SlideShare une entreprise Scribd logo

SecurityBSides London - Agnitio: it's static analysis but not as we know it

S
Security Ninja

David Rook presentation from SecurityBSides London 2011.

Technologie
1  sur  43
Télécharger pour lire hors ligne
David Rook Agnitio It’s static analysis, but not as we know it SecurityBSides, London
if (slide == introduction) System.out.println("I’m David Rook"); • Security Analyst, Realex Payments, Ireland CISSP, CISA, GCIH and many other acronyms • Security Ninja (www.securityninja.co.uk) • Speaker at international security conferences • Nominated for multiple blog awards • A mentor in the InfoSecMentors project • Developed and released Agnitio
Agenda • What is static analysis? • Security code reviews: the good, the bad and the ugly • The principles of secure development • Agnitio: It’s static analysis, but not as we know it • A sneak preview of Agnitio v2.0
Static analysis • What do I mean by static analysis? • A review of source code without executing the application • Can be either manual or automated through one or more tools • Human and/or tools analysing application source code
Static analysis • Wetware or software? • Humans are needed with or without static analysis tools • The best thing about humans is that they aren’t software • The worst thing about humans is that they are humans
Static analysis • Wetware or software? http://www.ibm.com/developerworks/rational/library/11-proven-practices-for-peer-review/index.html?sf1100063=1
Static analysis • Wetware or software? http://www.ibm.com/developerworks/rational/library/11-proven-practices-for-peer-review/index.html?sf1100063=1
Static analysis • Wetware or software? • Tools can cover more code in less time than a human • The best thing about software is that it isn’t human • The worst thing about software is that it’s software
The ugly security code reviews • “Ugly reviews” implies you do actually review code • An unplanned magical mystery tour at the end of the SDLC • Unstructured, not repeatable and heavily reliant on C H N O 8 10 4 2 • Too late in the SDLC making findings very expensive to fix • Completely manual process, no tools used during reviews • No audit trails, no metrics........no security? • Better than nothing?
The bad security code reviews • “Bad reviews” might be fine for some companies • A single planned code review in your SDLC • Some structure, normally based on finding the OWASP top 10 • Still too late in the SDLC making findings very expensive to fix • Some automation, usually basic code analysis tools • Basic audit trails still no metrics so hard to measure “anything” • Better than ugly reviews, might be fine for some companies
The good security code reviews • “Good reviews” don’t happen by accident • Multiple reviews defined as deliverables in your SDLC • Structured, repeatable process with management support • Reviews are exit criteria for the development and test phases • Automation used where useful freeing up the reviewer • Ability to produce reports, metrics and measure improvements • External validation of the review process and SDLC
The principles of secure development • What are the principles of secure development?
The principles of secure development • We put the cart before the application security horse • Security guys tell developers about specific vulnerabilities • We hope they figure out how to prevent them • Inevitably security flaws end up in live code • Security guys complain when data gets stolen
The principles of secure development • What if we taught drivers in the same way? • Instructor tells driver about the different ways to crash • We hope the driver figures out how not to crash • Inevitably the driver will crash • People complain when they get crashed into
The principles of secure development • Many lists of vulnerabilities • OWASP Top 10 • White Hat Sec Top 10 • SANS Top 25 • Others??
The principles of secure development Failure to Preserve Web Page Structure Failure to Preserve SQL Query Structure Reliance on Untrusted Inputs in a Security Decision Missing Encryption of Sensitive Data Incorrect Calculation of Buffer Size Improper Control of Filename for Include/Require Statement in PHP Program URL Redirection to Untrusted Site Buffer Copy without Checking Size on Input Content Spoofing Allocation of Resource Without Limits or Throttling Cross Site Request Forgery Information Leakage Injection Flaws Cross Site Scripting Improper Check for Unusual or Exceptional Conditions Insufficient Transport Layer Protection Failure to Preserve OS Command Structure Insufficient Authorisation Improper Limitation of a Pathname to a Restricted Directory Improper Access Control Insufficient Authentication Insecure Cryptographic Storage Race Condition Use of Hard-coded Credentials Session Management Insecure Direct Object Reference Improper Validation of Array Index Information Exposure Through an Error Message Abuse of Functionality Predictable Resource Location Download of Code Without Integrity Check Failure to Restrict URL Access Unvalidated Redirects and Forwards Buffer Access with Incorrect Length Value Security Misconfiguration SQL Injection Unrestricted Upload of File with Dangerous Type Broken Authentication Missing Authentication for Critical Function Integer Overflow or Wraparound Use of a Broken or Risky Cryptographic Algorithm Incorrect Permission Assignment for Critical Resource
