simplified security code review process

Simplifying Secure Code Reviews
Sherif Koussa, Software Secured, [email protected]
BSides Quebec 2013
Monday, 3 June, 13

Upload: sherif-koussa

Post on 22-Nov-2014



Security Teams

Development Teams

[Timeline on slide: 2007, 2009, 2011, 2013]

Bio

Principal Consultant @ SoftwareSecured
✓ Application Security Assessment
✓ Application Security Assurance Program Implementation
✓ Application Security Training


Take Aways

➡ Role of Security Code Review
➡ Effective Process
➡ Simplified Process
➡ Key Tools to Use

What This Presentation is NOT...

➡ Ground Breaking Research
➡ New Tool
➡ How to Fix Vulnerabilities


What IS Security Code Review?

➡ The Inspection of Source Code to Find Security Weakness
➡ Integrated Activity into Software Development Lifecycle
➡ Cross-Team Integration
    ➡ Development Teams
    ➡ Security Teams
    ➡ Project\Risk Management
➡ Systematic Approach to Uncover Security Flaws


Why Security Code Reviews

➡ Effectiveness of Security Controls
➡ Exercise all code paths
➡ All instances of a vulnerability
➡ Find design flaws
➡ Remediation Instructions


Effective Security Code Review Process

➡ Reconnaissance
➡ Threat Modeling
➡ Automation
➡ Manual Review
➡ Confirmation & Proof-Of-Concept
➡ Reporting


Full SCR Process

Reconnaissance       • Business Goals • Technology Stack • Use Case Scenarios • Network Deployment
Threat Modeling      • Decompose Application • Attack Surface • Major Security Controls
Automation           • Low Hanging Fruit • Hot Spots • Missed Functionalities • Abandoned Code
Manual Review        • Security Controls • High Profile Code • Custom Rules
Confirmation & PoC   • Confirmation • Evidence
Reporting            • Risk Rating • Role Based • Remediation Instructions

Supporting every phase: Checklists, Tools, Skills


Simplified Security Code Review Process

Full process: Reconnaissance, Threat Modeling, Automation, Manual Review, Confirmation & PoC, Reporting (supported by Checklists, Tools, Skills)

Simplified process keeps three phases:
  Automation → Manual Review → Reporting

Supported by:
  Checklists
  Tools
  Skills: OWASP Top 10, Trust Boundary Identification

Usages of Simplified Security Code Review

➡ Ideal for Introducing Development Teams To Security Code Reviews
➡ Crossing The Gap Between Security and Development Teams

Skills - OWASP Top 10

➡ A1 Injection
➡ A2 Broken Authentication and Session Management
➡ A3 Cross-Site Scripting (XSS)
➡ A4 Insecure Direct Object References
➡ A5 Security Misconfiguration
➡ A6 Sensitive Data Exposure
➡ A7 Missing Function Level Access Control
➡ A8 Cross-Site Request Forgery (CSRF)
➡ A9 Using Known Vulnerable Components
➡ A10 Unvalidated Redirects and Forwards


OWASP TOP 10 - 2010 vs OWASP TOP 10 - 2013

OWASP TOP 10 - 2010                                  OWASP TOP 10 - 2013
A1. Injection                                        A1. Injection
A2. Cross-Site Scripting                             A2. Broken Authentication and Session Management
A3. Broken Authentication and Session Management     A3. Cross-Site Scripting
A4. Insecure Direct Object References                A4. Insecure Direct Object References
A5. Cross-Site Request Forgery                       A5. Security Misconfiguration
A6. Security Misconfiguration                        A6. Sensitive Data Exposure
A7. Insecure Cryptographic Storage                   A7. Missing Function Level Access Control
A8. Failure to Restrict URL Access                   A8. Cross-Site Request Forgery
A9. Insufficient Transport Layer Protection          A9. Using Known Vulnerable Components
A10. Unvalidated Redirects and Forwards              A10. Unvalidated Redirects and Forwards

(Legend on slide: 2010 | Modified | New)

[Charts: industry vulnerability statistics mapped onto the OWASP TOP 10 - 2013 categories]
  Veracode Report - 2011: entries labelled A1, A2, A3, A4, A6, A9
  Trustwave Report - 2013: entries labelled A1, A3, A4, A7, A8, A9, A10
  Whitehat Report - 2012: entries labelled A1, A2, A3, A4, A6, A7
(Legend on slide: 2010 | Modified | New)

Define Trust Boundary

Trust Boundary - Example

[Diagram: clients on the Internet (Browser, SOAP Client, Mobile Client) and on the LAN (Browser) reach the Front Controller, Web Services and Admin Front Controller; behind them sit the View, Business Objects and Data Access Layer, with DB, LDAP and File System on the LAN. Each crossing between these zones is a trust boundary.]



Trust Boundary - OWASP Top 10

[Diagram: the example architecture (Front Controller, Web Services, Admin Front Controller, View, Business Objects, Data Access Layer, and DB, LDAP and File System on the LAN) annotated with OWASP Top 10 - 2013 category labels at the components and boundaries where each class of weakness is reviewed; A2, A4, A6, A9 and A10 are placed at more than one point.]

➡ A1 Injection
➡ A2 Broken Authentication and Session Management
➡ A3 Cross-Site Scripting (XSS)
➡ A4 Insecure Direct Object References
➡ A5 Security Misconfiguration
➡ A6 Sensitive Data Exposure
➡ A7 Missing Function Level Access Control
➡ A8 Cross-Site Request Forgery (CSRF)
➡ A9 Using Known Vulnerable Components
➡ A10 Unvalidated Redirects and Forwards


How Can You Identify Trust Boundary?

➡ File Extensions: *.jsp, *.aspx.cs, *.sql, *.txt, *DAL.*, etc.
➡ Implementations: HttpServlet, JAXMServlet, *.master.cs, etc.
➡ Imports: Import System.Data.SqlClient, import javax.servlet.http.*, etc.
➡ Tools: Spiders' output
➡ Annotations: @WebMethod, @WebService

Making Unsecure Code Look Unsecure - cc/Joel Spolsky

➡ Physical Source Code Separation.
➡ File Naming Scheme:
    ➡ Trust Boundary Safe: tbsProcessNameChange.java
    ➡ Trust Boundary UnSafe: tbuEditProfile.jsp
➡ Variable Naming Convention:
    ➡ String usEmail = Request.getParameter("email");
    ➡ String sEmail = Validate(Request.getParameter("email"));

Automation

Automation - Static Code Analysis

Pros                   Cons
Scales Well            False Positives
Low Hanging Fruit      Application Logic Issues
Could Be Customized    Collections
                       Frameworks

Scripts

➡ Complement Static Code Analysis Tools.
➡ 3rd Party Libraries Discovery.
➡ Data Input Sources (e.g. web services)
➡ Tracing Data Through Collections (e.g. Session, Request, Collection)
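The kind of script the last two slides describe, written as an added example rather than anything from the talk: it walks a source tree and flags files that sit on a trust boundary using the markers listed under "How Can You Identify Trust Boundary?" (file-name patterns, HttpServlet/JAXMServlet base classes, the servlet and SqlClient imports, @WebMethod/@WebService) plus the tbu prefix from the naming-convention slide. The regular expressions and the sample files are this example's own constructions.

```python
"""Trust-boundary entry-point finder (added illustration; not the talk's own script)."""
import re
from fnmatch import fnmatch

# Marker catalogue taken from the slides; the regexes themselves are constructed here.
NAME_PATTERNS = ["*.jsp", "*.aspx.cs", "*.sql", "*.txt", "*DAL.*", "*.master.cs", "tbu*"]
IMPLEMENTS = re.compile(r"\bextends\s+(HttpServlet|JAXMServlet)\b")
IMPORTS = re.compile(r"^\s*(?:import|using)\s+(javax\.servlet\.http|System\.Data\.SqlClient)", re.M)
ANNOTATIONS = re.compile(r"(@WebMethod|@WebService)\b")


def classify(path, source):
    """Return the reasons a file sits on a trust boundary (empty list = no marker found)."""
    reasons = []
    name = path.rsplit("/", 1)[-1]
    for pat in NAME_PATTERNS:           # one file-name reason is enough
        if fnmatch(name, pat):
            reasons.append(f"file name matches {pat}")
            break
    m = IMPLEMENTS.search(source)
    if m:
        reasons.append(f"implements {m.group(1)}")
    for m in IMPORTS.finditer(source):  # input/output libraries mark a data boundary
        reasons.append(f"imports {m.group(1)}")
    for m in ANNOTATIONS.finditer(source):
        reasons.append(f"annotated {m.group(1)}")
    return reasons


def find_trust_boundaries(tree):
    """tree maps path -> source text; returns {path: reasons} for files with a marker."""
    hits = {}
    for path, src in tree.items():
        reasons = classify(path, src)
        if reasons:
            hits[path] = reasons
    return hits


# Constructed sample tree; none of these files come from a real project.
SAMPLE_TREE = {
    "web/tbuEditProfile.jsp": '<%= request.getParameter("email") %>',
    "src/LoginServlet.java": (
        "import javax.servlet.http.*;\n"
        "public class LoginServlet extends HttpServlet { }\n"
    ),
    "src/AccountService.java": (
        "import javax.jws.WebService;\n"
        "@WebService\npublic class AccountService {\n"
        '    @WebMethod public String get() { return ""; }\n}\n'
    ),
    "dal/CustomerDAL.cs": "using System.Data.SqlClient;\nclass CustomerDAL { }\n",
    "src/tbsProcessNameChange.java": "public class ProcessNameChange { }\n",
    "src/MoneyMath.java": "public class MoneyMath { }\n",
}

if __name__ == "__main__":
    # Review worklist: every hit is a file whose inputs need to be traced manually.
    for path, reasons in sorted(find_trust_boundaries(SAMPLE_TREE).items()):
        print(f"{path}: {', '.join(reasons)}")
```

Files with no marker (the tbs-prefixed class, MoneyMath) drop out of the worklist, which is the point of the naming scheme: reviewers spend their time on the boundary code.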

Manual Review

What Needs to Be Manually Reviewed?

➡ Authentication & Authorization Controls
➡ Encryption Modules
➡ File Upload and Download Operations
➡ Validation Controls\Input Filters
➡ Security-Sensitive Application Logic

Authentication & Authorization Flaws

[Code walkthrough on slide]

➡ Web Methods Do Not Follow Regular ASP.NET Page Life Cycle

Encryption Flaws

[Code walkthrough on slide]

➡ Return value is initialized
➡ Classic fail-open scenario
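The slide's two callouts describe one pattern: the result variable is set to the success value before the check runs, and the exception path never touches it. The pair below is an added, constructed illustration of that pattern around an HMAC tag check (not the code shown in the talk), with the fail-closed form a reviewer would ask for.

```python
"""Fail-open vs fail-closed verification (added illustration, not code from the talk)."""
import hashlib
import hmac


def _expected_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_fail_open(key: bytes, message: bytes, tag_hex: str) -> bool:
    """VULNERABLE: `valid` starts as True ("return value is initialized"), so an
    exception raised while decoding the tag is swallowed and the caller is told
    the message is authentic. This is the classic fail-open scenario."""
    valid = True                      # initialized to the success value
    try:
        tag = bytes.fromhex(tag_hex)  # raises ValueError on a malformed tag
        if not hmac.compare_digest(tag, _expected_tag(key, message)):
            valid = False
    except Exception:
        pass                          # error swallowed; `valid` is still True
    return valid


def verify_fail_closed(key: bytes, message: bytes, tag_hex: str) -> bool:
    """FIXED: start from the failure value and only flip it after a successful
    comparison; every other path, including exceptions, reports failure."""
    valid = False
    try:
        tag = bytes.fromhex(tag_hex)
        valid = hmac.compare_digest(tag, _expected_tag(key, message))
    except (ValueError, TypeError):
        valid = False
    return valid


# Constructed sample inputs.
KEY = b"constructed-demo-key"
MSG = b"amount=10&to=alice"
GOOD_TAG = _expected_tag(KEY, MSG).hex()

if __name__ == "__main__":
    for tag in (GOOD_TAG, "00" * 32, "not-hex"):
        print(f"{tag[:12]:>12}  fail-open={verify_fail_open(KEY, MSG, tag)}"
              f"  fail-closed={verify_fail_closed(KEY, MSG, tag)}")
```

When reviewing an encryption or verification routine, read the initial value of the result variable and every path that returns without assigning it; a success default is the finding.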

File Upload\Download Flaws

[Code walkthrough on slide]

➡ The value gets validated first time around
➡ File path saved into a hidden field
➡ File path is not validated on post back
➡ Path used without validation
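The four callouts above form one flow, modelled here as an added example (constructed, not the ASP.NET code on the slide): the path is validated on the first request, stored in a hidden field, and on postback the vulnerable handler uses the hidden value as-is while the fixed handler treats it as untrusted input again. The upload root and file names are assumptions.

```python
"""Re-validating a round-tripped file path (added illustration; not the talk's code)."""
import posixpath

UPLOAD_ROOT = "/srv/app/uploads"   # constructed upload directory


def validate_path(user_path: str) -> str:
    """Return the normalized path if it stays under UPLOAD_ROOT, else raise ValueError.
    posixpath.join returns an absolute second argument unchanged, so both the
    relative first-request value and the absolute hidden-field value go through
    the same containment check. (Real code would also resolve symlinks.)"""
    full = posixpath.normpath(posixpath.join(UPLOAD_ROOT, user_path))
    if full != UPLOAD_ROOT and not full.startswith(UPLOAD_ROOT + "/"):
        raise ValueError(f"path escapes upload root: {user_path!r}")
    return full


def first_request(user_path: str) -> dict:
    """Callouts 1-2: validate once, then save the path into a hidden form field."""
    return {"hidden_path": validate_path(user_path)}


def postback_vulnerable(form: dict) -> str:
    """Callouts 3-4: the hidden field is trusted without validation (the flaw)."""
    return form["hidden_path"]


def postback_fixed(form: dict) -> str:
    """The hidden field came back from the client, so it crosses the trust
    boundary again and must be validated again before use."""
    return validate_path(form["hidden_path"])


if __name__ == "__main__":
    form = first_request("reports/q1.pdf")
    # Constructed tampering: the client edits the hidden field between requests.
    form["hidden_path"] = "/srv/app/uploads/../config/db.yml"
    print("vulnerable handler uses:", postback_vulnerable(form))
    try:
        postback_fixed(form)
    except ValueError as err:
        print("fixed handler rejects:", err)
```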

Reporting

➡ Weakness Metadata
➡ Thorough Description
➡ Recommendation
➡ Assign Priority

Sample finding:

SQL Injection:

Location: \source\ACMEPortal\updateinfo.aspx.cs, lines 51-53

Description: The code below builds a dynamic SQL statement using unvalidated data (i.e. name), which can lead to SQL Injection.

51 SqlDataAdapter myCommand = new SqlDataAdapter(
52     "SELECT au_lname, au_fname FROM author WHERE au_id = '" +
53     SSN.Text + "'", myConnection);

Priority: High

Recommendation: Use parameterized SQL instead of dynamic concatenation; refer to http://msdn.microsoft.com/en-us/library/ff648339.aspx for details.

Owner: John Smith

Confirmation & PoC

[Screenshots on slides]

Tools

Security Code Review Tools

➡ Static Code Analysis
    ➡ Free: FindBugs, PMD, CAT.net, PCLint, etc.
    ➡ Commercial: see Static Code Tools Evaluation Criteria (WASC)
➡ 3rd Party Libraries: DependencyCheck - https://github.com/jeremylong/DependencyCheck
➡ Scripts

Open-Source Static Code Analysis Tools

[Tool logos on slide, grouped by language: Java, .NET, C++]

Checklists

Usage of checklists

➡ Aviation: checklists drove the evolution of modern airplanes after Major Hill's famous 1934 incident
➡ ICU: usage of checklists brought down infection rates in Michigan by 66%

Security Code Review Checklist

➡ Data Validation and Encoding Controls
➡ Encryption Controls
➡ Authentication and Authorization Controls
➡ Session Management
➡ Exception Handling
➡ Auditing and Logging
➡ Security Configurations

Simplified Security Code Review Process (recap)

Full process: Reconnaissance, Threat Modeling, Automation, Manual Review, Confirmation & PoC, Reporting; supported by Checklists, Tools, Skills

Simplified process: Automation → Manual Review → Reporting; supported by Checklists, Tools, and two skills: OWASP Top 10 and Trust Boundary Identification

QUESTIONS?

@skoussa
[email protected]
@softwaresecured.com