Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Points Methodology To Get Your Applications in Top Security Shape

Security Code Reviews
Does Your Code Need an Open Heart Surgery?
6-Points Strategy to Get Your Application in Security Shape

Sherif Koussa
OWASP Ottawa Chapter Leader
OWASP Static Analysis Tools Evaluation Criteria Project Leader
Application Security Specialist - Software Secured

Copyright 2007 © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.

The OWASP Foundation
http://www.owasp.org

Saturday, 13 April, 13

2011 Bio
Static Analysis Code Evaluation Criteria
Project Lead

2008
Steering Committee Member
GSSP-Java, GSSP-Net
DEV-541, DEV0544, SEC540

2007 Softwar S cur

OWASP Chapter Leader
WebGoat 5.0 Developer
OWASP 2

Saturday, 13 April, 13 2

The 6 Points Strategy to
Get Your Applications Back
in Top Security Shape...

OWASP 3


1. DRASTIC CHANGES
NEED DRASTIC MEASURES!
Get to the bottom of things quickly!

OWASP 4


Open Heart Surgery

Steps:

OWASP 5


Open Heart Surgery

Steps:
Step 1: Sawing Through the Sternum
Step 2: Working on the Heart
Step 3: Putting the Sternum Back Together
Step 4: Stitching Up the Skin

OWASP 5


Open Heart Surgery

Steps:

Causes:

OWASP 5


Open Heart Surgery

Steps:

Causes:
Repair or replace heart valves, which control blood flow through the heart
Repair abnormal or damaged structures in the heart
Implant medical devices that help control the heartbeat or support heart
function and blood flow
Replace a damaged heart with a healthy heart from a donor

OWASP 5


Open Code Surgery (AKA Code Review)

OWASP 6



Why Security Code Reviews:

OWASP 6



Why Security Code Reviews:

Effectiveness of Security Controls Against Known Threats
Testing All Application Execution Paths
Find All Instances of a Certain Vulnerability
The Only Way to Find Certain Types of Vulnerabilities
Effective Remediation Instructions

OWASP 6


Code Review Types

Peer Security Code Review: peer code reviews combined
with secure coding best practices.
Automatic Security Code Review: running a static code
analysis tool.
Modular Review: pure manual code review line by line.
Ad-hoc Security Code Review: security done on selected
modules of the application.
Source-Code Driven Code Review: Full code review
process combined with penetration testing.

OWASP 7


2. COVER THE BASICS FIRST
Don’t run before you can walk!

OWASP 8


OWASP Top 10 - 2010 OWASP Top 10 - 2013
A1. Injection

A2. Cross-Site Scripting

A3. Broken Authentication and
Session Management

A4. Insecure Direct Object
References

A5. Cross-Site Request Forgery

A6. Security Misconfiguration

A7. Insecure Cryptographic Storage

A8. Failure to Restrict URL Access

A9. Insufficient Transport Layer
Protection

A10. Unvalidated Redirects and
Forwards

OWASP 9
2010 Modified New


OWASP Top 10 - 2010 OWASP Top 10 - 2013
A1. Injection A1. Injection

A2. Cross-Site Scripting A2. Broken Authentication and
Session Management
Session Management A3. Cross-Site Scripting

A4. Insecure Direct Object A4. Insecure Direct Object
References References

A5. Cross-Site Request Forgery

A6. Sensitive Data Exposure
A7. Missing Function Level Access
A7. Insecure Cryptographic Storage Control

A8. Failure to Restrict URL Access A8. Cross-Site Request Forgery

A9. Insufficient Transport Layer A9. Using Known Vulnerable
Protection Components

A10. Unvalidated Redirects and A10. Unvalidated Redirects and
Forwards Forwards

OWASP 9
2010 Modified New


Veracode Report - 2011 OWASP Top 10 - 2013
A1. Injection

A3
Session Management
A6

A3

A4. Insecure Direct Object References
A6

A4

A1 A3 ...

A1 A7. Missing Function Level Access Control

A9 A8. Cross-Site Request Forgery

A2 A9. Using Known Vulnerable Components

A10. Unvalidated Redirects and Forwards

A9

OWASP 10
2010 Modified New


Trustwave Report - 2013 OWASP Top 10 - 2013
A1. Injection

Session Management


A4. Insecure Direct Object References
A1


A4
A3

A7
A7. Missing Function Level Access Control
A8

A4

A10 A9. Using Known Vulnerable Components

A9

OWASP 11
2010 Modified New


Whitehat Report - 2012 OWASP Top 10 - 2013
A3

A1. Injection

A6
Session Management

A3

A4 A7 A4. Insecure Direct Object References

A7


A4 A7
A7. Missing Function Level Access Control


A9. Using Known Vulnerable Components
A1

A2

A2 OWASP 12
2010 Modified New


3.FOCUS ON WHAT MATTERS
Really...focus on what matters!

OWASP 13


Effective Security Code Review Process

Reconnaissance: Understand the application
Threat Assessment: Enumerate inputs, threats and
attack surface
Automation: Low hanging fruits
Manual Review: High-risk modules
Confirmation & PoC: Confirm high-risk vulnerabilities.
Reporting: Communicate back to the development team

OWASP 14


Code Review Process Reconnaissance!
Effective Security

Threat
Reporting!
Assessment!
Security
Checklist!
Skills!

