simplified security code review - bsidesquebec2013
Post on 25-Jan-2015
123 Views
Preview:
DESCRIPTION
TRANSCRIPT
Softwar S cur
Simplifying Secure Code Reviews
Sherif Koussasherif@softwaresecured.com
BSides Quebec 2013
Monday, 3 June, 13
Softwar S cur
Security Teams
Development Teams
Monday, 3 June, 13
Softwar S cur
Softwar S cur
2007 2009 2011 2013
Bio
Principal Consultant @ SoftwareSecured✓ Application Security Assessment✓ Application Security Assurance Program Implementation✓ Application Security Training
Monday, 3 June, 13
Softwar S cur
Take Aways
Monday, 3 June, 13
Softwar S cur
Take Aways
Role of Security Code Review
Monday, 3 June, 13
Softwar S cur
Take Aways
Role of Security Code Review Effective Process
Monday, 3 June, 13
Softwar S cur
Take Aways
Role of Security Code Review Effective Process
Simplified Process
Monday, 3 June, 13
Softwar S cur
Take Aways
Role of Security Code Review Effective Process
Simplified Process Key Tools to Use
Monday, 3 June, 13
Softwar S cur
What This Presentation is NOT...
➡ Ground Breaking Research➡ New Tool➡ How to Fix Vulnerabilities
Monday, 3 June, 13
Softwar S cur
What IS Security Code Review?
Monday, 3 June, 13
Softwar S cur
➡ The Inspection of Source Code to Find Security Weakness
What IS Security Code Review?
Monday, 3 June, 13
Softwar S cur
➡ The Inspection of Source Code to Find Security Weakness
➡ Integrated Activity into Software Development Lifecycle
What IS Security Code Review?
Monday, 3 June, 13
Softwar S cur
➡ The Inspection of Source Code to Find Security Weakness
➡ Integrated Activity into Software Development Lifecycle
➡ Cross-Team Integration ➡ Development Teams
➡ Security Teams
➡ Project\Risk Management
What IS Security Code Review?
Monday, 3 June, 13
Softwar S cur
➡ The Inspection of Source Code to Find Security Weakness
➡ Integrated Activity into Software Development Lifecycle
➡ Cross-Team Integration ➡ Development Teams
➡ Security Teams
➡ Project\Risk Management
➡ Systematic Approach to Uncover Security Flaws
What IS Security Code Review?
Monday, 3 June, 13
Softwar S cur
Why Security Code Reviews
Monday, 3 June, 13
Softwar S cur
Why Security Code Reviews
Effectiveness of Security Controls
Monday, 3 June, 13
Softwar S cur
Why Security Code Reviews
Effectiveness of Security Controls
Exercise all code paths
Monday, 3 June, 13
Softwar S cur
Why Security Code Reviews
Effectiveness of Security Controls
Exercise all code paths All instances of a vulnerability
Monday, 3 June, 13
Softwar S cur
Why Security Code Reviews
Effectiveness of Security Controls
Exercise all code paths All instances of a vulnerability
Find design flawsMonday, 3 June, 13
Softwar S cur
Why Security Code Reviews
Effectiveness of Security Controls
Exercise all code paths All instances of a vulnerability
Find design flaws Remediation InstructionsMonday, 3 June, 13
Softwar S cur
Effective Security Code Review Process
Monday, 3 June, 13
Softwar S cur
Effective Security Code Review Process
➡ Reconnaissance
Monday, 3 June, 13
Softwar S cur
Effective Security Code Review Process
➡ Reconnaissance➡ Threat Modeling
Monday, 3 June, 13
Softwar S cur
Effective Security Code Review Process
➡ Reconnaissance➡ Threat Modeling➡ Automation
Monday, 3 June, 13
Softwar S cur
Effective Security Code Review Process
➡ Reconnaissance➡ Threat Modeling➡ Automation➡ Manual Review
Monday, 3 June, 13
Softwar S cur
Effective Security Code Review Process
➡ Reconnaissance➡ Threat Modeling➡ Automation➡ Manual Review➡ Confirmation & Proof-Of-Concept
Monday, 3 June, 13
Softwar S cur
Effective Security Code Review Process
➡ Reconnaissance➡ Threat Modeling➡ Automation➡ Manual Review➡ Confirmation & Proof-Of-Concept➡ Reporting
Monday, 3 June, 13
Softwar S cur
Full SCR Process
Reconnaissance!
