Secure Code Review is the best approach to uncover the most security flaws, in addition to being the only approach to find certain types of flaws like design flaws. During this session, you will learn how to perform security code review and uncover vulnerabilities such as OWASP Top 10: Cross-site Scripting, SQL Injection, Access Control and much more in early stages of development. You will use a real life application. You will get an introduction to Static Code Analysis tools and how you can automate some parts of the process using tools like FxCop.
2. OWASP 2
Softwar S cur
2007 2009 2011 2013
Bio
Principal Consultant @ SoftwareSecured
✓ Security Code Review
✓ Penetration Testing
✓ Secure SDL Integration
✓ Application Security Training
Thursday, 9 May, 13
3. OWASP
Take Aways
What is Security Code Review
Effective Security Code Review Process
How to Implement Your Own Process
Key Tools to Use
3
Thursday, 9 May, 13
4. OWASP
What Security Code Review
is.........NOT?
A Separate Activity From the SDLC
Running a Tool
Ad-hoc Activity
Pentesting - (Just Say’n!)
4
Thursday, 9 May, 13
5. OWASP
The Inspection of Source Code to Find Security
Weakness
Integrated Activity into Software Development
Lifecycle
Cross-Team Integration
Development Teams
Security Teams
ProjectRisk Management
Systematic Approach to Uncover Security Flaws
What IS Security Code
Review?
5
Thursday, 9 May, 13
6. OWASP
Why Security Code Reviews
Effectiveness of security controls against
known threats
Exercise all application execution paths
Find all instances of a certain vulnerability
The only way to find certain types of
vulnerabilities
Effective remediation instructions
6
Thursday, 9 May, 13
7. OWASP
What Are We Looking For?
Software Weaknesses
SQL Injection
Cross-site Scripting
Insufficient Authentication
Application Logic Issues
Application Logic Bypass
DeadDebug Code
Misconfiguration Issues
7
Thursday, 9 May, 13
8. OWASP
Important Steps For Effective
Process
Reconnaissance: Understand the application
Threat Assessment: Enumerate inputs,
threats and attack surface
Automation: Low hanging fruits
Manual Review: High-risk modules
Confirmation & PoC: Confirm high-risk
vulnerabilities.
Reporting: Communicate back to the
development team
8
Thursday, 9 May, 13
11. OWASP
Reconnaissance
Primary Business Goal of the Application
Use CasesAbuse Cases
Different User Roles
Technology Stack of the Application
Environment Discovery
Use the Application
11
Thursday, 9 May, 13
18. OWASP
Automation with CAT.NET
CAT.NET is a binary code analysis tool that helps
identify common variants of certain prevailing
vulnerabilities that can give rise to common attack
vectors - Microsoft
Comes with built-in rules:
Reflected Cross-Site Scripting
SQL Injection
XPath Injection
LDAP Injection
File Canonicalization Issues
Command Injection
Information Disclosure
Download from MSDN 18
Thursday, 9 May, 13
21. OWASP
A1. Injection
Start With Automation
Database Script (*.sql, *.txt, etc)
Pay Attention to Patterns & Coding Styles
Second Order Injection
21
Manual Automatic
Thursday, 9 May, 13
22. OWASP
A2. Broken Authentication and
Session Management
Authentication Process
Password Storage
Password ResetChanges
Session Generation
Session Timeout
Cookie DomainPath
ViewState Protection 22
Manual Automatic
Thursday, 9 May, 13
23. OWASP
A3. Cross-Site Scripting
Inspect application’s defenses (e.g. RequestValidation)
Contextual HTML output encoding
ASP.NET controls with no output encoding
(MSDN)
DOM-Based Cross-site Scripting
HttpOnly Flag on Cookies.
23
Manual Automatic
Thursday, 9 May, 13
30. SQL Injection:
Location: sourceACMEPortalupdateinfo.aspx.cs:
Description:The code below is build dynamic sql statement
using unvalidated data (i.e. name) which can lead to SQL
Injection
51 SqlDataAdapter myCommand = new
SqlDataAdapter(
52 "SELECT au_lname, au_fname FROM author WHERE
au_id = '" +
53 SSN.Text + "'", myConnection);
Priority: High
Recommendation: Use paramaterized SQL instead of
dynamic concatenation, refer to http://msdn.microsoft.com/en-
us/library/ff648339.aspx for details.
Owner: John Smith OWASP
Reporting
Weakness Metadata
Thorough Description
Recommendation
Assign Appropriate Priority
28
Thursday, 9 May, 13
32. OWASP
Checklist - A bit of history
Aviation: led the modern airplanes
evolution after Major Hill’s famous 1934
incident
ICU: usage of checklists brought down
infection rates in Michigan by 66%
30
Thursday, 9 May, 13
33. OWASP
What Does a Checklist Cover?
Data Validation and Encoding Controls
Encryption Controls
Authentication and Authorization Controls
Session Management
Exception Handling
Auditing and Logging
Security Configurations
31
Thursday, 9 May, 13
34. OWASP
Resources to Conduct Your
Checklist
NIST Checklist Project
http://checklists.nist.gov/
Mozilla’s Secure Coding QA Checklist
https://wiki.mozilla.org/WebAppSec/Secure_Coding_QA_Checklist
Oracle’s Secure Coding Checklist
http://www.oracle.com/technetwork/java/seccodeguide-139067.html
32
Thursday, 9 May, 13
35. OWASP
Full Application Security Code
Review
33
Reconnaissance!
Threat Modeling!
Automation!
Manual Review!
Confirmation &
PoC!
Reporting!
Checklists!
Tools!
OWASP
Top 10!
Thursday, 9 May, 13