SlideShare a Scribd company logo

Security Code Review 101

Download as PPTX, PDF
P
Paul Ionescu

Code review is, hopefully, part of regular development practices for any organization. Adding security elements to code review can be the most effective measure in preventing vulnerabilities, very early in the development lifecycle, even before the first commit. This is an interactive presentation which will contain the basic elements to get you started. The audience will help review more than a dozen software examples in order to figure out the good from the ugly. The software examples are based on OWASP Top 10 and SANS Top 25 favourites such as Injection, Memory Flaws, Sensitive Data Exposure, Cross-Site Scripting and Broken Access Control.

Software
1 of 69
About Me
The Tip of the Iceberg Input Validation Parameterized Commands Safe functions Indirect Object References Encrypt Data Safe Memory Management Neutralize Output
Input Validation • Only allow input that you are expecting • Wouldyou letsomeonein your house ifyou thoughttheyshouldnot bethere? • Block lists are inefficient • Wouldyou maintaina block listofpeoplethatcannot cometoyour house? • Block listing-likegiving keys toyour house toeveryone excepta fewunwanted visitors.
LET'S PLAY, SPOT THE VALIDATION PROBLEM!
Answer: Both
Answer: Top
Special Characters Not Needed • Many parameter types not intended to contain symbols or punctuation • Many not even intended to contain Unicode characters • Parameters going into database queries such as ID, true/false, asc/desc have even a smaller character set Alphanumeric Alphanumeric + .-_
Input Validation Function Example
A Simple Multi-Purpose Function isAlphanumOrEx("true") isAlphanumOrEx("desc") isAlphanumOrEx("21845816438168") isAlphanumOrEx("0x0709750fa566") isAlphanumOrEx("Cr2i7nHq6qiMEs") isAlphanumOrEx("site.local",'.')
𝑽𝒖𝒍𝒏𝒆𝒓𝒂𝒃𝒊𝒍𝒊𝒕𝒊𝒆𝒔 = 𝑭( 𝑰𝒏𝒑𝒖𝒕 𝟏 + 𝑽𝒂𝒍𝒊𝒅𝒂𝒕𝒊𝒐𝒏 )
Attacks Prevented by Input Validation •Injection •Path Traversal •Cross-Site Scripting •Open Redirect •Deserialization …
How About the Irish? •Names, comments, articles, free text require quotes: •O'Brien, don't, "putting things in quotes" •While input validation reduces the attack surface, it cannot prevent all attacks
To sum all it up… •Input Validation reduces the attack surface and prevents many attack types •Block-listing is a bad practice •Many input types are alphanumeric •For those input types that need special characters we need different defenses
CONCATENATION … causes Injection! COMMAND +INPUT= INJECTION
CONCATENATION Command Constant Parameter 1 Input Parameter 2 Input Command Interpreter … prevent Injection!
LET'S PLAY, SPOT THE INJECTION!
Answer: Top
Answer: Top
ORM Frameworks • ORM = Object Relational Mapping • ORM Frameworks keep developers away from SQL Queries • Popular ORM Framework: Hibernate Command Constant Parameter 1 Input Parameter 2 Input Command Interpreter Object Field1 Input Field2 Input
To sum all it up… •Parameterized Commands handle situations where hazardous chars are needed •ORM Frameworks prevent mistakes
Problems with Memory •Classic Overflow •Incorrect Calculation of Buffer Size •Off by One •Format String Injection •Use-after-free
Memory Safer Functions fgets(dest_buff, BUFF_SIZE, stdin) snprintf(dest_buff, BUFF_SIZE, format, …); strncpy(dest_buff, src_buff, BUFF_SIZE); strncmp(buff1, buff2, BUFF_SIZE); If the BUFF_SIZE argument is larger than the size of the buffer: OVERFLOW!
Check Boundaries •A simple comparison against a known limit constant can go a long way to prevent serious logical attacks. •Pay special attention to comparison operators • < vs <=, <= can lead to off by one •Make sure the same constant is used to define buffer size and check boundaries
• Format String Injection is a type of memory flaw caused by concatenating or using user input in a format parameter. Memory Injection?
LET'S PLAY, SPOT THE MEMORY PROBLEM!
Answer: Bottom (use of dangerous functions)
Answer: Bottom (incorrect calculation of buffer size)
