Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
David RookAgnitioSecurity code review swiss army knifeSecurityBSides, Las VegasThursday, 28 July 2011
if (slide == introduction)                   System.out.println("I’m David Rook"); • Security Analyst, Realex Payments, Ir...
Agenda  • What is static analysis?  • Security code reviews: the good, the bad and the ugly  • Agnitio: security code revi...
Static analysis  • What do I mean by static analysis?        • A review of source code without executing the application  ...
Static analysis  • Wetware or software?        • Humans are needed with or without static analysis tools        • The best...
Static analysis  • Wetware or software?        • Humans are needed with or without static analysis tools        • The best...
Static analysis  • Wetware or software?  http://www.ibm.com/developerworks/rational/library/11-proven-practices-for-peer-r...
Static analysis  • Wetware or software?  http://www.ibm.com/developerworks/rational/library/11-proven-practices-for-peer-r...
Static analysis  • Wetware or software?        • Tools can cover more code in less time than a human        • The best thi...
Static analysis  • Wetware or software?        • Tools can cover more code in less time than a human        • The best thi...
Thursday, 28 July 2011
Thursday, 28 July 2011
Thursday, 28 July 2011
Thursday, 28 July 2011
Thursday, 28 July 2011
Thursday, 28 July 2011
Thursday, 28 July 2011
Thursday, 28 July 2011
Thursday, 28 July 2011
Thursday, 28 July 2011
The ugly security code reviews  • “Ugly reviews” implies you do actually review code        • An unplanned magical mystery...
The ugly security code reviews  • “Ugly reviews” implies you do actually review code        • An unplanned magical mystery...
The bad security code reviews  • “Bad reviews” might be fine for some companies        • A single planned code review in y...
The bad security code reviews  • “Bad reviews” might be fine for some companies        • A single planned code review in y...
The good security code reviews  • “Good reviews” don’t happen by accident        • Multiple reviews defined as deliverable...
The good security code reviews  • “Good reviews” don’t happen by accident        • Multiple reviews defined as deliverable...
Agnitio  • What is Agnitio?        • Tool to help with manual static analysis        • Checklist based with reviewer & dev...
Agnitio  • Checklists?        • An application for doing checklist reviews? *yawn* how boring!        • Checklists are for...
Thursday, 28 July 2011
Thursday, 28 July 2011
AgnitioThursday, 28 July 2011
AgnitioThursday, 28 July 2011
Agnitio  • Checklists?        • Do you use checklists for your source code reviews?        • Whats the worst that could ha...
Ariane 5 flight 501Thursday, 28 July 2011
Thursday, 28 July 2011
Ariane 5 flight 501   L_M_BV_32 := TBD.T_ENTIER_32S ((1.0/C_M_LSB_BV) * G_M_INFO_DERIVE(T_ALG.E_BV));   if L_M_BV_32 > 327...
Therac-25Thursday, 28 July 2011
Mars Climate OrbiterThursday, 28 July 2011
Mars Climate OrbiterThursday, 28 July 2011
Agnitio  • Checklists?        • Do you use checklist for your source code reviews?        • Whats the worst that could hap...
Agnitio  • So, why did I develop Agnitio?        • I love using checklists for security code reviews!Thursday, 28 July 2011
Agnitio  • So, why did I develop Agnitio?        • I love using checklists for security code reviews!        • Even if you...
Agnitio  • So, why did I develop Agnitio?        • I love using checklists for security code reviews!        • Even if you...
Agnitio  • So, why did I develop Agnitio?        • I love using checklists for security code reviews!        • Even if you...
Agnitio  • So, why did I develop Agnitio?        • I love using checklists for security code reviews!        • Even if you...
Why did I develop Agnitio?  • Demonstration: security code reviewsThursday, 28 July 2011
Why did I develop Agnitio?  • Demonstration: security code review reportsThursday, 28 July 2011
Why did I develop Agnitio?  • Demonstration: application security metricsThursday, 28 July 2011
Agnitio v2.0  • Automated code analysis module linked to checklist  • Android and iOS rules for the code analysis module  ...
Agnitio v2.0  • Agnitio v2.0 demonstrationThursday, 28 July 2011
Agnitio v2.1  • Verification records for the code you analyse  • Add/remove checklist items or whole checklists  • Save re...
Using Agnitio  • How you can use Agnitio in your reviews        • Download Agnitio from Source Forge        • Focus securi...
www.securityninja.co.uk    http://sourceforge.net/projects/agnitiotool/                     @securityninja                ...
QUESTIONS?              www.securityninja.co.uk    http://sourceforge.net/projects/agnitiotool/                     @secur...
Upcoming SlideShare
Loading in …5
×

