Secure Software Development Mini Zeng University of Alabama in Huntsville 1

Post on 25-Dec-2015


Page 1: Secure Software Development Mini Zeng University of Alabama in Huntsville 1

Secure Software Development

Mini Zeng, University of Alabama in Huntsville

1

Page 2

Outline

Introduction

Sample project ShareAlbum

Step by step instructions

Errors and mitigations

Discussion

2

Page 3

Introduction

Common Weakness Enumeration (CWE) provides a unified, measurable set of software weaknesses.

The 2011 CWE/SANS Top 25 Most Dangerous Software Errors is a list of the most widespread and critical errors that can lead to serious vulnerabilities in software.

3

Page 4

Step by Step Instructions: STEP 1

STEP 1: Go through the CWE website and identify the potential software errors that exist in the program, using the brief list of the Top 25 Most Dangerous Software Errors. Automated tools such as RIPS can be used to establish a raw error list.

CWE-79: Cross-site Scripting
CWE-89: SQL Injection
CWE-862: Missing Authorization
CWE-798: Use of Hard-coded Credentials
CWE-311: Missing Encryption of Sensitive Data
CWE-434: Unrestricted Upload of File with Dangerous Type
CWE-22: Path Traversal
CWE-759: Use of a One-Way Hash without a Salt
CWE-327: Use of a Broken or Risky Cryptographic Algorithm

4

Page 5

Step by Step Instructions: STEP 2

STEP 2: For each error, check its summary to find the errors with high attacker awareness, frequent attacks, and a low or medium cost to prevent (that is, to fix in the first place).

5

Page 6

Step by Step Instructions: Example

6

Page 7

Step by Step Instructions: STEP 3

STEP 3: Check the Technical Details sections of the errors and select the list of errors to mitigate.

Check the applicable platform section to find out whether the error applies to your application.

Check the code examples in the Technical Details; they are often helpful.

STEP 4: Decide on mitigation approaches, document the list of errors to fix, and go through all your project code to mitigate them.

7

Page 8

Errors and Mitigations: CWE-79

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

If you are not careful, attackers may inject JavaScript or other browser-executable script into your web page.

8
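The mitigation the slide points at is output encoding for the context the untrusted value lands in. The following is an added example, not code from the slides or from the ShareAlbum project, written in Python as an illustration language; the caption, filename and page fragments are constructed here, and the function names are hypothetical.

```python
import html

# Constructed sample input: a photo caption and a filename as a user might
# submit them to a ShareAlbum-style gallery (hypothetical; not from the slides).
MALICIOUS_CAPTION = '<script>alert("xss")</script>'
MALICIOUS_FILENAME = 'cat.jpg" onerror="alert(1)'


def render_caption_vulnerable(caption: str) -> str:
    """CWE-79: the untrusted caption is interpolated straight into the HTML."""
    return f"<p class='caption'>{caption}</p>"


def render_caption_safe(caption: str) -> str:
    """Mitigation: HTML-encode untrusted text for the element-body context."""
    return f"<p class='caption'>{html.escape(caption, quote=True)}</p>"


def render_img_safe(filename: str) -> str:
    """Attribute context: always quote the attribute and encode quotes too,
    so the value cannot terminate the attribute and start a new one."""
    return f'<img src="/albums/{html.escape(filename, quote=True)}" alt="">'


def has_raw_script_tag(markup: str) -> bool:
    """Demo check: does the output still contain a literal <script tag?"""
    return "<script" in markup.lower()
```

Encoding is context dependent: the HTML entity encoding shown here covers element bodies and quoted attributes, but a value placed inside a script block or a URL needs the encoding for that context instead, and a template engine that escapes by default removes most of the opportunities to forget.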

Page 9

Errors and Mitigations: CWE-89

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

If attackers can influence the SQL that you use to communicate with your database, then suddenly all your fun and profit belongs to them.

9
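The standard mitigation is to keep untrusted input out of the SQL text by binding it as a parameter. The following is an added example, not code from the slides or the ShareAlbum project, written in Python against an in-memory SQLite database; the albums table, its rows and the function names are constructed for the demonstration.

```python
import sqlite3


def make_sample_db() -> sqlite3.Connection:
    """Constructed in-memory sample: an albums table for a ShareAlbum-style app
    (hypothetical schema and rows, not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE albums (id INTEGER PRIMARY KEY, owner TEXT, title TEXT, private INTEGER)"
    )
    conn.executemany(
        "INSERT INTO albums (owner, title, private) VALUES (?, ?, ?)",
        [("alice", "Holiday", 0), ("alice", "Passport scans", 1), ("bob", "Cats", 0)],
    )
    return conn


def public_albums_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """CWE-89: the owner name from the request is concatenated into the SQL text,
    so quotes and operators inside it are parsed as SQL and can widen the WHERE
    clause to return rows the caller was never meant to see."""
    sql = f"SELECT title FROM albums WHERE owner = '{owner}' AND private = 0 ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def public_albums_safe(conn: sqlite3.Connection, owner: str) -> list:
    """Mitigation: a parameterized query. The driver binds the value as data;
    it is never part of the SQL grammar, whatever characters it contains."""
    sql = "SELECT title FROM albums WHERE owner = ? AND private = 0 ORDER BY id"
    return [row[0] for row in conn.execute(sql, (owner,))]
```

With the same input, the concatenated version returns private albums and other users' albums, while the parameterized version simply finds no owner with that literal name. Parameter binding is the fix; escaping or filtering quotes is not a substitute.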

Page 10

Errors and Mitigations: CWE-862

CWE-862: Missing Authorization. Users are often assigned different privileges. Programmers did not perform an authorization check to make sure that the user is allowed to perform the requested action.

10
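The distinction the slide relies on is between authentication (is someone logged in?) and authorization (may this user do this to this object?). The following is an added example, not code from the slides or the ShareAlbum project, written in Python; the users, albums, admin set and function names are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Album:
    album_id: int
    owner: str
    private: bool


# Constructed sample data for a ShareAlbum-style app (hypothetical users and albums).
ALBUMS: Dict[int, Album] = {
    1: Album(1, "alice", private=False),
    2: Album(2, "alice", private=True),
}
ADMINS = {"carol"}


def delete_album_vulnerable(current_user: Optional[str], album_id: int) -> bool:
    """CWE-862: the handler only checks that *someone* is logged in (authentication)
    and never asks whether this user may delete this album (authorization).
    Returns True when the delete would be carried out."""
    if current_user is None:
        return False
    return album_id in ALBUMS


def can_modify(current_user: str, album: Album) -> bool:
    """Authorization rule: the owner and administrators may modify an album."""
    return current_user == album.owner or current_user in ADMINS


def delete_album_safe(current_user: Optional[str], album_id: int) -> bool:
    """Mitigation: authenticate, then authorize on the server for every request.
    Look the object up, then check this user's rights on this object."""
    if current_user is None:
        return False
    album = ALBUMS.get(album_id)
    return album is not None and can_modify(current_user, album)


def can_view(current_user: Optional[str], album_id: int) -> bool:
    """Read access: public albums are open; private ones only to owner and admins."""
    album = ALBUMS.get(album_id)
    if album is None:
        return False
    if not album.private:
        return True
    return current_user is not None and can_modify(current_user, album)
```

The check belongs in the server-side handler for each request; hiding the delete button in the page for non-owners is presentation, not authorization, since the request can be sent without the button.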

Page 11

Discussion

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

CWE-434: Unrestricted Upload of File with Dangerous Type.

CWE-311: Missing Encryption of Sensitive Data.

CWE-798: Use of Hard-coded Credentials. Hard-coding credentials may be convenient while coding.

CWE-759: Use of a One-Way Hash without a Salt.

CWE-327: Use of a Broken or Risky Cryptographic Algorithm.

11
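Four of the items in the list above (CWE-22, CWE-434, CWE-759 and CWE-327) have compact standard mitigations that fit one example. The following is added code, not from the slides or the ShareAlbum project, written in Python; the upload root, the extension allow-list and the function names are constructed for the demonstration, and the legacy unsalted-MD5 routine is included only as the "before" that CWE-759 and CWE-327 describe.

```python
import hashlib
import hmac
import os
import posixpath
import secrets
from typing import Optional

# Constructed settings for a ShareAlbum-style upload feature (hypothetical paths).
UPLOAD_ROOT = "/srv/sharealbum/uploads"
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def resolve_upload_path(album: str, filename: str) -> Optional[str]:
    """CWE-22 mitigation: join, normalize, then require the result to stay
    inside UPLOAD_ROOT. Returns None when the request must be rejected."""
    candidate = posixpath.normpath(posixpath.join(UPLOAD_ROOT, album, filename))
    if not candidate.startswith(UPLOAD_ROOT + "/"):
        return None
    return candidate


def accept_upload(album: str, client_filename: str) -> Optional[str]:
    """CWE-434 mitigation: allow-list the extension and never store the file under
    the client's name; the server picks a random name and keeps only the extension.
    Checking the extension alone is not sufficient: also serve uploads from a
    location that never executes scripts, and verify the content itself."""
    ext = posixpath.splitext(client_filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    stored_name = secrets.token_hex(8) + ext
    return resolve_upload_path(album, stored_name)


def hash_password_legacy(password: str) -> str:
    """CWE-759 and CWE-327 together: unsalted MD5. Equal passwords give equal
    hashes (precomputed tables work) and MD5 is broken and very fast to brute-force."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Mitigation: a per-user random salt and a slow, standard password KDF
    (PBKDF2-HMAC-SHA256 from the standard library). The algorithm, work factor
    and salt are stored with the digest so the parameters can be raised later."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    try:
        iterations, salt = int(parts[1]), bytes.fromhex(parts[2])
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest.hex(), parts[3])
```

The path check works on the normalized result rather than on the input, so `..` segments, absolute paths and encoded variants that decode to them are all caught by the same containment test. For passwords, the salt makes identical passwords hash differently and the iteration count makes each guess expensive; a dedicated password hash such as bcrypt, scrypt or Argon2 is an equally good choice where a library for it is available.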

Page 12

Thanks

12