Secure Code Reviews

Information about Secure Code Reviews
Technology

Published on November 23, 2008

Author: marco_morana

Source: slideshare.net


Secure Code Reviews
Marco Morana, Senior Consultant, Foundstone, A Division of McAfee
33rd CSI Conference, DEV-7, November 7th, 2006, Orlando, Florida

Agenda
• Introduction
  – What Secure Code Reviews Are Not
  – Why We Need Secure Code Reviews?
  – Code Reviews
• Concepts and Strategies
  – Secure Code Reviews in the SDLC
  – Threat Modeling
  – Methodology
  – Coding Mistakes
  – Tools
• Tips And Tricks
• Resources

Disclaimers
Secure code reviews are not:
1. A stand-alone activity separate from the SDLC
2. A process that just relies on tools:
   – Managed programming language
   – Automated code analysis
3. A method to rate code as un-attackable:
   – Code not being scrutinized by security experts
   – False sense of security (i.e. false negatives)

Why we need secure code reviews?
1. Compliance with governing policies
2. Assurance that code follows security best practices
3. Security assessment before releasing to QA and production
4. Measurement of the adequacy of security controls to mitigate known threats

Code Reviews
• One to One (peer to peer)
  – Part of the sign-off before handing off to QA
  – Integrated with the check-in process
• Group (team-driven)
  – Advantage of many eyeballs
  – Team members take different roles
Both need preparation and organization.

Code Reviews - Team Code Review Approach
• Optimal scenario: a team of 4 people in a conference room with a whiteboard and projector
• Team Roles
  – Lead Reviewer
  – Narrator
  – Author
  – Subject Matter Experts


Secure Code Reviews in the SDLC

Code reviews in the Software Security Life Cycle
The economics of security defects


Methodology – Secure Code Review Process
1. Build a Threat Model
   – Identify, evaluate and mitigate risks for the particular application
2. Build an Attack Plan
   – Prioritize threats based on criticality
   – Map threats to code artifacts
   – Determine which high-risk areas to focus the effort on, based upon man-hours and costs
3. Code Review
   – Document each vulnerability as a bug or a flaw
   – Review each section of the code for vulnerability categories

What Is Threat Modeling?
• Goal: identify the threats against the system and the appropriate countermeasures to mitigate the risk they pose
• Model the system as an attacker will see it:
  – Where are the entry points?
  – Which assets are targets?
• Recognize the attacker's advantage and the defender's dilemma:
  – Developers need to get the code 100% correct, 100% of the time, with limited resources and development time
  – Attackers need to find just one hole and can spend as much time finding it as they want

Methodology - Secure Code Reviews Best Practices
• Have clear goals
  – Tactical and strategic scenarios (e.g. new release vs. production)
  – Be specific about what must be accomplished
• Decide which analysis style works best
  – Depth-first vs. breadth-first approach
• Prioritize and simplify
  – Prioritize based upon critical areas
  – Break down system complexity
• Be methodical
  – Annotate the code you are reviewing (e.g. comments, IDE task lists)
  – Use checklists

Methodology - Secure Code Reviews
• Reduce complexity
  – Threat modeling
  – Rapid scan
• Review critical sections of the code
  – Correlate and annotate
  – Use IDE tools (e.g. Visual Studio, Eclipse)
• Categorize security defects
  – Threat categorization
  – Checklists
  – Bugs vs. flaws

Methodology - Security Defects Categorization
Security defects can be categorized as:
• Security Bugs – an implementation-level software security problem (e.g. buffer overflows, SQL injection)
• Security Flaws – a design-level software security problem (e.g. an insecure authorization model or data access layer)

Methodology - Threat Categorization
Code is insecure because of the following threats:
• STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege
Code is secured by mapping threats to security controls:
• CIA: Confidentiality, Integrity, Availability

Methodology - Security Frame Categorization
• Configuration Management – issues stemming from insecure deployment and administration
• Data Protection in Storage and Transit – lack of adequate protection for secrets and other sensitive data
• Authentication – lack of strong protocols to verify the identity of a component outside the trust boundary
• Authorization – lack of mechanisms to enforce access controls on protected resources within the system

Methodology – Security Frame Categorization
• User and Session Management – lack of mechanisms to maintain session independence between multiple logged-on users, and insecure user provisioning and de-provisioning policies
• Data Validation – lack of input and output validation when data crosses system or trust boundaries
• Error Handling and Exception Management – failure to deal with exceptions effectively and in a secure manner, resulting in unauthorized disclosure of information
• Logging and Auditing – failure to maintain detailed and accurate application logs that allow for traceability and non-repudiation

Methodology - Secure Code Review Findings
• Sections of a finding:
  – Bug vs. Flaw
  – Threat Categorization
  – Risk Rating
  – Module and LOC range
  – Code Snippet
  – Commendation or Recommendation
• Recommendations are often not limited to the code but cover the design and the deployment environment as well!


Coding Mistakes - Configuration Management

    # credentials for the application database
    # (clear-text database password checked in with the properties file)
    datasource.name=jdbc_1
    datasource.url=jdbc:oracle:thin:@dhs:1521:ORA1
    datasource.classname=oracle.jdbc.driver.OracleDriver
    datasource.username=scott
    datasource.password=tiger

Coding Mistakes - Configuration Management

    <!-- request validation disabled, debug build, raw errors and trace output exposed to remote clients -->
    <pages validateRequest="false"/>
    <!-- DYNAMIC DEBUG COMPILATION -->
    <compilation defaultLanguage="c#" debug="true"/>
    <!-- CUSTOM ERROR MESSAGES -->
    <customErrors mode="Off"/>
    <!-- APPLICATION-LEVEL TRACE LOGGING -->
    <trace enabled="true" requestLimit="10" pageOutput="true" traceMode="SortByTime" localOnly="false"/>

Coding Mistakes - Data Protection in Storage and Transit

    // symmetric key hard-coded in the class (recoverable from the binary)
    final public static byte key[] =
        {(byte) 0x31, (byte) 0xAB, (byte) 0x05, (byte) 0xF7,
         (byte) 0x45, (byte) 0x65, (byte) 0x98, (byte) 0xAB};
    try
    {
        encryptor.setKey(key);
        plainText = new String(encryptor.decrypt(text));
    }
    catch (Throwable te)
    {
        […]
    }

Coding Mistakes - Data Protection in Storage and Transit

    // unsalted MD5 used as the password digest
    public static String digest(String password) throws NoSuchAlgorithmException {
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        byte[] hash = md5.digest(password.getBytes());
        return makeStringFromBytes(hash);
    }
    public static String makeStringFromBytes(byte[] bytes) {
        String result = "";
        for (int i = 0; i < bytes.length; ++i) {
            int n = bytes[i] & 0xff;
            result = result + " " + Integer.toHexString(n);
        }
        return result;
    }

Coding Mistakes - Authentication

    // remaining login attempts tracked in a client-controlled cookie
    HttpCookie MyCookie;
    MyCookie = Request.Cookies["CookieLoginAttempts"];
    MyCookie.Expires = DateTime.Now.AddHours(10);
    //decrement
    int logInAtt = Convert.ToInt32(MyCookie.Value.ToString());
    int CookieVal = int.Parse(MyCookie.Value.ToString());
    if (CookieVal > 0)
        CookieVal -= 1;
    //store in response cookie
    HttpCookie AttemptCntCookie = new HttpCookie("CookieLoginAttempts");
    AttemptCntCookie.Value = CookieVal.ToString();

Coding Mistakes - Authorization

    <!-- validation switches and the price live in hidden client-side fields -->
    <input value="true" type="HIDDEN" bean="thisFormHandler.verifyCreditCardNumber"/>
    <input value="true" type="HIDDEN" bean="thisFormHandler.validatePrice"/>
    <FORM method=post action="http://www.acme.com/cgi-bin/shop/shoppingcart.exe/products/telephonedevices">
    <b><font size="5">Sale Price $169.95!</font></b><BR>
    <input type="HIDDEN" name="ID" value="PESL100">
    <input type="HIDDEN" name="Describe" value="Pro Series Telephone Analyzer">
    <input name="Qty" size=3 value=""> Quantity <BR>
    <input type="HIDDEN" name="Price" VALUE="169.95">

Coding Mistakes - Authorization

    // authorization decided only at the presentation layer: the menu simply
    // omits the edit/delete links for non-CSR users
    if (sess.getCurrentUser().isCSR()) {
        URLList.add("View Customer Details",
                    "/jsp/Customer.do?action=view&id=" + custId);
        URLList.add("Edit Customer Details",
                    "/jsp/Customer.do?action=edit&id=" + custId);
        URLList.add("Delete Customer",
                    "/jsp/Customer.do?action=delete&id=" + custId);
    } else {
        URLList.add("View Customer Details",
                    "/jsp/Customer.do?action=view&id=" + custId);
    }

Coding Mistakes - User and Session Management

    HTTP/1.1 302 Found
    Date: Tue, 21 Feb 2006 19:16:08 GMT
    Server: Apache/2.0.46 (Red Hat)
    Accept-Ranges: bytes
    X-Powered-By: PHP/4.3.2
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Set-Cookie: userid=mmorana; expires=Thu, 01-Jun-2006 19:16:08 GMT; path=/
    Set-Cookie: password=xxxxxxx; expires=Thu, 01-Jun-2006 19:16:08 GMT; path=/
    Set-Cookie: communityid=202; expires=Thu, 01-Jun-2006 19:16:08 GMT; path=/

Coding Mistakes - Data Validation

    public List getProductsByTitleKeyWords(String[] keywords)
    {
        JdbcTemplate jt = new JdbcTemplate(getDataSource());
        // user-supplied keywords are concatenated straight into the SQL text
        String query = "select * from products where " + createCriteria(keywords);
        List list = jt.query(query, new ProductRowMapper());
        Iterator iter = list.iterator();
        while (iter.hasNext()) {
            Product prod = (Product) iter.next();
            prod.setFeedback(getFeedBacks(prod));
        }
        return list;
    }
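The slide shows only the concatenating caller, not createCriteria(). The example below is added here and is not from the deck: it reconstructs that concatenation in Python over a constructed in-memory SQLite "products" table (an assumption standing in for the Oracle schema) and puts the parameterized form beside it, so a reviewer can see that a keyword containing an ordinary quote already breaks the concatenated query while the bound version handles it.

```python
import sqlite3

# Constructed sample rows standing in for the deck's "products" table.
PRODUCTS = [
    (1, "Pro Series Telephone Analyzer"),
    (2, "O'Brien Line Tester"),
    (3, "Desk Telephone"),
]


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table products (id integer primary key, title text)")
    conn.executemany("insert into products values (?, ?)", PRODUCTS)
    return conn


def create_criteria_unsafe(keywords):
    # Assumed reconstruction of the slide's createCriteria(): keywords spliced into SQL text.
    return " or ".join("title like '%" + k + "%'" for k in keywords)


def get_products_unsafe(conn, keywords):
    # The pattern on the slide: the statement is assembled by string concatenation,
    # so any quote in the data is parsed as part of the SQL.
    query = "select id, title from products where " + create_criteria_unsafe(keywords)
    return conn.execute(query).fetchall()


def get_products_safe(conn, keywords):
    # Hardened form: one placeholder per keyword; values are bound separately
    # and can never change the structure of the statement.
    if not keywords:
        return []
    criteria = " or ".join("title like ?" for _ in keywords)
    params = ["%" + k + "%" for k in keywords]
    return conn.execute("select id, title from products where " + criteria, params).fetchall()


def compare(keywords):
    """Run both versions; return (unsafe_query_failed, rows_from_safe_query)."""
    conn = open_sample_db()
    try:
        get_products_unsafe(conn, keywords)
        unsafe_failed = False
    except sqlite3.OperationalError:
        unsafe_failed = True
    return unsafe_failed, get_products_safe(conn, keywords)


if __name__ == "__main__":
    print(compare(["Telephone"]))  # both queries work on a plain keyword
    print(compare(["O'Brien"]))    # the concatenated query fails on a legitimate apostrophe
```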

Coding Mistakes - Error Handling And Exception Handling

    try
    {
        ElevatePrivilege();
        ReadSecretFile();
        LowerPrivilege();   // never reached if ReadSecretFile() throws
    }
    catch(Exception e)
    {
        ReportException();  // privilege is still elevated here
    }

Coding Mistakes - Error Handling And Exception Handling

    Error Message: executeRSProcedure
    Exception: Java.sql.SQLException: ORA-06502: PL/SQL: numeric or value error: character to number conversion error
    Server Name: host1.acme.com
    Server Info: IBM WebSphere Application Server/5.1
    Remote Address: 192.168.12.34

Coding Mistakes - Error Handling And Exception Handling
• "The password is invalid for the account"
• "The username does not exist"
• "The DOB you entered is invalid"
• "Your account has been locked due to too many invalid attempts"

Coding Mistakes - Logging And Auditing

    private void btnLogin_Click(object sender, System.EventArgs e) {
        //..
        // clear-text password written to the application log
        LogString("User " + txtUserName.Text + " with password " + txtPassword.Text + " logged in at " + DateTime.Now.ToString());
        //..
        DataSet ds = GetUserTable();
        //..
        Logdata(ds);
        //..
    }


Tools - Tools for Static Code Analysis
Advantages:
• Perform preliminary scanning of large code sets in little time
• Provide consistent results
• Can be used as a secure code check-in gateway
• Identify common coding bugs (low-hanging fruit)

Tools - Tools for Static Code Analysis
Common bugs identified by static parsers:
• Insecure functions
• Lack of proper input validation and output filtering
• Weak crypto algorithms
• Exception handling errors
• Hard-coded passwords, keys, connection strings

Tools - Tools for Static Code Analysis
Disadvantages:
• Do not identify security flaws
• Generate a large amount of false positives
• Provide a false sense of security
Examples:
• ITS4
• RATS
• FlawFinder
• CodeAssure
• PreFIX/PreFAST
• Foundstone CodeScout
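The two slides above describe what a static parser catches (hard-coded secrets, weak crypto, concatenated SQL, credentials in logs) and the earlier "Findings" slide lists the sections a finding should carry. The following is an added example, not a tool from the deck or from Foundstone: a minimal pattern-based scanner in Python whose rules are modelled on the deck's own coding-mistake snippets and whose output is shaped like the deck's finding record (bug/flaw, security frame category, STRIDE threat, risk, module and line, snippet, recommendation). The sample input is constructed for the example; the rules are deliberately simple and, like any such parser, can only flag implementation bugs, never design flaws.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    module: str
    line: int
    kind: str            # "Bug" (implementation) or "Flaw" (design); a parser only finds bugs
    category: str        # security frame category, as on the deck's categorization slides
    threat: str          # STRIDE threat
    risk: str
    snippet: str
    recommendation: str


# Each rule: (regex, security frame category, STRIDE threat, risk rating, recommendation).
RULES = [
    (re.compile(r'\bpassword\s*=\s*\S', re.I),
     "Configuration Management", "Information Disclosure", "High",
     "Move the credential out of source and config files into a protected secret store"),
    (re.compile(r'\b(debug="true"|validateRequest="false"|customErrors\s+mode="Off")', re.I),
     "Configuration Management", "Information Disclosure", "Medium",
     "Harden production web.config: debug off, custom errors on, request validation on"),
    (re.compile(r'\bbyte\s+\w+\[\]\s*=\s*\{'),
     "Data Protection in Storage and Transit", "Information Disclosure", "High",
     "Do not hard-code cryptographic keys; load them from a key store at runtime"),
    (re.compile(r'getInstance\(\s*"(MD5|SHA-?1)"\s*\)'),
     "Data Protection in Storage and Transit", "Tampering", "Medium",
     "Use a salted, iterated password hash rather than a bare digest"),
    (re.compile(r'\bselect\b[^"]*"\s*\+', re.I),
     "Data Validation", "Tampering", "High",
     "Use parameterized queries; never concatenate untrusted input into SQL"),
    (re.compile(r'\bLog\w*\(.*password', re.I),
     "Logging and Auditing", "Information Disclosure", "High",
     "Never write credentials to application logs"),
]


def scan(module, source):
    """Return one Finding per (line, rule) match, in source order."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for rx, category, threat, risk, fix in RULES:
            if rx.search(text):
                findings.append(Finding(module, lineno, "Bug", category, threat,
                                        risk, text.strip(), fix))
    return findings


def report(findings):
    """Render each finding with the sections the deck's findings slide lists."""
    return [f"[{f.kind}] {f.category} / {f.threat} / {f.risk} risk at {f.module}:{f.line}\n"
            f"    {f.snippet}\n    Recommendation: {f.recommendation}" for f in findings]


# Constructed sample modelled on the deck's coding-mistake snippets (not real project code).
SAMPLE = """\
datasource.username=scott
datasource.password=tiger
<compilation defaultLanguage="c#" debug="true"/>
<customErrors mode="Off"/>
final public static byte key[] = {(byte) 0x31, (byte) 0xAB};
MessageDigest md5 = MessageDigest.getInstance("MD5");
String query = "select * from products where " + createCriteria(keywords);
LogString("User " + user + " with password " + pwd + " logged in");
"""

if __name__ == "__main__":
    print("\n".join(report(scan("sample.txt", SAMPLE))))
```

The first sample line (a username) produces no finding, which is the kind of negative case worth keeping in a rule set to watch the false-positive rate the slide warns about.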

Tools - Tools for Dynamic Analysis
Advantages:
• Integrate with debuggers and IDEs
• Monitor access to resources (files, libraries, data, registry keys)
• Monitor network access
• Help identify data flows
Examples:
• CLR Profiler
• NProf
• Sysinternals Tools – FileMon, RegMon
• Foundstone .NETMon

Tips And Tricks
1. Have a plan
   – Focus on clear objectives
   – Organize the team
   – Review incrementally
2. Follow a methodology
   – Identify threats and countermeasures
   – Use vulnerability checklists and tools
   – Categorize security defects

Tips And Tricks
3. Integrate with other activities in the S-SDLC
   – Information risk management
   – Metrics and measurements
   – Training and awareness
4. Revise the plan and the process
   – Threats and vulnerabilities
   – New techniques
   – People, process and technology

Questions?

Resources
• Software Security Code Review: Code Inspection Finds Problems, R. Araujo and M. Curphey – http://www.softwaremag.com
• A Process for Performing Security Code Reviews, M. Howard – http://www.computer.org
• How To: Perform a Security Code Review for Managed Code, Microsoft Patterns & Practices – http://msdn.microsoft.com

Contact Information
• Presenter Email: marco.morana@foundstone.com
• Foundstone Software Application Security Services (SASS) – www.foundstone.com/sass
• Foundstone Training – www.foundstone.com/education