Threat Modeling !
Automation !
Manual Review !
Confirmation & PoC!
Reporting!
Checklists!
Tools!
Skills!
Monday, 3 June, 13
Softwar S cur
Full SCR Process
Reconnaissance!
Threat Modeling !
Automation !
Manual Review !
Confirmation & PoC!
Reporting!
Checklists!
Tools!
Skills!
•Business Goals•Technology Stack•Use Case Scenarios•Network Deployment
Monday, 3 June, 13
Softwar S cur
Full SCR Process
Reconnaissance!
Threat Modeling !
Automation !
Manual Review !
Confirmation & PoC!
Reporting!
Checklists!
Tools!
Skills!
•Business Goals•Technology Stack•Use Case Scenarios•Network Deployment
•Decompose Application•Attack Surface•Major Security Controls
Monday, 3 June, 13
Softwar S cur
Full SCR Process
Reconnaissance!
Threat Modeling !
Automation !
Manual Review !
Confirmation & PoC!
Reporting!
Checklists!
Tools!
Skills!
•Business Goals•Technology Stack•Use Case Scenarios•Network Deployment
•Decompose Application•Attack Surface•Major Security Controls
•Low Hanging Fruit•Hot Spots•Missed Functionalities•Abandoned Code
Monday, 3 June, 13
Softwar S cur
Full SCR Process
Reconnaissance!
Threat Modeling !
Automation !
Manual Review !
Confirmation & PoC!
Reporting!
Checklists!
Tools!
Skills!
•Business Goals•Technology Stack•Use Case Scenarios•Network Deployment
•Decompose Application•Attack Surface•Major Security Controls
•Low Hanging Fruit•Hot Spots•Missed Functionalities•Abandoned Code
•Security Controls•High Profile Code•Custom Rules
Monday, 3 June, 13
Softwar S cur
Full SCR Process
Reconnaissance!
Threat Modeling !
Automation !
Manual Review !
Confirmation & PoC!
Reporting!
Checklists!
Tools!
Skills!
•Business Goals•Technology Stack•Use Case Scenarios•Network Deployment
•Decompose Application•Attack Surface•Major Security Controls
•Low Hanging Fruit•Hot Spots•Missed Functionalities•Abandoned Code
•Security Controls•High Profile Code•Custom Rules
•Confirmation•Evidences
Monday, 3 June, 13
Softwar S cur
Full SCR Process
Reconnaissance!
Threat Modeling !
Automation !
Manual Review !
Confirmation & PoC!
Reporting!
Checklists!
Tools!
Skills!
•Business Goals•Technology Stack•Use Case Scenarios•Network Deployment
•Decompose Application•Attack Surface•Major Security Controls
•Low Hanging Fruit•Hot Spots•Missed Functionalities•Abandoned Code
•Security Controls•High Profile Code•Custom Rules
•Confirmation•Evidences
•Risk Rating•Role Based •Remediation Instructions
Monday, 3 June, 13
Softwar S cur
Simplified Security Code Review Process
Reconnaissance!
Threat Modeling !
Automation !
Manual Review !
Confirmation & PoC!
Reporting!
Checklists!
Tools !
Skills!
Monday, 3 June, 13
Softwar S cur
Simplified Security Code Review Process
Reconnaissance!
Threat Modeling !
Automation !
Manual Review !
Confirmation & PoC!
Reporting!
Checklists!
Tools !
Skills!
Monday, 3 June, 13
Softwar S cur
Simplified Security Code Review Process
Reconnaissance!
