Uploaded byrouanw
11 views

Is this okay!? DevSecCon ⚡ 2022

The document outlines essential considerations for reviewing code for security issues, emphasizing the importance of threat modeling, penetration testing, and proper input handling. Key areas to focus on include authentication, authorization, data leaks, dependency management, configuration, and caching issues. It provides practical tips for security awareness and improving security practices during code reviews.

Embed presentation

Download to read offline
Is this okay!? Rouan Wilsenach Engineering Lead, Haven @rouanw Reviewing code for security issues
Too much pressure Code reviews are great for catching issues but they can’t be the only thing. - Build awareness 💬 - Threat modelling 🐉 - Pen testing 🔦
Where’s the input going? - Is there new input? - Have we changed the way input is handled? - Where it’s stored? - How it’s used later? 1 .
Are the right AAA checks in place? - Authentication - have we checked the actor is who they say they are? - Authorisation - have we checked they’re allowed to do this? - Auditing - have we made a note of what happened? 2 .
Have the assets changed? Are we storing any personal or special information? E.g. - Emails - Health info - Credit cards - Racial or ethnic origin - Political or religious info 3 .
Are you leaking data? - Is your API returning extra bits? - Are you logging stuff you shouldn’t? - Don’t keep anything you don’t need 4 .
Any new dependencies? Do some research on new dependencies. Are they: - Trusted - Popular - Well maintained - Do you really need it? 5 .
Has the config changed? - Misconfiguration is a super common cause of security issues - If your config isn’t code, you can’t review it! 6 .
Is anything being cached? - Don’t show one user’s sensitive info to another! - Everyone should understand the default cache behaviour - Good cache keys 7 .
Have you checked the borders? Handy trick if you’re short on time is to focus on where data enters and leaves your system - e.g. where a web request comes in and where we talk to a database. 8 .
A few tricks that helped me learn Find your security mentor Turn up at post mortems Smashing Security Podcast Offer help during pen tests Find a security course online
1 . 2 . 3 . 4 . 5 . 6 . 7 . 8 . Inputs AAA Asset type Data leaks Dependencies Boundaries Config Caching Reviewing code for security issues – Cheat Sheet @rouanw
Is this okay!? Rouan Wilsenach Engineering Lead, Haven @rouanw Reviewing code for security issues

More Related Content

PDF
NDC Security 2023
byrouanw
 
PPTX
Security engineering 101 when good design & security work together
byWendy Knox Everette
 
PPT
Code Review Looking for a vulnerable code. Vlad Savitsky.
byDrupalCampDN
 
PPTX
testtesttesttesttesttesttesttesttesttesttesttesttesttest
byyamisukehiro9843
 
PDF
Agile Application Security Enabling Security in a Continuous Delivery Pipelin...
bypiggsadamiso
 
PDF
Simplified security code review - BSidesQuebec2013
byBSidesQuebec2013
 
PPTX
Capability Building for Cyber Defense: Software Walk through and Screening
byMaven Logix
 
PDF
ProdSec: A Technical Approach
byJeremy Brown
 
NDC Security 2023
byrouanw
 
Security engineering 101 when good design & security work together
byWendy Knox Everette
 
Code Review Looking for a vulnerable code. Vlad Savitsky.
byDrupalCampDN
 
testtesttesttesttesttesttesttesttesttesttesttesttesttest
byyamisukehiro9843
 
Agile Application Security Enabling Security in a Continuous Delivery Pipelin...
bypiggsadamiso
 
Simplified security code review - BSidesQuebec2013
byBSidesQuebec2013
 
Capability Building for Cyber Defense: Software Walk through and Screening
byMaven Logix
 
ProdSec: A Technical Approach
byJeremy Brown
 

Similar to Is this okay!? DevSecCon ⚡ 2022

PDF
SecurityBSides London - Agnitio: it's static analysis but not as we know it
bySecurity Ninja
 
PPTX
Web security-–-everything-we-know-is-wrong-eoin-keary
bydrewz lin
 
PPT
Intro to-ssdl--lone-star-php-2013
bynanderoo
 
PDF
Web Security... Level Up
byIzzet Mustafaiev
 
PDF
How to not suck at an audit-2.pdf
byHacken
 
PPTX
HouSecCon 2019: Offensive Security - Starting from Scratch
bySpencer Koch
 
PPTX
Code Review Cybersecurity: Comprehensive Guide to Secure Code Evaluation & B...
byhamdi71
 
ODP
Break it while you make it: writing (more) secure software
byLeigh Honeywell
 
PDF
Code reviews
byRaúl Araya Tauler
 
PDF
Using Analyzers to Resolve Security Problems
bykiansahafi
 
PPT
software-security-intro in information security.ppt
byismaeelsahib032
 
PPT
software-security-intro Secure software Design and Development
bysahar62648
 
PDF
Secure Code Review 101
byNarudom Roongsiriwong, CISSP
 
PDF
Professional Code Reviews - Bogdan Gusiev
byRuby Meditation
 
PDF
Simplified Security Code Review Process
bySherif Koussa
 
PDF
Cyber security webinar 6 - How to build systems that resist attacks?
byF-Secure Corporation
 
