Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Points Methodology To Get...

The OWASP Foundation

http://www.owasp.org

Security Code ReviewsDoes Your Code Need an Open Heart Surgery?6-Points Strategy to Get Your Application in Security Shape

Sherif KoussaOWASP Ottawa Chapter LeaderStatic Analysis Tools Evaluation Criteria Project LeaderApplication Security Specialist - Software Secured

Saturday, 13 April, 13

OWASP 2

Softwar S cur2007

2011Static Analysis Code Evaluation CriteriaProject Lead

Steering Committee MemberGSSP-Java, GSSP-NetDEV-541, DEV0544, SEC540

OWASP Chapter LeaderWebGoat 5.0 Developer

The 6 Points Strategy to Get Your Applications Back in Top Security Shape...

1. DRASTIC CHANGES NEED DRASTIC MEASURES!Get to the bottom of things quickly!

OWASP 5

Steps:

Open Heart Surgery

Step 1: Sawing Through the Sternum

Step 2: Working on the Heart

Step 3: Putting the Sternum Back Together

Step 4: Stitching Up the Skin

OWASP 5

Steps:

Open Heart Surgery

OWASP 5

Steps:

Open Heart Surgery

OWASP 5

Steps:

Open Heart Surgery

Causes:

OWASP 5

Steps:

Open Heart Surgery

Repair or replace heart valves, which control blood flow through the heart

Repair abnormal or damaged structures in the heart

Implant medical devices that help control the heartbeat or support heart function and blood flow

Replace a damaged heart with a healthy heart from a donor

Causes:

Open Code Surgery (AKA Code Review)

Why Security Code Reviews:

Effectiveness of Security Controls Against Known ThreatsTesting All Application Execution PathsFind All Instances of a Certain VulnerabilityThe Only Way to Find Certain Types of VulnerabilitiesEffective Remediation Instructions

Code Review Types

Peer Security Code Review: peer code reviews combined with secure coding best practices.Automatic Security Code Review: running a static code analysis tool.Modular Review: pure manual code review line by line.Ad-hoc Security Code Review: security done on selected modules of the application.Source-Code Driven Code Review: Full code review process combined with penetration testing.

Code Review Types

Peer Security Code Review: peer code reviews combined with secure coding best practices.Automatic Security Code Review: running a static code analysis tool.Modular Review: pure manual code review line by line.Ad-hoc Security Code Review: security done on selected modules of the application.Source-Code Driven Code Review: Full code review process combined with penetration testing.

2. COVER THE BASICS FIRSTDon’t run before you can walk!

OWASP Top 10 - 2010

OWASP Top 10 - 2013

A1. Injection

A2. Cross-Site Scripting

A3. Broken Authentication and Session Management

A4. Insecure Direct Object References

A5. Cross-Site Request Forgery

A6. Security Misconfiguration

A7. Insecure Cryptographic Storage

A9. Insufficient Transport Layer Protection

A8. Failure to Restrict URL Access

A10. Unvalidated Redirects and Forwards

2010 Modified New

OWASP Top 10 - 2010

OWASP Top 10 - 2013

A1. Injection

A6. Sensitive Data Exposure

A7. Missing Function Level Access Control

A9. Using Known Vulnerable Components

2010 Modified New

OWASP Top 10 - 2010

OWASP Top 10 - 2013

A1. Injection

2010 Modified New

OWASP 10

OWASP Top 10 - 2013A1. Injection

Veracode Report - 2011

A3 ...

2010 Modified New

OWASP 11

OWASP Top 10 - 2013Trustwave Report - 2013

A1. Injection

2010 Modified New

OWASP 12

OWASP Top 10 - 2013Whitehat Report - 2012

A1. InjectionA3

2010 Modified New

OWASP 13

3.FOCUS ON WHAT MATTERSReally...focus on what matters!

Effective Security Code Review Process

Reconnaissance: Understand the applicationThreat Assessment: Enumerate inputs, threats and attack surfaceAutomation: Low hanging fruitsManual Review: High-risk modulesConfirmation & PoC: Confirm high-risk vulnerabilities.Reporting: Communicate back to the development team

OWASP 15

Reconnaissance!

Threat Assessment!

Automation!

Manual Review!

Confirmation & PoC!

Reporting!

Checklist!

Tools!

Security Skills!

Reconnaissance What REALLY Matters?

Business Walkthrough: will get you right to the assets and the core business goal

Technical Walkthrough: will get you right to the vulnerabilities

Roles: better understand the application and attack surface

Reconnaissance!

Threat Assessment!

Automation!

Manual Review!

Confirmation & PoC!

Reporting!

Checklist!

Tools!

Security Skills!

Threat & Risk Modeling What REALLY Matters?

A library of Vulnerabilities/ThreatsIndustry basedRisk Based

Thorough Understanding of Assets

Attack Library

Assets

Reconnaissance!

Threat Assessment!

Automation!

Manual Review!

Confirmation & PoC!

Reporting!

Checklist!

Tools!

Security Skills!

Automation:What REALLY Matters - Fitted ToolStatic Analysis Tools Evaluation Criteria

Deployment ModelTechnology SupportScan, Command and Control SupportProduct Signature UpdateTriage and Remediation SupportReporting CapabilitiesEnterprise Level Support

Find more at http://projects.webappsec.org/w/page/41188978/Static Analysis Tools Evaluation Criteria

Reconnaissance!

