This document summarizes a presentation about simplifying secure code reviews. It discusses defining an effective security code review process, including reconnaissance, threat modeling, automation, manual review, confirmation, and reporting. It also discusses using the OWASP Top 10 list to focus code reviews, and defining trust boundaries to identify areas of code to review for specific vulnerabilities. The goal is to introduce a simplified process that can help development teams integrate security code reviews into their workflow.

1. Softwar S cur
Simplifying Secure
Code Reviews
Sherif Koussa
sherif@softwaresecured.com
BSides Quebec 2013
Monday, 3 June, 13

2. Softwar S cur
Security Teams
Development Teams
Monday, 3 June, 13

3. Softwar S cur
Softwar S cur
2007 2009 2011 2013
Bio
Principal Consultant @ SoftwareSecured
✓ Application Security Assessment
✓ Application Security Assurance Program Implementation
✓ Application Security Training
Monday, 3 June, 13

4. Softwar S cur
Take Aways
Monday, 3 June, 13

5. Softwar S cur
Take Aways
Role of Security Code Review
Monday, 3 June, 13

6. Softwar S cur
Take Aways
Role of Security Code Review Effective Process
Monday, 3 June, 13

7. Softwar S cur
Take Aways
Role of Security Code Review Effective Process
Simplified Process
Monday, 3 June, 13

8. Softwar S cur
Take Aways
Role of Security Code Review Effective Process
Simplified Process Key Tools to Use
Monday, 3 June, 13

9. Softwar S cur
What This Presentation is
NOT...
➡ Ground Breaking Research
➡ New Tool
➡ How to Fix Vulnerabilities
Monday, 3 June, 13

10. Softwar S cur
What IS Security Code
Review?
Monday, 3 June, 13

11. Softwar S cur
➡ The Inspection of Source Code to Find Security Weakness
What IS Security Code
Review?
Monday, 3 June, 13

12. Softwar S cur
➡ The Inspection of Source Code to Find Security Weakness
➡ Integrated Activity into Software Development Lifecycle
What IS Security Code
Review?
Monday, 3 June, 13

13. Softwar S cur
➡ The Inspection of Source Code to Find Security Weakness
➡ Integrated Activity into Software Development Lifecycle
➡ Cross-Team Integration
➡ Development Teams
➡ Security Teams
➡ ProjectRisk Management
What IS Security Code
Review?
Monday, 3 June, 13

14. Softwar S cur
➡ The Inspection of Source Code to Find Security Weakness
➡ Integrated Activity into Software Development Lifecycle
➡ Cross-Team Integration
➡ Development Teams
➡ Security Teams
➡ ProjectRisk Management
➡ Systematic Approach to Uncover Security Flaws
What IS Security Code
Review?
Monday, 3 June, 13

15. Softwar S cur
Why Security Code Reviews
Monday, 3 June, 13

16. Softwar S cur
Why Security Code Reviews
Effectiveness of Security
Controls
Monday, 3 June, 13

17. Softwar S cur
Why Security Code Reviews
Effectiveness of Security
Controls
Exercise all code paths
Monday, 3 June, 13

18. Softwar S cur
Why Security Code Reviews
Effectiveness of Security
Controls
Exercise all code paths All instances of a vulnerability
Monday, 3 June, 13

19. Softwar S cur
Why Security Code Reviews
Effectiveness of Security
Controls
Exercise all code paths All instances of a vulnerability
Find design flaws
Monday, 3 June, 13

20. Softwar S cur
Why Security Code Reviews
Effectiveness of Security
Controls
Exercise all code paths All instances of a vulnerability
Find design flaws Remediation Instructions
Monday, 3 June, 13

21. Softwar S cur
Effective Security Code
Review Process
Monday, 3 June, 13

22. Softwar S cur
Effective Security Code
Review Process
➡ Reconnaissance
Monday, 3 June, 13

23. Softwar S cur
Effective Security Code
Review Process
➡ Reconnaissance
➡ Threat Modeling
Monday, 3 June, 13

24. Softwar S cur
Effective Security Code
Review Process
➡ Reconnaissance
➡ Threat Modeling
➡ Automation
Monday, 3 June, 13

