SlideShare une entreprise Scribd logo

Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)

OWASP Ottawa
OWASP Ottawa

Secure Code Review is the best approach to uncover the most security flaws, in addition to being the only approach to find certain types of flaws like design flaws. During this session, you will learn how to perform security code review and uncover vulnerabilities such as OWASP Top 10: Cross-site Scripting, SQL Injection, Access Control and much more in early stages of development. You will use a real life application. You will get an introduction to Static Code Analysis tools and how you can automate some parts of the process using tools like FxCop.

Technologie
1  sur  36
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org Security Code Review For .Net Applications Sherif Koussa OWASP Ottawa Chapter Leader Software Secured sherif.koussa@owasp.org Education Project Thursday, 9 May, 13
OWASP 2 Softwar S cur 2007 2009 2011 2013 Bio Principal Consultant @ SoftwareSecured ✓ Security Code Review ✓ Penetration Testing ✓ Secure SDL Integration ✓ Application Security Training Thursday, 9 May, 13
OWASP Take Aways What is Security Code Review Effective Security Code Review Process How to Implement Your Own Process Key Tools to Use 3 Thursday, 9 May, 13
OWASP What Security Code Review is.........NOT? A Separate Activity From the SDLC Running a Tool Ad-hoc Activity Pentesting - (Just Say’n!) 4 Thursday, 9 May, 13
OWASP The Inspection of Source Code to Find Security Weakness Integrated Activity into Software Development Lifecycle Cross-Team Integration Development Teams Security Teams ProjectRisk Management Systematic Approach to Uncover Security Flaws What IS Security Code Review? 5 Thursday, 9 May, 13
OWASP Why Security Code Reviews Effectiveness of security controls against known threats Exercise all application execution paths Find all instances of a certain vulnerability The only way to find certain types of vulnerabilities Effective remediation instructions 6 Thursday, 9 May, 13
OWASP What Are We Looking For? Software Weaknesses SQL Injection Cross-site Scripting Insufficient Authentication Application Logic Issues Application Logic Bypass DeadDebug Code Misconfiguration Issues 7 Thursday, 9 May, 13
OWASP Important Steps For Effective Process Reconnaissance: Understand the application Threat Assessment: Enumerate inputs, threats and attack surface Automation: Low hanging fruits Manual Review: High-risk modules Confirmation & PoC: Confirm high-risk vulnerabilities. Reporting: Communicate back to the development team 8 Thursday, 9 May, 13
OWASP 9 Reconnaissance! Threat Assessment! Automation! Manual Review! Confirmation & PoC! Reporting! Checklist! Tools! Security Skills! Thursday, 9 May, 13
OWASP 10 RECONNAISSANCE Reconnaissance! Threat Assessment! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Thursday, 9 May, 13
OWASP Reconnaissance Primary Business Goal of the Application Use CasesAbuse Cases Different User Roles Technology Stack of the Application Environment Discovery Use the Application 11 Thursday, 9 May, 13
OWASP 12 THREAT ASSESSMENT Reconnaissance! Threat Assessment! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Thursday, 9 May, 13
OWASP Enumerate Assets Data: personal data, financial data, etc Infrastructure: CPU, bandwidth, disk space, etc Users: malware, fishing, clicks Intellectual Property: software source code Other SystemsApplications: proxy to other more valuable systems. 13 Thursday, 9 May, 13
OWASP Enumerate Threats Data Theft Information Disclosure Spreading Malware Phishing Username Harvesting Fraudulent Transactions Likejacking 14 Thursday, 9 May, 13
OWASP Enumerate Vulnerabilities OWASP Top 10 A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Insecure Direct Object References A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Missing Function Level Access Control A8 Cross-Site Request Forgery (CSRF) A9 Using Known Vulnerable Components A10 Unvalidated Redirects and Forwards 15 Thursday, 9 May, 13