Threat Modeling !
Automation !
Manual Review !
Confirmation & PoC!
Reporting!
Checklists!
Tools !
Skills!
Automation
Manual Review Reporting
Checklists*
Tools*
OWASP*Top*10*
Trust*Boundary*Iden=fica=on*
Monday, 3 June, 13
Softwar S cur
Usages of Simplified Security Code Review
Automation
Manual Review Reporting
Checklists*
Tools*
OWASP*Top*10*
Trust*Boundary*Iden=fica=on*
➡ Ideal for Introducing Development Teams To Security Code Reviews
➡ Crossing The Gap Between Security and Development Teams
Monday, 3 June, 13
Softwar S cur
Skills - OWASP Top 10
➡ A1 Injection➡ A2 Broken Authentication and Session Management ➡ A3 Cross-Site Scripting (XSS) ➡ A4 Insecure Direct Object References➡ A5 Security Misconfiguration ➡ A6 Sensitive Data Exposure ➡ A7 Missing Function Level Access Control ➡ A8 Cross-Site Request Forgery (CSRF) ➡ A9 Using Known Vulnerable Components ➡ A10 Unvalidated Redirects and Forwards
Automation
Manual Review Reporting
Checklists*
Tools*
OWASP*Top*10*
Trust*Boundary*Iden=fica=on*
Monday, 3 June, 13
Softwar S cur
A1. Injection
A2. Cross-Site Scripting
A3. Broken Authentication and Session Management
A4. Insecure Direct Object References
A5. Cross-Site Request Forgery
A6. Security Misconfiguration
A7. Insecure Cryptographic Storage
A9. Insufficient Transport Layer Protection
A8. Failure to Restrict URL Access
A10. Unvalidated Redirects and Forwards
2010 Modified New
OWASP TOP 10 - 2010 OWASP TOP 10 - 2013
Monday, 3 June, 13
Softwar S cur
A1. Injection
A2. Cross-Site Scripting
A3. Broken Authentication and Session Management
A4. Insecure Direct Object References
A5. Cross-Site Request Forgery
A6. Security Misconfiguration
A7. Insecure Cryptographic Storage
A9. Insufficient Transport Layer Protection
A8. Failure to Restrict URL Access
A10. Unvalidated Redirects and Forwards
A1. Injection
A3. Cross-Site Scripting
A2. Broken Authentication and Session Management
A4. Insecure Direct Object References
A6. Sensitive Data Exposure
A5. Security Misconfiguration
A7. Missing Function Level Access Control
A9. Using Known Vulnerable Components
A8. Cross-Site Request Forgery
A10. Unvalidated Redirects and Forwards
2010 Modified New
OWASP TOP 10 - 2010 OWASP TOP 10 - 2013
Monday, 3 June, 13
Softwar S cur
A3
A6
A3
A6
A4
A1
A1 A3
A2
A9
A9
A1. Injection
A3. Cross-Site Scripting
A2. Broken Authentication and Session Management
A4. Insecure Direct Object References
A6. Sensitive Data Exposure
A5. Security Misconfiguration
A7. Missing Function Level Access Control
A9. Using Known Vulnerable Components
A8. Cross-Site Request Forgery
A10. Unvalidated Redirects and Forwards
OWASP TOP 10 - 2013
2010 Modified New
Veracode Report - 2011
Monday, 3 June, 13
Softwar S cur
A7
A10
A4
A1
A8
A4
A3
A9
A1
A1. Injection
A3. Cross-Site Scripting
A2. Broken Authentication and Session Management
A4. Insecure Direct Object References
A6. Sensitive Data Exposure
A5. Security Misconfiguration
A7. Missing Function Level Access Control