25. Softwar S cur
Effective Security Code
Review Process
➡ Reconnaissance
➡ Threat Modeling
➡ Automation
➡ Manual Review
Monday, 3 June, 13

26. Softwar S cur
Effective Security Code
Review Process
➡ Reconnaissance
➡ Threat Modeling
➡ Automation
➡ Manual Review
➡ Confirmation & Proof-Of-Concept
Monday, 3 June, 13

27. Softwar S cur
Effective Security Code
Review Process
➡ Reconnaissance
➡ Threat Modeling
➡ Automation
➡ Manual Review
➡ Confirmation & Proof-Of-Concept
➡ Reporting
Monday, 3 June, 13

28. Softwar S cur
Full SCR Process
Reconnaissance!
Threat Modeling!
Automation!
Manual Review!
Confirmation &
PoC!
Reporting!
Checklists!
Tools!
Skills!
Monday, 3 June, 13

29. Softwar S cur
Full SCR Process
Reconnaissance!
Threat Modeling!
Automation!
Manual Review!
Confirmation &
PoC!
Reporting!
Checklists!
Tools!
Skills!
•Business Goals
•Technology Stack
•Use Case Scenarios
•Network Deployment
Monday, 3 June, 13

30. Softwar S cur
Full SCR Process
Reconnaissance!
Threat Modeling!
Automation!
Manual Review!
Confirmation &
PoC!
Reporting!
Checklists!
Tools!
Skills!
•Business Goals
•Technology Stack
•Use Case Scenarios
•Network Deployment
•Decompose Application
•Attack Surface
•Major Security Controls
Monday, 3 June, 13

31. Softwar S cur
Full SCR Process
Reconnaissance!
Threat Modeling!
Automation!
Manual Review!
Confirmation &
PoC!
Reporting!
Checklists!
Tools!
Skills!
•Business Goals
•Technology Stack
•Use Case Scenarios
•Network Deployment
•Decompose Application
•Attack Surface
•Major Security Controls
•Low Hanging Fruit
•Hot Spots
•Missed Functionalities
•Abandoned Code
Monday, 3 June, 13

32. Softwar S cur
Full SCR Process
Reconnaissance!
Threat Modeling!
Automation!
Manual Review!
Confirmation &
PoC!
Reporting!
Checklists!
Tools!
Skills!
•Business Goals
•Technology Stack
•Use Case Scenarios
•Network Deployment
•Decompose Application
•Attack Surface
•Major Security Controls
•Low Hanging Fruit
•Hot Spots
•Missed Functionalities
•Abandoned Code
•Security Controls
•High Profile Code
•Custom Rules
Monday, 3 June, 13

33. Softwar S cur
Full SCR Process
Reconnaissance!
Threat Modeling!
Automation!
Manual Review!
Confirmation &
PoC!
Reporting!
Checklists!
Tools!
Skills!
•Business Goals
•Technology Stack
•Use Case Scenarios
•Network Deployment
•Decompose Application
•Attack Surface
•Major Security Controls
•Low Hanging Fruit
•Hot Spots
•Missed Functionalities
•Abandoned Code
•Security Controls
•High Profile Code
•Custom Rules
•Confirmation
•Evidences
Monday, 3 June, 13

34. Softwar S cur
Full SCR Process
Reconnaissance!
Threat Modeling!
Automation!
Manual Review!
Confirmation &
PoC!
Reporting!
Checklists!
Tools!
Skills!
•Business Goals
•Technology Stack
•Use Case Scenarios
•Network Deployment
•Decompose Application
•Attack Surface
•Major Security Controls
•Low Hanging Fruit
•Hot Spots
•Missed Functionalities
•Abandoned Code
•Security Controls
•High Profile Code
•Custom Rules
•Confirmation
•Evidences
•Risk Rating
•Role Based
•Remediation Instructions
Monday, 3 June, 13

35. Softwar S cur
Simplified Security
Code Review Process
Reconnaissance!
Threat Modeling!
Automation!
Manual Review!
Confirmation &
PoC!
Reporting!
Checklists!
Tools!
Skills!
Monday, 3 June, 13

