SlideShare a Scribd company logo

Code Review Strategies for Secure Web Applications

Download as PPT, PDF
S
silviad74
Technology
1 of 24
Code Review for Secure Web Applications With java samples
Bibliography • OWASP – Open web applications security projects – www.owasp.org • OWASP Code review guide
Introduction • Code reviews: – Ad hoc reviews – Pair programming – Walkthrough – Team review – Inspection • Purpose – security
Code review strategies • Automatic • Manual – use checklists – Risk based – Most encountered programming mistakes – Mitigation of most encountered vulnerabilities exploited in the world – Security best practices
Checklist based on best practices • Authentication • Authorization • Session management • Input validation and output sanitization
Checklist based on best practices To be presented next meeting • Prevent Cross Site Request Forgery • Cryptographic controls • Error handling • Logging • Prevent Race conditions
Authentication • Check user is not allowed to choose weak passwords Bad: String password = request.getParameter("Password"); if (password == Null) {throw InvalidPasswordException() }
Authentication • Check user is not allowed to choose weak passwords OK: if password.RegEx([a-z]) and password.RegEx([A-Z]) and password.RegEx([0-9]) and password.RegEx({8-30}) and password.RexEX([!"£$%^&*()]) return true; else return false;
Authentication • Password storage strategy: hashing using a one-way hash algorithm + salting OK hashing: import java.security.MessageDigest; public byte[] getHash(String password) throws NoSuchAlgorithmException { MessageDigest digest = MessageDigest.getInstance("SHA-1"); digest.reset(); byte[] input = digest.digest(password.getBytes("UTF-8")); }
Authentication • Password storage strategy: hashing using a one-way hash algorithm + salting OK salting: import java.security.MessageDigest; public byte[] getHash(String password, byte[] salt) throws NoSuchAlgorithmException { MessageDigest digest = MessageDigest.getInstance("SHA- 256"); digest.reset(); digest.update(salt); return digest.digest(password.getBytes("UTF-8")); }
Authorization • Check the access roles matrix and make sure it is created respecting the need-to-know and least- privilege principle • Check the business logic for errors Bad: if user.equals("NormalUser") { grantUser(Normal_Permissions); } else{ //user must be admin/super grantUser("Super_Permissions); }
Authorization • Check if security by obscurity is used • Check if authorization is verified for every request Good: String action = request.getParameter("action"); if (action.equals("doStuff")) boolean permit = session.authTable.isAuthorised(action); if (permit) doStuff(); else{ throw new (InvalidRequestException("Unauthorised request"); session.invalidate(); }
Session Management • Check if only framework’s session manager is used • Check the cryptographic strength, the length of the sessions and character pool • Check that sessionIds coming from clients are validated • Check there is a timeout implemented for idle sessions • Check session is destroyed on logout
Input validation and output sanitization • Ensure 2 separate validations occur: first a security validation, then a business validation • Ensure in the security validation, data are canonicalized first public static void main(String[] args) { File x = new File("/cmd/" + args[1]); String absPath = x.getAbsolutePath(); String canonicalPath = x.getCanonicalPath(); }
Input validation and output sanitization • Check that all input that traversed untrusted zones is validated, not only user input • Check that validators or sanitizers are adapted for the modules that receives/uses data – encode, escape, etc • Check validators are applied in a safe side (never client side)
Input validation and output sanitization public class DoStuff { public String executeCommand(String userName) { try { String myUid = userName; Runtime rt = Runtime.getRuntime(); rt.exec("cmd.exe /C doStuff.exe " +”-“ +myUid); } catch(Exception e) { e.printStackTrace(); } } }
Input validation and output sanitization String myQuery = “select food from foods where name=?”; String sortOrder=request.getParameter(“order”); myQuery+=sortOrder; PreparedStatement preparedStatement = connection.prepareStatement(myQuery); preparedStatement.setString(1, “Shaorma”); ResultSet resultSet = preparedStatement.executeQuery();
Input validation and output sanitization import java.io.*; import javax.servlet.http.*; import javax.servlet.*; public class HelloServlet extends HttpServlet { public void doGet (HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { String input = req.getHeader(“USERINPUT”); PrintWriter out = res.getWriter(); out.println(Server.HTMLEncode(input)); out.close(); } }
Thank you for the interest Questions?
Prevent Cross Site Script Forgery
Cryptographic controls
Error handling
Logging
Prevent Race Conditions