The principles of secure development • Many lists of vulnerabilities • OWASP Top 10 • White Hat Sec Top 10 • SANS Top 25 • Others?? • != Secure development guidance • 45 vulnerabilities, 41 unique names • Training courses etc based on these lists
Philosophical Application Security Give a man a fish and you feed him for a day, teach him to fish and you feed him for a lifetime. I want to apply this to secure development education: Teach a developer about a vulnerability and he will prevent it, teach him how to develop securely and he will prevent many vulnerabilities.
What we need to do • Put the application security horse before the cart • Security guys tell developers how to write secure code • Developer doesn’t need to guess anymore • Common vulnerabilities prevented in applications • Realistic or just a caffeine fueled dream?
The current approach Principles of Secure Development Failure to Preserve Web Page Structure Failure to Preserve SQL Query Structure Reliance on Untrusted Inputs in a Security Decision Secure Communications Missing Encryption of Sensitive Data Incorrect Calculation of Buffer Size Output Validation Improper Control of Filename for Include/Require Statement in PHP Program URL Redirection to Untrusted Site Buffer Copy without Checking Size on Input Content Spoofing Allocation of Resource Without Limits or Throttling Input Validation Cross Site Request Forgery and Logging Auditing Information Leakage Injection Flaws Cross Site Scripting Improper Check for Unusual or Exceptional Conditions Insufficient Transport Layer Protection Failure to Preserve OS Command Structure Authorisation Insufficient Authorisation Improper Limitation of a Pathname to a Restricted Directory Session Management Insecure Cryptographic Storage Improper Access Control Insufficient Authentication Race Condition Use of Hard-coded Credentials Session Management Insecure Direct Object Reference Improper Validation of Array Index Error Handling Secure Resource Access Information Exposure Through an Error Message Abuse of Functionality Predictable Resource Location Download of Code Without Integrity Check Failure to Restrict URL Access Unvalidated Redirects and Forwards Buffer Access with Incorrect Length Value Security Misconfiguration SQL Injection Authentication Unrestricted Upload of File with Dangerous Type Broken Authentication Missing Authentication for Critical Function Integer Overflow or Wraparound Secure Storage a Broken or Risky Cryptographic Algorithm Use of Incorrect Permission Assignment for Critical Resource
Agnitio • What is Agnitio? • Tool to help with manual static analysis • Checklist based with reviewer & developer guidance • Produces audit trails & enforces integrity checks • Single tool for security code review reports & metrics
Agnitio • Why did I develop Agnitio? • Even if your review process is good it might not be smart • Is your review process really repeatable and easy to audit? • How about producing metrics, useful reports & integrity checks? • No? That’s why I developed Agnitio!
Agnitio • Why did I develop Agnitio? • My own review process was good but it wasn’t smart • Minimum of 2 code reviews per release • Three pieces of evidence produced per review • One central Excel sheet for metrics and “audit” trail
Why did I develop Agnitio? • 2 reviews, 3 deliverables x ~200 releases in 2010 x2 x1 x2 x1
Why did I develop Agnitio? • 2 reviews: 3 deliverables x ~200 releases in 2010 • 400 security code reviews x 10
Why did I develop Agnitio? • Demonstration: security code reviews
Why did I develop Agnitio? • 2 reviews: 3 deliverables x ~200 releases in 2010 • Minimum of 4 Word documents per release x 10
Why did I develop Agnitio? • Demonstration: security code review reports
Why did I develop Agnitio? • 2 reviews: 3 deliverables x ~200 releases in 2010 • Note pad file per release with notes, LOC etc x 10
Why did I develop Agnitio? • Demonstration: application security metrics
Why did I develop Agnitio?
Agnitio v2.0 • Automated code analysis module linked to checklist • Data editor for developer and checklist guidance text • Checklist and guidance in multiple languages • Plus lots of user suggested changes!
Agnitio v2.0 • Agnitio v2.0 super early, Alpha demonstration
My “shoot for the moon” vision for Agnitio “we pretty much need a Burp Pro equivalent for Static Analysis – awesome, powerful in the right hands, and completely affordable!” http://www.securityninja.co.uk/application-security/can-you-implement-static-analysis-without-breaking-the-bank/comment-page-1#comment-9777
Using the principles and Agnitio • How you can apply the principles approach • Download principles documentation from Security Ninja • Focus secure development training on code not exploits • Use your language/s in all code examples • Use Agnitio to conduct principles based security code reviews • Tie all security findings back to specific principles
QUESTIONS? www.securityninja.co.uk @securityninja /realexninja /securityninja /realexninja