36. Softwar S cur
Simplified Security
Code Review Process
Reconnaissance!
Threat Modeling!
Automation!
Manual Review!
Confirmation &
PoC!
Reporting!
Checklists!
Tools!
Skills!
Monday, 3 June, 13

37. Softwar S cur
Simplified Security
Code Review Process
Reconnaissance!
Threat Modeling!
Automation!
Manual Review!
Confirmation &
PoC!
Reporting!
Checklists!
Tools!
Skills!
Automation
Manual
Review
Reporting
Checklists*
Tools*
OWASP*
Top*10*
Trust*Boundary*
Iden=fica=on*
Monday, 3 June, 13

38. Softwar S cur
Usages of Simplified
Security Code Review
Automation
Manual
Review
Reporting
Checklists*
Tools*
OWASP*
Top*10*
Trust*Boundary*
Iden=fica=on*
➡ Ideal for Introducing
Development Teams To
Security Code Reviews
➡ Crossing The Gap Between
Security and Development
Teams
Monday, 3 June, 13

39. Softwar S cur
Skills - OWASP
Top 10
➡ A1 Injection
➡ A2 Broken Authentication and Session Management
➡ A3 Cross-Site Scripting (XSS)
➡ A4 Insecure Direct Object References
➡ A5 Security Misconfiguration
➡ A6 Sensitive Data Exposure
➡ A7 Missing Function Level Access Control
➡ A8 Cross-Site Request Forgery (CSRF)
➡ A9 Using Known Vulnerable Components
➡ A10 Unvalidated Redirects and Forwards
Automation
Manual
Review
Reporting
Checklists*
Tools*
OWASP*
Top*10*
Trust*Boundary*
Iden=fica=on*
Monday, 3 June, 13

40. Softwar S cur
A1. Injection
A2. Cross-Site Scripting
A3. Broken Authentication and
Session Management
A4. Insecure Direct Object
References
A5. Cross-Site Request Forgery
A6. Security Misconfiguration
A7. Insecure Cryptographic Storage
A9. Insufficient Transport Layer
Protection
A8. Failure to Restrict URL Access
A10. Unvalidated Redirects and
Forwards
2010 Modified New
OWASP TOP 10 - 2010 OWASP TOP 10 - 2013
Monday, 3 June, 13

41. Softwar S cur
A1. Injection
A2. Cross-Site Scripting
A3. Broken Authentication and
Session Management
A4. Insecure Direct Object
References
A5. Cross-Site Request Forgery
A6. Security Misconfiguration
A7. Insecure Cryptographic Storage
A9. Insufficient Transport Layer
Protection
A8. Failure to Restrict URL Access
A10. Unvalidated Redirects and
Forwards
A1. Injection
A3. Cross-Site Scripting
A2. Broken Authentication and
Session Management
A4. Insecure Direct Object
References
A6. Sensitive Data Exposure
A5. Security Misconfiguration
A7. Missing Function Level Access
Control
A9. Using Known Vulnerable
Components
A8. Cross-Site Request Forgery
A10. Unvalidated Redirects and
Forwards
2010 Modified New
OWASP TOP 10 - 2010 OWASP TOP 10 - 2013
Monday, 3 June, 13

42. Softwar S cur
A3
A6
A3
A6
A4
A1
A1 A3
A2
A9
A9
A1. Injection
A3. Cross-Site Scripting
A2. Broken Authentication and
Session Management
A4. Insecure Direct Object
References
A6. Sensitive Data Exposure
A5. Security Misconfiguration
A7. Missing Function Level Access
Control
A9. Using Known Vulnerable
Components
A8. Cross-Site Request Forgery
A10. Unvalidated Redirects and
Forwards
OWASP TOP 10 - 2013
2010 Modified New
Veracode Report - 2011
Monday, 3 June, 13

