Simplifying Secure Code Reviews
Sherif Koussa
sherif@softwaresecured.com

BSides Quebec 2013
Software Secured

Monday, 3 June, 13
(Slide graphic: Development Teams and Security Teams.)
Bio

Timeline: 2007, 2009, 2011, 2013 (slide graphic; milestone labels not recoverable from the extracted text)

Principal Consultant @ SoftwareSecured
✓ Application Security Assessment
✓ Application Security Assurance Program Implementation
✓ Application Security Training
Take Aways

➡ Role of Security Code Review
➡ Effective Process
➡ Simplified Process
➡ Key Tools to Use
What This Presentation is NOT...

➡ Ground Breaking Research
➡ New Tool
➡ How to Fix Vulnerabilities
What IS Security Code Review?

➡ The Inspection of Source Code to Find Security Weakness
➡ Integrated Activity into Software Development Lifecycle
➡ Cross-Team Integration
  ➡ Development Teams
  ➡ Security Teams
  ➡ Project/Risk Management
➡ Systematic Approach to Uncover Security Flaws
Why Security Code Reviews

➡ Effectiveness of Security Controls
➡ Exercise all code paths
➡ All instances of a vulnerability
➡ Find design flaws
➡ Remediation Instructions
Effective Security Code Review Process

➡ Reconnaissance
➡ Threat Modeling
➡ Automation
➡ Manual Review
➡ Confirmation & Proof-Of-Concept
➡ Reporting
Full SCR Process

(Slide diagram, built up step by step: the six phases below, with Skills, Checklists and Tools supporting all of them.)

➡ Reconnaissance
  • Business Goals
  • Technology Stack
  • Use Case Scenarios
  • Network Deployment
➡ Threat Modeling
  • Decompose Application
  • Attack Surface
  • Major Security Controls
➡ Automation
  • Low Hanging Fruit
  • Hot Spots
  • Missed Functionalities
  • Abandoned Code
➡ Manual Review
  • Security Controls
  • High Profile Code
  • Custom Rules
➡ Confirmation & PoC
  • Confirmation
  • Evidence
➡ Reporting
  • Risk Rating
  • Role Based
  • Remediation Instructions

Supporting elements: Skills, Checklists, Tools
Simplified Security Code Review Process

(Slide diagram: the full process is collapsed to the steps below.)

➡ Trust Boundary Identification
➡ OWASP Top 10
➡ Automation
➡ Manual Review
➡ Reporting
➡ Tools
➡ Checklists
Usages of Simplified Security Code Review

➡ Ideal for Introducing Development Teams To Security Code Reviews
➡ Crossing The Gap Between Security and Development Teams
Skills - OWASP Top 10

➡ A1 Injection
➡ A2 Broken Authentication and Session Management
➡ A3 Cross-Site Scripting (XSS)
➡ A4 Insecure Direct Object References
➡ A5 Security Misconfiguration
➡ A6 Sensitive Data Exposure
➡ A7 Missing Function Level Access Control
➡ A8 Cross-Site Request Forgery (CSRF)
➡ A9 Using Known Vulnerable Components
➡ A10 Unvalidated Redirects and Forwards
OWASP TOP 10 - 2010 vs OWASP TOP 10 - 2013

OWASP TOP 10 - 2010                               OWASP TOP 10 - 2013
A1. Injection                                     A1. Injection
A2. Cross-Site Scripting                          A2. Broken Authentication and Session Management
A3. Broken Authentication and Session Management  A3. Cross-Site Scripting
A4. Insecure Direct Object References             A4. Insecure Direct Object References
A5. Cross-Site Request Forgery                    A5. Security Misconfiguration
A6. Security Misconfiguration                     A6. Sensitive Data Exposure
A7. Insecure Cryptographic Storage                A7. Missing Function Level Access Control
A8. Failure to Restrict URL Access                A8. Cross-Site Request Forgery
A9. Insufficient Transport Layer Protection       A9. Using Known Vulnerable Components
A10. Unvalidated Redirects and Forwards           A10. Unvalidated Redirects and Forwards

(On the slide the 2013 entries are colour-coded as Modified or New; the colouring is not preserved here.)
Veracode Report - 2011

(Slide graphic: the report's top vulnerability categories mapped onto the OWASP TOP 10 - 2013 list; the mapping is not recoverable from the extracted text.)
Trustwave Report - 2013

(Slide graphic: the report's top vulnerability categories mapped onto the OWASP TOP 10 - 2013 list; the mapping is not recoverable from the extracted text.)
Whitehat Report - 2012

(Slide graphic: the report's top vulnerability categories mapped onto the OWASP TOP 10 - 2013 list; the mapping is not recoverable from the extracted text.)
Define Trust Boundary

(Simplified process diagram with the Trust Boundary Identification step highlighted.)
Trust Boundary - Example

(Slide diagram, built up over several slides: an example deployment with its trust boundaries drawn in. Components shown: Browser, Mobile Client, SOAP Client, Internet, LAN, Web Services, Front Controller, Admin Front Controller, View, Business Objects, Data Access Layer, DB, LDAP, File System.)
Trust Boundary - OWASP Top 10

(Slide diagram, built up over several slides: the example architecture above with the OWASP Top 10 - 2013 categories placed at the trust boundaries where each applies; the placement is not recoverable from the extracted text.)

➡ A1 Injection
➡ A2 Broken Authentication and Session Management
➡ A3 Cross-Site Scripting (XSS)
➡ A4 Insecure Direct Object References
➡ A5 Security Misconfiguration
➡ A6 Sensitive Data Exposure
➡ A7 Missing Function Level Access Control
➡ A8 Cross-Site Request Forgery (CSRF)
➡ A9 Using Known Vulnerable Components
➡ A10 Unvalidated Redirects and Forwards
How Can You Identify Trust Boundary?

➡ File Extensions: *.jsp, *.aspx.cs, *.sql, *.txt, *DAL.*, etc.
➡ Implementations: HttpServlet, JAXMServlet, *.master.cs, etc.
➡ Imports: Import System.Data.SqlClient, import javax.servlet.http.*, etc.
➡ Tools: Spiders' output
➡ Annotations: @WebMethods, @WebService
Making Unsecure Code Look Unsecure - cc/Joel Spolsky

➡ Physical Source Code Separation.
➡ File Naming Scheme:
  ➡ Trust Boundary Safe: tbsProcessNameChange.java
  ➡ Trust Boundary UnSafe: tbuEditProfile.jsp
➡ Variable Naming Convention:
  ➡ String usEmail = Request.getParameter("email");
  ➡ String sEmail = Validate(Request.getParameter("email"));
Automation

(Simplified process diagram with the Automation step highlighted.)

Automation - Static Code Analysis

Pros                      Cons
Scales Well               False Positives
Low Hanging Fruit         Application Logic Issues
Could Be Customized       Collections / Frameworks
Scripts

➡ Complement Static Code Analysis Tools.
➡ 3rd Party Libraries Discovery.
➡ Data Input Sources (e.g. web services)
➡ Tracing Data Through Collections (e.g. Session, Request, Collection)
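The trust-boundary indicators listed two slides up (file extensions, servlet implementations, imports, annotations) and the reads from Request/Session collections mentioned on this slide are easy to turn into the kind of script the deck advocates. The following is an added example, not code from the deck or from Software Secured: it scans a constructed sample source tree and tags each file with the indicators it matches. The regular expressions are my own approximations of the slide's heuristics, and the sample files are constructed.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Each rule: (label, pattern, whether it applies to the file name or the file body).
# The patterns approximate the indicators on the slides (assumption, not the deck's own list).
RULES = [
    ("file-extension",
     re.compile(r"(\.jsp|\.aspx\.cs|\.master\.cs|\.sql|\.txt)$|DAL\.[A-Za-z]+$"), "name"),
    ("implementation",
     re.compile(r"\bextends\s+(HttpServlet|JAXMServlet)\b"), "body"),
    ("import",
     re.compile(r"^\s*(using|Imports)\s+System\.Data\.SqlClient\b"
                r"|^\s*import\s+javax\.servlet\.http\.", re.M), "body"),
    ("annotation",
     re.compile(r"@(WebMethod|WebService)\b"), "body"),
    # Reads from the request/session collections mark where untrusted data enters.
    ("collection-read",
     re.compile(r"\b(request|session)\.(getParameter|getHeader|getAttribute)\s*\("
                r"|\bRequest\.(Form|QueryString|Cookies)\b"), "body"),
]

SOURCE_SUFFIXES = {".java", ".jsp", ".cs", ".sql", ".txt"}


def classify_file(path: Path) -> list[str]:
    """Return the labels of every rule the file matches, in RULES order."""
    hits: list[str] = []
    body: str | None = None
    for label, pattern, target in RULES:
        if target == "name":
            if pattern.search(path.name):
                hits.append(label)
            continue
        if body is None:
            body = path.read_text(encoding="utf-8", errors="replace")
        if pattern.search(body):
            hits.append(label)
    return hits


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map each source file under root that matches at least one rule to its labels."""
    findings: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in SOURCE_SUFFIXES:
            continue
        hits = classify_file(path)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


# Constructed sample sources (not from any real project), one per indicator plus a control file.
SAMPLE_FILES = {
    "web/EditProfile.jsp": '<%= request.getParameter("email") %>\n',
    "src/ProfileServlet.java": (
        "import javax.servlet.http.*;\n"
        "public class ProfileServlet extends HttpServlet {\n"
        '  protected void doPost(HttpServletRequest request) { String usEmail = request.getParameter("email"); }\n'
        "}\n"),
    "src/UserDAL.cs": "using System.Data.SqlClient;\nclass UserDAL { }\n",
    "src/ReportService.java": '@WebService\npublic class ReportService { @WebMethod public String ping() { return "ok"; } }\n',
    "src/Money.java": "public class Money { int cents; }\n",   # no indicator: not on a boundary
}


def build_sample_tree(root: Path) -> None:
    for rel, text in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text, encoding="utf-8")


def demo() -> dict[str, list[str]]:
    """Write the sample tree to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, hits in demo().items():
        print(f"{rel}: {', '.join(hits)}")
```

Files that match nothing (Money.java here) are left out of the result, which is the point: the reviewer's manual time goes to the files that do.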
Manual Review

(Simplified process diagram with the Manual Review step highlighted.)

What Needs to Be Manually Reviewed?

➡ Authentication & Authorization Controls
➡ Encryption Modules
➡ File Upload and Download Operations
➡ Validation Controls / Input Filters
➡ Security-Sensitive Application Logic
Authentication & Authorization Flaws

(Code screenshots, not recoverable from the extracted text. Annotation on the slide: Web Methods Do Not Follow Regular ASP.NET Page Life Cycle.)
Encryption Flaws

(Code screenshots, not recoverable from the extracted text. Annotations on the slide, in order: Return value is initialized; Classic fail-open scenario.)
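The fail-open pattern the two annotations describe, as an added example that is not the code on the slide: a token check whose result is initialized to the success case and which swallows the exception raised before the comparison runs, next to the fail-closed form. The token format and the HMAC key are constructed for the demo.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # constructed for the example; a real system loads it from a key store


def _expected_mac(payload: str) -> str:
    return hmac.new(SECRET, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def sign(payload: str) -> str:
    """Token format assumed for the demo: '<payload>.<hex HMAC-SHA256>'."""
    return f"{payload}.{_expected_mac(payload)}"


def verify_fail_open(token: str) -> bool:
    """The pattern on the slide: the return value is initialized to the success case,
    and an exception on the way to the check leaves it untouched."""
    valid = True                                   # return value is initialized
    try:
        payload, mac = token.rsplit(".", 1)        # ValueError when the separator is missing
        if not hmac.compare_digest(mac.encode("utf-8"), _expected_mac(payload).encode("utf-8")):
            valid = False
    except ValueError:
        pass                                       # "logged and ignored": the caller still gets True
    return valid


def verify_fail_closed(token: str) -> bool:
    """Same check, but the only way to get True is for the comparison to succeed."""
    try:
        payload, mac = token.rsplit(".", 1)
    except ValueError:
        return False                               # cannot verify means not verified
    return hmac.compare_digest(mac.encode("utf-8"), _expected_mac(payload).encode("utf-8"))
```

A reviewer reading the fail-open version sees the bug in the first line of the function body: whatever the try block does, the default answer is "trusted".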
File Upload/Download Flaws

(Code screenshots, not recoverable from the extracted text. Annotations on the slide, in order:)
• The value gets validated first time around
• File path saved into a hidden field
• File path is not validated on post back
• Path used without validation
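The four annotations describe one bug. The added example below (not the deck's code) replays it: the first request validates the path and writes it into a hidden field, the vulnerable postback trusts the hidden field, and the fixed postback re-validates it against the download root on every request. The page class, the download root and the file names are constructed for the demo.

```python
from __future__ import annotations

import tempfile
from pathlib import Path


def validate_path(base: Path, candidate: str) -> Path | None:
    """Resolve candidate against base and accept it only if it stays inside base."""
    resolved = (base / candidate).resolve()
    try:
        resolved.relative_to(base.resolve())
    except ValueError:
        return None
    return resolved


class DownloadPage:
    """Stand-in for the ASP.NET page on the slide (constructed for this example)."""

    def __init__(self, download_root: Path) -> None:
        self.root = download_root.resolve()

    def first_request(self, requested: str) -> dict[str, str]:
        """The value gets validated the first time around, then saved into a hidden field."""
        resolved = validate_path(self.root, requested)
        if resolved is None:
            raise PermissionError("requested file is outside the download root")
        return {"hidden_path": str(resolved)}    # this is what the browser sends back on postback

    def postback_vulnerable(self, form: dict[str, str]) -> str:
        """The flaw: the hidden field comes back from the client and is used as-is."""
        return Path(form["hidden_path"]).read_text(encoding="utf-8")

    def postback_fixed(self, form: dict[str, str]) -> str:
        """Re-validate on every request; a hidden field is just another untrusted input."""
        resolved = validate_path(self.root, form["hidden_path"])
        if resolved is None:
            raise PermissionError("hidden field points outside the download root")
        return resolved.read_text(encoding="utf-8")


def demo() -> tuple[bool, bool]:
    """Returns (vulnerable handler served a file outside the root, fixed handler refused it)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        downloads = root / "downloads"
        downloads.mkdir()
        (downloads / "report.txt").write_text("quarterly report", encoding="utf-8")
        outside = root / "internal-notes.txt"            # exists on the server, never meant to be served
        outside.write_text("not for download", encoding="utf-8")

        page = DownloadPage(downloads)
        form = page.first_request("report.txt")         # validated; hidden field populated
        assert page.postback_fixed(form) == "quarterly report"

        form["hidden_path"] = str(outside)               # hidden fields are client-controlled
        leaked = page.postback_vulnerable(form) == "not for download"
        try:
            page.postback_fixed(form)
            refused = False
        except PermissionError:
            refused = True
        return leaked, refused


if __name__ == "__main__":
    print(demo())   # (True, True)
```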
Reporting

(Simplified process diagram with the Reporting step highlighted.)

Reporting

➡ Weakness Metadata
➡ Thorough Description
➡ Recommendation
➡ Assign Priority

Example finding:

SQL Injection:
Location: source\ACMEPortal\updateinfo.aspx.cs, lines 51-53
Description: The code below builds a dynamic SQL statement using unvalidated data (i.e. name), which can lead to SQL Injection:

    SqlDataAdapter myCommand = new SqlDataAdapter(
        "SELECT au_lname, au_fname FROM author WHERE au_id = '" +
        SSN.Text + "'", myConnection);

Priority: High
Recommendation: Use parameterized SQL instead of dynamic concatenation; refer to http://msdn.microsoft.com/en-us/library/ff648339.aspx for details.
Owner: John Smith
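The finding's recommendation (parameterized SQL) and the usEmail/sEmail naming convention from the "Making Unsecure Code Look Unsecure" slide, worked through together as an added example that is not the deck's code: unsafe and validated values get distinct types so the convention can be checked, and the sink is parameterized. The author table, the sample rows and the SSN-style au_id format are constructed for this example (the deck's finding reads the value from a field called SSN).

```python
from __future__ import annotations

import re
import sqlite3


class Unsafe(str):
    """A value straight from the request; by the deck's convention its variable is named us*."""


class Safe(str):
    """A value that passed validation; its variable is named s*."""


# Assumed format for au_id (constructed for the example).
AU_ID_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def validate_au_id(us_au_id: Unsafe) -> Safe:
    """The only way to turn an Unsafe value into a Safe one."""
    if not AU_ID_RE.fullmatch(us_au_id):
        raise ValueError("au_id does not match the expected format")
    return Safe(us_au_id)


def dynamic_query(us_au_id: str) -> str:
    """The concatenation from the finding: the value is spliced into the SQL text."""
    return "SELECT au_lname, au_fname FROM author WHERE au_id = '" + us_au_id + "'"


def lookup_author(conn: sqlite3.Connection, s_au_id: Safe) -> list[tuple[str, str]]:
    """The recommended form: a parameterized statement, and the sink refuses unvalidated input."""
    if not isinstance(s_au_id, Safe):
        raise TypeError("lookup_author only accepts a validated (Safe) au_id")
    return conn.execute(
        "SELECT au_lname, au_fname FROM author WHERE au_id = ?", (s_au_id,)
    ).fetchall()


def open_sample_db() -> sqlite3.Connection:
    """In-memory author table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE author (au_id TEXT PRIMARY KEY, au_lname TEXT, au_fname TEXT)")
    conn.executemany("INSERT INTO author VALUES (?, ?, ?)",
                     [("172-32-1176", "White", "Johnson"), ("213-46-8915", "Green", "Marjorie")])
    return conn


def handle_request(conn: sqlite3.Connection, raw_value: str) -> list[tuple[str, str]]:
    """Request handler written to the convention: us* in, validate, s* to the sink."""
    us_au_id = Unsafe(raw_value)
    s_au_id = validate_au_id(us_au_id)
    return lookup_author(conn, s_au_id)


def demo() -> dict[str, object]:
    conn = open_sample_db()
    results: dict[str, object] = {"valid_lookup": handle_request(conn, "172-32-1176")}
    try:                                    # a value with an apostrophe never reaches the sink...
        handle_request(conn, "O'Brien")
        results["apostrophe_rejected"] = False
    except ValueError:
        results["apostrophe_rejected"] = True
    try:                                    # ...whereas the concatenated query cannot even parse it
        conn.execute(dynamic_query("O'Brien"))
        results["dynamic_query_breaks"] = False
    except sqlite3.OperationalError:
        results["dynamic_query_breaks"] = True
    try:                                    # the sink rejects a value that skipped validation
        lookup_author(conn, Unsafe("172-32-1176"))
        results["sink_rejects_unsafe"] = False
    except TypeError:
        results["sink_rejects_unsafe"] = True
    return results
```

In a statically typed language the Safe/Unsafe distinction becomes a compile-time check; in Python the isinstance guard in the sink plays that role.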
Confirmation & PoC

(Screenshots, not recoverable from the extracted text.)
Tools

(Simplified process diagram with the Tools element highlighted.)

Security Code Review Tools

➡ Static Code Analysis
  ➡ Free: FindBugs, PMD, CAT.net, PCLint, etc.
  ➡ Commercial: see the Static Code Tools Evaluation Criteria (WASC)
  ➡ 3rd Party Libraries: DependencyCheck - https://github.com/jeremylong/DependencyCheck
➡ Scripts
Open-Source Static Code Analysis Tools

(Slide of tool logos grouped by language: Java, .NET, C++; the tool names are not recoverable from the extracted text.)
Checklists

(Simplified process diagram with the Checklists element highlighted.)

Usage of checklists

➡ Aviation: checklists led the evolution of modern airplanes after Major Hill's famous 1934 incident
➡ ICU: usage of checklists brought down infection rates in Michigan by 66%
Security Code Review Checklist

➡ Data Validation and Encoding Controls
➡ Encryption Controls
➡ Authentication and Authorization Controls
➡ Session Management
➡ Exception Handling
➡ Auditing and Logging
➡ Security Configurations
Resources To Conduct Your Checklist

➡ NIST Checklist Project - http://checklists.nist.gov/
➡ Mozilla's Secure Coding QA Checklist - https://wiki.mozilla.org/WebAppSec/Secure_Coding_QA_Checklist
➡ Oracle's Secure Coding Checklist - http://www.oracle.com/technetwork/java/seccodeguide-139067.html
Simplified Security Code Review Process (recap)

(Slide diagram: the full process collapsed to the steps below.)

➡ Trust Boundary Identification
➡ OWASP Top 10
➡ Automation
➡ Manual Review
➡ Reporting
➡ Tools
➡ Checklists
QUESTIONS?

@skoussa
sherif.koussa@owasp.org
sherif@softwaresecured.com

Making pentesting sexy ossams - BSidesQuebec2013Making pentesting sexy ossams - BSidesQuebec2013
Making pentesting sexy ossams - BSidesQuebec2013BSidesQuebec2013
 
Investigating at the speed of compromise - BSidesQuebec2013
Investigating at the speed of compromise - BSidesQuebec2013Investigating at the speed of compromise - BSidesQuebec2013
Investigating at the speed of compromise - BSidesQuebec2013BSidesQuebec2013
 
L'information personnelle numérique - BSidesQuebec2013
L'information personnelle numérique - BSidesQuebec2013L'information personnelle numérique - BSidesQuebec2013
L'information personnelle numérique - BSidesQuebec2013BSidesQuebec2013
 
гурткова робота
гурткова роботагурткова робота
гурткова роботаstark-lyuba
 
волонтерський рух
волонтерський рухволонтерський рух
волонтерський рухstark-lyuba
 
Animals salvatges
Animals salvatgesAnimals salvatges
Animals salvatgesGuillem_97
 

Destaque (16)

Project proposal navigator (jadi)
Project proposal navigator (jadi)Project proposal navigator (jadi)
Project proposal navigator (jadi)
 
Ferienwohnungen mallorca
Ferienwohnungen mallorcaFerienwohnungen mallorca
Ferienwohnungen mallorca
 
How to VERISize v2 - BSidesQuebec2013
How to VERISize v2 - BSidesQuebec2013How to VERISize v2 - BSidesQuebec2013
How to VERISize v2 - BSidesQuebec2013
 
Making pentesting sexy ossams - BSidesQuebec2013
Making pentesting sexy ossams - BSidesQuebec2013Making pentesting sexy ossams - BSidesQuebec2013
Making pentesting sexy ossams - BSidesQuebec2013
 
Michalis Bodouroglou-Shipping Industry and Crisis Management
Michalis Bodouroglou-Shipping Industry and Crisis ManagementMichalis Bodouroglou-Shipping Industry and Crisis Management
Michalis Bodouroglou-Shipping Industry and Crisis Management
 
Investigating at the speed of compromise - BSidesQuebec2013
Investigating at the speed of compromise - BSidesQuebec2013Investigating at the speed of compromise - BSidesQuebec2013
Investigating at the speed of compromise - BSidesQuebec2013
 
Manolis Makris-"Kalimera" Cruise Shiping
Manolis Makris-"Kalimera" Cruise ShipingManolis Makris-"Kalimera" Cruise Shiping
Manolis Makris-"Kalimera" Cruise Shiping
 
Tassos Vamvakidis-Piraeus Container Terminal S.A the South East Gate of Europe
Tassos Vamvakidis-Piraeus Container Terminal S.A  the South East Gate of EuropeTassos Vamvakidis-Piraeus Container Terminal S.A  the South East Gate of Europe
Tassos Vamvakidis-Piraeus Container Terminal S.A the South East Gate of Europe
 
L'information personnelle numérique - BSidesQuebec2013
L'information personnelle numérique - BSidesQuebec2013L'information personnelle numérique - BSidesQuebec2013
L'information personnelle numérique - BSidesQuebec2013
 
Pulpo book
Pulpo bookPulpo book
Pulpo book
 
гурткова робота
гурткова роботагурткова робота
гурткова робота
 
10 Greek Maritime Cluster Research Results Recession and Maritime Activities
10 Greek Maritime Cluster Research Results Recession and Maritime Activities10 Greek Maritime Cluster Research Results Recession and Maritime Activities
10 Greek Maritime Cluster Research Results Recession and Maritime Activities
 
волонтерський рух
волонтерський рухволонтерський рух
волонтерський рух
 
Evangelos Achillopoulos a failure... is just a step to success... lessons …
Evangelos Achillopoulos a failure... is just a step to success... lessons …Evangelos Achillopoulos a failure... is just a step to success... lessons …
Evangelos Achillopoulos a failure... is just a step to success... lessons …
 
George Tziralis openfund ii details for prospective entrepreneurs
George Tziralis  openfund ii details for prospective entrepreneursGeorge Tziralis  openfund ii details for prospective entrepreneurs
George Tziralis openfund ii details for prospective entrepreneurs
 
Animals salvatges
Animals salvatgesAnimals salvatges
Animals salvatges
 

Semelhante a Simplified security code review - BSidesQuebec2013

Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review ProcessSherif Koussa
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security TestingTEST Huddle
 
Who owns Software Security
Who owns Software SecurityWho owns Software Security
Who owns Software SecuritydevObjective
 
Better Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous DeliveryBetter Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous DeliveryTechWell
 
Oh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web AppsOh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web AppsTechWell
 
Agnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itAgnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itSecurity BSides London
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application SecurityNicholas Davis
 
Secure Coding for Java - An introduction
Secure Coding for Java - An introductionSecure Coding for Java - An introduction
Secure Coding for Java - An introductionSebastien Gioria
 
2013 06-27-securecoding-en - jug pch
2013 06-27-securecoding-en - jug pch2013 06-27-securecoding-en - jug pch
2013 06-27-securecoding-en - jug pchSébastien GIORIA
 
Secure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSecure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSebastien Gioria
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityAnne Oikarinen
 
Taking Splunk to the Next Level - Manager
Taking Splunk to the Next Level - ManagerTaking Splunk to the Next Level - Manager
Taking Splunk to the Next Level - ManagerSplunk
 
How to develop an AppSec culture in your project
How to develop an AppSec culture in your project How to develop an AppSec culture in your project
How to develop an AppSec culture in your project 99X Technology
 
Measures to ensure Cyber Security in a serverless environment
Measures to ensure Cyber Security in a serverless environmentMeasures to ensure Cyber Security in a serverless environment
Measures to ensure Cyber Security in a serverless environmentFibonalabs
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introductiongbud7
 
Security Monitoring (SPaaS)
Security Monitoring (SPaaS)Security Monitoring (SPaaS)
Security Monitoring (SPaaS)cyberware AI
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an IntroductionPrashanth B. P.
 

Semelhante a Simplified security code review - BSidesQuebec2013 (20)

Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review Process
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security Testing
 
Who owns Software Security
Who owns Software SecurityWho owns Software Security
Who owns Software Security
 
Who Owns Software Security?
Who Owns Software Security?Who Owns Software Security?
Who Owns Software Security?
 
Better Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous DeliveryBetter Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous Delivery
 
Oh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web AppsOh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web Apps
 
Agnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itAgnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know it
 
Web Security
Web SecurityWeb Security
Web Security
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application Security
 
Secure Coding for Java - An introduction
Secure Coding for Java - An introductionSecure Coding for Java - An introduction
Secure Coding for Java - An introduction
 
2013 06-27-securecoding-en - jug pch
2013 06-27-securecoding-en - jug pch2013 06-27-securecoding-en - jug pch
2013 06-27-securecoding-en - jug pch
 
Secure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSecure Coding for Java - An Introduction
Secure Coding for Java - An Introduction
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software Security
 
Taking Splunk to the Next Level - Manager
Taking Splunk to the Next Level - ManagerTaking Splunk to the Next Level - Manager
Taking Splunk to the Next Level - Manager
 
How to develop an AppSec culture in your project
How to develop an AppSec culture in your project How to develop an AppSec culture in your project
How to develop an AppSec culture in your project
 
Building an AppSec Culture
Building an AppSec Culture Building an AppSec Culture
Building an AppSec Culture
 
Measures to ensure Cyber Security in a serverless environment
Measures to ensure Cyber Security in a serverless environmentMeasures to ensure Cyber Security in a serverless environment
Measures to ensure Cyber Security in a serverless environment
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introduction
 
Security Monitoring (SPaaS)
Security Monitoring (SPaaS)Security Monitoring (SPaaS)
Security Monitoring (SPaaS)
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an Introduction
 

Último

From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 

Último (20)

From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 

Simplified security code review - BSidesQuebec2013

  • 15. Why Security Code Reviews Softwar S cur Monday, 3 June, 13
  • 16. Why Security Code Reviews Effectiveness of Security Controls Softwar S cur Monday, 3 June, 13
  • 17. Why Security Code Reviews Exercise all code paths Effectiveness of Security Controls Softwar S cur Monday, 3 June, 13
  • 18. Why Security Code Reviews Exercise all code paths All instances of a vulnerability Effectiveness of Security Controls Softwar S cur Monday, 3 June, 13
  • 19. Why Security Code Reviews Exercise all code paths All instances of a vulnerability Effectiveness of Security Controls Find design flaws Monday, 3 June, 13 Softwar S cur
  • 20. Why Security Code Reviews Exercise all code paths All instances of a vulnerability Find design flaws Remediation Instructions Effectiveness of Security Controls Monday, 3 June, 13 Softwar S cur
  • 21. Effective Security Code Review Process Softwar S cur Monday, 3 June, 13
  • 22. Effective Security Code Review Process ➡ Reconnaissance Softwar S cur Monday, 3 June, 13
  • 23. Effective Security Code Review Process ➡ Reconnaissance ➡ Threat Modeling Softwar S cur Monday, 3 June, 13
  • 24. Effective Security Code Review Process ➡ Reconnaissance ➡ Threat Modeling ➡ Automation Softwar S cur Monday, 3 June, 13
  • 25. Effective Security Code Review Process ➡ Reconnaissance ➡ Threat Modeling ➡ Automation ➡ Manual Review Softwar S cur Monday, 3 June, 13
  • 26. Effective Security Code Review Process ➡ Reconnaissance ➡ Threat Modeling ➡ Automation ➡ Manual Review ➡ Confirmation & Proof-Of-Concept Softwar S cur Monday, 3 June, 13
  • 27. Effective Security Code Review Process ➡ Reconnaissance ➡ Threat Modeling ➡ Automation ➡ Manual Review ➡ Confirmation & Proof-Of-Concept ➡ Reporting Softwar S cur Monday, 3 June, 13
  • 28. Full SCR Process Reconnaissance! Reporting! Threat Modeling! Skills! Checklists! Tools! Confirmation & PoC! Automation! Manual Review! Softwar S cur Monday, 3 June, 13
  • 29. Full SCR Process • Business Goals • Technology Stack • Use Case Scenarios • Network Deployment Reconnaissance! Reporting! Threat Modeling! Skills! Checklists! Tools! Confirmation & PoC! Automation! Manual Review! Softwar S cur Monday, 3 June, 13
  • 30. Full SCR Process • Decompose Application • Attack Surface • Major Security Controls • Business Goals • Technology Stack • Use Case Scenarios • Network Deployment Reconnaissance! Reporting! Threat Modeling! Skills! Checklists! Tools! Confirmation & PoC! Automation! Manual Review! Softwar S cur Monday, 3 June, 13
  • 31. Full SCR Process • Decompose Application • Attack Surface • Major Security Controls • Business Goals • Technology Stack • Use Case Scenarios • Network Deployment Reconnaissance! Reporting! Threat Modeling! Skills! • Low Hanging Fruit • Hot Spots • Missed Functionalities • Abandoned Code Checklists! Tools! Confirmation & PoC! Automation! Manual Review! Softwar S cur Monday, 3 June, 13
  • 32. Full SCR Process • Decompose Application • Attack Surface • Major Security Controls • Business Goals • Technology Stack • Use Case Scenarios • Network Deployment Reconnaissance! Reporting! Threat Modeling! Skills! • Low Hanging Fruit • Hot Spots • Missed Functionalities • Abandoned Code Checklists! Tools! Confirmation & PoC! Automation! Manual Review! • Security Controls • High Profile Code • Custom Rules Softwar S cur Monday, 3 June, 13
  • 33. Full SCR Process • Decompose Application • Attack Surface • Major Security Controls • Business Goals • Technology Stack • Use Case Scenarios • Network Deployment Reconnaissance! Reporting! Threat Modeling! Skills! • Low Hanging Fruit • Hot Spots • Missed Functionalities • Abandoned Code Checklists! Tools! Confirmation & PoC! • Confirmation • Evidences Automation! Manual Review! • Security Controls • High Profile Code • Custom Rules Softwar S cur Monday, 3 June, 13
  • 34. Full SCR Process • Decompose Application • Attack Surface • Major Security Controls • Business Goals • Technology Stack • Use Case Scenarios • Network Deployment Reconnaissance! Reporting! Threat Modeling! Skills! • Risk Rating • Role Based • Remediation Instructions Checklists! Tools! Confirmation & PoC! • Confirmation • Evidences • Low Hanging Fruit • Hot Spots • Missed Functionalities • Abandoned Code Automation! Manual Review! • Security Controls • High Profile Code • Custom Rules Softwar S cur Monday, 3 June, 13
  • 35. Simplified Security Code Review Process Reconnaissance! Reporting! Threat Modeling! Skills! Checklists! Tools! Confirmation & PoC! Automation! Manual Review! Softwar S cur Monday, 3 June, 13
  • 36. Simplified Security Code Review Process Reconnaissance! Reporting! Threat Modeling! Skills! Checklists! Tools! Confirmation & PoC! Automation! Manual Review! Softwar S cur Monday, 3 June, 13
  • 37. Simplified Security Code Review Process Reconnaissance! Reporting! Trust*Boundary* Iden=fica=on* Automation Threat Modeling! Skills! OWASP* Top*10* Checklists! Tools* Tools! Confirmation & PoC! Checklists* Automation! Reporting Manual Review Manual Review! Softwar S cur Monday, 3 June, 13
  • 38. Usages of Simplified Security Code Review ➡ Ideal for Introducing Development Teams To Security Code Reviews Trust*Boundary* Iden=fica=on* Automation OWASP* Top*10* Checklists* Tools* ➡ Crossing The Gap Between Security and Development Teams Reporting Manual Review Softwar S cur Monday, 3 June, 13
  • 39. Skills - OWASP Top 10 Trust*Boundary* Iden=fica=on* ➡ A1 Injection ➡ A2 Broken Authentication and Session Management ➡ A3 Cross-Site Scripting (XSS) ➡ A4 Insecure Direct Object References ➡ A5 Security Misconfiguration ➡ A6 Sensitive Data Exposure ➡ A7 Missing Function Level Access Control ➡ A8 Cross-Site Request Forgery (CSRF) ➡ A9 Using Known Vulnerable Components ➡ A10 Unvalidated Redirects and Forwards Automation OWASP* Top*10* Checklists* Tools* Reporting Manual Review Softwar S cur Monday, 3 June, 13
  • 40. OWASP TOP 10 - 2013 OWASP TOP 10 - 2010 A1. Injection A2. Cross-Site Scripting A3. Broken Authentication and Session Management A4. Insecure Direct Object References A5. Cross-Site Request Forgery A6. Security Misconfiguration A7. Insecure Cryptographic Storage A8. Failure to Restrict URL Access A9. Insufficient Transport Layer Protection A10. Unvalidated Redirects and Forwards 2010 Monday, 3 June, 13 Modified New Softwar S cur
  • 41. OWASP TOP 10 - 2013 OWASP TOP 10 - 2010 A1. Injection A1. Injection A2. Cross-Site Scripting A2. Broken Authentication and Session Management A3. Broken Authentication and Session Management A3. Cross-Site Scripting A4. Insecure Direct Object References A4. Insecure Direct Object References A5. Cross-Site Request Forgery A5. Security Misconfiguration A6. Security Misconfiguration A6. Sensitive Data Exposure A7. Insecure Cryptographic Storage A7. Missing Function Level Access Control A8. Failure to Restrict URL Access A8. Cross-Site Request Forgery A9. Insufficient Transport Layer Protection A9. Using Known Vulnerable Components A10. Unvalidated Redirects and Forwards A10. Unvalidated Redirects and Forwards 2010 Monday, 3 June, 13 Modified New Softwar S cur
  • 42. Veracode Report - 2011 OWASP TOP 10 - 2013 A1. Injection A3 A2. Broken Authentication and Session Management A6 A3. Cross-Site Scripting A3 A4. Insecure Direct Object References A6 A4 A5. Security Misconfiguration A1 A3 A1 A6. Sensitive Data Exposure A9 A7. Missing Function Level Access Control A2 A8. Cross-Site Request Forgery A9. Using Known Vulnerable Components A9 A10. Unvalidated Redirects and Forwards 2010 Monday, 3 June, 13 Modified New Softwar S cur
  • 43. Trustwave Report - 2013 OWASP TOP 10 - 2013 A1. Injection A2. Broken Authentication and Session Management A3. Cross-Site Scripting A1 A4. Insecure Direct Object References A4 A5. Security Misconfiguration A3 A7 A6. Sensitive Data Exposure A8 A1 A7. Missing Function Level Access Control A4 A10 A8. Cross-Site Request Forgery A9 A9. Using Known Vulnerable Components A10. Unvalidated Redirects and Forwards 2010 Monday, 3 June, 13 Modified New Softwar S cur
  • 44. Whitehat Report - 2012 OWASP TOP 10 - 2013 A1. Injection A3 A2. Broken Authentication and Session Management A6 A3. Cross-Site Scripting A3 A4. Insecure Direct Object References A4 A7 A5. Security Misconfiguration A7 A4 A7 A6. Sensitive Data Exposure A4 A7. Missing Function Level Access Control A1 A8. Cross-Site Request Forgery A2 A9. Using Known Vulnerable Components A2 A10. Unvalidated Redirects and Forwards 2010 Monday, 3 June, 13 Modified New Softwar S cur
  • 46-52. Trust Boundary - Example (architecture diagram, repeated across seven build-up slides): clients Browser, Mobile Client and SOAP Client over the Internet; application components Front Controller, Admin Front Controller, View, Web Services, Business Objects and Data Access Layer; back-end stores DB, LDAP and File System on the LAN.
  • 53-62. Trust Boundary - OWASP Top 10 (the example diagram annotated, one item per slide, with where each OWASP Top 10 2013 entry applies)
      ➡ A1 Injection
      ➡ A2 Broken Authentication and Session Management
      ➡ A3 Cross-Site Scripting (XSS)
      ➡ A4 Insecure Direct Object References
      ➡ A5 Security Misconfiguration
      ➡ A6 Sensitive Data Exposure
      ➡ A7 Missing Function Level Access Control
      ➡ A8 Cross-Site Request Forgery (CSRF)
      ➡ A9 Using Known Vulnerable Components
      ➡ A10 Unvalidated Redirects and Forwards
  • 63-68. How Can You Identify Trust Boundary?
      ➡ File Extensions: *.jsp, *.aspx.cs, *.sql, *.txt, *DAL.*, etc
      ➡ Implementations: HttpServlet, JAXMServlet, *.master.cs, etc
      ➡ Imports: Import System.Data.SqlClient, import javax.servlet.http.*, etc
      ➡ Tools: Spiders' output
      ➡ Annotations: @WebMethods, @WebService
  • 69. Making Unsecure Code Look Unsecure - cc/Joel Spolsky
      ➡ Physical Source Code Separation.
      ➡ File Naming Scheme:
        ➡ Trust Boundary Safe: tbsProcessNameChange.java
        ➡ Trust Boundary UnSafe: tbuEditProfile.jsp
      ➡ Variable Naming Convention:
        ➡ String usEmail = Request.getParameter("email");
        ➡ String sEmail = Validate(Request.getParameter("email"));
  • 71. Automation - Static Code Analysis
      Pros                   Cons
      Scales Well            False Positives
      Low Hanging Fruit      Application Logic Issues
      Could Be Customized    Collections / Frameworks
  • 72. Scripts
      ➡ Complement Static Code Analysis Tools.
      ➡ 3rd Party Libraries Discovery.
      ➡ Data Input Sources (e.g. web services)
      ➡ Tracing Data Through Collections (e.g. Session, Request, Collection)
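The kind of script these slides have in mind, as an added example that is not the deck's own tooling: it applies the trust-boundary indicators from slides 63-68 and the us*/s* naming convention from slide 69 to a constructed set of source files. The file contents, the regexes wrapped around the slide's values and the Validate(...) convention are assumptions.

```python
"""Added example, not the deck's own tooling: the trust-boundary indicators from
slides 63-68 and slide 69's us*/s* naming convention as a script, run over a
constructed in-memory set of source files. Regexes around the slide values are assumptions."""
import re
from fnmatch import fnmatch

BOUNDARY_GLOBS = ["*.jsp", "*.aspx.cs", "*.sql", "*.txt", "*DAL.*", "*.master.cs"]
IMPLEMENTATIONS = r"\bextends\s+(HttpServlet|JAXMServlet)\b"
IMPORTS = r"^\s*(import|Imports|using)\s+(System\.Data\.SqlClient|javax\.servlet\.http)"
ANNOTATIONS = ["@WebMethod", "@WebService"]  # "@WebMethod" also matches the slide's "@WebMethods"
UNSAFE_VAR = re.compile(r"\b(us[A-Z]\w*)\b")  # us* = untrusted input, s* = validated value

def classify(path, text):
    """Indicator tags that place this file on a trust boundary ([] if none)."""
    tags = []
    if any(fnmatch(path.rsplit("/", 1)[-1], g) for g in BOUNDARY_GLOBS):
        tags.append("extension")
    if re.search(IMPLEMENTATIONS, text):
        tags.append("implementation")
    if re.search(IMPORTS, text, re.M):
        tags.append("import")
    if any(a in text for a in ANNOTATIONS):
        tags.append("annotation")
    return tags

def find_trust_boundary(files):
    """Map path -> tags for every file carrying at least one indicator."""
    return {p: t for p, t in ((p, classify(p, s)) for p, s in files.items()) if t}

def unvalidated_uses(text):
    """(line, name) pairs where a us*-prefixed variable is used anywhere other than
    inside Validate(...); the declaring assignment is not a use and is skipped."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in UNSAFE_VAR.finditer(line):
            if line[m.end():].lstrip().startswith("="):
                continue
            if not re.search(r"Validate\([^)]*\b%s\b" % m.group(1), line):
                hits.append((n, m.group(1)))
    return hits

# Constructed sample checkout (not from any real project).
SAMPLE = {
    "web/tbuEditProfile.jsp": '<%= request.getParameter("email") %>',
    "web/LoginServlet.java": "import javax.servlet.http.*;\nclass LoginServlet extends HttpServlet {}",
    "svc/UserService.java": "@WebService\nclass UserService { @WebMethod String get() { return \"\"; } }",
    "dal/UserDAL.cs": "using System.Data.SqlClient;\nclass UserDAL {}",
    "core/PriceCalculator.java": "class PriceCalculator { int tax(int p) { return p / 10; } }",
}
SAMPLE_JAVA = 'String usEmail = Request.getParameter("email");\nString sEmail = Validate(usEmail);\nsendMail(usEmail);\nsendMail(sEmail);'
```

Running `find_trust_boundary(SAMPLE)` tags four of the five files and leaves the pure business class out; `unvalidated_uses(SAMPLE_JAVA)` reports only the `sendMail(usEmail)` line.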
  • 74. What Needs to Be Manually Reviewed?
      ➡ Authentication & Authorization Controls
      ➡ Encryption Modules
      ➡ File Upload and Download Operations
      ➡ Validation Controls / Input Filters
      ➡ Security-Sensitive Application Logic
  • 77-78. Authentication & Authorization Flaws (code screenshot, annotated): Web Methods Do Not Follow Regular ASP.NET Page Life Cycle
  • 79-84. Encryption Flaws (code screenshot, annotated step by step): Return value is initialized; Classic fail-open scenario
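The fail-open shape those annotations point at, as an added example that is not the deck's code: a verification result initialised to the success value survives any exception raised inside the try block. The HMAC tag check and the constructed key stand in for whatever the slide's screenshot verified and are assumptions.

```python
"""Added example, not the deck's code: the pattern the annotated slides describe
(a result variable initialised to the success value, so an exception leaves it
standing) beside the fail-closed version a reviewer should ask for. The HMAC tag
check and the constructed key are assumptions standing in for the slide's code."""
import base64
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; real code loads keys from a secret store

def make_tag(message: bytes) -> str:
    """Base64 HMAC-SHA256 tag, the value a peer would send back with the message."""
    return base64.b64encode(hmac.new(KEY, message, hashlib.sha256).digest()).decode()

def verify_fail_open(message: bytes, tag_b64: str) -> bool:
    """Flawed shape: is_valid starts as True, so a malformed tag that raises inside
    the try block is swallowed and the caller is told the check passed."""
    is_valid = True
    try:
        expected = hmac.new(KEY, message, hashlib.sha256).digest()
        is_valid = hmac.compare_digest(expected, base64.b64decode(tag_b64, validate=True))
    except Exception:
        pass  # logged-and-ignored in the original; the initial True is what gets returned
    return is_valid

def verify_fail_closed(message: bytes, tag_b64: str) -> bool:
    """Fix: the result starts as False and only a successful comparison flips it;
    a decoding error is a failed check, not a skipped one."""
    is_valid = False
    try:
        expected = hmac.new(KEY, message, hashlib.sha256).digest()
        is_valid = hmac.compare_digest(expected, base64.b64decode(tag_b64, validate=True))
    except (ValueError, TypeError):
        is_valid = False
    return is_valid

if __name__ == "__main__":
    msg, good = b"amount=10", make_tag(b"amount=10")
    print("valid tag    :", verify_fail_open(msg, good), verify_fail_closed(msg, good))
    print("malformed tag:", verify_fail_open(msg, "!!not-base64!!"), verify_fail_closed(msg, "!!not-base64!!"))
```

Both versions agree on a valid tag and on a tampered message; they differ only when the tag cannot even be decoded, which is exactly the case the initialised return value hides.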
  • 85-90. File Upload/Download Flaws (code screenshot, annotated step by step): The value gets validated first time around; File path saved into a hidden field; File path is not validated on post back; Path used without validation
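The four annotations above as a two-request simulation, added here and not taken from the deck: the first request validates the path and echoes it into a hidden field, and the postback either trusts that field as-is or validates it again. Handler names, the form dictionaries and the upload root are assumptions; nothing touches the real file system.

```python
"""Added example, not the deck's code: the hidden-field round trip from the annotated
slides as a two-request simulation. The handler names, the form dictionaries and
the upload root are assumptions; nothing touches the real file system."""
import posixpath

UPLOAD_ROOT = "/srv/uploads"  # assumed root that every served path must stay inside

def validate_path(user_path: str) -> str:
    """Resolve user_path under UPLOAD_ROOT and refuse anything that escapes it."""
    full = posixpath.normpath(posixpath.join(UPLOAD_ROOT, user_path))
    if posixpath.commonpath([UPLOAD_ROOT, full]) != UPLOAD_ROOT:
        raise ValueError("path escapes upload root: %r" % user_path)
    return full

def first_request(form: dict) -> dict:
    """First round trip (slide 87): validate, then echo the path into a hidden field."""
    validate_path(form["path"])
    return {"hfPath": form["path"]}  # slide 88: travels to the client and back

def postback_vulnerable(form: dict) -> str:
    """Slides 89-90: the hidden field is used as-is, so a tampered value is served."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, form["hfPath"]))

def postback_fixed(form: dict) -> str:
    """Fix: anything that came back from the client is input; validate it again."""
    return validate_path(form["hfPath"])

if __name__ == "__main__":
    hidden = first_request({"path": "reports/q1.pdf"})
    tampered = {"hfPath": "../../etc/passwd"}  # constructed: client edited the hidden field
    print(postback_vulnerable(hidden), postback_vulnerable(tampered))
    try:
        postback_fixed(tampered)
    except ValueError as e:
        print("rejected:", e)
```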
  • 92. Reporting
      ➡ Weakness Metadata
      ➡ Thorough Description
      ➡ Recommendation
      ➡ Assign Priority
      Sample finding:
      SQL Injection
      Location: source\ACMEPortal\updateinfo.aspx.cs:
        51 SqlDataAdapter myCommand = new SqlDataAdapter(
        52     "SELECT au_lname, au_fname FROM author WHERE au_id = '" +
        53     SSN.Text + "'", myConnection);
      Description: The code above builds a dynamic SQL statement using unvalidated data (i.e. name), which can lead to SQL Injection.
      Priority: High
      Recommendation: Use parameterized SQL instead of dynamic concatenation; refer to http://msdn.microsoft.com/en-us/library/ff648339.aspx for details.
      Owner: John Smith
  • 93-96. Confirmation & PoC (screenshots)
  • 98. Security Code Review Tools
      ➡ Static Code Analysis
        ➡ Free: (FindBugs, PMD, CAT.net, PCLint, etc)
        ➡ Commercial: (Static Code Tools Evaluation Criteria - WASC)
        ➡ 3rd Party Libraries: (DependencyCheck - https://github.com/jeremylong/DependencyCheck)
      ➡ Scripts
  • 99. Open-Source Static Code Analysis Tools (tool logos grouped by platform: Java, .NET, C++)
  • 101. Usage of checklists
      ➡ Aviation: led the evolution of modern airplanes after Major Hill's famous 1934 incident
      ➡ ICU: usage of checklists brought down infection rates in Michigan by 66%
  • 102. Security Code Review Checklist
      ➡ Data Validation and Encoding Controls
      ➡ Encryption Controls
      ➡ Authentication and Authorization Controls
      ➡ Session Management
      ➡ Exception Handling
      ➡ Auditing and Logging
      ➡ Security Configurations
  • 103. Resources To Conduct Your Checklist
      ➡ NIST Checklist Project - http://checklists.nist.gov/
      ➡ Mozilla's Secure Coding QA Checklist - https://wiki.mozilla.org/WebAppSec/Secure_Coding_QA_Checklist
      ➡ Oracle's Secure Coding Checklist - http://www.oracle.com/technetwork/java/seccodeguide-139067.html
  • 104. Simplified Security Code Review Process (flow diagram). Steps: Reconnaissance, Automation, Manual Review, Confirmation & PoC, Reporting. Supporting inputs shown around the steps: Trust Boundary Identification, Threat Modeling, OWASP Top 10, Checklists, Tools, Skills.