OWASP 16 AUTOMATION Reconnaissance! Threat Assessment! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Thursday, 9 May, 13
OWASP Automation Static Code Analysis Tools Scripts 17 Thursday, 9 May, 13
OWASP Automation with CAT.NET CAT.NET is a binary code analysis tool that helps identify common variants of certain prevailing vulnerabilities that can give rise to common attack vectors - Microsoft Comes with built-in rules: Reflected Cross-Site Scripting SQL Injection XPath Injection LDAP Injection File Canonicalization Issues Command Injection Information Disclosure Download from MSDN 18 Thursday, 9 May, 13
OWASP Demo... 19 Thursday, 9 May, 13
OWASP 20 MANUAL REVIEW Reconnaissance! Threat Modeling! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Thursday, 9 May, 13
OWASP A1. Injection Start With Automation Database Script (*.sql, *.txt, etc) Pay Attention to Patterns & Coding Styles Second Order Injection 21 Manual Automatic Thursday, 9 May, 13
OWASP A2. Broken Authentication and Session Management Authentication Process Password Storage Password ResetChanges Session Generation Session Timeout Cookie DomainPath ViewState Protection 22 Manual Automatic Thursday, 9 May, 13
OWASP A3. Cross-Site Scripting Inspect application’s defenses (e.g. RequestValidation) Contextual HTML output encoding ASP.NET controls with no output encoding (MSDN) DOM-Based Cross-site Scripting HttpOnly Flag on Cookies. 23 Manual Automatic Thursday, 9 May, 13
OWASP A4. Insecure Direct Object Reference Parameters <-> resources relationship Hidden Fields JavaScript (JSON, AJAX) Querystring parameters 24 Manual Automatic Thursday, 9 May, 13
OWASP 25 CONFIRMATION & POC Reconnaissance! Threat Modeling! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Thursday, 9 May, 13
OWASP Confirmation & PoC 26 Thursday, 9 May, 13
OWASP Confirmation & PoC 26 Thursday, 9 May, 13
OWASP Confirmation & PoC 26 Thursday, 9 May, 13
OWASP 27 REPORTING Reconnaissance! Threat Modeling! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Thursday, 9 May, 13
SQL Injection: Location: sourceACMEPortalupdateinfo.aspx.cs: Description:The code below is build dynamic sql statement using unvalidated data (i.e. name) which can lead to SQL Injection 51 SqlDataAdapter myCommand = new SqlDataAdapter( 52 "SELECT au_lname, au_fname FROM author WHERE au_id = '" + 53 SSN.Text + "'", myConnection); Priority: High Recommendation: Use paramaterized SQL instead of dynamic concatenation, refer to http://msdn.microsoft.com/en- us/library/ff648339.aspx for details. Owner: John Smith OWASP Reporting Weakness Metadata Thorough Description Recommendation Assign Appropriate Priority 28 Thursday, 9 May, 13
OWASP 29 CHECKLISTS Reconnaissance! Threat Modeling! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Thursday, 9 May, 13
OWASP Checklist - A bit of history Aviation: led the modern airplanes evolution after Major Hill’s famous 1934 incident ICU: usage of checklists brought down infection rates in Michigan by 66% 30 Thursday, 9 May, 13
OWASP What Does a Checklist Cover? Data Validation and Encoding Controls Encryption Controls Authentication and Authorization Controls Session Management Exception Handling Auditing and Logging Security Configurations 31 Thursday, 9 May, 13
OWASP Resources to Conduct Your Checklist NIST Checklist Project http://checklists.nist.gov/ Mozilla’s Secure Coding QA Checklist https://wiki.mozilla.org/WebAppSec/Secure_Coding_QA_Checklist Oracle’s Secure Coding Checklist http://www.oracle.com/technetwork/java/seccodeguide-139067.html 32 Thursday, 9 May, 13
OWASP Full Application Security Code Review 33 Reconnaissance! Threat Modeling! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Thursday, 9 May, 13
OWASP 34 QUESTIONS? sherif.koussa@owasp.org sherif@softwaresecured.com Thursday, 9 May, 13

Recommandé

Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Secure code
Secure codeSecure code
Secure codeddeogun
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurationsMegha Sahu
 
Encoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresEncoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresMarco Morana
 
GÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİ
GÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİGÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİ
GÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİBGA Cyber Security
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
A5-Security misconfiguration-OWASP 2013
A5-Security misconfiguration-OWASP 2013 A5-Security misconfiguration-OWASP 2013
A5-Security misconfiguration-OWASP 2013 Sorina Chirilă
 

Recommandé

Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Secure code
Secure codeSecure code
Secure codeddeogun
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurationsMegha Sahu
 
Encoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresEncoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresMarco Morana
 
GÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİ
GÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİGÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİ
GÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİBGA Cyber Security
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
A5-Security misconfiguration-OWASP 2013
A5-Security misconfiguration-OWASP 2013 A5-Security misconfiguration-OWASP 2013
A5-Security misconfiguration-OWASP 2013 Sorina Chirilă
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top TenChristian Heinrich
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfigurationJiri Danihelka
 
Secure Coding for Java
Secure Coding for JavaSecure Coding for Java
Secure Coding for JavaSébastien GIORIA
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SASTBlueinfy Solutions
 
Hacklenmis Linux Sistem Analizi
Hacklenmis Linux Sistem AnaliziHacklenmis Linux Sistem Analizi
Hacklenmis Linux Sistem AnaliziBGA Cyber Security
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST APINutan Kumar Panda
 
Cloud Summit Canada com Rodrigo Montoro
Cloud Summit Canada com Rodrigo MontoroCloud Summit Canada com Rodrigo Montoro
Cloud Summit Canada com Rodrigo MontoroClavis Segurança da Informação
 
Offensive PowerShell Cheat Sheet
Offensive PowerShell Cheat SheetOffensive PowerShell Cheat Sheet
Offensive PowerShell Cheat SheetRahmat Nurfauzi
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
 
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 3
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 3Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 3
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 3BTRisk Bilgi Güvenliği ve BT Yönetişim Hizmetleri
 
Red Team Operasyonu ve İzlenen Bir Sisteme Sızmak
Red Team Operasyonu ve İzlenen Bir Sisteme SızmakRed Team Operasyonu ve İzlenen Bir Sisteme Sızmak
Red Team Operasyonu ve İzlenen Bir Sisteme SızmakBGA Cyber Security
 
DNS exfiltration using sqlmap
DNS exfiltration using sqlmapDNS exfiltration using sqlmap
DNS exfiltration using sqlmapMiroslav Stampar
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101Narudom Roongsiriwong, CISSP
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetJuan F. Padilla
 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code ReviewsDenim Group
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review ProcessSherif Koussa
 

Contenu connexe

Tendances

Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfigurationJiri Danihelka
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SASTBlueinfy Solutions
 
Hacklenmis Linux Sistem Analizi
Hacklenmis Linux Sistem AnaliziHacklenmis Linux Sistem Analizi
Hacklenmis Linux Sistem AnaliziBGA Cyber Security
 
Offensive PowerShell Cheat Sheet
Offensive PowerShell Cheat SheetOffensive PowerShell Cheat Sheet
Offensive PowerShell Cheat SheetRahmat Nurfauzi
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
 
Red Team Operasyonu ve İzlenen Bir Sisteme Sızmak
Red Team Operasyonu ve İzlenen Bir Sisteme SızmakRed Team Operasyonu ve İzlenen Bir Sisteme Sızmak
Red Team Operasyonu ve İzlenen Bir Sisteme SızmakBGA Cyber Security
 
DNS exfiltration using sqlmap
DNS exfiltration using sqlmapDNS exfiltration using sqlmap
DNS exfiltration using sqlmapMiroslav Stampar
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetJuan F. Padilla
 

Tendances (20)

Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top Ten
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfiguration
 
Secure Coding for Java
Secure Coding for JavaSecure Coding for Java
Secure Coding for Java
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
 
Hacklenmis Linux Sistem Analizi
Hacklenmis Linux Sistem AnaliziHacklenmis Linux Sistem Analizi
Hacklenmis Linux Sistem Analizi
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
 