Recommended

Null meet Code Review
Null meet Code ReviewNull meet Code Review
Null meet Code ReviewNaga Venkata Sunil Alamuri
 
Java Code Review Checklist
Java Code Review ChecklistJava Code Review Checklist
Java Code Review ChecklistMahesh Chopker
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
Secure Coding in C/C++
Secure Coding in C/C++Secure Coding in C/C++
Secure Coding in C/C++Dan-Claudiu Dragoș
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
Manual Code Review
Manual Code ReviewManual Code Review
Manual Code Reviewn|u - The Open Security Community
 
Static Code Analysis
Static Code AnalysisStatic Code Analysis
Static Code AnalysisGeneva, Switzerland
 
DevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first SecurityDevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first SecurityCoverity
 

Recommended

Null meet Code Review
Null meet Code ReviewNull meet Code Review
Null meet Code ReviewNaga Venkata Sunil Alamuri
 
Java Code Review Checklist
Java Code Review ChecklistJava Code Review Checklist
Java Code Review ChecklistMahesh Chopker
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
Secure Coding in C/C++
Secure Coding in C/C++Secure Coding in C/C++
Secure Coding in C/C++Dan-Claudiu Dragoș
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
Manual Code Review
Manual Code ReviewManual Code Review
Manual Code Reviewn|u - The Open Security Community
 
Static Code Analysis
Static Code AnalysisStatic Code Analysis
Static Code AnalysisGeneva, Switzerland
 
DevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first SecurityDevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first SecurityCoverity
 
Top 10 static code analysis tool
Top 10 static code analysis toolTop 10 static code analysis tool
Top 10 static code analysis toolscmGalaxy Inc
 
Server Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonServer Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonMandeep Jadon
 
Code review
Code reviewCode review
Code reviewAbhishek Sur
 
Security Testing
Security TestingSecurity Testing
Security TestingKiran Kumar
 
PVS-Studio and static code analysis technique
PVS-Studio and static code analysis techniquePVS-Studio and static code analysis technique
PVS-Studio and static code analysis techniqueAndrey Karpov
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security AgileOleg Gryb
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestStatic Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestDenim Group
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesWebsecurify
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practicesNeoito
 
Static code analysis
Static code analysisStatic code analysis
Static code analysisRune Sundling
 
Static Analysis Primer
Static Analysis PrimerStatic Analysis Primer
Static Analysis PrimerCoverity
 
DevSecOps: Securing Applications with DevOps
DevSecOps: Securing Applications with DevOpsDevSecOps: Securing Applications with DevOps
DevSecOps: Securing Applications with DevOpsWouter de Kort
 
Java Code Quality Tools
Java Code Quality ToolsJava Code Quality Tools
Java Code Quality ToolsOrest Ivasiv
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review ProcessSherif Koussa
 
Best Practices of Static Code Analysis in the SDLC
Best Practices of Static Code Analysis in the SDLCBest Practices of Static Code Analysis in the SDLC
Best Practices of Static Code Analysis in the SDLCParasoft_Mitchell
 
Java exception handling
Java exception handlingJava exception handling
Java exception handlingBHUVIJAYAVELU
 
Code review guidelines
Code review guidelinesCode review guidelines
Code review guidelinesLalit Kale
 
L27
L27L27
L27NathannyabvureMapisa
 
Security asp.net application
Security asp.net applicationSecurity asp.net application
Security asp.net applicationZAIYAUL HAQUE
 
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleDeploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleAchim D. Brucker
 

More Related Content

What's hot

Top 10 static code analysis tool
Top 10 static code analysis toolTop 10 static code analysis tool
Top 10 static code analysis toolscmGalaxy Inc
 
