Software Secured
Simplifying Secure
Code Reviews
Sherif Koussa
sherif@softwaresecured.com
BSides Quebec 2013
Monday, 3 June 2013
Security Teams vs. Development Teams
Bio
Principal Consultant @ SoftwareSecured
✓ Application Security Assessment
✓ Application Security Assurance Program Implementation
✓ Application Security Training
Take Aways
➡ Role of Security Code Review
➡ Effective Process
➡ Simplified Process
➡ Key Tools to Use
What This Presentation is NOT...
➡ Ground Breaking Research
➡ New Tool
➡ How to Fix Vulnerabilities
What IS Security Code Review?
➡ The Inspection of Source Code to Find Security Weaknesses
➡ An Activity Integrated into the Software Development Lifecycle
➡ Cross-Team Integration
  ➡ Development Teams
  ➡ Security Teams
  ➡ Project/Risk Management
➡ A Systematic Approach to Uncover Security Flaws
Why Security Code Reviews
➡ Effectiveness of Security Controls
➡ Exercise all code paths
➡ All instances of a vulnerability
➡ Find design flaws
➡ Remediation Instructions
Effective Security Code Review Process
➡ Reconnaissance
➡ Threat Modeling
➡ Automation
➡ Manual Review
➡ Confirmation & Proof-Of-Concept
➡ Reporting
Full SCR Process
Phases: Reconnaissance, Threat Modeling, Automation, Manual Review, Confirmation & PoC, Reporting (supported by Checklists, Tools, Skills)
Reconnaissance:
•Business Goals
•Technology Stack
•Use Case Scenarios
•Network Deployment
Threat Modeling:
•Decompose Application
•Attack Surface
•Major Security Controls
Automation:
•Low Hanging Fruit
•Hot Spots
•Missed Functionalities
•Abandoned Code
Manual Review:
•Security Controls
•High Profile Code
•Custom Rules
Confirmation & PoC:
•Confirmation
•Evidence
Reporting:
•Risk Rating
•Role Based
•Remediation Instructions
Simplified Security Code Review Process
Full process: Reconnaissance, Threat Modeling, Automation, Manual Review, Confirmation & PoC, Reporting (supported by Checklists, Tools, Skills)
Simplified process: Automation, Manual Review, Reporting
Supported by: Checklists, Tools, OWASP Top 10, Trust Boundary Identification
Usages of Simplified Security Code Review
➡ Ideal for Introducing Development Teams To Security Code Reviews
➡ Crossing The Gap Between Security and Development Teams
Skills - OWASP Top 10
➡ A1 Injection
➡ A2 Broken Authentication and Session Management
➡ A3 Cross-Site Scripting (XSS)
➡ A4 Insecure Direct Object References
➡ A5 Security Misconfiguration
➡ A6 Sensitive Data Exposure
➡ A7 Missing Function Level Access Control
➡ A8 Cross-Site Request Forgery (CSRF)
➡ A9 Using Known Vulnerable Components
➡ A10 Unvalidated Redirects and Forwards
OWASP TOP 10 - 2010 vs. OWASP TOP 10 - 2013
(slide legend: unchanged from 2010 / modified / new)

OWASP TOP 10 - 2010                                   OWASP TOP 10 - 2013
A1. Injection                                         A1. Injection
A2. Cross-Site Scripting                              A3. Cross-Site Scripting
A3. Broken Authentication and Session Management      A2. Broken Authentication and Session Management
A4. Insecure Direct Object References                 A4. Insecure Direct Object References
A5. Cross-Site Request Forgery                        A8. Cross-Site Request Forgery
A6. Security Misconfiguration                         A5. Security Misconfiguration
A7. Insecure Cryptographic Storage                    A6. Sensitive Data Exposure (modified: merges 2010 A7 and A9)
A9. Insufficient Transport Layer Protection           
A8. Failure to Restrict URL Access                    A7. Missing Function Level Access Control (modified)
(no 2010 entry)                                       A9. Using Known Vulnerable Components (new)
A10. Unvalidated Redirects and Forwards               A10. Unvalidated Redirects and Forwards
Industry Reports Mapped to OWASP TOP 10 - 2013
(charts: each report's most common finding classes labelled with their OWASP Top 10 - 2013 category)
➡ Veracode Report - 2011: findings labelled A1, A2, A3, A4, A6, A9
➡ Trustwave Report - 2013: findings labelled A1, A3, A4, A7, A8, A9, A10
➡ Whitehat Report - 2012: findings labelled A1, A2, A3, A4, A6, A7
Define Trust Boundary
Trust Boundary - Example
(architecture diagram, built up over several slides)
Internet clients: Browser, SOAP Client, Mobile Client
LAN client: Browser (administration)
Entry points: Front Controller, Web Services, Admin Front Controller
Application tiers: View, Business Objects, Data Access Layer
LAN back ends: DB, LDAP, File System
Trust Boundary - OWASP Top 10
(diagram: the example architecture with each Top 10 category placed on the component where the reviewer should look for it; labels as they appear on the slide: A1, A2 ×3, A3, A4 ×2, A5, A6 ×2, A7, A8, A9 ×5, A10 ×2)
Components: Front Controller, Web Services, Admin Front Controller, View, Business Objects, Data Access Layer, LAN: DB, LDAP, File System
➡ A1 Injection
➡ A2 Broken Authentication and Session Management
➡ A3 Cross-Site Scripting (XSS)
➡ A4 Insecure Direct Object References
➡ A5 Security Misconfiguration
➡ A6 Sensitive Data Exposure
➡ A7 Missing Function Level Access Control
➡ A8 Cross-Site Request Forgery (CSRF)
➡ A9 Using Known Vulnerable Components
➡ A10 Unvalidated Redirects and Forwards
How Can You Identify Trust Boundary?
➡ File Extensions: *.jsp, *.aspx.cs, *.sql, *.txt, *DAL.*, etc.
➡ Implementations: HttpServlet, JAXMServlet, *.master.cs, etc.
➡ Imports: using System.Data.SqlClient, import javax.servlet.http.*, etc.
➡ Tools: Spiders' output
➡ Annotations: @WebMethod, @WebService
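An added example of turning the indicators above into a script (mine, not from the slides): it scores every file in a tree by how many kinds of trust-boundary indicator it hits, so the reviewer starts with the files that are named like entry points, derive from a servlet or page class, and import request or database APIs. The indicator lists, the scoring rule and the sample tree are constructed for the example; extend the lists for your own stack.

```python
import re
from collections import defaultdict

# Trust-boundary indicators, grouped the way the slide groups them.
# These lists are the example's own assumptions, not a complete catalogue.
INDICATORS = {
    "file_pattern": [
        r"\.jsp$", r"\.aspx\.cs$", r"\.asmx\.cs$", r"\.sql$", r"DAL\.", r"\.master\.cs$",
    ],
    "implementation": [
        r"extends\s+HttpServlet\b", r"extends\s+JAXMServlet\b",
        r":\s*System\.Web\.UI\.(Page|MasterPage)\b",
    ],
    "import": [
        r"^\s*using\s+System\.Data\.SqlClient\s*;", r"^\s*import\s+javax\.servlet\.http\.",
        r"^\s*import\s+java\.sql\.",
    ],
    "annotation": [r"@WebMethod\b", r"@WebService\b", r"\[WebMethod\]", r"@RequestMapping\b"],
}

COMPILED = {
    kind: [re.compile(p, re.MULTILINE) for p in pats] for kind, pats in INDICATORS.items()
}


def classify_file(path, source):
    """Return {indicator_kind: [matched patterns]} for one file."""
    hits = defaultdict(list)
    for pat in COMPILED["file_pattern"]:
        if pat.search(path):
            hits["file_pattern"].append(pat.pattern)
    for kind in ("implementation", "import", "annotation"):
        for pat in COMPILED[kind]:
            if pat.search(source):
                hits[kind].append(pat.pattern)
    return dict(hits)


def rank_trust_boundary_files(files):
    """files: {path: source}. Returns [(path, score, hits)] sorted by score desc.
    Score = number of distinct indicator kinds hit: a file that is both named
    like an entry point and imports servlet/SqlClient APIs sorts first.
    (In practice the dict comes from os.walk over the checkout.)"""
    ranked = []
    for path, source in files.items():
        hits = classify_file(path, source)
        if hits:
            ranked.append((path, len(hits), hits))
    ranked.sort(key=lambda t: (-t[1], t[0]))
    return ranked


# Constructed sample tree: paths and contents are invented for the example.
SAMPLE_TREE = {
    "src/web/EditProfile.java": (
        "import javax.servlet.http.*;\n"
        "public class EditProfile extends HttpServlet {\n"
        "  protected void doPost(HttpServletRequest req, HttpServletResponse resp) {}\n}\n"
    ),
    "src/ws/AccountService.java": (
        "import javax.jws.WebService;\n@WebService\npublic class AccountService {\n"
        "  @WebMethod public String balance(String id) { return null; }\n}\n"
    ),
    "Portal/updateinfo.aspx.cs": (
        "using System.Data.SqlClient;\n"
        "public partial class updateinfo : System.Web.UI.Page { }\n"
    ),
    "Portal/Data/CustomerDAL.cs": "using System.Data.SqlClient;\nclass CustomerDAL { }\n",
    "src/util/StringHelper.java": "public class StringHelper { }\n",
}

if __name__ == "__main__":
    for path, score, hits in rank_trust_boundary_files(SAMPLE_TREE):
        print(f"{score} {path}: {sorted(hits)}")
```

The ranking is only a starting order for the manual review: a file with no indicator at all (StringHelper.java above) is not necessarily safe, it just carries no signal that it sits on the boundary, and the spider output from the Tools bullet is the cross-check for entry points the patterns miss.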
Making Unsecure Code Look Unsecure (after Joel Spolsky's "Making Wrong Code Look Wrong")
➡ Physical Source Code Separation.
➡ File Naming Scheme:
  ➡ Trust Boundary Safe: tbsProcessNameChange.java
  ➡ Trust Boundary Unsafe: tbuEditProfile.jsp
➡ Variable Naming Convention (us = unsafe, s = safe):
  ➡ String usEmail = request.getParameter("email");
  ➡ String sEmail = validate(request.getParameter("email"));
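The slide enforces the convention by naming; as an added example (mine, not the slides') the same idea can be pushed into the type system so that misuse fails rather than merely looking wrong: raw input is wrapped in an Unsafe type that refuses to act as a string, and only the validation function produces the plain str that sinks accept. The Unsafe class, validate_email and the query builder are the example's own names.

```python
import re


class Unsafe:
    """A raw value taken from across the trust boundary (request parameter,
    header, file name, ...). It deliberately refuses to behave like a string,
    so concatenating it into SQL, HTML or a path is a visible TypeError
    instead of a silent bug."""

    __slots__ = ("raw", "source")

    def __init__(self, raw, source):
        self.raw = raw
        self.source = source  # e.g. "request.email", kept for the finding report

    def __str__(self):
        # Also reached by f-strings, "%s" and str.format on this object.
        raise TypeError(f"unvalidated input from {self.source} used as a string")

    def __repr__(self):
        return f"Unsafe({self.raw!r}, source={self.source!r})"


EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_email(value):
    """The only way to turn Unsafe into a plain str: allow-list validation.
    Input that does not match is rejected, not 'cleaned up'."""
    if not isinstance(value, Unsafe):
        raise TypeError("validate_email expects Unsafe input; was this value already trusted?")
    if len(value.raw) > 254 or not EMAIL.match(value.raw):
        raise ValueError(f"rejected {value.source}: not a valid e-mail address")
    return value.raw  # plain str == trust-boundary safe


def build_profile_query(email):
    """Sink: a parameterised query that accepts plain str only."""
    if isinstance(email, Unsafe):
        raise TypeError("refusing to build a query from unvalidated input")
    return "SELECT * FROM users WHERE email = ?", (email,)


def handle_request(params):
    """Constructed request handler; params stands in for the raw form dict."""
    us_email = Unsafe(params.get("email", ""), "request.email")  # us = unsafe, as on the slide
    s_email = validate_email(us_email)                             # s = safe
    return build_profile_query(s_email)
```

With the wrapper in place a reviewer greps for `Unsafe(` to find every boundary crossing and for `.raw` to find every place the wrapper is bypassed; both lists should be short and should match the validation functions.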
Automation
Automation: Static Code Analysis
Pros:
➡ Scales Well
➡ Low Hanging Fruit
➡ Could Be Customized
Cons:
➡ False Positives
➡ Application Logic Issues
➡ Collections (data that passes through Session, Request or similar collections is hard for the tool to trace)
➡ Frameworks
Scripts
➡ Complement Static Code Analysis Tools.
➡ 3rd Party Libraries Discovery.
➡ Data Input Sources (e.g. web services)
➡ Tracing Data Through Collections (e.g. Session, Request, Collection)
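An added example of the last bullet (mine, not from the slides): a script that indexes every write to and read from ASP.NET-style collections across a set of files, marks writes whose right-hand side comes from the request, and reports keys that are written from request data in one file and read in another. That cross-file join through a collection is exactly the flow a per-file static analysis tends to lose. The regexes and the sample files are constructed for the example; for Java, substitute session.setAttribute/getAttribute.

```python
import re
from collections import defaultdict

# Collection access patterns (constructed for the example, ASP.NET flavoured).
WRITE = re.compile(r'\b(Session|ViewState|Application)\["([^"]+)"\]\s*=\s*([^;]+);')
READ = re.compile(r'\b(Session|ViewState|Application)\["([^"]+)"\]')
TAINT_SOURCE = re.compile(r'\bRequest\.(Form|QueryString|Cookies|Headers)\b|\bRequest\[')


def index_collections(files):
    """files: {path: source}. Returns {(collection, key): {"writes": [...], "reads": [...]}}
    where a write is (path, line_no, tainted) and a read is (path, line_no)."""
    index = defaultdict(lambda: {"writes": [], "reads": []})
    for path, source in files.items():
        for no, line in enumerate(source.splitlines(), 1):
            w = WRITE.search(line)
            if w:
                coll, key, rhs = w.groups()
                index[(coll, key)]["writes"].append((path, no, bool(TAINT_SOURCE.search(rhs))))
                line = rhs  # only the right-hand side of an assignment can contain reads
            for r in READ.finditer(line):
                coll, key = r.groups()
                index[(coll, key)]["reads"].append((path, no))
    return index


def cross_file_taint(index):
    """Keys written from request data in one file and read in another, as
    (key, writer, reader) triples sorted for stable reporting."""
    findings = []
    for (coll, key), uses in index.items():
        for wp, wn, tainted in uses["writes"]:
            if not tainted:
                continue
            for rp, rn in uses["reads"]:
                if rp != wp:
                    findings.append((f'{coll}["{key}"]', f"{wp}:{wn}", f"{rp}:{rn}"))
    return sorted(findings)


# Constructed sample: an upload page stores a request value in the session,
# a download page later uses it to build a file path.
SAMPLE_TREE = {
    "Upload.aspx.cs": (
        "protected void Page_Load(object sender, EventArgs e) {\n"
        '    Session["uploadDir"] = Request.QueryString["dir"];\n'
        '    Session["user"] = User.Identity.Name;\n'
        "}\n"
    ),
    "Download.aspx.cs": (
        "protected void btnGet_Click(object sender, EventArgs e) {\n"
        '    string path = Path.Combine((string)Session["uploadDir"], fileName);\n'
        "    Response.WriteFile(path);\n"
        "}\n"
    ),
    "Audit.cs": 'void Log() { log.Info(Session["user"]); }\n',
}

if __name__ == "__main__":
    for key, writer, reader in cross_file_taint(index_collections(SAMPLE_TREE)):
        print(f"{key}: written from request at {writer}, read at {reader}")
```

The script does not decide whether the read is exploitable; it hands the reviewer the pair of locations to open side by side, which is the manual step the static tool could not connect.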
Manual Review
What Needs to Be Manually Reviewed?
➡ Authentication & Authorization Controls
➡ Encryption Modules
➡ File Upload and Download Operations
➡ Validation Controls / Input Filters
➡ Security-Sensitive Application Logic
Authentication & Authorization Flaws
(code screenshots)
Web Methods Do Not Follow the Regular ASP.NET Page Life Cycle: a page method marked [WebMethod] is called directly from client script and never runs Page_Init or Page_Load, so an authorization check placed in the page life cycle is bypassed and must be repeated inside the method itself.
Encryption Flaws
(code screenshots; callouts:)
➡ Return value is initialized (to the success value, before the verification runs)
➡ Classic fail-open scenario (an exception on the way to the check leaves the initialized success value in place)
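The flaw behind the callouts, reconstructed in Python as an added example rather than the ASP.NET code in the screenshot: verify_vulnerable pre-sets its result to "valid", parses the payload, and only then compares the MAC inside a try block that swallows everything, so a token whose MAC is not even valid hex raises before the comparison and is accepted with the attacker's payload. verify_hardened fails closed. The token format, key and helper names are the example's own.

```python
import base64
import hashlib
import hmac
import json

KEY = b"example-key-replace-me"  # constructed for the example, not a real secret


def _encode(payload):
    return base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()


def sign_token(payload, key=KEY):
    """token = base64url(json) + '.' + hex(HMAC-SHA256(key, base64url(json)))"""
    body = _encode(payload)
    return f"{body}.{hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}"


def verify_vulnerable(token, key=KEY):
    """Fail-open pattern from the slide: 'valid' starts as True and is only
    flipped when the comparison actually runs and fails. Any exception before
    the comparison (bad split, bad base64, bad JSON, non-hex MAC) is swallowed
    and the caller gets (True, payload)."""
    valid = True
    payload = None
    try:
        body, mac = token.split(".")
        payload = json.loads(base64.urlsafe_b64decode(body))
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(bytes.fromhex(mac), expected):
            valid = False
    except Exception:
        pass  # logged in the real code; the return value is still the initialized True
    return valid, payload


def verify_hardened(token, key=KEY):
    """Fail-closed: rejection is the default path, the MAC is checked before
    the payload is parsed, and every error means rejection."""
    try:
        body, mac = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(bytes.fromhex(mac), expected):
            return False, None
        return True, json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        # binascii.Error and json.JSONDecodeError are both ValueError subclasses
        return False, None


def forge(payload):
    """Attacker's token: a chosen payload with a MAC that is not valid hex,
    so bytes.fromhex raises before the comparison in verify_vulnerable."""
    return f"{_encode(payload)}.zz"


if __name__ == "__main__":
    print(verify_vulnerable(forge({"user": "admin"})))  # accepted: fail-open
    print(verify_hardened(forge({"user": "admin"})))    # rejected
```

When reviewing a verification routine, read it backwards from the return statement: if the value returned on the exception path is the success value, the routine fails open no matter how correct the comparison itself is.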
File Upload/Download Flaws
(code screenshots; callouts:)
➡ The value gets validated first time around
➡ File path saved into a hidden field
➡ File path is not validated on post back
➡ Path used without validation
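The four callouts as a runnable flow, added here as an example in Python rather than the ASP.NET code in the screenshot. The first request validates the requested path and echoes it back in a hidden field; the vulnerable postback handler trusts that field because "it was validated last time", so an edited value walks out of the download root. The hardened handler treats the hidden field as untrusted input on every request and re-resolves it under the root. The download directory, file names and handler names are constructed for the example.

```python
import tempfile
from pathlib import Path

# Constructed download root with one legitimate file, plus a file just outside
# the root that stands in for something like /etc/passwd on the server.
ROOT = Path(tempfile.mkdtemp(prefix="downloads-"))
(ROOT / "reports").mkdir()
(ROOT / "reports" / "q1.pdf").write_text("quarterly report")
SECRET = ROOT.parent / (ROOT.name + "-secret.txt")
SECRET.write_text("db-password")


def resolve_under_root(user_path, root=ROOT):
    """Resolve '..' and symlinks, then require the result to stay inside root.
    Returns the real path or raises ValueError."""
    root = root.resolve()
    candidate = (root / user_path).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"path escapes download root: {user_path!r}")
    if not candidate.is_file():
        raise ValueError(f"not a file: {user_path!r}")
    return candidate


# Request 1: render the page. Both versions validate here ("first time around").
def render_download_form(requested):
    resolve_under_root(requested)
    return {"hidden": {"filePath": requested}}  # path saved into a hidden field


# Request 2: postback.
def postback_vulnerable(form):
    """Path not validated on post back, then used as-is."""
    return (ROOT / form["filePath"]).read_text()


def postback_hardened(form):
    """A hidden field is client-controlled input: validate on every request."""
    return resolve_under_root(form["filePath"]).read_text()


def attack(handler):
    """Attacker edits the hidden field between request 1 and request 2."""
    form = render_download_form("reports/q1.pdf")["hidden"]
    form["filePath"] = "../" + SECRET.name  # traverse one level out of ROOT
    try:
        return handler(form)
    except ValueError as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    print(attack(postback_vulnerable))  # db-password
    print(attack(postback_hardened))    # rejected: path escapes download root: ...
```

A second fix that avoids the problem entirely is to keep the validated path server-side and put only an opaque identifier in the hidden field; either way, the rule for the reviewer is that ViewState, hidden fields and cookies sit on the client side of the trust boundary no matter what the server wrote into them.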
Reporting
Reporting
➡ Weakness Metadata
➡ Thorough Description
➡ Recommendation
➡ Assign Priority

Example finding:
SQL Injection:
Location: source\ACMEPortal\updateinfo.aspx.cs, lines 51-53
Description: The code below builds a dynamic SQL statement using unvalidated data (SSN.Text), which can lead to SQL Injection:
    SqlDataAdapter myCommand = new SqlDataAdapter(
        "SELECT au_lname, au_fname FROM author WHERE au_id = '" +
        SSN.Text + "'", myConnection);
Priority: High
Recommendation: Use parameterized SQL instead of dynamic concatenation; refer to http://msdn.microsoft.com/en-us/library/ff648339.aspx for details.
Owner: John Smith
Confirmation & PoC
(screenshots)
Tools
Security Code Review Tools
➡ Static Code Analysis
  ➡ Free: FindBugs, PMD, CAT.NET, PC-lint, etc.
  ➡ Commercial: see WASC's Static Analysis Technologies Evaluation Criteria (SATEC)
➡ 3rd Party Libraries: DependencyCheck - https://github.com/jeremylong/DependencyCheck
➡ Scripts
Open-Source Static Code Analysis Tools
(tool logos grouped by platform: Java, .NET, C++)
Checklists
Usage of checklists
➡ Aviation: the pre-flight checklist, and with it the modern airplane, followed the 1935 crash of Boeing's Model 299 that killed Major Hill
➡ ICU: usage of checklists brought down infection rates in Michigan by 66%
Security Code Review Checklist
➡ Data Validation and Encoding Controls
➡ Encryption Controls
➡ Authentication and Authorization Controls
➡ Session Management
➡ Exception Handling
➡ Auditing and Logging
➡ Security Configurations
Resources To Conduct Your Checklist
➡ NIST Checklist Project - http://checklists.nist.gov/
➡ Mozilla's Secure Coding QA Checklist - https://wiki.mozilla.org/WebAppSec/Secure_Coding_QA_Checklist
➡ Oracle's Secure Coding Checklist - http://www.oracle.com/technetwork/java/seccodeguide-139067.html
Simplified Security Code Review Process (summary)
Full process: Reconnaissance, Threat Modeling, Automation, Manual Review, Confirmation & PoC, Reporting (supported by Checklists, Tools, Skills)
Simplified process: Automation, Manual Review, Reporting (supported by Checklists, Tools, OWASP Top 10, Trust Boundary Identification)
QUESTIONS?
@skoussa
sherif.koussa@owasp.org
sherif@softwaresecured.com
Static Analysis Security Testing for Dummies... and You
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
 
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
 
SAP NetWeaver Application Server Add-On for Code Vulnerability Analysis Overview
SAP NetWeaver Application Server Add-On for Code Vulnerability Analysis OverviewSAP NetWeaver Application Server Add-On for Code Vulnerability Analysis Overview
SAP NetWeaver Application Server Add-On for Code Vulnerability Analysis Overview
 
Security Code Review: Magic or Art?
Security Code Review: Magic or Art?Security Code Review: Magic or Art?
Security Code Review: Magic or Art?
 
Application Security Workshop
Application Security Workshop Application Security Workshop
Application Security Workshop
 

Similar to Simplified Security Code Review Process

Simplified security code review - BSidesQuebec2013
Simplified security code review - BSidesQuebec2013Simplified security code review - BSidesQuebec2013
Simplified security code review - BSidesQuebec2013BSidesQuebec2013
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security TestingTEST Huddle
 
Who owns Software Security
Who owns Software SecurityWho owns Software Security
Who owns Software SecuritydevObjective
 
Better Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous DeliveryBetter Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous DeliveryTechWell
 
Agnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itAgnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itSecurity BSides London
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityAnne Oikarinen
 
Oh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web AppsOh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web AppsTechWell
 
How to develop an AppSec culture in your project
How to develop an AppSec culture in your project How to develop an AppSec culture in your project
How to develop an AppSec culture in your project 99X Technology
 
Elizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonElizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonDevSecCon
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an IntroductionPrashanth B. P.
 
Measures to ensure Cyber Security in a serverless environment
Measures to ensure Cyber Security in a serverless environmentMeasures to ensure Cyber Security in a serverless environment
Measures to ensure Cyber Security in a serverless environmentFibonalabs
 
Web security: concepts and tools used by attackers
Web security: concepts and tools used by attackersWeb security: concepts and tools used by attackers
Web security: concepts and tools used by attackerstomasperezv
 
Secure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSecure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSebastien Gioria
 
Secure Coding for Java - An introduction
Secure Coding for Java - An introductionSecure Coding for Java - An introduction
Secure Coding for Java - An introductionSebastien Gioria
 
2013 06-27-securecoding-en - jug pch
2013 06-27-securecoding-en - jug pch2013 06-27-securecoding-en - jug pch
2013 06-27-securecoding-en - jug pchSébastien GIORIA
 
Taking Splunk to the Next Level - Manager
Taking Splunk to the Next Level - ManagerTaking Splunk to the Next Level - Manager
Taking Splunk to the Next Level - ManagerSplunk
 
Better Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous DeliveryBetter Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous DeliveryGene Gotimer
 

Similar to Simplified Security Code Review Process (20)

Simplified security code review - BSidesQuebec2013
Simplified security code review - BSidesQuebec2013Simplified security code review - BSidesQuebec2013
Simplified security code review - BSidesQuebec2013
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security Testing
 
Who owns Software Security
Who owns Software SecurityWho owns Software Security
Who owns Software Security
 
Who Owns Software Security?
Who Owns Software Security?Who Owns Software Security?
Who Owns Software Security?
 
Web Security
Web SecurityWeb Security
Web Security
 
Better Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous DeliveryBetter Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous Delivery
 
Agnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itAgnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know it
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software Security
 
Oh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web AppsOh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web Apps
 
How to develop an AppSec culture in your project
How to develop an AppSec culture in your project How to develop an AppSec culture in your project
How to develop an AppSec culture in your project
 
Building an AppSec Culture
Building an AppSec Culture Building an AppSec Culture
Building an AppSec Culture
 
Elizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonElizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unison
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an Introduction
 
Measures to ensure Cyber Security in a serverless environment
Measures to ensure Cyber Security in a serverless environmentMeasures to ensure Cyber Security in a serverless environment
Measures to ensure Cyber Security in a serverless environment
 
Web security: concepts and tools used by attackers
Web security: concepts and tools used by attackersWeb security: concepts and tools used by attackers
Web security: concepts and tools used by attackers
 
Secure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSecure Coding for Java - An Introduction
Secure Coding for Java - An Introduction
 
Secure Coding for Java - An introduction
Secure Coding for Java - An introductionSecure Coding for Java - An introduction
Secure Coding for Java - An introduction
 
2013 06-27-securecoding-en - jug pch
2013 06-27-securecoding-en - jug pch2013 06-27-securecoding-en - jug pch
2013 06-27-securecoding-en - jug pch
 
Taking Splunk to the Next Level - Manager
Taking Splunk to the Next Level - ManagerTaking Splunk to the Next Level - Manager
Taking Splunk to the Next Level - Manager
 
Better Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous DeliveryBetter Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous Delivery
 

Recently uploaded

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 

Recently uploaded (20)

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 

Simplified Security Code Review Process

  • 1. Software Secured. Simplifying Secure Code Reviews. Sherif Koussa, sherif@softwaresecured.com. BSides Quebec 2013. Monday, 3 June, 13
  • 2. Security Teams. Development Teams.
  • 3. Bio (2007, 2009, 2011, 2013): Principal Consultant @ SoftwareSecured ✓ Application Security Assessment ✓ Application Security Assurance Program Implementation ✓ Application Security Training
  • 4-8. Take Aways: Role of Security Code Review; Effective Process; Simplified Process; Key Tools to Use
  • 9. What This Presentation is NOT... ➡ Ground Breaking Research ➡ New Tool ➡ How to Fix Vulnerabilities
  • 10-14. What IS Security Code Review? ➡ The Inspection of Source Code to Find Security Weakness ➡ Integrated Activity into Software Development Lifecycle ➡ Cross-Team Integration: Development Teams, Security Teams, Project Risk Management ➡ Systematic Approach to Uncover Security Flaws
  • 15-20. Why Security Code Reviews: Effectiveness of Security Controls; Exercise all code paths; All instances of a vulnerability; Find design flaws; Remediation Instructions
  • 21-27. Effective Security Code Review Process ➡ Reconnaissance ➡ Threat Modeling ➡ Automation ➡ Manual Review ➡ Confirmation & Proof-Of-Concept ➡ Reporting
  • 28-34. Full SCR Process (Checklists, Tools, Skills). Reconnaissance: Business Goals, Technology Stack, Use Case Scenarios, Network Deployment. Threat Modeling: Decompose Application, Attack Surface, Major Security Controls. Automation: Low Hanging Fruit, Hot Spots, Missed Functionalities, Abandoned Code. Manual Review: Security Controls, High Profile Code, Custom Rules. Confirmation & PoC: Confirmation, Evidence. Reporting: Risk Rating, Role Based, Remediation Instructions.
  • 35-37. Simplified Security Code Review Process: of the full process (Reconnaissance, Threat Modeling, Automation, Manual Review, Confirmation & PoC, Reporting; Checklists, Tools, Skills) keep Automation, Manual Review and Reporting. Checklists and Tools: OWASP Top 10, Trust Boundary Identification.
  • 38. Usages of Simplified Security Code Review (Automation, Manual Review, Reporting; Checklists and Tools: OWASP Top 10, Trust Boundary Identification) ➡ Ideal for Introducing Development Teams To Security Code Reviews ➡ Crossing The Gap Between Security and Development Teams
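The three steps of the simplified process run end to end, as an added Python example that is not the talk's code: a few constructed custom rules stand in for the automation tool, every hit becomes a hot spot in the manual-review queue tagged with its OWASP Top 10 (2013) category, and the reporting step groups the hot spots with a risk rating and a remediation instruction. The rule patterns, risk ratings and sample Java sources are constructed for this example; the hits are reviewer prompts, not confirmed vulnerabilities.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Sort order for the manual-review queue and the report (High first).
RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2}


@dataclass(frozen=True)
class Rule:
    category: str     # OWASP Top 10 - 2013 identifier (A1..A10)
    title: str
    pattern: str      # regular expression applied line by line
    risk: str         # risk rating carried into the report
    remediation: str  # remediation instruction for the developer-facing report


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: Rule
    snippet: str


# Constructed custom rules for this example (not the talk's): crude textual
# detectors that mark hot spots for a human reviewer, not proof of a vulnerability.
RULES = [
    Rule("A1", "Injection",
         r'(executeQuery|executeUpdate|createQuery)\s*\(\s*".*"\s*\+', "High",
         "Bind user input with a PreparedStatement instead of concatenating it into the query."),
    Rule("A3", "Cross-Site Scripting (XSS)",
         r'getWriter\(\)\.(print|println|write)\s*\(.*getParameter', "High",
         "Encode the value for the HTML context before writing it into the response."),
    Rule("A6", "Sensitive Data Exposure",
         r'MessageDigest\.getInstance\(\s*"(MD5|SHA-?1)"', "Medium",
         "Replace MD5/SHA-1; for passwords use a salted, slow password hash."),
    Rule("A10", "Unvalidated Redirects and Forwards",
         r'sendRedirect\s*\(.*getParameter', "Medium",
         "Check the redirect target against an allow-list of local destinations."),
]

# Constructed sample Java sources standing in for the code base under review.
SAMPLE_SOURCE = {
    "src/LoginServlet.java": (
        'String user = request.getParameter("user");\n'
        'Statement st = conn.createStatement();\n'
        'ResultSet rs = st.executeQuery("SELECT * FROM users WHERE name = \'" + user + "\'");\n'
        'MessageDigest md = MessageDigest.getInstance("MD5");\n'
    ),
    "src/SearchServlet.java": (
        'String q = request.getParameter("q");\n'
        'response.getWriter().print("Results for " + request.getParameter("q"));\n'
        'response.sendRedirect(request.getParameter("next"));\n'
    ),
    "src/legacy/OldReport.java": (
        '// abandoned code path, still compiled\n'
        'ResultSet rs = st.executeQuery("SELECT 1");\n'
    ),
}


def scan(sources, rules=RULES):
    """Automation step: run every rule over every line of every file."""
    compiled = [(rule, re.compile(rule.pattern)) for rule in rules]
    findings = []
    for path, text in sources.items():
        for number, line in enumerate(text.splitlines(), start=1):
            for rule, regex in compiled:
                if regex.search(line):
                    findings.append(Finding(path, number, rule, line.strip()))
    return findings


def review_queue(findings):
    """Manual-review step: the hot spots ordered by risk, then by location,
    so the reviewer starts with the high-profile code."""
    return sorted(findings, key=lambda f: (RISK_ORDER[f.rule.risk], f.path, f.line))


def report(findings):
    """Reporting step: one entry per OWASP category with its risk rating,
    the locations to fix and the remediation instruction for the developer."""
    grouped = defaultdict(list)
    for finding in findings:
        grouped[finding.rule.category].append(finding)
    entries = []
    for category, items in grouped.items():
        rule = items[0].rule
        entries.append({
            "category": category,
            "title": rule.title,
            "risk": rule.risk,
            "locations": sorted(f"{f.path}:{f.line}" for f in items),
            "remediation": rule.remediation,
        })
    return sorted(entries, key=lambda e: (RISK_ORDER[e["risk"]], int(e["category"][1:])))


if __name__ == "__main__":
    hits = scan(SAMPLE_SOURCE)
    for f in review_queue(hits):
        print(f"[{f.rule.risk}] {f.rule.category} {f.path}:{f.line}  {f.snippet}")
    for entry in report(hits):
        print(f"{entry['category']} {entry['title']} ({entry['risk']}): "
              f"{', '.join(entry['locations'])} -> {entry['remediation']}")
```

Swapping `SAMPLE_SOURCE` for a walk over a real source tree and `RULES` for the team's own custom rules gives the hot-spot list the manual reviewer starts from.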
  • 39. Skills - OWASP Top 10 ➡ A1 Injection ➡ A2 Broken Authentication and Session Management ➡ A3 Cross-Site Scripting (XSS) ➡ A4 Insecure Direct Object References ➡ A5 Security Misconfiguration ➡ A6 Sensitive Data Exposure ➡ A7 Missing Function Level Access Control ➡ A8 Cross-Site Request Forgery (CSRF) ➡ A9 Using Known Vulnerable Components ➡ A10 Unvalidated Redirects and Forwards
  • 40-41. OWASP TOP 10 - 2010 vs OWASP TOP 10 - 2013 (legend: 2010, Modified, New). 2010: A1. Injection; A2. Cross-Site Scripting; A3. Broken Authentication and Session Management; A4. Insecure Direct Object References; A5. Cross-Site Request Forgery; A6. Security Misconfiguration; A7. Insecure Cryptographic Storage; A8. Failure to Restrict URL Access; A9. Insufficient Transport Layer Protection; A10. Unvalidated Redirects and Forwards. 2013: A1. Injection; A2. Broken Authentication and Session Management; A3. Cross-Site Scripting; A4. Insecure Direct Object References; A5. Security Misconfiguration; A6. Sensitive Data Exposure; A7. Missing Function Level Access Control; A8. Cross-Site Request Forgery; A9. Using Known Vulnerable Components; A10. Unvalidated Redirects and Forwards.
  • 42. Veracode Report - 2011 (chart) against OWASP TOP 10 - 2013; category labels on the chart: A3, A6, A4, A1, A2, A9 (legend: 2010, Modified, New).
  • 43. Trustwave Report - 2013 (chart) against OWASP TOP 10 - 2013; category labels on the chart: A7, A10, A4, A1, A8, A3, A9.
  • 44. Whitehat Report - 2012 (chart) against OWASP TOP 10 - 2013; category labels on the chart: A3, A6, A7, A1, A2, A4.
  • 46-52. Trust Boundary - Example (architecture diagram, built up over seven slides). Diagram elements: Browser, SOAP Client, Mobile Client; Front Controller, Web Services, Admin Front Controller; View, BusinessObjects, DataAccessLayer; DB, LDAP, File System; network zones labelled Internet and LAN.
  • 53-62. Trust Boundary - OWASP Top 10 (the same diagram, built up over ten slides, with each category placed on the components it applies to: Front Controller, Web Services, Admin Front Controller, View, BusinessObjects, DataAccessLayer, and the LAN-side DB, LDAP and File System). On the final slide A2 is placed on three components, A4, A6 and A10 on two each, A9 on five, and the others on one.
    ➡ A1 Injection
    ➡ A2 Broken Authentication and Session Management
    ➡ A3 Cross-Site Scripting (XSS)
    ➡ A4 Insecure Direct Object References
    ➡ A5 Security Misconfiguration
    ➡ A6 Sensitive Data Exposure
    ➡ A7 Missing Function Level Access Control
    ➡ A8 Cross-Site Request Forgery (CSRF)
    ➡ A9 Using Known Vulnerable Components
    ➡ A10 Unvalidated Redirects and Forwards
  • 63-68. How Can You Identify Trust Boundary?
    ➡ File Extensions: *.jsp, *.aspx.cs, *.sql, *.txt, *DAL.*, etc.
    ➡ Implementations: HttpServlet, JAXMServlet, *.master.cs, etc.
    ➡ Imports: Import System.Data.SqlClient, import javax.servlet.http.*, etc.
    ➡ Tools: Spiders' output
    ➡ Annotations: @WebMethods, @WebService
  • 69. Making Unsecure Code Look Unsecure - cc/Joel Spolsky
    ➡ Physical Source Code Separation.
    ➡ File Naming Scheme:
      ➡ Trust Boundary Safe: tbsProcessNameChange.java
      ➡ Trust Boundary UnSafe: tbuEditProfile.jsp
    ➡ Variable Naming Convention:
      ➡ String usEmail = Request.getParameter("email");
      ➡ String sEmail = Validate(Request.getParameter("email"));
  • 71. Automation - Static Code Analysis
    Pros                | Cons
    --------------------|--------------------------
    Scales Well         | False Positives
    Low Hanging Fruit   | Application Logic Issues
    Could Be Customized | Collections
                        | Frameworks
  • 72. Scripts
    ➡ Complement Static Code Analysis Tools.
    ➡ 3rd Party Libraries Discovery.
    ➡ Data Input Sources (e.g. web services)
    ➡ Tracing Data Through Collections (e.g. Session, Request, Collection)
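The trust-boundary indicators from slides 63-68 (file extensions, base classes, imports, annotations) and the "data input sources" script idea from slide 72 can be turned into one small triage script. The following is an added example written for this transcript, not a tool from the talk or from SoftwareSecured; the sample source tree is constructed inline and the indicator regexes are my own reading of the slides.

```python
import re
from typing import Dict, List

# Constructed sample source tree (path -> contents); not real project code.
SAMPLE_TREE: Dict[str, str] = {
    "web/tbuEditProfile.jsp": (
        '<%@ page import="javax.servlet.http.*" %>\n'
        '<% String usEmail = request.getParameter("email"); %>\n'
    ),
    "src/LoginServlet.java": (
        "import javax.servlet.http.*;\n"
        "public class LoginServlet extends HttpServlet {\n"
        '  String user = req.getParameter("user");\n'
        '  Object cart = req.getSession().getAttribute("cart");\n'
        "}\n"
    ),
    "src/ReportService.java": (
        "@WebService\n"
        "public class ReportService {\n"
        "  @WebMethod public String run(String q) { return q; }\n"
        "}\n"
    ),
    "data/UserDAL.cs": "using System.Data.SqlClient;\nclass UserDAL { }\n",
    "src/MathHelper.java": "public class MathHelper { int add(int a, int b) { return a + b; } }\n",
}

# Indicator tables distilled from the slides; the patterns themselves are assumptions.
ENTRY_EXTENSIONS = re.compile(r"\.(jsp|aspx|aspx\.cs|master\.cs|ashx|asmx)$", re.I)
DATA_LAYER_NAMES = re.compile(r"(DAL\.\w+$|\.sql$)", re.I)
IMPLEMENTATIONS = ("HttpServlet", "JAXMServlet")
IMPORTS = ("System.Data.SqlClient", "javax.servlet.http")
ANNOTATIONS = ("@WebMethod", "@WebService")
# Calls that pull data across the boundary (request, session, cookies).
INPUT_SOURCES = re.compile(
    r"\b(getParameter|getHeader|getCookies|getInputStream|"
    r"Request\.(?:Form|QueryString|Params|Cookies)|"
    r"getSession\(\)\.getAttribute|Session\[)"
)


def classify(path: str, text: str) -> Dict[str, List[str]]:
    """Return why a file sits on a trust boundary and which lines read untrusted input."""
    reasons: List[str] = []
    if ENTRY_EXTENSIONS.search(path):
        reasons.append("entry-point file extension")
    if DATA_LAYER_NAMES.search(path):
        reasons.append("data-access naming")
    for base in IMPLEMENTATIONS:
        if re.search(r"\bextends\s+" + base + r"\b", text):
            reasons.append("extends " + base)
    for imp in IMPORTS:
        if re.search(r"^\s*(import|using)\s+" + re.escape(imp), text, re.M):
            reasons.append("imports " + imp)
    for ann in ANNOTATIONS:
        if ann in text:
            reasons.append("annotation " + ann)
    inputs = [
        f"{n}: {line.strip()}"
        for n, line in enumerate(text.splitlines(), 1)
        if INPUT_SOURCES.search(line)
    ]
    return {"reasons": reasons, "input_sources": inputs}


def scan(tree: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """Keep only files with at least one indicator: that is the manual-review worklist."""
    worklist = {}
    for path, text in sorted(tree.items()):
        result = classify(path, text)
        if result["reasons"] or result["input_sources"]:
            worklist[path] = result
    return worklist


if __name__ == "__main__":
    for path, info in scan(SAMPLE_TREE).items():
        print(path, info["reasons"], info["input_sources"])
```

Run against a real checkout by replacing SAMPLE_TREE with a dict built from the files on disk; the point is the output shape, a short list of files with the reason they matter and the exact lines where data enters, which is what the manual review on slide 74 starts from.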
  • 74. What Needs to Be Manually Reviewed?
    ➡ Authentication & Authorization Controls
    ➡ Encryption Modules
    ➡ File Upload and Download Operations
    ➡ Validation Controls / Input Filters
    ➡ Security-Sensitive Application Logic
  • 75-78. Authentication & Authorization Flaws (code screenshots, built up over four slides; the surviving annotation: Web Methods Do Not Follow Regular ASP.NET Page Life Cycle)
  • 79-84. Encryption Flaws (code screenshots, built up over six slides; annotations: Return value is initialized; Classic fail-open scenario)
  • 85-90. File Upload/Download Flaws (code screenshots, built up over six slides; annotations in order: The value gets validated first time around; File path saved into a hidden field; File path is not validated on post back; Path used without validation)
  • 92. Reporting
    ➡ Weakness Metadata
    ➡ Thorough Description
    ➡ Recommendation
    ➡ Assign Priority
    Sample finding:
    SQL Injection
    Location: source\ACMEPortal\updateinfo.aspx.cs
    Description: The code below builds a dynamic SQL statement using unvalidated data (i.e. name), which can lead to SQL Injection
    51 SqlDataAdapter myCommand = new SqlDataAdapter(
    52 "SELECT au_lname, au_fname FROM author WHERE au_id = '" +
    53 SSN.Text + "'", myConnection);
    Priority: High
    Recommendation: Use parameterized SQL instead of dynamic concatenation; refer to http://msdn.microsoft.com/en-us/library/ff648339.aspx for details.
    Owner: John Smith
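The sample finding above recommends parameterized SQL over concatenation. To make the recommendation concrete, here is an added example (not from the talk) that reproduces the slide's query against an in-memory SQLite table and runs it both ways; the author rows are constructed, and SQLite stands in for the SQL Server the original C# targets.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample rows; the column names mirror the query in the finding.
SAMPLE_AUTHORS = [
    ("111-11-1111", "Alpha", "Ann"),
    ("222-22-2222", "Bravo", "Bob"),
    ("333-33-3333", "Charlie", "Cat"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE author (au_id TEXT, au_lname TEXT, au_fname TEXT)")
    conn.executemany("INSERT INTO author VALUES (?, ?, ?)", SAMPLE_AUTHORS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, ssn: str) -> List[Tuple[str, str]]:
    """The finding's lines 52-53, translated: user text is spliced into the statement."""
    sql = "SELECT au_lname, au_fname FROM author WHERE au_id = '" + ssn + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, ssn: str) -> List[Tuple[str, str]]:
    """The recommendation: the value travels as a bound parameter, never as SQL text."""
    sql = "SELECT au_lname, au_fname FROM author WHERE au_id = ?"
    return conn.execute(sql, (ssn,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "222-22-2222"))      # one row either way
    print(lookup_parameterized(db, "222-22-2222"))
    tautology = "' OR '1'='1"                         # the classic reviewer's test value
    print(lookup_vulnerable(db, tautology))           # every row: the weakness
    print(lookup_parameterized(db, tautology))        # no rows: treated as a literal id
```

For the report itself, the value of the example is the last two lines: a one-line demonstration that the concatenated form returns every row for an input that is not a valid id is the "Confirmation & PoC" step that turns a static-analysis hit into an accepted finding.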
  • 93-96. Confirmation & PoC (screenshots, built up over four slides)
  • 98. Security Code Review Tools
    ➡ Static Code Analysis
      ➡ Free: FindBugs, PMD, CAT.net, PCLint, etc.
      ➡ Commercial: see the Static Code Tools Evaluation Criteria (WASC)
    ➡ 3rd Party Libraries: DependencyCheck - https://github.com/jeremylong/DependencyCheck
    ➡ Scripts
  • 99. Open-Source Static Code Analysis Tools (tool logos grouped by language: Java, .NET, C++)
  • 101. Usage of checklists
    ➡ Aviation: checklists drove the evolution of modern airplanes after Major Hill's famous 1934 incident
    ➡ ICU: the use of checklists brought infection rates in Michigan down by 66%
  • 102. Security Code Review Checklist
    ➡ Data Validation and Encoding Controls
    ➡ Encryption Controls
    ➡ Authentication and Authorization Controls
    ➡ Session Management
    ➡ Exception Handling
    ➡ Auditing and Logging
    ➡ Security Configurations
  • 103. Resources To Conduct Your Checklist
    ➡ NIST Checklist Project - http://checklists.nist.gov/
    ➡ Mozilla's Secure Coding QA Checklist - https://wiki.mozilla.org/WebAppSec/Secure_Coding_QA_Checklist
    ➡ Oracle's Secure Coding Checklist - http://www.oracle.com/technetwork/java/seccodeguide-139067.html
  • 104. Simplified Security Code Review Process (process diagram). Steps: Reconnaissance, Threat Modeling, Automation, Manual Review, Confirmation & PoC, Reporting. Supporting pillars: Checklists, Tools, Skills. Call-outs on the diagram: Automation, Manual Review, Reporting, Checklists, Tools, OWASP Top 10, Trust Boundary Identification.
  • 105. QUESTIONS? @skoussa sherif.koussa@owasp.org sherif@softwaresecured.com