Cloud Summit Canada com Rodrigo Montoro
Cloud Summit Canada com Rodrigo MontoroCloud Summit Canada com Rodrigo Montoro
Cloud Summit Canada com Rodrigo Montoro
 
Offensive PowerShell Cheat Sheet
Offensive PowerShell Cheat SheetOffensive PowerShell Cheat Sheet
Offensive PowerShell Cheat Sheet
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
 
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 3
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 3Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 3
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 3
 
Red Team Operasyonu ve İzlenen Bir Sisteme Sızmak
Red Team Operasyonu ve İzlenen Bir Sisteme SızmakRed Team Operasyonu ve İzlenen Bir Sisteme Sızmak
Red Team Operasyonu ve İzlenen Bir Sisteme Sızmak
 
DNS exfiltration using sqlmap
DNS exfiltration using sqlmapDNS exfiltration using sqlmap
DNS exfiltration using sqlmap
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat Sheet
 

En vedette

Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code ReviewsDenim Group
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review ProcessSherif Koussa
 
Secure .NET programming
Secure .NET programmingSecure .NET programming
Secure .NET programmingAnte Gulam
 
China all up in your business: Annoying Persistant Threat - Dave Ockwell-Jenn...
China all up in your business: Annoying Persistant Threat - Dave Ockwell-Jenn...China all up in your business: Annoying Persistant Threat - Dave Ockwell-Jenn...
China all up in your business: Annoying Persistant Threat - Dave Ockwell-Jenn...OWASP Ottawa
 
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...Sherif Koussa
 
Security Code Review: Magic or Art?
Security Code Review: Magic or Art?Security Code Review: Magic or Art?
Security Code Review: Magic or Art?Sherif Koussa
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012DefCamp
 
ASFWS 2013 - Advances in secure (ASP).NET development – break the hackers’ sp...
ASFWS 2013 - Advances in secure (ASP).NET development – break the hackers’ sp...ASFWS 2013 - Advances in secure (ASP).NET development – break the hackers’ sp...
ASFWS 2013 - Advances in secure (ASP).NET development – break the hackers’ sp...Cyber Security Alliance
 
Top 5 .NET Challenges, Performance Monitoring Tips & Tricks
Top 5 .NET Challenges, Performance Monitoring Tips & TricksTop 5 .NET Challenges, Performance Monitoring Tips & Tricks
Top 5 .NET Challenges, Performance Monitoring Tips & TricksAppDynamics
 
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleDeploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleAchim D. Brucker
 
Security asp.net application
Security asp.net applicationSecurity asp.net application
Security asp.net applicationZAIYAUL HAQUE
 
Microsoft asp.net identity security
Microsoft asp.net identity securityMicrosoft asp.net identity security
Microsoft asp.net identity securityrustd
 
Code review for secure web applications
Code review for secure web applicationsCode review for secure web applications
Code review for secure web applicationssilviad74
 
Natural Laws of Software Performance
Natural Laws of Software PerformanceNatural Laws of Software Performance
Natural Laws of Software PerformanceGibraltar Software
 
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015gmaran23
 
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...gmaran23
 
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...gmaran23
 

En vedette (20)

Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code Reviews
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review Process
 
Secure .NET programming
Secure .NET programmingSecure .NET programming
Secure .NET programming
 
China all up in your business: Annoying Persistant Threat - Dave Ockwell-Jenn...
China all up in your business: Annoying Persistant Threat - Dave Ockwell-Jenn...China all up in your business: Annoying Persistant Threat - Dave Ockwell-Jenn...
China all up in your business: Annoying Persistant Threat - Dave Ockwell-Jenn...
 