Recommandé

Injecting simplicity not SQL RSA Europe 2010
Injecting simplicity not SQL RSA Europe 2010Injecting simplicity not SQL RSA Europe 2010
Injecting simplicity not SQL RSA Europe 2010Security Ninja
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
Evaluating Web App, Mobile App, and API Security - Matt Cohen
Evaluating Web App, Mobile App, and API Security - Matt CohenEvaluating Web App, Mobile App, and API Security - Matt Cohen
Evaluating Web App, Mobile App, and API Security - Matt CohenInman News
 
Code securely
Code securelyCode securely
Code securelyMaksym Hopei
 
Security hole #5 application security science or quality assurance
Security hole #5 application security science or quality assuranceSecurity hole #5 application security science or quality assurance
Security hole #5 application security science or quality assuranceTjylen Veselyj
 
Application Security Workshop
Application Security Workshop Application Security Workshop
Application Security Workshop Priyanka Aash
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentationConfiz
 

Recommandé

Injecting simplicity not SQL RSA Europe 2010
Injecting simplicity not SQL RSA Europe 2010Injecting simplicity not SQL RSA Europe 2010
Injecting simplicity not SQL RSA Europe 2010Security Ninja
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
Evaluating Web App, Mobile App, and API Security - Matt Cohen
Evaluating Web App, Mobile App, and API Security - Matt CohenEvaluating Web App, Mobile App, and API Security - Matt Cohen
Evaluating Web App, Mobile App, and API Security - Matt CohenInman News
 
Code securely
Code securelyCode securely
Code securelyMaksym Hopei
 
Security hole #5 application security science or quality assurance
Security hole #5 application security science or quality assuranceSecurity hole #5 application security science or quality assurance
Security hole #5 application security science or quality assuranceTjylen Veselyj
 
Application Security Workshop
Application Security Workshop Application Security Workshop
Application Security Workshop Priyanka Aash
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentationConfiz
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Security Innovation
 
Hack through Injections
Hack through InjectionsHack through Injections
Hack through InjectionsNazar Tymoshyk, CEH, Ph.D.
 
we45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Studywe45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Studywe45
 
Platform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterPlatform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterEqual Experts
 
Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC Rafał Hryniewski
 
Null meet Code Review
Null meet Code ReviewNull meet Code Review
Null meet Code ReviewNaga Venkata Sunil Alamuri
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
OWASP TOP 10
OWASP TOP 10OWASP TOP 10
OWASP TOP 10Robert MacLean
 
Step by step guide for web application security testing
Step by step guide for web application security testingStep by step guide for web application security testing
Step by step guide for web application security testingAvyaan, Web Security Company in India
 
Security Testing
Security TestingSecurity Testing
Security TestingQualitest
 
Scalable threat modelling with risk patterns
Scalable threat modelling with risk patternsScalable threat modelling with risk patterns
Scalable threat modelling with risk patternsStephen de Vries
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessmentRavikumar Paghdal
 
Finacle - Secure Coding Practices
Finacle - Secure Coding PracticesFinacle - Secure Coding Practices
Finacle - Secure Coding PracticesInfosys Finacle
 
Hacking mobile apps
Hacking mobile appsHacking mobile apps
Hacking mobile appskunwaratul hax0r
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration TestingNetSPI
 
Api security-testing
Api security-testingApi security-testing
Api security-testingn|u - The Open Security Community
 
Introduction to OWASP & Web Application Security
Introduction to OWASP & Web Application SecurityIntroduction to OWASP & Web Application Security
Introduction to OWASP & Web Application SecurityOWASPKerala
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Christian Schneider
 
From the Frontline of RASP Adoption
From the Frontline of RASP AdoptionFrom the Frontline of RASP Adoption
From the Frontline of RASP AdoptionGoran Begic
 
Agnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itAgnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itSecurity BSides London
 
Injecting simplicity not SQL BSides Las Vegas 2010
Injecting simplicity not SQL BSides Las Vegas 2010Injecting simplicity not SQL BSides Las Vegas 2010
Injecting simplicity not SQL BSides Las Vegas 2010Security Ninja
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure CodingMateusz Olejarka
 

Contenu connexe

Tendances

Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Security Innovation
 
we45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Studywe45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Studywe45
 
Platform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterPlatform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterEqual Experts
 
Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC Rafał Hryniewski
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Security Testing
Security TestingSecurity Testing
Security TestingQualitest
 
Scalable threat modelling with risk patterns
Scalable threat modelling with risk patternsScalable threat modelling with risk patterns
Scalable threat modelling with risk patternsStephen de Vries
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessmentRavikumar Paghdal
 
Finacle - Secure Coding Practices
Finacle - Secure Coding PracticesFinacle - Secure Coding Practices
Finacle - Secure Coding PracticesInfosys Finacle
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration TestingNetSPI
 
Introduction to OWASP & Web Application Security
Introduction to OWASP & Web Application SecurityIntroduction to OWASP & Web Application Security
Introduction to OWASP & Web Application SecurityOWASPKerala
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Christian Schneider
 
From the Frontline of RASP Adoption
From the Frontline of RASP AdoptionFrom the Frontline of RASP Adoption
From the Frontline of RASP AdoptionGoran Begic
 

Tendances (19)

Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
 
Hack through Injections
Hack through InjectionsHack through Injections
Hack through Injections
 
we45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Studywe45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Study
 
Platform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterPlatform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building Better
 
Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC
 
Null meet Code Review
Null meet Code ReviewNull meet Code Review
Null meet Code Review
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
 
OWASP TOP 10
OWASP TOP 10OWASP TOP 10
OWASP TOP 10
 
Step by step guide for web application security testing
Step by step guide for web application security testingStep by step guide for web application security testing
Step by step guide for web application security testing
 
Security Testing
Security TestingSecurity Testing
Security Testing
 
Scalable threat modelling with risk patterns
Scalable threat modelling with risk patternsScalable threat modelling with risk patterns
Scalable threat modelling with risk patterns
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessment
 
Finacle - Secure Coding Practices
Finacle - Secure Coding PracticesFinacle - Secure Coding Practices
Finacle - Secure Coding Practices
 
Hacking mobile apps
Hacking mobile appsHacking mobile apps
Hacking mobile apps
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration Testing
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to OWASP & Web Application Security
Introduction to OWASP & Web Application SecurityIntroduction to OWASP & Web Application Security
Introduction to OWASP & Web Application Security
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
 
From the Frontline of RASP Adoption
From the Frontline of RASP AdoptionFrom the Frontline of RASP Adoption
From the Frontline of RASP Adoption
 

Similaire à SecurityBSides London - Agnitio: it's static analysis but not as we know it

Agnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itAgnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itSecurity BSides London
 
Injecting simplicity not SQL BSides Las Vegas 2010
Injecting simplicity not SQL BSides Las Vegas 2010Injecting simplicity not SQL BSides Las Vegas 2010
Injecting simplicity not SQL BSides Las Vegas 2010Security Ninja
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure CodingMateusz Olejarka
 
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsTen Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsSecuRing
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile WorldDavid Lindner
 
APIsecure 2023 - Understanding and Identifying Threats Against APIs, Shannon ...
APIsecure 2023 - Understanding and Identifying Threats Against APIs, Shannon ...APIsecure 2023 - Understanding and Identifying Threats Against APIs, Shannon ...
APIsecure 2023 - Understanding and Identifying Threats Against APIs, Shannon ...apidays
 
The What, Why, and How of DevSecOps
The What, Why, and How of DevSecOpsThe What, Why, and How of DevSecOps
The What, Why, and How of DevSecOpsCprime
 
securing-your-software-delivery-pipelines-with-a-slight-shift-to-the-left.pdf
securing-your-software-delivery-pipelines-with-a-slight-shift-to-the-left.pdfsecuring-your-software-delivery-pipelines-with-a-slight-shift-to-the-left.pdf
securing-your-software-delivery-pipelines-with-a-slight-shift-to-the-left.pdfMelissa Kaulfuss
 