43. Softwar S cur
A7
A10
A4
A1
A8
A4
A3
A9
A1
A1. Injection
A3. Cross-Site Scripting
A2. Broken Authentication and
Session Management
A4. Insecure Direct Object
References
A6. Sensitive Data Exposure
A5. Security Misconfiguration
A7. Missing Function Level Access
Control
A9. Using Known Vulnerable
Components
A8. Cross-Site Request Forgery
A10. Unvalidated Redirects and
Forwards
OWASP TOP 10 - 2013Trustwave Report - 2013
2010 Modified New
Monday, 3 June, 13

44. Softwar S cur
A3
A6
A7
A1
A7
A2
A4
A7A4
A4
A2
A3
A1. Injection
A3. Cross-Site Scripting
A2. Broken Authentication and
Session Management
A4. Insecure Direct Object
References
A6. Sensitive Data Exposure
A5. Security Misconfiguration
A7. Missing Function Level Access
Control
A9. Using Known Vulnerable
Components
A8. Cross-Site Request Forgery
A10. Unvalidated Redirects and
Forwards
OWASP TOP 10 - 2013Whitehat Report - 2012
2010 Modified New
Monday, 3 June, 13

45. Softwar S cur
Automation
Manual
Review
Reporting
Checklists*
Tools*
OWASP*
Top*10*
Trust*Boundary*
Iden=fica=on*
Define Trust Boundary
Monday, 3 June, 13

46. Softwar S cur
Trust Boundary - Example
Browser
SOAP Client
Mobile Client
Front Controller
Web Services
Admin Front
Controller
LAN
DB
LDAP
File
System
Internet
BusinessObjects
DataAccessLayer
LAN
Browser
View
Monday, 3 June, 13

47. Softwar S cur
Trust Boundary - Example
Browser
SOAP Client
Mobile Client
Front Controller
Web Services
Admin Front
Controller
LAN
DB
LDAP
File
System
Internet
BusinessObjects
DataAccessLayer
LAN
Browser
View
Monday, 3 June, 13

48. Softwar S cur
Trust Boundary - Example
Browser
SOAP Client
Mobile Client
Front Controller
Web Services
Admin Front
Controller
LAN
DB
LDAP
File
System
Internet
BusinessObjects
DataAccessLayer
LAN
Browser
View
Monday, 3 June, 13

49. Softwar S cur
Trust Boundary - Example
Browser
SOAP Client
Mobile Client
Front Controller
Web Services
Admin Front
Controller
LAN
DB
LDAP
File
System
Internet
BusinessObjects
DataAccessLayer
LAN
Browser
View
Monday, 3 June, 13

50. Softwar S cur
Trust Boundary - Example
Browser
SOAP Client
Mobile Client
Front Controller
Web Services
Admin Front
Controller
LAN
DB
LDAP
File
System
Internet
BusinessObjects
DataAccessLayer
LAN
Browser
View
Monday, 3 June, 13

51. Softwar S cur
Trust Boundary - Example
Browser
SOAP Client
Mobile Client
Front Controller
Web Services
Admin Front
Controller
LAN
DB
LDAP
File
System
Internet
BusinessObjects
DataAccessLayer
LAN
Browser
View
Monday, 3 June, 13

52. Softwar S cur
Trust Boundary - Example
Browser
SOAP Client
Mobile Client
Front Controller
Web Services
Admin Front
Controller
LAN
DB
LDAP
File
System
Internet
BusinessObjects
DataAccessLayer
LAN
Browser
View
Monday, 3 June, 13

53. Softwar S cur
Trust Boundary - OWASP Top 10
Front Controller
Web Services
Admin Front
Controller
LAN
DB
LDAP
File
System
BusinessObjects
DataAccessLayer
View
➡ A1 Injection
➡ A2 Broken Authentication and Session Management
➡ A3 Cross-Site Scripting (XSS)
➡ A4 Insecure Direct Object References
➡ A5 Security Misconfiguration
➡ A6 Sensitive Data Exposure
➡ A7 Missing Function Level Access Control
➡ A8 Cross-Site Request Forgery (CSRF)
➡ A9 Using Known Vulnerable Components
➡ A10 Unvalidated Redirects and Forwards
Monday, 3 June, 13

