Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Points Methodology To Get...

Copyright 2007 © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org

Security Code ReviewsDoes Your Code Need an Open Heart Surgery?6-Points Strategy to Get Your Application in Security Shape

Sherif KoussaOWASP Ottawa Chapter LeaderStatic Analysis Tools Evaluation Criteria Project LeaderApplication Security Specialist - Software Secured

Saturday, 13 April, 13

OWASP 2

2

Softwar S cur2007

2008

2011Static Analysis Code Evaluation CriteriaProject Lead

Steering Committee MemberGSSP-Java, GSSP-NetDEV-541, DEV0544, SEC540

OWASP Chapter LeaderWebGoat 5.0 Developer

Bio


OWASP

The 6 Points Strategy to Get Your Applications Back in Top Security Shape...

3


OWASP

1. DRASTIC CHANGES NEED DRASTIC MEASURES!Get to the bottom of things quickly!

4


OWASP 5

Steps:

Open Heart Surgery


Step 1: Sawing Through the Sternum

Step 2: Working on the Heart

Step 3: Putting the Sternum Back Together

Step 4: Stitching Up the Skin

OWASP 5

Steps:

Open Heart Surgery






OWASP 5

Steps:

Open Heart Surgery






OWASP 5

Steps:

Open Heart Surgery

Causes:






OWASP 5

Steps:

Open Heart Surgery

Repair or replace heart valves, which control blood flow through the heart

Repair abnormal or damaged structures in the heart

Implant medical devices that help control the heartbeat or support heart function and blood flow

Replace a damaged heart with a healthy heart from a donor

Causes:


OWASP

6

Open Code Surgery (AKA Code Review)


OWASP

6


Why Security Code Reviews:


OWASP

6


Why Security Code Reviews:

Effectiveness of Security Controls Against Known ThreatsTesting All Application Execution PathsFind All Instances of a Certain VulnerabilityThe Only Way to Find Certain Types of VulnerabilitiesEffective Remediation Instructions


OWASP

Code Review Types

Peer Security Code Review: peer code reviews combined with secure coding best practices.Automatic Security Code Review: running a static code analysis tool.Modular Review: pure manual code review line by line.Ad-hoc Security Code Review: security done on selected modules of the application.Source-Code Driven Code Review: Full code review process combined with penetration testing.

7


OWASP

Code Review Types

Peer Security Code Review: peer code reviews combined with secure coding best practices.Automatic Security Code Review: running a static code analysis tool.Modular Review: pure manual code review line by line.Ad-hoc Security Code Review: security done on selected modules of the application.Source-Code Driven Code Review: Full code review process combined with penetration testing.

7


OWASP

2. COVER THE BASICS FIRSTDon’t run before you can walk!

8


OWASP

OWASP Top 10 - 2010

9

OWASP Top 10 - 2013

A1. Injection

A2. Cross-Site Scripting

A3. Broken Authentication and Session Management

A4. Insecure Direct Object References

A5. Cross-Site Request Forgery

A6. Security Misconfiguration

A7. Insecure Cryptographic Storage

A9. Insufficient Transport Layer Protection

A8. Failure to Restrict URL Access

A10. Unvalidated Redirects and Forwards

2010 Modified New


OWASP

OWASP Top 10 - 2010

9

OWASP Top 10 - 2013

A1. Injection










A1. Injection




A6. Sensitive Data Exposure


A7. Missing Function Level Access Control

A9. Using Known Vulnerable Components



2010 Modified New


OWASP

OWASP Top 10 - 2010

9

OWASP Top 10 - 2013

A1. Injection










A1. Injection










2010 Modified New


OWASP 10

OWASP Top 10 - 2013A1. Injection










Veracode Report - 2011

A3

A6

A3

A6

A4

A1

A1

A3 ...

A2

A9

2010 Modified New

A9


OWASP 11

OWASP Top 10 - 2013Trustwave Report - 2013










A7

A10

A4

A1

A8

A4

A3

A9

A1. Injection

A1

2010 Modified New


OWASP 12

OWASP Top 10 - 2013Whitehat Report - 2012










A1. InjectionA3

A6

A7

A1

A7

A2

A4

A7A4

A4

A2

A3

2010 Modified New


OWASP 13

3.FOCUS ON WHAT MATTERSReally...focus on what matters!


OWASP

Effective Security Code Review Process

Reconnaissance: Understand the applicationThreat Assessment: Enumerate inputs, threats and attack surfaceAutomation: Low hanging fruitsManual Review: High-risk modulesConfirmation & PoC: Confirm high-risk vulnerabilities.Reporting: Communicate back to the development team

14


OWASP 15

Reconnaissance!

Threat Assessment!

Automation!

Manual Review!

Confirmation & PoC!

Reporting!

Checklist!

Tools!

Security Skills!

Effe

ctiv

e Se

curi

ty

Cod

e R

evie

w P

roce

ss


OWASP

Reconnaissance What REALLY Matters?

Business Walkthrough: will get you right to the assets and the core business goal

Technical Walkthrough: will get you right to the vulnerabilities

Roles: better understand the application and attack surface

16

Reconnaissance!

Threat Assessment!

Automation!

Manual Review!

Confirmation & PoC!

Reporting!