A9. Using Known Vulnerable Components
A8. Cross-Site Request Forgery
A10. Unvalidated Redirects and Forwards
OWASP TOP 10 - 2013Trustwave Report - 2013
2010 Modified New
Monday, 3 June, 13
Softwar S cur
A3
A6
A7
A1
A7
A2
A4
A7A4
A4
A2
A3
A1. Injection
A3. Cross-Site Scripting
A2. Broken Authentication and Session Management
A4. Insecure Direct Object References
A6. Sensitive Data Exposure
A5. Security Misconfiguration
A7. Missing Function Level Access Control
A9. Using Known Vulnerable Components
A8. Cross-Site Request Forgery
A10. Unvalidated Redirects and Forwards
OWASP TOP 10 - 2013Whitehat Report - 2012
2010 Modified New
Monday, 3 June, 13
Softwar S cur
Automation
Manual Review Reporting
Checklists*
Tools*
OWASP*Top*10*
Trust*Boundary*Iden=fica=on*
Define Trust Boundary
Monday, 3 June, 13
Softwar S cur
Trust Boundary - Example
Browser
SOAP Client
Mobile Client
Front Controller
Web Services
Admin Front Controller
LAN
DB
LDAP
File System
Internet
Busi
ness
Obj
ects
Dat
a A
cces
s La
yer
LAN
Browser
View
Monday, 3 June, 13
Softwar S cur
Trust Boundary - Example
Browser
SOAP Client
Mobile Client
Front Controller
Web Services
Admin Front Controller
LAN
DB
LDAP
File System
Internet
Busi
ness
Obj
ects
Dat
a A
cces
s La
yer
LAN
Browser
View
Monday, 3 June, 13
Softwar S cur
Trust Boundary - Example
Browser
SOAP Client
Mobile Client
Front Controller
Web Services
Admin Front Controller
LAN
DB
LDAP
File System
Internet
Busi
ness
Obj
ects
Dat
a A
cces
s La
yer
LAN
Browser
View
Monday, 3 June, 13
Softwar S cur
Trust Boundary - Example
Browser
SOAP Client
Mobile Client
Front Controller
Web Services
Admin Front Controller
LAN
DB
LDAP
File System
Internet
Busi
ness
Obj
ects
Dat
a A
cces
s La
yer
LAN
Browser
View
Monday, 3 June, 13
Softwar S cur
Trust Boundary - Example
Browser
SOAP Client
Mobile Client
Front Controller
Web Services
Admin Front Controller
LAN
DB
LDAP
File System
Internet
Busi
ness
Obj
ects
Dat
a A
cces
s La
yer
LAN
Browser
View
Monday, 3 June, 13
Softwar S cur
Trust Boundary - Example
Browser
SOAP Client
Mobile Client
Front Controller
Web Services
Admin Front Controller
LAN
DB
LDAP
File System
Internet
Busi
ness
Obj
ects
Dat
a A
cces
s La
yer
LAN
Browser
View
Monday, 3 June, 13
Softwar S cur
Trust Boundary - Example
Browser
SOAP Client
Mobile Client
Front Controller
Web Services
Admin Front Controller
LAN
DB
LDAP
File System
Internet
Busi
ness
Obj
ects
Dat
a A
cces
s La
yer
LAN
Browser
View
Monday, 3 June, 13
Softwar S cur
Trust Boundary - OWASP Top 10
Front Controller
Web Services
Admin Front Controller
LAN
DB
LDAP
File System
Busi
ness
Obj
ects
Dat
a A
cces
s La
yer
View
➡ A1 Injection➡ A2 Broken Authentication and Session Management ➡ A3 Cross-Site Scripting (XSS) ➡ A4 Insecure Direct Object References➡ A5 Security Misconfiguration ➡ A6 Sensitive Data Exposure ➡ A7 Missing Function Level Access Control ➡ A8 Cross-Site Request Forgery (CSRF) ➡ A9 Using Known Vulnerable Components ➡ A10 Unvalidated Redirects and Forwards
