
Is code review the solution?

In this talk I will present a brief introduction to Code Review, where we will try to understand its value and why it is so hard to implement effectively. I will also present some of the challenges we had at SAPO and how we tried to fix them.

Published in: Software

  1. Is Code Review the Solution? Version 1.1 - 28/10/2014, Confraria da Segurança da Informação
  2. Outline (SAPO Websecurity Team)
     • What is code review
     • Motivation
     • Open-Source
     • How to
     • Tools
     • Problems
  3. About me
     • Security Engineer at Portugal Telecom since 2004
       – honeypots, traffic analysis, internal security
     • At SAPO since 2010
       – pentesting of web applications, iOS, Android, IPTV
       – all-terrain security consultant
     • Trainer of Linux and network security courses at Citeforma
     • Speaker at security events like Codebits, Just4Meeting, Security Meeting, ISEL Tech, Create Tech, Confraria da Segurança da Informação and BSides Lisbon
     • Holds an MSc in Information Technology/Information Security from Carnegie Mellon and CISSP
  4. What is code review
     • Code
       – Firefox - 5 million LOC (Lines of Code)
       – MySQL - 12 million LOC
       – Debian 5 - 66 million LOC
       – Windows Server 2003 - 50 million LOC
  5. What is code review
     • Review
       – "formal assessment of something with the intention of instituting change if necessary"
  6. What is code review
     • Code review is the analysis of source code in order to find defects
       – security, performance, functional, etc.
       – early detection
       – complements scanners and other tools
  7. Motivation (slides 7 to 17 are image-only)
  18. Motivation
     • Compliance
     • PCI-DSS - Payment Card Industry Data Security Standard
       – since 2005
       – version 3.0
       – Requirement 6.3.2
       – "Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) ..."
  19. Open-Source
     • A requirement for code review is to have access to the source code
     • Open-Source Software (OSS) makes its source code available for anyone (to review)
     • Therefore, OSS is better because it is reviewed by the whole world
       – is it?
  20. Open-Source (image-only slide)
  21. Open-Source (slides 21 to 24 build up the same slide)
     • Not all OSS is thoroughly reviewed, but...
     • In 2011, a vulnerability that allowed backup decryption was found
  25. Open-Source
     • Found "by someone who was reading the Tarsnap source code purely of curiosity"
     • Led to a bug bounty for security problems
     • "I'm a great fan of curiosity, but I've also learned that money can help to encourage curiosity."
  26. Open-Source (image-only slide)
  27. Open-Source
     • Apple "goto fail"
     • CVE-2014-1266 - "attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS"
     • Affected iOS and OS X
     • http://pi5.20.sl.pt
  28. Open-Source: Apple "goto fail" (slides 28 and 29 are image-only)
  30. Open-Source
     • Likely found by code review
     • "A test case could have caught this, but it's difficult because it's so deep into the handshake."
     • "Code review can be effective against these sorts of bug."
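Slides 28 and 29 are image captures of the affected function. As an added example that is not Apple's code, the reduced reconstruction below keeps the shape of the bug, a duplicated `goto fail;` that jumps to the cleanup label while `err` is still 0, next to the corrected control flow. The step functions, the error value and the function names are assumptions made for this example.

```c
/* Added example, not Apple's code: a reduced reconstruction of the
 * CVE-2014-1266 "goto fail" pattern. The real function chained hash
 * updates as "if ((err = f(...)) != 0) goto fail;" and one of those lines
 * was duplicated. The second goto is unconditional, so the final signature
 * check is never reached and the function returns err == 0, i.e. success.
 * The step functions and the error code below are stand-ins (assumptions). */
#include <stdio.h>

typedef int OSStatus;            /* 0 means success, as in Apple's API */
#define errSSLCrypto (-9810)     /* assumed error value for the example */

/* Stand-in for the hash update steps: always succeeds in this example. */
static OSStatus update_hash(int step)
{
    (void)step;
    return 0;
}

/* Stand-in for the final signature verification. */
static OSStatus verify_signature(int signature_is_bad)
{
    return signature_is_bad ? errSSLCrypto : 0;
}

/* Vulnerable shape, kept deliberately: note the duplicated goto. */
OSStatus verify_server_key_exchange_vulnerable(int signature_is_bad)
{
    OSStatus err;

    if ((err = update_hash(1)) != 0)
        goto fail;
    if ((err = update_hash(2)) != 0)
        goto fail;
        goto fail;      /* duplicated line: always taken while err is still 0 */
    if ((err = verify_signature(signature_is_bad)) != 0)  /* dead code */
        goto fail;

fail:
    return err;         /* 0: a forged signature is accepted */
}

/* Corrected shape: braces make every goto conditional again. A reviewer
 * reading for unreachable code catches this, and clang's -Wunreachable-code
 * warns about the dead check in the vulnerable version. */
OSStatus verify_server_key_exchange_fixed(int signature_is_bad)
{
    OSStatus err;

    if ((err = update_hash(1)) != 0) {
        goto fail;
    }
    if ((err = update_hash(2)) != 0) {
        goto fail;
    }
    if ((err = verify_signature(signature_is_bad)) != 0) {
        goto fail;
    }

fail:
    return err;
}

int main(void)
{
    printf("vulnerable, forged signature -> %d\n",
           verify_server_key_exchange_vulnerable(1));   /* 0: accepted */
    printf("fixed, forged signature      -> %d\n",
           verify_server_key_exchange_fixed(1));        /* -9810: rejected */
    return 0;
}
```

The review point is not the `goto` itself but that the indentation makes the second `goto fail;` look conditional when it is not; a test exercising a bad signature would also have caught it, which is why the quoted advice pairs review with tests rather than replacing one with the other.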
  31. Open-Source
     • In 2011, a Ph.D. student pushed a commit to OpenSSL that implemented the Heartbeat extension
     • Reviewed by one of OpenSSL's four core developers
       – code in C
       – the problem was not detected
  32. Open-Source (slides 32 to 38 are image-only)
  39. Open-Source
     • Heartbleed
     • CVE-2014-0160 - allows a remote peer to read data from the process memory (the declared payload length is 16 bits, so up to 64 KB per heartbeat request)
     • Affected OpenSSL - used by many exposed services such as www and mail
     • http://pi5.5l.sl.pt
  40. Open-Source
     • Should have been detected with code review
     • http://pi5.fp.sl.pt
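Slides 32 to 38 are image captures of the heartbeat code. As an added example that is not OpenSSL's code, the reduced reconstruction below shows the shape of the missing check next to the fix: the handler reads the 16-bit payload length from the record and, in the vulnerable version, never compares it with the number of bytes that actually arrived. The "process memory" layout, the secret string and the function names are constructed for this example.

```c
/* Added example, not OpenSSL's code: a reduced reconstruction of the TLS
 * heartbeat handling behind CVE-2014-0160. A heartbeat record is
 *   1 byte type | 2 bytes payload length (big endian) | payload | >= 16 bytes padding
 * The vulnerable handler trusts the declared length and memcpy()s that many
 * bytes into the reply, so a peer that declares more than it sent reads past
 * the record into whatever the process keeps next to it (up to 64 KiB, since
 * the length is 16 bits). Layout, secret and names are assumptions. */
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define PADDING_LEN      16
#define MAX_REPLY_LEN    (1 + 2 + 65535 + PADDING_LEN)

static const char SECRET[] = "SESSION_KEY=deadbeef";   /* constructed, 20 bytes */

/* Constructed "process memory": a heartbeat record whose header may lie
 * about its payload length, immediately followed by an unrelated secret. */
static unsigned char process_memory[64];

/* Lays out a 22-byte record (3-byte payload "abc" + 16 bytes of padding) with
 * the given declared length, then the secret right after it. Returns the
 * number of bytes that actually arrived on the wire. */
static size_t lay_out_memory(unsigned int declared_len)
{
    memset(process_memory, 0, sizeof process_memory);
    process_memory[0] = TLS1_HB_REQUEST;
    process_memory[1] = (unsigned char)(declared_len >> 8);   /* s2n */
    process_memory[2] = (unsigned char)(declared_len & 0xff);
    memcpy(process_memory + 3, "abc", 3);                     /* real payload */
    /* bytes 6..21: padding, left as zeros */
    memcpy(process_memory + 22, SECRET, sizeof SECRET - 1);   /* someone else's data */
    return 1 + 2 + 3 + PADDING_LEN;                           /* 22 */
}

/* Builds the response: type, echoed length, echoed payload, padding. */
static int build_response(const unsigned char *pl, unsigned int payload,
                          unsigned char *reply)
{
    unsigned char *bp = reply;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);          /* s2n(payload, bp) */
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, payload);        /* copies 'payload' bytes starting at the record */
    bp += payload;
    memset(bp, 0, PADDING_LEN);     /* OpenSSL fills this with random bytes */
    return (int)payload;
}

/* Vulnerable (kept deliberately): rec_len is never consulted. */
int process_heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                 unsigned char *reply)
{
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    unsigned int payload = ((unsigned int)p[0] << 8) | p[1];  /* n2s(p, payload) */
    const unsigned char *pl = p + 2;
    (void)rec_len;                                            /* the bug */

    if (hbtype != TLS1_HB_REQUEST)
        return -1;
    return build_response(pl, payload, reply);
}

/* Fixed: discard any record whose declared length does not fit in it. */
int process_heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                            unsigned char *reply)
{
    if (1 + 2 + PADDING_LEN > rec_len)
        return -1;                  /* too short to hold even an empty payload */
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    unsigned int payload = ((unsigned int)p[0] << 8) | p[1];
    const unsigned char *pl = p + 2;

    if (hbtype != TLS1_HB_REQUEST)
        return -1;
    if (1 + 2 + payload + PADDING_LEN > rec_len)
        return -1;                  /* silently discard, as RFC 6520 requires */
    return build_response(pl, payload, reply);
}

/* 1 if a request that declares 39 bytes but carries 3 makes the vulnerable
 * handler echo the adjacent secret (39 = 3 payload + 16 padding + 20 secret). */
int vulnerable_leaks_secret(void)
{
    static unsigned char reply[MAX_REPLY_LEN];
    size_t rec_len = lay_out_memory(39);
    int n = process_heartbeat_vulnerable(process_memory, rec_len, reply);
    return n == 39 &&
           memcmp(reply + 3 + 3 + PADDING_LEN, SECRET, sizeof SECRET - 1) == 0;
}

/* 1 if the fixed handler discards the same lying request. */
int fixed_discards_lying_request(void)
{
    static unsigned char reply[MAX_REPLY_LEN];
    size_t rec_len = lay_out_memory(39);
    return process_heartbeat_fixed(process_memory, rec_len, reply) == -1;
}

/* 1 if an honest request (declared 3, sent 3) is echoed by both handlers. */
int honest_request_is_echoed(void)
{
    static unsigned char reply[MAX_REPLY_LEN];
    size_t rec_len = lay_out_memory(3);
    return process_heartbeat_vulnerable(process_memory, rec_len, reply) == 3 &&
           process_heartbeat_fixed(process_memory, rec_len, reply) == 3 &&
           memcmp(reply + 3, "abc", 3) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks adjacent secret: %s\n", vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler discards lying request:     %s\n", fixed_discards_lying_request() ? "yes" : "no");
    printf("honest request echoed by both handlers:   %s\n", honest_request_is_echoed() ? "yes" : "no");
    return 0;
}
```

The added comparison in the fixed handler is the shape of the OpenSSL fix (declared length plus header and padding must not exceed the record length). The pattern a reviewer should look for, with or without grep, is a length read from the network feeding `memcpy` with no comparison against the bytes actually received; the example keeps the over-read inside its own constructed array so it runs without undefined behaviour, whereas the real bug read whatever happened to follow the record on the heap.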
  41. Open-Source: SQL injection (slides 41 to 43 build up the same slide)
     • http://vuln.example/login?username=x' or 1=1 limit 0,1--%20
     • SELECT id,group,full_name FROM users WHERE username='x' or 1=1 limit 0,1--
     • (the trailing %20 is a URL-encoded space: MySQL only treats -- as a comment when whitespace follows it, and the comment is what swallows the closing quote the application appends)
  44. How to
     • Code review methods vary a lot
       – highly dependent on the depth of the analysis
     • Broad categories with different names depending on the author
       – Formal code review
       – Lightweight code review
  45. How to
     • Formal code review
       – line by line
       – multiple reviewers
       – group review
       – printed copies
     • Finds hard-to-find problems
     • Time consuming
  46. How to
     • Lightweight code review
       – shallow analysis
       – pattern-based analysis
       – grep based
       – reviewing only critical functions
     • Prone to miss some problems
     • Less time consuming
     • Good to easily find certain classes of vulnerabilities
  47. How to
     • Review can be done
       – manually
       – automatically
       – using both approaches
     • Using both approaches
       – automatically find hotspots with pattern matching
       – manually review those areas
  48. How to
     • Combining approaches
       – milestone: mandatory review and approval before going to production
       – a posteriori: detection vs prevention
       – sampling: review just some code, chosen by keyword, committer or project
  49. How to
     • Basic rules for code review to work
     • 1st rule: the reviewer must not be the one who wrote the code
       – if we could find bugs in our own code we would be able to avoid them
       – biased analysis
       – the reviewer will have a different and unbiased perspective
       – the reviewer should be from a different project
  50. How to
     • 2nd rule: the reviewer should understand the language being reviewed
  51. How to
     • 3rd rule: focus on the objective: security, performance, feature, etc., but not on everything
  52. More motivation
     • How to motivate the reviewers?
  53. More motivation
     • Just saying "you must do code review" will not work
       – developers have more interesting stuff to do
       – developers have more stuff to do
       – developers have deadlines and code review is easily left out (1st to drop)
       – developers don't like other people's code
       – what to review?
  54. How to
     • What to review is a big question
       – don't let the developer choose what to review arbitrarily
     • Assign "reviews" to reviewers
       – use a tool to manage what is assigned to each reviewer
       – each reviewer has a queue of reviews to be done
  55. How to
     • Assign "reviews" to reviewers
       – for instance, single commits
     • Ensures
       – coverage - all code is reviewed
       – responsibility - the developer has something publicly assigned to him
       – deliverables - audit evidence; increases motivation to review
  56. How to
     • Even with task assignment the reviewer might let the work pile up
       – it's like documentation: the application will work fine without it
     • This will happen if the review is done individually and in their usual sitting place
       – gather developers
  57. How to
     • Book a meeting room
     • Get the developers there
  58. Tools
     • Supporting software
     • Phabricator
       – repository integration
       – assignment rules
       – issue tracking
       – pre- and post-commit hooking
  59. Tools: Phabricator (slides 59 and 60 are image-only)
  61. Tools: Gerrit (image-only slide)
  62. Tools
     • Gerrit
       – pre-commit only
       – Git only
     • Phabricator
       – pre-commit
       – post-commit
       – Subversion, Git, Mercurial
  63. Tools
     • Security Lib – less code to review
  64. Tools
     • Watch Commits
  65. Tools
     • Do not confuse code review with other mechanisms
       – static analysis
       – dynamic analysis
     • These lack human intelligence
       – but do not get tired
  66. Problems
     • A Portuguese company working in mission-critical systems used (uses?) the following approach
       – developers get a printed A4 page with code
       – they also get a 5/6-item checklist
       – 15 min meeting the next morning to discuss the checklist issues
       – repeat every day
       – Scrum-like methodology
  67. Problems
     • Problems with this approach?
     • Feels like homework
       – might review at work but subject to the usual constraints
     • Context
       – calls to functions outside the printed code
       – classes/objects defined elsewhere
       – inclusion of files and configurations
  68. Problems (image-only slide)
  69. Problems
     • Limitations
       – variables, objects and functions defined outside
       – configuration-dependent execution
       – scope limitation
  70. Is code review the solution? (slides 70 and 71 build up the same slide)
     • Is code review the solution?
     • No.
     • But it is a good complement
       – detects vulnerabilities hard to find using blackbox approaches
       – detects potential problems before they are exploitable
  72. More
     • Other presentations
       – slideshare.net/tiagomendo
       – slideshare.net/nuno.loureiro
       – AP2SI - facebook.com/ap2si
       – OWASP - owasp.org
  73. Questions? tiago.mendo@telecom.pt @tmendo
