6-Points Strategy to Get Your Application in Security Shape
TRANSCRIPT
Software Secured
6-Points Strategy to Get Your Application in Security Shape
Sherif Koussa
OWASP Ottawa Chapter Leader
Static Analysis Technologies Evaluation Criteria Project Leader
Application Security Specialist - Software Secured
Why Security Code Reviews:
Effectiveness of Security Controls Against Known Threats
Testing All Application Execution Paths
Find All Instances of a Certain Vulnerability
The Only Way to Find Certain Types of Vulnerabilities
Effective Remediation Instructions
OWASP Top 10 - 2010
A1. Injection
A2. Cross-Site Scripting
A3. Broken Authentication and Session Management
A4. Insecure Direct Object References
A5. Cross-Site Request Forgery
A6. Security Misconfiguration
A7. Insecure Cryptographic Storage
A9. Insufficient Transport Layer Protection
A8. Failure to Restrict URL Access
A10. Unvalidated Redirects and Forwards

OWASP Top 10 - 2013
A1. Injection
A3. Cross-Site Scripting
A2. Broken Authentication and Session Management
A4. Insecure Direct Object References
A6. Sensitive Data Exposure
A5. Security Misconfiguration
A7. Missing Function Level Access Control
A9. Using Known Vulnerable Components
A8. Cross-Site Request Forgery
A10. Unvalidated Redirects and Forwards

Legend: 2010 (unchanged) / Modified / New
Effective Application Security Assessment Process
Reconnaissance
Threat Assessment
Automation
Manual Review
Confirmation & PoC
Reporting
Checklist
Tools
Security Skills
What Needs Manual Review? This REALLY Matters!
Authentication & Authorization Controls
Encryption Modules
File Upload and Download Operations
Validation Controls / Input Filters
Security-Sensitive Application Logic
Authentication and Authorization Controls
WebMethods Don’t Follow the Regular ASP.NET Page Lifecycle
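As an added illustration of this slide's point (example code, not from the talk): a hypothetical ASP.NET Web Forms page whose role check lives in Page_Load, so a [WebMethod] page method called via AJAX never passes through it, beside the hardened version that repeats the check inside the method. The AccountAdmin page and the in-memory disabled-user set are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Services;
using System.Web.UI;

// Hypothetical page (AccountAdmin.aspx.cs), constructed for this example.
public partial class AccountAdmin : Page
{
    // Constructed in-memory stand-in for the real user store.
    private static readonly HashSet<string> DisabledUsers =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase);

    // Authorization check placed in the page lifecycle. It runs for normal
    // requests and postbacks, but page-method calls never reach it.
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!User.IsInRole("Admin"))
            throw new HttpException(403, "Forbidden");
    }

    // Vulnerable pattern: a [WebMethod] page method is dispatched directly by
    // the AJAX pipeline (ScriptManager with EnablePageMethods="true"), so
    // Page_Load and its role check are skipped for this entry point.
    [WebMethod]
    public static bool DisableUserUnprotected(string userName)
    {
        return DisabledUsers.Add(userName);
    }

    // Hardened pattern: the check is repeated inside the page method itself.
    // The method is static, so there is no Page.User; HttpContext.Current
    // carries the authenticated principal for the current request.
    [WebMethod]
    public static bool DisableUser(string userName)
    {
        var principal = HttpContext.Current?.User;
        if (principal == null
            || !principal.Identity.IsAuthenticated
            || !principal.IsInRole("Admin"))
        {
            throw new HttpException(403, "Forbidden");
        }
        if (string.IsNullOrWhiteSpace(userName))
            throw new ArgumentException("userName is required");
        return DisabledUsers.Add(userName);
    }
}
```

During a manual review, every static [WebMethod] in a code-behind file is therefore an entry point to check on its own, independent of whatever Page_Load or Page_Init enforce.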
Checklists Advance Technology
Aviation: Model 299 (1934): “Too much airplane for one man to fly”.
The B-17 bomber (successor to Model 299) gave the U.S. a major strategic advantage in WWII.
Intensive Care Units: Use of checklists brought down infection rates in Michigan by 66%.
Resources To Conduct Your Checklist
NIST Checklist Project
➡ http://checklists.nist.gov/
Mozilla’s Secure Coding QA Checklist
➡ https://wiki.mozilla.org/WebAppSec/Secure_Coding_QA_Checklist
Oracle’s Secure Coding Checklist
➡ http://www.oracle.com/technetwork/java/seccodeguide-139067.html
Reporting
Metadata
Thorough Description
Recommendation
Assign Appropriate Priority

Example finding:
SQL Injection:
Location: \source\ACMEPortal\updateinfo.aspx.cs (lines 51-53)
Description: The code below builds a dynamic SQL statement using unvalidated data (i.e. name), which can lead to SQL Injection.

    SqlDataAdapter myCommand = new SqlDataAdapter(
        "SELECT au_lname, au_fname FROM author WHERE au_id = '" + SSN.Text + "'",
        myConnection);

Priority: High
Recommendation: Use parameterized SQL instead of dynamic concatenation; refer to http://msdn.microsoft.com/en-us/library/ff648339.aspx for details.
Owner: John Smith
The 6-Points Strategy...
1. Drastic Changes Require Drastic Measures.
2. Cover The Basics First.
3. Focus on What Matters.
4. Get Your Hands Dirty.
5. Get Your B-17 Fix.
6. Finish Strong.
QUESTIONS? [email protected]