Answer: Top (Format String Injection)
Answer: Top (Off by One)
To sum all it up… •Safer functions allow limiting the number of bytes read into the buffer •Even with safe functions special attention should be paid to size specified, very important to use constants to prevent mistakes •Do not allow user input in format strings •Careful with <= operator
Securing Data • The General Data Privacy Regulation (GDPR) has put additional emphasis on maintaining the security and privacy of data • Data should be transmitted and stored securely • Cryptography is one critical way to achieve this mandate • Secure protocols: TLS 1.2, TLS 1.3 • Secure ciphers: ECDHE • Strong digital signatures: SHA-2 • Reject invalid certificates and even more, enforce certificate pinning • Strong authenticated symmetric encryption in transit and at rest: AES 256 GCM • Other ways: • Anonymize private data • Do not collect or send private data • Short data retention • Ensure customer control over own data
LET'S PLAY, SPOT THE DATA BREACH!
Answer: Top (Password stored with weak un- salted hash)
Answer: Bottom (User and password transmitted in clear text)
Answer: Top (Person details and credit card number saved in the clear to S3 bucket)
To sum all it up… •Avoid collecting data for individuals •Pseudonymize the data. Strong salted hashes can be used, replace key data with * •Use strong cryptographic algorithms •All communication should be encrypted. •Data classification is risky so when in doubt, encrypt all data
Protect the Web UIs • Enterprise applications are using Web UIs • HTML is good looking, platform independent and powerful • JavaScript libraries such as jQuery, React and Angular make UIs responsive and versatile
Cross-Site Scripting (XSS) • The ability to inject arbitrary JavaScript into a web page • Reflected • Stored • DOM based • Easy to introduce • Easy to find • Leads to data breaches through spoofing attacks
Defending against XSS • Input validation ;) • Neutralize Output • Server Pages -> HTML Encoding (Escaping) • < becomes &lt; • > becomes &gt; • " becomes &quot; • JavaScript (DOM XSS) • Dangerous Attributes • innerHTML • src • onLoad, onClick, etc… • Dangerous Functions • eval • setTimeout • setInterval
HTML Encoding Neutralizes XSS
LET'S PLAY, SPOT THE XSS!
Answer: Bottom (User input is written into the page as is)
Answer: Bottom (Data is written into a dangerous HTML attribute)
Answer: Top (Code is executing a dangerous function, actually an example of code injection)
Answer: Bottom (Input is being reflected between the <script> tags)
To sum all it up… •XSS is easy to introduce and easy to find •Encoding should be applied to all server side generated content. •Additional encoding of single quotes required •Dangerous HTML contexts should be handled with care or avoided
Indirect Object References • Object accessed indirectly through an intermediary identifier • Prevent parameter path manipulation • fileId=1 vs file=/etc/passwd • Prevent transmission of potential sensitive data in URLs • userId=2 vs user=john_doe • Input validation facilitated (identifiers are numbers or GUIDs) 1 2 3
LET'S PLAY, SPOT THE PATH TRAVERSAL!
Answer: Top (Input is concatenated to a system path allowing manipulation)
To sum all it up… •Reduce the attack surface by enforcing accessing objects through identifiers rather than actual representation •Identifiers can be input validated easier, also solve encoding issues
Security Code Review 101
Security Code Review 101

Recommended

Secure PHP Coding
Secure PHP CodingSecure PHP Coding
Secure PHP Coding
Narudom Roongsiriwong, CISSP
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Scott Hurrey
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesWebsecurify
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
bilcorry
 
Secure code
Secure codeSecure code
Secure code
ddeogun
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
Codemotion
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Mohammed Danish Amber
 