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
 
Security Code Review: Magic or Art?
Security Code Review: Magic or Art?Security Code Review: Magic or Art?
Security Code Review: Magic or Art?
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012
 
Chapter 09
Chapter 09Chapter 09
Chapter 09
 
ASFWS 2013 - Advances in secure (ASP).NET development – break the hackers’ sp...
ASFWS 2013 - Advances in secure (ASP).NET development – break the hackers’ sp...ASFWS 2013 - Advances in secure (ASP).NET development – break the hackers’ sp...
ASFWS 2013 - Advances in secure (ASP).NET development – break the hackers’ sp...
 
Top 5 .NET Challenges, Performance Monitoring Tips & Tricks
Top 5 .NET Challenges, Performance Monitoring Tips & TricksTop 5 .NET Challenges, Performance Monitoring Tips & Tricks
Top 5 .NET Challenges, Performance Monitoring Tips & Tricks
 
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleDeploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large Scale
 
Security asp.net application
Security asp.net applicationSecurity asp.net application
Security asp.net application
 
Microsoft asp.net identity security
Microsoft asp.net identity securityMicrosoft asp.net identity security
Microsoft asp.net identity security
 
Code review for secure web applications
Code review for secure web applicationsCode review for secure web applications
Code review for secure web applications
 
Natural Laws of Software Performance
Natural Laws of Software PerformanceNatural Laws of Software Performance
Natural Laws of Software Performance
 
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
 
Null meet Code Review
Null meet Code ReviewNull meet Code Review
Null meet Code Review
 
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#
 
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
 

Similaire à Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)

OWASP App Sec US - 2010
OWASP App Sec US - 2010OWASP App Sec US - 2010
OWASP App Sec US - 2010Aditya K Sood
 
Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...POSSCON
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingJim Manico
 
OWASP - Building Secure Web Applications
OWASP - Building Secure Web ApplicationsOWASP - Building Secure Web Applications
OWASP - Building Secure Web Applicationsalexbe
 
OWASP_Top_10_Introduction_and_Remedies_2017.ppt
OWASP_Top_10_Introduction_and_Remedies_2017.pptOWASP_Top_10_Introduction_and_Remedies_2017.ppt
OWASP_Top_10_Introduction_and_Remedies_2017.pptjangomanso
 
CiNPA Security SIG - AppSec Presentation
CiNPA Security SIG - AppSec PresentationCiNPA Security SIG - AppSec Presentation
CiNPA Security SIG - AppSec PresentationCiNPA Security SIG
 
Owasp london training course 2010 - Matteo Meucci
Owasp london training course 2010 - Matteo MeucciOwasp london training course 2010 - Matteo Meucci
Owasp london training course 2010 - Matteo MeucciMatteo Meucci
 
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Braindev Kyiv
 
Running an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec VillageRunning an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec VillageVandana Verma
 
OWASP, the life and the universe
OWASP, the life and the universeOWASP, the life and the universe
OWASP, the life and the universeSébastien GIORIA
 
OWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationOWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationNikola Milosevic
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxnmk42194
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxjohnpragasam1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxazida3
 
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLudovic Petit
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxcgt38842
 

Similaire à Security Code Review for .NET - Sherif Koussa (OWASP Ottawa) (20)

OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
 
OISF - AppSec Presentation
OISF - AppSec PresentationOISF - AppSec Presentation
OISF - AppSec Presentation
 
OWASP App Sec US - 2010
OWASP App Sec US - 2010OWASP App Sec US - 2010
OWASP App Sec US - 2010
 
Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP Training
 
OWASP - Building Secure Web Applications
OWASP - Building Secure Web ApplicationsOWASP - Building Secure Web Applications
OWASP - Building Secure Web Applications
 
OWASP Top10 2010
OWASP Top10 2010OWASP Top10 2010
OWASP Top10 2010
 
OWASP_Top_10_Introduction_and_Remedies_2017.ppt
OWASP_Top_10_Introduction_and_Remedies_2017.pptOWASP_Top_10_Introduction_and_Remedies_2017.ppt
OWASP_Top_10_Introduction_and_Remedies_2017.ppt
 
CiNPA Security SIG - AppSec Presentation
CiNPA Security SIG - AppSec PresentationCiNPA Security SIG - AppSec Presentation
CiNPA Security SIG - AppSec Presentation
 