Tools!

Conﬁrmation &
Automation!
PoC!

Manual Review!
OWASP 15


Reconnaissance
What REALLY Matters?
Business Walkthrough: will
get you right to the assets and
the core business goal Reconnaissance!

Threat
Reporting!
Assessment!

Technical Walkthrough: will Security
Skills!
Checklist!

get you right to the Tools!

vulnerabilities Conﬁrmation &
PoC!
Automation!

Manual Review!

Roles: better understand the
application and attack surface

OWASP 16


Threat & Risk Modeling
What REALLY Matters?
A library of Vulnerabilities/Threats
Industry based
Risk Based Reconnaissance!

Threat
Reporting!
Assessment!
Security

Thorough Understanding of Assets
Checklist!
Skills!

Tools!

Conﬁrmation &
Automation!
PoC!

Manual Review!
e
od

Att
C

ac
ble

k
Lib
era

rar
ln
Vu

y

Assets
OWASP 17


Automation:
What REALLY Matters - Fitted Tool
Static Analysis Tools Evaluation Criteria
Deployment Model
Technology Support Reconnaissance!

Scan, Command and Control Support Reporting!
Threat
Assessment!

Product Signature Update Security
Skills!
Checklist!

Triage and Remediation Support
Tools!

Conﬁrmation &
Automation!
PoC!

Reporting Capabilities Manual Review!

Enterprise Level Support

Find more at http://projects.webappsec.org/w/page/41188978/Static Analysis Tools
Evaluation Criteria

OWASP 18


Automation:
What REALLY Matters - 3rd Party Libs
3rd Party Libraries Discovery.
DependencyCheck (https://github.com/jeremylong/DependencyCheck)

Reconnaissance!

Threat
Reporting!
Assessment!
Security
Checklist!
Skills!

Tools!

Conﬁrmation &
Automation!
PoC!

Manual Review!

OWASP 19


4. GET YOUR HANDS DIRTY!
No pain...no gain...

OWASP 20


What Needs Manual Review?
This REALLY Matters!

Authentication & Authorization Controls Reconnaissance!

Encryption Modules Reporting!
Threat
Assessment!

File Upload and Download Operations
Security
Checklist!
Skills!

Tools!

Validation ControlsInput Filters Conﬁrmation &
PoC!
Automation!

Security-Sensitive Application Logic Manual Review!

OWASP 21


Authentication and Authorization
Controls

OWASP 22


Authentication and Authorization
Controls

WebMethods Don’t Follow
Regular ASP.net Page Lifecycle
OWASP 22


Encryption Modules

OWASP 23


Encryption Modules

There is a possibility of
returning empty hashes on
error

OWASP 23


Security Controls

OWASP 24


Security Controls

Directory traversal is
possible on post-back.

OWASP 24


5. GET YOUR B-17 FIX!
Gain strategic advantage over the attackers...

OWASP 25


Checklists Advances Technology

Aviation:
Model 299-1934: “Too much airplane for one man to ﬂy”.

B-17 plane (Model 299 Successor) gave the U.S. major
strategic advantage in WWII

Intensive Care Units:
Usage of checklists brought down infection rates in
Michigan by 66%

OWASP 26


Resources To Conduct Your
Checklist
NIST Checklist Project
 http://checklists.nist.gov/

Mozilla’s Secure Coding QA Checklist
 https://wiki.mozilla.org/WebAppSec/Secure_Coding_QA_Checklist

Oracle’s Secure Coding Checklist -
 http://www.oracle.com/technetwork/java/seccodeguide-139067.html

MSDN Managed Code Checklist
 http://msdn.microsoft.com/en-us/library/ff648189.aspx

OWASP 27


6. FINISH STRONG!
Flex your communications muscles!

OWASP 28


Reporting
SQL Injection:
Weakness Metadata
Location: sourceACMEPortalupdateinfo.aspx.cs:
Thorough Description
Description: The code below is build dynamic sql
Recommendation statement using unvalidated data (i.e. name) which can
lead to SQL Injection
Assign Appropriate 51 SqlDataAdapter myCommand = new
SqlDataAdapter(
Priority 52 "SELECT au_lname, au_fname FROM author
WHERE au_id = '" +
53 SSN.Text + "'", myConnection);

Reconnaissance!
Priority: High
Threat
Reporting!
Assessment! Recommendation: Use parameterized SQL
Security
Skills!
Checklist!
instead of dynamic concatenation, refer to http://
Tools!
msdn.microsoft.com/en-us/library/ff648339.aspx for
Conﬁrmation &
Automation!
details.
PoC!

Manual Review!
Owner: John Smith

OWASP 29


The 6-Points Strategy...

1. Drastic Changes Requires Drastic Measures.
2. Cover The Basics First.
3. Focus on What Matters.
4. Get Your Hands Dirty.
5. Get Your B-17 Fix.
6. Finish Strong.

OWASP 30


QUESTIONS?
sherif.koussa@owasp.org
sherif@softwaresecured.com

OWASP 31


Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Points Methodology To Get Your Applications in Top Security Shape

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Points Methodology To Get Your Applications in Top Security Shape

Similaire à Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Points Methodology To Get Your Applications in Top Security Shape (20)

Dernier

Dernier (20)

Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Points Methodology To Get Your Applications in Top Security Shape