In this talk I will present a brief introduction to Code Review, where we will try to understand its value and why it is so hard to implement effectively. I will also present some of the challenges we had at SAPO and how we tried to fix them.
1. Is Code Review the Solution?
Version 1.1 - 28/10/2014
Confraria da Segurança da Informação
2. Outline
SAPO Websecurity Team
• What is code review
• Motivation
• Open-Source
• How to
• Tools
• Problems
3. About me
• Security Engineer at Portugal Telecom since 2004
  – honeypots, traffic analysis, internal security
• At SAPO since 2010
  – pentesting of web applications, iOS, Android, IPTV
  – all-terrain security consultant
• Trainer of Linux and network security courses at Citeforma
• Speaker at security events like Codebits, Just4Meeting, Security Meeting, ISEL Tech, Create Tech, Confraria da Segurança da Informação and BSides Lisbon
• Holds an MSc in Information Technology/Information Security from Carnegie Mellon and a CISSP
4. What is code review
• Code
  • Firefox - 5 million LOC (Lines of Code)
  • MySQL - 12 million LOC
  • Debian 5 - 66 million LOC
  • Windows Server 2003 - 50 million LOC
5. What is code review
• Review
  • “formal assessment of something with the intention of instituting change if necessary”
6. What is code review
• Code review is the analysis of source code in order to find defects
  – security, performance, functional, etc.
  – early detection
  – complements scanners and other tools
18. Motivation
• Compliance
  • PCI-DSS - Payment Card Industry Data Security Standard
    • since 2005
    • version 3.0
  • Requirement 6.3.2
    • “Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) …”
19. Open-Source
• A requirement for code review is to have access to the source code
• Open-Source Software (OSS) makes its source code available for anyone (to review)
• Therefore, OSS is better because it's reviewed by the whole world
  • is it?
21. Open-Source
• Not all OSS is thoroughly reviewed, but…
22. Open-Source
• Not all OSS is thoroughly reviewed, but…
  • In 2011, a vulnerability that allowed backup decryption was found
25. Open-Source
• Found “by someone who was reading the Tarsnap source code purely out of curiosity”
• Led to a bug bounty for security problems
• “I'm a great fan of curiosity, but I've also learned that money can help to encourage curiosity.”
27. Open-Source
• Apple “goto fail”
  • CVE-2014-1266 - “attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS”
  • Affected iOS and OS X
  • http://pi5.20.sl.pt
30. Open-Source
• Likely found by code review
  • “A test case could have caught this, but it's difficult because it's so deep into the handshake.”
  • “Code review can be effective against these sorts of bug.”
31. Open-Source
• In 2011, a Ph.D. student pushed a commit to OpenSSL that implemented the Heartbeat extension
• Reviewed by one of OpenSSL’s four core developers
  • code in C
  • the problem was not detected
39. Open-Source
• Heartbleed
  • CVE-2014-0160 - Allows reading of random data from the process memory
  • Affected OpenSSL - used by many exposed services such as www and mail
  • http://pi5.5l.sl.pt
40. Open-Source
• Should have been detected with code review
  • http://pi5.fp.sl.pt
43. Open-Source
• SQL injection
  • http://vuln.example/login?username=x' or 1=1 limit 0,1--%20
  • SELECT id,group,full_name FROM users WHERE username='x' or 1=1 limit 0,1--
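As an added illustration (not from the slides), the login query above built by string concatenation next to its parameterised form, both run against a constructed in-memory SQLite table with the slide's payload; the column `group` is quoted because it is a reserved word:

```python
import sqlite3

# Constructed sample data (not from the slides): an in-memory users table.
# The column "group" is quoted because it is a reserved word in SQL.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute('CREATE TABLE users (id INTEGER, "group" TEXT, '
               'username TEXT, full_name TEXT)')
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "admin", "alice", "Alice Admin"),
        (2, "users", "bob", "Bob User"),
    ])
    return db

def login_vulnerable(db, username):
    # The query is assembled by concatenating the request parameter, which is
    # what lets the slide's payload rewrite the WHERE clause. A reviewer should
    # flag every query built this way, whatever the framework.
    query = ("SELECT id, \"group\", full_name FROM users WHERE username='"
             + username + "'")
    return db.execute(query).fetchall()

def login_fixed(db, username):
    # Parameterised query: the value is bound as data and never parsed as SQL,
    # so the same input simply matches no row.
    query = 'SELECT id, "group", full_name FROM users WHERE username=?'
    return db.execute(query, (username,)).fetchall()

# The payload from the slide's URL, decoded (%20 is the trailing space that
# MySQL requires after "--" for it to start a comment).
PAYLOAD = "x' or 1=1 limit 0,1-- "

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, PAYLOAD))  # first row, no valid username needed
    print(login_fixed(db, PAYLOAD))       # []
```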
44. How to
• Code review methods vary a lot
  • highly dependent on the depth of the analysis
• Broad categories with different names depending on the author
  • Formal code review
  • Lightweight code review
45. How to
• Formal code review
  • line by line
  • multiple reviewers
  • group review
  • printed copies
• Finds hard-to-find problems
• Time consuming
46. How to
• Lightweight code review
  • shallow analysis
  • pattern-based analysis
  • grep based
  • reviewing only critical functions
• Prone to miss some problems
• Less time consuming
• Good to easily find certain classes of vulnerabilities
47. How to
• Review can be done
  • manually
  • automatically
  • using both approaches
• Using both approaches
  • automatically find hotspots with pattern matching
  • manually review those areas
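An added example of the hybrid approach on this slide (not part of the original deck): a small grep-style pass that flags hotspot lines in constructed sample sources and attaches the question the manual reviewer must answer at each match. The patterns, file names and sample code are assumptions for illustration; a real pass would be tuned per language and project.

```python
import re

# Hotspot patterns for a lightweight, grep-style review pass. Each entry is
# (regex, question the human reviewer must answer at the match). These are
# constructed for this example and cover the two bug classes the slides
# discuss: memory copies in C and SQL built from strings.
HOTSPOTS = [
    (r"\b(strcpy|strcat|sprintf|gets)\s*\(",
     "unbounded C string function: where is the destination size checked?"),
    (r"\bmemcpy\s*\(",
     "memcpy: is the length validated against the real source length?"),
    (r"\b(SELECT|INSERT|UPDATE|DELETE)\b.*(\+|%s|\{)",
     "SQL built from strings: is user input parameterised?"),
    (r"\b(eval|exec|system|popen|shell_exec)\s*\(",
     "code/command execution: can the argument contain user input?"),
]

def find_hotspots(sources):
    """sources: {filename: text}. Returns [(file, line_no, line, hint)] for
    every line matching a hotspot; the list is the manual reviewer's queue."""
    hits = []
    for name, text in sources.items():
        for no, line in enumerate(text.splitlines(), 1):
            for pattern, hint in HOTSPOTS:
                if re.search(pattern, line):
                    hits.append((name, no, line.strip(), hint))
                    break  # one hint per line is enough for triage
    return hits

# Constructed sample sources standing in for a repository checkout.
SAMPLE = {
    "copy.c": (
        "void copy_record(unsigned char *dst, const unsigned char *src, "
        "unsigned int len) {\n"
        "    memcpy(dst, src, len);\n"
        "}\n"),
    "login.py": (
        "def lookup(db, user):\n"
        "    q = \"SELECT id FROM users WHERE username='\" + user + \"'\"\n"
        "    return db.execute(q).fetchall()\n"),
}

if __name__ == "__main__":
    for f, n, line, hint in find_hotspots(SAMPLE):
        print(f"{f}:{n}: {line}\n    -> {hint}")
```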
48. How to
• Combining approaches
  • milestone
    • mandatory review and approval before going to production
  • a posteriori
    • detection vs prevention
  • sampling
    • review just some code, chosen by
      • keyword
      • committer
      • project
49. How to
• Basic rules for code review to work
• 1st rule: the reviewer must not be the one who wrote the code
  • if we could find bugs in our code we would be able to avoid them
    • biased analysis
  • the reviewer will have a different and unbiased perspective
  • the reviewer should be from a different project
50. How to
• 2nd rule: the reviewer should understand the language being reviewed
51. How to
• 3rd rule: focus on the objective: security, performance, feature, etc., but not on everything
52. More motivation
• How to motivate the reviewers?
53. More motivation
• Just saying “you must do code review” will not work
  • developers have more interesting stuff to do
  • developers have more stuff to do
  • developers have deadlines and code review is easily not taken into consideration (1st to drop)
  • developers don’t like others’ code
  • what to review?
54. How to
• What to review is a big question
  • don’t let the developer choose what to review arbitrarily
• Assign “reviews” to reviewers
  • use a tool to manage what is assigned to each reviewer
  • each reviewer has a queue of reviews to be done
55. How to
• Assign “reviews” to reviewers
  • for instance, single commits
• Ensures
  • coverage - all code is reviewed
  • responsibility - the developer has something publicly assigned to him
  • deliverables - audit evidence; increases motivation to review
56. How to
• Even with task assignment the reviewer might let the work pile up
  • it's like documentation: the application will work fine without it
• This will happen if the review is done individually and in their usual sitting place
  • gather developers
57. How to
• Book a meeting room
• Get the developers there
58. Tools
• Supporting software
  • Phabricator
    • repository integration
    • assignment rules
    • issue tracking
    • pre and post commit hooking
65. Tools
• Do not confuse code review with other mechanisms
  • static analysis
  • dynamic analysis
• These lack human intelligence
  • but do not get tired
66. Problems
• A Portuguese company working in mission-critical systems used (uses?) the following approach
  • developers get a printed A4 page with code
  • they also get a 5/6-item checklist
  • 15 min meeting the next morning to discuss the checklist issues
  • repeat every day
• Scrum-like methodology
67. Problems
• Problems with this approach?
• Feels like homework
  • might review at work but subject to the usual constraints
• Context
  • calls to functions outside the printed code
  • classes/objects defined elsewhere
  • inclusion of files and configurations
70. Is code review the solution?
• Is code review the solution?
71. Is code review the solution?
• Is code review the solution?
• No.
• But it is a good complement
  • detects vulnerabilities hard to find using blackbox approaches
  • detects potential problems, before they are exploitable
72. More
• Other presentations
  – slideshare.net/tiagomendo
  – slideshare.net/nuno.loureiro
  – AP2SI - facebook.com/ap2si
  – OWASP - owasp.org