SECURE CODE REVIEW: MAGIC OR ART?
A Simplified Approach to Secure Code Review
Sherif Koussa - AppSec USA

Software Secured
ABOUT ME

[Timeline slide: 2006, 2008, 2009, 2011, Today]
TAKE AWAYS

• Components of an effective secure code review process
• Simplified secure code review process
• How to kick off your internal security code review process
WHAT DOES CODE REVIEW DO BEST?

• Systematic approach to uncover security flaws
• Close to 100% code coverage
• Better at finding design flaws
• Find all instances of a certain vulnerability
• The only way to find certain types of vulnerabilities
[Image slide: "How I think I look at the gym" (Usain Bolt, Olympics 2012) vs. "How I actually look"]
HOW DEVELOPERS THINK OF THEIR APPLICATIONS

[Image slide] ... Until S**t Hits The Fan
WHAT ARE WE LOOKING FOR?

• Software Weaknesses
• Application Logic Issues
• Dead/Debug Code
• Misconfiguration Issues
WHAT CONSTITUTES A SUCCESSFUL SECURE CODE REVIEW

Security Code Review Mindset
+
Security Code Review Process
SECURITY CODE REVIEW MINDSET

• Where is the data coming from?
• Original Intent -> Malicious Intent?
• Any mitigating controls?
IMPORTANT ASPECTS IN ANY PROCESS

• Reconnaissance: Understand the app
• Threat Modeling: Enumerate inputs, threats and attack surface
• Automation: Low-hanging fruit
• Manual Review: High-risk modules
• Confirmation and PoC: Weed out false positives and confirm high-risk vulns.
• Reporting: Communication back to the development team.
FULL APPLICATION SECURITY CODE REVIEW PROCESS

[Diagram: a cycle of Reconnaissance, Threat Modelling, Automation, Manual Review, Confirmation & PoC and Reporting, built around Security Skills, Checklists and Tools]
SIMPLIFIED APPLICATION SECURITY CODE REVIEW PROCESS

[Diagram: a cycle of Trust Boundary Identification, Automation, Manual Review and Reporting, built around the OWASP Top 10, Checklists and Tools; annotated "OWASP Top 10 Driven" and "OWASP Cheat Sheets Series"]
DEFINE TRUST BOUNDARY

[Process diagram, Trust Boundary Identification step]
TRUST BOUNDARY

• Trust Boundary is the virtual line where the trust level changes
     • Privileges Change
     • Untrusted Data Received
     • Untrusted Data Sent
     • Application’s Internal State Changes

Source: Writing Secure Code, Second Edition, Michael Howard and David LeBlanc
TRUST BOUNDARY - EXAMPLE

[Architecture diagram. External tier: Browser (over the Internet), SOAP Client, AD Server and Admin Client (over the LAN). Entry points: Front Controller, Web Services, Admin Front Controller. Internal tier: Business Objects, Data Access Layer. Back ends reached over the LAN: DB, LDAP, File System.]
WAYS TO MARK TRUST BOUNDARY

• Physical Source Code Separation.
• Naming Scheme
     • Trust Boundary Safe: tbsProcessNameChange.java
     • Trust Boundary Unsafe: tbuEditProfile.jsp
AUTOMATION

[Process diagram, Automation step]
AUTOMATION

• Super Greps (keyword search)
• Automated Unit-Tests
• Static Code Analysis Tools
AUTOMATION: STATIC CODE ANALYSIS TOOLS

• Security Code Review <> Running a Tool

Pros                       Cons
Scales Well                False Positives
Low Hanging Fruit          Application Logic Issues
Can be Taught New Tricks   Collections
                           Frameworks
OPEN-SOURCE STATIC CODE ANALYSIS TOOLS

[Tool logos, grouped by language: Java, .NET, C++]
AUTOMATION

• SQL Injection
• Cross-Site Scripting
• Parameter Tampering
• Encryption Usage Flaws
• Security Misconfiguration
• External Code Reference
• Log Forging
• Insecure Random Number Generation
• Command Injection
• XML Injection
• XPATH Injection
• LDAP Injection
• Buffer Overflows
CUSTOMIZE YOUR TOOLS!
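As an added example (not from the deck), a small Python "super grep" for the Automation step above that also applies the tbs/tbu naming scheme from slide 17: it keyword-searches constructed sample sources for a few sink patterns behind the weakness classes listed on slide 22 and ranks each hit by whether the file is marked trust-boundary unsafe (tbu) or safe (tbs). The regexes, file names and sample code are my assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Illustrative sink patterns for a subset of the weakness classes on slide 22.
# Assumed regexes, not a complete rule set; the concatenation patterns match
# across line breaks so a query split over several lines (as in the slide 30
# sample) is still caught.
SINK_PATTERNS = {
    "SQL Injection": re.compile(
        r'new\s+Sql(?:Command|DataAdapter)\s*\(\s*"[^"]*"\s*\+'),
    "Command Injection": re.compile(
        r'Runtime\.getRuntime\(\)\.exec\(|Process\.Start\('),
    "XPATH Injection": re.compile(
        r'\.(?:SelectNodes|SelectSingleNode|evaluate)\(\s*"[^"]*"\s*\+'),
    "LDAP Injection": re.compile(
        r'(?:new\s+DirectorySearcher|\.search)\(\s*"[^"]*"\s*\+'),
    "Insecure Random Number Generation": re.compile(
        r'\bnew\s+Random\(|\bMath\.random\('),
}


@dataclass
class Finding:
    weakness: str
    path: str
    line: int
    code: str
    priority: str


def trust_priority(path: str) -> str:
    """Map the tbs/tbu naming scheme (slide 17) to a triage priority."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if name.startswith("tbu"):
        return "High"    # file handles data that has not crossed a validation point
    if name.startswith("tbs"):
        return "Low"     # data is expected to be validated before reaching this file
    return "Medium"      # unmarked file: reviewer must establish the trust level


def super_grep(sources: dict[str, str]) -> list[Finding]:
    """Keyword-search every source file for sink patterns and rank the hits."""
    findings: list[Finding] = []
    for path, text in sources.items():
        lines = text.splitlines()
        priority = trust_priority(path)
        for weakness, pattern in SINK_PATTERNS.items():
            for match in pattern.finditer(text):
                line_no = text.count("\n", 0, match.start()) + 1
                findings.append(Finding(weakness, path, line_no,
                                        lines[line_no - 1].strip(), priority))
    order = {"High": 0, "Medium": 1, "Low": 2}
    findings.sort(key=lambda f: (order[f.priority], f.path, f.line))
    return findings


# Constructed sample sources; the first reuses the concatenated query from the
# slide 30 finding, placed in a file marked as trust-boundary unsafe.
SAMPLE_SOURCES = {
    "source/ACMEPortal/tbuUpdateInfo.aspx.cs": (
        "\n"
        "SqlDataAdapter myCommand = new SqlDataAdapter(\n"
        "    \"SELECT au_lname, au_fname FROM author WHERE au_id = '\" +\n"
        "    SSN.Text + \"'\", myConnection);\n"
    ),
    "source/ACMEPortal/tbsReportJob.cs": (
        "\n"
        "Random rng = new Random();\n"
        "int token = rng.Next();\n"
    ),
    "source/ACMEPortal/DirectorySearch.java": (
        "\n"
        "NamingEnumeration results = ctx.search(\"(uid=\" + user + \")\", ctls);\n"
    ),
}

if __name__ == "__main__":
    for f in super_grep(SAMPLE_SOURCES):
        print(f"[{f.priority}] {f.weakness} at {f.path}:{f.line}: {f.code}")
```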
MANUAL REVIEW

[Process diagram, Manual Review step]
WHAT NEEDS TO BE MANUALLY REVIEWED?

• Authentication & Authorization Controls
• Encryption Modules
• File Upload and Download Operations
• Validation Controls / Input Filters
• Security-Sensitive Application Logic
AUTHENTICATION & AUTHORIZATION FLAWS

[Code screenshot] Web Methods Do Not Follow Regular ASP.NET Page Life Cycle
ENCRYPTION FLAWS

[Code screenshot] There is a possibility of returning empty hashes on error
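The slide's code is a screenshot that did not survive extraction, so here is an added Python reconstruction of the pattern it describes (my illustration, not the deck's code): a hashing wrapper that swallows errors and returns an empty hash, the fail-open comparison that results, and a hardened form that fails closed. The `hash_record_*` and `record_matches_*` names are assumptions.

```python
import hashlib
import hmac

SHA256_HEX_LEN = 64


def hash_record_flawed(data):
    """Flawed wrapper: any error is swallowed and an empty hash is returned."""
    try:
        return hashlib.sha256(data).hexdigest()
    except Exception:
        return ""   # the "empty hash on error" the slide warns about


def record_matches_flawed(stored_digest: str, data) -> bool:
    """Fails open: an empty stored digest matches any input whose hashing errors."""
    return hmac.compare_digest(stored_digest, hash_record_flawed(data))


def hash_record_fixed(data: bytes) -> str:
    """Hardened wrapper: only accepts bytes and lets failures propagate."""
    if not isinstance(data, (bytes, bytearray)):
        raise TypeError("hash input must be bytes, got %s" % type(data).__name__)
    return hashlib.sha256(bytes(data)).hexdigest()


def record_matches_fixed(stored_digest: str, data: bytes) -> bool:
    """Fails closed: a missing or malformed stored digest never matches."""
    if len(stored_digest) != SHA256_HEX_LEN:
        return False
    return hmac.compare_digest(stored_digest, hash_record_fixed(data))


def fixed_rejects(data) -> bool:
    """True when the hardened wrapper refuses the input instead of returning ''."""
    try:
        hash_record_fixed(data)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    # Constructed scenario: a record whose digest was computed while the
    # flawed wrapper hit an error, so "" was persisted as its hash.
    stored = hash_record_flawed(None)           # None is not hashable -> ""
    print(record_matches_flawed(stored, None))  # True: integrity check passes
    print(record_matches_fixed(stored, b"x"))   # False: rejected
```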
FILE UPLOAD/DOWNLOAD FLAWS

[Code screenshot] An attacker can bypass validation control
REPORTING

[Process diagram, Reporting step]
REPORTING

• Weakness Metadata
• Thorough Description
• Recommendation
• Assign Appropriate Priority

Sample finding:

SQL Injection:

Location: source/ACMEPortal/updateinfo.aspx.cs:

Description: The code below builds a dynamic SQL statement using unvalidated data (i.e. name), which can lead to SQL Injection.

    51 SqlDataAdapter myCommand = new SqlDataAdapter(
    52     "SELECT au_lname, au_fname FROM author WHERE au_id = '" +
    53     SSN.Text + "'", myConnection);

Priority: High

Recommendation: Use parameterized SQL instead of dynamic concatenation, refer to http://msdn.microsoft.com/en-us/library/ff648339.aspx for details.

Owner: John Smith
SIMPLIFIED APPLICATION SECURITY CODE REVIEW PROCESS

[Recap: process diagram of Trust Boundary Identification, Automation, Manual Review and Reporting, built around the OWASP Top 10, Checklists and Tools]
QUESTIONS?

sherif.koussa@owasp.com
sherif@softwaresecured.com
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10
 
Secure PHP Coding
Secure PHP CodingSecure PHP Coding
Secure PHP Coding
 
Student Spring 2021
Student Spring 2021Student Spring 2021
Student Spring 2021
 
Static Code Analysis
Static Code AnalysisStatic Code Analysis
Static Code Analysis
 
Security as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development LifecycleSecurity as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development Lifecycle
 
Making DevSecOps a Reality in your Spring Applications
Making DevSecOps a Reality in your Spring ApplicationsMaking DevSecOps a Reality in your Spring Applications
Making DevSecOps a Reality in your Spring Applications
 

Ähnlich wie How to Kickstart Your Internal Secure Code Review Process

[OWASP Poland Day] Security knowledge framework
[OWASP Poland Day] Security knowledge framework[OWASP Poland Day] Security knowledge framework
[OWASP Poland Day] Security knowledge frameworkOWASP
 
Steering a Bullet Train: Owasp Latam Tour BA 2015
Steering a Bullet Train: Owasp Latam Tour BA 2015Steering a Bullet Train: Owasp Latam Tour BA 2015
Steering a Bullet Train: Owasp Latam Tour BA 2015skantos
 
[CONFidence 2016] Glenn ten Cate - OWASP-SKF Making the web secure by design,...
[CONFidence 2016] Glenn ten Cate - OWASP-SKF Making the web secure by design,...[CONFidence 2016] Glenn ten Cate - OWASP-SKF Making the web secure by design,...
[CONFidence 2016] Glenn ten Cate - OWASP-SKF Making the web secure by design,...PROIDEA
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security Rogue Wave Software
 
OWASP-SKF Making the web secure by design - Glenn ten Cate - Codemotion Amste...
OWASP-SKF Making the web secure by design - Glenn ten Cate - Codemotion Amste...OWASP-SKF Making the web secure by design - Glenn ten Cate - Codemotion Amste...
OWASP-SKF Making the web secure by design - Glenn ten Cate - Codemotion Amste...Codemotion
 
Bypassing Secure Boot using Fault Injection
Bypassing Secure Boot using Fault InjectionBypassing Secure Boot using Fault Injection
Bypassing Secure Boot using Fault InjectionRiscure
 
Rapid software testing and conformance with static code analysis
Rapid software testing and conformance with static code analysisRapid software testing and conformance with static code analysis
Rapid software testing and conformance with static code analysisRogue Wave Software
 
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & DefensesSecure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & DefensesRiscure
 
BGOUG 2014 Decrease Your MySQL Attack Surface
BGOUG 2014 Decrease Your MySQL Attack SurfaceBGOUG 2014 Decrease Your MySQL Attack Surface
BGOUG 2014 Decrease Your MySQL Attack SurfaceGeorgi Kodinov
 
Is your SAP system vulnerable to cyber attacks?
Is your SAP system vulnerable to cyber attacks?Is your SAP system vulnerable to cyber attacks?
Is your SAP system vulnerable to cyber attacks?Virtual Forge
 
Agility reboot iv
Agility reboot ivAgility reboot iv
Agility reboot ivAndrew Chum
 
Security as a New Metric for Your Business, Product and Development Lifecycle...
Security as a New Metric for Your Business, Product and Development Lifecycle...Security as a New Metric for Your Business, Product and Development Lifecycle...
Security as a New Metric for Your Business, Product and Development Lifecycle...IT Arena
 
Industrial Challenges of Secure Software Development
Industrial Challenges of Secure Software DevelopmentIndustrial Challenges of Secure Software Development
Industrial Challenges of Secure Software DevelopmentAchim D. Brucker
 
OSS has taken over the enterprise: The top five OSS trends of 2015
OSS has taken over the enterprise: The top five OSS trends of 2015OSS has taken over the enterprise: The top five OSS trends of 2015
OSS has taken over the enterprise: The top five OSS trends of 2015Rogue Wave Software
 
Why 'positive security' is a software security game changer
Why 'positive security' is a software security game changerWhy 'positive security' is a software security game changer
Why 'positive security' is a software security game changerJaap Karan Singh
 
Proactive SQA™ Shifting Left w/Proactive Software Quality Practices
Proactive  SQA™ Shifting Left w/Proactive Software Quality PracticesProactive  SQA™ Shifting Left w/Proactive Software Quality Practices
Proactive SQA™ Shifting Left w/Proactive Software Quality PracticesXBOSoft
 
Seven Deadly Habits of Dysfunctional Software Managers
Seven Deadly Habits of Dysfunctional Software ManagersSeven Deadly Habits of Dysfunctional Software Managers
Seven Deadly Habits of Dysfunctional Software ManagersTechWell
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityAnne Oikarinen
 

Ähnlich wie How to Kickstart Your Internal Secure Code Review Process (20)

[OWASP Poland Day] Security knowledge framework
[OWASP Poland Day] Security knowledge framework[OWASP Poland Day] Security knowledge framework
[OWASP Poland Day] Security knowledge framework
 
Steering a Bullet Train: Owasp Latam Tour BA 2015
Steering a Bullet Train: Owasp Latam Tour BA 2015Steering a Bullet Train: Owasp Latam Tour BA 2015
Steering a Bullet Train: Owasp Latam Tour BA 2015
 
[CONFidence 2016] Glenn ten Cate - OWASP-SKF Making the web secure by design,...
[CONFidence 2016] Glenn ten Cate - OWASP-SKF Making the web secure by design,...[CONFidence 2016] Glenn ten Cate - OWASP-SKF Making the web secure by design,...
[CONFidence 2016] Glenn ten Cate - OWASP-SKF Making the web secure by design,...
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
 
OWASP-SKF Making the web secure by design - Glenn ten Cate - Codemotion Amste...
OWASP-SKF Making the web secure by design - Glenn ten Cate - Codemotion Amste...OWASP-SKF Making the web secure by design - Glenn ten Cate - Codemotion Amste...
OWASP-SKF Making the web secure by design - Glenn ten Cate - Codemotion Amste...
 
Bypassing Secure Boot using Fault Injection
Bypassing Secure Boot using Fault InjectionBypassing Secure Boot using Fault Injection
Bypassing Secure Boot using Fault Injection
 
Rapid software testing and conformance with static code analysis
Rapid software testing and conformance with static code analysisRapid software testing and conformance with static code analysis
Rapid software testing and conformance with static code analysis
 
Security in the Age of Open Source
Security in the Age of Open SourceSecurity in the Age of Open Source
Security in the Age of Open Source
 
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & DefensesSecure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
 
BGOUG 2014 Decrease Your MySQL Attack Surface
BGOUG 2014 Decrease Your MySQL Attack SurfaceBGOUG 2014 Decrease Your MySQL Attack Surface
BGOUG 2014 Decrease Your MySQL Attack Surface
 
Is your SAP system vulnerable to cyber attacks?
Is your SAP system vulnerable to cyber attacks?Is your SAP system vulnerable to cyber attacks?
Is your SAP system vulnerable to cyber attacks?
 
Agility reboot iv
Agility reboot ivAgility reboot iv
Agility reboot iv
 
SDLC & DevSecOps
SDLC & DevSecOpsSDLC & DevSecOps
SDLC & DevSecOps
 
Security as a New Metric for Your Business, Product and Development Lifecycle...
Security as a New Metric for Your Business, Product and Development Lifecycle...Security as a New Metric for Your Business, Product and Development Lifecycle...
Security as a New Metric for Your Business, Product and Development Lifecycle...
 
Industrial Challenges of Secure Software Development
Industrial Challenges of Secure Software DevelopmentIndustrial Challenges of Secure Software Development
Industrial Challenges of Secure Software Development
 
OSS has taken over the enterprise: The top five OSS trends of 2015
OSS has taken over the enterprise: The top five OSS trends of 2015OSS has taken over the enterprise: The top five OSS trends of 2015
OSS has taken over the enterprise: The top five OSS trends of 2015
 
Why 'positive security' is a software security game changer
Why 'positive security' is a software security game changerWhy 'positive security' is a software security game changer
Why 'positive security' is a software security game changer
 
Proactive SQA™ Shifting Left w/Proactive Software Quality Practices
Proactive  SQA™ Shifting Left w/Proactive Software Quality PracticesProactive  SQA™ Shifting Left w/Proactive Software Quality Practices
Proactive SQA™ Shifting Left w/Proactive Software Quality Practices
 
Seven Deadly Habits of Dysfunctional Software Managers
Seven Deadly Habits of Dysfunctional Software ManagersSeven Deadly Habits of Dysfunctional Software Managers
Seven Deadly Habits of Dysfunctional Software Managers
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software Security
 

Kürzlich hochgeladen

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 

Kürzlich hochgeladen (20)

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 

How to Kickstart Your Internal Secure Code Review Process

  • 1. SECURE CODE REVIEW: MAGIC OR ART? A Simplified Approach to Secure Code Review. Sherif Koussa - AppSec USA. Software Secured
  • 3. ABOUT ME (timeline graphic: 2006, 2008, 2009, 2011, Today)
  • 11. TAKE AWAYS • Components of an effective secure code review process • A simplified secure code review process • How to kick off your internal security code review process
  • 17. WHAT DOES CODE REVIEW DO BEST? • Systematic approach to uncover security flaws • Close to 100% code coverage • Better at finding design flaws • Finds all instances of a certain vulnerability • The only way to find certain types of vulnerabilities
  • 22. Usain Bolt - Olympics 2012 ("How I think I look at the gym") vs. "How I actually look"
  • 28. HOW DEVELOPERS THINK OF THEIR APPLICATIONS ... Until S**t Hits The Fan
  • 34. WHAT ARE WE LOOKING FOR? • Software weaknesses • Application logic issues • Dead/debug code • Misconfiguration issues
  • 38. WHAT CONSTITUTES A SUCCESSFUL SECURE CODE REVIEW: Security Code Review Mindset + Security Code Review Process
  • 44. SECURITY CODE REVIEW MINDSET • Where is the data coming from? • Original intent -> malicious intent? • Any mitigating controls?
  • 51. IMPORTANT ASPECTS IN ANY PROCESS • Reconnaissance: understand the app • Threat modeling: enumerate inputs, threats and attack surface • Automation: low-hanging fruit • Manual review: high-risk modules • Confirmation and PoC: weed out false positives and confirm high-risk vulnerabilities • Reporting: communication back to the development team
  • 52. FULL APPLICATION SECURITY CODE REVIEW PROCESS (diagram): Reconnaissance -> Threat Modelling -> Automation -> Manual Review -> Confirmation & PoC -> Reporting, supported throughout by Security Skills, Checklists and Tools
  • 55. SIMPLIFIED APPLICATION SECURITY CODE REVIEW PROCESS (diagram): Trust Boundary Identification -> Automation -> Manual Review -> Reporting. The automation step is OWASP Top 10 driven and backed by OWASP Checklists, the OWASP Cheat Sheet Series and tools
  • 56. DEFINE TRUST BOUNDARY (process step: Trust Boundary Identification)
  • 57. TRUST BOUNDARY • A trust boundary is the virtual line where the trust level changes: • privileges change • untrusted data is received • untrusted data is sent • the application's internal state changes. Source: Writing Secure Code, Second Edition, Michael Howard and David LeBlanc
  • 58. TRUST BOUNDARY - EXAMPLE (architecture diagram with boundaries drawn in step by step). Components: Browser (Internet), Front Controller, Business Objects, Data Access Layer, DB, SOAP Client, Web Services, LDAP / AD Server, File System, Admin Client (LAN), Admin Front Controller
  • 68. WAYS TO MARK TRUST BOUNDARY • Physical source code separation • Naming scheme: trust-boundary safe: tbsProcessNameChange.java; trust-boundary unsafe: tbuEditProfile.jsp
  • 69. AUTOMATION (process step)
  • 70. AUTOMATION • Super greps (keyword search) • Automated unit tests • Static code analysis tools
  • 71. AUTOMATION: STATIC CODE ANALYSIS TOOLS • Security code review <> running a tool
      Pros                       Cons
      Scales well                False positives
      Low-hanging fruit          Application logic issues
      Can be taught new tricks   Collections / frameworks
  • 72. OPEN-SOURCE STATIC CODE ANALYSIS TOOLS (tool logos for Java, .NET and C++)
  • 76. AUTOMATION: what the tools find well • SQL Injection • Cross-Site Scripting • Parameter Tampering • Encryption Usage Flaws • Security Misconfiguration • External Code Reference • Log Forging • Insecure Random Number Generation • Command Injection • XML Injection • XPath Injection • LDAP Injection • Buffer Overflows
  • 77. CUSTOMIZE YOUR TOOLS!
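The following is an added example (not code from the talk or from Software Secured) of the two automation ideas above: a "super grep" keyword search with a rule set you extend per project (the "customize your tools" step), ranked so that files carrying the tbu trust-boundary-unsafe prefix from the naming-scheme slide are reviewed first. The rule patterns, the LegacyDb.RawQuery helper and the three C# sample files are constructed for illustration; they are not from any real project.

```python
"""Minimal 'super grep' for the automation pass of a secure code review.

Added example, not the talk's code: scans source text for a small rule set of
dangerous sinks and weak primitives, then ranks hits so files named with the
tbu* (trust-boundary unsafe) prefix come first. Rules and samples are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Rule set: (rule id, OWASP-style category, regex). Patterns are deliberately
# simple keyword searches: the output is a reviewer worklist, not a verdict.
RULES = [
    ("SQLI-CONCAT", "SQL Injection",
     re.compile(r'(SELECT|INSERT|UPDATE|DELETE)\b[^"\n]*"\s*\+', re.I)),
    ("XSS-WRITE", "Cross-Site Scripting",
     re.compile(r'Response\.Write\s*\(.*Request', re.I)),
    ("CMD-EXEC", "Command Injection",
     re.compile(r'Process\.Start\s*\(')),
    ("WEAK-HASH", "Encryption Usage Flaws",
     re.compile(r'\b(MD5|SHA1)(CryptoServiceProvider)?\b')),
    ("WEAK-RNG", "Insecure Random Number Generation",
     re.compile(r'\bnew\s+Random\s*\(')),
    # Project-specific rule ("customize your tools"): a hypothetical in-house
    # helper that is known to build raw SQL. Invented for this example.
    ("LEGACY-DB", "SQL Injection",
     re.compile(r'\bLegacyDb\.RawQuery\s*\(')),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    category: str
    trust_unsafe: bool   # True when the file name carries the tbu prefix
    text: str


def is_trust_unsafe(path: str) -> bool:
    """Naming scheme from the talk: tbu* = trust-boundary unsafe, tbs* = safe."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.startswith("tbu")


def scan_source(path: str, source: str) -> list[Finding]:
    """Run every rule over every line of one file."""
    unsafe = is_trust_unsafe(path)
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule_id, category, pattern in RULES:
            if pattern.search(line):
                hits.append(Finding(path, lineno, rule_id, category, unsafe, line.strip()))
    return hits


def scan_tree(files: dict[str, str]) -> list[Finding]:
    """Scan a {path: source} mapping; trust-unsafe files first, then by path and line."""
    findings = [f for p, s in files.items() for f in scan_source(p, s)]
    return sorted(findings, key=lambda f: (not f.trust_unsafe, f.path, f.line))


# Constructed sample sources (C# fragments) standing in for a checkout.
SAMPLE_FILES = {
    "src/tbuEditProfile.aspx.cs": (
        'var cmd = new SqlCommand("SELECT * FROM users WHERE name = \'" + Request["name"] + "\'", conn);\n'
        'Response.Write("<b>" + Request["name"] + "</b>");\n'
        'var token = new Random().Next();\n'
    ),
    "src/tbsProcessNameChange.cs": (
        'var cmd = new SqlCommand("UPDATE users SET name = @name WHERE id = @id", conn);\n'
        'cmd.Parameters.AddWithValue("@name", name);\n'
    ),
    "src/Reports.cs": (
        'var h = new MD5CryptoServiceProvider();\n'
        'LegacyDb.RawQuery("SELECT * FROM reports WHERE owner = " + owner);\n'
    ),
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        flag = "TBU" if f.trust_unsafe else "   "
        print(f"{flag} {f.path}:{f.line} [{f.rule}] {f.category}: {f.text}")
```

Every hit still needs the mindset questions from the earlier slide applied by hand (where does the data come from, is there a mitigating control); the parameterized UPDATE in the tbs file produces no hit because the SQL rule only fires on string concatenation next to a query keyword.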
  • 78. MANUAL REVIEW (process step)
  • 79. WHAT NEEDS TO BE MANUALLY REVIEWED? • Authentication & authorization controls • Encryption modules • File upload and download operations • Validation controls / input filters • Security-sensitive application logic
  • 82. AUTHENTICATION & AUTHORIZATION FLAWS (code example on slide): web methods do not follow the regular ASP.NET page life cycle, so authorization checks placed in page events do not run for them
  • 85. ENCRYPTION FLAWS (code example on slide): there is a possibility of returning empty hashes on error
  • 86. FILE UPLOADDOWNLOAD FLAWS 28 Softwar S cur
  • 87. FILE UPLOADDOWNLOAD FLAWS 28 Softwar S cur
  • 88. FILE UPLOADDOWNLOAD FLAWS 28 Softwar S cur
  • 89. FILE UPLOADDOWNLOAD FLAWS An attacker can bypass validation control 28 Softwar S cur
  • 90. REPORTING Trust*Boundary* Iden=fica=on* Automation OWASP* Checklists* Top*10* Tools* Manual Reporting Review 29 Softwar S cur
  • 91. REPORTING • Weakness Metadata • Thorough Description • Recommendation • Assign Appropriate Priority. Example finding:
      SQL Injection
      Location: source/ACMEPortal/updateinfo.aspx.cs, lines 51-53
      Description: The code below builds a dynamic SQL statement using unvalidated data (i.e. name), which can lead to SQL Injection:
          SqlDataAdapter myCommand = new SqlDataAdapter(
              "SELECT au_lname, au_fname FROM author WHERE au_id = '" +
              SSN.Text + "'", myConnection);
      Priority: High
      Recommendation: Use parameterized SQL instead of dynamic concatenation; refer to http://msdn.microsoft.com/en-us/library/ff648339.aspx for details.
      Owner: John Smith
  • 92. SIMPLIFIED APPLICATION SECURITY CODE REVIEW PROCESS [process overview: Trust Boundary Identification, Automation, Manual Review, Reporting; with OWASP Top 10, Checklists, Tools]
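As an added example, not code from the deck, here is a small Python "super grep" of the kind slide 70 lists under automation, run over constructed ASP.NET code-behind files that contain the slide 91 snippet and a parameterized rewrite; it flags ADO.NET SQL sinks whose query is built by string concatenation and records each hit with the metadata the reporting slide asks for (location, priority, recommendation). The file paths, the Finding fields and the SQL_SINKS pattern are my assumptions, not the presenter's.

```python
import re
from dataclasses import dataclass

# ADO.NET sinks that take a SQL string (the API used in the slide's snippet).
SQL_SINKS = re.compile(r"new\s+(SqlCommand|SqlDataAdapter)\s*\(|\.CommandText\s*=")
STRING_LITERAL = re.compile(r'"(?:\\.|[^"\\])*"')

@dataclass
class Finding:
    weakness: str
    location: str       # file:line, the metadata the reporting slide asks for
    evidence: str
    priority: str
    recommendation: str

def super_grep(path: str, text: str) -> list[Finding]:
    """Flag SQL sinks whose query text is built with string concatenation."""
    findings = []
    for m in SQL_SINKS.finditer(text):
        end = text.find(";", m.start())          # statement runs to its ';'
        stmt = text[m.start():end + 1 if end != -1 else None]
        # Blank out literals first, so any remaining '+' is the concatenation operator.
        if "+" in STRING_LITERAL.sub('""', stmt):
            line = text.count("\n", 0, m.start()) + 1
            findings.append(Finding(
                weakness="SQL Injection",
                location=f"{path}:{line}",
                evidence=" ".join(stmt.split()),
                priority="High",
                recommendation="Use parameterized SQL instead of dynamic concatenation.",
            ))
    return findings

# Constructed sample files (hypothetical paths): the slide's vulnerable snippet and a parameterized rewrite.
SAMPLE_FILES = {
    "source/ACMEPortal/updateinfo.aspx.cs": (
        'SqlDataAdapter myCommand = new SqlDataAdapter(\n'
        '    "SELECT au_lname, au_fname FROM author WHERE au_id = \'" +\n'
        '    SSN.Text + "\'", myConnection);\n'
    ),
    "source/ACMEPortal/viewinfo.aspx.cs": (
        'SqlCommand cmd = new SqlCommand(\n'
        '    "SELECT au_lname, au_fname FROM author WHERE au_id = @id", myConnection);\n'
        'cmd.Parameters.AddWithValue("@id", SSN.Text);\n'
    ),
}

def scan_all(files=SAMPLE_FILES) -> list[Finding]:
    return [f for path, text in files.items() for f in super_grep(path, text)]
```

A grep of this kind is the low-hanging-fruit pass from slide 71: it only recognises the concatenation pattern, so hits still go to manual review and a query assembled elsewhere (e.g. via String.Format) is not caught.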