Recommended

Secure PHP Coding
Secure PHP CodingSecure PHP Coding
Secure PHP Coding
Narudom Roongsiriwong, CISSP
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Scott Hurrey
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesWebsecurify
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
bilcorry
 
Secure code
Secure codeSecure code
Secure code
ddeogun
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
Codemotion
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Mohammed Danish Amber
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
Application Security
Application SecurityApplication Security
Application Security
Reggie Niccolo Santos
 
The Security Code Review Guide
The Security Code Review GuideThe Security Code Review Guide
The Security Code Review Guide
Nicola Pietroluongo
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#
Siddharth Bezalwar
 
Web application security
Web application securityWeb application security
Web application security
Kapil Sharma
 
Cross Site Scripting: Prevention and Detection(XSS)
Cross Site Scripting: Prevention and Detection(XSS)Cross Site Scripting: Prevention and Detection(XSS)
Cross Site Scripting: Prevention and Detection(XSS)
Aman Singh
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
Amit Tyagi
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingMarco Morana
 
Presentation on Web Attacks
Presentation on Web AttacksPresentation on Web Attacks
Presentation on Web Attacks
Vivek Sinha Anurag
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Netsparker
 
Secure coding-guidelines
Secure coding-guidelinesSecure coding-guidelines
Secure coding-guidelines
Trupti Shiralkar, CISSP
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
Sam Bowne
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
Secure software development presentation
Secure software development presentationSecure software development presentation
Secure software development presentation
Mahdi Dolati
 
Secure Coding and Threat Modeling
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat Modeling
Miriam Celi, CISSP, GISP, MSCS, MBA
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)
Daniel Tumser
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
John Ashmead
 
Something Died Inside Your Git Repo
Something Died Inside Your Git RepoSomething Died Inside Your Git Repo
Something Died Inside Your Git Repo
Cliff Smith
 

More Related Content

What's hot

Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
Application Security
Application SecurityApplication Security
Application Security
Reggie Niccolo Santos
 
The Security Code Review Guide
The Security Code Review GuideThe Security Code Review Guide
The Security Code Review Guide
Nicola Pietroluongo
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#
Siddharth Bezalwar
 
Web application security
Web application securityWeb application security
Web application security
Kapil Sharma
 
Cross Site Scripting: Prevention and Detection(XSS)
Cross Site Scripting: Prevention and Detection(XSS)Cross Site Scripting: Prevention and Detection(XSS)
Cross Site Scripting: Prevention and Detection(XSS)
Aman Singh
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
Amit Tyagi
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingMarco Morana
 
Presentation on Web Attacks
Presentation on Web AttacksPresentation on Web Attacks
Presentation on Web Attacks
Vivek Sinha Anurag
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Netsparker
 
Secure coding-guidelines
Secure coding-guidelinesSecure coding-guidelines
Secure coding-guidelines
Trupti Shiralkar, CISSP
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
Sam Bowne
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
Secure software development presentation
Secure software development presentationSecure software development presentation
Secure software development presentation
Mahdi Dolati
 
Secure Coding and Threat Modeling
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat Modeling
Miriam Celi, CISSP, GISP, MSCS, MBA
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)
Daniel Tumser
 

What's hot (20)

Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Application Security
Application SecurityApplication Security
Application Security
 
The Security Code Review Guide
The Security Code Review GuideThe Security Code Review Guide
The Security Code Review Guide
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#
 
Web application security
Web application securityWeb application security
Web application security
 
Cross Site Scripting: Prevention and Detection(XSS)
Cross Site Scripting: Prevention and Detection(XSS)Cross Site Scripting: Prevention and Detection(XSS)
Cross Site Scripting: Prevention and Detection(XSS)
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
 
Presentation on Web Attacks
Presentation on Web AttacksPresentation on Web Attacks
Presentation on Web Attacks
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Secure coding-guidelines
Secure coding-guidelinesSecure coding-guidelines
Secure coding-guidelines
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Secure software development presentation
Secure software development presentationSecure software development presentation
Secure software development presentation
 
