Securing your web applications a pragmatic approach
6. Open Heart Surgery
Steps:
Step 1: Sawing Through the Sternum
Step 2: Working on the Heart
Step 3: Putting the Sternum Back Together
Step 4: Stitching Up the Skin
Causes:
Repair or replace heart valves, which control blood flow through the heart
Repair abnormal or damaged structures in the heart
Implant medical devices that help control the heartbeat or support heart function and blood flow
Replace a damaged heart with a healthy heart from a donor
OWASP 5
Saturday, 13 April, 13
11. Open Code Surgery (AKA Code Review)
Why Security Code Reviews:
Effectiveness of Security Controls Against Known Threats
Testing All Application Execution Paths
Find All Instances of a Certain Vulnerability
The Only Way to Find Certain Types of Vulnerabilities
Effective Remediation Instructions
13. Code Review Types
Peer Security Code Review: peer code reviews combined with secure coding best practices.
Automatic Security Code Review: running a static code analysis tool.
Modular Review: pure manual code review, line by line.
Ad-hoc Security Code Review: security review done on selected modules of the application.
Source-Code Driven Code Review: full code review process combined with penetration testing.
15. 2. COVER THE BASICS FIRST
Don’t run before you can walk!
16. OWASP Top 10 - 2010 vs OWASP Top 10 - 2013
OWASP Top 10 - 2010                               | OWASP Top 10 - 2013
A1. Injection                                     | A1. Injection
A2. Cross-Site Scripting                          | A2. Broken Authentication and Session Management
A3. Broken Authentication and Session Management  | A3. Cross-Site Scripting
A4. Insecure Direct Object References             | A4. Insecure Direct Object References
A5. Cross-Site Request Forgery                    | A5. Security Misconfiguration
A6. Security Misconfiguration                     | A6. Sensitive Data Exposure
A7. Insecure Cryptographic Storage                | A7. Missing Function Level Access Control
A8. Failure to Restrict URL Access                | A8. Cross-Site Request Forgery
A9. Insufficient Transport Layer Protection       | A9. Using Known Vulnerable Components
A10. Unvalidated Redirects and Forwards           | A10. Unvalidated Redirects and Forwards
Legend: 2010, Modified, New
19. Veracode Report - 2011 vs OWASP Top 10 - 2013
[Figure: the Veracode 2011 report's top findings mapped onto the OWASP Top 10 - 2013 categories]
20. Trustwave Report - 2013 vs OWASP Top 10 - 2013
[Figure: the Trustwave 2013 report's top findings mapped onto the OWASP Top 10 - 2013 categories]
21. Whitehat Report - 2012 vs OWASP Top 10 - 2013
[Figure: the Whitehat 2012 report's top findings mapped onto the OWASP Top 10 - 2013 categories]
22. 3.FOCUS ON WHAT MATTERS
Really...focus on what matters!
23. Effective Security Code Review Process
Reconnaissance: understand the application
Threat Assessment: enumerate inputs, threats and attack surface
Automation: low-hanging fruit
Manual Review: high-risk modules
Confirmation & PoC: confirm high-risk vulnerabilities
Reporting: communicate back to the development team
25. Reconnaissance
What REALLY Matters?
Business Walkthrough: will get you right to the assets and the core business goal
Technical Walkthrough: will get you right to the vulnerabilities
Roles: better understand the application and attack surface
[Figure: process wheel - Reconnaissance, Threat Assessment, Automation, Manual Review, Confirmation & PoC, Reporting - with Security Skills, Checklist and Tools at the centre]
26. Threat & Risk Modeling
What REALLY Matters?
A library of Vulnerabilities/Threats
Industry based
Risk based
Thorough Understanding of Assets
[Figure: diagram with the labels Vulnerable Code, Attack Library and Assets]
27. Automation: What REALLY Matters - Fitted Tool
Static Analysis Tools Evaluation Criteria
Deployment Model
Technology Support
Scan, Command and Control Support
Product Signature Update
Triage and Remediation Support
Reporting Capabilities
Enterprise Level Support
Find more at http://projects.webappsec.org/w/page/41188978/Static Analysis Tools Evaluation Criteria
28. Automation: What REALLY Matters - 3rd Party Libs
3rd Party Libraries Discovery.
DependencyCheck (https://github.com/jeremylong/DependencyCheck)
29. 4. GET YOUR HANDS DIRTY!
No pain...no gain...
42. Security Controls
Directory traversal is possible on post-back.
43. 5. GET YOUR B-17 FIX!
Gain strategic advantage over the attackers...
44. Checklists Advance Technology
Aviation:
Model 299 (1934): “Too much airplane for one man to fly”.
The B-17 (successor to the Model 299) gave the U.S. a major strategic advantage in WWII.
Intensive Care Units:
Usage of checklists brought down infection rates in Michigan by 66%.
46. 6. FINISH STRONG!
Flex your communications muscles!
47. Reporting
Report elements: Weakness Metadata, Thorough Description, Recommendation, Assign Appropriate Priority.
SQL Injection:
Location: source\ACMEPortal\updateinfo.aspx.cs
Description: The code below builds a dynamic SQL statement using unvalidated data (i.e. name), which can lead to SQL Injection.
    SqlDataAdapter myCommand = new SqlDataAdapter(
        "SELECT au_lname, au_fname FROM author WHERE au_id = '" +
        SSN.Text + "'", myConnection);
Priority: High
Recommendation: Use parameterized SQL instead of dynamic concatenation, refer to http://msdn.microsoft.com/en-us/library/ff648339.aspx for details.
Owner: John Smith
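The finding above as an added example, not code from the original slides: the concatenated query beside the parameterized replacement the recommendation asks for, in C# with the classic System.Data.SqlClient provider (the 11-character width of au_id is an assumption about the sample schema).

```csharp
// Added example: the reported SQL injection and its parameterized fix.
using System.Data;
using System.Data.SqlClient;

public static class AuthorLookup
{
    // BEFORE: the pattern flagged in the report. The user-supplied value is
    // pasted into the SQL text, so a quote character ends the string literal
    // and whatever follows is parsed as SQL rather than as data.
    public static DataTable FindVulnerable(SqlConnection conn, string ssn)
    {
        var adapter = new SqlDataAdapter(
            "SELECT au_lname, au_fname FROM author WHERE au_id = '" + ssn + "'",
            conn);
        var table = new DataTable();
        adapter.Fill(table);
        return table;
    }

    // AFTER: the SQL text is fixed at compile time and the value is sent as a
    // typed parameter. The driver never splices it into the statement, so the
    // same input that broke the query above is simply a value that matches no row.
    public static DataTable FindParameterized(SqlConnection conn, string ssn)
    {
        var cmd = new SqlCommand(
            "SELECT au_lname, au_fname FROM author WHERE au_id = @id", conn);
        // Assumed column width; declaring the type and length also blocks
        // oversized input before it reaches the server.
        cmd.Parameters.Add("@id", SqlDbType.VarChar, 11).Value = ssn;
        var adapter = new SqlDataAdapter(cmd);
        var table = new DataTable();
        adapter.Fill(table);
        return table;
    }
}
```

The review checklist item this supports is mechanical: every SqlCommand or SqlDataAdapter whose command text is built with string concatenation of request data is a finding, regardless of what validation sits in front of it.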
48. The 6-Points Strategy...
1. Drastic Changes Require Drastic Measures.
2. Cover The Basics First.
3. Focus on What Matters.
4. Get Your Hands Dirty.
5. Get Your B-17 Fix.
6. Finish Strong.
49. QUESTIONS?
sherif.koussa@owasp.org
sherif@softwaresecured.com