Owasp london training course 2010 - Matteo Meucci
Owasp london training course 2010 - Matteo MeucciOwasp london training course 2010 - Matteo Meucci
Owasp london training course 2010 - Matteo Meucci
 
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
 
Cyber ppt
Cyber pptCyber ppt
Cyber ppt
 
Running an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec VillageRunning an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec Village
 
OWASP, the life and the universe
OWASP, the life and the universeOWASP, the life and the universe
OWASP, the life and the universe
 
OWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationOWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfiguration
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 

Dernier

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 

Dernier (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)

  • 1. Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org Security Code Review For .Net Applications Sherif Koussa OWASP Ottawa Chapter Leader Software Secured sherif.koussa@owasp.org Education Project Thursday, 9 May, 13
  • 2. OWASP 2 Softwar S cur 2007 2009 2011 2013 Bio Principal Consultant @ SoftwareSecured ✓ Security Code Review ✓ Penetration Testing ✓ Secure SDL Integration ✓ Application Security Training Thursday, 9 May, 13
  • 3. OWASP Take Aways What is Security Code Review Effective Security Code Review Process How to Implement Your Own Process Key Tools to Use 3 Thursday, 9 May, 13
  • 4. OWASP What Security Code Review is.........NOT? A Separate Activity From the SDLC Running a Tool Ad-hoc Activity Pentesting - (Just Say’n!) 4 Thursday, 9 May, 13
  • 5. OWASP The Inspection of Source Code to Find Security Weakness Integrated Activity into Software Development Lifecycle Cross-Team Integration Development Teams Security Teams ProjectRisk Management Systematic Approach to Uncover Security Flaws What IS Security Code Review? 5 Thursday, 9 May, 13
  • 6. OWASP Why Security Code Reviews Effectiveness of security controls against known threats Exercise all application execution paths Find all instances of a certain vulnerability The only way to find certain types of vulnerabilities Effective remediation instructions 6 Thursday, 9 May, 13
  • 7. OWASP What Are We Looking For? Software Weaknesses SQL Injection Cross-site Scripting Insufficient Authentication Application Logic Issues Application Logic Bypass DeadDebug Code Misconfiguration Issues 7 Thursday, 9 May, 13
  • 8. OWASP Important Steps For Effective Process Reconnaissance: Understand the application Threat Assessment: Enumerate inputs, threats and attack surface Automation: Low hanging fruits Manual Review: High-risk modules Confirmation & PoC: Confirm high-risk vulnerabilities. Reporting: Communicate back to the development team 8 Thursday, 9 May, 13
  • 9. OWASP 9 Reconnaissance! Threat Assessment! Automation! Manual Review! Confirmation & PoC! Reporting! Checklist! Tools! Security Skills! Thursday, 9 May, 13
  • 10. OWASP 10 RECONNAISSANCE Reconnaissance! Threat Assessment! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Thursday, 9 May, 13
  • 11. OWASP Reconnaissance Primary Business Goal of the Application Use CasesAbuse Cases Different User Roles Technology Stack of the Application Environment Discovery Use the Application 11 Thursday, 9 May, 13
  • 12. OWASP 12 THREAT ASSESSMENT Reconnaissance! Threat Assessment! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Thursday, 9 May, 13
  • 13. OWASP Enumerate Assets Data: personal data, financial data, etc Infrastructure: CPU, bandwidth, disk space, etc Users: malware, fishing, clicks Intellectual Property: software source code Other SystemsApplications: proxy to other more valuable systems. 13 Thursday, 9 May, 13
  • 14. OWASP Enumerate Threats Data Theft Information Disclosure Spreading Malware Phishing Username Harvesting Fraudulent Transactions Likejacking 14 Thursday, 9 May, 13
