SlideShare a Scribd company logo

SecurityBSides las vegas - Agnitio

S
Security Ninja

David Rook presents on Agnitio, a security code review tool. He discusses static analysis and the benefits of checklists for code reviews. Agnitio aims to help with manual code reviews through checklists, audit trails, and metrics to produce reports. It can link to automated code analysis and was demonstrated reviewing sample code and producing reports. Future goals include verification records and mobile app checklists.

Technology
1 of 54
Download to read offline
David Rook Agnitio Security code review swiss army knife SecurityBSides, Las Vegas Thursday, 28 July 2011
if (slide == introduction) System.out.println("I’m David Rook"); • Security Analyst, Realex Payments, Ireland CISSP, CISA, GCIH and many other acronyms • Security Ninja (@securityninja) • Speaker at developer and security conferences • Microsoft Developer Security MVP • A mentor in the InfoSecMentors project • Developed and released Agnitio Thursday, 28 July 2011
Agenda • What is static analysis? • Security code reviews: the good, the bad and the ugly • Agnitio: security code review Swiss army knife • Agnitio v2.0 demo Thursday, 28 July 2011
Static analysis • What do I mean by static analysis? • A review of source code without executing the application • Can be either manual or automated through one or more tools • Human and/or tools analysing application source code Thursday, 28 July 2011
Static analysis • Wetware or software? • Humans are needed with or without static analysis tools • The best thing about humans is that they aren’t software Thursday, 28 July 2011
Static analysis • Wetware or software? • Humans are needed with or without static analysis tools • The best thing about humans is that they aren’t software • The worst thing about humans is that they are humans Thursday, 28 July 2011
Static analysis • Wetware or software? http://www.ibm.com/developerworks/rational/library/11-proven-practices-for-peer-review/index.html?sf1100063=1 Thursday, 28 July 2011
Static analysis • Wetware or software? http://www.ibm.com/developerworks/rational/library/11-proven-practices-for-peer-review/index.html?sf1100063=1 Thursday, 28 July 2011
Static analysis • Wetware or software? • Tools can cover more code in less time than a human • The best thing about software is that it isn’t human Thursday, 28 July 2011
Static analysis • Wetware or software? • Tools can cover more code in less time than a human • The best thing about software is that it isn’t human • The worst thing about software is that it’s software Thursday, 28 July 2011
Thursday, 28 July 2011
Thursday, 28 July 2011
Thursday, 28 July 2011
Thursday, 28 July 2011
Thursday, 28 July 2011
Thursday, 28 July 2011
Thursday, 28 July 2011
Thursday, 28 July 2011
Thursday, 28 July 2011
Thursday, 28 July 2011
The ugly security code reviews • “Ugly reviews” implies you do actually review code • An unplanned magical mystery tour at the end of the SDLC • Unstructured, not repeatable and heavily reliant on C H N O 8 10 4 2 • Too late in the SDLC making findings very expensive to fix Thursday, 28 July 2011
The ugly security code reviews • “Ugly reviews” implies you do actually review code • An unplanned magical mystery tour at the end of the SDLC • Unstructured, not repeatable and heavily reliant on C H N O 8 10 4 2 • Too late in the SDLC making findings very expensive to fix • Completely manual process, no tools used during reviews • No audit trails, no metrics........no security? • Better than nothing? Thursday, 28 July 2011
The bad security code reviews • “Bad reviews” might be fine for some companies • A single planned code review in your SDLC • Some structure, normally based on finding the OWASP top 10 • Still too late in the SDLC making findings very expensive to fix Thursday, 28 July 2011
The bad security code reviews • “Bad reviews” might be fine for some companies • A single planned code review in your SDLC • Some structure, normally based on finding the OWASP top 10 • Still too late in the SDLC making findings very expensive to fix • Some automation, usually basic code analysis tools • Basic audit trails still no metrics so hard to measure “anything” • Better than ugly reviews, might be fine for some companies Thursday, 28 July 2011
The good security code reviews • “Good reviews” don’t happen by accident • Multiple reviews defined as deliverables in your SDLC • Structured, repeatable process with management support • Reviews are exit criteria for the development and test phases Thursday, 28 July 2011
