UK
Uploaded byUsman Khan
PPTX, PDF461 views

Source code review - Usman Khan

The document discusses source code review as part of the software development lifecycle. It outlines why source code review is important due to security not being a focus during development. The processes described identify business processes, review critical processes, identify data used, prioritize processes, and review application architecture. The document also lists strategies for protective, preventive, and deceptive reviews, as well as breaking your own system. Services provided include secure architecture reviews, deployment reviews, source code reviews across multiple platforms, automated testing, and manual reviews.

Embed presentation

Download to read offline
Source Code Review The DTS Approach – Usman Khan
Why ? • SDLC – Security Not focused. • Less trained and awareness of developers. • Not following standards. • QA focus more on application functions delivery. • Beta testing can not generate security scenarios or risks. • SRS are too much focused towards.
What : The processes to secure. • Identify all Business processes. • Critical processes Review. • Type of data dealing with every process. • Prioritization of processes. • Business Process processes communication. • Identifying Approach of Application Designer/Architect. Application Architecture Focus
How - Looking at the Big Picture • Intent of Code Review. • Previous Breaches. • Major weaknesses in Business processes. Deployment. Application Model Authentication. Authorization. Session management. Data validation. Error handling. Memory allocation. SQL Parsing. Logging. Encryption. Boundary Checks. Concentrate on critical points.
Strategies • Protective strategy. • Preventive Strategy. • Deception. • Breaking your own system. • Code Exposure.
Service Delivery • Secure Application Architecture Review. • Secure Application Deployment Review. • Source Code Review of multiple platforms like .NET C/C++, Java , Ruby etc. etc. • Automated testing – Static and Dynamic Code Reviews ESC/Java (Extended Static Checking for Java) VCG – Java, C/C++, C#, PL/SQL BugScout – All Platform FxCop – Managed .NET Code RIPS - PHP PScan - C/C++ Scans Flawfinder – C/C++ Scans RATS (Rough Auditing Tool for Security) – C/C++ , PHP, Perl, Python • Manual Reviews • VAPT Review of reports.

More Related Content

PPTX
Application lifecycle management
byAchintya Kumar
 
PPTX
Testing Tools and Tips
bySoftServe
 
PPT
The security sdlc
byMohamed Siraj
 
PDF
Non-Functional Requirements
byYuriy Guts
 
PPTX
Agility reboot iv
byAndrew Chum
 
PDF
Software Infrastructure requirements elicitation and design roadmap - Innovat...
byInnovate Vancouver
 
PPTX
Continuous and Visible Security Testing with BDD-Security
byStephen de Vries
 
PPTX
Adressing nonfunctional requirements with agile practices
byMario Cardinal
 
Application lifecycle management
byAchintya Kumar
 
Testing Tools and Tips
bySoftServe
 
The security sdlc
byMohamed Siraj
 
Non-Functional Requirements
byYuriy Guts
 
Agility reboot iv
byAndrew Chum
 
Software Infrastructure requirements elicitation and design roadmap - Innovat...
byInnovate Vancouver
 
Continuous and Visible Security Testing with BDD-Security
byStephen de Vries
 
Adressing nonfunctional requirements with agile practices
byMario Cardinal
 

What's hot

PPT
Network security
byNur Aishah Roslan
 
PPTX
Agile and Secure Development
byNazar Tymoshyk, CEH, Ph.D.
 
PDF
Non-Functional Requirements
byDavid Simons
 
PPTX
Software test engineer
byAbdul Riyaz
 
PPT
Ch01
byKodok Ngorex
 
PPTX
Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"
byNazar Tymoshyk, CEH, Ph.D.
 
PPTX
OWASP Top 10 practice workshop by Stanislav Breslavskyi
byNazar Tymoshyk, CEH, Ph.D.
 
PPTX
Digital Product Security
bySoftServe
 
PPTX
Security as a new metric for Business, Product and Development Lifecycle
byNazar Tymoshyk, CEH, Ph.D.
 
PPT
Sergey Gordeychik, Security Metrics for PCI DSS Compliance
byqqlan
 
PDF
Building Quality in Legacy Systems - The Art of Asking Questions
byMufrid Krilic
 
PPT
Ch02
byKodok Ngorex
 
PDF
SAST vs. DAST: What’s the Best Method For Application Security Testing?
byCigital
 
PPTX
Security Testing - Tools & Techniques
byRamakrishnan Seshagiri
 
Network security
byNur Aishah Roslan
 
Agile and Secure Development
byNazar Tymoshyk, CEH, Ph.D.
 
Non-Functional Requirements
byDavid Simons
 
Software test engineer
byAbdul Riyaz
 
Ch01
byKodok Ngorex
 
Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"
byNazar Tymoshyk, CEH, Ph.D.
 
OWASP Top 10 practice workshop by Stanislav Breslavskyi
byNazar Tymoshyk, CEH, Ph.D.
 
Digital Product Security
bySoftServe
 
Security as a new metric for Business, Product and Development Lifecycle
byNazar Tymoshyk, CEH, Ph.D.
 