Monday, 3 June, 13
Softwar S cur
Trust Boundary - OWASP Top 10
Front Controller
Web Services
Admin Front Controller
LAN
DB
LDAP
File System
Busi
ness
Obj
ects
Dat
a A
cces
s La
yer
View
➡ A1 Injection➡ A2 Broken Authentication and Session Management ➡ A3 Cross-Site Scripting (XSS) ➡ A4 Insecure Direct Object References➡ A5 Security Misconfiguration ➡ A6 Sensitive Data Exposure ➡ A7 Missing Function Level Access Control ➡ A8 Cross-Site Request Forgery (CSRF) ➡ A9 Using Known Vulnerable Components ➡ A10 Unvalidated Redirects and Forwards
A1
Monday, 3 June, 13
Softwar S cur
Trust Boundary - OWASP Top 10
Front Controller
Web Services
Admin Front Controller
LAN
DB
LDAP
File System
Busi
ness
Obj
ects
Dat
a A
cces
s La
yer
View
➡ A1 Injection➡ A2 Broken Authentication and Session Management ➡ A3 Cross-Site Scripting (XSS) ➡ A4 Insecure Direct Object References➡ A5 Security Misconfiguration ➡ A6 Sensitive Data Exposure ➡ A7 Missing Function Level Access Control ➡ A8 Cross-Site Request Forgery (CSRF) ➡ A9 Using Known Vulnerable Components ➡ A10 Unvalidated Redirects and Forwards
A1
A2
A2
A2
Monday, 3 June, 13
Softwar S cur
Trust Boundary - OWASP Top 10
Front Controller
Web Services
Admin Front Controller
LAN
DB
LDAP
File System
Busi
ness
Obj
ects
Dat
a A
cces
s La
yer
View
➡ A1 Injection➡ A2 Broken Authentication and Session Management ➡ A3 Cross-Site Scripting (XSS) ➡ A4 Insecure Direct Object References➡ A5 Security Misconfiguration ➡ A6 Sensitive Data Exposure ➡ A7 Missing Function Level Access Control ➡ A8 Cross-Site Request Forgery (CSRF) ➡ A9 Using Known Vulnerable Components ➡ A10 Unvalidated Redirects and Forwards
A1
A2
A2
A2
A3
Monday, 3 June, 13
Softwar S cur
Trust Boundary - OWASP Top 10
Front Controller
Web Services
Admin Front Controller
LAN
DB
LDAP
File System
Busi
ness
Obj
ects
Dat
a A
cces
s La
yer
View
➡ A1 Injection➡ A2 Broken Authentication and Session Management ➡ A3 Cross-Site Scripting (XSS) ➡ A4 Insecure Direct Object References➡ A5 Security Misconfiguration ➡ A6 Sensitive Data Exposure ➡ A7 Missing Function Level Access Control ➡ A8 Cross-Site Request Forgery (CSRF) ➡ A9 Using Known Vulnerable Components ➡ A10 Unvalidated Redirects and Forwards
A1
A2
A2
A2
A3
A4
A4
Monday, 3 June, 13
Softwar S cur
Trust Boundary - OWASP Top 10
Front Controller
Web Services
Admin Front Controller
LAN
DB
LDAP
File System
Busi
ness
Obj
ects
Dat
a A
cces
s La
yer
View
➡ A1 Injection➡ A2 Broken Authentication and Session Management ➡ A3 Cross-Site Scripting (XSS) ➡ A4 Insecure Direct Object References➡ A5 Security Misconfiguration ➡ A6 Sensitive Data Exposure ➡ A7 Missing Function Level Access Control ➡ A8 Cross-Site Request Forgery (CSRF) ➡ A9 Using Known Vulnerable Components ➡ A10 Unvalidated Redirects and Forwards
A1
A2
A2
A2
A3
A4
A5
A4
Monday, 3 June, 13
Softwar S cur
Trust Boundary - OWASP Top 10
Front Controller
Web Services
Admin Front Controller