香港六合彩
香港六合彩香港六合彩
香港六合彩baoyin
 
Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software Shreeraj Shah
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityAnne Oikarinen
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
Make your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More SafeMake your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More SafeThuan Ng
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Integrating security into the application development process
Integrating security into the application development processIntegrating security into the application development process
Integrating security into the application development processJerod Brennen
 
OTG - Practical Hands on VAPT
OTG - Practical Hands on VAPTOTG - Practical Hands on VAPT
OTG - Practical Hands on VAPTshiriskumar
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015devObjective
 

Similaire à SecurityBSides London - Agnitio: it's static analysis but not as we know it (20)

Agnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itAgnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know it
 
Injecting simplicity not SQL BSides Las Vegas 2010
Injecting simplicity not SQL BSides Las Vegas 2010Injecting simplicity not SQL BSides Las Vegas 2010
Injecting simplicity not SQL BSides Las Vegas 2010
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure Coding
 
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsTen Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
APIsecure 2023 - Understanding and Identifying Threats Against APIs, Shannon ...
APIsecure 2023 - Understanding and Identifying Threats Against APIs, Shannon ...APIsecure 2023 - Understanding and Identifying Threats Against APIs, Shannon ...
APIsecure 2023 - Understanding and Identifying Threats Against APIs, Shannon ...
 
Security testautomation
Security testautomationSecurity testautomation
Security testautomation
 
The What, Why, and How of DevSecOps
The What, Why, and How of DevSecOpsThe What, Why, and How of DevSecOps
The What, Why, and How of DevSecOps
 
securing-your-software-delivery-pipelines-with-a-slight-shift-to-the-left.pdf
securing-your-software-delivery-pipelines-with-a-slight-shift-to-the-left.pdfsecuring-your-software-delivery-pipelines-with-a-slight-shift-to-the-left.pdf
securing-your-software-delivery-pipelines-with-a-slight-shift-to-the-left.pdf
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
 
Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software Security
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
 
Make your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More SafeMake your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More Safe
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Integrating security into the application development process
Integrating security into the application development processIntegrating security into the application development process
Integrating security into the application development process
 
OTG - Practical Hands on VAPT
OTG - Practical Hands on VAPTOTG - Practical Hands on VAPT
OTG - Practical Hands on VAPT
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015
 

Plus de Security Ninja

The Realex Payments Application Story
The Realex Payments Application StoryThe Realex Payments Application Story
The Realex Payments Application StorySecurity Ninja
 
Owasp App Sec Ireland Windows Phone 7 Security
Owasp App Sec Ireland Windows Phone 7 SecurityOwasp App Sec Ireland Windows Phone 7 Security
Owasp App Sec Ireland Windows Phone 7 SecuritySecurity Ninja
 
SecurityBSides London - windows phone 7
SecurityBSides London - windows phone 7SecurityBSides London - windows phone 7
SecurityBSides London - windows phone 7Security Ninja
 
OWASP Birmingham - Mobile Application Security
OWASP Birmingham - Mobile Application SecurityOWASP Birmingham - Mobile Application Security
OWASP Birmingham - Mobile Application SecuritySecurity Ninja
 
BruCON Agnitio Workshop
BruCON Agnitio WorkshopBruCON Agnitio Workshop
BruCON Agnitio WorkshopSecurity Ninja
 
SecurityBSides las vegas - Agnitio
SecurityBSides las vegas - AgnitioSecurityBSides las vegas - Agnitio
SecurityBSides las vegas - AgnitioSecurity Ninja
 
Hack in Paris - Agnitio
Hack in Paris - AgnitioHack in Paris - Agnitio
Hack in Paris - AgnitioSecurity Ninja
 
SecurityBSides London - Jedi mind tricks for building application security pr...
SecurityBSides London - Jedi mind tricks for building application security pr...SecurityBSides London - Jedi mind tricks for building application security pr...
SecurityBSides London - Jedi mind tricks for building application security pr...Security Ninja
 
The Principles of Secure Development - Epicenter Dublin
The Principles of Secure Development - Epicenter DublinThe Principles of Secure Development - Epicenter Dublin
The Principles of Secure Development - Epicenter DublinSecurity Ninja
 
