3. Software Secured
2007 2009 2011 2013
Bio
Principal Consultant @ SoftwareSecured
✓ Application Security Assessment
✓ Application Security Assurance Program Implementation
✓ Application Security Training
Monday, 3 June, 13
11-14. What IS Security Code Review?
➡ The Inspection of Source Code to Find Security Weakness
➡ Integrated Activity into Software Development Lifecycle
➡ Cross-Team Integration
  ➡ Development Teams
  ➡ Security Teams
  ➡ Project Risk Management
➡ Systematic Approach to Uncover Security Flaws
16-20. Why Security Code Reviews
Effectiveness of Security Controls
Exercise all code paths
All instances of a vulnerability
Find design flaws
Remediation Instructions
38. Usages of Simplified Security Code Review
Diagram: Automation, Manual Review, Reporting; Checklists, Tools, OWASP Top 10, Trust Boundary Identification
➡ Ideal for Introducing Development Teams To Security Code Reviews
➡ Crossing The Gap Between Security and Development Teams
39. Skills - OWASP Top 10
➡ A1 Injection
➡ A2 Broken Authentication and Session Management
➡ A3 Cross-Site Scripting (XSS)
➡ A4 Insecure Direct Object References
➡ A5 Security Misconfiguration
➡ A6 Sensitive Data Exposure
➡ A7 Missing Function Level Access Control
➡ A8 Cross-Site Request Forgery (CSRF)
➡ A9 Using Known Vulnerable Components
➡ A10 Unvalidated Redirects and Forwards
40-41. OWASP TOP 10 - 2010 vs OWASP TOP 10 - 2013 (slide legend: 2010 / Modified / New)
OWASP TOP 10 - 2010                             | OWASP TOP 10 - 2013
A1. Injection                                   | A1. Injection
A2. Cross-Site Scripting                        | A2. Broken Authentication and Session Management
A3. Broken Authentication and Session Management | A3. Cross-Site Scripting
A4. Insecure Direct Object References           | A4. Insecure Direct Object References
A5. Cross-Site Request Forgery                  | A5. Security Misconfiguration
A6. Security Misconfiguration                   | A6. Sensitive Data Exposure
A7. Insecure Cryptographic Storage              | A7. Missing Function Level Access Control
A8. Failure to Restrict URL Access              | A8. Cross-Site Request Forgery
A9. Insufficient Transport Layer Protection     | A9. Using Known Vulnerable Components
A10. Unvalidated Redirects and Forwards         | A10. Unvalidated Redirects and Forwards
42. Veracode Report - 2011 (chart mapping the report's findings onto the OWASP TOP 10 - 2013 categories; legend: 2010 / Modified / New)
43. Trustwave Report - 2013 (chart mapping the report's findings onto the OWASP TOP 10 - 2013 categories; legend: 2010 / Modified / New)
44. Whitehat Report - 2012 (chart mapping the report's findings onto the OWASP TOP 10 - 2013 categories; legend: 2010 / Modified / New)
46-52. Trust Boundary - Example (diagram)
Internet: Browser, SOAP Client, Mobile Client
Application components: Front Controller, Web Services, Admin Front Controller, View (returned to the Browser), BusinessObjects, DataAccessLayer
LAN: DB, LDAP, File System
53-62. Trust Boundary - OWASP Top 10 (diagram: the example architecture above, with each OWASP Top 10 category placed at the trust boundary where it applies)
Components: Front Controller, Web Services, Admin Front Controller, View, BusinessObjects, DataAccessLayer; LAN: DB, LDAP, File System
➡ A1 Injection
➡ A2 Broken Authentication and Session Management
➡ A3 Cross-Site Scripting (XSS)
➡ A4 Insecure Direct Object References
➡ A5 Security Misconfiguration
➡ A6 Sensitive Data Exposure
➡ A7 Missing Function Level Access Control
➡ A8 Cross-Site Request Forgery (CSRF)
➡ A9 Using Known Vulnerable Components
➡ A10 Unvalidated Redirects and Forwards
Categories placed on the diagram: A1; A2 (x3); A3; A4 (x2); A5; A6 (x2); A7; A8; A9 (x5); A10 (x2)
63-68. How Can You Identify Trust Boundary?
➡ File Extensions: *.jsp, *.aspx.cs, *.sql, *.txt, *DAL.*, etc.
➡ Implementations: HttpServlet, JAXMServlet, *.master.cs, etc.
➡ Imports: Import System.Data.SqlClient, import javax.servlet.http.*, etc.
➡ Tools: Spiders’ output
➡ Annotations: @WebMethods, @WebService
71. Automation
Static Code Analysis
Pros                 | Cons
Scales Well          | False Positives
Low Hanging Fruit    | Application Logic Issues
Could Be Customized  | Collections
                     | Frameworks
72. Scripts
➡ Complement Static Code Analysis Tools.
➡ 3rd Party Libraries Discovery.
➡ Data Input Sources (e.g. web services)
➡ Tracing Data Through Collections (e.g. Session, Request, Collection)
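Added example, not from the deck: a small script of the kind slide 72 describes, using the trust-boundary indicators from slides 63-68 (extensions, the *DAL.* naming convention, servlet base classes, imports, annotations) to flag the data-input files a reviewer should read first. The file tree it scans is constructed here; the file names and contents are hypothetical.

```python
import os
import tempfile

# Indicators listed on the slides; "@WebMethod" also matches the slide's "@WebMethods".
EXTENSIONS = (".jsp", ".aspx.cs", ".sql", ".txt", ".master.cs")
IMPLEMENTATIONS = ("HttpServlet", "JAXMServlet")
IMPORTS = ("System.Data.SqlClient", "javax.servlet.http")
ANNOTATIONS = ("@WebMethod", "@WebService")

# Constructed mini source tree (hypothetical files) so the scan runs offline.
SAMPLE_TREE = {
    "web/Login.aspx.cs": "using System.Data.SqlClient;\npublic partial class Login { }\n",
    "web/Search.java": "import javax.servlet.http.*;\npublic class Search extends HttpServlet { }\n",
    "ws/Orders.java": "@WebService\npublic class Orders { @WebMethod public void list() {} }\n",
    "data/AuthorDAL.cs": "public class AuthorDAL { }\n",
    "util/Strings.java": "public class Strings { }\n",
}

def classify(path, text):
    """Return why a file is a trust-boundary candidate (empty list if it is not)."""
    name = os.path.basename(path)
    checks = [
        ("extension", name.endswith(EXTENSIONS)),
        ("naming", "DAL." in name),                       # the *DAL.* convention
        ("implementation", any(i in text for i in IMPLEMENTATIONS)),
        ("import", any(i in text for i in IMPORTS)),
        ("annotation", any(a in text for a in ANNOTATIONS)),
    ]
    return [reason for reason, hit in checks if hit]

def scan_tree(root):
    """Walk root; map each candidate file ('/'-separated relative path) to its reasons."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            with open(full, encoding="utf-8") as fh:
                reasons = classify(full, fh.read())
            if reasons:
                found[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return found

def scan_sample():
    """Write SAMPLE_TREE into a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_TREE.items():
            os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)
```

On a real checkout, call scan_tree(path) directly; the reasons list tells the reviewer which indicator fired so the list can be triaged before the manual review starts.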
87-90. File Upload/Download Flaws
The value gets validated first time around
File path saved into a hidden field
File path is not validated on post back
Path used without validation
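Added example, not from the deck: the four-step flaw above reduced to path logic, with the vulnerable post-back handler beside a hardened one that validates the hidden field again. The upload root, form dictionaries and tampered value are constructed; nothing is read from disk.

```python
import posixpath as pp

# Directory the application may serve files from (constructed; pure path logic, no disk access).
UPLOAD_ROOT = "/srv/app/uploads"

def validate_path(user_value):
    """Resolve user_value under UPLOAD_ROOT; return the canonical path, or None if it escapes."""
    candidate = pp.normpath(pp.join(UPLOAD_ROOT, user_value))   # absolute input replaces the root
    if pp.commonpath([UPLOAD_ROOT, candidate]) != UPLOAD_ROOT:
        return None
    return candidate

def first_request(form):
    """Slide steps 1-2: the value is validated, then the path is echoed into a hidden field."""
    path = validate_path(form["file"])
    if path is None:
        return None
    return {"hidden_path": path}   # what the page carries in <input type="hidden">

def vulnerable_postback(form):
    """Slide steps 3-4: the hidden field is trusted because it 'was already validated'."""
    return form["hidden_path"]     # handed straight to the file read/write

def hardened_postback(form):
    """Treat the hidden field as fresh client input and validate it again."""
    return validate_path(form["hidden_path"])
```

The hidden field round-trips through the client, so whatever validation ran on the first request proves nothing about the value that comes back.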
92. Reporting
➡ Weakness Metadata
➡ Thorough Description
➡ Recommendation
➡ Assign Priority
SQL Injection:
Location: sourceACMEPortalupdateinfo.aspx.cs:
Description: The code below builds a dynamic SQL statement using unvalidated data (i.e. name), which can lead to SQL Injection
51 SqlDataAdapter myCommand = new SqlDataAdapter(
52     "SELECT au_lname, au_fname FROM author WHERE au_id = '" +
53     SSN.Text + "'", myConnection);
Priority: High
Recommendation: Use parameterized SQL instead of dynamic concatenation, refer to http://msdn.microsoft.com/en-us/library/ff648339.aspx for details.
Owner: John Smith
101. Usage of checklists
➡ Aviation: checklists drove the evolution of modern airplanes after Major Hill’s famous 1934 incident
➡ ICU: usage of checklists brought down infection rates in Michigan by 66%
102. Security Code Review Checklist
➡ Data Validation and Encoding Controls
➡ Encryption Controls
➡ Authentication and Authorization Controls
➡ Session Management
➡ Exception Handling
➡ Auditing and Logging
➡ Security Configurations
103. Resources To Conduct Your Checklist
➡ NIST Checklist Project - http://checklists.nist.gov/
➡ Mozilla’s Secure Coding QA Checklist - https://wiki.mozilla.org/WebAppSec/Secure_Coding_QA_Checklist
➡ Oracle’s Secure Coding Checklist - http://www.oracle.com/technetwork/java/seccodeguide-139067.html