SecurityBSides las vegas - Agnitio

1,971 views

Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

SecurityBSides las vegas - Agnitio

  1. 1. David RookAgnitioSecurity code review swiss army knifeSecurityBSides, Las VegasThursday, 28 July 2011
  2. 2. if (slide == introduction) System.out.println("I’m David Rook"); • Security Analyst, Realex Payments, Ireland CISSP, CISA, GCIH and many other acronyms • Security Ninja (@securityninja) • Speaker at developer and security conferences • Microsoft Developer Security MVP • A mentor in the InfoSecMentors project • Developed and released AgnitioThursday, 28 July 2011
  3. 3. Agenda • What is static analysis? • Security code reviews: the good, the bad and the ugly • Agnitio: security code review Swiss army knife • Agnitio v2.0 demoThursday, 28 July 2011
  4. 4. Static analysis • What do I mean by static analysis? • A review of source code without executing the application • Can be either manual or automated through one or more tools • Human and/or tools analysing application source codeThursday, 28 July 2011
  5. 5. Static analysis • Wetware or software? • Humans are needed with or without static analysis tools • The best thing about humans is that they aren’t softwareThursday, 28 July 2011
  6. 6. Static analysis • Wetware or software? • Humans are needed with or without static analysis tools • The best thing about humans is that they aren’t software • The worst thing about humans is that they are humansThursday, 28 July 2011
  7. 7. Static analysis • Wetware or software? http://www.ibm.com/developerworks/rational/library/11-proven-practices-for-peer-review/index.html?sf1100063=1Thursday, 28 July 2011
  8. 8. Static analysis • Wetware or software? http://www.ibm.com/developerworks/rational/library/11-proven-practices-for-peer-review/index.html?sf1100063=1Thursday, 28 July 2011
  9. 9. Static analysis • Wetware or software? • Tools can cover more code in less time than a human • The best thing about software is that it isn’t humanThursday, 28 July 2011
  10. 10. Static analysis • Wetware or software? • Tools can cover more code in less time than a human • The best thing about software is that it isn’t human • The worst thing about software is that it’s softwareThursday, 28 July 2011
  11. 11. Thursday, 28 July 2011
  12. 12. Thursday, 28 July 2011
  13. 13. Thursday, 28 July 2011
  14. 14. Thursday, 28 July 2011
  15. 15. Thursday, 28 July 2011
  16. 16. Thursday, 28 July 2011
  17. 17. Thursday, 28 July 2011
  18. 18. Thursday, 28 July 2011
  19. 19. Thursday, 28 July 2011
  20. 20. Thursday, 28 July 2011
  21. 21. The ugly security code reviews • “Ugly reviews” implies you do actually review code • An unplanned magical mystery tour at the end of the SDLC • Unstructured, not repeatable and heavily reliant on C H N O 8 10 4 2 • Too late in the SDLC making findings very expensive to fixThursday, 28 July 2011
  22. 22. The ugly security code reviews • “Ugly reviews” implies you do actually review code • An unplanned magical mystery tour at the end of the SDLC • Unstructured, not repeatable and heavily reliant on C H N O 8 10 4 2 • Too late in the SDLC making findings very expensive to fix • Completely manual process, no tools used during reviews • No audit trails, no metrics........no security? • Better than nothing?Thursday, 28 July 2011
  23. 23. The bad security code reviews • “Bad reviews” might be fine for some companies • A single planned code review in your SDLC • Some structure, normally based on finding the OWASP top 10 • Still too late in the SDLC making findings very expensive to fixThursday, 28 July 2011
  24. 24. The bad security code reviews • “Bad reviews” might be fine for some companies • A single planned code review in your SDLC • Some structure, normally based on finding the OWASP top 10 • Still too late in the SDLC making findings very expensive to fix • Some automation, usually basic code analysis tools • Basic audit trails still no metrics so hard to measure “anything” • Better than ugly reviews, might be fine for some companiesThursday, 28 July 2011
  25. 25. The good security code reviews • “Good reviews” don’t happen by accident • Multiple reviews defined as deliverables in your SDLC • Structured, repeatable process with management support • Reviews are exit criteria for the development and test phasesThursday, 28 July 2011
  26. 26. The good security code reviews • “Good reviews” don’t happen by accident • Multiple reviews defined as deliverables in your SDLC • Structured, repeatable process with management support • Reviews are exit criteria for the development and test phases • Automation used where useful freeing up the reviewer • Ability to produce reports, metrics and measure improvements • External validation of the review process and SDLCThursday, 28 July 2011
