SECURE CODE REVIEW:
   MAGIC OR ART?
A Simplified Approach to Secure Code Review
         Sherif Koussa - AppSec USA



Software Secured
ABOUT ME

(Timeline graphic: 2006, 2008, 2009, 2011, Today.)
TAKE AWAYS

• Components of an effective secure code review process
• Simplified secure code review process
• How to kick off your internal security code review process
WHAT DOES CODE REVIEW DO BEST?

• Systematic approach to uncover security flaws
• Close to 100% code coverage
• Better at finding design flaws
• Find all instances of a certain vulnerability
• The only way to find certain types of vulnerabilities
(Image slide: Usain Bolt, Olympics 2012, captioned "How I think I look at the gym", beside "How I actually look".)
HOW DEVELOPERS THINK OF THEIR APPLICATIONS

(Image slide, captioned "Until S**t Hits The Fan".)
WHAT ARE WE LOOKING FOR?

• Software Weaknesses
• Application Logic Issues
• Dead/Debug Code
• Misconfiguration Issues
WHAT CONSTITUTES A SUCCESSFUL SECURE CODE REVIEW

Security Code Review Mindset
+
Security Code Review Process
SECURITY CODE REVIEW MINDSET

• Where is the data coming from?
• Original intent -> malicious intent? (What was this code written to do, and what could an attacker make it do?)
• Any mitigating controls?
IMPORTANT ASPECTS IN ANY PROCESS

• Reconnaissance: Understand the app
• Threat Modeling: Enumerate inputs, threats and attack surface
• Automation: Low-hanging fruit
• Manual Review: High-risk modules
• Confirmation and PoC: Weed out false positives and confirm high-risk vulns
• Reporting: Communication back to the development team
FULL APPLICATION SECURITY CODE REVIEW PROCESS

(Process diagram: Reconnaissance -> Threat Modelling -> Automation -> Manual Review -> Confirmation & PoC -> Reporting, arranged in a cycle, with Security Skills, Checklist and Tools at the centre.)
SIMPLIFIED APPLICATION SECURITY CODE REVIEW PROCESS

(Process diagram: Trust Boundary Identification -> Automation -> Manual Review -> Reporting, with OWASP Top 10, Checklists and Tools at the centre. The process is OWASP Top 10 driven; the checklists come from the OWASP Cheat Sheets Series.)
DEFINE TRUST BOUNDARY
TRUST BOUNDARY

• Trust Boundary is the virtual line where the trust level changes
     • Privileges Change
     • Untrusted Data Received
     • Untrusted Data Sent
     • Application's Internal State Changes

Source: Writing Secure Code, Second Edition, Michael Howard and David LeBlanc
TRUST BOUNDARY - EXAMPLE

(Architecture diagram. Left: Browser and SOAP Client, reaching the application over the Internet; AD Server and Admin Client, reaching it over the LAN. Middle: Front Controller, Web Services and Admin Front Controller, backed by Business Objects and a Data Access Layer. Right, over the LAN: DB, LDAP and File System. Each hop between these tiers is a candidate trust boundary.)
WAYS TO MARK TRUST BOUNDARY

• Physical source code separation
• Naming scheme
     • Trust Boundary Safe: tbsProcessNameChange.java
     • Trust Boundary Unsafe: tbuEditProfile.jsp
AUTOMATION

• Super Greps (keyword search)
• Automated Unit-Tests
• Static Code Analysis Tools
AUTOMATION: STATIC CODE ANALYSIS TOOLS

• Security code review is not the same as running a tool

     Pros                        Cons
     Scale well                  False positives
     Low-hanging fruit           Miss application logic issues
     Can be taught new tricks    Lose track of data flowing through collections
                                 Limited understanding of framework code
OPEN-SOURCE STATIC CODE ANALYSIS TOOLS

(Tool logos shown for Java, .NET and C++.)
AUTOMATION

Weakness classes well suited to automated detection:

• SQL Injection
• Cross-Site Scripting
• Parameter Tampering
• Encryption Usage Flaws
• Security Misconfiguration
• External Code Reference
• Log Forging
• Insecure Random Number Generation
• Command Injection
• XML Injection
• XPATH Injection
• LDAP Injection
• Buffer Overflows
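A worked example of the "super grep" idea from the automation slides, added here in Python rather than taken from the talk: a keyword scanner whose pattern table maps regexes to the weakness classes listed above and flags lines where an untrusted-input source appears next to a sink. The pattern table is an illustrative starting point to be customised per code base (the talk's own point is "customize your tools"), and the three source files are constructed for the demo, using the tbs/tbu naming scheme from the trust-boundary slide.

```python
"""Added example (not from the talk): a "super grep" that maps keyword hits
in source files to weakness classes. Hits are leads for manual review,
not confirmed vulnerabilities. File contents are constructed for the demo."""
import re
from collections import defaultdict

# Illustrative pattern table: weakness class -> regexes worth a closer look.
PATTERNS = {
    "SQL Injection": [r"\b(SELECT|INSERT|UPDATE|DELETE)\b.*\+",
                      r"\bexecuteQuery\s*\(", r"\bSqlDataAdapter\s*\(", r"\bSqlCommand\s*\("],
    "Cross-Site Scripting": [r"Response\.Write\s*\(", r"\bout\.print(ln)?\s*\(", r"\binnerHTML\b"],
    "Command Injection": [r"Runtime\.getRuntime\(\)\.exec", r"Process\.Start\s*\(", r"\bsystem\s*\("],
    "Insecure Random Number Generation": [r"\bnew\s+Random\s*\(", r"\bMath\.random\s*\("],
    "Encryption Usage Flaws": [r"\bMD5\b", r"\bSHA1\b", r"\bDES\b", r"\bECB\b"],
    "XPATH Injection": [r"\bSelectNodes\s*\(", r"XPath\.evaluate"],
    "LDAP Injection": [r"\bDirectorySearcher\b", r"\bInitialDirContext\b"],
    "Log Forging": [r"\blog(ger)?\.(info|warn|error|debug)\s*\(.*(request|Request)\."],
    "External Code Reference": [r"\bClass\.forName\s*\(", r"\bAssembly\.Load\s*\("],
    "Buffer Overflows": [r"\bstrcpy\s*\(", r"\bsprintf\s*\(", r"\bgets\s*\("],
}

# Untrusted-input sources: a source on the same line as a sink raises priority.
SOURCES = re.compile(r"Request\.(QueryString|Form|Params)|getParameter\s*\(|\bargv\b")

def scan(files):
    """files: dict of path -> source text.
    Returns a list of (weakness, path, line_no, line_text, source_on_same_line)."""
    compiled = {w: [re.compile(p) for p in pats] for w, pats in PATTERNS.items()}
    findings = []
    for path, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            for weakness, regexes in compiled.items():
                if any(r.search(line) for r in regexes):
                    findings.append((weakness, path, no, line.strip(), bool(SOURCES.search(line))))
    return findings

def summarize(findings):
    """Count of hits per weakness class, useful for deciding where manual review starts."""
    counts = defaultdict(int)
    for weakness, *_ in findings:
        counts[weakness] += 1
    return dict(counts)

# Constructed sample files (tbu = trust-boundary unsafe, tbs = trust-boundary safe).
SAMPLE = {
    "tbuEditProfile.aspx.cs": (
        'string q = "SELECT * FROM users WHERE id=\'" + Request.QueryString["id"] + "\'";\n'
        'SqlDataAdapter da = new SqlDataAdapter(q, conn);\n'
        'Response.Write(Request.Form["name"]);\n'
        'log.info("login for " + Request.Form["user"]);\n'
    ),
    "tbsProcessNameChange.java": (
        'Random r = new Random();\n'
        'MessageDigest md = MessageDigest.getInstance("MD5");\n'
        'PreparedStatement ps = conn.prepareStatement(sql);\n'   # parameterized: no hit
    ),
    "native/util.c": 'strcpy(buf, argv[1]);\n',
}

if __name__ == "__main__":
    for weakness, path, no, line, tainted in scan(SAMPLE):
        flag = " [input on same line]" if tainted else ""
        print(f"{path}:{no}: {weakness}{flag}\n    {line}")
    print(summarize(scan(SAMPLE)))
```

The "source on the same line" flag is a crude stand-in for the taint tracking a real static analysis tool does; its value is in ordering the manual review, and the prepared-statement line in the Java file shows the scanner staying quiet where no sink pattern is present.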
CUSTOMIZE YOUR TOOLS!
MANUAL REVIEW
WHAT NEEDS TO BE MANUALLY REVIEWED?

• Authentication & Authorization Controls
• Encryption Modules
• File Upload and Download Operations
• Validation Controls/Input Filters
• Security-Sensitive Application Logic
AUTHENTICATION & AUTHORIZATION FLAWS

Web methods do not follow the regular ASP.NET page life cycle, so an authorization check placed in a page event such as Page_Load is never executed for a call to the web method.
ENCRYPTION FLAWS

There is a possibility of returning empty hashes on error: a hashing routine that swallows exceptions and returns an empty string lets a comparison against another empty value succeed.
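An added example in Python (not the code on the slide) of the empty-hash-on-error flaw: the lenient helper swallows any exception and returns "", and a record whose stored hash was written the same way then verifies against any input that also fails to hash. The strict helper fails closed instead. The record store and the corrupt stored value are constructed for the demo.

```python
"""Added example (not the talk's code): an empty hash returned on error,
and a fail-closed version. STORE is constructed for the demo."""
import hashlib
import hmac

def hash_token_lenient(token):
    """Mirrors the flaw: any error (e.g. a None token) is swallowed and "" returned."""
    try:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()
    except Exception:
        return ""

def hash_token_strict(token):
    """Fail closed: errors propagate, so no caller ever sees an empty hash."""
    if not isinstance(token, str) or token == "":
        raise ValueError("token must be a non-empty string")
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

def verify(stored_hash, presented, hasher):
    """Typical caller: constant-time compare of the stored hash with the hash of the input."""
    return hmac.compare_digest(stored_hash, hasher(presented))

# Constructed store: alice's record is fine; bob's hash was persisted as ""
# after the lenient helper hit an error at enrolment time.
STORE = {
    "alice": hash_token_lenient("correct horse battery staple"),
    "bob": "",
}

def demo():
    results = {}
    # Lenient path: hashing None yields "", which equals bob's stored "" -> accepted.
    results["lenient_bob_none"] = verify(STORE["bob"], None, hash_token_lenient)
    results["lenient_alice_none"] = verify(STORE["alice"], None, hash_token_lenient)
    # Strict path: the same bad input raises instead of silently matching.
    try:
        verify(STORE["bob"], None, hash_token_strict)
        results["strict_bob_none"] = "accepted"
    except ValueError:
        results["strict_bob_none"] = "rejected"
    results["strict_alice_ok"] = verify(STORE["alice"], "correct horse battery staple", hash_token_strict)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

When reviewing an encryption module, look for both halves of this pattern: the catch-all that returns a sentinel, and the callers that compare the sentinel without checking for it.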
FILE UPLOAD/DOWNLOAD FLAWS

An attacker can bypass the validation control.
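The slide's code is not reproduced in the text, so here is an added Python illustration (not the slide's own example) of an upload validation control that can be bypassed, beside a hardened one. The weak validator trusts the client's Content-Type and accepts any name that contains an allowed extension anywhere; the hardened one ignores the client type, allowlists only the final extension of the base name, and stores the file under a random name. The upload attempts are constructed dicts standing in for multipart requests.

```python
"""Added example (not the slide's code): a bypassable upload validator
beside a hardened one. ATTEMPTS are constructed for the demo."""
import os
import re
import secrets

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}

def accept_weak(filename, content_type):
    """Flawed: trusts the client's Content-Type and looks for an allowed
    extension *anywhere* in the name, so 'shell.jpg.aspx' passes."""
    if content_type not in ("image/jpeg", "image/png", "image/gif"):
        return False
    return any("." + ext in filename.lower() for ext in ALLOWED_EXT)

def accept_hardened(filename):
    """Allowlist on the *last* extension of the base name; the client-supplied
    content type is ignored because the server, not the client, decides."""
    base = os.path.basename(filename.replace("\\", "/"))   # drop any path component
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", base) or base.startswith("."):
        return False
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    return ext in ALLOWED_EXT

def storage_name(filename):
    """Never store under the user-supplied name: random name + vetted extension."""
    if not accept_hardened(filename):
        raise ValueError("rejected upload")
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return f"{secrets.token_hex(16)}.{base.rsplit('.', 1)[-1].lower()}"

# Constructed upload attempts: (filename, client-supplied Content-Type).
ATTEMPTS = [
    ("photo.jpg", "image/jpeg"),
    ("shell.jpg.aspx", "image/jpeg"),           # double extension; handler uses the last one
    ("shell.aspx", "image/png"),                # lying Content-Type, wrong extension
    ("../../web.config.png", "image/png"),      # path traversal in the name
    ("photo.PNG", "application/octet-stream"),  # legitimate file, odd client type
]

def evaluate():
    """filename -> (weak verdict, hardened verdict)."""
    return {name: (accept_weak(name, ctype), accept_hardened(name)) for name, ctype in ATTEMPTS}

if __name__ == "__main__":
    for name, (weak, hard) in evaluate().items():
        print(f"{name!r:28} weak={weak!s:5} hardened={hard}")
```

Note that the hardened validator still accepts "../../web.config.png": the traversal is neutralised by keeping only the base name, and storage_name never writes under the attacker's chosen name, so the original name has no influence on where or as what the file lands.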
REPORTING

• Weakness metadata
• Thorough description
• Recommendation
• Assign appropriate priority

Sample finding:

     SQL Injection

     Location: source\ACMEPortal\updateinfo.aspx.cs, lines 51-53

     Description: The code below builds a dynamic SQL statement using
     unvalidated user input (SSN.Text), which can lead to SQL injection.

        51  SqlDataAdapter myCommand = new SqlDataAdapter(
        52      "SELECT au_lname, au_fname FROM author WHERE au_id = '" +
        53      SSN.Text + "'", myConnection);

     Priority: High

     Recommendation: Use parameterized SQL instead of dynamic concatenation;
     refer to http://msdn.microsoft.com/en-us/library/ff648339.aspx for details.

     Owner: John Smith
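The "Confirmation and PoC" step of the process and the recommendation in the sample finding, carried through as an added Python example (not the report's own C#): the same concatenated query against an in-memory SQLite table with constructed rows, a tautology payload that confirms the finding is not a false positive, and the parameterized query that closes it.

```python
"""Added example (not from the talk): proof of concept for the reported
SQL injection and the parameterized fix. The 'author' rows are constructed
and SQLite stands in for SQL Server."""
import sqlite3

def setup():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE author (au_id TEXT, au_lname TEXT, au_fname TEXT)")
    conn.executemany("INSERT INTO author VALUES (?, ?, ?)", [
        ("172-32-1176", "White", "Johnson"),
        ("213-46-8915", "Green", "Marjorie"),
        ("238-95-7766", "Carson", "Cheryl"),
    ])
    return conn

def lookup_vulnerable(conn, ssn):
    """Same shape as the flagged lines: the SSN is concatenated into the query text."""
    sql = "SELECT au_lname, au_fname FROM author WHERE au_id = '" + ssn + "'"
    return conn.execute(sql).fetchall()

def lookup_fixed(conn, ssn):
    """The recommendation: a parameterized query, so input never becomes SQL."""
    sql = "SELECT au_lname, au_fname FROM author WHERE au_id = ?"
    return conn.execute(sql, (ssn,)).fetchall()

# PoC input: closes the string literal and appends a tautology.
PAYLOAD = "x' OR '1'='1"

def poc():
    """Run both versions with a normal SSN and with the payload."""
    conn = setup()
    return {
        "normal_vuln": lookup_vulnerable(conn, "213-46-8915"),
        "payload_vuln": lookup_vulnerable(conn, PAYLOAD),   # every author comes back
        "normal_fixed": lookup_fixed(conn, "213-46-8915"),
        "payload_fixed": lookup_fixed(conn, PAYLOAD),       # no such au_id: empty
    }

if __name__ == "__main__":
    for name, rows in poc().items():
        print(f"{name:14} -> {rows}")
```

A PoC like this belongs in the report's description: a developer who sees the payload return the whole table has no reason to argue the finding down, and the fixed function is the recommendation in a form they can copy.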
QUESTIONS?

sherif.koussa@owasp.com
sherif@softwaresecured.com
Security Code Review: Magic or Art?

  • 1.
    SECURE CODE REVIEW: MAGIC OR ART? A Simplified Approach to Secure Code Review Sherif Koussa - AppSec USA Softwar S cur
  • 2.
    2 Softwar S cur
  • 3.
    ABOUT ME Today 2011 2009 2008 3 2006 Softwar S cur
  • 4.
    ABOUT ME Today 2011 2009 2008 3 2006 Softwar S cur
  • 5.
    ABOUT ME Today 2011 2009 2008 3 2006 Softwar S cur
  • 6.
    ABOUT ME Today 2011 2009 2008 3 2006 Softwar S cur
  • 7.
    ABOUT ME Today 2011 2009 2008 3 2006 Softwar S cur
  • 8.
    TAKE AWAYS 4 Softwar S cur
  • 9.
    TAKE AWAYS • Components of an effective secure code review process 4 Softwar S cur
  • 10.
    TAKE AWAYS • Components of an effective secure code review process • Simplified secure code review process 4 Softwar S cur
  • 11.
    TAKE AWAYS • Components of an effective secure code review process • Simplified secure code review process • How to kickoff your internal security code review process 4 Softwar S cur
  • 12.
    WHAT DOES CODEREVIEW DO BEST? 5 Softwar S cur
  • 13.
    WHAT DOES CODEREVIEW DO BEST? • Systematic approach to uncover security flaws 5 Softwar S cur
  • 14.
    WHAT DOES CODEREVIEW DO BEST? • Systematic approach to uncover security flaws • Close to 100% code coverage 5 Softwar S cur
  • 15.
    WHAT DOES CODEREVIEW DO BEST? • Systematic approach to uncover security flaws • Close to 100% code coverage • Better at finding design flaws 5 Softwar S cur
  • 16.
    WHAT DOES CODEREVIEW DO BEST? • Systematic approach to uncover security flaws • Close to 100% code coverage • Better at finding design flaws • Find all instances of a certain vulnerability 5 Softwar S cur
  • 17.
    WHAT DOES CODEREVIEW DO BEST? • Systematic approach to uncover security flaws • Close to 100% code coverage • Better at finding design flaws • Find all instances of a certain vulnerability • The only way to find certain types of vulnerabilities 5 Softwar S cur
  • 18.
    6 Softwar S cur
  • 19.
    6 Softwar S cur
  • 20.
    Usain Bolt - Olympics 2012 6 Softwar S cur
  • 21.
    How I thinkI Look at the Gym Usain Bolt - Olympics 2012 6 Softwar S cur
  • 22.
    How I thinkI Look at the Gym Usain Bolt - Olympics 2012 How I Actually Look 6 Softwar S cur
  • 23.
    How I thinkI Look at the Gym Usain Bolt - Olympics 2012 How I Actually Look 6 Softwar S cur
  • 24.
    7 Softwar S cur
  • 25.
    7 Softwar S cur
  • 26.
    HOW DEVELOPERS THINK OF THEIR APPLICATIONS 7 Softwar S cur
  • 27.
    HOW DEVELOPERS THINK OF THEIR APPLICATIONS 7 Softwar S cur
  • 28.
    HOW DEVELOPERS THINK OF THEIR APPLICATIONS Until S**t Hits The Fan 7 Softwar S cur
  • 29.
    HOW DEVELOPERS THINK OF THEIR APPLICATIONS Until S**t Hits The Fan 7 Softwar S cur
  • 30.
    WHAT ARE WELOOKING FOR? 8 Softwar S cur
  • 31.
    WHAT ARE WELOOKING FOR? • Software Weaknesses 8 Softwar S cur
  • 32.
    WHAT ARE WELOOKING FOR? • Software Weaknesses • Application Logic Issues 8 Softwar S cur
  • 33.
    WHAT ARE WELOOKING FOR? • Software Weaknesses • Application Logic Issues • DeadDebug Code 8 Softwar S cur
  • 34.
    WHAT ARE WELOOKING FOR? • Software Weaknesses • Application Logic Issues • DeadDebug Code • Misconfiguration Issues 8 Softwar S cur
  • 35.
    WHAT CONSTITUTES A SUCCESSFUL SECURE CODE REVIEW 9 Softwar S cur
  • 36.
    WHAT CONSTITUTES A SUCCESSFUL SECURE CODE REVIEW Security Code Review Mindset 9 Softwar S cur
  • 37.
    WHAT CONSTITUTES A SUCCESSFUL SECURE CODE REVIEW Security Code Review Mindset + 9 Softwar S cur
  • 38.
    WHAT CONSTITUTES A SUCCESSFUL SECURE CODE REVIEW Security Code Review Mindset + Security Code Review Process 9 Softwar S cur
  • 39.
    10 Softwar S cur
  • 40.
    10 Softwar S cur
  • 41.
    SECURITY CODE REVIEW MINDSET 10 Softwar S cur
  • 42.
    SECURITY CODE REVIEW MINDSET • Where is the data coming from? 10 Softwar S cur
  • 43.
    SECURITY CODE REVIEW MINDSET • Where is the data coming from? • Original Intent -> Malicious Intent? 10 Softwar S cur
  • 44.
    SECURITY CODE REVIEW MINDSET • Where is the data coming from? • Original Intent -> Malicious Intent? • Any mitigating controls? 10 Softwar S cur
• 45. IMPORTANT ASPECTS IN ANY PROCESS (slide 11)
    • Reconnaissance: Understand the app
    • Threat Modeling: Enumerate inputs, threats and attack surface
    • Automation: Low hanging fruits
    • Manual Review: High-risk modules
    • Confirmation and PoC: Weed out false positives and confirm high-risk vulns.
    • Reporting: Communication back to the development team.
• 52. FULL APPLICATION SECURITY CODE REVIEW PROCESS (slide 12; process diagram)
    Steps: Reconnaissance, Threat Modelling, Automation, Manual Review, Confirmation & PoC, Reporting
    Supporting elements: Security Skills, Checklists, Tools
• 53. SIMPLIFIED APPLICATION SECURITY CODE REVIEW PROCESS (slide 13; process diagram)
    Steps: Trust Boundary Identification, Automation, Manual Review, Reporting
    Supporting elements: OWASP Top 10 driven, Checklists, OWASP Cheat Sheets Series, Tools
• 56. DEFINE TRUST BOUNDARY (slide 14; process diagram, Trust Boundary Identification step)
• 57. TRUST BOUNDARY (slide 15)
    • Trust Boundary is the virtual line where the trust level changes:
        • Privileges Change
        • Untrusted Data Received
        • Untrusted Data Sent
        • Application's Internal State Changes
    Source: Writing Secure Code, Second Edition, Michael Howard and David LeBlanc
• 58. TRUST BOUNDARY - EXAMPLE (slide 16; architecture diagram)
    Components: Browser, Front Controller, Business Objects, Data Access Layer, DB, SOAP Client, Web Services, LDAP / AD Server, File System, Admin Client, Admin Front Controller
    Zones: Internet, LAN
• 68. WAYS TO MARK TRUST BOUNDARY (slide 17)
    • Physical Source Code Separation
    • Naming Scheme
        • Trust Boundary Safe: tbsProcessNameChange.java
        • Trust Boundary Unsafe: tbuEditProfile.jsp
• 69. AUTOMATION (slide 18; process diagram, Automation step)
• 70. AUTOMATION (slide 19)
    • Super Greps (keyword search)
    • Automated Unit-Tests
    • Static Code Analysis Tools
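An added example (not from the talk) of the "super grep" step combined with the tbs/tbu naming scheme from slide 17: a small Python scanner that greps constructed .cs sources for a few assumed keyword patterns and ranks the hits so that trust-boundary-unsafe (tbu) files come up first.

```python
# Added example, not the talk's code: keyword "super grep" ranked by the
# tbs/tbu trust-boundary naming scheme. Patterns and files are constructed.
import re
import tempfile
from pathlib import Path

# Keyword patterns a reviewer greps for first (an assumed starter set).
PATTERNS = {
    "dynamic-sql": re.compile(r'"\s*(SELECT|INSERT|UPDATE|DELETE)\b[^"]*"\s*\+', re.I),
    "sql-api": re.compile(r"\bSqlDataAdapter\b|\bSqlCommand\b"),
    "raw-output": re.compile(r"\bResponse\.Write\b"),
}

# Constructed sample sources, named with the talk's tbu/tbs prefixes.
SAMPLE_FILES = {
    "tbuEditProfile.aspx.cs": (
        'SqlDataAdapter myCommand = new SqlDataAdapter(\n'
        '    "SELECT au_lname, au_fname FROM author WHERE au_id = \'" +\n'
        '    SSN.Text + "\'", myConnection);\n'
    ),
    "tbsProcessNameChange.cs":
        'SqlCommand cmd = new SqlCommand("SELECT name FROM author WHERE id = @id", conn);\n',
    "Utils.cs": 'Response.Write(Server.HtmlEncode(msg));\n',
}

# Untrusted-side (tbu) files are reviewed first, unmarked next, tbs last.
RANK = {"tbu": 0, "unmarked": 1, "tbs": 2}

def super_grep(root: Path) -> list:
    """Scan every .cs file under root; return hits ordered by review priority."""
    hits = []
    for path in root.rglob("*.cs"):
        prefix = path.name[:3]
        boundary = prefix if prefix in ("tbu", "tbs") else "unmarked"
        for lineno, line in enumerate(path.read_text().splitlines(), 1):
            for rule, pat in PATTERNS.items():
                if pat.search(line):
                    hits.append({"file": path.name, "line": lineno,
                                 "rule": rule, "boundary": boundary})
    return sorted(hits, key=lambda h: (RANK[h["boundary"]], h["file"], h["line"]))

def demo() -> list:
    # Write the constructed files to a temporary tree and grep them.
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_FILES.items():
            Path(tmp, name).write_text(body)
        return super_grep(Path(tmp))
```

Calling demo() returns the ranked hit list; the two lines in the tbu file sort ahead of the unmarked and tbs hits.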
• 71. AUTOMATION: STATIC CODE ANALYSIS TOOLS (slide 20)
    Security Code Review <> Running a Tool

    Pros                      | Cons
    --------------------------|--------------------------
    Scales Well               | False Positives
    Low Hanging Fruit         | Application Logic Issues
    Can be Taught New Tricks  | Collections
                              | Frameworks
• 72. OPEN-SOURCE STATIC CODE ANALYSIS TOOLS (slide 21; tool logos grouped by language: Java, .NET, C++)
• 74. AUTOMATION (slide 22)
    • SQL Injection
    • Cross-Site Scripting
    • Parameter Tampering
    • Encryption Usage Flaws
    • Security Misconfiguration
    • External Code Reference
    • Log Forging
    • Insecure Random Number Generation
    • Command Injection
    • XML Injection
    • XPATH Injection
    • LDAP Injection
    • Buffer Overflows
• 77. CUSTOMIZE YOUR TOOLS! (slide 23)
• 78. MANUAL REVIEW (slide 24; process diagram, Manual Review step)
• 79. WHAT NEEDS TO BE MANUALLY REVIEWED? (slide 25)
    • Authentication & Authorization Controls
    • Encryption Modules
    • File Upload and Download Operations
    • Validation Controls / Input Filters
    • Security-Sensitive Application Logic
• 80. AUTHENTICATION & AUTHORIZATION FLAWS (slide 26)
    WebMethods Do Not Follow Regular ASP.NET Page Life Cycle
• 83. ENCRYPTION FLAWS (slide 27)
    There is a possibility of returning empty hashes on error
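An added example, not from the talk, of the empty-hash-on-error flaw in Python: a helper that returns "" when hashing fails, the naive comparison it fools, and the two fixes (let the error propagate; refuse an empty stored digest).

```python
# Added example, not the talk's code: the "empty hash on error" flaw.
# The flawed helper swallows every exception and returns "", so a digest
# that was never computed compares equal to another failed computation.
import hashlib
import hmac

def hash_flawed(data) -> str:
    """Flawed: any failure (e.g. data is None) yields an empty digest."""
    try:
        return hashlib.sha256(data).hexdigest()
    except Exception:
        return ""            # fail-open: "" == "" in the comparison below

def hash_fixed(data: bytes) -> str:
    """Fixed: bad input is an error for the caller, never an empty digest."""
    if not isinstance(data, (bytes, bytearray)):
        raise TypeError("hash input must be bytes")
    return hashlib.sha256(data).hexdigest()

def verify_naive(stored_digest: str, supplied, hasher) -> bool:
    """Compares whatever the hasher returns, empty or not."""
    return hmac.compare_digest(stored_digest, hasher(supplied))

def verify_fixed(stored_digest: str, supplied, hasher) -> bool:
    """Defense in depth: an empty stored digest can only come from a failed
    computation, so it never matches; the hasher's own errors propagate."""
    if not stored_digest:
        return False
    return hmac.compare_digest(stored_digest, hasher(supplied))

def demo() -> dict:
    # Constructed scenario: the stored digest was produced by the flawed
    # helper on a missing value, so the record holds "".
    stored = hash_flawed(None)
    out = {"stored_is_empty": stored == "",
           "naive_flawed": verify_naive(stored, None, hash_flawed),
           "fixed_guard": verify_fixed(stored, None, hash_flawed)}
    try:
        verify_naive(stored, None, hash_fixed)
        out["fixed_hasher_raises"] = False
    except TypeError:
        out["fixed_hasher_raises"] = True
    return out
```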
• 86. FILE UPLOAD/DOWNLOAD FLAWS (slide 28)
    An attacker can bypass validation control
• 90. REPORTING (slide 29; process diagram, Reporting step)
• 91. REPORTING (slide 30)
    • Weakness Metadata
    • Thorough Description
    • Recommendation
    • Assign Appropriate Priority

    SQL Injection
    Location: source/ACMEPortal/updateinfo.aspx.cs, lines 51-53
    Description: The code below builds a dynamic SQL statement using unvalidated data (i.e. name), which can lead to SQL Injection.

        SqlDataAdapter myCommand = new SqlDataAdapter(
            "SELECT au_lname, au_fname FROM author WHERE au_id = '" +
            SSN.Text + "'", myConnection);

    Priority: High
    Recommendation: Use parameterized SQL instead of dynamic concatenation; refer to http://msdn.microsoft.com/en-us/library/ff648339.aspx for details.
    Owner: John Smith
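The finding's dynamic SQL rebuilt in Python with sqlite3 beside the parameterized form the recommendation calls for; this is an added example, not the talk's C# code, and the author table, its rows and the inputs are constructed.

```python
# Added example, not the talk's code: the reported query in its dynamic form
# next to the parameterized fix, run against a constructed in-memory table.
import sqlite3

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE author (au_id TEXT, au_lname TEXT, au_fname TEXT)")
    conn.executemany("INSERT INTO author VALUES (?, ?, ?)",
                     [("111-11-1111", "Smith", "John"),
                      ("222-22-2222", "Doe", "Jane")])
    return conn

def lookup_dynamic(conn, ssn: str) -> list:
    """Mirrors the finding: the untrusted value is concatenated into the statement."""
    sql = "SELECT au_lname, au_fname FROM author WHERE au_id = '" + ssn + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, ssn: str) -> list:
    """Recommended fix: the value is bound as a parameter, never parsed as SQL."""
    sql = "SELECT au_lname, au_fname FROM author WHERE au_id = ?"
    return conn.execute(sql, (ssn,)).fetchall()

def demo() -> dict:
    conn = make_db()
    # Constructed inputs: a real key, and a value containing a quote, which is
    # what the mindset question "original intent -> malicious intent?" is about:
    # data that closes the string literal and changes the statement.
    good, tainted = "111-11-1111", "x' OR '1'='1"
    return {
        "dynamic_good": lookup_dynamic(conn, good),
        "dynamic_tainted": lookup_dynamic(conn, tainted),
        "param_good": lookup_parameterized(conn, good),
        "param_tainted": lookup_parameterized(conn, tainted),
    }
```

With the dynamic query the tainted value returns every row; with the parameterized query it matches nothing, because no au_id equals that literal string.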
• 92. SIMPLIFIED APPLICATION SECURITY CODE REVIEW PROCESS (slide 31; process diagram recap)
    Steps: Trust Boundary Identification, Automation, Manual Review, Reporting
    Supporting elements: OWASP Top 10, Checklists, Tools
  • 93.