The good security code reviews • “Good reviews” don’t happen by accident • Multiple reviews defined as deliverables in your SDLC • Structured, repeatable process with management support • Reviews are exit criteria for the development and test phases • Automation used where useful freeing up the reviewer • Ability to produce reports, metrics and measure improvements • External validation of the review process and SDLC Thursday, 28 July 2011
Agnitio • What is Agnitio? • Tool to help with manual static analysis • Checklist based with reviewer & developer guidance • Produces audit trails & enforces integrity checks • Single tool for security code review reports & metrics Thursday, 28 July 2011
Agnitio • Checklists? • An application for doing checklist reviews? *yawn* how boring! • Checklists are for n00bs! I don't need a checklist to review code! • I beg to differ, would you say Doctors and Pilots are n00bs? Thursday, 28 July 2011
Thursday, 28 July 2011
Thursday, 28 July 2011
Agnitio Thursday, 28 July 2011
Agnitio Thursday, 28 July 2011
Agnitio • Checklists? • Do you use checklists for your source code reviews? • What's the worst that could happen if you don’t? Thursday, 28 July 2011
Ariane 5 flight 501 Thursday, 28 July 2011
Thursday, 28 July 2011
Ariane 5 flight 501 L_M_BV_32 := TBD.T_ENTIER_32S ((1.0/C_M_LSB_BV) * G_M_INFO_DERIVE(T_ALG.E_BV)); if L_M_BV_32 > 32767 then P_M_DERIVE(T_ALG.E_BV) := 16#7FFF#; elsif L_M_BV_32 < -32768 then P_M_DERIVE(T_ALG.E_BV) := 16#8000#; else P_M_DERIVE(T_ALG.E_BV) := UC_16S_EN_16NS(TDB.T_ENTIER_16S(L_M_BV_32); end if; P_M_DERIVE(T_ALG.E_BH) := UC_16S_EN_16NS (TDB.T_ENTIER_16S ((1.0/C_M_LSB_BH) * G_M_INFO_DERIVE(T_ALG.E_BH))); http://moscova.inria.fr/~levy/talks/10enslongo/enslongo.pdf Thursday, 28 July 2011
Therac-25 Thursday, 28 July 2011
Mars Climate Orbiter Thursday, 28 July 2011
Mars Climate Orbiter Thursday, 28 July 2011
Agnitio • Checklists? • Do you use checklist for your source code reviews? • What's the worst that could happen if you don’t? • Four people dead and over €700m of equipment destroyed • Checklists can be useful to pilots, doctors and code reviewers! Thursday, 28 July 2011
Agnitio • So, why did I develop Agnitio? • I love using checklists for security code reviews! Thursday, 28 July 2011
Agnitio • So, why did I develop Agnitio? • I love using checklists for security code reviews! • Even if your process is good it might not be smart Thursday, 28 July 2011
Agnitio • So, why did I develop Agnitio? • I love using checklists for security code reviews! • Even if your process is good it might not be smart • Is your review process really repeatable and easy to audit? Thursday, 28 July 2011
Agnitio • So, why did I develop Agnitio? • I love using checklists for security code reviews! • Even if your process is good it might not be smart • Is your review process really repeatable and easy to audit? • How about producing metrics, useful reports & integrity checks? Thursday, 28 July 2011
Agnitio • So, why did I develop Agnitio? • I love using checklists for security code reviews! • Even if your process is good it might not be smart • Is your review process really repeatable and easy to audit? • How about producing metrics, useful reports & integrity checks? • No? That’s why I developed Agnitio! Thursday, 28 July 2011
Why did I develop Agnitio? • Demonstration: security code reviews Thursday, 28 July 2011
Why did I develop Agnitio? • Demonstration: security code review reports Thursday, 28 July 2011
Why did I develop Agnitio? • Demonstration: application security metrics Thursday, 28 July 2011
Agnitio v2.0 • Automated code analysis module linked to checklist • Android and iOS rules for the code analysis module • Editor for code analysis rules and checklist items • Editor for developer and checklist guidance text • Plus lots of user suggested changes! Thursday, 28 July 2011
Agnitio v2.0 • Agnitio v2.0 demonstration Thursday, 28 July 2011
Agnitio v2.1 • Verification records for the code you analyse • Add/remove checklist items or whole checklists • Save reviews and come back to them at a later date • PHP and Java rules for the code analysis module Thursday, 28 July 2011
Using Agnitio • How you can use Agnitio in your reviews • Download Agnitio from Source Forge • Focus security code reviews on root causes not vulnerabilities • Use your language/s in all code examples and checklist items • Use Agnitio to conduct principles based security code reviews Thursday, 28 July 2011
www.securityninja.co.uk http://sourceforge.net/projects/agnitiotool/ @securityninja /realexninja /securityninja /realexninja Thursday, 28 July 2011
QUESTIONS? www.securityninja.co.uk http://sourceforge.net/projects/agnitiotool/ @securityninja /realexninja /securityninja /realexninja Thursday, 28 July 2011

