SlideShare a Scribd company logo

Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)

OWASP Ottawa
OWASP Ottawa

Secure Code Review is the best approach to uncover the most security flaws, in addition to being the only approach to find certain types of flaws like design flaws. During this session, you will learn how to perform security code review and uncover vulnerabilities such as OWASP Top 10: Cross-site Scripting, SQL Injection, Access Control and much more in early stages of development. You will use a real life application. You will get an introduction to Static Code Analysis tools and how you can automate some parts of the process using tools like FxCop.

Technology
1 of 36
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org Security Code Review For .Net Applications Sherif Koussa OWASP Ottawa Chapter Leader Software Secured sherif.koussa@owasp.org Education Project Thursday, 9 May, 13
OWASP 2 Softwar S cur 2007 2009 2011 2013 Bio Principal Consultant @ SoftwareSecured ✓ Security Code Review ✓ Penetration Testing ✓ Secure SDL Integration ✓ Application Security Training Thursday, 9 May, 13
OWASP Take Aways What is Security Code Review Effective Security Code Review Process How to Implement Your Own Process Key Tools to Use 3 Thursday, 9 May, 13
OWASP What Security Code Review is.........NOT? A Separate Activity From the SDLC Running a Tool Ad-hoc Activity Pentesting - (Just Say’n!) 4 Thursday, 9 May, 13
OWASP The Inspection of Source Code to Find Security Weakness Integrated Activity into Software Development Lifecycle Cross-Team Integration Development Teams Security Teams ProjectRisk Management Systematic Approach to Uncover Security Flaws What IS Security Code Review? 5 Thursday, 9 May, 13
OWASP Why Security Code Reviews Effectiveness of security controls against known threats Exercise all application execution paths Find all instances of a certain vulnerability The only way to find certain types of vulnerabilities Effective remediation instructions 6 Thursday, 9 May, 13
OWASP What Are We Looking For? Software Weaknesses SQL Injection Cross-site Scripting Insufficient Authentication Application Logic Issues Application Logic Bypass DeadDebug Code Misconfiguration Issues 7 Thursday, 9 May, 13
OWASP Important Steps For Effective Process Reconnaissance: Understand the application Threat Assessment: Enumerate inputs, threats and attack surface Automation: Low hanging fruits Manual Review: High-risk modules Confirmation & PoC: Confirm high-risk vulnerabilities. Reporting: Communicate back to the development team 8 Thursday, 9 May, 13
OWASP 9 Reconnaissance! Threat Assessment! Automation! Manual Review! Confirmation & PoC! Reporting! Checklist! Tools! Security Skills! Thursday, 9 May, 13
OWASP 10 RECONNAISSANCE Reconnaissance! Threat Assessment! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Thursday, 9 May, 13
OWASP Reconnaissance Primary Business Goal of the Application Use CasesAbuse Cases Different User Roles Technology Stack of the Application Environment Discovery Use the Application 11 Thursday, 9 May, 13
OWASP 12 THREAT ASSESSMENT Reconnaissance! Threat Assessment! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Thursday, 9 May, 13
OWASP Enumerate Assets Data: personal data, financial data, etc Infrastructure: CPU, bandwidth, disk space, etc Users: malware, fishing, clicks Intellectual Property: software source code Other SystemsApplications: proxy to other more valuable systems. 13 Thursday, 9 May, 13
OWASP Enumerate Threats Data Theft Information Disclosure Spreading Malware Phishing Username Harvesting Fraudulent Transactions Likejacking 14 Thursday, 9 May, 13
OWASP Enumerate Vulnerabilities OWASP Top 10 A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Insecure Direct Object References A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Missing Function Level Access Control A8 Cross-Site Request Forgery (CSRF) A9 Using Known Vulnerable Components A10 Unvalidated Redirects and Forwards 15 Thursday, 9 May, 13
