Simplified Security Code Review Process


  1. Simplifying Secure Code Reviews. Sherif Koussa, sherif@softwaresecured.com. BSides Quebec 2013, Monday, 3 June, 13
  2. Security Teams / Development Teams
  3. Bio: Principal Consultant @ SoftwareSecured (timeline: 2007, 2009, 2011, 2013)
     ✓ Application Security Assessment
     ✓ Application Security Assurance Program Implementation
     ✓ Application Security Training
  4-8. Take Aways
     ➡ Role of Security Code Review
     ➡ Effective Process
     ➡ Simplified Process
     ➡ Key Tools to Use
  9. What This Presentation is NOT...
     ➡ Ground Breaking Research
     ➡ New Tool
     ➡ How to Fix Vulnerabilities
  10-14. What IS Security Code Review?
     ➡ The Inspection of Source Code to Find Security Weakness
     ➡ Integrated Activity into the Software Development Lifecycle
     ➡ Cross-Team Integration: Development Teams, Security Teams, Project/Risk Management
     ➡ Systematic Approach to Uncover Security Flaws
  15-20. Why Security Code Reviews
     ➡ Effectiveness of Security Controls
     ➡ Exercise all code paths
     ➡ All instances of a vulnerability
     ➡ Find design flaws
     ➡ Remediation Instructions
  21-27. Effective Security Code Review Process
     ➡ Reconnaissance
     ➡ Threat Modeling
     ➡ Automation
     ➡ Manual Review
     ➡ Confirmation & Proof-Of-Concept
     ➡ Reporting
  28-34. Full SCR Process (supported throughout by Checklists, Tools and Skills); what each phase covers:
     ➡ Reconnaissance: Business Goals, Technology Stack, Use Case Scenarios, Network Deployment
     ➡ Threat Modeling: Decompose Application, Attack Surface, Major Security Controls
     ➡ Automation: Low Hanging Fruit, Hot Spots, Missed Functionalities, Abandoned Code
     ➡ Manual Review: Security Controls, High Profile Code, Custom Rules
     ➡ Confirmation & PoC: Confirmation, Evidence
     ➡ Reporting: Risk Rating, Role Based, Remediation Instructions
  35-37. Simplified Security Code Review Process: of the full process (Reconnaissance, Threat Modeling, Automation, Manual Review, Confirmation & PoC, Reporting; Checklists, Tools, Skills) the simplified process keeps three steps, Automation, Manual Review and Reporting, supported by Checklists and Tools and by two skills: OWASP Top 10 and Trust Boundary Identification.
  38. Usages of Simplified Security Code Review
     ➡ Ideal for Introducing Development Teams To Security Code Reviews
     ➡ Crossing The Gap Between Security and Development Teams
  39. Skills - OWASP Top 10 (2013)
     ➡ A1 Injection
     ➡ A2 Broken Authentication and Session Management
     ➡ A3 Cross-Site Scripting (XSS)
     ➡ A4 Insecure Direct Object References
     ➡ A5 Security Misconfiguration
     ➡ A6 Sensitive Data Exposure
     ➡ A7 Missing Function Level Access Control
     ➡ A8 Cross-Site Request Forgery (CSRF)
     ➡ A9 Using Known Vulnerable Components
     ➡ A10 Unvalidated Redirects and Forwards
  40-41. OWASP TOP 10 - 2010 vs OWASP TOP 10 - 2013 (slide legend: 2010, Modified, New); both columns in the order shown on the slide:
     2010: A1. Injection; A2. Cross-Site Scripting; A3. Broken Authentication and Session Management; A4. Insecure Direct Object References; A5. Cross-Site Request Forgery; A6. Security Misconfiguration; A7. Insecure Cryptographic Storage; A9. Insufficient Transport Layer Protection; A8. Failure to Restrict URL Access; A10. Unvalidated Redirects and Forwards
     2013: A1. Injection; A3. Cross-Site Scripting; A2. Broken Authentication and Session Management; A4. Insecure Direct Object References; A6. Sensitive Data Exposure; A5. Security Misconfiguration; A7. Missing Function Level Access Control; A9. Using Known Vulnerable Components; A8. Cross-Site Request Forgery; A10. Unvalidated Redirects and Forwards
  42-44. The OWASP TOP 10 - 2013 categories mapped against the findings of the Veracode Report - 2011, the Trustwave Report - 2013 and the Whitehat Report - 2012 (charts on the slides, same legend: 2010, Modified, New)
  45. Define Trust Boundary (skill: Trust Boundary Identification)
  46-52. Trust Boundary - Example (architecture diagram, with the boundaries drawn in step by step). Internet side: Browser, SOAP Client, Mobile Client. Application: Front Controller, Web Services, Admin Front Controller, Browser View, BusinessObjects, DataAccessLayer. LAN side: DB, LDAP, File System.
  53-62. Trust Boundary - OWASP Top 10: the same diagram (Front Controller, Web Services, Admin Front Controller, View, BusinessObjects, DataAccessLayer; LAN: DB, LDAP, File System) with each 2013 category placed on the components where that class of weakness is found, one category per build: A1 Injection; A2 Broken Authentication and Session Management; A3 Cross-Site Scripting (XSS); A4 Insecure Direct Object References; A5 Security Misconfiguration; A6 Sensitive Data Exposure; A7 Missing Function Level Access Control; A8 Cross-Site Request Forgery (CSRF); A9 Using Known Vulnerable Components; A10 Unvalidated Redirects and Forwards (per-component placement is in the slide images)
  63-68. How Can You Identify Trust Boundary?
     ➡ File Extensions: *.jsp, *.aspx.cs, *.sql, *.txt, *DAL.*, etc.
     ➡ Implementations: HttpServlet, JAXMServlet, *.master.cs, etc.
     ➡ Imports: Import System.Data.SqlClient, import javax.servlet.http.*, etc.
     ➡ Tools: Spiders' output
     ➡ Annotations: @WebMethod, @WebService
  69. Making Unsecure Code Look Unsecure - cc/Joel Spolsky
     ➡ Physical Source Code Separation.
     ➡ File Naming Scheme:
        ➡ Trust Boundary Safe: tbsProcessNameChange.java
        ➡ Trust Boundary UnSafe: tbuEditProfile.jsp
     ➡ Variable Naming Convention (us = unsafe, s = safe):
        ➡ String usEmail = Request.getParameter("email");
        ➡ String sEmail = Validate(Request.getParameter("email"));
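The two slides above give heuristics rather than a procedure. The scanner below is an added example (not from the slides or from SoftwareSecured): it applies the file-name, base-class, import and annotation heuristics to a source tree and, following the naming convention, flags any sink call that receives a variable carrying the "us" (unsafe) prefix. The sample files, the sink list and the result format are constructed for this demonstration.

```python
"""Added example (not from the slides): a scanner that applies the deck's
trust-boundary heuristics (file name patterns, base classes, imports,
annotations) to a source tree and checks the us*/s* variable convention at
sink calls.  The sample files, the sink list and the results format are
constructed for this demonstration."""
from __future__ import annotations

import re

# Heuristics taken from the "How Can You Identify Trust Boundary?" slide.
BOUNDARY_FILE_PATTERNS = [r"\.jsp$", r"\.aspx\.cs$", r"\.master\.cs$", r"\.sql$", r"DAL\.\w+$"]
BOUNDARY_BASE_CLASSES = ["HttpServlet", "JAXMServlet"]
BOUNDARY_IMPORTS = ["System.Data.SqlClient", "javax.servlet.http"]
BOUNDARY_ANNOTATIONS = ["@WebMethod", "@WebService"]

# Sinks at which an unsanitised ("us"-prefixed) variable should look wrong
# (constructed list; a real scan would use the project's own sink inventory).
SINK_CALLS = ["executeQuery", "ExecuteReader", "out.println", "Response.Write"]
SINK_RE = re.compile(r"\b(" + "|".join(map(re.escape, SINK_CALLS)) + r")\s*\(([^)]*)\)")

# Constructed sample tree (path -> contents); not from any real project.
SAMPLE_FILES = {
    "web/tbuEditProfile.jsp": (
        '<%@ page import="java.sql.*" %>\n'
        '<% String usEmail = request.getParameter("email");\n'
        '   stmt.executeQuery("SELECT * FROM users WHERE email=\'" + usEmail + "\'"); %>\n'
    ),
    "src/LoginServlet.java": (
        "import javax.servlet.http.*;\n"
        "public class LoginServlet extends HttpServlet {\n"
        '    String sUser = Validate(req.getParameter("u"));\n'
        "    ResultSet rs = stmt.executeQuery(byUser(sUser));\n"
        "}\n"
    ),
    "src/tbsProcessNameChange.java": "package app.core;\npublic class ProcessNameChange {}\n",
    "Data/CustomerDAL.cs": "using System.Data.SqlClient;\nclass CustomerDAL {}\n",
}


def classify_file(path: str, text: str) -> list[str]:
    """Return the reasons a file sits on the trust boundary; empty means it does not."""
    reasons = []
    for pat in BOUNDARY_FILE_PATTERNS:
        if re.search(pat, path):
            reasons.append(f"name matches {pat}")
    for base in BOUNDARY_BASE_CLASSES:
        if re.search(rf"\bextends\s+{re.escape(base)}\b", text):
            reasons.append(f"implements {base}")
    for imp in BOUNDARY_IMPORTS:
        if re.search(rf"^\s*(import|using)\s+{re.escape(imp)}", text, re.MULTILINE):
            reasons.append(f"imports {imp}")
    for ann in BOUNDARY_ANNOTATIONS:
        if ann in text:
            reasons.append(f"annotated {ann}")
    return reasons


def unsafe_flows(text: str) -> list[tuple[int, str]]:
    """Flag sink calls whose arguments name a variable with the 'us' (unsafe) prefix."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SINK_RE.finditer(line):
            for var in re.findall(r"\bus[A-Z]\w*", m.group(2)):
                hits.append((lineno, f"{var} -> {m.group(1)}"))
    return hits


def scan_tree(files: dict[str, str]) -> dict[str, dict]:
    """Classify every file and list unsafe-variable flows into sinks."""
    return {
        path: {"boundary": classify_file(path, text), "flows": unsafe_flows(text)}
        for path, text in files.items()
    }


if __name__ == "__main__":
    for path, result in scan_tree(SAMPLE_FILES).items():
        tag = "BOUNDARY" if result["boundary"] else "internal"
        print(f"{tag:8} {path}: {', '.join(result['boundary']) or '-'}")
        for lineno, flow in result["flows"]:
            print(f"         line {lineno}: unsafe value reaches sink ({flow})")
```

The file classification is what a reviewer uses to decide which files get the manual pass; the `us`-prefix check is the automatable half of the Spolsky convention: once unvalidated values are named `us...`, a `us` variable inside a sink call is wrong on sight, and a regex can list every such line.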
  70. Automation (simplified process step)
  71. Automation: Static Code Analysis
     Pros                   Cons
     Scales Well            False Positives
     Low Hanging Fruit      Application Logic Issues
     Could Be Customized    Collections, Frameworks
  72. Scripts
     ➡ Complement Static Code Analysis Tools.
     ➡ 3rd Party Libraries Discovery.
     ➡ Data Input Sources (e.g. web services)
     ➡ Tracing Data Through Collections (e.g. Session, Request, Collection)
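The three script tasks on the slide above, as an added example (not from the slides or from SoftwareSecured): library discovery from dependency manifests, input-source detection, and tracing of values stored in and read back from the Session collection, which is exactly where a static tool tends to lose the data flow. The pom.xml, packages.config, library names, versions and source lines are all constructed for the demonstration.

```python
"""Added example (not from the slides): the three script tasks the deck lists as
complements to static analysis, run over constructed inputs: a Maven pom.xml and
a NuGet packages.config for third-party library discovery, and two source
snippets for input-source detection and Session-collection tracing.  Library
names, versions, file names and source lines are all made up for the demonstration."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>com.acme</groupId><artifactId>acme-json</artifactId><version>1.0.3</version></dependency>
    <dependency><groupId>com.acme</groupId><artifactId>acme-upload</artifactId><version>0.9</version></dependency>
  </dependencies>
</project>"""

PACKAGES_CONFIG = """<packages>
  <package id="Acme.Logging" version="2.1.0" targetFramework="net45" />
</packages>"""

SAMPLE_SOURCE = {
    "Account.aspx.cs": (
        'string email = Request.Form["email"];\n'
        'Session["email"] = email;\n'
        'var cmd = new SqlCommand("SELECT * FROM users WHERE email = \'" + Session["email"] + "\'");\n'
    ),
    "Export.java": (
        'String id = request.getParameter("id");\n'
        'session.setAttribute("exportId", id);\n'
        'String chosen = (String) session.getAttribute("exportId");\n'
    ),
}


def _local(tag: str) -> str:
    """Strip the XML namespace Maven puts on every element."""
    return tag.rsplit("}", 1)[-1]


def maven_dependencies(pom_text: str) -> list[tuple[str, str]]:
    """(groupId:artifactId, version) for every <dependency> in a pom.xml."""
    deps = []
    for dep in (e for e in ET.fromstring(pom_text).iter() if _local(e.tag) == "dependency"):
        f = {_local(c.tag): (c.text or "").strip() for c in dep}
        deps.append((f"{f.get('groupId', '')}:{f.get('artifactId', '')}", f.get("version", "")))
    return deps


def nuget_packages(config_text: str) -> list[tuple[str, str]]:
    """(id, version) for every <package> in a packages.config."""
    return [(p.get("id", ""), p.get("version", "")) for p in ET.fromstring(config_text).iter("package")]


# Where untrusted data enters: servlet request accessors, ASP.NET request collections, web methods.
INPUT_SOURCE_PATTERNS = {
    "servlet": re.compile(r"\b(?:request|req)\.(?:getParameter|getHeader|getCookies|getInputStream)\s*\("),
    "asp.net": re.compile(r"\bRequest\.(?:QueryString|Form|Cookies|Headers|Params)\s*\["),
    "web service": re.compile(r"@WebMethod\b|\[WebMethod\]"),
}


def input_sources(text: str) -> dict[str, list[int]]:
    """Line numbers at which each kind of input source appears."""
    found: dict[str, list[int]] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in INPUT_SOURCE_PATTERNS.items():
            if pat.search(line):
                found.setdefault(kind, []).append(lineno)
    return found


# Session writes and reads (ASP.NET indexer and Java HttpSession accessors).
SESSION_WRITE = re.compile(r'Session\["(\w+)"\]\s*=(?!=)|session\.setAttribute\("(\w+)"')
SESSION_READ = re.compile(r'Session\["(\w+)"\](?!\s*=(?!=))|session\.getAttribute\("(\w+)"')


def trace_session(text: str) -> dict[str, dict[str, list[int]]]:
    """For each Session key, the lines that store into it and the lines that read it
    back; a key written straight from an input source and read into a sink is what
    the reviewer follows by hand, because the tool loses the flow at the collection."""
    trace: dict[str, dict[str, list[int]]] = {"writes": {}, "reads": {}}
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SESSION_WRITE.finditer(line):
            trace["writes"].setdefault(m.group(1) or m.group(2), []).append(lineno)
        for m in SESSION_READ.finditer(line):
            trace["reads"].setdefault(m.group(1) or m.group(2), []).append(lineno)
    return trace


if __name__ == "__main__":
    print("maven:", maven_dependencies(POM_XML))
    print("nuget:", nuget_packages(PACKAGES_CONFIG))
    for name, text in SAMPLE_SOURCE.items():
        print(name, "sources:", input_sources(text), "session:", trace_session(text))
```

The library inventory is the input a tool such as DependencyCheck (named on the Tools slide) needs; the session trace pairs each write line with the read lines so the reviewer can check whether validation happened before the write or is missing on the read side, as in the constructed `Account.aspx.cs`, where the value goes from `Request.Form` into `Session` and straight into a query.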
  73. Manual Review (simplified process step)
  74. What Needs to Be Manually Reviewed?
     ➡ Authentication & Authorization Controls
     ➡ Encryption Modules
     ➡ File Upload and Download Operations
     ➡ Validation Controls / Input Filters
     ➡ Security-Sensitive Application Logic
  75-78. Authentication & Authorization Flaws (code walkthrough on the slides; annotation: Web Methods Do Not Follow Regular ASP.NET Page Life Cycle)
  79-84. Encryption Flaws (code walkthrough on the slides; annotations, in order: Return value is initialized; Classic fail-open scenario)
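The two annotations on the encryption-flaw slides describe one pattern: the result variable is initialised to the success value, and an error on the way to the comparison never resets it, so the check fails open. The code on those slides is not in this transcript; the block below is an added example (not from the slides or from SoftwareSecured) that re-expresses the pattern in Python as a MAC verification next to its fail-closed form. Key, messages and tags are constructed for the demonstration.

```python
"""Added example (not from the slides): the "return value is initialized" /
"classic fail-open" pattern the encryption-flaw slides annotate, re-expressed
in Python as a MAC check next to its fail-closed form.  Key, messages and
tags are constructed for the demonstration."""
from __future__ import annotations

import hashlib
import hmac

KEY = b"constructed-demo-key"   # constructed; a real key comes from a key store


def sign(message: bytes) -> str:
    """Tag a message with HMAC-SHA256 (hex) under KEY."""
    return hmac.new(KEY, message, hashlib.sha256).hexdigest()


def verify_fail_open(message: bytes, tag: str | None) -> bool:
    """Flawed: `valid` starts as True, so any exception before the comparison
    completes (here: a missing tag makes compare_digest raise TypeError)
    leaves the message accepted."""
    valid = True
    try:
        expected = hmac.new(KEY, message, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            valid = False
    except Exception:
        pass  # error swallowed; `valid` is still True
    return valid


def verify_fail_closed(message: bytes, tag: str | None) -> bool:
    """Fixed: the default is rejection; only a successful comparison accepts,
    and any error keeps the default."""
    valid = False
    try:
        expected = hmac.new(KEY, message, hashlib.sha256).hexdigest()
        valid = hmac.compare_digest(expected, tag)
    except Exception:
        valid = False  # fail closed: record the error, never accept
    return valid


def review_table() -> list[tuple[str, bool, bool]]:
    """Same three inputs through both checks; the third row is the flaw."""
    good = sign(b"amount=10")
    cases = [
        ("genuine tag", b"amount=10", good),
        ("tampered message", b"amount=99", good),
        ("tag missing", b"amount=99", None),
    ]
    return [(name, verify_fail_open(m, t), verify_fail_closed(m, t)) for name, m, t in cases]


if __name__ == "__main__":
    for name, open_result, closed_result in review_table():
        print(f"{name:17} fail-open={open_result!s:5} fail-closed={closed_result}")
```

What the reviewer looks for is the initial value of the variable that is eventually returned and every path (exceptions, early returns, unexpected input types) that reaches the return without passing through the comparison; if such a path exists and the initial value means "accepted", the control fails open.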
  85-90. File Upload/Download Flaws (code walkthrough on the slides; annotations, in order: The value gets validated first time around; File path saved into a hidden field; File path is not validated on post back; Path used without validation)
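The four annotations above trace one flow: the path is validated on the first request, echoed into a hidden form field, and on post back the hidden-field value is used as if it were still the validated one. The slide code is not in the transcript; the block below is an added example (not from the slides or from SoftwareSecured) that re-expresses the flow in Python next to two fixes: re-validating on every request, and keeping the path server-side behind an opaque token. The storage root, form fields and file names are constructed.

```python
"""Added example (not from the slides): the file download flaw the slides
annotate (path validated on the first request, saved into a hidden field,
used without validation on post back), re-expressed as small Python handlers
next to two fixes.  The storage root, form fields and file names are constructed."""
from __future__ import annotations

import secrets
from pathlib import Path

STORAGE_ROOT = Path("/srv/app/uploads").resolve()   # constructed location


def validate_path(user_path: str) -> Path:
    """Resolve user_path under STORAGE_ROOT and reject anything that escapes it."""
    candidate = (STORAGE_ROOT / user_path).resolve()
    if STORAGE_ROOT not in candidate.parents:
        raise ValueError(f"path outside storage root: {user_path!r}")
    return candidate


# --- the flawed flow, as the slides describe it ------------------------------
def render_download_form(filename: str) -> dict[str, str]:
    """First request: validate, then echo the resolved path into a hidden field."""
    return {"hidden_path": str(validate_path(filename))}


def postback_vulnerable(form: dict[str, str]) -> Path:
    """Post back: the hidden field is trusted as if it were still the validated value."""
    return Path(form["hidden_path"])           # no re-validation


# --- fix 1: treat the hidden field as client input and validate it again -------
def postback_revalidated(form: dict[str, str]) -> Path:
    return validate_path(form["hidden_path"])


# --- fix 2: keep the path server-side, hand the client only an opaque token ----
_TOKENS: dict[str, Path] = {}                  # stands in for server-side session state


def render_download_form_token(filename: str) -> dict[str, str]:
    token = secrets.token_urlsafe(16)
    _TOKENS[token] = validate_path(filename)
    return {"download_token": token}


def postback_token(form: dict[str, str]) -> Path:
    try:
        return _TOKENS[form["download_token"]]
    except KeyError:
        raise ValueError("unknown download token") from None


def rejects(handler, argument) -> bool:
    """True if the handler refuses the input with ValueError."""
    try:
        handler(argument)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    form = render_download_form("report.pdf")
    tampered = {"hidden_path": "/etc/passwd"}   # constructed: client edits the hidden field
    print("vulnerable post back serves:", postback_vulnerable(tampered))
    print("re-validated post back rejects tampered field:", rejects(postback_revalidated, tampered))
    print("token post back rejects forged token:", rejects(postback_token, {"download_token": "forged"}))
```

The review question for any value that makes a round trip through the browser (hidden fields, view state, cookies, query strings) is the one the slides ask: where is it validated, and is that on the request that actually uses it? Fix 2 removes the question entirely, because the client never holds the path.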
  91. Reporting (simplified process step)
  92. Reporting
     ➡ Weakness Metadata
     ➡ Thorough Description
     ➡ Recommendation
     ➡ Assign Priority
     Sample finding:
        SQL Injection
        Location: sourceACMEPortalupdateinfo.aspx.cs
        Description: The code below builds a dynamic SQL statement using unvalidated data (i.e. name), which can lead to SQL Injection:
           51 SqlDataAdapter myCommand = new SqlDataAdapter(
           52     "SELECT au_lname, au_fname FROM author WHERE au_id = '" +
           53     SSN.Text + "'", myConnection);
        Priority: High
        Recommendation: Use parameterized SQL instead of dynamic concatenation; refer to http://msdn.microsoft.com/en-us/library/ff648339.aspx for details.
        Owner: John Smith
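The sample finding recommends parameterized SQL but, as the deck says of itself, does not show the fix. The block below is an added example (not from the slides or from SoftwareSecured): it re-expresses the reported concatenation in Python over an in-memory SQLite table, puts the parameterized form beside it, and runs the kind of check the Confirmation & PoC step needs before the finding is rated High. The table, its rows and the inputs are constructed; the C# original concatenates SSN.Text into the query text.

```python
"""Added example (not from the slides): the SQL injection finding from the
sample report, re-expressed in Python over an in-memory SQLite table so the
concatenated query and the parameterized replacement the report recommends can
be compared side by side.  The table, its rows and the inputs are constructed;
the C# original concatenates SSN.Text into the query text."""
from __future__ import annotations

import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed author table with the columns named in the report."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE author (au_id TEXT PRIMARY KEY, au_lname TEXT, au_fname TEXT)")
    conn.executemany(
        "INSERT INTO author VALUES (?, ?, ?)",
        [("172-32-1176", "White", "Johnson"), ("213-46-8915", "Green", "Marjorie")],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, au_id: str) -> list[tuple[str, str]]:
    """Mirrors the reported code: the input becomes part of the SQL text, so it
    can change the query's structure, not just its value."""
    sql = "SELECT au_lname, au_fname FROM author WHERE au_id = '" + au_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, au_id: str) -> list[tuple[str, str]]:
    """The recommended fix: the driver binds the value; the query text is fixed."""
    return conn.execute(
        "SELECT au_lname, au_fname FROM author WHERE au_id = ?", (au_id,)
    ).fetchall()


def confirm_finding(conn: sqlite3.Connection) -> bool:
    """Confirmation & PoC step: the finding is confirmed when a value that is
    not an author id makes the concatenated query return every row while the
    parameterized query returns none."""
    total = conn.execute("SELECT COUNT(*) FROM author").fetchone()[0]
    crafted = "' OR '1'='1"   # constructed confirmation input
    return (
        len(lookup_concatenated(conn, crafted)) == total
        and lookup_parameterized(conn, crafted) == []
    )


if __name__ == "__main__":
    db = make_db()
    print("concatenated, valid id:", lookup_concatenated(db, "172-32-1176"))
    print("parameterized, valid id:", lookup_parameterized(db, "172-32-1176"))
    print("finding confirmed:", confirm_finding(db))
```

Both functions return the same row for a genuine id, which is why the defect survives functional testing; only the confirmation input separates them, and that evidence is what the "Confirmation, Evidence" items of the process ask to be attached to the report.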
  93-96. Confirmation & PoC (screenshots on the slides)
  97. Tools (simplified process step)
  98. Security Code Review Tools
     ➡ Static Code Analysis
        ➡ Free: FindBugs, PMD, CAT.NET, PC-lint, etc.
        ➡ Commercial: see the Static Code Tools Evaluation Criteria (WASC)
     ➡ 3rd Party Libraries: DependencyCheck - https://github.com/jeremylong/DependencyCheck
     ➡ Scripts
  99. Open-Source Static Code Analysis Tools (logo chart on the slide, grouped by Java, .NET and C++)
  100. Checklists (simplified process step)
  101. Usage of checklists
     ➡ Aviation: checklists drove the evolution of modern airplanes after Major Hill's famous 1934 incident
     ➡ ICU: usage of checklists brought down infection rates in Michigan by 66%
  102. Security Code Review Checklist
     ➡ Data Validation and Encoding Controls
     ➡ Encryption Controls
     ➡ Authentication and Authorization Controls
     ➡ Session Management
     ➡ Exception Handling
     ➡ Auditing and Logging
     ➡ Security Configurations
  103. Resources To Conduct Your Checklist
     ➡ NIST Checklist Project - http://checklists.nist.gov/
     ➡ Mozilla's Secure Coding QA Checklist - https://wiki.mozilla.org/WebAppSec/Secure_Coding_QA_Checklist
     ➡ Oracle's Secure Coding Checklist - http://www.oracle.com/technetwork/java/seccodeguide-139067.html
  104. Simplified Security Code Review Process (summary): Automation, Manual Review, Reporting; supported by Checklists and Tools; skills: OWASP Top 10, Trust Boundary Identification
  105. QUESTIONS? @skoussa, sherif.koussa@owasp.org, sherif@softwaresecured.com