Recommended

Exploratory testing Kari Kakkonen KDS2015
Exploratory testing Kari Kakkonen KDS2015Exploratory testing Kari Kakkonen KDS2015
Exploratory testing Kari Kakkonen KDS2015
Kari Kakkonen
 
BruCON Agnitio Workshop
BruCON Agnitio WorkshopBruCON Agnitio Workshop
BruCON Agnitio Workshop
Security Ninja
 
May: Automated Developer Testing: Achievements and Challenges
May: Automated Developer Testing: Achievements and ChallengesMay: Automated Developer Testing: Achievements and Challenges
May: Automated Developer Testing: Achievements and Challenges
TriTAUG
 
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald BelchamGetting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
.NET Conf UY
 
Digital Transformation, Testing and Automation
Digital Transformation, Testing and AutomationDigital Transformation, Testing and Automation
Digital Transformation, Testing and Automation
TEST Huddle
 
Code Review for Teams Too Busy to Review Code - Atlassian Summit 2010
Code Review for Teams Too Busy to Review Code - Atlassian Summit 2010Code Review for Teams Too Busy to Review Code - Atlassian Summit 2010
Code Review for Teams Too Busy to Review Code - Atlassian Summit 2010
Atlassian
 
Introduction of testing and verification of vlsi design
Introduction of testing and verification of vlsi designIntroduction of testing and verification of vlsi design
Introduction of testing and verification of vlsi design
Usha Mehta
 
App Assessments Reloaded
App Assessments ReloadedApp Assessments Reloaded
App Assessments Reloaded
Ernest Mueller
 

Recommended

Exploratory testing Kari Kakkonen KDS2015
Exploratory testing Kari Kakkonen KDS2015Exploratory testing Kari Kakkonen KDS2015
Exploratory testing Kari Kakkonen KDS2015
Kari Kakkonen
 
BruCON Agnitio Workshop
BruCON Agnitio WorkshopBruCON Agnitio Workshop
BruCON Agnitio Workshop
Security Ninja
 
May: Automated Developer Testing: Achievements and Challenges
May: Automated Developer Testing: Achievements and ChallengesMay: Automated Developer Testing: Achievements and Challenges
May: Automated Developer Testing: Achievements and Challenges
TriTAUG
 
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald BelchamGetting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
.NET Conf UY
 
Digital Transformation, Testing and Automation
Digital Transformation, Testing and AutomationDigital Transformation, Testing and Automation
Digital Transformation, Testing and Automation
TEST Huddle
 
Code Review for Teams Too Busy to Review Code - Atlassian Summit 2010
Code Review for Teams Too Busy to Review Code - Atlassian Summit 2010Code Review for Teams Too Busy to Review Code - Atlassian Summit 2010
Code Review for Teams Too Busy to Review Code - Atlassian Summit 2010
Atlassian
 
Introduction of testing and verification of vlsi design
Introduction of testing and verification of vlsi designIntroduction of testing and verification of vlsi design
Introduction of testing and verification of vlsi design
Usha Mehta
 
App Assessments Reloaded
App Assessments ReloadedApp Assessments Reloaded
App Assessments Reloaded
Ernest Mueller
 
1 why to_test
1 why to_test1 why to_test
1 why to_test
Usha Mehta
 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestStatic Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Denim Group
 
How to apply AI to Testing
How to apply AI to TestingHow to apply AI to Testing
How to apply AI to Testing
SAP SE
 
EuroSTAR_DUBLIN_2014_Albert_Witteveen_v6
EuroSTAR_DUBLIN_2014_Albert_Witteveen_v6EuroSTAR_DUBLIN_2014_Albert_Witteveen_v6
EuroSTAR_DUBLIN_2014_Albert_Witteveen_v6
Albert Witteveen
 
To Mock or Not To Mock
To Mock or Not To MockTo Mock or Not To Mock
To Mock or Not To Mock
Delft University of Technology
 
2019 1 testing and verification of vlsi design_introduction
2019 1 testing and verification of vlsi design_introduction2019 1 testing and verification of vlsi design_introduction
2019 1 testing and verification of vlsi design_introduction
Usha Mehta
 
Objects vs. Images: Choosing the Right GUI Test Tool Architecture
Objects vs. Images: Choosing the Right GUI Test Tool ArchitectureObjects vs. Images: Choosing the Right GUI Test Tool Architecture
Objects vs. Images: Choosing the Right GUI Test Tool Architecture
TechWell
 
Hack in Paris - Agnitio
Hack in Paris - AgnitioHack in Paris - Agnitio
Hack in Paris - Agnitio
Security Ninja
 
Reliable mobile test automation
Reliable mobile test automationReliable mobile test automation
Reliable mobile test automation
Vishal Banthia
 
The Future of AI-Based Test Automation
The Future of AI-Based Test AutomationThe Future of AI-Based Test Automation
The Future of AI-Based Test Automation
Applitools
 
Architectural Testability Workshop for Test Academy Barcelona
Architectural Testability Workshop for Test Academy BarcelonaArchitectural Testability Workshop for Test Academy Barcelona
Architectural Testability Workshop for Test Academy Barcelona
Ash Winter
 
Enhancing Developer Productivity with Code Forensics
Enhancing Developer Productivity with Code ForensicsEnhancing Developer Productivity with Code Forensics
Enhancing Developer Productivity with Code Forensics
TechWell
 
Methodology: IT test
Methodology: IT testMethodology: IT test
Methodology: IT test
Jean-François Nguyen
 
What a DevOps specialist has to know about static code analysis
What a DevOps specialist has to know about static code analysisWhat a DevOps specialist has to know about static code analysis
What a DevOps specialist has to know about static code analysis
Andrey Karpov
 
Code Review: How and When
Code Review: How and WhenCode Review: How and When
Code Review: How and When
Paul Gower
 
10 Lessons learned in test automation
10 Lessons learned in test automation10 Lessons learned in test automation
10 Lessons learned in test automation
Romania Testing
 
DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon London 2017: Shift happens ... by Colin Domoney DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon
 
Automated testers agile evangelist
Automated testers agile evangelistAutomated testers agile evangelist
Automated testers agile evangelist
Arrows Group
 