PPT
software-security.ppt
byPRALHAD MAGADUM
 
PPTX
Application Security - Dont leave your AppSec for the last moment Meetup 2104...
bylior mazor
 
PPTX
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
byRyan Elkins
 
DOCX
Aardwolf Security's Expert Code Review Services
byAardwolf Security
 
SecurityBSides London - Agnitio: it's static analysis but not as we know it
bySecurity Ninja
 
Web security-–-everything-we-know-is-wrong-eoin-keary
bydrewz lin
 
Intro to-ssdl--lone-star-php-2013
bynanderoo
 
Web Security... Level Up
byIzzet Mustafaiev
 
How to not suck at an audit-2.pdf
byHacken
 
HouSecCon 2019: Offensive Security - Starting from Scratch
bySpencer Koch
 
Code Review Cybersecurity: Comprehensive Guide to Secure Code Evaluation & B...
byhamdi71
 
Break it while you make it: writing (more) secure software
byLeigh Honeywell
 
Code reviews
byRaúl Araya Tauler
 
Using Analyzers to Resolve Security Problems
bykiansahafi
 
software-security-intro in information security.ppt
byismaeelsahib032
 
software-security-intro Secure software Design and Development
bysahar62648
 
Secure Code Review 101
byNarudom Roongsiriwong, CISSP
 
Professional Code Reviews - Bogdan Gusiev
byRuby Meditation
 
Simplified Security Code Review Process
bySherif Koussa
 
Cyber security webinar 6 - How to build systems that resist attacks?
byF-Secure Corporation
 
software-security.ppt
byPRALHAD MAGADUM
 
Application Security - Dont leave your AppSec for the last moment Meetup 2104...
bylior mazor
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
byRyan Elkins
 
Aardwolf Security's Expert Code Review Services
byAardwolf Security
 

More from rouanw

PDF
Ship Show Ask at Lean Agile Edinburgh 2025
byrouanw
 
PDF
Ship Show Ask - A modern branching strategy at Lean Agile Scotland 2024
byrouanw
 
PDF
Fail better with QA in Production
byrouanw
 
PDF
Qa in production singular 2019
byrouanw
 
PDF
How to review a pull request
byrouanw
 
PDF
Rouan's design principles
byrouanw
 
PDF
The curious case of the production incident
byrouanw
 
PDF
QA in Production: The tests we never wrote and the production monitoring we u...
byrouanw
 
PDF
Organised chaos: real-world JavaScript microservices
byrouanw
 
PDF
Contributing to open source is easier than you think
byrouanw
 
PDF
How to write a blog post
byrouanw
 
PDF
QA in Production
byrouanw
 
PDF
Dashboards: Using data to find out what's really going on
byrouanw
 
PDF
Tech lead tips
byrouanw
 
PDF
DevOps Culture
byrouanw
 
PDF
Techniques for stress free software releases
byrouanw
 
PDF
Be a polyglot programmer
byrouanw
 
PDF
Emergent design - PHP Jo'burg 2015
byrouanw
 
PDF
Infrastructure as code
byrouanw
 
PDF
ThoughtWorks Tech radar Jan 2014
byrouanw
 
Ship Show Ask at Lean Agile Edinburgh 2025
byrouanw
 
Ship Show Ask - A modern branching strategy at Lean Agile Scotland 2024
byrouanw
 
Fail better with QA in Production
byrouanw
 
Qa in production singular 2019
byrouanw
 
How to review a pull request
byrouanw
 
Rouan's design principles
byrouanw
 
The curious case of the production incident
byrouanw
 
QA in Production: The tests we never wrote and the production monitoring we u...
byrouanw
 
Organised chaos: real-world JavaScript microservices
byrouanw
 
Contributing to open source is easier than you think
byrouanw
 
How to write a blog post
byrouanw
 
QA in Production
byrouanw
 
Dashboards: Using data to find out what's really going on
byrouanw
 
Tech lead tips
byrouanw
 
DevOps Culture
byrouanw
 
Techniques for stress free software releases
byrouanw
 
Be a polyglot programmer
byrouanw
 
Emergent design - PHP Jo'burg 2015
byrouanw
 
Infrastructure as code
byrouanw
 
ThoughtWorks Tech radar Jan 2014
byrouanw
 

Recently uploaded

PPTX
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
PPTX
Device Repair and Maintenance Management
byAxisTechnolabs
 
PPTX
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
PDF
Research-Driven Development: Navigating the Generative Era in Software
byCadabra Studio
 