54. Softwar S cur
Trust Boundary - OWASP Top 10
Front Controller
Web Services
Admin Front
Controller
LAN
DB
LDAP
File
System
BusinessObjects
DataAccessLayer
View
➡ A1 Injection
➡ A2 Broken Authentication and Session Management
➡ A3 Cross-Site Scripting (XSS)
➡ A4 Insecure Direct Object References
➡ A5 Security Misconfiguration
➡ A6 Sensitive Data Exposure
➡ A7 Missing Function Level Access Control
➡ A8 Cross-Site Request Forgery (CSRF)
➡ A9 Using Known Vulnerable Components
➡ A10 Unvalidated Redirects and Forwards
A1
Monday, 3 June, 13

55. Softwar S cur
Trust Boundary - OWASP Top 10
Front Controller
Web Services
Admin Front
Controller
LAN
DB
LDAP
File
System
BusinessObjects
DataAccessLayer
View
➡ A1 Injection
➡ A2 Broken Authentication and Session Management
➡ A3 Cross-Site Scripting (XSS)
➡ A4 Insecure Direct Object References
➡ A5 Security Misconfiguration
➡ A6 Sensitive Data Exposure
➡ A7 Missing Function Level Access Control
➡ A8 Cross-Site Request Forgery (CSRF)
➡ A9 Using Known Vulnerable Components
➡ A10 Unvalidated Redirects and Forwards
A1
A2
A2
A2
Monday, 3 June, 13

56. Softwar S cur
Trust Boundary - OWASP Top 10
Front Controller
Web Services
Admin Front
Controller
LAN
DB
LDAP
File
System
BusinessObjects
DataAccessLayer
View
➡ A1 Injection
➡ A2 Broken Authentication and Session Management
➡ A3 Cross-Site Scripting (XSS)
➡ A4 Insecure Direct Object References
➡ A5 Security Misconfiguration
➡ A6 Sensitive Data Exposure
➡ A7 Missing Function Level Access Control
➡ A8 Cross-Site Request Forgery (CSRF)
➡ A9 Using Known Vulnerable Components
➡ A10 Unvalidated Redirects and Forwards
A1
A2
A2
A2
A3
Monday, 3 June, 13

57. Softwar S cur
Trust Boundary - OWASP Top 10
Front Controller
Web Services
Admin Front
Controller
LAN
DB
LDAP
File
System
BusinessObjects
DataAccessLayer
View
➡ A1 Injection
➡ A2 Broken Authentication and Session Management
➡ A3 Cross-Site Scripting (XSS)
➡ A4 Insecure Direct Object References
➡ A5 Security Misconfiguration
➡ A6 Sensitive Data Exposure
➡ A7 Missing Function Level Access Control
➡ A8 Cross-Site Request Forgery (CSRF)
➡ A9 Using Known Vulnerable Components
➡ A10 Unvalidated Redirects and Forwards
A1
A2
A2
A2
A3
A4
A4
Monday, 3 June, 13

58. Softwar S cur
Trust Boundary - OWASP Top 10
Front Controller
Web Services
Admin Front
Controller
LAN
DB
LDAP
File
System
BusinessObjects
DataAccessLayer
View
➡ A1 Injection
➡ A2 Broken Authentication and Session Management
➡ A3 Cross-Site Scripting (XSS)
➡ A4 Insecure Direct Object References
➡ A5 Security Misconfiguration
➡ A6 Sensitive Data Exposure
➡ A7 Missing Function Level Access Control
➡ A8 Cross-Site Request Forgery (CSRF)
➡ A9 Using Known Vulnerable Components
➡ A10 Unvalidated Redirects and Forwards
A1
A2
A2
A2
A3
A4
A5
A4
Monday, 3 June, 13

