Secure Code Reviews

Marco Morana
Senior Consultant
Foundstone, A Division of McAfee

33rd CSI Conference, DEV-7, November 7th, 2006
Orlando, Florida
Agenda
• Introduction
   – What Secure Code Reviews Are Not
   – Why We Need Secure Code Reviews?
   – Code Reviews
• Concepts and Strategies
   – Secure Code Reviews in the SDLC
   – Threat Modeling
   – Methodology
   – Coding Mistakes
   – Tools
• Tips And Tricks
• Resources

Disclaimers
Secure code reviews are not:
1. A stand-alone activity separate from the SDLC
2. A process that just relies on tools:
   – Managed programming languages
   – Automated code analysis
3. A method to certify code as unattackable
   – Code that has not been scrutinized by security experts
   – False sense of security (i.e. false negatives)


Why we need secure code reviews?
1. Compliance with governing policies
2. Assurance that code follows security best practices
3. Security assessment before releasing to QA and production
4. Measurement of the adequacy of security controls to mitigate known threats

Code Reviews
• One to One (peer to peer)
     – Part of the sign-off before handing off to QA
     – Integrated with the check-in process
• Group (team-driven)
     – Advantage of many eyeballs
     – Team members take different roles
Both need preparation and organization

Code Reviews - Team Code Review Approach
• Optimal scenario: a team of 4 people in a conference room with a whiteboard and projector
• Team Roles
     – Lead Reviewer
     – Narrator
     – Author
     – Subject Matter Experts

Secure Code Reviews in the SDLC




Code reviews in the Software Security Life Cycle
The economics of security defects




Methodology – Secure Code Review Process
1. Build a Threat Model
   – Identify, evaluate and mitigate risks for the particular application
2. Build an Attack Plan
   – Prioritize threats based on criticality
   – Map threats to code artifacts
   – Determine which high-risk areas to focus the effort on, based on available man-hours and cost
3. Code Review
   – Document each vulnerability as a bug or a flaw
   – Review each section of the code against the vulnerability categories

What Is Threat Modeling?
• Goal: Identify the threats against the system and the appropriate countermeasures to mitigate the risk they pose
• Model the system as an attacker would see it:
           • Where are the entry points?
           • Which assets are targets?
• Recognize the attacker’s advantage and the defender’s dilemma:
           • Developers need to get the code 100% correct, 100% of the time, with limited resources and development time
           • Attackers need to find just one hole and can spend as much time finding it as they want

Methodology - Secure Code Reviews Best Practices
• Have clear goals
    – Tactical and strategic scenarios (e.g. new release vs. production)
    – Be specific about what must be accomplished
• Decide which analysis style works best
    – Depth-first vs. breadth-first approach
• Prioritize and simplify
    – Prioritize based upon critical areas
    – Break down system complexity
• Be methodical
    – Annotate the code you are reviewing (e.g. comments, IDE task lists)
    – Use checklists


Methodology - Secure Code Reviews
• Reduce complexity
     – Threat modeling
     – Rapid scan
• Review critical sections of the code
     – Correlate and annotate
     – Use IDE tools (e.g. Visual Studio, Eclipse)
• Categorize security defects
     – Threat categorization
     – Checklists
     – Bugs vs. flaws

Methodology - Security Defects Categorization
Security defects can be categorized as:
• Security Bugs
   – An implementation-level software security problem (e.g. buffer overflows, SQL injection)
• Security Flaws
   – A design-level software security problem (e.g. an insecure authorization model or data access layer)

Methodology - Threat Categorization
Code is insecure because of the following threats:
• STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege
Code is secured by mapping threats to security controls:
• CIA: Confidentiality, Integrity, Availability



Methodology - Security Frame Categorization
• Configuration Management
    – Issues stemming from insecure deployment and administration
• Data Protection in Storage and Transit
    – Lack of adequate protection for secrets and other sensitive data
• Authentication
    – Lack of strong protocols to verify the identity of a component outside the trust boundary
• Authorization
    – Lack of mechanisms to enforce access controls on protected resources within the system



Methodology – Security Frame Categorization
• User and Session Management
    – Lack of mechanisms to maintain session independence between multiple logged-on users, and insecure user provisioning and de-provisioning policies
• Data Validation
    – Lack of input and output validation when data crosses system or trust boundaries
• Error Handling and Exception Management
    – Failure to deal with exceptions effectively and in a secure manner, resulting in unauthorized disclosure of information
• Logging and Auditing
    – Failure to maintain detailed and accurate application logs that allow for traceability and non-repudiation



Methodology - Secure Code Review Findings
• Sections:
     – Bug vs. Flaw
     – Threat Categorization
     – Risk Rating
     – Module and LOC range
     – Code Snippet
     – Commendation or Recommendation
• Recommendations are often not limited to the code but also cover the design and the deployment environment!

Coding Mistakes - Configuration Management
# credentials for the application database
# (the database password is stored in cleartext in a deployed properties file)
datasource.name=jdbc_1
datasource.url=jdbc:oracle:thin:@dhs:1521:ORA1
datasource.classname=oracle.jdbc.driver.OracleDriver
datasource.username=scott
datasource.password=tiger




Coding Mistakes - Configuration Management
<pages validateRequest="false"/>
<!-- DYNAMIC DEBUG COMPILATION -->
<compilation defaultLanguage="c#" debug="true"/>
<!-- CUSTOM ERROR MESSAGES -->
<customErrors mode="Off"/>
<!-- APPLICATION-LEVEL TRACE LOGGING -->
<trace enabled="true" requestLimit="10" pageOutput="true"
       traceMode="SortByTime" localOnly="false"/>



Coding Mistakes - Data Protection in Storage and Transit
// symmetric key hard-coded in the source and shipped inside the binary
final public static byte key[] =
    {(byte) 0x31, (byte) 0xAB, (byte) 0x05, (byte) 0xF7,
     (byte) 0x45, (byte) 0x65, (byte) 0x98, (byte) 0xAB};

try
{
    encryptor.setKey(key);
    plainText = new String(encryptor.decrypt(text));
}
catch (Throwable te)
{
    […]
}



Coding Mistakes - Data Protection in Storage and Transit
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public static String digest(String password) throws NoSuchAlgorithmException {
    // unsalted MD5: identical passwords always produce identical digests
    MessageDigest md5 = MessageDigest.getInstance("MD5");
    byte[] hash = md5.digest(password.getBytes());
    return makeStringFromBytes(hash);
}

public static String makeStringFromBytes(byte[] bytes) {
    String result = "";
    for (int i = 0; i < bytes.length; ++i) {
        int n = bytes[i]; // Java bytes are signed: values above 0x7F become negative ints
        result = result + " " + Integer.toHexString(n);
    }
    return result;
}
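An added example, not from the deck, written in Python rather than the slide's Java: it reproduces what the slide's digest() and makeStringFromBytes() actually compute (unsalted MD5, and a hex conversion that sign-extends bytes above 0x7F and does not zero-pad), next to the hardened form a reviewer would recommend: a per-password random salt, an iterated PBKDF2-HMAC-SHA256 hash, canonical hex, and a constant-time comparison. Function names and the storage format are my own.

```python
import hashlib
import hmac
import os


def weak_digest(password: str) -> str:
    """What the slide's digest() does: unsalted MD5, so two users with the
    same password get the same digest and precomputed tables apply."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def java_style_hex(data: bytes) -> str:
    """Reproduce the slide's makeStringFromBytes(): Java bytes are signed and
    Integer.toHexString() neither masks nor zero-pads, so 0xAB becomes
    'ffffffab' and 0x05 becomes '5'. The output is non-canonical."""
    parts = []
    for b in data:
        n = b - 256 if b > 127 else b              # widen a signed Java byte to int
        parts.append(format(n & 0xFFFFFFFF, "x"))  # toHexString() of a negative int
    return "".join(" " + p for p in parts)


def hash_password(password: str, salt: bytes = None, iterations: int = 100_000) -> str:
    """Hardened form: random 16-byte salt per password, iterated PBKDF2-HMAC-SHA256,
    canonical hex; scheme, iterations and salt are stored alongside the hash."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time;
    any malformed record simply fails verification."""
    try:
        scheme, iterations, salt_hex, dk_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(dk.hex(), dk_hex)
    except ValueError:
        return False


if __name__ == "__main__":
    print("slide-style:", java_style_hex(hashlib.md5(b"password").digest()))
    record = hash_password("correct horse")
    print("hardened:", record, verify_password("correct horse", record))
```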


Coding Mistakes - Authentication
// the failed-login counter lives in a cookie the client controls
HttpCookie MyCookie;
MyCookie = Request.Cookies["CookieLoginAttempts"];
MyCookie.Expires = DateTime.Now.AddHours(10);
// decrement
int logInAtt = Convert.ToInt32(MyCookie.Value.ToString());
int CookieVal = int.Parse(MyCookie.Value.ToString());
if (CookieVal > 0)
    CookieVal -= 1;
// store in response cookie
HttpCookie AttemptCntCookie = new HttpCookie("CookieLoginAttempts");
AttemptCntCookie.Value = CookieVal.ToString();


Coding Mistakes - Authorization
<input value="true" type="HIDDEN" bean="thisFormHandler.verifyCreditCardNumber"/>
<input value="true" type="HIDDEN" bean="thisFormHandler.validatePrice"/>

<FORM method=post action="http://www.acme.com/cgi-bin/shop/shoppingcart.exe/products/telephonedevices">
<b><font size="5">Sale Price $169.95!</font></b><BR>
<input type="HIDDEN" name="ID" value="PESL100">
<input type="HIDDEN" name="Describe" value="Pro Series Telephone Analyzer">
<input name="Qty" size=3 value=""> Quantity <BR>
<input type="HIDDEN" name="Price" VALUE="169.95">



Coding Mistakes - Authorization
// the role check only decides which links are rendered; the action handler is not shown to check it
if (sess.getCurrentUser().isCSR()) {
    URLList.add("View Customer Details",
        "/jsp/Customer.do?action=view&id=" + custId);
    URLList.add("Edit Customer Details",
        "/jsp/Customer.do?action=edit&id=" + custId);
    URLList.add("Delete Customer",
        "/jsp/Customer.do?action=delete&id=" + custId);
} else {
    URLList.add("View Customer Details",
        "/jsp/Customer.do?action=view&id=" + custId);
}
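An added example, not from the deck, in Python rather than the slides' HTML and Java: the server-side counterparts of the two authorization slides above. The cart handler takes only the product ID and quantity from the client and resolves price and validation decisions from the server, and the customer-action handler authorizes the requested action itself instead of relying on which links were rendered. The catalog, role table and handler names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed catalog: the slide's product, priced in cents on the server side.
CATALOG = {"PESL100": ("Pro Series Telephone Analyzer", 16995)}


def add_to_cart(form: dict) -> dict:
    """Server-side handling of the shopping cart form. Hidden fields such as
    Price or thisFormHandler.validatePrice are ignored, so editing them in the
    browser changes nothing; any problem is reported under the 'error' key."""
    product_id = form.get("ID", "")
    if product_id not in CATALOG:
        return {"error": "unknown product"}
    try:
        qty = int(form.get("Qty", ""))
    except ValueError:
        return {"error": "quantity must be an integer"}
    if not 1 <= qty <= 99:
        return {"error": "quantity out of range"}
    name, unit_cents = CATALOG[product_id]
    return {"id": product_id, "name": name, "qty": qty, "total_cents": unit_cents * qty}


@dataclass(frozen=True)
class Session:
    user: str
    is_csr: bool


# Roles allowed for each customer action. The same table drives both the link
# list and the authorization check, so the two cannot drift apart.
CUSTOMER_ACTIONS = {"view": {"csr", "user"}, "edit": {"csr"}, "delete": {"csr"}}


class AuthorizationError(Exception):
    pass


def role_of(session: Session) -> str:
    return "csr" if session.is_csr else "user"


def is_authorized(session: Session, action: str) -> bool:
    return role_of(session) in CUSTOMER_ACTIONS.get(action, set())


def customer_links(session: Session, cust_id: int) -> list:
    """The slide's link list, rebuilt from the policy table."""
    return [f"/jsp/Customer.do?action={a}&id={cust_id}"
            for a in CUSTOMER_ACTIONS if is_authorized(session, a)]


def handle_customer_action(session: Session, action: str, cust_id: int) -> str:
    """Authorize every request on its own merits; a hidden link is not a control."""
    if action not in CUSTOMER_ACTIONS:
        raise ValueError("unknown action")
    if not is_authorized(session, action):
        raise AuthorizationError(f"{session.user} may not {action} customer {cust_id}")
    return f"{action} customer {cust_id} as {session.user}"
```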


Coding Mistakes - User and Session Management
HTTP/1.1 302 Found
Date: Tue, 21 Feb 2006 19:16:08 GMT
Server: Apache/2.0.46 (Red Hat)
Accept-Ranges: bytes
X-Powered-By: PHP/4.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: userid=mmorana; expires=Thu, 01-Jun-2006 19:16:08 GMT; path=/
Set-Cookie: password=xxxxxxx; expires=Thu, 01-Jun-2006 19:16:08 GMT; path=/
Set-Cookie: communityid=202; expires=Thu, 01-Jun-2006 19:16:08 GMT; path=/
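An added example, not from the deck: a Python check that walks the Set-Cookie headers of a response like the one above and reports what a reviewer would flag, a credential and identity values carried in client-side cookies instead of an opaque session identifier, persistent expiry, and missing Secure and HttpOnly attributes. The response text is constructed from the slide (the password value is a placeholder); the issue codes are my own.

```python
# Constructed sample following the slide; the password value is a placeholder.
SAMPLE_RESPONSE = """\
HTTP/1.1 302 Found
Date: Tue, 21 Feb 2006 19:16:08 GMT
Server: Apache/2.0.46 (Red Hat)
X-Powered-By: PHP/4.3.2
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: userid=mmorana; expires=Thu, 01-Jun-2006 19:16:08 GMT; path=/
Set-Cookie: password=xxxxxxx; expires=Thu, 01-Jun-2006 19:16:08 GMT; path=/
Set-Cookie: communityid=202; expires=Thu, 01-Jun-2006 19:16:08 GMT; path=/
"""

CREDENTIAL_NAMES = ("password", "passwd", "pwd", "secret")
IDENTITY_NAMES = ("userid", "username", "user", "role", "communityid")


def parse_set_cookie(header_value: str):
    """Split 'name=value; attr=val; Flag' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()   # flags such as Secure map to ""
    return name.strip(), value, attrs


def review_cookies(response: str) -> dict:
    """Return {cookie name: [issue codes]} for every Set-Cookie header."""
    issues = {}
    for line in response.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        name, _value, attrs = parse_set_cookie(line.split(":", 1)[1])
        found = []
        lname = name.lower()
        if any(w in lname for w in CREDENTIAL_NAMES):
            found.append("credential-in-cookie")   # a secret sent back to the client
        if lname in IDENTITY_NAMES:
            found.append("identity-in-cookie")     # client-controlled identity, not a session id
        if "secure" not in attrs:
            found.append("missing-secure")         # may be sent over cleartext HTTP
        if "httponly" not in attrs:
            found.append("missing-httponly")       # readable from script in the page
        if "expires" in attrs or "max-age" in attrs:
            found.append("persistent")             # survives the browser session
        issues[name] = found
    return issues


if __name__ == "__main__":
    for cookie, codes in review_cookies(SAMPLE_RESPONSE).items():
        print(f"{cookie}: {', '.join(codes) or 'ok'}")
```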



Coding Mistakes - Data Validation
public List getProductsByTitleKeyWords(String[] keywords)
{
    JdbcTemplate jt = new JdbcTemplate(getDataSource());
    // the keywords are concatenated into the SQL text by createCriteria()
    String query = "select * from products where " + createCriteria(keywords);
    List list = jt.query(query, new ProductRowMapper());
    Iterator iter = list.iterator();
    while (iter.hasNext()) {
        Product prod = (Product) iter.next();
        prod.setFeedback(getFeedBacks(prod));
    }
    return list;
}
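An added example, not from the deck, in Python with sqlite3 standing in for the slide's Spring JdbcTemplate: the concatenating createCriteria() beside the parameterized form a reviewer would recommend. A keyword containing an apostrophe (a legitimate product title) shows the difference: the concatenated query hands the input to the SQL parser as syntax and fails, while the bound parameter is treated as data. The table contents are constructed.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory products table: the slide's product plus one more."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table products (id text, title text, price real)")
    conn.executemany("insert into products values (?, ?, ?)", [
        ("PESL100", "Pro Series Telephone Analyzer", 169.95),
        ("BK200", "O'Reilly Telephony Handbook", 29.95),
    ])
    return conn


def create_criteria(keywords) -> str:
    """The slide's createCriteria(): keywords pasted straight into the SQL text."""
    return " or ".join(f"title like '%{k}%'" for k in keywords)


def get_products_unsafe(conn, keywords):
    query = "select * from products where " + create_criteria(keywords)
    return conn.execute(query).fetchall()


def get_products(conn, keywords):
    """Hardened form: the SQL text is fixed and every keyword travels as a bound
    parameter, so quotes in user input are data, not syntax."""
    if not keywords:
        return []
    where = " or ".join("title like ?" for _ in keywords)
    params = [f"%{k}%" for k in keywords]
    return conn.execute("select * from products where " + where, params).fetchall()


def unsafe_query_fails(conn, keywords) -> bool:
    """True when the concatenated query does not even parse, i.e. the input
    reached the SQL parser as syntax rather than as a value."""
    try:
        get_products_unsafe(conn, keywords)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = make_db()
    print(get_products(db, ["O'Reilly"]))
    print("concatenated query fails on the same input:", unsafe_query_fails(db, ["O'Reilly"]))
```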


Coding Mistakes - Error Handling And Exception Handling
try
{
    ElevatePrivilege();
    ReadSecretFile();
    LowerPrivilege(); // skipped when ReadSecretFile() throws
}
catch (Exception e)
{
    ReportException();
}
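An added example, not from the deck, in Python: the slide's try/catch structure next to the try/finally form that drops privilege on every path. A constructed privilege stand-in records whether the process is still elevated after a read that throws.

```python
class PrivilegeState:
    """Constructed stand-in for the process privilege the slide elevates."""
    def __init__(self):
        self.elevated = False

    def elevate(self):
        self.elevated = True

    def lower(self):
        self.elevated = False


def report_exception(exc) -> str:
    return f"reported: {exc}"


def failing_read():
    """Constructed reader that fails the way ReadSecretFile() might."""
    raise IOError("disk error")


def read_secret_as_on_slide(priv, read_secret):
    """The slide's structure: LowerPrivilege() is skipped when ReadSecretFile() throws,
    so the caller keeps running with elevated privilege after the error is reported."""
    try:
        priv.elevate()
        data = read_secret()
        priv.lower()
        return data
    except Exception as e:
        report_exception(e)
        return None


def read_secret(priv, read_secret_fn):
    """Hardened form: privilege is lowered in finally, on success and on failure alike."""
    priv.elevate()
    try:
        return read_secret_fn()
    except Exception as e:
        report_exception(e)
        return None
    finally:
        priv.lower()
```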

Coding Mistakes - Error Handling And Exception Handling
Error Message:
executeRSProcedure Exception:
java.sql.SQLException: ORA-06502: PL/SQL: numeric or value error: character to number conversion error
Server Name: host1.acme.com
Server Info: IBM WebSphere Application Server/5.1
Remote Address: 192.168.12.34



Coding Mistakes - Error Handling And Exception Handling
• “The password is invalid for the account”
• “The username does not exist”
• “The DOB you entered is invalid”
• “Your account has been locked due to too many invalid attempts”




Coding Mistakes - Logging And Auditing
private void btnLogin_Click(object sender, System.EventArgs e) {
    //..
    // the cleartext password is written to the log
    LogString("User " + txtUserName.Text + " with password " + txtPassword.Text +
              " logged in at " + DateTime.Now.ToString());
    //..
    DataSet ds = GetUserTable();
    //..
    // the whole user table is dumped to the log
    Logdata(ds);
    //..
}
Tools - Tools for Static Code Analysis
Advantages:
• Perform preliminary scanning of large code sets in little time
• Provide consistent results
• Can be used as a secure code check-in gateway
• Identify common coding bugs (low-hanging fruit)

Tools - Tools for Static Code Analysis
Common bugs identified by static parsers:
• Insecure functions
• Lack of proper input validation and output filtering
• Weak crypto algorithms
• Exception handling errors
• Hard-coded passwords, keys, connection strings



Tools - Tools for Static Code Analysis
Disadvantages:
• Do not identify security flaws
• Generate a large amount of false positives
• Provide a false sense of security
Examples:
• ITS4
• RATS
• FlawFinder
• CodeAssure
• PreFIX/PreFAST
• Foundstone CodeScout

Tools - Tools for Dynamic Analysis
Advantages:
• Integrate with debuggers and IDEs
• Monitor access to resources (files, libraries, data, registry keys)
• Monitor network access
• Help identify data flows
Examples:
• CLR Profiler
• NProf
• Sysinternals Tools – FileMon, RegMon
• Foundstone .NETMon


Tips And Tricks
1. Have a plan
     – Focus on clear objectives
     – Organize the team
     – Review incrementally
2. Follow a methodology
     – Identify threats and countermeasures
     – Use vulnerability check lists and tools
     – Categorize security defects

Tips And Tricks
3. Integrate With Other Activities in the S-SDLC
     – Information risk management
     – Metrics and measurements
     – Training and awareness
4. Revise the Plan and the Process
     – Threats and vulnerabilities
     – New techniques
     – People, process and technology


Questions?




Resources
• Software Security Code Review: Code Inspection Finds Problems, R. Araujo and M. Curphey
       – http://www.softwaremag.com
• A Process for Performing Security Code Reviews, M. Howard
       – http://www.computer.org
• How To: Perform a Security Code Review for Managed Code, Microsoft Patterns & Practices
       – http://msdn.microsoft.com


Contact Information
• Presenter Email:
   – marco.morana@foundstone.com
• Foundstone Software Application Security
  Services (SASS)
   – www.foundstone.com/sass
• Foundstone Training
   – www.foundstone.com/education


Threat Modeling Web ApplicationsNadia BENCHIKHA
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineeringAHM Pervej Kabir
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineeringAHM Pervej Kabir
 
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...GoQA
 
Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Black Duck by Synopsys
 
Reduce Third Party Developer Risks
Reduce Third Party Developer RisksReduce Third Party Developer Risks
Reduce Third Party Developer RisksKevo Meehan
 
Cyber security series Application Security
Cyber security series   Application SecurityCyber security series   Application Security
Cyber security series Application SecurityJim Kaplan CIA CFE
 
Open source iam value, benefits, and risks
Open source iam  value, benefits, and risksOpen source iam  value, benefits, and risks
Open source iam value, benefits, and risksWSO2
 
Secure development of code
Secure development of codeSecure development of code
Secure development of codeSalomeVictor
 
chap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information Systemschap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information SystemsKashfUlHuda1
 
Cloud Security vs Security in the Cloud
Cloud Security vs Security in the CloudCloud Security vs Security in the Cloud
Cloud Security vs Security in the CloudTjylen Veselyj
 

Semelhante a Secure Code Reviews (20)

Ethical Hacking Conference 2015- Building Secure Products -a perspective
 Ethical Hacking Conference 2015- Building Secure Products -a perspective Ethical Hacking Conference 2015- Building Secure Products -a perspective
Ethical Hacking Conference 2015- Building Secure Products -a perspective
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software Security
 
2016 to 2021
2016 to 20212016 to 2021
2016 to 2021
 
Cyber Crimes: The next five years.
Cyber Crimes: The next five years. Cyber Crimes: The next five years.
Cyber Crimes: The next five years.
 
An Introduction to Secure Application Development
An Introduction to Secure Application DevelopmentAn Introduction to Secure Application Development
An Introduction to Secure Application Development
 
Estimating Development Security Maturity in About an Hour
Estimating Development Security Maturity in About an HourEstimating Development Security Maturity in About an Hour
Estimating Development Security Maturity in About an Hour
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
Threat Modeling Web Applications
Threat Modeling Web ApplicationsThreat Modeling Web Applications
Threat Modeling Web Applications
 
Web Security
Web SecurityWeb Security
Web Security
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineering
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineering
 
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
 
Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security
 
Reduce Third Party Developer Risks
Reduce Third Party Developer RisksReduce Third Party Developer Risks
Reduce Third Party Developer Risks
 
Cyber security series Application Security
Cyber security series   Application SecurityCyber security series   Application Security
Cyber security series Application Security
 
Open source iam value, benefits, and risks
Open source iam  value, benefits, and risksOpen source iam  value, benefits, and risks
Open source iam value, benefits, and risks
 
Secure development of code
Secure development of codeSecure development of code
Secure development of code
 
Grc tao.4
Grc tao.4Grc tao.4
Grc tao.4
 
chap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information Systemschap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information Systems
 
Cloud Security vs Security in the Cloud
Cloud Security vs Security in the CloudCloud Security vs Security in the Cloud
Cloud Security vs Security in the Cloud
 

Mais de Marco Morana

Is talent shortage ws marco morana
Is talent shortage ws marco moranaIs talent shortage ws marco morana
Is talent shortage ws marco moranaMarco Morana
 
Isaca conference threat_modeling_marco_morana_short.pdf
Isaca conference threat_modeling_marco_morana_short.pdfIsaca conference threat_modeling_marco_morana_short.pdf
Isaca conference threat_modeling_marco_morana_short.pdfMarco Morana
 
Owasp atlanta-ciso-guidevs1
Owasp atlanta-ciso-guidevs1Owasp atlanta-ciso-guidevs1
Owasp atlanta-ciso-guidevs1Marco Morana
 
Owasp e crime-london-2012-final
Owasp e crime-london-2012-finalOwasp e crime-london-2012-final
Owasp e crime-london-2012-finalMarco Morana
 
Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012Marco Morana
 
Presentation sso design_security
Presentation sso design_securityPresentation sso design_security
Presentation sso design_securityMarco Morana
 
Owasp security summit_2012_milanovs_final
Owasp security summit_2012_milanovs_finalOwasp security summit_2012_milanovs_final
Owasp security summit_2012_milanovs_finalMarco Morana
 
Security Summit Rome 2011
Security Summit Rome 2011Security Summit Rome 2011
Security Summit Rome 2011Marco Morana
 
Risk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware AttacksRisk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware AttacksMarco Morana
 
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...Marco Morana
 
Security Exploit of Business Logic Flaws, Business Logic Attacks
Security Exploit of Business Logic Flaws, Business Logic AttacksSecurity Exploit of Business Logic Flaws, Business Logic Attacks
Security Exploit of Business Logic Flaws, Business Logic AttacksMarco Morana
 
Software Security Initiatives
Software Security InitiativesSoftware Security Initiatives
Software Security InitiativesMarco Morana
 
Business cases for software security
Business cases for software securityBusiness cases for software security
Business cases for software securityMarco Morana
 
Security Compliance Web Application Risk Management
Security Compliance Web Application Risk ManagementSecurity Compliance Web Application Risk Management
Security Compliance Web Application Risk ManagementMarco Morana
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security TestingMarco Morana
 
Owasp Forum Web Services Security
Owasp Forum Web Services SecurityOwasp Forum Web Services Security
Owasp Forum Web Services SecurityMarco Morana
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesMarco Morana
 
Software Security Frameworks
Software Security FrameworksSoftware Security Frameworks
Software Security FrameworksMarco Morana
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesMarco Morana
 
Software Open Source, Proprierio, Interoperabilita'
Software Open Source, Proprierio, Interoperabilita'Software Open Source, Proprierio, Interoperabilita'
Software Open Source, Proprierio, Interoperabilita'Marco Morana
 

Mais de Marco Morana (20)

Is talent shortage ws marco morana
Is talent shortage ws marco moranaIs talent shortage ws marco morana
Is talent shortage ws marco morana
 
Isaca conference threat_modeling_marco_morana_short.pdf
Isaca conference threat_modeling_marco_morana_short.pdfIsaca conference threat_modeling_marco_morana_short.pdf
Isaca conference threat_modeling_marco_morana_short.pdf
 
Owasp atlanta-ciso-guidevs1
Owasp atlanta-ciso-guidevs1Owasp atlanta-ciso-guidevs1
Owasp atlanta-ciso-guidevs1
 
Owasp e crime-london-2012-final
Owasp e crime-london-2012-finalOwasp e crime-london-2012-final
Owasp e crime-london-2012-final
 
Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012
 
Presentation sso design_security
Presentation sso design_securityPresentation sso design_security
Presentation sso design_security
 
Owasp security summit_2012_milanovs_final
Owasp security summit_2012_milanovs_finalOwasp security summit_2012_milanovs_final
Owasp security summit_2012_milanovs_final
 
Security Summit Rome 2011
Security Summit Rome 2011Security Summit Rome 2011
Security Summit Rome 2011
 
Risk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware AttacksRisk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware Attacks
 
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
 
Security Exploit of Business Logic Flaws, Business Logic Attacks
Security Exploit of Business Logic Flaws, Business Logic AttacksSecurity Exploit of Business Logic Flaws, Business Logic Attacks
Security Exploit of Business Logic Flaws, Business Logic Attacks
 
Software Security Initiatives
Software Security InitiativesSoftware Security Initiatives
Software Security Initiatives
 
Business cases for software security
Business cases for software securityBusiness cases for software security
Business cases for software security
 
Security Compliance Web Application Risk Management
Security Compliance Web Application Risk ManagementSecurity Compliance Web Application Risk Management
Security Compliance Web Application Risk Management
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security Testing
 
Owasp Forum Web Services Security
Owasp Forum Web Services SecurityOwasp Forum Web Services Security
Owasp Forum Web Services Security
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root Causes
 
Software Security Frameworks
Software Security FrameworksSoftware Security Frameworks
Software Security Frameworks
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
 
Software Open Source, Proprierio, Interoperabilita'
Software Open Source, Proprierio, Interoperabilita'Software Open Source, Proprierio, Interoperabilita'
Software Open Source, Proprierio, Interoperabilita'
 

Último

The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 

Último (20)

The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 

Secure Code Reviews

Slide 1. Secure Code Reviews
Marco Morana, Senior Consultant, Foundstone, A Division of McAfee
33rd CSI Conference, DEV-7, November 7th, 2006, Orlando, Florida

Slide 2. Agenda
• Introduction
   – What Secure Code Reviews Are Not
   – Why We Need Secure Code Reviews?
   – Code Reviews
• Concepts and Strategies
   – Secure Code Reviews in the SDLC
   – Threat Modeling
   – Methodology
   – Coding Mistakes
   – Tools
• Tips And Tricks
• Resources

Slide 3. Disclaimers
Secure code reviews are not:
1. A stand-alone activity separate from the SDLC
2. A process that just relies on tools:
   – Managed programming language
   – Automated code analysis
3. A method to rate un-attackable code
   – Not being scrutinized by security experts
   – False sense of security (i.e. false negatives)

Slide 4. Why we need secure code reviews?
1. Compliance with governing policies
2. Assurance that code follows security best practices
3. Security assessment before releasing to QA and production
4. Measurement of adequacy of security controls to mitigate known threats

Slide 5. Code Reviews
• One to One (peer to peer)
   – Part of the sign-off before handing off to QA
   – Integrated with the check-in process
• Group (team-driven)
   – Advantage of many eyeballs
   – Team members take different roles
Both need preparation and organization

Slide 6. Code Reviews - Team Code Review Approach
• Optimal scenario: a team of 4 people in a conference room with a whiteboard and projector
• Team Roles
   – Lead Reviewer
   – Narrator
   – Author
   – Subject Matter Experts

Slide 7. Agenda (repeats slide 2)

Slide 8. Secure Code Reviews in the SDLC

Slide 9. Code reviews in the Software Security Life Cycle
The economics of security defects

Slide 10. Agenda (repeats slide 2)

Slide 11. Methodology – Secure Code Review Process
1. Build a Threat Model
   – Identify, evaluate and mitigate risks for the particular application
2. Build an Attack Plan
   – Prioritize threats based on criticality
   – Map threats to code artifacts
   – Determine which high-risk areas to focus the efforts on, based upon man-hours and costs
3. Code Review
   – Document each vulnerability under bugs or flaws
   – Review each section of the code for vulnerability categories

Slide 12. What Is Threat Modeling?
• Goal: Identify the threats against the system and the appropriate countermeasures to mitigate the risk they pose
• Model the system as an attacker will see it:
   – Where are the entry points?
   – Which assets are targets?
• Recognize the attacker's advantage and the defender's dilemma:
   – Developers need to get the code 100% correct, 100% of the time, with limited resources and development time
   – Attackers need to find just one hole and can spend as much time finding it as they want

Slide 13. Methodology - Secure Code Reviews Best Practices
• Have clear goals
   – Tactical and strategic scenarios (e.g. new release vs. production)
   – Be specific on what must be accomplished
• Decide which analysis style works best
   – Depth-first vs. breadth-first approach
• Prioritize and simplify
   – Prioritize based upon critical areas
   – Break system complexity
• Be methodical
   – Annotate the code you are reviewing (e.g. comments, IDE task lists)
   – Use checklists

Slide 14. Methodology - Secure Code Reviews
• Reduce complexity
   – Threat modeling
   – Rapid scan
• Review critical sections of the code
   – Correlate and annotate
   – Use IDE tools (e.g. Visual Studio, Eclipse)
• Categorize security defects
   – Threat categorization
   – Checklists
   – Bugs vs. flaws

Slide 15. Methodology - Security Defects Categorization
Can be categorized as:
• Security Bugs
   – An implementation-level software security problem (e.g. buffer overflows, SQL injection)
• Security Flaws
   – A design-level software security problem (e.g. an insecure authorization model or data access layer)

Slide 16. Methodology - Threat Categorization
Insecure code because of the following threats:
• STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege
Secure code by mapping to security controls:
• CIA: Confidentiality, Integrity, Availability

Slide 17. Methodology - Security Frame Categorization
• Configuration Management
   – Issues stemming from insecure deployment and administration
• Data Protection in Storage and Transit
   – Lack of adequate protection for secrets and other sensitive data
• Authentication
   – Lack of strong protocols to verify the identity of a component outside the trust boundary
• Authorization
   – Lack of mechanisms to enforce access controls on protected resources within the system

Slide 18. Methodology – Security Frame Categorization
• User and Session Management
   – Lack of mechanisms to maintain session independence between multiple logged-on users, and insecure user provisioning and de-provisioning policies
• Data Validation
   – Lack of input and output validation when data crosses system or trust boundaries
• Error Handling and Exception Management
   – Failure to deal with exceptions effectively and in a secure manner, resulting in unauthorized disclosure of information
• Logging and Auditing
   – Failure to maintain detailed and accurate application logs that allow for traceability and non-repudiation

Slide 19. Methodology - Secure Code Review Findings
• Sections:
   – Bug vs. Flaw
   – Threat Categorization
   – Risk Rating
   – Module and LOC range
   – Code Snippet
   – Commendation or Recommendation
• Recommendations are often not limited to the code but also cover the design and the deployment environment!

Slide 20. Agenda (repeats slide 2)

Slide 21. Coding Mistakes - Configuration Management
# credentials for the application database
datasource.name=jdbc_1
datasource.url=jdbc:oracle:thin:@dhs:1521:ORA1
datasource.classname=oracle.jdbc.driver.OracleDriver
datasource.username=scott
datasource.password=tiger
Coding Mistakes - Configuration Management
   <pages validateRequest="false"/>
   <!-- DYNAMIC DEBUG COMPILATION -->
   <compilation defaultLanguage="c#" debug="true"/>
   <!-- CUSTOM ERROR MESSAGES -->
   <customErrors mode="Off"/>
   <!-- APPLICATION-LEVEL TRACE LOGGING -->
   <trace enabled="true" requestLimit="10" pageOutput="true" traceMode="SortByTime" localOnly="false"/>
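The two configuration slides above are the kind of finding a reviewer can automate. The following is an added example, not code from the presentation: a small static check that scans a Java properties file for credential keys with literal values and an ASP.NET web.config for request validation switched off, debug compilation, detailed errors sent to every client, and trace output reachable from remote hosts. The sample inputs are constructed to mirror the slides (the host name dbhost and the hardened settings are assumptions), and the hardened web.config is shown beside the weak one so the check can be seen passing as well as failing.

```python
"""Static check for the configuration mistakes on the two slides above.
Added example; constructed inputs, not the presentation's files."""
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the slide's datasource properties.
SAMPLE_PROPERTIES = """\
# credentials for the application database
datasource.name=jdbc_1
datasource.url=jdbc:oracle:thin:@dbhost:1521:ORA1
datasource.username=scott
datasource.password=tiger
"""

# Constructed sample modelled on the slide's web.config fragment.
SAMPLE_WEB_CONFIG = """\
<configuration>
  <system.web>
    <pages validateRequest="false"/>
    <compilation defaultLanguage="c#" debug="true"/>
    <customErrors mode="Off"/>
    <trace enabled="true" requestLimit="10" pageOutput="true"
           traceMode="SortByTime" localOnly="false"/>
  </system.web>
</configuration>
"""

# The same section with production settings (assumed values).
HARDENED_WEB_CONFIG = """\
<configuration>
  <system.web>
    <pages validateRequest="true"/>
    <compilation defaultLanguage="c#" debug="false"/>
    <customErrors mode="RemoteOnly" defaultRedirect="error.aspx"/>
    <trace enabled="false" localOnly="true"/>
  </system.web>
</configuration>
"""

# Heuristic: a key whose last component names a secret should not carry
# a literal value in a checked-in file.
SECRET_KEY_PATTERN = re.compile(r"(password|passwd|secret|apikey|privatekey)\s*$", re.I)


def check_properties(text):
    """Return (line_number, key) for every property that looks like a secret
    with a non-empty literal value. Comments and blank lines are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "!")):
            continue
        key, sep, value = stripped.partition("=")
        if sep and value.strip() and SECRET_KEY_PATTERN.search(key.strip()):
            findings.append((lineno, key.strip()))
    return findings


def check_web_config(xml_text):
    """Return one finding per insecure system.web setting found."""
    root = ET.fromstring(xml_text)
    web = root.find("system.web")
    findings = []
    if web is None:
        return findings

    def attr(tag, name):
        el = web.find(tag)
        return None if el is None else el.get(name, "").lower()

    if attr("pages", "validateRequest") == "false":
        findings.append("pages: validateRequest=false")
    if attr("compilation", "debug") == "true":
        findings.append("compilation: debug=true")
    if attr("customErrors", "mode") == "off":
        findings.append("customErrors: mode=Off")
    if attr("trace", "enabled") == "true" and attr("trace", "localOnly") == "false":
        findings.append("trace: enabled=true with localOnly=false")
    return findings


if __name__ == "__main__":
    print(check_properties(SAMPLE_PROPERTIES))
    print(check_web_config(SAMPLE_WEB_CONFIG))
    print(check_web_config(HARDENED_WEB_CONFIG))
```

The properties check deliberately looks only at the key name, so it catches `datasource.password=tiger` without needing to guess what a password looks like; a reviewer still reads the hits, since a key such as `password.policy.minlength` would be missed and a placeholder like `${DB_PASSWORD}` would be flagged.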
Coding Mistakes - Data Protection in Storage and Transit
   final public static byte key[] =
       {(byte) 0x31, (byte) 0xAB, (byte) 0x05, (byte) 0xF7,
        (byte) 0x45, (byte) 0x65, (byte) 0x98, (byte) 0xAB};
   try
   {
       encryptor.setKey(key);
       plainText = new String(encryptor.decrypt(text));
   }
   catch (Throwable te)
   {
       [...]
   }
Coding Mistakes - Data Protection in Storage and Transit
   public static String digest(String password) throws NoSuchAlgorithmException {
       MessageDigest md5 = MessageDigest.getInstance("MD5");
       byte[] hash = md5.digest(password.getBytes());
       return makeStringFromBytes(hash);
   }
   public static String makeStringFromBytes(byte[] bytes) {
       String result = "";
       for (int i = 0; i < bytes.length; ++i) {
           int n = bytes[i] & 0xFF;   // mask so negative bytes do not print as ffffffxx
           result = result + " " + Integer.toHexString(n);
       }
       return result;
   }
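The slide's digest is a single unsalted MD5 pass, so two users with the same password store the same value and a leaked table can be attacked with a precomputed list. The block below is an added example, not the presentation's code: the weak digest beside a salted, iterated password hash (PBKDF2-HMAC-SHA256 from the standard library) with constant-time verification. The storage format `pbkdf2_sha256$iterations$salt$hash` and the iteration count are assumptions chosen for the example.

```python
"""Salted, iterated password hashing beside the slide's unsalted MD5.
Added example; the storage format and work factor are assumed values."""
import hashlib
import hmac
import os

ITERATIONS = 600_000   # work factor; raise over time as hardware gets faster
SALT_BYTES = 16


def weak_digest(password):
    """The slide's approach: one unsalted MD5 pass. Equal passwords give equal
    digests, so a leaked table is comparable against a precomputed list."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex'. The random salt
    is stored with the hash; it is not secret, it only makes each hash unique."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), derived.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count and compare in
    constant time, so response timing does not depend on how many bytes match."""
    try:
        algorithm, iterations, salt_hex, hash_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        rounds = int(iterations)
    except ValueError:
        return False          # malformed record: fail closed
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    stored = hash_password("tiger")
    print(stored)
    print(verify_password("tiger", stored), verify_password("scott", stored))
```

Because the iteration count is part of the stored record, it can be raised for new accounts without invalidating existing ones; a reviewer should check that the verification path reads the count from the record rather than from a constant.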
Coding Mistakes - Authentication
   HttpCookie MyCookie;
   MyCookie = Request.Cookies["CookieLoginAttempts"];
   MyCookie.Expires = DateTime.Now.AddHours(10);
   // decrement
   int logInAtt = Convert.ToInt32(MyCookie.Value.ToString());
   int CookieVal = int.Parse(MyCookie.Value.ToString());
   if (CookieVal > 0)
       CookieVal -= 1;
   // store in response cookie
   HttpCookie AttemptCntCookie = new HttpCookie("CookieLoginAttempts");
   AttemptCntCookie.Value = CookieVal.ToString();
Coding Mistakes - Authorization
   <input value="true" type="HIDDEN" bean="thisFormHandler.verifyCreditCardNumber"/>
   <input value="true" type="HIDDEN" bean="thisFormHandler.validatePrice"/>

   <FORM method=post action="http://www.acme.com/cgi-bin/shop/shoppingcart.exe/products/telephonedevices">
   <b><font size="5">Sale Price $169.95!</font></b><BR>
   <input type="HIDDEN" name="ID" value="PESL100">
   <input type="HIDDEN" name="Describe" value="Pro Series Telephone Analyzer">
   <input name="Qty" size=3 value=""> Quantity <BR>
   <input type="HIDDEN" name="Price" VALUE="169.95">
Coding Mistakes - Authorization
   if (sess.getCurrentUser().isCSR()) {
       URLList.add("View Customer Details",
           "/jsp/Customer.do?action=view&id=" + custId);
       URLList.add("Edit Customer Details",
           "/jsp/Customer.do?action=edit&id=" + custId);
       URLList.add("Delete Customer",
           "/jsp/Customer.do?action=delete&id=" + custId);
   } else {
       URLList.add("View Customer Details",
           "/jsp/Customer.do?action=view&id=" + custId);
   }
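Both authorization slides share one defect: a decision that belongs on the server is left to the client, either as a hidden price field the cart trusts, or as a role check that only decides which links are rendered while the action handler itself checks nothing. The block below is an added example, not the presentation's code, showing the server-side form of each: the order total is taken from a constructed catalogue keyed by product id, and the Customer.do action handler re-checks the caller's role on every request, independently of the menu. The catalogue, the `User` class and the role table are assumptions.

```python
"""Server-side price lookup and per-action role enforcement for the two
authorization slides. Added example; catalogue and roles are constructed."""


class AuthorizationError(Exception):
    pass


# Constructed catalogue; in a real application this is the product table.
CATALOG = {
    "PESL100": {"describe": "Pro Series Telephone Analyzer", "price": 169.95},
}


def price_order(form):
    """Compute the order total from the catalogue. Only the product id and
    quantity are read from the submitted form; a client-supplied 'Price'
    field, if present, is ignored rather than trusted."""
    product_id = form.get("ID")
    if product_id not in CATALOG:
        raise ValueError("unknown product")
    qty = int(form.get("Qty", "0"))
    if qty < 1:
        raise ValueError("quantity must be at least 1")
    return round(CATALOG[product_id]["price"] * qty, 2)


class User:
    def __init__(self, name, is_csr):
        self.name = name
        self.is_csr = is_csr


# Role required for each Customer.do action ("any" = every authenticated user).
REQUIRED_ROLE = {"view": "any", "edit": "csr", "delete": "csr"}


def build_customer_menu(user, cust_id):
    """The slide's menu logic. Hiding a link is a usability choice, not a
    security control: the URL remains reachable without the link."""
    links = [("View Customer Details", f"/jsp/Customer.do?action=view&id={cust_id}")]
    if user.is_csr:
        links.append(("Edit Customer Details", f"/jsp/Customer.do?action=edit&id={cust_id}"))
        links.append(("Delete Customer", f"/jsp/Customer.do?action=delete&id={cust_id}"))
    return links


def handle_customer_action(user, action, cust_id):
    """The control that matters: the handler checks the role on every request,
    so a request naming action=delete directly is refused for non-CSR users."""
    role = REQUIRED_ROLE.get(action)
    if role is None:
        raise ValueError("unknown action")
    if role == "csr" and not user.is_csr:
        raise AuthorizationError(f"{user.name} may not {action} customer {cust_id}")
    return f"{action} customer {cust_id} by {user.name}"


if __name__ == "__main__":
    print(price_order({"ID": "PESL100", "Qty": "2", "Price": "1.00"}))
    print(build_customer_menu(User("bob", False), 42))
    print(handle_customer_action(User("alice", True), "delete", 42))
```

When reviewing, look for the check in the code path that performs the action, not in the code that draws the page; the menu and the handler here are separate functions precisely so the difference is visible.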
Coding Mistakes - User and Session Management
   HTTP/1.1 302 Found
   Date: Tue, 21 Feb 2006 19:16:08 GMT
   Server: Apache/2.0.46 (Red Hat)
   Accept-Ranges: bytes
   X-Powered-By: PHP/4.3.2
   Expires: Thu, 19 Nov 1981 08:52:00 GMT
   Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
   Pragma: no-cache
   Set-Cookie: userid=mmorana; expires=Thu, 01-Jun-2006 19:16:08 GMT; path=/
   Set-Cookie: password=xxxxxxx; expires=Thu, 01-Jun-2006 19:16:08 GMT; path=/
   Set-Cookie: communityid=202; expires=Thu, 01-Jun-2006 19:16:08 GMT; path=/
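A response like the one above can be checked mechanically during a review. The block below is an added example, not the presentation's code: it parses the Set-Cookie headers of a captured response and reports credentials or identity data stored client-side, cookies missing the Secure or HttpOnly attribute, and persistent cookies whose lifetime (measured against the response's own Date header, so the check is reproducible offline) exceeds a threshold. The sample responses are constructed to mirror the slide, and the sensitive-name list and the one-hour threshold are assumptions.

```python
"""Audit of Set-Cookie headers in a captured HTTP response. Added example;
the responses below are constructed, the thresholds are assumed."""
from datetime import datetime, timedelta, timezone

# Constructed response modelled on the slide's capture.
SAMPLE_RESPONSE = """\
HTTP/1.1 302 Found
Date: Tue, 21 Feb 2006 19:16:08 GMT
Server: Apache/2.0.46 (Red Hat)
Set-Cookie: userid=mmorana; expires=Thu, 01-Jun-2006 19:16:08 GMT; path=/
Set-Cookie: password=xxxxxxx; expires=Thu, 01-Jun-2006 19:16:08 GMT; path=/
Set-Cookie: communityid=202; expires=Thu, 01-Jun-2006 19:16:08 GMT; path=/
"""

# Constructed response with an opaque session cookie and no persistence.
HARDENED_RESPONSE = """\
HTTP/1.1 302 Found
Date: Tue, 21 Feb 2006 19:16:08 GMT
Set-Cookie: sessionid=c0n5truct3d0paqu3t0k3n; Path=/; Secure; HttpOnly
"""

SENSITIVE_NAMES = {"password", "passwd", "pwd", "userid", "username", "role", "admin"}
MAX_LIFETIME = timedelta(hours=1)   # anything longer is treated as persistent


def parse_set_cookies(response_text):
    """Return a list of (name, value, attributes) for each Set-Cookie header;
    attribute names are lower-cased, flags without a value map to ''."""
    cookies = []
    for line in response_text.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        parts = [p.strip() for p in line.split(":", 1)[1].split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {}
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip()
        cookies.append((name.strip(), value, attrs))
    return cookies


def _parse_http_date(text):
    """Accept the Netscape cookie date form and the RFC 1123 header form."""
    for fmt in ("%a, %d-%b-%Y %H:%M:%S GMT", "%a, %d %b %Y %H:%M:%S GMT"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def audit_cookies(response_text):
    """Return one finding string per problem found in the response."""
    findings = []
    date_line = next((l for l in response_text.splitlines()
                      if l.lower().startswith("date:")), None)
    issued = _parse_http_date(date_line.split(":", 1)[1].strip()) if date_line else None
    for name, value, attrs in parse_set_cookies(response_text):
        if name.lower() in SENSITIVE_NAMES:
            findings.append(f"{name}: credential or identity data stored client-side")
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure attribute")
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly attribute")
        expires = _parse_http_date(attrs["expires"]) if "expires" in attrs else None
        if expires and issued and expires - issued > MAX_LIFETIME:
            findings.append(f"{name}: persistent cookie valid for {(expires - issued).days} days")
    return findings


if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_RESPONSE):
        print(finding)
    print(audit_cookies(HARDENED_RESPONSE))
```

The hardened response carries one opaque session identifier that the server maps to the user and community, so nothing about the user's identity or credentials is recoverable from the cookie itself.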
Coding Mistakes - Data Validation
   public List getProductsByTitleKeyWords(String[] keywords)
   {
       JdbcTemplate jt = new JdbcTemplate(getDataSource());
       String query = "select * from products where " + createCriteria(keywords);
       List list = jt.query(query, new ProductRowMapper());
       Iterator iter = list.iterator();
       while (iter.hasNext()) {
           Product prod = (Product) iter.next();
           prod.setFeedback(getFeedBacks(prod));
       }
       return list;
   }
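The query above is built by pasting `createCriteria(keywords)` into the SQL text, so any quote character in a keyword changes the structure of the statement rather than being searched for. The block below is an added example, not the presentation's code: the concatenating version beside a parameterised one, run against a constructed in-memory SQLite table. A product title containing an apostrophe is enough to show the difference; the concatenated statement fails to parse while the bound parameter is treated as data.

```python
"""Keyword search with string concatenation beside the parameterised form.
Added example; the products table is constructed in memory."""
import sqlite3


def make_db():
    """Constructed sample table mirroring the slide's products query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table products (id integer primary key, title text)")
    conn.executemany("insert into products (title) values (?)",
                     [("Pro Series Telephone Analyzer",),
                      ("O'Brien's Line Tester",),
                      ("Basic Telephone",)])
    return conn


def create_criteria_unsafe(keywords):
    """The slide's approach: keywords become part of the SQL text, so a quote
    in the input ends the string literal early."""
    return " and ".join("title like '%" + k + "%'" for k in keywords)


def products_by_keywords_unsafe(conn, keywords):
    query = "select * from products where " + create_criteria_unsafe(keywords) + " order by id"
    return [row[1] for row in conn.execute(query)]


def products_by_keywords(conn, keywords):
    """Placeholders keep the keywords as data: the SQL text is fixed and the
    driver binds each value, whatever characters it contains."""
    if not keywords:
        return []
    where = " and ".join("title like ?" for _ in keywords)
    params = ["%" + k + "%" for k in keywords]
    query = "select * from products where " + where + " order by id"
    return [row[1] for row in conn.execute(query, params)]


if __name__ == "__main__":
    conn = make_db()
    print(products_by_keywords(conn, ["Telephone"]))
    print(products_by_keywords(conn, ["O'Brien"]))
    try:
        print(products_by_keywords_unsafe(conn, ["O'Brien"]))
    except sqlite3.OperationalError as exc:
        print("concatenated query failed:", exc)
```

The Spring `JdbcTemplate` on the slide has an overload that takes the statement and an `Object[]` of arguments, so the same change applies there: build the `?` list from the keyword count and pass the values separately.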
Coding Mistakes - Error Handling And Exception Handling
   try
   {
       ElevatePrivilege();
       ReadSecretFile();
       LowerPrivilege();
   }
   catch (Exception e)
   {
       ReportException();
   }
Coding Mistakes - Error Handling And Exception Handling
   Error Message: executeRSProcedure Exception: java.sql.SQLException: ORA-06502: PL/SQL: numeric or value error: character to number conversion error
   Server Name: host1.acme.com
   Server Info: IBM WebSphere Application Server/5.1
   Remote Address: 192.168.12.34
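The two slides above show one structural defect and one disclosure defect: `LowerPrivilege()` sits inside the try block, so an exception in `ReadSecretFile()` skips it and the process stays elevated, and the error page hands the client the exception class, database error and host details. The block below is an added example, not the presentation's code, covering both: a context manager that drops privileges in a `finally` clause, the slide's structure reproduced for comparison, and a request handler that returns a generic message with a correlation id while the detail goes only to the server log. The `Process` class is a constructed stand-in for whatever the real application elevates.

```python
"""Privilege restoration in finally and generic error responses for the two
exception-handling slides. Added example; Process is a constructed stand-in."""
import logging
import uuid
from contextlib import contextmanager

log = logging.getLogger("app")


class Process:
    """Constructed stand-in for a process whose privilege level can change."""

    def __init__(self):
        self.elevated = False

    def elevate_privilege(self):
        self.elevated = True

    def lower_privilege(self):
        self.elevated = False

    def read_secret_file(self, fail=False):
        if not self.elevated:
            raise PermissionError("not elevated")
        if fail:
            raise IOError("simulated read failure")
        return "secret contents"


def read_secret_naive(process, fail=False):
    """The slide's structure: lower_privilege() is inside the try, so an
    exception in read_secret_file() skips it and the process stays elevated."""
    try:
        process.elevate_privilege()
        data = process.read_secret_file(fail=fail)
        process.lower_privilege()
        return data
    except Exception as exc:
        log.error("report: %r", exc)
        return None


@contextmanager
def elevated(process):
    """Lower privileges in finally, so every exit path, normal or exceptional,
    leaves the process at its original level."""
    process.elevate_privilege()
    try:
        yield
    finally:
        process.lower_privilege()


def read_secret(process, fail=False):
    with elevated(process):
        return process.read_secret_file(fail=fail)


def handle_request(process, fail=False):
    """Map any failure to a generic message plus a correlation id. Exception
    type, SQL text, host name and similar detail are logged server-side and
    never echoed to the remote client."""
    try:
        return {"status": 200, "body": read_secret(process, fail=fail)}
    except Exception as exc:
        ref = uuid.uuid4().hex[:12]
        log.error("request %s failed: %r", ref, exc)
        return {"status": 500, "body": f"An internal error occurred (reference {ref})."}


if __name__ == "__main__":
    p = Process()
    print(read_secret_naive(p, fail=True), "elevated after naive failure:", p.elevated)
    p = Process()
    print(handle_request(p, fail=True), "elevated after handled failure:", p.elevated)
```

The correlation id is what lets support staff find the full stack trace in the log for a user's report; it replaces the detail on the page rather than losing it.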
Coding Mistakes - Error Handling And Exception Handling
• "The password is invalid for the account"
• "The username does not exist"
• "The DOB you entered is invalid"
• "Your account has been locked due to too many invalid attempts"
Coding Mistakes - Logging And Auditing
   private void btnLogin_Click(object sender, System.EventArgs e) {
       //..
       LogString("User " + txtUserName.Text + " with password " + txtPassword.Text + " logged in at " + DateTime.Now.ToString());
       //..
       DataSet ds = GetUserTable();
       //..
       Logdata(ds);
       //..
   }
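Three of the slides above concern the same login path: the attempt counter kept in a cookie the client controls, the error messages that reveal whether a username exists or is locked, and the log line that records the password in clear. The block below is an added example, not the presentation's code, that handles all three in one place: the counter and lockout state live server-side keyed by username, every failure returns the same message while the real reason is recorded in an audit entry, and the audit entry carries the user, outcome and timestamp but never the password. The in-memory stores, the lockout threshold and the PBKDF2 work factor are assumptions.

```python
"""Server-side lockout, uniform failure messages and a password-free audit
trail for the login slides. Added example; stores are in-memory stand-ins."""
import hashlib
import hmac
import os
from datetime import datetime, timezone

MAX_ATTEMPTS = 5                                   # assumed lockout threshold
GENERIC_FAILURE = "Invalid username or password."  # same text for every failure


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class Authenticator:
    def __init__(self):
        self.users = {}       # username -> (salt, password hash)
        self.failures = {}    # username -> consecutive failed attempts (server-side)
        self.audit_log = []   # constructed in-memory audit trail

    def add_user(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt))

    def _audit(self, username, outcome):
        # Records who, what and when; the submitted password is never stored.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": username,
            "outcome": outcome,
        })

    def login(self, username, password):
        """Return (success, message). Unknown user, wrong password and locked
        account all yield GENERIC_FAILURE; the distinction goes to the audit log."""
        record = self.users.get(username)
        if record is None:
            _hash(password, b"\x00" * 16)   # keep timing similar to a real user
            self._audit(username, "unknown user")
            return False, GENERIC_FAILURE
        if self.failures.get(username, 0) >= MAX_ATTEMPTS:
            self._audit(username, "locked")
            return False, GENERIC_FAILURE
        salt, stored = record
        if hmac.compare_digest(_hash(password, salt), stored):
            self.failures[username] = 0
            self._audit(username, "success")
            return True, "Welcome."
        self.failures[username] = self.failures.get(username, 0) + 1
        self._audit(username, "bad password")
        return False, GENERIC_FAILURE


if __name__ == "__main__":
    auth = Authenticator()
    auth.add_user("mmorana", "correct horse battery")
    print(auth.login("mmorana", "wrong"))
    print(auth.login("nobody", "wrong"))
    print(auth.login("mmorana", "correct horse battery"))
    for entry in auth.audit_log:
        print(entry)
```

The audit entries still support the traceability the logging slide asks for (who attempted what, when, and with which outcome); only the secret is left out.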
Agenda
• Introduction
   – What Secure Code Reviews Are Not
   – Why We Need Secure Code Reviews ?
   – Code Reviews
• Concepts and Strategies
   – Secure Code Reviews in the SDLC
   – Threat Modeling
   – Methodology
   – Coding Mistakes
   – Tools
• Tips And Tricks
• Resources
Tools - Tools for Static Code Analysis
Advantages:
• Perform preliminary scanning of large code sets in little time
• Provide consistent results
• Can be used as a secure code check-in gateway
• Identify common coding bugs (low-hanging fruit)
Tools - Tools for Static Code Analysis
Common bugs identified by static parsers:
• Insecure functions
• Lack of proper input validation and output filtering
• Weak crypto algorithms
• Exception handling errors
• Hard-coded passwords, keys, connection strings
Tools - Tools for Static Code Analysis
Disadvantages:
• Do not identify security flaws
• Generate a large amount of false positives
• Provide a false sense of security
Examples:
• ITS4
• RATS
• FlawFinder
• CodeAssure
• PreFIX/PreFAST
• Foundstone CodeScout
Tools - Tools for Dynamic Analysis
Advantages:
• Integrate with debuggers and IDEs
• Monitor access to resources (files, libraries, data, registry keys)
• Monitor network access
• Help identify data flows
Examples:
• CLR Profiler
• NProf
• Sysinternals Tools – FileMon, RegMon
• Foundstone .NETMon
Tips And Tricks
1. Have a plan
   – Focus on clear objectives
   – Organize the team
   – Review incrementally
2. Follow a methodology
   – Identify threats and countermeasures
   – Use vulnerability checklists and tools
   – Categorize security defects
Tips And Tricks
3. Integrate with other activities in the S-SDLC
   – Information risk management
   – Metrics and measurements
   – Training and awareness
4. Revise the plan and the process
   – Threats and vulnerabilities
   – New techniques
   – People, process and technology
Questions?
Resources
• Software Security Code Review: Code Inspection Finds Problems, R. Araujo and M. Curphey
   – http://www.softwaremag.com
• A Process for Performing Security Code Reviews, M. Howard
   – http://www.computer.org
• How To: Perform a Security Code Review for Managed Code, Microsoft Patterns & Practices
   – http://msdn.microsoft.com
Contact Information
• Presenter Email:
   – marco.morana@foundstone.com
• Foundstone Software Application Security Services (SASS)
   – www.foundstone.com/sass
• Foundstone Training
   – www.foundstone.com/education