 10,000 ft. view • Manual code review in 60 seconds
  • 4. Why review code? • Finding bugs early in the lifecycle is cheaper • Different visibility to code – Reach all parts of code – Some issues only visible in code review (examples in the Demo) – Helps in identifying “where” the problem is
  • 5. Why review code? • So, pen testing is useless, right? Not quite. Why not? – Don’t want to be killed by a room full of pen- testers – Better at proving “exploitability” – Makes it easier to evangelize security it an organization – Coverage different from code review (e.g.: Issues in application sever configuration) – Understand what a hacker is looking at
  • 6. Automated v/s Manual This topic never ends. Here are some highlights: • Automated tools can plough through more code at lesser time. Very useful for large applications • Manual code review uses knowledge available to the tester • Tool support for certain programming languages stronger than the other (Java v/s Perl) • Quality of manual review depends on individual And so on….. Bottom line: Use both in a complimentary manner
  • 7. Manual review – 10,000 ft. view • Understand the application – Purpose of the application – Flow of the application – Technologies used – Environment (type of DB, frameworks, AppServer etc.) – Business logic – Etc. • Understand the approach to security controls: – Authentication and Authorization – Handling un-trusted data – Handling sensitive information – Session handling – Network boundaries – Error handling and logging – Misuse of security related APIs (crypto, randomness etc.) – Etc. • Look for specific vulnerabilities – Issues common to most applications (e.g.: Race condition, resource management, information leakage, validation routines) – Language specific issues (e.g.: Format string attacks in C) – Framework specific issues (e.g.: review ACEGI configuration) – Looking for malicious code/ Insider threat
  • 8. Manual code review in 60 seconds
  • 9. Manual code review in 60 seconds • Understand the application • Review security control (Hint: Pick logging) • Look for specific vulnerabilities