59. Softwar S cur
Trust Boundary - OWASP Top 10
Front Controller
Web Services
Admin Front
Controller
LAN
DB
LDAP
File
System
BusinessObjects
DataAccessLayer
View
➡ A1 Injection
➡ A2 Broken Authentication and Session Management
➡ A3 Cross-Site Scripting (XSS)
➡ A4 Insecure Direct Object References
➡ A5 Security Misconfiguration
➡ A6 Sensitive Data Exposure
➡ A7 Missing Function Level Access Control
➡ A8 Cross-Site Request Forgery (CSRF)
➡ A9 Using Known Vulnerable Components
➡ A10 Unvalidated Redirects and Forwards
A1
A2
A2
A2
A3
A4
A5
A4
A6
A6
Monday, 3 June, 13

60. Softwar S cur
Trust Boundary - OWASP Top 10
Front Controller
Web Services
Admin Front
Controller
LAN
DB
LDAP
File
System
BusinessObjects
DataAccessLayer
View
➡ A1 Injection
➡ A2 Broken Authentication and Session Management
➡ A3 Cross-Site Scripting (XSS)
➡ A4 Insecure Direct Object References
➡ A5 Security Misconfiguration
➡ A6 Sensitive Data Exposure
➡ A7 Missing Function Level Access Control
➡ A8 Cross-Site Request Forgery (CSRF)
➡ A9 Using Known Vulnerable Components
➡ A10 Unvalidated Redirects and Forwards
A1
A2
A2
A2
A3
A4
A5
A4
A6
A7
A6
Monday, 3 June, 13

61. Softwar S cur
Trust Boundary - OWASP Top 10
Front Controller
Web Services
Admin Front
Controller
LAN
DB
LDAP
File
System
BusinessObjects
DataAccessLayer
View
➡ A1 Injection
➡ A2 Broken Authentication and Session Management
➡ A3 Cross-Site Scripting (XSS)
➡ A4 Insecure Direct Object References
➡ A5 Security Misconfiguration
➡ A6 Sensitive Data Exposure
➡ A7 Missing Function Level Access Control
➡ A8 Cross-Site Request Forgery (CSRF)
➡ A9 Using Known Vulnerable Components
➡ A10 Unvalidated Redirects and Forwards
A1
A2
A2
A2
A3
A4
A5
A4
A6
A7
A8
A6
Monday, 3 June, 13

62. Softwar S cur
Trust Boundary - OWASP Top 10
Front Controller
Web Services
Admin Front
Controller
LAN
DB
LDAP
File
System
BusinessObjects
DataAccessLayer
View
➡ A1 Injection
➡ A2 Broken Authentication and Session Management
➡ A3 Cross-Site Scripting (XSS)
➡ A4 Insecure Direct Object References
➡ A5 Security Misconfiguration
➡ A6 Sensitive Data Exposure
➡ A7 Missing Function Level Access Control
➡ A8 Cross-Site Request Forgery (CSRF)
➡ A9 Using Known Vulnerable Components
➡ A10 Unvalidated Redirects and Forwards
A1
A2
A2
A2
A3
A4
A5
A4
A6
A7
A8
A10
A10
A6
A9 A9
A9
A9
A9
Monday, 3 June, 13

63. Softwar S cur
How Can You Identify Trust
Boundary?
Monday, 3 June, 13

64. Softwar S cur
How Can You Identify Trust
Boundary?
➡ File Extensions: *.jsp, *.aspx.cs, *.sql, *.txt, *DAL.*, etc
Monday, 3 June, 13

65. Softwar S cur
How Can You Identify Trust
Boundary?
➡ File Extensions: *.jsp, *.aspx.cs, *.sql, *.txt, *DAL.*, etc
➡ Implementations: HttpServlet, JAXMServlet, *.master.cs, etc
Monday, 3 June, 13

66. Softwar S cur
How Can You Identify Trust
Boundary?
➡ File Extensions: *.jsp, *.aspx.cs, *.sql, *.txt, *DAL.*, etc
➡ Implementations: HttpServlet, JAXMServlet, *.master.cs, etc
➡ Imports: Import System.Data.SqlClient, import javax.servlet.http.*, etc
Monday, 3 June, 13

67. Softwar S cur
How Can You Identify Trust
Boundary?
➡ File Extensions: *.jsp, *.aspx.cs, *.sql, *.txt, *DAL.*, etc
➡ Implementations: HttpServlet, JAXMServlet, *.master.cs, etc
➡ Imports: Import System.Data.SqlClient, import javax.servlet.http.*, etc
➡ Tools: Spiders’ output
Monday, 3 June, 13