OWASP 16 AUTOMATION Reconnaissance! Threat Assessment! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Thursday, 9 May, 13
OWASP Automation Static Code Analysis Tools Scripts 17 Thursday, 9 May, 13
OWASP Automation with CAT.NET CAT.NET is a binary code analysis tool that helps identify common variants of certain prevailing vulnerabilities that can give rise to common attack vectors - Microsoft Comes with built-in rules: Reflected Cross-Site Scripting SQL Injection XPath Injection LDAP Injection File Canonicalization Issues Command Injection Information Disclosure Download from MSDN 18 Thursday, 9 May, 13
OWASP Demo... 19 Thursday, 9 May, 13
OWASP 20 MANUAL REVIEW Reconnaissance! Threat Modeling! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Thursday, 9 May, 13
OWASP A1. Injection Start With Automation Database Script (*.sql, *.txt, etc) Pay Attention to Patterns & Coding Styles Second Order Injection 21 Manual Automatic Thursday, 9 May, 13
OWASP A2. Broken Authentication and Session Management Authentication Process Password Storage Password ResetChanges Session Generation Session Timeout Cookie DomainPath ViewState Protection 22 Manual Automatic Thursday, 9 May, 13
OWASP A3. Cross-Site Scripting Inspect application’s defenses (e.g. RequestValidation) Contextual HTML output encoding ASP.NET controls with no output encoding (MSDN) DOM-Based Cross-site Scripting HttpOnly Flag on Cookies. 23 Manual Automatic Thursday, 9 May, 13
OWASP A4. Insecure Direct Object Reference Parameters <-> resources relationship Hidden Fields JavaScript (JSON, AJAX) Querystring parameters 24 Manual Automatic Thursday, 9 May, 13
OWASP 25 CONFIRMATION & POC Reconnaissance! Threat Modeling! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Thursday, 9 May, 13
OWASP Confirmation & PoC 26 Thursday, 9 May, 13
OWASP Confirmation & PoC 26 Thursday, 9 May, 13
OWASP Confirmation & PoC 26 Thursday, 9 May, 13
OWASP 27 REPORTING Reconnaissance! Threat Modeling! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Thursday, 9 May, 13
SQL Injection: Location: sourceACMEPortalupdateinfo.aspx.cs: Description:The code below is build dynamic sql statement using unvalidated data (i.e. name) which can lead to SQL Injection 51 SqlDataAdapter myCommand = new SqlDataAdapter( 52 "SELECT au_lname, au_fname FROM author WHERE au_id = '" + 53 SSN.Text + "'", myConnection); Priority: High Recommendation: Use paramaterized SQL instead of dynamic concatenation, refer to http://msdn.microsoft.com/en- us/library/ff648339.aspx for details. Owner: John Smith OWASP Reporting Weakness Metadata Thorough Description Recommendation Assign Appropriate Priority 28 Thursday, 9 May, 13
OWASP 29 CHECKLISTS Reconnaissance! Threat Modeling! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Thursday, 9 May, 13
OWASP Checklist - A bit of history Aviation: led the modern airplanes evolution after Major Hill’s famous 1934 incident ICU: usage of checklists brought down infection rates in Michigan by 66% 30 Thursday, 9 May, 13
OWASP What Does a Checklist Cover? Data Validation and Encoding Controls Encryption Controls Authentication and Authorization Controls Session Management Exception Handling Auditing and Logging Security Configurations 31 Thursday, 9 May, 13
OWASP Resources to Conduct Your Checklist NIST Checklist Project http://checklists.nist.gov/ Mozilla’s Secure Coding QA Checklist https://wiki.mozilla.org/WebAppSec/Secure_Coding_QA_Checklist Oracle’s Secure Coding Checklist http://www.oracle.com/technetwork/java/seccodeguide-139067.html 32 Thursday, 9 May, 13
OWASP Full Application Security Code Review 33 Reconnaissance! Threat Modeling! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Thursday, 9 May, 13
OWASP 34 QUESTIONS? sherif.koussa@owasp.org sherif@softwaresecured.com Thursday, 9 May, 13

