Copyright 2007 © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org

Security Code Reviews: Does Your Code Need an Open Heart Surgery?
6-Points Strategy to Get Your Application in Security Shape
Sherif Koussa
OWASP Ottawa Chapter Leader
Static Analysis Tools Evaluation Criteria Project Leader
Application Security Specialist - Software Secured
Saturday, 13 April, 13

Bio (timeline: 2007, 2008, 2011)
Software Secured
Static Analysis Code Evaluation Criteria Project Lead
Steering Committee Member
GSSP-Java, GSSP-.NET
DEV-541, DEV-544, SEC540
OWASP Chapter Leader
WebGoat 5.0 Developer

The 6 Points Strategy to Get Your Applications Back in Top Security Shape...

1. DRASTIC CHANGES NEED DRASTIC MEASURES! Get to the bottom of things quickly!

Open Heart Surgery
Steps:
Step 1: Sawing Through the Sternum
Step 2: Working on the Heart
Step 3: Putting the Sternum Back Together
Step 4: Stitching Up the Skin
Causes:
Repair or replace heart valves, which control blood flow through the heart
Repair abnormal or damaged structures in the heart
Implant medical devices that help control the heartbeat or support heart function and blood flow
Replace a damaged heart with a healthy heart from a donor

Open Code Surgery (AKA Code Review)
Why Security Code Reviews:
Effectiveness of Security Controls Against Known Threats
Testing All Application Execution Paths
Find All Instances of a Certain Vulnerability
The Only Way to Find Certain Types of Vulnerabilities
Effective Remediation Instructions

Code Review Types
Peer Security Code Review: peer code reviews combined with secure coding best practices.
Automatic Security Code Review: running a static code analysis tool.
Modular Review: pure manual code review line by line.
Ad-hoc Security Code Review: security done on selected modules of the application.
Source-Code Driven Code Review: full code review process combined with penetration testing.

2. COVER THE BASICS FIRST! Don’t run before you can walk!

OWASP Top 10 - 2010 vs. OWASP Top 10 - 2013

OWASP Top 10 - 2010:
A1. Injection
A2. Cross-Site Scripting
A3. Broken Authentication and Session Management
A4. Insecure Direct Object References
A5. Cross-Site Request Forgery
A6. Security Misconfiguration
A7. Insecure Cryptographic Storage
A8. Failure to Restrict URL Access
A9. Insufficient Transport Layer Protection
A10. Unvalidated Redirects and Forwards

OWASP Top 10 - 2013:
A1. Injection
A2. Broken Authentication and Session Management
A3. Cross-Site Scripting
A4. Insecure Direct Object References
A5. Security Misconfiguration
A6. Sensitive Data Exposure
A7. Missing Function Level Access Control
A8. Cross-Site Request Forgery
A9. Using Known Vulnerable Components
A10. Unvalidated Redirects and Forwards

Legend (slide colour coding): unchanged from 2010, Modified, New

OWASP Top 10 - 2013 vs. Veracode Report - 2011
(Chart: Veracode's 2011 findings labelled with their OWASP Top 10 - 2013 categories; chart not reproduced.)

OWASP Top 10 - 2013 vs. Trustwave Report - 2013
(Chart: Trustwave's 2013 findings labelled with their OWASP Top 10 - 2013 categories; chart not reproduced.)

OWASP Top 10 - 2013 vs. Whitehat Report - 2012
(Chart: Whitehat's 2012 findings labelled with their OWASP Top 10 - 2013 categories; chart not reproduced.)

3. FOCUS ON WHAT MATTERS! Really... focus on what matters!

Effective Security Code Review Process
Reconnaissance: Understand the application
Threat Assessment: Enumerate inputs, threats and attack surface
Automation: Low-hanging fruit
Manual Review: High-risk modules
Confirmation & PoC: Confirm high-risk vulnerabilities
Reporting: Communicate back to the development team

(Process diagram: the six phases above, Reconnaissance through Reporting, supported by Checklist, Tools and Security Skills.)

Reconnaissance: What REALLY Matters?
Business Walkthrough: will get you right to the assets and the core business goal
Technical Walkthrough: will get you right to the vulnerabilities
Roles: better understand the application and attack surface

Threat & Risk Modeling: What REALLY Matters?
A library of Vulnerabilities/Threats: industry based, risk based
Thorough Understanding of Assets
(Diagram: Attack Library, Assets, Vulnerable Code.)

Automation: What REALLY Matters - Fitted Tool
Static Analysis Tools Evaluation Criteria:
Deployment Model
Technology Support
Scan, Command and Control Support
Product Signature Update
Triage and Remediation Support
Reporting Capabilities
Enterprise Level Support
Find more at http://projects.webappsec.org/w/page/41188978/Static Analysis Tools Evaluation Criteria

Automation: What REALLY Matters - 3rd Party Libs
3rd Party Libraries Discovery: DependencyCheck (https://github.com/jeremylong/DependencyCheck)

4. GET YOUR HANDS DIRTY! No pain... no gain...

What Needs Manual Review? This REALLY Matters!
Authentication & Authorization Controls
Encryption Modules
File Upload and Download Operations
Validation Controls / Input Filters
Security-Sensitive Application Logic

Authentication and Authorization Controls
(Code screenshot not reproduced.) Finding: WebMethods Don’t Follow Regular ASP.net Page Lifecycle
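An added example (not the deck's screenshot) of the finding above: a hypothetical ASP.NET Web Forms page whose Page_Load check does not cover a [WebMethod] page method, beside the version that checks for itself. The Account page, the Accounts data layer, the role name and the sample data are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Services;
using System.Web.UI;

// Hypothetical Account.aspx.cs. Page_Load gates a normal page request, but an
// ASP.NET AJAX page method ([WebMethod] static) is dispatched straight to the
// method, so Page_Load, and with it this check, never runs for that call.
public partial class Account : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (User == null || !User.Identity.IsAuthenticated || !User.IsInRole("AccountHolder"))
            Response.Redirect("~/Login.aspx");
    }

    // BEFORE: no check of its own, so the Page_Load gate does not apply here.
    [WebMethod]
    public static string GetBalanceUnchecked(string accountId)
    {
        return Accounts.BalanceFor(accountId);
    }

    // AFTER: the page method authenticates and authorizes for itself, and also
    // confirms ownership of the requested record (the A4 direct object reference).
    [WebMethod]
    public static string GetBalance(string accountId)
    {
        var user = HttpContext.Current.User;
        if (user == null || !user.Identity.IsAuthenticated || !user.IsInRole("AccountHolder"))
            throw new UnauthorizedAccessException("authentication required");
        if (!Accounts.IsOwner(user.Identity.Name, accountId))
            throw new UnauthorizedAccessException("account does not belong to caller");
        return Accounts.BalanceFor(accountId);
    }
}
// Hypothetical data layer with constructed sample data: account id -> owner.
public static class Accounts
{
    private static readonly Dictionary<string, string> Owners =
        new Dictionary<string, string> { { "1001", "alice" }, { "1002", "bob" } };
    public static bool IsOwner(string userName, string accountId)
    {
        string owner;
        return Owners.TryGetValue(accountId, out owner) && owner == userName;
    }
    public static string BalanceFor(string accountId) { return "0.00"; }   // placeholder
}
```

In review, every [WebMethod] and every handler reached outside the normal lifecycle is treated as its own entry point and checked for its own authentication and authorization logic.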
Encryption Modules
(Code screenshot not reproduced.) Finding: There is a possibility of returning empty hashes on error
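An added example (not the code from the slide screenshot) of the hash-module defect named above: a hypothetical PasswordHasher whose error path returns an empty string, beside a version that lets errors propagate and refuses empty stored hashes. The class name, iteration count and minimum salt length are assumptions.

```csharp
using System;
using System.Security.Cryptography;

// Hypothetical password-hashing module of the kind the slide's screenshot shows.
public static class PasswordHasher
{
    private const int Iterations = 10000;   // assumed work factor
    private const int HashBytes = 32;

    // BEFORE: every failure (null password, bad salt, provider error) is swallowed and
    // "" is returned. A login written as  HashUnsafe(input, salt) == storedHash  then
    // succeeds whenever the stored value is also empty or missing: it fails open.
    public static string HashUnsafe(string password, byte[] salt)
    {
        try
        {
            using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
                return Convert.ToBase64String(kdf.GetBytes(HashBytes));
        }
        catch (Exception)
        {
            return "";   // the defect: an error collapses into a comparable value
        }
    }

    // AFTER: invalid input and provider errors propagate instead of becoming a value.
    public static string Hash(string password, byte[] salt)
    {
        if (password == null) throw new ArgumentNullException("password");
        if (salt == null || salt.Length < 16) throw new ArgumentException("salt too short");
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return Convert.ToBase64String(kdf.GetBytes(HashBytes));
    }

    // Verification rejects empty stored hashes outright and compares in constant time,
    // so neither an error nor a missing record can pass as a match.
    public static bool Verify(string password, byte[] salt, string storedHash)
    {
        if (string.IsNullOrEmpty(storedHash)) return false;
        byte[] expected = Convert.FromBase64String(storedHash);
        byte[] actual = Convert.FromBase64String(Hash(password, salt));
        if (expected.Length != actual.Length) return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }
}
```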
Security Controls
(Code screenshot not reproduced.) Finding: Directory traversal is possible on post-back.
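An added example (not the deck's screenshot) of the post-back traversal finding: a hypothetical Download.aspx.cs page that reads a file name back from a hidden field on post-back, beside a canonicalize-and-contain check. The Download page, hfFileName and BaseDir are assumptions.

```csharp
using System;
using System.IO;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical Download.aspx.cs. The file list is filled server-side on the first
// request, but on post-back the chosen name comes back in a hidden field whose
// value the client can alter before submitting.
public partial class Download : Page
{
    private static readonly string BaseDir = @"C:\inetpub\AcmePortal\reports";   // assumed
    protected HiddenField hfFileName;   // normally generated from Download.aspx markup
    // BEFORE: Path.Combine joins a relative name containing ".." without complaint,
    // so the resolved path can point outside BaseDir on post-back.
    protected void btnDownload_Click(object sender, EventArgs e)
    {
        Response.WriteFile(Path.Combine(BaseDir, hfFileName.Value));
    }

    // AFTER: resolve through TryResolveInside and refuse anything that is not a bare
    // file name living directly under BaseDir.
    protected void btnDownloadSafe_Click(object sender, EventArgs e)
    {
        string resolved;
        if (!TryResolveInside(BaseDir, hfFileName.Value, out resolved))
        {
            Response.StatusCode = 400;
            Response.End();
        }
        Response.ContentType = "application/octet-stream";
        Response.WriteFile(resolved);
    }

    // True only when name is a bare file name and its canonical form still starts
    // with the canonical base directory (so "..", "." and rooted names all fail).
    public static bool TryResolveInside(string baseDir, string name, out string resolved)
    {
        resolved = null;
        if (string.IsNullOrEmpty(name) || Path.IsPathRooted(name) || name != Path.GetFileName(name))
            return false;
        string root = Path.GetFullPath(baseDir).TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        string full;
        try { full = Path.GetFullPath(Path.Combine(root, name)); }
        catch (ArgumentException) { return false; }   // illegal characters in name
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return false;
        resolved = full;
        return true;
    }
}
```

The review point is that ViewState and hidden-field values are client input on post-back and need the same validation as a query string.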
5. GET YOUR B-17 FIX! Gain strategic advantage over the attackers...

Checklists Advance Technology
Aviation: Model 299 (1934): “Too much airplane for one man to fly”.
The B-17 (Model 299 successor) gave the U.S. a major strategic advantage in WWII.
Intensive Care Units: usage of checklists brought down infection rates in Michigan by 66%.

Resources To Conduct Your Checklist
NIST Checklist Project: http://checklists.nist.gov/
Mozilla’s Secure Coding QA Checklist: https://wiki.mozilla.org/WebAppSec/Secure_Coding_QA_Checklist
Oracle’s Secure Coding Checklist: http://www.oracle.com/technetwork/java/seccodeguide-139067.html
MSDN Managed Code Checklist: http://msdn.microsoft.com/en-us/library/ff648189.aspx

6. FINISH STRONG! Flex your communications muscles!

Reporting
Weakness Metadata
Thorough Description
Recommendation
Assign Appropriate Priority

SQL Injection:
Location: \source\ACMEPortal\updateinfo.aspx.cs:
Description: The code below builds a dynamic SQL statement using unvalidated data (i.e. name), which can lead to SQL Injection.
51 SqlDataAdapter myCommand = new SqlDataAdapter(
52     "SELECT au_lname, au_fname FROM author WHERE au_id = '" +
53     SSN.Text + "'", myConnection);
Priority: High
Recommendation: Use parameterized SQL instead of dynamic concatenation; refer to http://msdn.microsoft.com/en-us/library/ff648339.aspx for details.
Owner: John Smith
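An added example (not part of the report above) showing the recommendation applied to the quoted snippet: the concatenated statement beside its parameterized form. The AuthorLookup class and the parameter type and length (assuming au_id is varchar(11)) are assumptions.

```csharp
using System.Data;
using System.Data.SqlClient;

// Hypothetical helper holding the two forms of the query from the finding.
public static class AuthorLookup
{
    // BEFORE (as reported): SSN.Text is spliced into the statement text, so whatever
    // the field contains is parsed as SQL rather than treated as a value.
    public static DataTable FindUnsafe(SqlConnection myConnection, string ssnText)
    {
        var myCommand = new SqlDataAdapter(
            "SELECT au_lname, au_fname FROM author WHERE au_id = '" + ssnText + "'",
            myConnection);
        var table = new DataTable();
        myCommand.Fill(table);
        return table;
    }

    // AFTER: the statement is fixed and the value travels as a typed parameter, so the
    // input can only ever be compared against au_id, never change the query.
    public static DataTable Find(SqlConnection myConnection, string ssnText)
    {
        const string sql = "SELECT au_lname, au_fname FROM author WHERE au_id = @auId";
        using (var cmd = new SqlCommand(sql, myConnection))
        {
            cmd.Parameters.Add("@auId", SqlDbType.VarChar, 11).Value = ssnText;   // assumed column type
            using (var adapter = new SqlDataAdapter(cmd))
            {
                var table = new DataTable();
                adapter.Fill(table);
                return table;
            }
        }
    }
}
```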

The 6-Points Strategy...
1. Drastic Changes Require Drastic Measures.
2. Cover The Basics First.
3. Focus on What Matters.
4. Get Your Hands Dirty.
5. Get Your B-17 Fix.
6. Finish Strong.