SECURE CODING
PART 1
ENTREPRENEUR | CISO ADVISOR | CYBERFEMINIST | PEERLYST BRAND AMBASSADOR | TOP 50 CYBER INFLUENCER | @RESPONSIBLE CYBER
MAGDA LILIA CHELLY
AGENDA
1. Introduction: What is security? How much security is necessary?
2. Security Framework
3. Design Principles - Least Privilege, Security vs. Obscurity
4. Good programming practices (OWASP TOP 10, CWE SANS TOP 25)
5. Practical Tools
6. Design (authentication, authorization, integrity)
7. C/C++ (buffer overflows, safe practices)
8. PHP (session handling, database)
9. OWASP TOP 10 Example SQL Injection
INTRODUCTION
Goal: Have a Guide for Secure Coding
When you are in charge of software development, ensure that you consider security:
• From the initial project requirements
• Throughout development
• Through deployment
• After deployment / During maintenance
SECURITY FRAMEWORK
I found the SD3 framework useful for getting an overview of your secure coding approach.
SECURE BY DESIGN
▪ Secure architecture and code
▪ Threat analysis
▪ Vulnerability reduction
SECURE BY DEFAULT
▪ Attack surface area reduced
▪ Unused features turned off by default
▪ Minimum privileges used
SECURE IN DEPLOYMENT
▪ Protection: detection, defence, recovery, management
▪ Process: architecture guides
▪ People: training
LEAST PRIVILEGE, SECURITY VS. OBSCURITY
Take into consideration:
OWASP TOP 10
"The Open Web Application Security Project (OWASP) is a 501(c) worldwide not-for-profit charitable organization focused on improving the security of software."
CWE SANS TOP 25
The CWE/SANS Top 25 Most Dangerous Software Errors is a list of the most critical programming errors that can lead to critical software vulnerabilities.
GOOD PROGRAMMING PRACTICES
Ensure that you:
▪ Raise security awareness of the design team with ongoing training
▪ Get security right during the design phase
▪ Define security goals
▪ Integrate security in all requirements
▪ Use threat modelling
GOOD PROGRAMMING PRACTICES
Be Aware of the Insecure Interaction Between Components
Source: https://www.slideshare.net/blueinfy/advanced-applicationsarchitecturethreats
PRACTICAL TOOLS
Below are a few of the tools that I have been using, which have also received positive feedback from industry professionals:
• Burp Suite https://portswigger.net/burp
"Burp or Burp Suite is a graphical tool for testing Web application security. The tool is written in Java and developed by PortSwigger Security."
• Veracode Static Analysis https://www.veracode.com/products/static-analysis-sast/static-code-analysis
"Static code analysis, also commonly called 'white-box' testing, is one of Veracode's code review tools that looks at applications in a non-runtime environment."
DESIGN (AUTHENTICATION, AUTHORIZATION, INTEGRITY)
He is "Yuri".
He has access to the web admin page.
DESIGN (AUTHENTICATION, AUTHORIZATION, INTEGRITY)
▪ Identification is the first step when a user connects. It identifies the user without authenticating him. This means that the user needs to be identified with a unique ID; each value should be unique, for accountability.
▪ Authentication relies on 3 general factors for authenticating a user:
• Something a person knows, e.g. passwords
• Something a person has, e.g. an access card
• Something a person is, e.g. biometrics
DESIGN (AUTHENTICATION, AUTHORIZATION, INTEGRITY)
▪ Authorization needs to be based on least privilege: access should be granted on a least-privilege basis.
▪ Integrity is an important aspect. Below are some of the important points to take into consideration:
• Secure Database access
• Log all activity
• Define unique identifier for database admins
C/C++ (BUFFER OVERFLOWS, SAFE PRACTICES)
Example: int arr[5];
▪ In the above example, 'arr' defines an array of 5 integers.
▪ Assuming the size of an integer is 4 bytes, the total buffer size of 'arr' is 5*4 = 20 bytes.
▪ arr[0] is the left boundary and arr[4] is the right boundary.
Buffer overflow example:
char buff[5];
buff[5] = 'a';
The valid indices of buff are 0 to 4, so the write to buff[5] lands one byte past the end of the buffer.
C/C++ (BUFFER OVERFLOWS, SAFE PRACTICES)
▪ A buffer overflow is mainly due to a lack of verification of the amount of data written into the buffer.
▪ An attacker can therefore write data beyond the end of the buffer.
▪ The problem is related to the fact that strcpy(), strcat() and sprintf() perform no range checking.
▪ Stack buffer overflows are the most common.
C/C++ (BUFFER OVERFLOWS, SAFE PRACTICES)
Prevention can be achieved through some of the practices below:
▪ Mark the stack (and heap) as non-executable. Note that even with a non-executable heap and stack, exploits are still possible using return-oriented programming.
▪ Randomize the stack location, i.e. address space layout randomization (ASLR). It may still be possible to inject self-contained code that uses relative memory references.
▪ Make sure that memory auditing is properly done (configure minimum and maximum memory).
C/C++ (BUFFER OVERFLOWS, SAFE PRACTICES)
▪ Use fgets() instead of gets()
fgets() has the prototype char *fgets(char *str, int n, FILE *stream). It reads input into the buffer str, writing at most n-1 characters plus a terminating null, and stops when:
1) The buffer is 1 shy of being full - or -
2) '\n' is encountered (the newline itself is stored in the buffer) - or -
3) The stream reaches an end-of-file condition - or -
4) An input error occurs.
gets() has no size argument, so it cannot stop at the end of the buffer.
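An added example (not code from the slides) that wraps fgets() to report which of the four stop conditions ended the read, and replaces strcpy() with a length-checked copy; read_line, bounded_copy and the status names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the slides). read_line() is a fgets() wrapper
 * that reports which stop condition ended the read; bounded_copy() is a
 * length-checked replacement for strcpy(). Names are my own. */

enum read_status { LINE_OK, LINE_TRUNCATED, LINE_EOF, LINE_ERROR };

/* Read one line into buf[size]. fgets() writes at most size-1 chars
 * plus the terminator, so the buffer itself can never overflow. */
enum read_status read_line(char *buf, size_t size, FILE *in)
{
    if (fgets(buf, (int)size, in) == NULL) {   /* conditions 3 and 4 */
        buf[0] = '\0';
        return ferror(in) ? LINE_ERROR : LINE_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {     /* condition 2 */
        buf[len - 1] = '\0';                   /* drop the kept newline */
        return LINE_OK;
    }
    /* Condition 1: buffer filled before a newline. Look at the next
     * byte to tell "line fit exactly" from "line was longer". */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return LINE_OK;
    /* Drain the rest of the over-long line so it cannot be read as the
     * start of the next input (a classic source of confused parsing). */
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;
    return LINE_TRUNCATED;
}

/* Bounded replacement for strcpy(): copies at most size-1 bytes and
 * always NUL-terminates. Returns 0 on success, -1 if src was cut. */
int bounded_copy(char *dst, size_t size, const char *src)
{
    if (size == 0)
        return -1;
    size_t n = 0;
    while (n < size && src[n] != '\0')         /* never read past size */
        n++;
    if (n == size) {                           /* src needs >= size bytes */
        memcpy(dst, src, size - 1);
        dst[size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);                   /* includes the NUL */
    return 0;
}
```

The caller sees a truncation as a status code instead of silently processing a cut-off value.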
C/C++ (BUFFER OVERFLOWS, SAFE PRACTICES)
▪ I owe you a proper explanation of buffer overflow, as in the last course I just mentioned an issue with the memory.
▪ I can't forget the funny story about buffalos related to buffer overflow. Comment if you want to know what it is about ;)
PHP (SESSION HANDLING, DATABASE)
Sessions keep track of the user with a unique ID.
Session handling security practices rely on the actions below:
▪ Store session data in a separate location
▪ Use built-in frameworks
▪ Encrypt session data
▪ "Secure" cookie attribute (send the cookie only over HTTPS)
▪ HttpOnly cookie attribute (not accessible to client-side scripts)
▪ Session ID renewal after a privilege change
PHP (SESSION HANDLING, DATABASE)
Database security practices rely on the actions below:
▪ Limit admin access to declared IP addresses
▪ Always use the .php extension for related files so that they are executed by the server rather than served as readable text
▪ Ensure that you do not save such .php files within the public folder
▪ Ensure that you create a separate database user for each application
OWASP TOP 10 SQL INJECTION
▪ SQL injection is a popular attack and a simple technique.
▪ It is based on code injection that affects your database: it can, for example, void transactions or change balances.
▪ It places a malicious SQL fragment into the query via an unvalidated web page input.
▪ It is very common in PHP and ASP applications.
OWASP TOP 10 SQL INJECTION
A SQL injection attack is achieved in two phases:
▪ Research: the attacker submits different unexpected values, analyses how the application responds, and defines an attack (identify injectable parameters, identify the database type and version, discover the database schema, etc.)
▪ Attack: the attacker injects a predefined and chosen value into the SQL query, and it is executed as part of a SQL command by the database (denial of service by locking or deleting tables, bypassing authentication, privilege escalation, etc.)
OWASP TOP 10 SQL INJECTION
SELECT accountnumber, balance FROM accounts WHERE accountowner_id = 24
This is a query to return the account balance for the user with the id 24.
If the attacker changes the user id parameter to 0 OR 1=1, the query becomes:
SELECT accountnumber, balance FROM accounts WHERE accountowner_id = 0 OR 1=1
Because 1=1 is true for every row, the result will return all the account numbers and their respective balances.
OWASP TOP 10 SQL INJECTION
I found an educational web application at http://www.techpanda.org/ that is vulnerable to SQL
Injection attacks for demonstration purposes only.
You can exploit the password field. By entering xxx') OR 1 = 1 -- ] in the password field, you get the
result and the details of the database.
OWASP TOP 10 SQL INJECTION
OWASP Mutillidae II Web Pen-Test Practice Application is another tool that you can use to practice.
"OWASP Mutillidae II is a free, open source, deliberately vulnerable web application providing a target for web security enthusiasts. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMPP. It is pre-installed on SamuraiWTF and OWASP BWA."
OWASP TOP 10 SQL INJECTION
Over time, several breaches have been carried out with a simple SQL injection. One example is the attack on Sony Pictures. In 2011, the PlayStation Network was also attacked with a SQL injection.
OWASP TOP 10 SQL INJECTION
The most common defences are:
▪ Neutralizing all special characters: escaping single quotes alone isn't enough to neutralize a SQL string.
▪ Input validation: ensure that your input is valid. If you're expecting letters, it shouldn't contain numbers or special characters; nor should a date of birth be allowed to be a sentence.
▪ Whitelisting technique: accept only values of the expected form and reject everything else.
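An added example (not code from the slides) applying the defences above to the accounts query: escape_single_quotes shows why quote escaping leaves the unquoted 0 OR 1=1 payload unchanged, and is_valid_owner_id whitelists the id as digits only before build_balance_query formats the query. Function names are mine; in practice a parameterised query remains the primary fix, and the whitelist is the input-validation layer in front of it.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
/* Added example (not from the slides): quote escaping alone leaves the
 * "0 OR 1=1" payload intact; a whitelist on value shape rejects it. */

/* Naive defence: double every single quote. Returns output length,
 * or -1 if the result does not fit in out[size]. */
int escape_single_quotes(char *out, size_t size, const char *in)
{
    size_t o = 0;
    for (; *in != '\0'; in++) {
        size_t need = (*in == '\'') ? 2 : 1;
        if (o + need >= size)
            return -1;
        if (*in == '\'')
            out[o++] = '\'';           /* ' becomes '' */
        out[o++] = *in;
    }
    out[o] = '\0';
    return (int)o;
}

/* Whitelist: an account-owner id is 1 to 9 ASCII digits, nothing else,
 * so spaces, letters or '=' (as in "0 OR 1=1") are refused outright. */
int is_valid_owner_id(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 9)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i]))
            return 0;
    return 1;
}

/* Build the slide's balance query only for a whitelisted id. Returns 0
 * and the query, or -1 (empty string for a rejected id). */
int build_balance_query(char *out, size_t size, const char *owner_id)
{
    if (size == 0)
        return -1;
    out[0] = '\0';
    if (!is_valid_owner_id(owner_id))
        return -1;
    int n = snprintf(out, size, "SELECT accountnumber, balance FROM accounts "
                     "WHERE accountowner_id = %s", owner_id);
    return (n < 0 || (size_t)n >= size) ? -1 : 0;   /* -1 if truncated */
}
```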