68. Softwar S cur
How Can You Identify Trust
Boundary?
➡ File Extensions: *.jsp, *.aspx.cs, *.sql, *.txt, *DAL.*, etc
➡ Implementations: HttpServlet, JAXMServlet, *.master.cs, etc
➡ Imports: Import System.Data.SqlClient, import javax.servlet.http.*, etc
➡ Tools: Spiders’ output
➡ Annotations: @WebMethods, @WebService
Monday, 3 June, 13

69. Softwar S cur
Making Unsecure Code Look
Unsecure - cc/Joel Spolsky
➡ Physical Source Code Separation.
➡ File Naming Scheme:
➡ Trust Boundary Safe: tbsProcessNameChange.java
➡ Trust Boundary UnSafe: tbuEditProfile.jsp
➡ Variable Naming Convention:
➡ String usEmail = Request.getParameter(“email”);
➡ String sEmail = Validate(Request.getParameter(“email”);
Monday, 3 June, 13

70. Softwar S cur
Automation
Manual
Review
Reporting
Checklists*
Tools*
OWASP*
Top*10*
Trust*Boundary*
Iden=fica=on*
Automation
Monday, 3 June, 13

71. Softwar S cur
Automation
Static Code Analysis
Pros Cons
Scales Well False Positives
Low Hanging Fruit Application Logic Issues
Could Be Customized Collections
Frameworks
Monday, 3 June, 13

72. Softwar S cur
Scripts
➡ Compliment Static Code Analysis Tools.
➡ 3rd Party Libraries Discovery.
➡ Data Input Sources (e,g. web services)
➡ Tracing Data Through Collections (e.g.
Session, Request, Collection)
Monday, 3 June, 13

73. Softwar S cur
Automation
Manual
Review
Reporting
Checklists*
Tools*
OWASP*
Top*10*
Trust*Boundary*
Iden=fica=on*
Manual Review
Monday, 3 June, 13

74. Softwar S cur
What Needs to Be Manually
Reviewed?
➡ Authentication & Authorization Controls
➡ Encryption Modules
➡ File Upload and Download Operations
➡ Validation ControlsInput Filters
➡ Security-Sensitive Application Logic
Monday, 3 June, 13

75. Softwar S cur
Authentication &
Authorization Flaws
Monday, 3 June, 13

76. Softwar S cur
Authentication &
Authorization Flaws
Monday, 3 June, 13

77. Softwar S cur
Authentication &
Authorization Flaws
Web Methods Do Not Follow
Regular ASP.NET Page Life Cycle
Monday, 3 June, 13

78. Softwar S cur
Authentication &
Authorization Flaws
Web Methods Do Not Follow
Regular ASP.NET Page Life Cycle
Monday, 3 June, 13

79. Softwar S cur
Encryption Flaws
Monday, 3 June, 13

80. Softwar S cur
Encryption Flaws
Monday, 3 June, 13

81. Softwar S cur
Encryption Flaws
Return value is
initialized
Monday, 3 June, 13

82. Softwar S cur
Encryption Flaws
Return value is
initialized
Monday, 3 June, 13

83. Softwar S cur
Encryption Flaws
Return value is
initialized
Monday, 3 June, 13

84. Softwar S cur
Encryption Flaws
Return value is
initialized
Classic fail-open
scenario
Monday, 3 June, 13

85. Softwar S cur
File UploadDownload Flaws
Monday, 3 June, 13

86. Softwar S cur
File UploadDownload Flaws
Monday, 3 June, 13

87. Softwar S cur
File UploadDownload Flaws
The value gets validated
first time around
Monday, 3 June, 13

88. Softwar S cur
File UploadDownload Flaws
The value gets validated
first time around
File path saved into a
hidden field
Monday, 3 June, 13

89. Softwar S cur
File UploadDownload Flaws
The value gets validated
first time around
File path saved into a
hidden field
File path is not validated on post
back
Monday, 3 June, 13