Swiss Testing Day - Testautomation, 10 (sometimes painful) lessons learned
Swiss Testing Day - Testautomation, 10 (sometimes painful) lessons learnedSwiss Testing Day - Testautomation, 10 (sometimes painful) lessons learned
Swiss Testing Day - Testautomation, 10 (sometimes painful) lessons learned
Michael Palotas
 
Design testabilty
Design testabiltyDesign testabilty
Design testabilty
Richard Neeve
 
Unit3 software review control software
Unit3 software review control softwareUnit3 software review control software
Unit3 software review control software
Reetesh Gupta
 
We did it!!? There is place for QAs in Agile!!?
We did it!!? There is place for QAs in Agile!!?We did it!!? There is place for QAs in Agile!!?
We did it!!? There is place for QAs in Agile!!?
mkujalowicz
 

More Related Content

What's hot

1 why to_test
1 why to_test1 why to_test
1 why to_test
Usha Mehta
 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestStatic Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Denim Group
 
How to apply AI to Testing
How to apply AI to TestingHow to apply AI to Testing
How to apply AI to Testing
SAP SE
 
EuroSTAR_DUBLIN_2014_Albert_Witteveen_v6
EuroSTAR_DUBLIN_2014_Albert_Witteveen_v6EuroSTAR_DUBLIN_2014_Albert_Witteveen_v6
EuroSTAR_DUBLIN_2014_Albert_Witteveen_v6
Albert Witteveen
 
To Mock or Not To Mock
To Mock or Not To MockTo Mock or Not To Mock
To Mock or Not To Mock
Delft University of Technology
 
2019 1 testing and verification of vlsi design_introduction
2019 1 testing and verification of vlsi design_introduction2019 1 testing and verification of vlsi design_introduction
2019 1 testing and verification of vlsi design_introduction
Usha Mehta
 
Objects vs. Images: Choosing the Right GUI Test Tool Architecture
Objects vs. Images: Choosing the Right GUI Test Tool ArchitectureObjects vs. Images: Choosing the Right GUI Test Tool Architecture
Objects vs. Images: Choosing the Right GUI Test Tool Architecture
TechWell
 

What's hot (7)

1 why to_test
1 why to_test1 why to_test
1 why to_test
 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestStatic Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
 
How to apply AI to Testing
How to apply AI to TestingHow to apply AI to Testing
How to apply AI to Testing
 
EuroSTAR_DUBLIN_2014_Albert_Witteveen_v6
EuroSTAR_DUBLIN_2014_Albert_Witteveen_v6EuroSTAR_DUBLIN_2014_Albert_Witteveen_v6
EuroSTAR_DUBLIN_2014_Albert_Witteveen_v6
 
To Mock or Not To Mock
To Mock or Not To MockTo Mock or Not To Mock
To Mock or Not To Mock
 
2019 1 testing and verification of vlsi design_introduction
2019 1 testing and verification of vlsi design_introduction2019 1 testing and verification of vlsi design_introduction
2019 1 testing and verification of vlsi design_introduction
 
Objects vs. Images: Choosing the Right GUI Test Tool Architecture
Objects vs. Images: Choosing the Right GUI Test Tool ArchitectureObjects vs. Images: Choosing the Right GUI Test Tool Architecture
Objects vs. Images: Choosing the Right GUI Test Tool Architecture
 

Similar to SecurityBSides las vegas - Agnitio

Hack in Paris - Agnitio
Hack in Paris - AgnitioHack in Paris - Agnitio
Hack in Paris - Agnitio
Security Ninja
 
Reliable mobile test automation
Reliable mobile test automationReliable mobile test automation
Reliable mobile test automation
Vishal Banthia
 
The Future of AI-Based Test Automation
The Future of AI-Based Test AutomationThe Future of AI-Based Test Automation
The Future of AI-Based Test Automation
Applitools
 
Architectural Testability Workshop for Test Academy Barcelona
Architectural Testability Workshop for Test Academy BarcelonaArchitectural Testability Workshop for Test Academy Barcelona
Architectural Testability Workshop for Test Academy Barcelona
Ash Winter
 
Enhancing Developer Productivity with Code Forensics
Enhancing Developer Productivity with Code ForensicsEnhancing Developer Productivity with Code Forensics
Enhancing Developer Productivity with Code Forensics
TechWell
 
Methodology: IT test
Methodology: IT testMethodology: IT test
Methodology: IT test
Jean-François Nguyen
 
What a DevOps specialist has to know about static code analysis
What a DevOps specialist has to know about static code analysisWhat a DevOps specialist has to know about static code analysis
What a DevOps specialist has to know about static code analysis
Andrey Karpov
 
Code Review: How and When
Code Review: How and WhenCode Review: How and When
Code Review: How and When
Paul Gower
 
10 Lessons learned in test automation
10 Lessons learned in test automation10 Lessons learned in test automation
10 Lessons learned in test automation
Romania Testing
 
DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon London 2017: Shift happens ... by Colin Domoney DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon
 
Automated testers agile evangelist
Automated testers agile evangelistAutomated testers agile evangelist
Automated testers agile evangelist
Arrows Group
 