Sergey Gordeychik, Security Metrics for PCI DSS Compliance
byqqlan
 
Building Quality in Legacy Systems - The Art of Asking Questions
byMufrid Krilic
 
Ch02
byKodok Ngorex
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
byCigital
 
Security Testing - Tools & Techniques
byRamakrishnan Seshagiri
 

Similar to Source code review - Usman Khan

PPTX
How To Avoid Continuously Delivering Faulty Software
byErika Barron
 
PPTX
How to Avoid Continuously Delivering Faulty Software
byPerforce
 
PDF
AppSec in an Agile World
byDavid Lindner
 
PPTX
Static Code Analysis
byObika Gellineau
 
PPTX
Secure App Aspirations: Why it is very difficult in the real world
byOllie Whitehouse
 
PPTX
Static analysis for security
byFadi Abdulwahab
 
PDF
Arved sandstrom - the rotwithin - atlseccon2011
byAtlantic Security Conference
 
PPTX
Introduction of Secure Software Development Lifecycle
byRishi Kant
 
PPTX
Software engineering
byGuruAbirami2
 
PPTX
Secure SDLC in mobile software development.
byMykhailo Antonishyn
 
PPT
Software Security Engineering
byMarco Morana
 
PPTX
Hacker vs tools
byGeoffrey Vaughan
 
PPTX
Hacker vs Tools: Which to Choose?
bySecurity Innovation
 
PPTX
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
byQADay
 
PDF
Security Checkpoints in Agile SDLC
byRahul Raghavan
 
PPT
Software security engineering
byAHM Pervej Kabir
 
PPT
Software security engineering
byAHM Pervej Kabir
 
PPT
Verifcation &validation
byssusere50573
 
PPTX
prepare a complete 2 hours lecture for me on the topic of "source code analys...
bysabaamina001
 
PPTX
Software_Testing_Presentationsinsds.pptx
bycharushresthaa
 
How To Avoid Continuously Delivering Faulty Software
byErika Barron
 
How to Avoid Continuously Delivering Faulty Software
byPerforce
 
AppSec in an Agile World
byDavid Lindner
 
Static Code Analysis
byObika Gellineau
 
Secure App Aspirations: Why it is very difficult in the real world
byOllie Whitehouse
 
Static analysis for security
byFadi Abdulwahab
 
Arved sandstrom - the rotwithin - atlseccon2011
byAtlantic Security Conference
 
Introduction of Secure Software Development Lifecycle
byRishi Kant
 
Software engineering
byGuruAbirami2
 
Secure SDLC in mobile software development.
byMykhailo Antonishyn
 
Software Security Engineering
byMarco Morana
 
Hacker vs tools
byGeoffrey Vaughan
 
Hacker vs Tools: Which to Choose?
bySecurity Innovation
 
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
byQADay
 
Security Checkpoints in Agile SDLC
byRahul Raghavan
 
Software security engineering
byAHM Pervej Kabir
 
Software security engineering
byAHM Pervej Kabir
 
Verifcation &validation
byssusere50573
 
prepare a complete 2 hours lecture for me on the topic of "source code analys...
bysabaamina001
 
Software_Testing_Presentationsinsds.pptx
bycharushresthaa
 

Recently uploaded

PDF
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
PDF
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
apidays New York 2025 | AI in Application Security
byapidays
 
PDF
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PPTX
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PDF
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
PDF
final.pdf
byomarbishtawi04
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PPTX
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
PPTX
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
PDF
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
apidays New York 2025 | AI in Application Security
byapidays
 
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
final.pdf
byomarbishtawi04
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 

Source code review - Usman Khan

  • 1.
    Source Code Review TheDTS Approach – Usman Khan
  • 2.
    Why ? • SDLC– Security Not focused. • Less trained and awareness of developers. • Not following standards. • QA focus more on application functions delivery. • Beta testing can not generate security scenarios or risks. • SRS are too much focused towards.
  • 3.
    What : Theprocesses to secure. • Identify all Business processes. • Critical processes Review. • Type of data dealing with every process. • Prioritization of processes. • Business Process processes communication. • Identifying Approach of Application Designer/Architect. Application Architecture Focus
  • 4.
    How - Lookingat the Big Picture • Intent of Code Review. • Previous Breaches. • Major weaknesses in Business processes. Deployment. Application Model Authentication. Authorization. Session management. Data validation. Error handling. Memory allocation. SQL Parsing. Logging. Encryption. Boundary Checks. Concentrate on critical points.
  • 5.
    Strategies • Protective strategy. •Preventive Strategy. • Deception. • Breaking your own system. • Code Exposure.
  • 6.
    Service Delivery • SecureApplication Architecture Review. • Secure Application Deployment Review. • Source Code Review of multiple platforms like .NET C/C++, Java , Ruby etc. etc. • Automated testing – Static and Dynamic Code Reviews ESC/Java (Extended Static Checking for Java) VCG – Java, C/C++, C#, PL/SQL BugScout – All Platform FxCop – Managed .NET Code RIPS - PHP PScan - C/C++ Scans Flawfinder – C/C++ Scans RATS (Rough Auditing Tool for Security) – C/C++ , PHP, Perl, Python • Manual Reviews • VAPT Review of reports.

Editor's Notes

  • #5 Implementation – in coherence and present behind a firewall, does give access to database ? Server/client signatures verification to execute application. Application Model – MVC , three tier, Hierarchical Pattern, Authentication – The user has permissions to access the process and most importantly data associated with it. Authorization – Is authorization implemented , the level of access is being checked or not. Session Management – the time of staying logged in , logging in from multiple location , geo location sessions check. Data Validation – Is the data validated both on server and client side or at multiple tiers. Error Handling – Incase of error or unexpected situation does it is handled, if hacker breaches it from one layer than can you ensure it the error is handled at all level. Memory Allocation – Is the memory used and declared as per needed or extensible – why? If hacker can break all validation checks will he be able to generate memory or buffer overflow. Logging- Style of logs ? Security of logs and are the standards maintained to support SIEM and central logging. Boundary Checks- To meet special conditions at boundaries.
  • #7 We perform automated and manual testing for entire application in addition to secure architecture and secure deployment. These Review reports are than sent to VAPT team for further analysis and final report.