8/2/2019 GME Code Review Approach
1. About Green Method
2. Industry Credentials
3. Green Method Services
4. Green Method Approach
5. Examples
About Green Method
FZE company based out of the UAE, invested in by an experienced information security organization, SecurEyes.
All projects delivered by expert consultants with experience ranging from 3 to 15 years.
Resource center in India (SecurEyes) housing about 30 information security consultants.
Green Method is a co-invested partner of SecurEyes, India. SecurEyes acts as the technology and resource hub for all the MENA and Indian operations. SecurEyes specializes in information security services delivery. Founded in 2004, SecurEyes comprises a group of dedicated information security professionals from different domains. SecurEyes is based in Bangalore and has delivered several information security projects in India, the Middle East, Africa and the United States of America.
Industry Credentials
Our Consultants have:
Vast experience in providing information security consulting services for large banks, telecom and government organizations in the Middle East and Africa region.
Conducted end-to-end risk assessments for multiple multinational banks across the globe.
Audited 500+ business-critical applications.
Trained over 3000 software developers on secure coding practices.
Empanelled by CERT-In, Ministry of Communications & Information Technology, Government of India, as IT Security Auditors.
Actively involved in R&D activities and have spoken at well-known security conferences.
Developed in-house security tools in collaboration with Foundstone (HacmeBank version 1 has seen more than a million downloads).
Actively involved in web-based malware research activities to identify, detect and clean malware from websites. Have developed proprietary tools to continuously monitor the websites of our customers.
Green Method Services
Governance
IT Strategy Development
IT Governance Design
IT Strategy Planning
Enterprise IT Architecture Development
Enterprise Performance Management
Balanced Score Card Implementation
Risk Management
Business Continuity Management
Information Security Risk Management
Disaster Recovery Planning
Ethical Hacking
ERP / Applications Business Control Audit
VOIP Risk Assessment
GSM Risk Assessment
Compliance
ISO 27001 based ISMS build and accreditation assistance
ISO 20000 based ITSM system build and accreditation assistance
BS 25999 based BCMS system build and accreditation assistance
Payment Card Industry Data Security Standards (PCI-DSS) Compliance Facilitation
Sample Projects:
ISMS
Application Audit
VA & PT
Secure Code Review
IT Strategy Development
IT Governance Framework Design
Balanced Score Card Implementation
Performance Measurement
Enterprise Risk Assessments
Client Domains
Banking & Finance
Multi Business Conglomerates
Retail
IT Companies
Government
A few of Our Clients
Green Method Approach
Application Understanding & Architecture Analysis
Application Threat Profiling
Application Code Review
Report Documentation
Confirmation Review
Industry Best Practices and Standards Compliance: OWASP, ISECOM
Application Understanding & Architecture Analysis
Gain thorough application understanding using:
Available documentation
Application walk through
Development team interviews etc.
Learn the application architecture through:
Available documentation
Meeting / Discussions with developers
Develop understanding of the different component modules in the application along with their dependencies
Study all application interfaces
Study custom communication protocols if any
Application Threat Profiling
Threat profiling: listing the threats the application may be exposed to
Mapping threats to different modules
Develop a module-wise test plan for code review
Prioritizing: critical application modules, interface layers
Application Code Review
Manual review of the application code
Identification of insecure coding issues
Discovering and categorizing replicated vulnerable code throughout the application
Carrying out exploit simulation for vulnerabilities found in manual code review
Documenting vulnerable code snippets
Code Review - Sample Areas
1 Authentication: password complexity, susceptibility to brute forcing, account lockout on incorrect login attempts, user name harvesting, stealing of passwords locally, login error messages, password policy, SQL injection, etc.
2 Authorization: insecure session management, secure cookie use, caching, user tracking logic, susceptibility to session hijacking / session replay attacks.
3 Information Leakage: review HTML page source code for revision history, developer comments, e-mail addresses, internal host information, hidden form fields, error messages.
4 Field Variable Control: buffer overflow, SQL injection, cross-site scripting, system calls, URL re-writing.
5 Session Time-out and Log-out: cookie invalidation, whether multiple logins are allowed for a single user, reusing older credentials to gain access, secure logout mechanism, session fixation, session riding.
Code Review Sample
Technical Risks Covered
Input data validation
SQL injection
XSS attacks
Authentication & authorization of users
Improper session management
Improper error handling
Weak cryptography implementation
Insecure configuration management
Improper handling of sensitive data
Hard-coded secrets
Weak auditing & logging mechanisms
Insecure developer comments
Code Review Sample Specific Checks
Input data validation
Server side validations for SQL injection, XSS, business rules, etc
Data type, length & format checking
White list validation
Sanitization
Authentication
CAPTCHA / account lockout
Use of salted one way hash
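An added illustration of the checks listed above and in the Sample Areas / Technical Risks lists (this is not Green Method's own code): a login lookup that a reviewer would flag, beside the form that passes the checks. Table, user and password are constructed sample data in an in-memory SQLite database.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# White-list validation: data type, length and format of the user name.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def hash_password(password, salt=b""):
    """Salted one-way hash (PBKDF2-HMAC-SHA256); a fresh salt if none given."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_db():
    """Constructed sample table: one user, password kept only as salt + hash."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt, digest = hash_password("correct horse")
    db.execute("INSERT INTO users VALUES (?, ?, ?)", ("alice", salt, digest))
    db.commit()
    return db


def login_insecure(db, name, password):
    """Review findings: SQL built by string concatenation (SQL injection), no
    input validation, and the password is never checked at all."""
    row = db.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchone()
    return row is not None


def login_secure(db, name, password):
    """Passes the checks: white-list validation at the boundary, parameterised
    query, salted hash recomputed and compared in constant time."""
    if not USERNAME_RE.fullmatch(name):
        return False  # malformed input never reaches the query
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    _, digest = hash_password(password, row[0])
    return hmac.compare_digest(digest, row[1])
```

Running both against the same malformed user name shows why the reviewer documents the first as a vulnerable snippet: it returns a match without any password, while the hardened version rejects the input before a query is built.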
Reporting
Final Report with security risks, impact and solutions
All vulnerable codes are depicted using appropriate screen shots
Presentation/Call with developers to explain exploit scenarios
Detailed report containing:
Separate executive and technical sections
Prioritized results
Risks described in terms of real business risk!
Details of vulnerabilities/holes discovered in code
Step-by-step description of insecure code and possible exploits
No false positives
Practicable recommendations
Confirmatory Review
Post implementation review
Black box penetration testing
Ensuring all holes have been plugged by the development team
Benefits of Code Review
Detailed knowledge of application at following levels
Design
Architecture
Source Code
Internal behavior of the program is completely understood
Best approach for identifying all potential threats
Fool-proof method of securing applications
Identifies even the most remote application security holes
Benefits of Code Review
Detect Insecure Coding Flaws
Discover common security issues in code
Identify uncommon security loopholes - even deep inside the code
Spot Insecure Logical Flaws
Identify code that flouts business rules
Identify workflow bypass issues
Discover potential backdoors in code
Discover backdoors purposefully inserted by developers
Gain 360-degree security of the application
Example: SQL Injection
Example: Weak Input Validation
Example: Improper Error Handling
Thank You