Swiss Testing Day - Testautomation, 10 (sometimes painful) lessons learned
Swiss Testing Day - Testautomation, 10 (sometimes painful) lessons learnedSwiss Testing Day - Testautomation, 10 (sometimes painful) lessons learned
Swiss Testing Day - Testautomation, 10 (sometimes painful) lessons learned
Michael Palotas
 
Design testabilty
Design testabiltyDesign testabilty
Design testabilty
Richard Neeve
 
Unit3 software review control software
Unit3 software review control softwareUnit3 software review control software
Unit3 software review control software
Reetesh Gupta
 
We did it!!? There is place for QAs in Agile!!?
We did it!!? There is place for QAs in Agile!!?We did it!!? There is place for QAs in Agile!!?
We did it!!? There is place for QAs in Agile!!?
mkujalowicz
 
PNSQC 2021 January 28 Culture Jam
PNSQC 2021 January 28 Culture JamPNSQC 2021 January 28 Culture Jam
PNSQC 2021 January 28 Culture Jam
Pacific Northwest Software Quality Conference
 
Andy Glover - Testing is evolving, but where is the evidence - EuroSTAR 2012
Andy Glover - Testing is evolving, but where is the evidence - EuroSTAR 2012Andy Glover - Testing is evolving, but where is the evidence - EuroSTAR 2012
Andy Glover - Testing is evolving, but where is the evidence - EuroSTAR 2012
TEST Huddle
 
DBmaestro's State of the Database Continuous Delivery Survey- Findings Revealed
DBmaestro's State of the Database Continuous Delivery Survey- Findings RevealedDBmaestro's State of the Database Continuous Delivery Survey- Findings Revealed
DBmaestro's State of the Database Continuous Delivery Survey- Findings Revealed
DBmaestro - Database DevOps
 
Iasi code camp 20 april 2013 marian chicu - database unit tests in the sql se...
Iasi code camp 20 april 2013 marian chicu - database unit tests in the sql se...Iasi code camp 20 april 2013 marian chicu - database unit tests in the sql se...
Iasi code camp 20 april 2013 marian chicu - database unit tests in the sql se...
Codecamp Romania
 
Code Review: How and When
Code Review: How and WhenCode Review: How and When
Code Review: How and When
Paul Gower
 

Similar to SecurityBSides las vegas - Agnitio (20)

Hack in Paris - Agnitio
Hack in Paris - AgnitioHack in Paris - Agnitio
Hack in Paris - Agnitio
 
Reliable mobile test automation
Reliable mobile test automationReliable mobile test automation
Reliable mobile test automation
 
The Future of AI-Based Test Automation
The Future of AI-Based Test AutomationThe Future of AI-Based Test Automation
The Future of AI-Based Test Automation
 
Architectural Testability Workshop for Test Academy Barcelona
Architectural Testability Workshop for Test Academy BarcelonaArchitectural Testability Workshop for Test Academy Barcelona
Architectural Testability Workshop for Test Academy Barcelona
 
Enhancing Developer Productivity with Code Forensics
Enhancing Developer Productivity with Code ForensicsEnhancing Developer Productivity with Code Forensics
Enhancing Developer Productivity with Code Forensics
 
Methodology: IT test
Methodology: IT testMethodology: IT test
Methodology: IT test
 
What a DevOps specialist has to know about static code analysis
What a DevOps specialist has to know about static code analysisWhat a DevOps specialist has to know about static code analysis
What a DevOps specialist has to know about static code analysis
 
Code Review: How and When
Code Review: How and WhenCode Review: How and When
Code Review: How and When
 
10 Lessons learned in test automation
10 Lessons learned in test automation10 Lessons learned in test automation
10 Lessons learned in test automation
 
DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon London 2017: Shift happens ... by Colin Domoney DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon London 2017: Shift happens ... by Colin Domoney
 
Automated testers agile evangelist
Automated testers agile evangelistAutomated testers agile evangelist
Automated testers agile evangelist
 
Swiss Testing Day - Testautomation, 10 (sometimes painful) lessons learned
Swiss Testing Day - Testautomation, 10 (sometimes painful) lessons learnedSwiss Testing Day - Testautomation, 10 (sometimes painful) lessons learned
Swiss Testing Day - Testautomation, 10 (sometimes painful) lessons learned
 
Design testabilty
Design testabiltyDesign testabilty
Design testabilty
 
Unit3 software review control software
Unit3 software review control softwareUnit3 software review control software
Unit3 software review control software
 
We did it!!? There is place for QAs in Agile!!?
We did it!!? There is place for QAs in Agile!!?We did it!!? There is place for QAs in Agile!!?
We did it!!? There is place for QAs in Agile!!?
 