Application security and PCI DSS
Application security and PCI DSSApplication security and PCI DSS
Application security and PCI DSSSecurity Ninja
 
The Security Risks of Web 2.0 - DEF CON 17
The Security Risks of Web 2.0 - DEF CON 17The Security Risks of Web 2.0 - DEF CON 17
The Security Risks of Web 2.0 - DEF CON 17Security Ninja
 
Developing secure web applications
Developing secure web applicationsDeveloping secure web applications
Developing secure web applicationsSecurity Ninja
 
The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009Security Ninja
 
The Principles of Secure Development
The Principles of Secure DevelopmentThe Principles of Secure Development
The Principles of Secure DevelopmentSecurity Ninja
 
Owasp talk-november-08
Owasp talk-november-08Owasp talk-november-08
Owasp talk-november-08Security Ninja
 

Plus de Security Ninja (16)

Hack in Paris 2013
Hack in Paris 2013Hack in Paris 2013
Hack in Paris 2013
 
The Realex Payments Application Story
The Realex Payments Application StoryThe Realex Payments Application Story
The Realex Payments Application Story
 
Owasp App Sec Ireland Windows Phone 7 Security
Owasp App Sec Ireland Windows Phone 7 SecurityOwasp App Sec Ireland Windows Phone 7 Security
Owasp App Sec Ireland Windows Phone 7 Security
 
SecurityBSides London - windows phone 7
SecurityBSides London - windows phone 7SecurityBSides London - windows phone 7
SecurityBSides London - windows phone 7
 
OWASP Birmingham - Mobile Application Security
OWASP Birmingham - Mobile Application SecurityOWASP Birmingham - Mobile Application Security
OWASP Birmingham - Mobile Application Security
 
BruCON Agnitio Workshop
BruCON Agnitio WorkshopBruCON Agnitio Workshop
BruCON Agnitio Workshop
 
SecurityBSides las vegas - Agnitio
SecurityBSides las vegas - AgnitioSecurityBSides las vegas - Agnitio
SecurityBSides las vegas - Agnitio
 
Hack in Paris - Agnitio
Hack in Paris - AgnitioHack in Paris - Agnitio
Hack in Paris - Agnitio
 
SecurityBSides London - Jedi mind tricks for building application security pr...
SecurityBSides London - Jedi mind tricks for building application security pr...SecurityBSides London - Jedi mind tricks for building application security pr...
SecurityBSides London - Jedi mind tricks for building application security pr...
 
The Principles of Secure Development - Epicenter Dublin
The Principles of Secure Development - Epicenter DublinThe Principles of Secure Development - Epicenter Dublin
The Principles of Secure Development - Epicenter Dublin
 
Application security and PCI DSS
Application security and PCI DSSApplication security and PCI DSS
Application security and PCI DSS
 
The Security Risks of Web 2.0 - DEF CON 17
The Security Risks of Web 2.0 - DEF CON 17The Security Risks of Web 2.0 - DEF CON 17
The Security Risks of Web 2.0 - DEF CON 17
 
Developing secure web applications
Developing secure web applicationsDeveloping secure web applications
Developing secure web applications
 
The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009
 
The Principles of Secure Development
The Principles of Secure DevelopmentThe Principles of Secure Development
The Principles of Secure Development
 
Owasp talk-november-08
Owasp talk-november-08Owasp talk-november-08
Owasp talk-november-08
 

Dernier

SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 

Dernier (20)

SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 

SecurityBSides London - Agnitio: it's static analysis but not as we know it

  • 1. David Rook Agnitio It’s static analysis, but not as we know it SecurityBSides, London
  • 2. if (slide == introduction) System.out.println("I’m David Rook"); • Security Analyst, Realex Payments, Ireland CISSP, CISA, GCIH and many other acronyms • Security Ninja (www.securityninja.co.uk) • Speaker at international security conferences • Nominated for multiple blog awards • A mentor in the InfoSecMentors project • Developed and released Agnitio
  • 3. Agenda • What is static analysis? • Security code reviews: the good, the bad and the ugly • The principles of secure development • Agnitio: It’s static analysis, but not as we know it • A sneak preview of Agnitio v2.0
  • 4. Static analysis • What do I mean by static analysis? • A review of source code without executing the application • Can be either manual or automated through one or more tools • Human and/or tools analysing application source code
  • 5. Static analysis • Wetware or software? • Humans are needed with or without static analysis tools • The best thing about humans is that they aren’t software • The worst thing about humans is that they are humans
  • 6. Static analysis • Wetware or software? http://www.ibm.com/developerworks/rational/library/11-proven-practices-for-peer-review/index.html?sf1100063=1
  • 7. Static analysis • Wetware or software? http://www.ibm.com/developerworks/rational/library/11-proven-practices-for-peer-review/index.html?sf1100063=1
  • 8. Static analysis • Wetware or software? • Tools can cover more code in less time than a human • The best thing about software is that it isn’t human • The worst thing about software is that it’s software
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
  • 14.
  • 15.
  • 16. The ugly security code reviews • “Ugly reviews” implies you do actually review code • An unplanned magical mystery tour at the end of the SDLC • Unstructured, not repeatable and heavily reliant on C H N O 8 10 4 2 • Too late in the SDLC making findings very expensive to fix • Completely manual process, no tools used during reviews • No audit trails, no metrics........no security? • Better than nothing?
  • 17. The bad security code reviews • “Bad reviews” might be fine for some companies • A single planned code review in your SDLC • Some structure, normally based on finding the OWASP top 10 • Still too late in the SDLC making findings very expensive to fix • Some automation, usually basic code analysis tools • Basic audit trails still no metrics so hard to measure “anything” • Better than ugly reviews, might be fine for some companies
  • 18. The good security code reviews • “Good reviews” don’t happen by accident • Multiple reviews defined as deliverables in your SDLC • Structured, repeatable process with management support • Reviews are exit criteria for the development and test phases • Automation used where useful freeing up the reviewer • Ability to produce reports, metrics and measure improvements • External validation of the review process and SDLC
  • 19. The principles of secure development • What are the principles of secure development?
  • 20. The principles of secure development • We put the cart before the application security horse • Security guys tell developers about specific vulnerabilities • We hope they figure out how to prevent them • Inevitably security flaws end up in live code • Security guys complain when data gets stolen
  • 21. The principles of secure development • What if we taught drivers in the same way? • Instructor tells driver about the different ways to crash • We hope the driver figures out how not to crash • Inevitably the driver will crash • People complain when they get crashed into
  • 22. The principles of secure development • Many lists of vulnerabilities • OWASP Top 10 • White Hat Sec Top 10 • SANS Top 25 • Others??
  • 23. The principles of secure development Failure to Preserve Web Page Structure Failure to Preserve SQL Query Structure Reliance on Untrusted Inputs in a Security Decision Missing Encryption of Sensitive Data Incorrect Calculation of Buffer Size Improper Control of Filename for Include/Require Statement in PHP Program URL Redirection to Untrusted Site Buffer Copy without Checking Size on Input Content Spoofing Allocation of Resource Without Limits or Throttling Cross Site Request Forgery Information Leakage Injection Flaws Cross Site Scripting Improper Check for Unusual or Exceptional Conditions Insufficient Transport Layer Protection Failure to Preserve OS Command Structure Insufficient Authorisation Improper Limitation of a Pathname to a Restricted Directory Improper Access Control Insufficient Authentication Insecure Cryptographic Storage Race Condition Use of Hard-coded Credentials Session Management Insecure Direct Object Reference Improper Validation of Array Index Information Exposure Through an Error Message Abuse of Functionality Predictable Resource Location Download of Code Without Integrity Check Failure to Restrict URL Access Unvalidated Redirects and Forwards Buffer Access with Incorrect Length Value Security Misconfiguration SQL Injection Unrestricted Upload of File with Dangerous Type Broken Authentication Missing Authentication for Critical Function Integer Overflow or Wraparound Use of a Broken or Risky Cryptographic Algorithm Incorrect Permission Assignment for Critical Resource
