Is Code Review the Solution?
Version 1.1 - 28/10/2014
Confraria da Segurança da Informação
Outline
SAPO Websecurity Team
• What is code review
• Motivation
• Open-Source
• How to
• Tools
• Problems
About me
• Security Engineer at Portugal Telecom since 2004
  – honeypots, traffic analysis, internal security
• At SAPO since 2010
  – pentesting of web applications, iOS, Android, IPTV
  – all-terrain security consultant
• Trainer of Linux and network security courses at Citeforma
• Speaker at security events like Codebits, Just4Meeting, Security Meeting, ISEL Tech, Create Tech, Confraria da Segurança da Informação and BSides Lisbon
• Holds an MSc in Information Technology/Information Security from Carnegie Mellon and CISSP
What is code review
• Code
  – Firefox - 5 million LOC (Lines of Code)
  – MySQL - 12 million LOC
  – Debian 5 - 66 million LOC
  – Windows Server 2003 - 50 million LOC
• Review
  – "formal assessment of something with the intention of instituting change if necessary"
• Code review is the analysis of source code in order to find defects
  – security, performance, functional, etc.
  – early detection
  – complements scanners and other tools
Motivation
• Compliance
  – PCI-DSS - Payment Card Industry Data Security Standard
    • since 2005
    • version 3.0
    • Requirement 6.3.2
    • "Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) …"
Open-Source
• A requirement for code review is to have access to the source code
• Open-Source Software (OSS) makes its source code available for anyone (to review)
• Therefore, OSS is better because it's reviewed by the whole world
  – is it?
Open-Source
• Not all OSS is thoroughly reviewed, but…
  – In 2011, a vulnerability that allowed backup decryption was found
• Found "by someone who was reading the Tarsnap source code purely out of curiosity"
• Led to a bug bounty for security problems
• "I'm a great fan of curiosity, but I've also learned that money can help to encourage curiosity."
Open-Source
• Apple "goto fail"
  – CVE-2014-1266 - "attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS"
  – Affected iOS and OS X
  – http://pi5.20.sl.pt
• Likely found by code review
  – "A test case could have caught this, but it's difficult because it's so deep into the handshake."
  – "Code review can be effective against these sorts of bug."
Open-Source
• In 2011, a Ph.D. student pushed a commit to OpenSSL that implemented the Heartbeat extension
  – Reviewed by one of OpenSSL's four core developers
  – code in C
  – the problem was not detected
• Heartbleed
  – CVE-2014-0160 - Allows reading of random data from the process memory
  – Affected OpenSSL - used by many exposed services such as www and mail
  – http://pi5.5l.sl.pt
• Should have been detected with code review
  – http://pi5.fp.sl.pt
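To make concrete what "should have been detected with code review" means for the Heartbeat case, here is an added example (not OpenSSL code and not part of the presentation): a simplified Python model of the heartbeat handler, first without and then with the length check. The message layout (1-byte type, 2-byte payload_length, payload, at least 16 bytes of padding) follows the extension; the "process memory" bytearray, the 4-byte payload and the neighbouring SESSION-KEY data are constructed for the demonstration, and the function names are my own.

```python
"""Simplified model of the Heartbeat length check (added example, not OpenSSL code).

The defect the reviewer missed: payload_length is read from the message and trusted,
instead of being compared with the number of bytes actually received (record_len).
Process memory is modelled as a bytearray in which the record is followed by unrelated,
constructed data."""
import struct
from typing import Callable, Optional

HB_REQUEST = 1
HB_RESPONSE = 2
MIN_PADDING = 16
HEADER_LEN = 3          # type (1 byte) + payload_length (2 bytes)


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Constructed request; claimed_length lets the sender lie about the payload size."""
    if claimed_length is None:
        claimed_length = len(payload)
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * MIN_PADDING


def heartbeat_vulnerable(memory: bytearray, record_len: int) -> Optional[bytes]:
    """Echoes payload_length bytes starting at the payload offset. record_len is never
    consulted, so the copy runs past the record into neighbouring memory."""
    hb_type, payload_length = struct.unpack_from("!BH", memory, 0)
    if hb_type != HB_REQUEST:
        return None
    payload = bytes(memory[HEADER_LEN:HEADER_LEN + payload_length])
    return struct.pack("!BH", HB_RESPONSE, payload_length) + payload


def heartbeat_fixed(memory: bytearray, record_len: int) -> Optional[bytes]:
    """The check a reviewer should have asked for: discard the record when header,
    claimed payload and minimum padding do not fit in what was actually received."""
    if record_len < HEADER_LEN + MIN_PADDING:
        return None
    hb_type, payload_length = struct.unpack_from("!BH", memory, 0)
    if hb_type != HB_REQUEST:
        return None
    if HEADER_LEN + payload_length + MIN_PADDING > record_len:
        return None
    payload = bytes(memory[HEADER_LEN:HEADER_LEN + payload_length])
    return struct.pack("!BH", HB_RESPONSE, payload_length) + payload


NEIGHBOUR = b"SESSION-KEY-0xDEADBEEF"   # constructed data that happens to follow the record


def simulate(handler: Callable[[bytearray, int], Optional[bytes]],
             claimed_length: int) -> Optional[bytes]:
    """Place a 4-byte request in 'process memory' next to NEIGHBOUR and run the handler."""
    record = build_heartbeat(b"ping", claimed_length)
    memory = bytearray(record + NEIGHBOUR)
    return handler(memory, len(record))


def leaked_bytes(response: Optional[bytes]) -> bytes:
    """Whatever the response carries beyond the genuine 4-byte payload and its padding."""
    if response is None:
        return b""
    return response[HEADER_LEN + 4 + MIN_PADDING:]


if __name__ == "__main__":
    print("vulnerable, claimed 30:", leaked_bytes(simulate(heartbeat_vulnerable, 30)))
    print("fixed, claimed 30     :", simulate(heartbeat_fixed, 30))
    print("fixed, honest 4       :", simulate(heartbeat_fixed, 4))
```

The two handlers differ by one comparison, which is exactly the kind of defect a line-by-line reviewer is positioned to catch and a black-box test of a normal handshake never exercises: every honest heartbeat passes both versions.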
Open-Source
• SQL injection
  – http://vuln.example/login?username=x' or 1=1 limit 0,1--%20
  – SELECT id,group,full_name FROM users WHERE username='x' or 1=1 limit 0,1--
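The slide shows the injected query but not the code a reviewer would be looking at. As an added example (not from the presentation), the same login lookup is run against an in-memory SQLite database twice: once built by string concatenation, which is the pattern to flag in review, and once with a bound parameter, which is the fix. The table, its rows and the column name user_group (GROUP is a reserved word, so the slide's column is renamed here) are constructed.

```python
"""Added example: the slide's login query, concatenated versus parameterised (SQLite)."""
import sqlite3
from typing import Optional, Tuple

# The username value from the slide's URL, after URL decoding (%20 is the trailing space).
PAYLOAD = "x' or 1=1 limit 0,1-- "


def make_db() -> sqlite3.Connection:
    """Constructed users table with two rows; the first one is the privileged account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, user_group TEXT, username TEXT, full_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(1, "admin", "alice", "Alice Admin"), (2, "staff", "bob", "Bob Builder")],
    )
    return conn


def login_concat(conn: sqlite3.Connection, username: str) -> Optional[Tuple]:
    """What the reviewer should flag: user input pasted into the SQL text.
    With PAYLOAD the WHERE clause becomes  username='x' or 1=1 limit 0,1-- '  and the
    closing quote is commented out, so the first row is returned for any input."""
    sql = f"SELECT id,user_group,full_name FROM users WHERE username='{username}'"
    return conn.execute(sql).fetchone()


def login_param(conn: sqlite3.Connection, username: str) -> Optional[Tuple]:
    """The fix: the value travels as a bound parameter and is never parsed as SQL."""
    sql = "SELECT id,user_group,full_name FROM users WHERE username=?"
    return conn.execute(sql, (username,)).fetchone()


if __name__ == "__main__":
    conn = make_db()
    print("concatenated :", login_concat(conn, PAYLOAD))   # a row, although no such user exists
    print("parameterised:", login_param(conn, PAYLOAD))    # None
    print("legitimate   :", login_param(conn, "bob"))
```

For a grep-based pass this is the easiest class of bug to hunt: any line that builds a query with string concatenation or formatting on user-controlled data is a hotspot, regardless of what the database eventually does with it.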
How to
• Code review methods vary a lot
  – highly dependent on the depth of the analysis
• Broad categories with different names depending on the author
  – Formal code review
  – Lightweight code review
How to
• Formal code review
  – line by line
  – multiple reviewers
  – group review
  – printed copies
• Finds hard-to-find problems
• Time-consuming
How to
• Lightweight code review
  – shallow analysis
  – pattern-based analysis
  – grep-based
  – reviewing only critical functions
• Prone to miss some problems
• Less time-consuming
• Good to easily find certain classes of vulnerabilities
How to
• Review can be done
  – manually
  – automatically
  – using both approaches
• Using both approaches
  – automatically find hotspots with pattern matching
  – manually review those areas
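The combined approach above (pattern matching to find hotspots, humans to read them) is easy to bootstrap. Here is an added example, not the team's tooling and not part of the presentation: a grep-style scanner with a handful of shallow patterns, plus a helper that turns each hit into a reviewer-facing queue item with the surrounding lines. The patterns and the two PHP files it is run on are constructed; a real pass would grow the pattern list per language and project.

```python
"""Added example: lightweight, pattern-based hotspot finding feeding a manual review queue."""
import re
from typing import Dict, List, Tuple

# (label, regex) pairs: deliberately shallow, meant to over-report rather than miss.
HOTSPOT_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("sql-concat",   re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b.*['\"]\s*[.+]\s*\$?\w+", re.I)),
    ("shell-exec",   re.compile(r"\b(system|exec|shell_exec|passthru|popen)\s*\(")),
    ("eval",         re.compile(r"\beval\s*\(")),
    ("file-include", re.compile(r"\b(include|require)(_once)?\s*\(?\s*\$")),
    ("weak-hash",    re.compile(r"\b(md5|sha1)\s*\(")),
]

# Constructed sample sources: one file with the slide's style of query, one clean helper.
SAMPLE_SOURCES: Dict[str, str] = {
    "login.php": (
        "<?php\n"
        "$user = $_GET['username'];\n"
        "$sql = \"SELECT id,group,full_name FROM users WHERE username='\" . $user . \"'\";\n"
        "$row = mysql_fetch_assoc(mysql_query($sql));\n"
        "$hash = md5($_POST['password']);\n"
    ),
    "util.php": (
        "<?php\n"
        "function safe_lookup($db, $user) {\n"
        "    $stmt = $db->prepare(\"SELECT id FROM users WHERE username = ?\");\n"
        "    return $stmt->execute([$user]);\n"
        "}\n"
        "$out = shell_exec(\"ls \" . $dir);\n"
    ),
}


def find_hotspots(sources: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    """Return (file, line number, label, stripped line) for every line matching a pattern."""
    hits = []
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for label, pattern in HOTSPOT_PATTERNS:
                if pattern.search(line):
                    hits.append((path, lineno, label, line.strip()))
    return hits


def review_queue(sources: Dict[str, str], context: int = 1) -> List[str]:
    """Turn hits into items a reviewer can work through: file:line [label] + nearby lines."""
    lines_by_file = {path: text.splitlines() for path, text in sources.items()}
    items = []
    for path, lineno, label, _ in find_hotspots(sources):
        lines = lines_by_file[path]
        lo, hi = max(0, lineno - 1 - context), min(len(lines), lineno + context)
        snippet = "\n".join(f"{n + 1:4d}  {lines[n]}" for n in range(lo, hi))
        items.append(f"{path}:{lineno} [{label}]\n{snippet}")
    return items


if __name__ == "__main__":
    for item in review_queue(SAMPLE_SOURCES):
        print(item, end="\n\n")
```

Note what the scanner does not do: the prepared statement in util.php is not reported, and the flagged `md5(` line may turn out to be harmless. That is the trade-off the slides describe: cheap and prone to miss or over-report, so the human pass over the queue is the part that decides.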
How to
• Combining approaches
  – milestone
    • mandatory review and approval before going to production
  – a posteriori
    • detection vs prevention
  – sampling
    • review just some code, chosen by
      – keyword
      – committer
      – project
How to
• Basic rules for code review to work
• 1st rule: the reviewer must not be the one who wrote the code
  – if we could find bugs in our code we would be able to avoid them
  – biased analysis
  – the reviewer will have a different and unbiased perspective
  – the reviewer should be from a different project
• 2nd rule: the reviewer should understand the language being reviewed
• 3rd rule: focus on the objective: security, performance, feature, etc., but not on everything
More motivation
• How to motivate the reviewers?
• Just saying "you must do code review" will not work
  – developers have more interesting stuff to do
  – developers have more stuff to do
  – developers have deadlines and code review is easily not taken into consideration (1st to drop)
  – developers don't like others' code
  – what to review?
How to
• What to review is a big question
  – don't let the developer choose what to review arbitrarily
• Assign "reviews" to reviewers
  – use a tool to manage what is assigned to each reviewer
  – each reviewer has a queue of reviews to be done
  – for instance, single commits
• Ensures
  – coverage - all code is reviewed
  – responsibility - the developer has something publicly assigned to him
  – deliverables - audit evidence; increases motivation to review
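The assignment mechanism above, the 1st rule (reviewer is never the author, preferably from another project) and the sampling-by-keyword idea from the "Combining approaches" slide fit in one small routine. Here is an added example, not the team's tooling and not part of the presentation: commits are routed to reviewer queues, commits whose message matches a security keyword are steered to a security reviewer, and queues are balanced by length. The reviewers, projects, commits and keyword list are constructed.

```python
"""Added example: per-commit review assignment honouring the 1st rule and keyword sampling."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed keyword list for sampling: these commits must reach a security reviewer.
SECURITY_KEYWORDS = ("auth", "password", "session", "crypto", "sql", "token")


@dataclass
class Commit:
    sha: str
    author: str
    project: str
    message: str


@dataclass
class Reviewer:
    name: str
    project: str
    security: bool = False
    queue: List[str] = field(default_factory=list)   # shas waiting for this reviewer


def needs_security_review(commit: Commit) -> bool:
    """Sampling by keyword: does the commit message touch a sensitive area?"""
    msg = commit.message.lower()
    return any(k in msg for k in SECURITY_KEYWORDS)


def pick_reviewer(commit: Commit, reviewers: List[Reviewer]) -> Optional[Reviewer]:
    """1st rule: exclude the author; steer security commits to a security reviewer;
    prefer another project; then balance by queue length."""
    candidates = [r for r in reviewers if r.name != commit.author]
    if needs_security_review(commit):
        security = [r for r in candidates if r.security]
        if security:
            candidates = security
    other_project = [r for r in candidates if r.project != commit.project]
    pool = other_project or candidates
    if not pool:
        return None                      # nobody eligible: surface it, never self-review
    return min(pool, key=lambda r: len(r.queue))


def assign_all(commits: List[Commit], reviewers: List[Reviewer]) -> Dict[str, Optional[str]]:
    """Assign every commit, filling queues as it goes so later commits spread out."""
    assignment: Dict[str, Optional[str]] = {}
    for commit in commits:
        reviewer = pick_reviewer(commit, reviewers)
        assignment[commit.sha] = reviewer.name if reviewer else None
        if reviewer:
            reviewer.queue.append(commit.sha)
    return assignment


def make_reviewers() -> List[Reviewer]:
    """Constructed team: two web developers (one doing security) and one mobile developer."""
    return [Reviewer("alice", "web", security=True), Reviewer("bob", "web"), Reviewer("carol", "mobile")]


SAMPLE_COMMITS = [   # constructed
    Commit("c1", "bob",   "web",    "Fix login password check"),
    Commit("c2", "alice", "web",    "Refactor stylesheet"),
    Commit("c3", "carol", "mobile", "Update session token handling"),
    Commit("c4", "bob",   "web",    "Rename variables in template"),
    Commit("c5", "alice", "web",    "Bump version number"),
    Commit("c6", "carol", "mobile", "Fix layout on tablets"),
]

if __name__ == "__main__":
    team = make_reviewers()
    for sha, who in assign_all(SAMPLE_COMMITS, team).items():
        print(f"{sha} -> {who}")
    for r in team:
        print(f"{r.name}: queue {r.queue}")
```

Each commit ends up in exactly one named queue, which is what gives the coverage, responsibility and audit-evidence properties the slide lists; a tool such as Phabricator's assignment rules plays the same role in practice.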
How to
• Even with task assignment the reviewer might let the work pile up
  – it's like documentation: the application will work fine without it
• This will happen if the review is done individually and at their usual sitting place
  – gather developers
• Book a meeting room
• Get the developers there
Tools
• Supporting software
  – Phabricator
    • repository integration
    • assignment rules
    • issue tracking
    • pre and post commit hooking
• Gerrit
  – pre-commit only
  – Git only
• Phabricator
  – pre-commit
  – post-commit
  – Subversion, Git, Mercurial
• Security Lib – less code to review
• Watch Commits
• Do not confuse code review with other mechanisms
  – static analysis
  – dynamic analysis
• These lack human intelligence
  – but do not get tired
Problems
• A Portuguese company working in mission-critical systems used (uses?) the following approach
  – developers get a printed A4 page with code
  – they also get a 5/6-item checklist
  – 15 min meeting the next morning to discuss the checklist issues
  – repeat every day
  – Scrum-like methodology
• Problems with this approach?
  – Feels like homework
    • might review at work but subject to the usual constraints
  – Context
    • calls to functions outside the printed code
    • classes/objects defined elsewhere
    • inclusion of files and configurations
• Limitations
  – variables, objects and functions defined outside
  – configuration-dependent execution
  – scope limitation
Is code review the solution?
• Is code review the solution?
  – No.
  – But it is a good complement
    • detects vulnerabilities hard to find using blackbox approaches
    • detects potential problems, before they are exploitable
More
• Other presentations
  – slideshare.net/tiagomendo
  – slideshare.net/nuno.loureiro
  – AP2SI - facebook.com/ap2si
  – OWASP - owasp.org

Questions?
tiago.mendo@telecom.pt
@tmendo

apidays New York 2023 - Putting yourself out there - how to secure your publi...
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Security
 

Último

Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identityteam-WIBU
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Mater
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
How To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTROHow To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTROmotivationalword821
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprisepreethippts
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...confluent
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Developmentvyaparkranti
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING  RIVER  WATER QUALITY  ppt presentationPREDICTING  RIVER  WATER QUALITY  ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentationvaddepallysandeep122
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationBradBedford3
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceBrainSell Technologies
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作qr0udbr0
 

Último (20)

Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identity
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
How To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTROHow To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTRO
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Development
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING  RIVER  WATER QUALITY  ppt presentationPREDICTING  RIVER  WATER QUALITY  ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentation
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion Application
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 

Is code review the solution?

  • 1. Is Code Review the Solution? Version 1.1 - 28/10/2014 Confraria da Segurança da Informação
  • 2. Outline SAPO Websecurity Team • What is code review • Motivation • Open-Source • How to • Tools • Problems
  • 3. About me • Security Engineer at Portugal Telecom since 2004 – honeypots, traffic analysis, internal security • At SAPO since 2010 – pentesting of web applications, iOS, Android, IPTV – all-terrain security consultant • Trainer of Linux and network security courses at Citeforma • Speaker at security events like Codebits, Just4Meeting, Security Meeting, ISEL Tech, Create Tech, Confraria da Segurança da Informação and BSides Lisbon • Holds an MSc in Information Technology/Information Security from Carnegie Mellon and CISSP
  • 4. What is code review • Code • Firefox - 5 million LOC (Lines of Code) • MySQL - 12 million LOC • Debian 5 - 66 million LOC • Windows Server 2003 - 50 million LOC
  • 5. What is code review • Review • “formal assessment of something with the intention of instituting change if necessary”
  • 6. What is code review • Code review is the analysis of source code in order to find defects – security, performance, functional, etc. – early detection – complements scanners and other tools
  • 18. Motivation • Compliance • PCI-DSS - Payment Card Industry Data Security Standard • since 2005 • version 3.0 • Requirement 6.3.2 • “Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) … “
  • 19. Open-Source • A requirement for code review is to have access to the source code • Open-Source Software (OSS) makes its source code available for anyone (to review) • Therefore, OSS is better because it's reviewed by the whole world • is it?
  • 21. Open-Source • Not all OSS is thoroughly reviewed, but…
  • 22. Open-Source • Not all OSS is thoroughly reviewed, but… • In 2011, a vulnerability that allowed backup decryption was found
  • 25. Open-Source • Found “by someone who was reading the Tarsnap source code purely of curiosity” • Led to a bug bounty for security problems • “I'm a great fan of curiosity, but I've also learned that money can help to encourage curiosity.“
  • 27. Open-Source • Apple “goto fail” • CVE-2014-1266 - “attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS” • Affected iOS and OS X • http://pi5.20.sl.pt
  • 28. Open-Source • Apple “goto fail”
  • 30. Open-Source • Likely found by code review • “A test case could have caught this, but it's difficult because it's so deep into the handshake.” • “Code review can be effective against these sorts of bug.”
  • 31. Open-Source • In 2011, a Ph.D student pushed a commit to OpenSSL that implemented the Heartbeat extension • Reviewed by one of OpenSSL’s four core developers • code in C • the problem was not detected
  • 39. Open-Source • Heartbleed • CVE-2014-0160 - Allows reading of random data from the process memory • Affected OpenSSL - used by many exposed services such as www and mail • http://pi5.5l.sl.pt
  • 40. Open-Source • Should have been detected with code review • http://pi5.fp.sl.pt
  • 41. Open-Source • SQL injection
  • 43. Open-Source • SQL injection • http://vuln.example/login?username=x’ or 1=1 limit 0,1--%20 • SELECT id,group,full_name FROM users WHERE username=’x’ or 1=1 limit 0,1--
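The login query on slide 43 is the kind of defect a reviewer is expected to catch by reading the code: the username is pasted into the SQL text, so the string from the slide's URL turns the WHERE clause into `username='x' or 1=1 limit 0,1-- '` and returns the first user regardless of credentials. The following is an added example, not code from the slides, that reproduces the slide's query against a constructed in-memory SQLite table (column and user names are made up for the demo) and places the concatenating version beside the parameterised one a reviewer would ask for.

```python
import sqlite3

# Constructed sample data for the demo; not taken from the slides.
SAMPLE_USERS = [
    (1, "admin", "Alice Admin", "alice", "hash-of-alice-pw"),
    (2, "users", "Bob User", "bob", "hash-of-bob-pw"),
]

# The value from the slide's URL after decoding (%20 becomes the trailing space).
SLIDE_PAYLOAD = "x' or 1=1 limit 0,1-- "


def build_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    # "group" is a reserved word, so it is quoted; the slide's column list is kept otherwise.
    conn.execute(
        'CREATE TABLE users (id INTEGER PRIMARY KEY, "group" TEXT, '
        "full_name TEXT, username TEXT, password_hash TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """The pattern a reviewer should flag: the query text is built by concatenation,
    so whatever the client sent is parsed as SQL (quotes, OR, LIMIT, comments)."""
    sql = "SELECT id,\"group\",full_name FROM users WHERE username='" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Same query with a bound parameter: the driver passes the value to the engine
    separately, so it can never change the statement's structure."""
    sql = 'SELECT id,"group",full_name FROM users WHERE username=?'
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("concatenated:", lookup_vulnerable(db, SLIDE_PAYLOAD))  # first user returned
    print("parameterised:", lookup_safe(db, SLIDE_PAYLOAD))       # no such username
```

Running it shows the concatenated query handing back the admin row for a username that does not exist, while the parameterised query returns nothing; for a legitimate username both return the same row, which is why the fix is safe to apply everywhere a reviewer finds the concatenation pattern.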
  • 44. How to • Code review methods vary a lot • highly dependent on the depth of the analysis • Broad categories with different names depending on the author • Formal code review • Lightweight code review
  • 45. How to • Formal code review • line by line • multiple reviewers • group review • printed copies • Finds hard-to-find problems • Time consuming
  • 46. How to • Lightweight code review • shallow analysis • pattern-based analysis • grep based • reviewing only critical functions • Prone to miss some problems • Less time consuming • Good to easily find certain classes of vulnerabilities
  • 47. How to • Review can be done • manually • automatically • using both approaches • Using both approaches • automatically find hotspots with pattern matching • manually review those areas
  • 48. How to • Combining approaches • milestone • mandatory review and approval before going to production • a posteriori • detection vs prevention • sampling • review just some code, chosen by • keyword • committer • project
  • 49. How to • Basic rules for code review to work • 1st rule: the reviewer must not be the one who wrote the code • if we could find bugs in our code we would be able to avoid them • biased analysis • the reviewer will have a different and unbiased perspective • the reviewer should be from a different project
  • 50. How to • 2nd rule: the reviewer should understand the language being reviewed
  • 51. How to • 3rd rule: focus on the objective: security, performance, feature, etc., but not on everything
  • 52. More motivation • How to motivate the reviewers?
  • 53. More motivation • Just saying “you must do code review” will not work • developers have more interesting stuff to do • developers have more stuff to do • developers have deadlines and code review is easily not taken into consideration (1st to drop) • developers don’t like others' code • what to review?
  • 54. How to • What to review is a big question • don’t let the developer choose what to review arbitrarily • Assign “reviews” to reviewers • use a tool to manage what is assigned to each reviewer • each reviewer has a queue of reviews to be done
  • 55. How to • Assign “reviews” to reviewers • for instance, single commits • Ensures • coverage - all code is reviewed • responsibility - the developer has something publicly assigned to him • deliverables - audit evidence; increases motivation to review
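Slides 47 and 48 describe finding hotspots automatically with pattern matching (sampling by keyword) and then reviewing those areas by hand, and slides 49, 54 and 55 describe assigning single commits to reviewers' queues with the rule that the author never reviews their own code. The block below is an added example, not code from the slides or from any tool named in them, that joins those two steps: a grep-style pass over a few constructed commits, and a round-robin assignment of every flagged commit to a reviewer other than its author. The patterns, commit ids, file names and reviewer names are all made up for the demonstration; the `heartbeat.c` snippet only mimics the shape of the Heartbleed `memcpy` and is not the OpenSSL source.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Keyword patterns a lightweight (grep-based) pass uses to pick hotspots.
# Illustrative set; a team tunes it to the languages and libraries it actually uses.
HOTSPOT_PATTERNS = {
    "sql-concat": re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b.*['\"]\s*[.+]\s*\$?\w+", re.I),
    "unsafe-copy": re.compile(r"\b(strcpy|strcat|sprintf|gets)\s*\("),
    "raw-memcpy": re.compile(r"\bmemcpy\s*\("),
    "shell-exec": re.compile(r"\b(system|popen|shell_exec|passthru)\s*\("),
}


@dataclass
class Commit:
    sha: str
    author: str
    files: Dict[str, str]  # path -> file contents after the commit


# Constructed commits standing in for a repository feed (not real project code).
SAMPLE_COMMITS = [
    Commit("c0ffee01", "alice", {
        "login.php": "<?php\n"
                     "$q = \"SELECT id,group,full_name FROM users WHERE username='\" . $user . \"'\";\n"
                     "$r = mysql_query($q);\n",
    }),
    Commit("c0ffee02", "bob", {
        "heartbeat.c": "/* copies a peer-supplied length without checking it against the record */\n"
                       "memcpy(bp, pl, payload);\n",
    }),
    Commit("c0ffee03", "carol", {
        "util.py": "def add(a, b):\n    return a + b\n",
    }),
]

Finding = Tuple[str, int, str, str]  # (path, line number, pattern tag, source line)


def find_hotspots(commit: Commit) -> List[Finding]:
    """Grep-style pass: every line of the commit that matches a hotspot pattern."""
    findings = []
    for path, text in commit.files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for tag, pattern in HOTSPOT_PATTERNS.items():
                if pattern.search(line):
                    findings.append((path, lineno, tag, line.strip()))
    return findings


def assign_reviews(commits: List[Commit], reviewers: List[str]) -> Dict[str, List[str]]:
    """Queue each flagged commit to a reviewer, round-robin, never to its own author
    (slide 49's first rule). Commits with no hotspot are sampled out of manual review."""
    queues: Dict[str, List[str]] = {r: [] for r in reviewers}
    cursor = 0
    for commit in commits:
        if not find_hotspots(commit):
            continue
        if all(r == commit.author for r in reviewers):
            raise ValueError(f"no eligible reviewer for {commit.sha} (author {commit.author})")
        # advance past the author so the next free reviewer in the rotation gets it
        while reviewers[cursor % len(reviewers)] == commit.author:
            cursor += 1
        reviewer = reviewers[cursor % len(reviewers)]
        cursor += 1
        queues[reviewer].append(commit.sha)
    return queues


if __name__ == "__main__":
    for c in SAMPLE_COMMITS:
        for path, lineno, tag, line in find_hotspots(c):
            print(f"{c.sha} {path}:{lineno} [{tag}] {line}")
    print(assign_reviews(SAMPLE_COMMITS, ["alice", "bob", "carol"]))
```

The output lists the concatenated SELECT in `login.php` and the unchecked `memcpy` in `heartbeat.c` as hotspots, leaves `util.py` unflagged, and queues the first commit to bob and the second to carol because alice and bob authored them. Each queue entry is the deliverable slide 55 asks for: a commit id publicly assigned to a named reviewer, which doubles as audit evidence once the review is recorded.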
  • 56. How to • Even with task assignment the reviewer might let the work pile up • it's like documentation: the application will work fine without it • This will happen if the review is done individually and in their usual sitting place • gather developers
  • 57. How to • Book a meeting room • Get the developers there
  • 58. Tools • Supporting software • Phabricator • repository integration • assignment rules • issue tracking • pre and post commit hooking
  • 59. Tools • Phabricator
  • 60. Tools • Phabricator
  • 61. Tools • Gerrit
  • 62. Tools • Gerrit • pre-commit only • Git only • Phabricator • pre-commit • post-commit • Subversion, Git, Mercurial
  • 63. Tools • Security Lib – less code to review
  • 64. Tools • Watch Commits
  • 65. Tools • Do not confuse code review with other mechanisms • static analysis • dynamic analysis • These lack human intelligence • but do not get tired
  • 66. Problems • A Portuguese company working in mission-critical systems used (uses?) the following approach • developers get a printed A4 page with code • they also get a 5/6 item checklist • 15 min meeting the next morning to discuss the checklist issues • repeat every day • Scrum-like methodology
  • 67. Problems • Problems with this approach? • Feels like homework • might review at work but subject to the usual constraints • Context • calls to functions outside the printed code • classes/objects defined elsewhere • inclusion of files and configurations
  • 69. Problems • Limitations • variables, objects and functions defined outside • configuration-dependent execution • scope limitation
  • 70. Is code review the solution? • Is code review the solution?
  • 71. Is code review the solution? • Is code review the solution? • No. • But it is a good complement • detects vulnerabilities hard to find using blackbox approaches • detects potential problems, before they are exploitable
  • 72. More • Other presentations – slideshare.net/tiagomendo – slideshare.net/nuno.loureiro – AP2SI - facebook.com/ap2si – OWASP - owasp.org