Server Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonServer Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonMandeep Jadon
 
Security Testing
Security TestingSecurity Testing
Security TestingKiran Kumar
 
PVS-Studio and static code analysis technique
PVS-Studio and static code analysis techniquePVS-Studio and static code analysis technique
PVS-Studio and static code analysis techniqueAndrey Karpov
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security AgileOleg Gryb
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestStatic Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestDenim Group
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesWebsecurify
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practicesNeoito
 
Static code analysis
Static code analysisStatic code analysis
Static code analysisRune Sundling
 
Static Analysis Primer
Static Analysis PrimerStatic Analysis Primer
Static Analysis PrimerCoverity
 
DevSecOps: Securing Applications with DevOps
DevSecOps: Securing Applications with DevOpsDevSecOps: Securing Applications with DevOps
DevSecOps: Securing Applications with DevOpsWouter de Kort
 
Java Code Quality Tools
Java Code Quality ToolsJava Code Quality Tools
Java Code Quality ToolsOrest Ivasiv
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review ProcessSherif Koussa
 
Best Practices of Static Code Analysis in the SDLC
Best Practices of Static Code Analysis in the SDLCBest Practices of Static Code Analysis in the SDLC
Best Practices of Static Code Analysis in the SDLCParasoft_Mitchell
 
Java exception handling
Java exception handlingJava exception handling
Java exception handlingBHUVIJAYAVELU
 
Code review guidelines
Code review guidelinesCode review guidelines
Code review guidelinesLalit Kale
 

What's hot (20)

Top 10 static code analysis tool
Top 10 static code analysis toolTop 10 static code analysis tool
Top 10 static code analysis tool
 
Server Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonServer Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep Jadon
 
Code review
Code reviewCode review
Code review
 
Security Testing
Security TestingSecurity Testing
Security Testing
 
PVS-Studio and static code analysis technique
PVS-Studio and static code analysis techniquePVS-Studio and static code analysis technique
PVS-Studio and static code analysis technique
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestStatic Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best Practices
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practices
 
Static code analysis
Static code analysisStatic code analysis
Static code analysis
 
Static Analysis Primer
Static Analysis PrimerStatic Analysis Primer
Static Analysis Primer
 
DevSecOps: Securing Applications with DevOps
DevSecOps: Securing Applications with DevOpsDevSecOps: Securing Applications with DevOps
DevSecOps: Securing Applications with DevOps
 
Java Code Quality Tools
Java Code Quality ToolsJava Code Quality Tools
Java Code Quality Tools
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review Process
 
Best Practices of Static Code Analysis in the SDLC
Best Practices of Static Code Analysis in the SDLCBest Practices of Static Code Analysis in the SDLC
Best Practices of Static Code Analysis in the SDLC
 
Java exception handling
Java exception handlingJava exception handling
Java exception handling
 
Code review guidelines
Code review guidelinesCode review guidelines
Code review guidelines
 
L27
L27L27
L27
 

Viewers also liked

Security asp.net application
Security asp.net applicationSecurity asp.net application
Security asp.net applicationZAIYAUL HAQUE
 
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleDeploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleAchim D. Brucker
 
Microsoft asp.net identity security
Microsoft asp.net identity securityMicrosoft asp.net identity security
Microsoft asp.net identity securityrustd
 
Security Code Review: Magic or Art?
Security Code Review: Magic or Art?Security Code Review: Magic or Art?
Security Code Review: Magic or Art?Sherif Koussa
 
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015gmaran23
 
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...gmaran23
 
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)OWASP Ottawa
 
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...gmaran23
 
PCI security requirements secure coding and code review 2014
PCI security requirements secure coding and code review 2014PCI security requirements secure coding and code review 2014
PCI security requirements secure coding and code review 2014Haitham Raik
 
Sass Code Reviews - How one code review changed my life #SassConf2015
Sass Code Reviews - How one code review changed my life #SassConf2015Sass Code Reviews - How one code review changed my life #SassConf2015
Sass Code Reviews - How one code review changed my life #SassConf2015Stacy Kvernmo
 