Threat Assessment!

Automation!

Manual Review!

Confirmation & PoC!

Reporting!

Checklist!

Tools!

Security Skills!

Automation:What REALLY Matters - 3rd Party Libs

3rd Party Libraries Discovery.DependencyCheck (https://github.com/jeremylong/DependencyCheck)

Reconnaissance!

Threat Assessment!

Automation!

Manual Review!

Confirmation & PoC!

Reporting!

Checklist!

Tools!

Security Skills!

OWASP 20

4. GET YOUR HANDS DIRTY!No pain...no gain...

What Needs Manual Review?This REALLY Matters!

Authentication & Authorization ControlsEncryption ModulesFile Upload and Download OperationsValidation Controls\Input FiltersSecurity-Sensitive Application Logic

Reconnaissance!

Threat Assessment!

Automation!

Manual Review!

Confirmation & PoC!

Reporting!

Checklist!

Tools!

Security Skills!

Authentication and Authorization Controls

WebMethods Don’t Follow Regular ASP.net Page Lifecycle

OWASP 23Encr

There is a possibility of returning empty hashes on error

OWASP 24

Directory traversal is possible on post-back.

OWASP 25

5. GET YOUR B-17 FIX!Gain strategic advantage over the attackers...

Checklists Advances Technology

Aviation: Model 299-1934: “Too much airplane for one man to fly”.

B-17 plane (Model 299 Successor) gave the U.S. major strategic advantage in WWII

Intensive Care Units: Usage of checklists brought down infection rates in Michigan by 66%

Resources To Conduct Your Checklist

NIST Checklist Project http://checklists.nist.gov/

Mozilla’s Secure Coding QA Checklist https://wiki.mozilla.org/WebAppSec/Secure_Coding_QA_Checklist

Oracle’s Secure Coding Checklist - http://www.oracle.com/technetwork/java/seccodeguide-139067.html

MSDN Managed Code Checklist http://msdn.microsoft.com/en-us/library/ff648189.aspx

OWASP 28

6. FINISH STRONG!Flex your communications muscles!

Reporting

Weakness MetadataThorough DescriptionRecommendationAssign Appropriate Priority

SQL Injection:

Location: \source\ACMEPortal\updateinfo.aspx.cs:

Description: The code below is build dynamic sql statement using unvalidated data (i.e. name) which can lead to SQL Injection

51 SqlDataAdapter myCommand = new SqlDataAdapter( 52 "SELECT au_lname, au_fname FROM author WHERE au_id = '" + 53 SSN.Text + "'", myConnection);

Priority: High

Recommendation: Use parameterized SQL instead of dynamic concatenation, refer to http://msdn.microsoft.com/en-us/library/ff648339.aspx for details.

Owner: John Smith

Reconnaissance!

Threat Assessment!

Automation!

Manual Review!

Confirmation & PoC!

Reporting!

Checklist!

Tools!

Security Skills!

The 6-Points Strategy...

1.Drastic Changes Requires Drastic Measures.2.Cover The Basics First.3.Focus on What Matters.4.Get Your Hands Dirty.5.Get Your B-17 Fix.6.Finish Strong.

QUESTIONS?

sherif.koussa@owasp.orgsherif@softwaresecured.com

Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Points Methodology To Get...

Technology

Injecting evil code in your SAP J2EE systems. Security of SAP Software Deployment Server

ColdFusion Code Security

Cálculo (23423411 security code )

Security as Code owasp

Code Quality - Security

GPCA HQ SECURITY CODE

C c security system.ppt(COLOR CODE SECURITY SYSTEM)

Being Mean To Your Code: Integrating Security Tools into ... · Being Mean To Your Code: Integrating Security Tools into Your DevOps Pipeline Boston Code Camp 26 November 19, 2016

Code Red Security

Code Security Systems Ltd

Mobile Code Security Evaluation

Step5LogIntoCROWNWebandChange User Facility€¦ · 6. Enter your Password 7. Select MFA Device Type 8. Enter Security Code received 9. Click Log In Security Code is sent through

Payment Security in Multiple Layers€¦ · devices to facilitate e-commerce and mobile payments. 3 Digit Code Shown on the back of your credit or debit card, this security code lets

About Your Security System - The ADT Corporation · About Your Security System Your DSC security equipment has been designed to provide you ... Only the Master Code can be used to

Symantec Code Signing - an essential security feature to add to your software

Ethical Hacking: Source Code Review - zerodaylab.com Code Reviews.pdfEthical Hacking: Source Code Review . Source Code Review Security at the Root of your Systems Source Code Reviews

MODEL WIPC409HD-E - Aztech · Enter your camera’s Security Code (password). NOTE: The default Security Code for all Cameras is admin. Enter the camera’s Name. ... MODEL WIPC409HD-E

Serverless Security Your Code, Your Responsibility...• Akamai Kona Cloud Security (World’s 1st Cloud-WAF) •Author of 20 patents in the fields of Web Security, SAST, DAST, IAST

Code Lock Security details

Don’t Write Your Own Security Code – The Enterprise ... · Code – The Enterprise Security API Project Jeff Williams Aspect Security CEO ... getValidSafeHTML() getValidInput()