PNSQC 2021 January 28 Culture Jam
PNSQC 2021 January 28 Culture JamPNSQC 2021 January 28 Culture Jam
PNSQC 2021 January 28 Culture Jam
 
Andy Glover - Testing is evolving, but where is the evidence - EuroSTAR 2012
Andy Glover - Testing is evolving, but where is the evidence - EuroSTAR 2012Andy Glover - Testing is evolving, but where is the evidence - EuroSTAR 2012
Andy Glover - Testing is evolving, but where is the evidence - EuroSTAR 2012
 
DBmaestro's State of the Database Continuous Delivery Survey- Findings Revealed
DBmaestro's State of the Database Continuous Delivery Survey- Findings RevealedDBmaestro's State of the Database Continuous Delivery Survey- Findings Revealed
DBmaestro's State of the Database Continuous Delivery Survey- Findings Revealed
 
Iasi code camp 20 april 2013 marian chicu - database unit tests in the sql se...
Iasi code camp 20 april 2013 marian chicu - database unit tests in the sql se...Iasi code camp 20 april 2013 marian chicu - database unit tests in the sql se...
Iasi code camp 20 april 2013 marian chicu - database unit tests in the sql se...
 
Code Review: How and When
Code Review: How and WhenCode Review: How and When
Code Review: How and When
 

More from Security Ninja

Hack in Paris 2013
Hack in Paris 2013Hack in Paris 2013
Hack in Paris 2013
Security Ninja
 
The Realex Payments Application Story
The Realex Payments Application StoryThe Realex Payments Application Story
The Realex Payments Application Story
Security Ninja
 
Owasp App Sec Ireland Windows Phone 7 Security
Owasp App Sec Ireland Windows Phone 7 SecurityOwasp App Sec Ireland Windows Phone 7 Security
Owasp App Sec Ireland Windows Phone 7 Security
Security Ninja
 
SecurityBSides London - windows phone 7
SecurityBSides London - windows phone 7SecurityBSides London - windows phone 7
SecurityBSides London - windows phone 7
Security Ninja
 
OWASP Birmingham - Mobile Application Security
OWASP Birmingham - Mobile Application SecurityOWASP Birmingham - Mobile Application Security
OWASP Birmingham - Mobile Application Security
Security Ninja
 
SecurityBSides London - Jedi mind tricks for building application security pr...
SecurityBSides London - Jedi mind tricks for building application security pr...SecurityBSides London - Jedi mind tricks for building application security pr...
SecurityBSides London - Jedi mind tricks for building application security pr...
Security Ninja
 
SecurityBSides London - Agnitio: it's static analysis but not as we know it
SecurityBSides London - Agnitio: it's static analysis but not as we know itSecurityBSides London - Agnitio: it's static analysis but not as we know it
SecurityBSides London - Agnitio: it's static analysis but not as we know it
Security Ninja
 
The Principles of Secure Development - Epicenter Dublin
The Principles of Secure Development - Epicenter DublinThe Principles of Secure Development - Epicenter Dublin
The Principles of Secure Development - Epicenter Dublin
Security Ninja
 
Application security and PCI DSS
Application security and PCI DSSApplication security and PCI DSS
Application security and PCI DSS
Security Ninja
 
The Security Risks of Web 2.0 - DEF CON 17
The Security Risks of Web 2.0 - DEF CON 17The Security Risks of Web 2.0 - DEF CON 17
The Security Risks of Web 2.0 - DEF CON 17
Security Ninja
 
Developing secure web applications
Developing secure web applicationsDeveloping secure web applications
Developing secure web applications
Security Ninja
 
Injecting simplicity not SQL RSA Europe 2010
Injecting simplicity not SQL RSA Europe 2010Injecting simplicity not SQL RSA Europe 2010
Injecting simplicity not SQL RSA Europe 2010
Security Ninja
 
Injecting simplicity not SQL BSides Las Vegas 2010
Injecting simplicity not SQL BSides Las Vegas 2010Injecting simplicity not SQL BSides Las Vegas 2010
Injecting simplicity not SQL BSides Las Vegas 2010
Security Ninja
 
The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009
Security Ninja
 
The Principles of Secure Development
The Principles of Secure DevelopmentThe Principles of Secure Development
The Principles of Secure Development
Security Ninja
 
Owasp talk-november-08
Owasp talk-november-08Owasp talk-november-08
Owasp talk-november-08
Security Ninja
 

More from Security Ninja (16)

Hack in Paris 2013
Hack in Paris 2013Hack in Paris 2013
Hack in Paris 2013
 
The Realex Payments Application Story
The Realex Payments Application StoryThe Realex Payments Application Story
The Realex Payments Application Story
 
Owasp App Sec Ireland Windows Phone 7 Security
Owasp App Sec Ireland Windows Phone 7 SecurityOwasp App Sec Ireland Windows Phone 7 Security
Owasp App Sec Ireland Windows Phone 7 Security
 
SecurityBSides London - windows phone 7
SecurityBSides London - windows phone 7SecurityBSides London - windows phone 7
SecurityBSides London - windows phone 7
 
OWASP Birmingham - Mobile Application Security
OWASP Birmingham - Mobile Application SecurityOWASP Birmingham - Mobile Application Security
OWASP Birmingham - Mobile Application Security
 
SecurityBSides London - Jedi mind tricks for building application security pr...
SecurityBSides London - Jedi mind tricks for building application security pr...SecurityBSides London - Jedi mind tricks for building application security pr...
SecurityBSides London - Jedi mind tricks for building application security pr...
 