Secure Coding and Threat Modeling
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat Modeling
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)
 

Similar to Security Code Review 101

How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
John Ashmead
 
Something Died Inside Your Git Repo
Something Died Inside Your Git RepoSomething Died Inside Your Git Repo
Something Died Inside Your Git Repo
Cliff Smith
 
Workshop on Network Security
Workshop on Network SecurityWorkshop on Network Security
Workshop on Network Security
UC San Diego
 
Secure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago HenriquesSecure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago HenriquesTiago Henriques
 
Web Security
Web SecurityWeb Security
Web Security
KHOANGUYNNGANH
 
Open source security
Open source securityOpen source security
Open source securitylrigknat
 
Writing Secure Code – Threat Defense
Writing Secure Code – Threat DefenseWriting Secure Code – Threat Defense
Writing Secure Code – Threat Defense
amiable_indian
 
IBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's StandpointIBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's Standpoint
Luis Grangeia
 
Cm9 secure code_training_1day_input sanitization
Cm9 secure code_training_1day_input sanitizationCm9 secure code_training_1day_input sanitization
Cm9 secure code_training_1day_input sanitization
dcervigni
 
Introduction to threat_modeling
Introduction to threat_modelingIntroduction to threat_modeling
Introduction to threat_modeling
Prabath Siriwardena
 
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Ruby Meditation
 
Owasp & Asp.Net
Owasp & Asp.NetOwasp & Asp.Net
Owasp & Asp.Net
Önsel Akın
 
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraReversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Nelson Brito
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...nooralmousa
 
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)
Sam Bowne
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
Mohammed ALDOUB
 
Websec
WebsecWebsec
Websec
Kristaps Kūlis
 
Web Application Security and Modern Frameworks
Web Application Security and Modern FrameworksWeb Application Security and Modern Frameworks
Web Application Security and Modern Frameworks
lastrand
 

Similar to Security Code Review 101 (20)

How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
 
Something Died Inside Your Git Repo
Something Died Inside Your Git RepoSomething Died Inside Your Git Repo
Something Died Inside Your Git Repo
 
Workshop on Network Security
Workshop on Network SecurityWorkshop on Network Security
Workshop on Network Security
 
Secure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago HenriquesSecure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago Henriques
 
Web Security
Web SecurityWeb Security
Web Security
 
Open source security
Open source securityOpen source security
Open source security
 
Writing Secure Code – Threat Defense
Writing Secure Code – Threat DefenseWriting Secure Code – Threat Defense
Writing Secure Code – Threat Defense
 
Luis Grangeia IBWAS
Luis Grangeia IBWASLuis Grangeia IBWAS
Luis Grangeia IBWAS
 
IBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's StandpointIBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's Standpoint
 
Cm9 secure code_training_1day_input sanitization
Cm9 secure code_training_1day_input sanitizationCm9 secure code_training_1day_input sanitization
Cm9 secure code_training_1day_input sanitization
 
Introduction to threat_modeling
Introduction to threat_modelingIntroduction to threat_modeling
Introduction to threat_modeling
 
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
 
Owasp & Asp.Net
Owasp & Asp.NetOwasp & Asp.Net
Owasp & Asp.Net
 
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraReversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
 
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
Web security 101
Web security 101Web security 101
Web security 101
 
Websec
WebsecWebsec
Websec
 
Web Application Security and Modern Frameworks
Web Application Security and Modern FrameworksWeb Application Security and Modern Frameworks
Web Application Security and Modern Frameworks
 

Recently uploaded

In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
Juraj Vysvader
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus
 
2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx
Georgi Kodinov
 
Understanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSageUnderstanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSage
Globus
 
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
Tier1 app
 
Graphic Design Crash Course for beginners
Graphic Design Crash Course for beginnersGraphic Design Crash Course for beginners
Graphic Design Crash Course for beginners
e20449
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus
 