  27. 27. Agnitio • What is Agnitio? • Tool to help with manual static analysis • Checklist based with reviewer & developer guidance • Produces audit trails & enforces integrity checks • Single tool for security code review reports & metricsThursday, 28 July 2011
  28. 28. Agnitio • Checklists? • An application for doing checklist reviews? *yawn* how boring! • Checklists are for n00bs! I dont need a checklist to review code! • I beg to differ, would you say Doctors and Pilots are n00bs?Thursday, 28 July 2011
  29. 29. Thursday, 28 July 2011
  30. 30. Thursday, 28 July 2011
  31. 31. AgnitioThursday, 28 July 2011
  32. 32. AgnitioThursday, 28 July 2011
  33. 33. Agnitio • Checklists? • Do you use checklists for your source code reviews? • Whats the worst that could happen if you don’t?Thursday, 28 July 2011
  34. 34. Ariane 5 flight 501Thursday, 28 July 2011
  35. 35. Thursday, 28 July 2011
  36. 36. Ariane 5 flight 501 L_M_BV_32 := TBD.T_ENTIER_32S ((1.0/C_M_LSB_BV) * G_M_INFO_DERIVE(T_ALG.E_BV)); if L_M_BV_32 > 32767 then P_M_DERIVE(T_ALG.E_BV) := 16#7FFF#; elsif L_M_BV_32 < -32768 then P_M_DERIVE(T_ALG.E_BV) := 16#8000#; else P_M_DERIVE(T_ALG.E_BV) := UC_16S_EN_16NS(TDB.T_ENTIER_16S(L_M_BV_32); end if; P_M_DERIVE(T_ALG.E_BH) := UC_16S_EN_16NS (TDB.T_ENTIER_16S ((1.0/C_M_LSB_BH) * G_M_INFO_DERIVE(T_ALG.E_BH))); http://moscova.inria.fr/~levy/talks/10enslongo/enslongo.pdfThursday, 28 July 2011
  37. 37. Therac-25Thursday, 28 July 2011
  38. 38. Mars Climate OrbiterThursday, 28 July 2011
  39. 39. Mars Climate OrbiterThursday, 28 July 2011
  40. 40. Agnitio • Checklists? • Do you use checklist for your source code reviews? • Whats the worst that could happen if you don’t? • Four people dead and over €700m of equipment destroyed • Checklists can be useful to pilots, doctors and code reviewers!Thursday, 28 July 2011
  41. 41. Agnitio • So, why did I develop Agnitio? • I love using checklists for security code reviews!Thursday, 28 July 2011
  42. 42. Agnitio • So, why did I develop Agnitio? • I love using checklists for security code reviews! • Even if your process is good it might not be smartThursday, 28 July 2011
  43. 43. Agnitio • So, why did I develop Agnitio? • I love using checklists for security code reviews! • Even if your process is good it might not be smart • Is your review process really repeatable and easy to audit?Thursday, 28 July 2011
  44. 44. Agnitio • So, why did I develop Agnitio? • I love using checklists for security code reviews! • Even if your process is good it might not be smart • Is your review process really repeatable and easy to audit? • How about producing metrics, useful reports & integrity checks?Thursday, 28 July 2011
  45. 45. Agnitio • So, why did I develop Agnitio? • I love using checklists for security code reviews! • Even if your process is good it might not be smart • Is your review process really repeatable and easy to audit? • How about producing metrics, useful reports & integrity checks? • No? That’s why I developed Agnitio!Thursday, 28 July 2011
  46. 46. Why did I develop Agnitio? • Demonstration: security code reviewsThursday, 28 July 2011
  47. 47. Why did I develop Agnitio? • Demonstration: security code review reportsThursday, 28 July 2011
  48. 48. Why did I develop Agnitio? • Demonstration: application security metricsThursday, 28 July 2011
  49. 49. Agnitio v2.0 • Automated code analysis module linked to checklist • Android and iOS rules for the code analysis module • Editor for code analysis rules and checklist items • Editor for developer and checklist guidance text • Plus lots of user suggested changes!Thursday, 28 July 2011
  50. 50. Agnitio v2.0 • Agnitio v2.0 demonstrationThursday, 28 July 2011
  51. 51. Agnitio v2.1 • Verification records for the code you analyse • Add/remove checklist items or whole checklists • Save reviews and come back to them at a later date • PHP and Java rules for the code analysis moduleThursday, 28 July 2011
  52. 52. Using Agnitio • How you can use Agnitio in your reviews • Download Agnitio from Source Forge • Focus security code reviews on root causes not vulnerabilities • Use your language/s in all code examples and checklist items • Use Agnitio to conduct principles based security code reviewsThursday, 28 July 2011
  53. 53. www.securityninja.co.uk http://sourceforge.net/projects/agnitiotool/ @securityninja /realexninja /securityninja /realexninjaThursday, 28 July 2011
  54. 54. QUESTIONS? www.securityninja.co.uk http://sourceforge.net/projects/agnitiotool/ @securityninja /realexninja /securityninja /realexninjaThursday, 28 July 2011

×