Recommended

Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
OWASP Delhi
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
Michael Furman
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & Testing
Deepu S Nath
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
Application Security
Application SecurityApplication Security
Application Security
Reggie Niccolo Santos
 

Recommended

Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
OWASP Delhi
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
Michael Furman
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & Testing
Deepu S Nath
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
Application Security
Application SecurityApplication Security
Application Security
Reggie Niccolo Santos
 
Security in NodeJS applications
Security in NodeJS applicationsSecurity in NodeJS applications
Security in NodeJS applications
Daniel Garcia (a.k.a cr0hn)
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
bilcorry
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
OWASP Delhi
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
Prabath Siriwardena
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top Ten
Christian Heinrich
 
Security testing
Security testingSecurity testing
Security testing
Khizra Sammad
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
Noppadol Songsakaew
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
Nahidul Kibria
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
Hina Rawal
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
Priyanka Aash
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
Codemotion
 
Web application security I
Web application security IWeb application security I
Web application security I
Md Syed Ahamad
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
Moataz Kamel
 
OWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITISOWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITIS
Null Bhubaneswar
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
OWASP Delhi
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Scott Hurrey
 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code Reviews
Denim Group
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review Process
Sherif Koussa
 

More Related Content

What's hot

What's hot (20)

Security in NodeJS applications
Security in NodeJS applicationsSecurity in NodeJS applications
Security in NodeJS applications
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top Ten
 
Security testing
Security testingSecurity testing
Security testing
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
 
Web application security I
Web application security IWeb application security I
Web application security I
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
OWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITISOWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITIS
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 

Viewers also liked

Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review Process
Sherif Koussa
 
Secure .NET programming
Secure .NET programmingSecure .NET programming
Secure .NET programming
Ante Gulam
 
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
Sherif Koussa
 
Security Code Review: Magic or Art?
Security Code Review: Magic or Art?Security Code Review: Magic or Art?
Security Code Review: Magic or Art?
Sherif Koussa
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012
DefCamp
 
ASFWS 2013 - Advances in secure (ASP).NET development – break the hackers’ sp...
ASFWS 2013 - Advances in secure (ASP).NET development – break the hackers’ sp...ASFWS 2013 - Advances in secure (ASP).NET development – break the hackers’ sp...
ASFWS 2013 - Advances in secure (ASP).NET development – break the hackers’ sp...
Cyber Security Alliance
 
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleDeploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large Scale
Achim D. Brucker
 
Microsoft asp.net identity security
Microsoft asp.net identity securityMicrosoft asp.net identity security
Microsoft asp.net identity security
rustd
 
Code review for secure web applications
Code review for secure web applicationsCode review for secure web applications
Code review for secure web applications
silviad74
 

Viewers also liked (20)

Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code Reviews
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review Process
 
Secure .NET programming
Secure .NET programmingSecure .NET programming
Secure .NET programming
 
China all up in your business: Annoying Persistant Threat - Dave Ockwell-Jenn...
China all up in your business: Annoying Persistant Threat - Dave Ockwell-Jenn...China all up in your business: Annoying Persistant Threat - Dave Ockwell-Jenn...
China all up in your business: Annoying Persistant Threat - Dave Ockwell-Jenn...
 
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
 
Security Code Review: Magic or Art?
Security Code Review: Magic or Art?Security Code Review: Magic or Art?
Security Code Review: Magic or Art?
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012
 
Chapter 09
Chapter 09Chapter 09
Chapter 09
 
ASFWS 2013 - Advances in secure (ASP).NET development – break the hackers’ sp...
ASFWS 2013 - Advances in secure (ASP).NET development – break the hackers’ sp...ASFWS 2013 - Advances in secure (ASP).NET development – break the hackers’ sp...
ASFWS 2013 - Advances in secure (ASP).NET development – break the hackers’ sp...
 
Top 5 .NET Challenges, Performance Monitoring Tips & Tricks
Top 5 .NET Challenges, Performance Monitoring Tips & TricksTop 5 .NET Challenges, Performance Monitoring Tips & Tricks
Top 5 .NET Challenges, Performance Monitoring Tips & Tricks
 
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleDeploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large Scale
 
Security asp.net application
Security asp.net applicationSecurity asp.net application
Security asp.net application
 
Microsoft asp.net identity security
Microsoft asp.net identity securityMicrosoft asp.net identity security
Microsoft asp.net identity security
 
Code review for secure web applications
Code review for secure web applicationsCode review for secure web applications
Code review for secure web applications
 
Natural Laws of Software Performance
Natural Laws of Software PerformanceNatural Laws of Software Performance
Natural Laws of Software Performance
 
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
 
Null meet Code Review
Null meet Code ReviewNull meet Code Review
Null meet Code Review
 
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#
 
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
 

Similar to Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)

Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Braindev Kyiv
 
OWASP, the life and the universe
OWASP, the life and the universeOWASP, the life and the universe
OWASP, the life and the universe
Sébastien GIORIA
 
OWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationOWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfiguration
Nikola Milosevic
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
johnpragasam1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
azida3
 

Similar to Security Code Review for .NET - Sherif Koussa (OWASP Ottawa) (20)

OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
 
OISF - AppSec Presentation
OISF - AppSec PresentationOISF - AppSec Presentation
OISF - AppSec Presentation
 
OWASP App Sec US - 2010
OWASP App Sec US - 2010OWASP App Sec US - 2010
OWASP App Sec US - 2010
 
Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP Training
 
OWASP - Building Secure Web Applications
OWASP - Building Secure Web ApplicationsOWASP - Building Secure Web Applications
OWASP - Building Secure Web Applications
 
OWASP Top10 2010
OWASP Top10 2010OWASP Top10 2010
OWASP Top10 2010
 
OWASP_Top_10_Introduction_and_Remedies_2017.ppt
OWASP_Top_10_Introduction_and_Remedies_2017.pptOWASP_Top_10_Introduction_and_Remedies_2017.ppt
OWASP_Top_10_Introduction_and_Remedies_2017.ppt
 
CiNPA Security SIG - AppSec Presentation
CiNPA Security SIG - AppSec PresentationCiNPA Security SIG - AppSec Presentation
CiNPA Security SIG - AppSec Presentation
 
Owasp london training course 2010 - Matteo Meucci
Owasp london training course 2010 - Matteo MeucciOwasp london training course 2010 - Matteo Meucci
Owasp london training course 2010 - Matteo Meucci
 
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
 
Cyber ppt
Cyber pptCyber ppt
Cyber ppt
 
Running an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec VillageRunning an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec Village
 
OWASP, the life and the universe
OWASP, the life and the universeOWASP, the life and the universe
OWASP, the life and the universe
 
OWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationOWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfiguration
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
 
OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
 

Recently uploaded

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 

Recently uploaded (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)