Checklist!

Tools!

Security Skills!


OWASP

Threat & Risk Modeling What REALLY Matters?

A library of Vulnerabilities/ThreatsIndustry basedRisk Based

Thorough Understanding of Assets

17

Attack Library

Assets

Vuln

erab

le C

ode

Reconnaissance!

Threat Assessment!

Automation!

Manual Review!

Confirmation & PoC!

Reporting!

Checklist!

Tools!

Security Skills!


OWASP

Automation:What REALLY Matters - Fitted ToolStatic Analysis Tools Evaluation Criteria

Deployment ModelTechnology SupportScan, Command and Control SupportProduct Signature UpdateTriage and Remediation SupportReporting CapabilitiesEnterprise Level Support

Find more at http://projects.webappsec.org/w/page/41188978/Static Analysis Tools Evaluation Criteria

18

Reconnaissance!

Threat Assessment!

Automation!

Manual Review!

Confirmation & PoC!

Reporting!

Checklist!

Tools!

Security Skills!


http://projects.webappsec.org/w/page/41188978/Static%20Analysis%20Tool%20Evaluation%20Criteria




OWASP

Automation:What REALLY Matters - 3rd Party Libs

3rd Party Libraries Discovery.DependencyCheck (https://github.com/jeremylong/DependencyCheck)

19

Reconnaissance!

Threat Assessment!

Automation!

Manual Review!

Confirmation & PoC!

Reporting!

Checklist!

Tools!

Security Skills!


https://github.com/jeremylong/DependencyCheck

https://github.com/jeremylong/DependencyCheck

OWASP 20

4. GET YOUR HANDS DIRTY!No pain...no gain...


OWASP

What Needs Manual Review?This REALLY Matters!

Authentication & Authorization ControlsEncryption ModulesFile Upload and Download OperationsValidation Controls\Input FiltersSecurity-Sensitive Application Logic

21

Reconnaissance!

Threat Assessment!

Automation!

Manual Review!

Confirmation & PoC!

Reporting!

Checklist!

Tools!

Security Skills!


OWASP

Authentication and Authorization Controls

22


OWASP


22


OWASP


22

WebMethods Don’t Follow Regular ASP.net Page Lifecycle


OWASP 23Encr

ypti

on M

odul

es


OWASP 23Encr

ypti

on M

odul

es


OWASP 23Encr

ypti

on M

odul

es


OWASP 23Encr

ypti

on M

odul

es

There is a possibility of returning empty hashes on error


OWASP 24

Secu

rity

Con

trol

s


OWASP 24

Secu

rity

Con

trol

s


OWASP 24

Secu

rity

Con

trol

s


OWASP 24

Secu

rity

Con

trol

s


OWASP 24

Secu

rity

Con

trol

s

Directory traversal is possible on post-back.


OWASP 25

5. GET YOUR B-17 FIX!Gain strategic advantage over the attackers...


Checklists Advances Technology

OWASP

Aviation: Model 299-1934: “Too much airplane for one man to fly”.

B-17 plane (Model 299 Successor) gave the U.S. major strategic advantage in WWII

Intensive Care Units: Usage of checklists brought down infection rates in Michigan by 66%

26


OWASP

Resources To Conduct Your Checklist

NIST Checklist Project http://checklists.nist.gov/

Mozilla’s Secure Coding QA Checklist https://wiki.mozilla.org/WebAppSec/Secure_Coding_QA_Checklist

Oracle’s Secure Coding Checklist - http://www.oracle.com/technetwork/java/seccodeguide-139067.html

MSDN Managed Code Checklist http://msdn.microsoft.com/en-us/library/ff648189.aspx

27


http://checklists.nist.gov/




https://wiki.mozilla.org/WebAppSec/Secure_Coding_QA_Checklist








http://msdn.microsoft.com/en-us/library/ff648189.aspx


OWASP 28

6. FINISH STRONG!Flex your communications muscles!


OWASP

Reporting

Weakness MetadataThorough DescriptionRecommendationAssign Appropriate Priority

29

SQL Injection:

Location: \source\ACMEPortal\updateinfo.aspx.cs:

Description: The code below is build dynamic sql statement using unvalidated data (i.e. name) which can lead to SQL Injection

51 SqlDataAdapter myCommand = new SqlDataAdapter( 52 "SELECT au_lname, au_fname FROM author WHERE au_id = '" + 53 SSN.Text + "'", myConnection);

Priority: High

Recommendation: Use parameterized SQL instead of dynamic concatenation, refer to http://msdn.microsoft.com/en-us/library/ff648339.aspx for details.

Owner: John Smith

Reconnaissance!

Threat Assessment!

Automation!

Manual Review!

Confirmation & PoC!

Reporting!

Checklist!

Tools!

Security Skills!






OWASP

The 6-Points Strategy...

1.Drastic Changes Requires Drastic Measures.2.Cover The Basics First.3.Focus on What Matters.4.Get Your Hands Dirty.5.Get Your B-17 Fix.6.Finish Strong.

30


OWASP

QUESTIONS?

31

[email protected]@softwaresecured.com


mailto:[email protected]




Date post:	07-Nov-2014
Category:	Technology
Upload:	sherif-koussa
View:	747 times
Download:	0 times