  • 24. The principles of secure development • Many lists of vulnerabilities • OWASP Top 10 • White Hat Sec Top 10 • SANS Top 25 • Others?? • != Secure development guidance • 45 vulnerabilities, 41 unique names • Training courses etc based on these lists
  • 25. Philosophical Application Security Give a man a fish and you feed him for a day, teach him to fish and you feed him for a lifetime. I want to apply this to secure development education: Teach a developer about a vulnerability and he will prevent it, teach him how to develop securely and he will prevent many vulnerabilities.
  • 26. What we need to do • Put the application security horse before the cart • Security guys tell developers how to write secure code • Developer doesn’t need to guess anymore • Common vulnerabilities prevented in applications • Realistic or just a caffeine fueled dream?
  • 27. The current approach Principles of Secure Development Failure to Preserve Web Page Structure Failure to Preserve SQL Query Structure Reliance on Untrusted Inputs in a Security Decision Secure Communications Missing Encryption of Sensitive Data Incorrect Calculation of Buffer Size Output Validation Improper Control of Filename for Include/Require Statement in PHP Program URL Redirection to Untrusted Site Buffer Copy without Checking Size on Input Content Spoofing Allocation of Resource Without Limits or Throttling Input Validation Cross Site Request Forgery and Logging Auditing Information Leakage Injection Flaws Cross Site Scripting Improper Check for Unusual or Exceptional Conditions Insufficient Transport Layer Protection Failure to Preserve OS Command Structure Authorisation Insufficient Authorisation Improper Limitation of a Pathname to a Restricted Directory Session Management Insecure Cryptographic Storage Improper Access Control Insufficient Authentication Race Condition Use of Hard-coded Credentials Session Management Insecure Direct Object Reference Improper Validation of Array Index Error Handling Secure Resource Access Information Exposure Through an Error Message Abuse of Functionality Predictable Resource Location Download of Code Without Integrity Check Failure to Restrict URL Access Unvalidated Redirects and Forwards Buffer Access with Incorrect Length Value Security Misconfiguration SQL Injection Authentication Unrestricted Upload of File with Dangerous Type Broken Authentication Missing Authentication for Critical Function Integer Overflow or Wraparound Secure Storage a Broken or Risky Cryptographic Algorithm Use of Incorrect Permission Assignment for Critical Resource
  • 28. Agnitio • What is Agnitio? • Tool to help with manual static analysis • Checklist based with reviewer & developer guidance • Produces audit trails & enforces integrity checks • Single tool for security code review reports & metrics
  • 29. Agnitio • Why did I develop Agnitio? • Even if your review process is good it might not be smart • Is your review process really repeatable and easy to audit? • How about producing metrics, useful reports & integrity checks? • No? That’s why I developed Agnitio!
  • 30. Agnitio • Why did I develop Agnitio? • My own review process was good but it wasn’t smart • Minimum of 2 code reviews per release • Three pieces of evidence produced per review • One central Excel sheet for metrics and “audit” trail
  • 31. Why did I develop Agnitio? • 2 reviews, 3 deliverables x ~200 releases in 2010 x2 x1 x2 x1
  • 32. Why did I develop Agnitio? • 2 reviews: 3 deliverables x ~200 releases in 2010 • 400 security code reviews x 10
  • 33. Why did I develop Agnitio? • Demonstration: security code reviews
  • 34. Why did I develop Agnitio? • 2 reviews: 3 deliverables x ~200 releases in 2010 • Minimum of 4 Word documents per release x 10
  • 35. Why did I develop Agnitio? • Demonstration: security code review reports
  • 36. Why did I develop Agnitio? • 2 reviews: 3 deliverables x ~200 releases in 2010 • Note pad file per release with notes, LOC etc x 10
  • 37. Why did I develop Agnitio? • Demonstration: application security metrics
  • 38. Why did I develop Agnitio?
  • 39. Agnitio v2.0 • Automated code analysis module linked to checklist • Data editor for developer and checklist guidance text • Checklist and guidance in multiple languages • Plus lots of user suggested changes!
  • 40. Agnitio v2.0 • Agnitio v2.0 super early, Alpha demonstration
  • 41. My “shoot for the moon” vision for Agnitio “we pretty much need a Burp Pro equivalent for Static Analysis – awesome, powerful in the right hands, and completely affordable!” http://www.securityninja.co.uk/application-security/can-you-implement-static-analysis-without-breaking-the-bank/comment-page-1#comment-9777
  • 42. Using the principles and Agnitio • How you can apply the principles approach • Download principles documentation from Security Ninja • Focus secure development training on code not exploits • Use your language/s in all code examples • Use Agnitio to conduct principles based security code reviews • Tie all security findings back to specific principles
  • 43. QUESTIONS? www.securityninja.co.uk @securityninja /realexninja /securityninja /realexninja