LAN
DB
LDAP
File System
Busi
ness
Obj
ects
Dat
a A
cces
s La
yer
View
➡ A1 Injection➡ A2 Broken Authentication and Session Management ➡ A3 Cross-Site Scripting (XSS) ➡ A4 Insecure Direct Object References➡ A5 Security Misconfiguration ➡ A6 Sensitive Data Exposure ➡ A7 Missing Function Level Access Control ➡ A8 Cross-Site Request Forgery (CSRF) ➡ A9 Using Known Vulnerable Components ➡ A10 Unvalidated Redirects and Forwards
A1
A2
A2
A2
A3
A4
A5
A4
A6
A6
Monday, 3 June, 13
Softwar S cur
Trust Boundary - OWASP Top 10
Front Controller
Web Services
Admin Front Controller
LAN
DB
LDAP
File System
Busi
ness
Obj
ects
Dat
a A
cces
s La
yer
View
➡ A1 Injection➡ A2 Broken Authentication and Session Management ➡ A3 Cross-Site Scripting (XSS) ➡ A4 Insecure Direct Object References➡ A5 Security Misconfiguration ➡ A6 Sensitive Data Exposure ➡ A7 Missing Function Level Access Control ➡ A8 Cross-Site Request Forgery (CSRF) ➡ A9 Using Known Vulnerable Components ➡ A10 Unvalidated Redirects and Forwards
A1
A2
A2
A2
A3
A4
A5
A4
A6
A7
A6
Monday, 3 June, 13
Softwar S cur
Trust Boundary - OWASP Top 10
Front Controller
Web Services
Admin Front Controller
LAN
DB
LDAP
File System
Busi
ness
Obj
ects
Dat
a A
cces
s La
yer
View
➡ A1 Injection➡ A2 Broken Authentication and Session Management ➡ A3 Cross-Site Scripting (XSS) ➡ A4 Insecure Direct Object References➡ A5 Security Misconfiguration ➡ A6 Sensitive Data Exposure ➡ A7 Missing Function Level Access Control ➡ A8 Cross-Site Request Forgery (CSRF) ➡ A9 Using Known Vulnerable Components ➡ A10 Unvalidated Redirects and Forwards
A1
A2
A2
A2
A3
A4
A5
A4
A6
A7A8
A6
Monday, 3 June, 13
Softwar S cur
Trust Boundary - OWASP Top 10
Front Controller
Web Services
Admin Front Controller
LAN
DB
LDAP
File System
Busi
ness
Obj
ects
Dat
a A
cces
s La
yer
View
➡ A1 Injection➡ A2 Broken Authentication and Session Management ➡ A3 Cross-Site Scripting (XSS) ➡ A4 Insecure Direct Object References➡ A5 Security Misconfiguration ➡ A6 Sensitive Data Exposure ➡ A7 Missing Function Level Access Control ➡ A8 Cross-Site Request Forgery (CSRF) ➡ A9 Using Known Vulnerable Components ➡ A10 Unvalidated Redirects and Forwards
A1
A2
A2
A2
A3
A4
A5
A4
A6
A7A8
A10
A10
A6A9 A9
A9
A9
A9
Monday, 3 June, 13
Softwar S cur
How Can You Identify Trust Boundary?
Monday, 3 June, 13
Softwar S cur
How Can You Identify Trust Boundary?
➡ File Extensions: *.jsp, *.aspx.cs, *.sql, *.txt, *DAL.*, etc
Monday, 3 June, 13
Softwar S cur
How Can You Identify Trust Boundary?
➡ File Extensions: *.jsp, *.aspx.cs, *.sql, *.txt, *DAL.*, etc
➡ Implementations: HttpServlet, JAXMServlet, *.master.cs, etc
Monday, 3 June, 13
Softwar S cur
How Can You Identify Trust Boundary?
➡ File Extensions: *.jsp, *.aspx.cs, *.sql, *.txt, *DAL.*, etc
➡ Implementations: HttpServlet, JAXMServlet, *.master.cs, etc
➡ Imports: Import System.Data.SqlClient, import javax.servlet.http.*, etc
Monday, 3 June, 13
Softwar S cur
How Can You Identify Trust Boundary?
