Here are the key things to report:
- Vulnerability type
- Location (file, line number)
- Short description
- Impact
- Recommendation
Provide enough context for developers to understand and fix.
Prioritize vulnerabilities by severity and risk.
29 Software Secure
REPORTING
• Weakness Metadata
SQL Injection:
Location: \source\ACMEPortal\updateinfo.aspx.cs:
Description: The code below builds a dynamic SQL statement using unvalidated data (i.e. name), which can lead to SQL Injection.
- High severity
- Data exposure and system access
- Recommend using parameterized SQL
11. TAKE AWAYS
• Components of an effective secure code review process
• Simplified secure code review process
• How to kickoff your internal security code review process
17. WHAT DOES CODE REVIEW DO BEST?
• Systematic approach to uncover security flaws
• Close to 100% code coverage
• Better at finding design flaws
• Find all instances of a certain vulnerability
• The only way to find certain types of vulnerabilities
51. IMPORTANT ASPECTS IN ANY PROCESS
• Reconnaissance: Understand the app
• Threat Modeling: Enumerate inputs, threats and attack surface
• Automation: Low hanging fruits
• Manual Review: High-risk modules
• Confirmation and PoC: Weed out false positives and confirm high-risk vulns.
• Reporting: Communication back to the development team.
52. FULL APPLICATION SECURITY CODE REVIEW PROCESS
[Process diagram: Reconnaissance, Threat Modelling, Automation, Manual Review, Confirmation & PoC, Reporting; supported by Security Skills, Checklists and Tools]
55. SIMPLIFIED APPLICATION SECURITY CODE REVIEW PROCESS
[Process diagram: Trust Boundary Identification, then Automation (OWASP Top 10 driven, Checklists, Tools, OWASP Cheat Sheets Series), then Manual Review, then Reporting]
56. DEFINE TRUST BOUNDARY
[Process diagram: Trust Boundary Identification, Automation (OWASP Top 10, Checklists, Tools), Manual Review, Reporting]
57. TRUST BOUNDARY
• Trust Boundary is the virtual line where the trust level changes
• Privileges Change
• Untrusted Data Received
• Untrusted Data Sent
• Application’s Internal State Changes
Writing Secure Code, Second Edition, Michael Howard and David LeBlanc
58. TRUST BOUNDARY - EXAMPLE
[Architecture diagram; components: Browser, SOAP Client, Front Controller, Web Services, Admin Front Controller, Admin Client, Business Objects, Data Access Layer, DB, LDAP, AD Server, File System; network zones: Internet, LAN]
68. WAYS TO MARK TRUST BOUNDARY
• Physical Source Code Separation.
• Naming Scheme
• Trust Boundary Safe: tbsProcessNameChange.java
• Trust Boundary UnSafe: tbuEditProfile.jsp
70. AUTOMATION
• Super Greps (keyword Search)
• Automated Unit-Tests
• Static Code Analysis Tools
71. AUTOMATION: STATIC CODE ANALYSIS TOOLS
• Security Code Review <> Running a Tool
Pros:
- Scales Well
- Low Hanging Fruit
- Can be Taught New Tricks
Cons:
- False Positives
- Application Logic Issues
- Collections
- Frameworks
89. FILE UPLOAD/DOWNLOAD FLAWS
An attacker can bypass validation control
90. REPORTING
[Process diagram: Trust Boundary Identification, Automation (OWASP Top 10, Checklists, Tools), Manual Review, Reporting]
91. REPORTING
Report elements called out on the slide:
• Weakness Metadata
• Thorough Description
• Recommendation
• Assign Appropriate Priority
Example finding:
SQL Injection:
Location: \source\ACMEPortal\updateinfo.aspx.cs:
Description: The code below builds a dynamic SQL statement using unvalidated data (i.e. name), which can lead to SQL Injection.
51 SqlDataAdapter myCommand = new SqlDataAdapter(
52     "SELECT au_lname, au_fname FROM author WHERE au_id = '" +
53     SSN.Text + "'", myConnection);
Priority: High
Recommendation: Use parameterized SQL instead of dynamic concatenation, refer to http://msdn.microsoft.com/en-us/library/ff648339.aspx for details.
Owner: John Smith
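The following is an added example, not code from the deck or from Software Secure. It ties three of the slides together: the "super grep" keyword search from the AUTOMATION slides, the tbu/tbs file-naming scheme from WAYS TO MARK TRUST BOUNDARY (used here to assign priority), and the finding layout of the REPORTING slide. The only real input is the three-line SqlDataAdapter snippet copied from the REPORTING slide; the two tbs* files, their paths and all line numbers are constructed for the example, and the priority mapping (tbu and unmarked files High, tbs files Medium) is an assumption, not something the slides state.

```python
"""Added example: keyword search + trust-boundary naming scheme -> findings
in the REPORTING slide's layout. Not code from the slides; paths, line
numbers and the tbs* files are constructed."""
import re
from dataclasses import dataclass

# Constructed C# sources: path -> (line number of the first entry, lines).
# The updateinfo.aspx.cs snippet is the one shown on the REPORTING slide;
# the tbs* files are made up to exercise the naming scheme.
SOURCES = {
    r"\source\ACMEPortal\updateinfo.aspx.cs": (51, [
        'SqlDataAdapter myCommand = new SqlDataAdapter(',
        '    "SELECT au_lname, au_fname FROM author WHERE au_id = \'" +',
        '    SSN.Text + "\'", myConnection);',
    ]),
    r"\source\ACMEPortal\tbsReportJob.cs": (12, [
        'var cmd = new SqlCommand("SELECT * FROM jobs WHERE id = " + jobId, conn);',
    ]),
    r"\source\ACMEPortal\tbsLookup.cs": (30, [
        'var cmd = new SqlCommand("SELECT au_fname FROM author WHERE au_id = @id", conn);',
        'cmd.Parameters.AddWithValue("@id", authorId);',
    ]),
}

# "Super grep": a SqlCommand/SqlDataAdapter whose first argument is a string
# literal immediately followed by '+', i.e. a statement built by concatenation.
# A literal followed by ',' (parameterized query) does not match.
SQL_CONCAT = re.compile(r'new\s+(SqlCommand|SqlDataAdapter)\s*\(\s*"[^"]*"\s*\+')

PRIORITY_ORDER = {"High": 0, "Medium": 1, "Low": 2}


@dataclass
class Finding:
    vuln_type: str
    location: str
    description: str
    priority: str
    recommendation: str
    owner: str = "unassigned"


def priority_for(path: str) -> str:
    """Assumed mapping of the tbu/tbs naming scheme to priority: tbu* files
    receive untrusted data (High); tbs* files sit behind the boundary (Medium);
    unmarked files are treated as untrusted until a reviewer says otherwise."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if name.startswith("tbs"):
        return "Medium"
    return "High"


def scan(sources: dict) -> list:
    """Run the keyword search over every file; return findings, highest
    priority first, so the report is already ordered by severity."""
    findings = []
    for path, (first_line, lines) in sources.items():
        text = "\n".join(lines)
        for m in SQL_CONCAT.finditer(text):
            # Line number of the match = first line + newlines before it.
            line_no = first_line + text.count("\n", 0, m.start())
            findings.append(Finding(
                vuln_type="SQL Injection",
                location=f"{path}:{line_no}",
                description=(f"{m.group(1)} is built by string concatenation; "
                             "unvalidated data can change the SQL statement."),
                priority=priority_for(path),
                recommendation=("Use parameterized SQL instead of dynamic concatenation, "
                                "refer to http://msdn.microsoft.com/en-us/library/"
                                "ff648339.aspx for details."),
            ))
    return sorted(findings, key=lambda f: PRIORITY_ORDER[f.priority])


def format_report(findings: list) -> str:
    """Render findings in the layout of the REPORTING slide."""
    blocks = []
    for f in findings:
        blocks.append("\n".join([
            f"{f.vuln_type}:",
            f"Location: {f.location}",
            f"Description: {f.description}",
            f"Priority: {f.priority}",
            f"Recommendation: {f.recommendation}",
            f"Owner: {f.owner}",
        ]))
    return "\n\n".join(blocks)


if __name__ == "__main__":
    print(format_report(scan(SOURCES)))
```

Running it reports the slide's updateinfo.aspx.cs finding at line 51 as High and the constructed tbsReportJob.cs finding as Medium, while tbsLookup.cs (parameterized) produces nothing. A keyword search of this kind is the "low hanging fruit" step only: it cannot see application-logic issues or statements assembled through collections and frameworks, which is why the deck keeps Manual Review and Confirmation as separate steps.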
92. SIMPLIFIED APPLICATION SECURITY CODE REVIEW PROCESS
[Process diagram: Trust Boundary Identification, Automation (OWASP Top 10, Checklists, Tools), Manual Review, Reporting]