«Вредоносные браузерные расширения и борьба с ними», Александра Сватикова (Од...
«Вредоносные браузерные расширения и борьба с ними», Александра Сватикова (Од...«Вредоносные браузерные расширения и борьба с ними», Александра Сватикова (Од...
«Вредоносные браузерные расширения и борьба с ними», Александра Сватикова (Од...OWASP Russia
 
«Android Activity Hijacking», Евгений Блашко, Юрий Шабалин (АО «Сбербанк-Тех...
«Android Activity Hijacking», Евгений Блашко, Юрий Шабалин (АО «Сбербанк-Тех...«Android Activity Hijacking», Евгений Блашко, Юрий Шабалин (АО «Сбербанк-Тех...
«Android Activity Hijacking», Евгений Блашко, Юрий Шабалин (АО «Сбербанк-Тех...OWASP Russia
 

Viewers also liked (16)

Security asp.net application
Security asp.net applicationSecurity asp.net application
Security asp.net application
 
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleDeploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large Scale
 
Microsoft asp.net identity security
Microsoft asp.net identity securityMicrosoft asp.net identity security
Microsoft asp.net identity security
 
Security Code Review: Magic or Art?
Security Code Review: Magic or Art?Security Code Review: Magic or Art?
Security Code Review: Magic or Art?
 
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
 
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#
 
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
 
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
 
PCI security requirements secure coding and code review 2014
PCI security requirements secure coding and code review 2014PCI security requirements secure coding and code review 2014
PCI security requirements secure coding and code review 2014
 
ASP.NET Core Security
ASP.NET Core SecurityASP.NET Core Security
ASP.NET Core Security
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Sass Code Reviews - How one code review changed my life #SassConf2015
Sass Code Reviews - How one code review changed my life #SassConf2015Sass Code Reviews - How one code review changed my life #SassConf2015
Sass Code Reviews - How one code review changed my life #SassConf2015
 
«Вредоносные браузерные расширения и борьба с ними», Александра Сватикова (Од...
«Вредоносные браузерные расширения и борьба с ними», Александра Сватикова (Од...«Вредоносные браузерные расширения и борьба с ними», Александра Сватикова (Од...
«Вредоносные браузерные расширения и борьба с ними», Александра Сватикова (Од...
 
«Android Activity Hijacking», Евгений Блашко, Юрий Шабалин (АО «Сбербанк-Тех...
«Android Activity Hijacking», Евгений Блашко, Юрий Шабалин (АО «Сбербанк-Тех...«Android Activity Hijacking», Евгений Блашко, Юрий Шабалин (АО «Сбербанк-Тех...
«Android Activity Hijacking», Евгений Блашко, Юрий Шабалин (АО «Сбербанк-Тех...
 

Similar to Code Review Strategies for Secure Web Applications

How to use Approval Tests for C++ Effectively
How to use Approval Tests for C++ EffectivelyHow to use Approval Tests for C++ Effectively
How to use Approval Tests for C++ EffectivelyClare Macrae
 
Securing Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTPSecuring Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTPRafal Gancarz
 
Software Development in the Age of Breaches
Software Development in the Age of BreachesSoftware Development in the Age of Breaches
Software Development in the Age of BreachesKarthik Bhat
 
Web Services Automated Testing via SoapUI Tool
Web Services Automated Testing via SoapUI ToolWeb Services Automated Testing via SoapUI Tool
Web Services Automated Testing via SoapUI ToolSperasoft
 
AppsSec In a DevOps World
AppsSec In a DevOps WorldAppsSec In a DevOps World
AppsSec In a DevOps WorldParasoft
 
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능Hyperledger Korea User Group
 
Continuous Security Testing in a Devops World #OWASPHelsinki
Continuous Security Testing in a Devops World #OWASPHelsinkiContinuous Security Testing in a Devops World #OWASPHelsinki
Continuous Security Testing in a Devops World #OWASPHelsinkiStephen de Vries
 
Continuous Security Testing in a Devops World
Continuous Security Testing in a Devops WorldContinuous Security Testing in a Devops World
Continuous Security Testing in a Devops WorldStephen de Vries
 