90. Softwar S cur
File UploadDownload Flaws
The value gets validated
first time around
File path saved into a
hidden field
File path is not validated on post
back
Path used without
validation
Monday, 3 June, 13

91. Softwar S cur
Automation
Manual
Review
Reporting
Checklists*
Tools*
OWASP*
Top*10*
Trust*Boundary*
Iden=fica=on*
Reporting
Monday, 3 June, 13

92. Softwar S cur
Reporting
➡ Weakness Metadata
➡ Thorough Description
➡ Recommendation
➡ Assign Priority
SQL Injection:
Location: sourceACMEPortalupdateinfo.aspx.cs:
Description:The code below is build dynamic sql statement using
unvalidated data (i.e. name) which can lead to SQL Injection
51 SqlDataAdapter myCommand = new SqlDataAdapter(
52 "SELECT au_lname, au_fname FROM author WHERE
au_id = '" +
53 SSN.Text + "'", myConnection);
Priority: High
Recommendation: Use paramaterized SQL instead of dynamic
concatenation, refer to http://msdn.microsoft.com/en-us/library/
ff648339.aspx for details.
Owner: John Smith
Monday, 3 June, 13

93. Softwar S cur
Confirmation & PoC
Monday, 3 June, 13

94. Softwar S cur
Confirmation & PoC
Monday, 3 June, 13

95. Softwar S cur
Confirmation & PoC
Monday, 3 June, 13

96. Softwar S cur
Confirmation & PoC
Monday, 3 June, 13

97. Softwar S cur
Automation
Manual
Review
Reporting
Checklists*
Tools*
OWASP*
Top*10*
Trust*Boundary*
Iden=fica=on*
Tools
Monday, 3 June, 13

98. Softwar S cur
Security Code Review Tools
➡ Static Code Analysis
➡ Free: (FindBugs, PMD, CAT.net, PCLint, etc)
➡ Commercial: (Static Code Tools Evaluation Criteria - WASC)
➡ 3rd Party Libraries: (DependencyCheck - https://github.com/
jeremylong/DependencyCheck)
➡ Scripts
Monday, 3 June, 13

99. Softwar S cur
Open-Source Static
Code Analysis Tools
Java
.NET
C++
Monday, 3 June, 13

100. Softwar S cur
Automation
Manual
Review
Reporting
Checklists*
Tools*
OWASP*
Top*10*
Trust*Boundary*
Iden=fica=on*
Checklists
Monday, 3 June, 13

101. Softwar S cur
Usage of checklists
➡ Aviation: led the modern airplanes evolution
after Major Hill’s famous 1934 incident
➡ ICU: usage of checklists brought down
infection rates in Michigan by 66%
Monday, 3 June, 13

102. Softwar S cur
Security Code Review
Checklist
➡ Data Validation and Encoding Controls
➡ Encryption Controls
➡ Authentication and Authorization Controls
➡ Session Management
➡ Exception Handling
➡ Auditing and Logging
➡ Security Configurations
Monday, 3 June, 13

103. Softwar S cur
Resources To Conduct Your
Checklist
➡ NIST Checklist Project - http://checklists.nist.gov/
➡ Mozilla’s Secure Coding QA Checklist - https://
wiki.mozilla.org/WebAppSec/
Secure_Coding_QA_Checklist
➡ Oracle’s Secure Coding Checklist - http://
www.oracle.com/technetwork/java/
seccodeguide-139067.html
Monday, 3 June, 13

104. Softwar S cur
Simplified Security
Code Review Process
Reconnaissance!
Threat Modeling!
Automation!
Manual Review!
Confirmation &
PoC!
Reporting!
Checklists!
Tools!
Skills!
Automation
Manual
Review
Reporting
Checklists*
Tools*
OWASP*
Top*10*
Trust*Boundary*
Iden=fica=on*
Monday, 3 June, 13

105. Softwar S cur
Softwar S cur
QUESTIONS?
@skoussa
sherif.koussa@owasp.org
sherif@softwaresecured.com
Monday, 3 June, 13