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Anthony Dahanne
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
Globus
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
NYGGS Automation Suite
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Globus
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
Tendenci - The Open Source AMS (Association Management Software)
 
Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"
Donna Lenk
 
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
XfilesPro
 
RISE with SAP and Journey to the Intelligent Enterprise
RISE with SAP and Journey to the Intelligent EnterpriseRISE with SAP and Journey to the Intelligent Enterprise
RISE with SAP and Journey to the Intelligent Enterprise
Srikant77
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
Matt Welsh
 
May Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdfMay Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdf
Adele Miller
 
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdfEnhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
Jay Das
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
Globus
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
Cyanic lab
 

Recently uploaded (20)

In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
 
2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx
 
Understanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSageUnderstanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSage
 
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
 
Graphic Design Crash Course for beginners
Graphic Design Crash Course for beginnersGraphic Design Crash Course for beginners
Graphic Design Crash Course for beginners
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
 
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
 
Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"
 
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
 
RISE with SAP and Journey to the Intelligent Enterprise
RISE with SAP and Journey to the Intelligent EnterpriseRISE with SAP and Journey to the Intelligent Enterprise
RISE with SAP and Journey to the Intelligent Enterprise
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
 
May Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdfMay Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdf
 
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdfEnhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
 

Security Code Review 101

  • 1.
  • 3. The Tip of the Iceberg Input Validation Parameterized Commands Safe functions Indirect Object References Encrypt Data Safe Memory Management Neutralize Output
  • 4. Input Validation • Only allow input that you are expecting • Wouldyou letsomeonein your house ifyou thoughttheyshouldnot bethere? • Block lists are inefficient • Wouldyou maintaina block listofpeoplethatcannot cometoyour house? • Block listing-likegiving keys toyour house toeveryone excepta fewunwanted visitors.
  • 6.
  • 8.
  • 10. Special Characters Not Needed • Many parameter types not intended to contain symbols or punctuation • Many not even intended to contain Unicode characters • Parameters going into database queries such as ID, true/false, asc/desc have even a smaller character set Alphanumeric Alphanumeric + .-_
  • 12. A Simple Multi-Purpose Function isAlphanumOrEx("true") isAlphanumOrEx("desc") isAlphanumOrEx("21845816438168") isAlphanumOrEx("0x0709750fa566") isAlphanumOrEx("Cr2i7nHq6qiMEs") isAlphanumOrEx("site.local",'.')
  • 14. Attacks Prevented by Input Validation •Injection •Path Traversal •Cross-Site Scripting •Open Redirect •Deserialization …
  • 15. How About the Irish? •Names, comments, articles, free text require quotes: •O'Brien, don't, "putting things in quotes" •While input validation reduces the attack surface, it cannot prevent all attacks
  • 16. To sum all it up… •Input Validation reduces the attack surface and prevents many attack types •Block-listing is a bad practice •Many input types are alphanumeric •For those input types that need special characters we need different defenses
  • 18. CONCATENATION Command Constant Parameter 1 Input Parameter 2 Input Command Interpreter … prevent Injection!
  • 20.
  • 22.
  • 24. ORM Frameworks • ORM = Object Relational Mapping • ORM Frameworks keep developers away from SQL Queries • Popular ORM Framework: Hibernate Command Constant Parameter 1 Input Parameter 2 Input Command Interpreter Object Field1 Input Field2 Input