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menaceDEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menaceFelipe Prado
 
Testing Ext JS and Sencha Touch
Testing Ext JS and Sencha TouchTesting Ext JS and Sencha Touch
Testing Ext JS and Sencha TouchMats Bryntse
 
Continuous Security Testing with Devops - OWASP EU 2014
Continuous Security Testing with Devops - OWASP EU 2014Continuous Security Testing with Devops - OWASP EU 2014
Continuous Security Testing with Devops - OWASP EU 2014Stephen de Vries
 
Securing your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggSecuring your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggStreamNative
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Matt Raible
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache ShiroMarakana Inc.
 
Code your Own: Authentication Provider for Blackboard Learn
Code your Own: Authentication Provider for Blackboard LearnCode your Own: Authentication Provider for Blackboard Learn
Code your Own: Authentication Provider for Blackboard LearnDan Rinzel
 

Similar to Code Review Strategies for Secure Web Applications (20)

How to use Approval Tests for C++ Effectively
How to use Approval Tests for C++ EffectivelyHow to use Approval Tests for C++ Effectively
How to use Approval Tests for C++ Effectively
 
Security in Node.JS and Express:
Security in Node.JS and Express:Security in Node.JS and Express:
Security in Node.JS and Express:
 
Rails Security
Rails SecurityRails Security
Rails Security
 
Securing Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTPSecuring Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTP
 
Software Development in the Age of Breaches
Software Development in the Age of BreachesSoftware Development in the Age of Breaches
Software Development in the Age of Breaches
 
Web Services Automated Testing via SoapUI Tool
Web Services Automated Testing via SoapUI ToolWeb Services Automated Testing via SoapUI Tool
Web Services Automated Testing via SoapUI Tool
 
AppsSec In a DevOps World
AppsSec In a DevOps WorldAppsSec In a DevOps World
AppsSec In a DevOps World
 
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
 
Continuous Security Testing in a Devops World #OWASPHelsinki
Continuous Security Testing in a Devops World #OWASPHelsinkiContinuous Security Testing in a Devops World #OWASPHelsinki
Continuous Security Testing in a Devops World #OWASPHelsinki
 
Continuous Security Testing in a Devops World
Continuous Security Testing in a Devops WorldContinuous Security Testing in a Devops World
Continuous Security Testing in a Devops World
 
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menaceDEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
 
Testing Ext JS and Sencha Touch
Testing Ext JS and Sencha TouchTesting Ext JS and Sencha Touch
Testing Ext JS and Sencha Touch
 
Continuous Security Testing with Devops - OWASP EU 2014
Continuous Security Testing with Devops - OWASP EU 2014Continuous Security Testing with Devops - OWASP EU 2014
Continuous Security Testing with Devops - OWASP EU 2014
 
Securing your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggSecuring your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris Kellogg
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache Shiro
 
CodeChecker Overview Nov 2019
CodeChecker Overview Nov 2019CodeChecker Overview Nov 2019
CodeChecker Overview Nov 2019
 
Secure all things with CBSecurity 3
Secure all things with CBSecurity 3Secure all things with CBSecurity 3
Secure all things with CBSecurity 3
 
Security testing
Security testingSecurity testing
Security testing
 
Code your Own: Authentication Provider for Blackboard Learn
Code your Own: Authentication Provider for Blackboard LearnCode your Own: Authentication Provider for Blackboard Learn
Code your Own: Authentication Provider for Blackboard Learn
 

Recently uploaded

Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 

Recently uploaded (20)

Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 

Code Review Strategies for Secure Web Applications

  • 1. Code Review for Secure Web Applications With java samples
  • 2. Bibliography • OWASP – Open web applications security projects – www.owasp.org • OWASP Code review guide
  • 3. Introduction • Code reviews: – Ad hoc reviews – Pair programming – Walkthrough – Team review – Inspection • Purpose – security
  • 4. Code review strategies • Automatic • Manual – use checklists – Risk based – Most encountered programming mistakes – Mitigation of most encountered vulnerabilities exploited in the world – Security best practices
  • 5. Checklist based on best practices • Authentication • Authorization • Session management • Input validation and output sanitization
  • 6. Checklist based on best practices To be presented next meeting • Prevent Cross Site Request Forgery • Cryptographic controls • Error handling • Logging • Prevent Race conditions
  • 7. Authentication • Check user is not allowed to choose weak passwords Bad: String password = request.getParameter("Password"); if (password == Null) {throw InvalidPasswordException() }
  • 8. Authentication • Check user is not allowed to choose weak passwords OK: if password.RegEx([a-z]) and password.RegEx([A-Z]) and password.RegEx([0-9]) and password.RegEx({8-30}) and password.RexEX([!"£$%^&*()]) return true; else return false;
  • 9. Authentication • Password storage strategy: hashing using a one-way hash algorithm + salting OK hashing: import java.security.MessageDigest; public byte[] getHash(String password) throws NoSuchAlgorithmException { MessageDigest digest = MessageDigest.getInstance("SHA-1"); digest.reset(); byte[] input = digest.digest(password.getBytes("UTF-8")); }
  • 10. Authentication • Password storage strategy: hashing using a one-way hash algorithm + salting OK salting: import java.security.MessageDigest; public byte[] getHash(String password, byte[] salt) throws NoSuchAlgorithmException { MessageDigest digest = MessageDigest.getInstance("SHA- 256"); digest.reset(); digest.update(salt); return digest.digest(password.getBytes("UTF-8")); }
  • 11. Authorization • Check the access roles matrix and make sure it is created respecting the need-to-know and least- privilege principle • Check the business logic for errors Bad: if user.equals("NormalUser") { grantUser(Normal_Permissions); } else{ //user must be admin/super grantUser("Super_Permissions); }
  • 12. Authorization • Check if security by obscurity is used • Check if authorization is verified for every request Good: String action = request.getParameter("action"); if (action.equals("doStuff")) boolean permit = session.authTable.isAuthorised(action); if (permit) doStuff(); else{ throw new (InvalidRequestException("Unauthorised request"); session.invalidate(); }
  • 13. Session Management • Check if only framework’s session manager is used • Check the cryptographic strength, the length of the sessions and character pool • Check that sessionIds coming from clients are validated • Check there is a timeout implemented for idle sessions • Check session is destroyed on logout
  • 14. Input validation and output sanitization • Ensure 2 separate validations occur: first a security validation, then a business validation • Ensure in the security validation, data are canonicalized first public static void main(String[] args) { File x = new File("/cmd/" + args[1]); String absPath = x.getAbsolutePath(); String canonicalPath = x.getCanonicalPath(); }
  • 15. Input validation and output sanitization • Check that all input that traversed untrusted zones is validated, not only user input • Check that validators or sanitizers are adapted for the modules that receives/uses data – encode, escape, etc • Check validators are applied in a safe side (never client side)
  • 16. Input validation and output sanitization public class DoStuff { public String executeCommand(String userName) { try { String myUid = userName; Runtime rt = Runtime.getRuntime(); rt.exec("cmd.exe /C doStuff.exe " +”-“ +myUid); } catch(Exception e) { e.printStackTrace(); } } }
  • 17. Input validation and output sanitization String myQuery = “select food from foods where name=?”; String sortOrder=request.getParameter(“order”); myQuery+=sortOrder; PreparedStatement preparedStatement = connection.prepareStatement(myQuery); preparedStatement.setString(1, “Shaorma”); ResultSet resultSet = preparedStatement.executeQuery();
  • 18. Input validation and output sanitization import java.io.*; import javax.servlet.http.*; import javax.servlet.*; public class HelloServlet extends HttpServlet { public void doGet (HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { String input = req.getHeader(“USERINPUT”); PrintWriter out = res.getWriter(); out.println(Server.HTMLEncode(input)); out.close(); } }
  • 19. Thank you for the interest Questions?
  • 20. Prevent Cross Site Script Forgery