3. Bio
Principal Consultant @ SoftwareSecured
Timeline: 2007, 2009, 2011, 2013
✓ Application Security Assessment
✓ Application Security Assurance Program Implementation
✓ Application Security Training
SoftwareSecured
Monday, 3 June, 13
14. What IS Security Code Review?
➡ The Inspection of Source Code to Find Security Weaknesses
➡ Integrated Activity into the Software Development Lifecycle
➡ Cross-Team Integration
  ➡ Development Teams
  ➡ Security Teams
  ➡ Project Risk Management
➡ Systematic Approach to Uncover Security Flaws
20. Why Security Code Reviews
➡ Exercise all code paths
➡ All instances of a vulnerability
➡ Find design flaws
➡ Remediation Instructions
➡ Effectiveness of Security Controls
38. Usages of Simplified Security Code Review
➡ Ideal for Introducing Development Teams To Security Code Reviews
➡ Crossing The Gap Between Security and Development Teams
[Diagram: components of the simplified security code review: Trust Boundary Identification, OWASP Top 10, Checklists, Tools, Automation, Manual Review, Reporting]
39. Skills - OWASP Top 10
➡ A1 Injection
➡ A2 Broken Authentication and Session Management
➡ A3 Cross-Site Scripting (XSS)
➡ A4 Insecure Direct Object References
➡ A5 Security Misconfiguration
➡ A6 Sensitive Data Exposure
➡ A7 Missing Function Level Access Control
➡ A8 Cross-Site Request Forgery (CSRF)
➡ A9 Using Known Vulnerable Components
➡ A10 Unvalidated Redirects and Forwards
[Diagram: the same review components as on the previous slide (Trust Boundary Identification, OWASP Top 10, Checklists, Tools, Automation, Manual Review, Reporting), with OWASP Top 10 highlighted]
41. OWASP TOP 10 - 2010 vs OWASP TOP 10 - 2013
OWASP TOP 10 - 2010                      | OWASP TOP 10 - 2013
A1. Injection                            | A1. Injection
A2. Cross-Site Scripting                 | A2. Broken Authentication and Session Management
A3. Broken Authentication and            | A3. Cross-Site Scripting
    Session Management                   |
A4. Insecure Direct Object References    | A4. Insecure Direct Object References
A5. Cross-Site Request Forgery           | A5. Security Misconfiguration
A6. Security Misconfiguration            | A6. Sensitive Data Exposure
A7. Insecure Cryptographic Storage       | A7. Missing Function Level Access Control
A8. Failure to Restrict URL Access       | A8. Cross-Site Request Forgery
A9. Insufficient Transport Layer         | A9. Using Known Vulnerable Components
    Protection                           |
A10. Unvalidated Redirects and Forwards  | A10. Unvalidated Redirects and Forwards
(Legend: Modified, New)
42. Veracode Report - 2011
[Figure: findings of the Veracode 2011 report mapped against the OWASP TOP 10 - 2013 list (A1-A10); legend: Modified, New, 2010]
43. Trustwave Report - 2013
[Figure: findings of the Trustwave 2013 report mapped against the OWASP TOP 10 - 2013 list (A1-A10); legend: Modified, New, 2010]
44. Whitehat Report - 2012
[Figure: findings of the Whitehat 2012 report mapped against the OWASP TOP 10 - 2013 list (A1-A10); legend: Modified, New, 2010]
52. Trust Boundary - Example
[Diagram, built up over slides 46-52. Components: Browser (Internet), Mobile Client / SOAP Client, Browser (LAN), Admin Front Controller, Front Controller, Web Services, View, Business Objects, Data Access Layer, DB, LDAP, File System (LAN)]
62. Trust Boundary - OWASP Top 10
➡ A1 Injection
➡ A2 Broken Authentication and Session Management
➡ A3 Cross-Site Scripting (XSS)
➡ A4 Insecure Direct Object References
➡ A5 Security Misconfiguration
➡ A6 Sensitive Data Exposure
➡ A7 Missing Function Level Access Control
➡ A8 Cross-Site Request Forgery (CSRF)
➡ A9 Using Known Vulnerable Components
➡ A10 Unvalidated Redirects and Forwards
[Diagram, built up over slides 53-62: the Trust Boundary example (Browser, Mobile Client / SOAP Client, Admin Front Controller, Front Controller, Web Services, View, Business Objects, Data Access Layer, DB, LDAP, File System) with the OWASP Top 10 labels A1-A10 placed at the components where each weakness class is reviewed]
68. How Can You Identify Trust Boundary?
➡ File Extensions: *.jsp, *.aspx.cs, *.sql, *.txt, *DAL.*, etc
➡ Implementations: HttpServlet, JAXMServlet, *.master.cs, etc
➡ Imports: Import System.Data.SqlClient, import javax.servlet.http.*, etc
➡ Tools: Spiders’ output
➡ Annotations: @WebMethods, @WebService
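The indicators above can be turned into a first-pass triage script that tells a reviewer which files sit on a trust boundary before any manual reading starts. The following is an added example, not code from the deck or from SoftwareSecured: it applies the five indicator kinds (file extensions, implementations, imports, spider output, annotations) to a small in-memory source tree. The sample files, the spider output and the scoring order are constructed for this example; the indicator lists are the ones on the slide.

```python
"""Heuristic trust-boundary finder for a security code review (added example)."""
import fnmatch
import re

# Indicator sets from the slide.
EXTENSION_PATTERNS = ["*.jsp", "*.aspx.cs", "*.sql", "*.txt", "*DAL.*"]
IMPLEMENTATION_MARKERS = ["HttpServlet", "JAXMServlet"]
MASTER_PAGE_PATTERN = "*.master.cs"
IMPORT_MARKERS = ["System.Data.SqlClient", "javax.servlet.http"]

# One regex covers Java `import`, C# `using` and VB.NET `Imports` statements.
IMPORT_RE = re.compile(r"^\s*(?:import|using|Imports)\s+([\w.]+)", re.M)
# The slide writes @WebMethods; the Java annotation is @WebMethod, so accept both.
ANNOTATION_RE = re.compile(r"(@Web(?:Methods?|Service))\b")

# Constructed sample tree: path -> file content (not a real project).
SAMPLE_TREE = {
    "src/web/LoginServlet.java":
        "import javax.servlet.http.*;\n"
        "public class LoginServlet extends HttpServlet { }\n",
    "src/web/updateinfo.aspx.cs":
        "using System.Data.SqlClient;\n"
        "public partial class UpdateInfo : System.Web.UI.Page { }\n",
    "src/ws/AccountService.java":
        "import javax.jws.WebService;\n"
        "@WebService\npublic class AccountService {\n"
        "  @WebMethod public String balance() { return \"\"; }\n}\n",
    "src/dal/CustomerDAL.cs":
        "using System.Data.SqlClient;\nclass CustomerDAL { }\n",
    "src/util/StringHelper.java":
        "public class StringHelper { }\n",
}
# Constructed spider output: URL paths a crawler reported as reachable.
SPIDER_OUTPUT = ["/updateinfo.aspx"]


def classify_file(path, content, spider_paths=()):
    """Return the indicator reasons marking `path` as touching a trust boundary."""
    reasons = []
    name = path.rsplit("/", 1)[-1]
    for pat in EXTENSION_PATTERNS:
        if fnmatch.fnmatch(name, pat):
            reasons.append(f"extension:{pat}")
    if fnmatch.fnmatch(name, MASTER_PAGE_PATTERN):
        reasons.append("implementation:master page")
    for marker in IMPLEMENTATION_MARKERS:
        if re.search(rf"extends\s+{marker}\b", content):
            reasons.append(f"implementation:{marker}")
    for m in IMPORT_RE.finditer(content):
        for marker in IMPORT_MARKERS:
            if m.group(1).startswith(marker):
                reasons.append(f"import:{marker}")
    for m in ANNOTATION_RE.finditer(content):
        reasons.append(f"annotation:{m.group(1)}")
    for url in spider_paths:
        # A crawled page such as /updateinfo.aspx points at updateinfo.aspx.cs.
        if name.startswith(url.rsplit("/", 1)[-1]):
            reasons.append(f"spider:{url}")
    return list(dict.fromkeys(reasons))  # drop duplicates, keep order


def find_trust_boundaries(tree, spider_paths=()):
    """Rank files by the number of boundary indicators they match (most first)."""
    hits = []
    for path, content in tree.items():
        reasons = classify_file(path, content, spider_paths)
        if reasons:
            hits.append((path, reasons))
    return sorted(hits, key=lambda h: (-len(h[1]), h[0]))


if __name__ == "__main__":
    for path, reasons in find_trust_boundaries(SAMPLE_TREE, SPIDER_OUTPUT):
        print(f"{path}: {', '.join(reasons)}")
```

Files that match several indicators at once (a page code-behind that also imports the SQL client and shows up in the spider output) are the ones to read first; files with no hit, such as the string helper, are still reviewed, just later.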
90. File Upload/Download Flaws
➡ The value gets validated the first time around
➡ File path saved into a hidden field
➡ File path is not validated on post back
➡ Path used without validation
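The four steps above describe one flaw: a value that was validated once is later read back from a hidden field and trusted. The following added example (not code from the deck or from SoftwareSecured) models the two requests in Python so the vulnerable and the fixed post-back handlers can be compared. The base directory, the form dictionary and the file names are constructed for this example.

```python
"""Hidden-field file path on post back: the flaw and its fix (added example)."""
import posixpath

# Constructed: the only directory downloads may be served from.
BASE_DIR = "/srv/app/downloads"


def is_within_base(base, candidate):
    """True if `candidate` normalises to a location under `base`.

    posixpath.join discards `base` when `candidate` is absolute, and normpath
    collapses any `..` segments, so both escape routes end up outside `base`.
    """
    full = posixpath.normpath(posixpath.join(base, candidate))
    return full == base or full.startswith(base.rstrip("/") + "/")


def first_request(form, chosen):
    """Step 1: the chosen path is validated once and stored in a hidden field."""
    if not is_within_base(BASE_DIR, chosen):
        raise ValueError("path outside download directory")
    form["filepath"] = chosen  # rendered into the page as a hidden input
    return form


def postback_vulnerable(form):
    """Step 2 as on the slide: the hidden field is used without validation."""
    return posixpath.normpath(posixpath.join(BASE_DIR, form["filepath"]))


def postback_fixed(form):
    """Step 2 fixed: a hidden field crosses the trust boundary again, so re-validate."""
    chosen = form.get("filepath", "")
    if not is_within_base(BASE_DIR, chosen):
        raise ValueError("path outside download directory")
    return posixpath.normpath(posixpath.join(BASE_DIR, chosen))


if __name__ == "__main__":
    form = first_request({}, "reports/q1.pdf")
    print("post back (fixed):", postback_fixed(form))
    form["filepath"] = "../../etc/hosts"  # hidden field edited between the two requests
    print("post back (vulnerable):", postback_vulnerable(form))
```

The review question for any hidden field, cookie or URL parameter is the same: where is it validated on the request that actually uses it? A stronger design stores the validated path server-side and puts only an opaque key in the hidden field, so there is nothing for the client to edit.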
92. Reporting
➡ Weakness Metadata
➡ Thorough Description
➡ Recommendation
➡ Assign Priority
Example finding:
SQL Injection:
Location: sourceACMEPortalupdateinfo.aspx.cs:
Description: The code below builds a dynamic SQL statement using unvalidated data (i.e. name), which can lead to SQL Injection
    SqlDataAdapter myCommand = new SqlDataAdapter(
        "SELECT au_lname, au_fname FROM author WHERE au_id = '" +
        SSN.Text + "'", myConnection);
Priority: High
Recommendation: Use parameterized SQL instead of dynamic concatenation, refer to http://msdn.microsoft.com/en-us/library/ff648339.aspx for details.
Owner: John Smith
101. Usage of checklists
➡ Aviation: led the modern airplanes evolution after Major Hill’s famous 1934 incident
➡ ICU: usage of checklists brought down infection rates in Michigan by 66%
102. Security Code Review Checklist
➡ Data Validation and Encoding Controls
➡ Encryption Controls
➡ Authentication and Authorization Controls
➡ Session Management
➡ Exception Handling
➡ Auditing and Logging
➡ Security Configurations
103. Resources To Conduct Your Checklist
➡ NIST Checklist Project - http://checklists.nist.gov/
➡ Mozilla’s Secure Coding QA Checklist - https://wiki.mozilla.org/WebAppSec/Secure_Coding_QA_Checklist
➡ Oracle’s Secure Coding Checklist - http://www.oracle.com/technetwork/java/seccodeguide-139067.html