  • 15. OWASP Enumerate Vulnerabilities OWASP Top 10 A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Insecure Direct Object References A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Missing Function Level Access Control A8 Cross-Site Request Forgery (CSRF) A9 Using Known Vulnerable Components A10 Unvalidated Redirects and Forwards 15 Thursday, 9 May, 13
  • 16. OWASP 16 AUTOMATION Reconnaissance! Threat Assessment! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Thursday, 9 May, 13
  • 17. OWASP Automation Static Code Analysis Tools Scripts 17 Thursday, 9 May, 13
  • 18. OWASP Automation with CAT.NET CAT.NET is a binary code analysis tool that helps identify common variants of certain prevailing vulnerabilities that can give rise to common attack vectors - Microsoft Comes with built-in rules: Reflected Cross-Site Scripting SQL Injection XPath Injection LDAP Injection File Canonicalization Issues Command Injection Information Disclosure Download from MSDN 18 Thursday, 9 May, 13
  • 20. OWASP 20 MANUAL REVIEW Reconnaissance! Threat Modeling! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Thursday, 9 May, 13
  • 21. OWASP A1. Injection Start With Automation Database Script (*.sql, *.txt, etc) Pay Attention to Patterns & Coding Styles Second Order Injection 21 Manual Automatic Thursday, 9 May, 13
  • 22. OWASP A2. Broken Authentication and Session Management Authentication Process Password Storage Password ResetChanges Session Generation Session Timeout Cookie DomainPath ViewState Protection 22 Manual Automatic Thursday, 9 May, 13
  • 23. OWASP A3. Cross-Site Scripting Inspect application’s defenses (e.g. RequestValidation) Contextual HTML output encoding ASP.NET controls with no output encoding (MSDN) DOM-Based Cross-site Scripting HttpOnly Flag on Cookies. 23 Manual Automatic Thursday, 9 May, 13
  • 24. OWASP A4. Insecure Direct Object Reference Parameters <-> resources relationship Hidden Fields JavaScript (JSON, AJAX) Querystring parameters 24 Manual Automatic Thursday, 9 May, 13
  • 25. OWASP 25 CONFIRMATION & POC Reconnaissance! Threat Modeling! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Thursday, 9 May, 13
  • 29. OWASP 27 REPORTING Reconnaissance! Threat Modeling! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Thursday, 9 May, 13
  • 30. SQL Injection: Location: sourceACMEPortalupdateinfo.aspx.cs: Description:The code below is build dynamic sql statement using unvalidated data (i.e. name) which can lead to SQL Injection 51 SqlDataAdapter myCommand = new SqlDataAdapter( 52 "SELECT au_lname, au_fname FROM author WHERE au_id = '" + 53 SSN.Text + "'", myConnection); Priority: High Recommendation: Use paramaterized SQL instead of dynamic concatenation, refer to http://msdn.microsoft.com/en- us/library/ff648339.aspx for details. Owner: John Smith OWASP Reporting Weakness Metadata Thorough Description Recommendation Assign Appropriate Priority 28 Thursday, 9 May, 13
  • 31. OWASP 29 CHECKLISTS Reconnaissance! Threat Modeling! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Thursday, 9 May, 13
  • 32. OWASP Checklist - A bit of history Aviation: led the modern airplanes evolution after Major Hill’s famous 1934 incident ICU: usage of checklists brought down infection rates in Michigan by 66% 30 Thursday, 9 May, 13
  • 33. OWASP What Does a Checklist Cover? Data Validation and Encoding Controls Encryption Controls Authentication and Authorization Controls Session Management Exception Handling Auditing and Logging Security Configurations 31 Thursday, 9 May, 13
  • 34. OWASP Resources to Conduct Your Checklist NIST Checklist Project http://checklists.nist.gov/ Mozilla’s Secure Coding QA Checklist https://wiki.mozilla.org/WebAppSec/Secure_Coding_QA_Checklist Oracle’s Secure Coding Checklist http://www.oracle.com/technetwork/java/seccodeguide-139067.html 32 Thursday, 9 May, 13
  • 35. OWASP Full Application Security Code Review 33 Reconnaissance! Threat Modeling! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Thursday, 9 May, 13