PDF
Massage Booking App Development Company
byV3CUBE TECHNOLABS
 
PPTX
Best Digital Marketing Company in Lucknow
bydigitallearning9277
 
PDF
openstack_operations_slides_version1.3_pp.pdf
byssuser47d511
 
PPTX
SAP S4 HANA Conversion and Migration .pptx
bysabeenakouser
 
PDF
Metrics, Logs, Traces, and Mayhem_ Introducing an observability adventure gam...
byImma Valls Bernaus
 
PDF
MySQL Routing Guidelines: Designing Smarter Query Routing Together
byMiguel Araújo
 
PDF
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
PPTX
Pitch Deck for MEVIA OS - No Apps, Infinite, Decentralized Operating System
byDr. Edwin Hernandez
 
PDF
SAP ERP to SAP S_4HANA Cloud Private Edition Delta Scope
bychuck78
 
PDF
Versnel innovatie met GitHub Enterprise - Rick Smit GitHub
byDelta-N
 
PPTX
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
PDF
Animated Safety Induction: A Smarter Way to Onboard for Workplace Safety
byTECH EHS Solution
 
PPTX
Prime Teams – Real-Time Employee Monitoring & Project Management Software
byPrime Teams
 
PDF
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 
PPTX
Salesforce Spring '26 Release presentation - Melbourne Salesforce User Group
byAnne N
 
PDF
Ready, Set, REST! Introducing MySQL's Built-In REST Service
byMiguel Araújo
 
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
Device Repair and Maintenance Management
byAxisTechnolabs
 
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
Research-Driven Development: Navigating the Generative Era in Software
byCadabra Studio
 
Massage Booking App Development Company
byV3CUBE TECHNOLABS
 
Best Digital Marketing Company in Lucknow
bydigitallearning9277
 
openstack_operations_slides_version1.3_pp.pdf
byssuser47d511
 
SAP S4 HANA Conversion and Migration .pptx
bysabeenakouser
 
Metrics, Logs, Traces, and Mayhem_ Introducing an observability adventure gam...
byImma Valls Bernaus
 
MySQL Routing Guidelines: Designing Smarter Query Routing Together
byMiguel Araújo
 
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
Pitch Deck for MEVIA OS - No Apps, Infinite, Decentralized Operating System
byDr. Edwin Hernandez
 
SAP ERP to SAP S_4HANA Cloud Private Edition Delta Scope
bychuck78
 
Versnel innovatie met GitHub Enterprise - Rick Smit GitHub
byDelta-N
 
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
Animated Safety Induction: A Smarter Way to Onboard for Workplace Safety
byTECH EHS Solution
 
Prime Teams – Real-Time Employee Monitoring & Project Management Software
byPrime Teams
 
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 
Salesforce Spring '26 Release presentation - Melbourne Salesforce User Group
byAnne N
 
Ready, Set, REST! Introducing MySQL's Built-In REST Service
byMiguel Araújo
 

Is this okay!? DevSecCon ⚡ 2022

  • 1.
    Is this okay!? RouanWilsenach Engineering Lead, Haven @rouanw Reviewing code for security issues
  • 2.
    Too much pressure Code reviewsare great for catching issues but they can’t be the only thing. - Build awareness 💬 - Threat modelling 🐉 - Pen testing 🔦
  • 3.
    Where’s the input going? -Is there new input? - Have we changed the way input is handled? - Where it’s stored? - How it’s used later? 1 .
  • 5.
    Are the rightAAA checks in place? - Authentication - have we checked the actor is who they say they are? - Authorisation - have we checked they’re allowed to do this? - Auditing - have we made a note of what happened? 2 .
  • 7.
    Have the assets changed? Arewe storing any personal or special information? E.g. - Emails - Health info - Credit cards - Racial or ethnic origin - Political or religious info 3 .
  • 9.
    Are you leaking data? -Is your API returning extra bits? - Are you logging stuff you shouldn’t? - Don’t keep anything you don’t need 4 .
  • 11.
    Any new dependencies? Do someresearch on new dependencies. Are they: - Trusted - Popular - Well maintained - Do you really need it? 5 .
  • 13.
    Has the config changed? -Misconfiguration is a super common cause of security issues - If your config isn’t code, you can’t review it! 6 .
  • 15.
    Is anything being cached? -Don’t show one user’s sensitive info to another! - Everyone should understand the default cache behaviour - Good cache keys 7 .
  • 16.
    Have you checked theborders? Handy trick if you’re short on time is to focus on where data enters and leaves your system - e.g. where a web request comes in and where we talk to a database. 8 .
  • 17.
    A few tricksthat helped me learn Find your security mentor Turn up at post mortems Smashing Security Podcast Offer help during pen tests Find a security course online
  • 18.
    1 . 2 . 3. 4 . 5 . 6 . 7 . 8 . Inputs AAA Asset type Data leaks Dependencies Boundaries Config Caching Reviewing code for security issues – Cheat Sheet @rouanw
  • 19.
    Is this okay!? RouanWilsenach Engineering Lead, Haven @rouanw Reviewing code for security issues