SecurityBSides London - Agnitio: it's static analysis but not as we know it
SecurityBSides London - Agnitio: it's static analysis but not as we know itSecurityBSides London - Agnitio: it's static analysis but not as we know it
SecurityBSides London - Agnitio: it's static analysis but not as we know it
 
The Principles of Secure Development - Epicenter Dublin
The Principles of Secure Development - Epicenter DublinThe Principles of Secure Development - Epicenter Dublin
The Principles of Secure Development - Epicenter Dublin
 
Application security and PCI DSS
Application security and PCI DSSApplication security and PCI DSS
Application security and PCI DSS
 
The Security Risks of Web 2.0 - DEF CON 17
The Security Risks of Web 2.0 - DEF CON 17The Security Risks of Web 2.0 - DEF CON 17
The Security Risks of Web 2.0 - DEF CON 17
 
Developing secure web applications
Developing secure web applicationsDeveloping secure web applications
Developing secure web applications
 
Injecting simplicity not SQL RSA Europe 2010
Injecting simplicity not SQL RSA Europe 2010Injecting simplicity not SQL RSA Europe 2010
Injecting simplicity not SQL RSA Europe 2010
 
Injecting simplicity not SQL BSides Las Vegas 2010
Injecting simplicity not SQL BSides Las Vegas 2010Injecting simplicity not SQL BSides Las Vegas 2010
Injecting simplicity not SQL BSides Las Vegas 2010
 
The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009
 
The Principles of Secure Development
The Principles of Secure DevelopmentThe Principles of Secure Development
The Principles of Secure Development
 
Owasp talk-november-08
Owasp talk-november-08Owasp talk-november-08
Owasp talk-november-08
 

Recently uploaded

GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
ThomasParaiso2
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
TIPNGVN2
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 

Recently uploaded (20)

GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 

SecurityBSides las vegas - Agnitio

  • 1. David Rook Agnitio Security code review swiss army knife SecurityBSides, Las Vegas Thursday, 28 July 2011
  • 2. if (slide == introduction) System.out.println("I’m David Rook"); • Security Analyst, Realex Payments, Ireland CISSP, CISA, GCIH and many other acronyms • Security Ninja (@securityninja) • Speaker at developer and security conferences • Microsoft Developer Security MVP • A mentor in the InfoSecMentors project • Developed and released Agnitio Thursday, 28 July 2011
  • 3. Agenda • What is static analysis? • Security code reviews: the good, the bad and the ugly • Agnitio: security code review Swiss army knife • Agnitio v2.0 demo Thursday, 28 July 2011
  • 4. Static analysis • What do I mean by static analysis? • A review of source code without executing the application • Can be either manual or automated through one or more tools • Human and/or tools analysing application source code Thursday, 28 July 2011
  • 5. Static analysis • Wetware or software? • Humans are needed with or without static analysis tools • The best thing about humans is that they aren’t software Thursday, 28 July 2011
  • 6. Static analysis • Wetware or software? • Humans are needed with or without static analysis tools • The best thing about humans is that they aren’t software • The worst thing about humans is that they are humans Thursday, 28 July 2011
  • 7. Static analysis • Wetware or software? http://www.ibm.com/developerworks/rational/library/11-proven-practices-for-peer-review/index.html?sf1100063=1 Thursday, 28 July 2011
  • 8. Static analysis • Wetware or software? http://www.ibm.com/developerworks/rational/library/11-proven-practices-for-peer-review/index.html?sf1100063=1 Thursday, 28 July 2011
  • 9. Static analysis • Wetware or software? • Tools can cover more code in less time than a human • The best thing about software is that it isn’t human Thursday, 28 July 2011
  • 10. Static analysis • Wetware or software? • Tools can cover more code in less time than a human • The best thing about software is that it isn’t human • The worst thing about software is that it’s software Thursday, 28 July 2011
  • 21. The ugly security code reviews • “Ugly reviews” implies you do actually review code • An unplanned magical mystery tour at the end of the SDLC • Unstructured, not repeatable and heavily reliant on C H N O 8 10 4 2 • Too late in the SDLC making findings very expensive to fix Thursday, 28 July 2011
  • 22. The ugly security code reviews • “Ugly reviews” implies you do actually review code • An unplanned magical mystery tour at the end of the SDLC • Unstructured, not repeatable and heavily reliant on C H N O 8 10 4 2 • Too late in the SDLC making findings very expensive to fix • Completely manual process, no tools used during reviews • No audit trails, no metrics........no security? • Better than nothing? Thursday, 28 July 2011
  • 23. The bad security code reviews • “Bad reviews” might be fine for some companies • A single planned code review in your SDLC • Some structure, normally based on finding the OWASP top 10 • Still too late in the SDLC making findings very expensive to fix Thursday, 28 July 2011
  • 24. The bad security code reviews • “Bad reviews” might be fine for some companies • A single planned code review in your SDLC • Some structure, normally based on finding the OWASP top 10 • Still too late in the SDLC making findings very expensive to fix • Some automation, usually basic code analysis tools • Basic audit trails still no metrics so hard to measure “anything” • Better than ugly reviews, might be fine for some companies Thursday, 28 July 2011
  • 25. The good security code reviews • “Good reviews” don’t happen by accident • Multiple reviews defined as deliverables in your SDLC • Structured, repeatable process with management support • Reviews are exit criteria for the development and test phases Thursday, 28 July 2011
  • 26. The good security code reviews • “Good reviews” don’t happen by accident • Multiple reviews defined as deliverables in your SDLC • Structured, repeatable process with management support • Reviews are exit criteria for the development and test phases • Automation used where useful freeing up the reviewer • Ability to produce reports, metrics and measure improvements • External validation of the review process and SDLC Thursday, 28 July 2011
  • 27. Agnitio • What is Agnitio? • Tool to help with manual static analysis • Checklist based with reviewer & developer guidance • Produces audit trails & enforces integrity checks • Single tool for security code review reports & metrics Thursday, 28 July 2011
  • 28. Agnitio • Checklists? • An application for doing checklist reviews? *yawn* how boring! • Checklists are for n00bs! I don't need a checklist to review code! • I beg to differ, would you say Doctors and Pilots are n00bs? Thursday, 28 July 2011
  • 33. Agnitio • Checklists? • Do you use checklists for your source code reviews? • What's the worst that could happen if you don’t? Thursday, 28 July 2011
  • 34. Ariane 5 flight 501 Thursday, 28 July 2011
  • 36. Ariane 5 flight 501 L_M_BV_32 := TBD.T_ENTIER_32S ((1.0/C_M_LSB_BV) * G_M_INFO_DERIVE(T_ALG.E_BV)); if L_M_BV_32 > 32767 then P_M_DERIVE(T_ALG.E_BV) := 16#7FFF#; elsif L_M_BV_32 < -32768 then P_M_DERIVE(T_ALG.E_BV) := 16#8000#; else P_M_DERIVE(T_ALG.E_BV) := UC_16S_EN_16NS(TDB.T_ENTIER_16S(L_M_BV_32); end if; P_M_DERIVE(T_ALG.E_BH) := UC_16S_EN_16NS (TDB.T_ENTIER_16S ((1.0/C_M_LSB_BH) * G_M_INFO_DERIVE(T_ALG.E_BH))); http://moscova.inria.fr/~levy/talks/10enslongo/enslongo.pdf Thursday, 28 July 2011
  • 40. Agnitio • Checklists? • Do you use checklist for your source code reviews? • What's the worst that could happen if you don’t? • Four people dead and over €700m of equipment destroyed • Checklists can be useful to pilots, doctors and code reviewers! Thursday, 28 July 2011
  • 41. Agnitio • So, why did I develop Agnitio? • I love using checklists for security code reviews! Thursday, 28 July 2011
  • 42. Agnitio • So, why did I develop Agnitio? • I love using checklists for security code reviews! • Even if your process is good it might not be smart Thursday, 28 July 2011
  • 43. Agnitio • So, why did I develop Agnitio? • I love using checklists for security code reviews! • Even if your process is good it might not be smart • Is your review process really repeatable and easy to audit? Thursday, 28 July 2011
  • 44. Agnitio • So, why did I develop Agnitio? • I love using checklists for security code reviews! • Even if your process is good it might not be smart • Is your review process really repeatable and easy to audit? • How about producing metrics, useful reports & integrity checks? Thursday, 28 July 2011
  • 45. Agnitio • So, why did I develop Agnitio? • I love using checklists for security code reviews! • Even if your process is good it might not be smart • Is your review process really repeatable and easy to audit? • How about producing metrics, useful reports & integrity checks? • No? That’s why I developed Agnitio! Thursday, 28 July 2011
  • 46. Why did I develop Agnitio? • Demonstration: security code reviews Thursday, 28 July 2011
  • 47. Why did I develop Agnitio? • Demonstration: security code review reports Thursday, 28 July 2011
  • 48. Why did I develop Agnitio? • Demonstration: application security metrics Thursday, 28 July 2011
  • 49. Agnitio v2.0 • Automated code analysis module linked to checklist • Android and iOS rules for the code analysis module • Editor for code analysis rules and checklist items • Editor for developer and checklist guidance text • Plus lots of user suggested changes! Thursday, 28 July 2011
  • 50. Agnitio v2.0 • Agnitio v2.0 demonstration Thursday, 28 July 2011
  • 51. Agnitio v2.1 • Verification records for the code you analyse • Add/remove checklist items or whole checklists • Save reviews and come back to them at a later date • PHP and Java rules for the code analysis module Thursday, 28 July 2011
  • 52. Using Agnitio • How you can use Agnitio in your reviews • Download Agnitio from Source Forge • Focus security code reviews on root causes not vulnerabilities • Use your language/s in all code examples and checklist items • Use Agnitio to conduct principles based security code reviews Thursday, 28 July 2011
  • 53. www.securityninja.co.uk http://sourceforge.net/projects/agnitiotool/ @securityninja /realexninja /securityninja /realexninja Thursday, 28 July 2011
  • 54. QUESTIONS? www.securityninja.co.uk http://sourceforge.net/projects/agnitiotool/ @securityninja /realexninja /securityninja /realexninja Thursday, 28 July 2011