➡ File Extensions: *.jsp, *.aspx.cs, *.sql, *.txt, *DAL.*, etc
➡ Implementations: HttpServlet, JAXMServlet, *.master.cs, etc
➡ Imports: Import System.Data.SqlClient, import javax.servlet.http.*, etc
➡ Tools: Spiders’ output
Monday, 3 June, 13
Softwar S cur
How Can You Identify Trust Boundary?
➡ File Extensions: *.jsp, *.aspx.cs, *.sql, *.txt, *DAL.*, etc
➡ Implementations: HttpServlet, JAXMServlet, *.master.cs, etc
➡ Imports: Import System.Data.SqlClient, import javax.servlet.http.*, etc
➡ Tools: Spiders’ output
➡ Annotations: @WebMethods, @WebService
Monday, 3 June, 13
Softwar S cur
Making Unsecure Code Look Unsecure - cc/Joel Spolsky
➡ Physical Source Code Separation.
➡ File Naming Scheme:
➡ Trust Boundary Safe: tbsProcessNameChange.java
➡ Trust Boundary UnSafe: tbuEditProfile.jsp
➡ Variable Naming Convention:
➡ String usEmail = Request.getParameter(“email”);
➡ String sEmail = Validate(Request.getParameter(“email”);
Monday, 3 June, 13
Softwar S cur
Automation
Manual Review Reporting
Checklists*
Tools*
OWASP*Top*10*
Trust*Boundary*Iden=fica=on*
Automation
Monday, 3 June, 13
Softwar S cur
Automation Static Code Analysis
Pros Cons
Scales Well False Positives
Low Hanging Fruit Application Logic Issues
Could Be Customized Collections
Frameworks
Monday, 3 June, 13
Softwar S cur
Scripts
➡ Compliment Static Code Analysis Tools.➡ 3rd Party Libraries Discovery.➡ Data Input Sources (e,g. web services)➡ Tracing Data Through Collections (e.g.
Session, Request, Collection)
Monday, 3 June, 13
Softwar S cur
Automation
Manual Review Reporting
Checklists*
Tools*
OWASP*Top*10*
Trust*Boundary*Iden=fica=on*
Manual Review
Monday, 3 June, 13
Softwar S cur
What Needs to Be Manually Reviewed?
➡ Authentication & Authorization Controls➡ Encryption Modules➡ File Upload and Download Operations➡ Validation Controls\Input Filters➡ Security-Sensitive Application Logic
Monday, 3 June, 13
Softwar S cur
Authentication & Authorization Flaws
Monday, 3 June, 13
Softwar S cur
Authentication & Authorization Flaws
Monday, 3 June, 13
Softwar S cur
Authentication & Authorization Flaws
Web Methods Do Not Follow Regular ASP.NET Page Life Cycle
Monday, 3 June, 13
Softwar S cur
Authentication & Authorization Flaws
Web Methods Do Not Follow Regular ASP.NET Page Life Cycle
Monday, 3 June, 13
Softwar S cur
Encryption Flaws
Monday, 3 June, 13
Softwar S cur
Encryption Flaws
Monday, 3 June, 13
Softwar S cur
Encryption FlawsReturn value is
initialized
Monday, 3 June, 13
Softwar S cur
Encryption FlawsReturn value is
initialized
Monday, 3 June, 13
Softwar S cur
Encryption FlawsReturn value is
initialized
Monday, 3 June, 13
Softwar S cur
Encryption FlawsReturn value is
initialized
Classic fail-open scenario
Monday, 3 June, 13
Softwar S cur
File Upload\Download Flaws
Monday, 3 June, 13
Softwar S cur
File Upload\Download Flaws
Monday, 3 June, 13
Softwar S cur
File Upload\Download FlawsThe value gets validated
first time around
Monday, 3 June, 13
Softwar S cur
File Upload\Download FlawsThe value gets validated
first time around
File path saved into a hidden field
Monday, 3 June, 13
Softwar S cur
File Upload\Download FlawsThe value gets validated
first time around