  • 1. Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org Security Code Review For .Net Applications Sherif Koussa OWASP Ottawa Chapter Leader Software Secured sherif.koussa@owasp.org Education Project Thursday, 9 May, 13
  • 2. OWASP 2 Softwar S cur 2007 2009 2011 2013 Bio Principal Consultant @ SoftwareSecured ✓ Security Code Review ✓ Penetration Testing ✓ Secure SDL Integration ✓ Application Security Training Thursday, 9 May, 13
  • 3. OWASP Take Aways What is Security Code Review Effective Security Code Review Process How to Implement Your Own Process Key Tools to Use 3 Thursday, 9 May, 13
  • 4. OWASP What Security Code Review is.........NOT? A Separate Activity From the SDLC Running a Tool Ad-hoc Activity Pentesting - (Just Say’n!) 4 Thursday, 9 May, 13
  • 5. OWASP The Inspection of Source Code to Find Security Weakness Integrated Activity into Software Development Lifecycle Cross-Team Integration Development Teams Security Teams ProjectRisk Management Systematic Approach to Uncover Security Flaws What IS Security Code Review? 5 Thursday, 9 May, 13
  • 6. OWASP Why Security Code Reviews Effectiveness of security controls against known threats Exercise all application execution paths Find all instances of a certain vulnerability The only way to find certain types of vulnerabilities Effective remediation instructions 6 Thursday, 9 May, 13
  • 7. OWASP What Are We Looking For? Software Weaknesses SQL Injection Cross-site Scripting Insufficient Authentication Application Logic Issues Application Logic Bypass DeadDebug Code Misconfiguration Issues 7 Thursday, 9 May, 13
  • 8. OWASP Important Steps For Effective Process Reconnaissance: Understand the application Threat Assessment: Enumerate inputs, threats and attack surface Automation: Low hanging fruits Manual Review: High-risk modules Confirmation & PoC: Confirm high-risk vulnerabilities. Reporting: Communicate back to the development team 8 Thursday, 9 May, 13
  • 9. OWASP 9 Reconnaissance! Threat Assessment! Automation! Manual Review! Confirmation & PoC! Reporting! Checklist! Tools! Security Skills! Thursday, 9 May, 13
  • 10. OWASP 10 RECONNAISSANCE Reconnaissance! Threat Assessment! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Thursday, 9 May, 13
  • 11. OWASP Reconnaissance Primary Business Goal of the Application Use CasesAbuse Cases Different User Roles Technology Stack of the Application Environment Discovery Use the Application 11 Thursday, 9 May, 13
  • 12. OWASP 12 THREAT ASSESSMENT Reconnaissance! Threat Assessment! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Thursday, 9 May, 13
  • 13. OWASP Enumerate Assets Data: personal data, financial data, etc Infrastructure: CPU, bandwidth, disk space, etc Users: malware, fishing, clicks Intellectual Property: software source code Other SystemsApplications: proxy to other more valuable systems. 13 Thursday, 9 May, 13
  • 14. OWASP Enumerate Threats Data Theft Information Disclosure Spreading Malware Phishing Username Harvesting Fraudulent Transactions Likejacking 14 Thursday, 9 May, 13
  • 15. OWASP Enumerate Vulnerabilities OWASP Top 10 A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Insecure Direct Object References A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Missing Function Level Access Control A8 Cross-Site Request Forgery (CSRF) A9 Using Known Vulnerable Components A10 Unvalidated Redirects and Forwards 15 Thursday, 9 May, 13
  • 16. OWASP 16 AUTOMATION Reconnaissance! Threat Assessment! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Thursday, 9 May, 13
  • 17. OWASP Automation Static Code Analysis Tools Scripts 17 Thursday, 9 May, 13
  • 18. OWASP Automation with CAT.NET CAT.NET is a binary code analysis tool that helps identify common variants of certain prevailing vulnerabilities that can give rise to common attack vectors - Microsoft Comes with built-in rules: Reflected Cross-Site Scripting SQL Injection XPath Injection LDAP Injection File Canonicalization Issues Command Injection Information Disclosure Download from MSDN 18 Thursday, 9 May, 13
  • 20. OWASP 20 MANUAL REVIEW Reconnaissance! Threat Modeling! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Thursday, 9 May, 13
  • 21. OWASP A1. Injection Start With Automation Database Script (*.sql, *.txt, etc) Pay Attention to Patterns & Coding Styles Second Order Injection 21 Manual Automatic Thursday, 9 May, 13
  • 22. OWASP A2. Broken Authentication and Session Management Authentication Process Password Storage Password ResetChanges Session Generation Session Timeout Cookie DomainPath ViewState Protection 22 Manual Automatic Thursday, 9 May, 13
  • 23. OWASP A3. Cross-Site Scripting Inspect application’s defenses (e.g. RequestValidation) Contextual HTML output encoding ASP.NET controls with no output encoding (MSDN) DOM-Based Cross-site Scripting HttpOnly Flag on Cookies. 23 Manual Automatic Thursday, 9 May, 13
  • 24. OWASP A4. Insecure Direct Object Reference Parameters <-> resources relationship Hidden Fields JavaScript (JSON, AJAX) Querystring parameters 24 Manual Automatic Thursday, 9 May, 13
  • 25. OWASP 25 CONFIRMATION & POC Reconnaissance! Threat Modeling! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Thursday, 9 May, 13
  • 29. OWASP 27 REPORTING Reconnaissance! Threat Modeling! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Thursday, 9 May, 13
  • 30. SQL Injection: Location: sourceACMEPortalupdateinfo.aspx.cs: Description:The code below is build dynamic sql statement using unvalidated data (i.e. name) which can lead to SQL Injection 51 SqlDataAdapter myCommand = new SqlDataAdapter( 52 "SELECT au_lname, au_fname FROM author WHERE au_id = '" + 53 SSN.Text + "'", myConnection); Priority: High Recommendation: Use paramaterized SQL instead of dynamic concatenation, refer to http://msdn.microsoft.com/en- us/library/ff648339.aspx for details. Owner: John Smith OWASP Reporting Weakness Metadata Thorough Description Recommendation Assign Appropriate Priority 28 Thursday, 9 May, 13
  • 31. OWASP 29 CHECKLISTS Reconnaissance! Threat Modeling! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Thursday, 9 May, 13
  • 32. OWASP Checklist - A bit of history Aviation: led the modern airplanes evolution after Major Hill’s famous 1934 incident ICU: usage of checklists brought down infection rates in Michigan by 66% 30 Thursday, 9 May, 13
  • 33. OWASP What Does a Checklist Cover? Data Validation and Encoding Controls Encryption Controls Authentication and Authorization Controls Session Management Exception Handling Auditing and Logging Security Configurations 31 Thursday, 9 May, 13
  • 34. OWASP Resources to Conduct Your Checklist NIST Checklist Project http://checklists.nist.gov/ Mozilla’s Secure Coding QA Checklist https://wiki.mozilla.org/WebAppSec/Secure_Coding_QA_Checklist Oracle’s Secure Coding Checklist http://www.oracle.com/technetwork/java/seccodeguide-139067.html 32 Thursday, 9 May, 13
  • 35. OWASP Full Application Security Code Review 33 Reconnaissance! Threat Modeling! Automation! Manual Review! Confirmation & PoC! Reporting! Checklists! Tools! OWASP Top 10! Thursday, 9 May, 13