  • 25. To sum all it up… •Parameterized Commands handle situations where hazardous chars are needed •ORM Frameworks prevent mistakes
  • 26. Problems with Memory •Classic Overflow •Incorrect Calculation of Buffer Size •Off by One •Format String Injection •Use-after-free
  • 27. Memory Safer Functions fgets(dest_buff, BUFF_SIZE, stdin) snprintf(dest_buff, BUFF_SIZE, format, …); strncpy(dest_buff, src_buff, BUFF_SIZE); strncmp(buff1, buff2, BUFF_SIZE); If the BUFF_SIZE argument is larger than the size of the buffer: OVERFLOW!
  • 28. Check Boundaries •A simple comparison against a known limit constant can go a long way to prevent serious logical attacks. •Pay special attention to comparison operators • < vs <=, <= can lead to off by one •Make sure the same constant is used to define buffer size and check boundaries
  • 29. • Format String Injection is a type of memory flaw caused by concatenating or using user input in a format parameter. Memory Injection?
  • 30. LET'S PLAY, SPOT THE MEMORY PROBLEM!
  • 31.
  • 32. Answer: Bottom (use of dangerous functions)
  • 33.
  • 35.
  • 37.
  • 39. To sum all it up… •Safer functions allow limiting the number of bytes read into the buffer •Even with safe functions special attention should be paid to size specified, very important to use constants to prevent mistakes •Do not allow user input in format strings •Careful with <= operator
  • 40. Securing Data • The General Data Privacy Regulation (GDPR) has put additional emphasis on maintaining the security and privacy of data • Data should be transmitted and stored securely • Cryptography is one critical way to achieve this mandate • Secure protocols: TLS 1.2, TLS 1.3 • Secure ciphers: ECDHE • Strong digital signatures: SHA-2 • Reject invalid certificates and even more, enforce certificate pinning • Strong authenticated symmetric encryption in transit and at rest: AES 256 GCM • Other ways: • Anonymize private data • Do not collect or send private data • Short data retention • Ensure customer control over own data
  • 42.
  • 43. Answer: Top (Password stored with weak un- salted hash)
  • 44.
  • 45. Answer: Bottom (User and password transmitted in clear text)
  • 46.
  • 47. Answer: Top (Person details and credit card number saved in the clear to S3 bucket)
  • 48. To sum all it up… •Avoid collecting data for individuals •Pseudonymize the data. Strong salted hashes can be used, replace key data with * •Use strong cryptographic algorithms •All communication should be encrypted. •Data classification is risky so when in doubt, encrypt all data
  • 49. Protect the Web UIs • Enterprise applications are using Web UIs • HTML is good looking, platform independent and powerful • JavaScript libraries such as jQuery, React and Angular make UIs responsive and versatile
  • 50. Cross-Site Scripting (XSS) • The ability to inject arbitrary JavaScript into a web page • Reflected • Stored • DOM based • Easy to introduce • Easy to find • Leads to data breaches through spoofing attacks
  • 51. Defending against XSS • Input validation ;) • Neutralize Output • Server Pages -> HTML Encoding (Escaping) • < becomes &lt; • > becomes &gt; • " becomes &quot; • JavaScript (DOM XSS) • Dangerous Attributes • innerHTML • src • onLoad, onClick, etc… • Dangerous Functions • eval • setTimeout • setInterval
  • 54.
  • 55. Answer: Bottom (User input is written into the page as is)
  • 56.
  • 57. Answer: Bottom (Data is written into a dangerous HTML attribute)
  • 58.
  • 59. Answer: Top (Code is executing a dangerous function, actually an example of code injection)
  • 60.
  • 61. Answer: Bottom (Input is being reflected between the <script> tags)
  • 62. To sum all it up… •XSS is easy to introduce and easy to find •Encoding should be applied to all server side generated content. •Additional encoding of single quotes required •Dangerous HTML contexts should be handled with care or avoided
  • 63. Indirect Object References • Object accessed indirectly through an intermediary identifier • Prevent parameter path manipulation • fileId=1 vs file=/etc/passwd • Prevent transmission of potential sensitive data in URLs • userId=2 vs user=john_doe • Input validation facilitated (identifiers are numbers or GUIDs) 1 2 3
  • 64. LET'S PLAY, SPOT THE PATH TRAVERSAL!
  • 65.
  • 66. Answer: Top (Input is concatenated to a system path allowing manipulation)
  • 67. To sum all it up… •Reduce the attack surface by enforcing accessing objects through identifiers rather than actual representation •Identifiers can be input validated easier, also solve encoding issues