File path saved into a hidden field
File path is not validated on post back
Monday, 3 June, 13
Softwar S cur
File Upload\Download FlawsThe value gets validated
first time around
File path saved into a hidden field
File path is not validated on post back
Path used without validation
Monday, 3 June, 13
Softwar S cur
Automation
Manual Review Reporting
Checklists*
Tools*
OWASP*Top*10*
Trust*Boundary*Iden=fica=on*
Reporting
Monday, 3 June, 13
Softwar S cur
Reporting
➡ Weakness Metadata➡ Thorough Description➡ Recommendation➡ Assign Priority
SQL Injection:
Location: \source\ACMEPortal\updateinfo.aspx.cs:
Description: The code below is build dynamic sql statement using unvalidated data (i.e. name) which can lead to SQL Injection
51 SqlDataAdapter myCommand = new SqlDataAdapter( 52 "SELECT au_lname, au_fname FROM author WHERE au_id = '" + 53 SSN.Text + "'", myConnection);
Priority: High
Recommendation: Use paramaterized SQL instead of dynamic concatenation, refer to http://msdn.microsoft.com/en-us/library/ff648339.aspx for details.
Owner: John Smith
Monday, 3 June, 13
Softwar S cur
Confirmation & PoC
Monday, 3 June, 13
Softwar S cur
Confirmation & PoC
Monday, 3 June, 13
Softwar S cur
Confirmation & PoC
Monday, 3 June, 13
Softwar S cur
Confirmation & PoC
Monday, 3 June, 13
Softwar S cur
Automation
Manual Review Reporting
Checklists*
Tools*
OWASP*Top*10*
Trust*Boundary*Iden=fica=on*
Tools
Monday, 3 June, 13
Softwar S cur
Security Code Review Tools
➡ Static Code Analysis➡ Free: (FindBugs, PMD, CAT.net, PCLint, etc)
➡ Commercial: (Static Code Tools Evaluation Criteria - WASC)
➡ 3rd Party Libraries: (DependencyCheck - https://github.com/jeremylong/DependencyCheck)
➡ Scripts
Monday, 3 June, 13
Softwar S cur
Open-Source Static Code Analysis Tools
Java
.NET
C++Monday, 3 June, 13
Softwar S cur
Automation
Manual Review Reporting
Checklists*
Tools*
OWASP*Top*10*
Trust*Boundary*Iden=fica=on*
Checklists
Monday, 3 June, 13
Softwar S cur
Usage of checklists
➡ Aviation: led the modern airplanes evolution after Major Hill’s famous 1934 incident
➡ ICU: usage of checklists brought down infection rates in Michigan by 66%
Monday, 3 June, 13
Softwar S cur
Security Code Review Checklist
➡ Data Validation and Encoding Controls➡ Encryption Controls➡ Authentication and Authorization Controls➡ Session Management➡ Exception Handling➡ Auditing and Logging➡ Security Configurations
Monday, 3 June, 13
Softwar S cur
Resources To Conduct Your Checklist
➡ NIST Checklist Project - http://checklists.nist.gov/➡ Mozilla’s Secure Coding QA Checklist - https://
wiki.mozilla.org/WebAppSec/Secure_Coding_QA_Checklist
➡ Oracle’s Secure Coding Checklist - http://www.oracle.com/technetwork/java/seccodeguide-139067.html
Monday, 3 June, 13
Softwar S cur
Simplified Security Code Review Process
Reconnaissance!
Threat Modeling !
Automation !
Manual Review !
Confirmation & PoC!
Reporting!
Checklists!
Tools !
Skills!
Automation
Manual Review Reporting
Checklists*
Tools*
OWASP*Top*10*
Trust*Boundary*Iden=fica=on*
Monday, 3 June, 13
Softwar S cur
Softwar S cur
QUESTIONS?@skoussa
sherif.koussa@owasp.orgsherif@softwaresecured.com
Monday, 3 June, 13
top related