CERT Secure Coding OWASP Education Nishi Kumar Computer based training


CERT Secure Coding
OWASP Education - Computer based training
Nishi Kumar, IT Architect Specialist, FIS; Chair, Software Security Forum at FIS; OWASP CBT Project Lead; OWASP Global Industry Committee
Nishi.Kumar@owasp.org
Contributor and Reviewer: Keith Turpin

Objectives
- Understand CERT Secure Coding
- Understand the CERT Secure Coding Standards

CERT Secure Coding goals
- Reduce vulnerabilities resulting from coding errors
- Identify common programming errors that lead to software vulnerabilities
- Establish secure coding standards
- Educate software developers to advance the state of the practice in secure coding

CERT Secure Coding Standards
- Establish coding guidelines for commonly used programming languages that can be used to improve the security of software systems under development
- Based on documented standard language versions as defined by official or de facto standards organizations
- Secure coding standards are under development for:
  - The CERT C Secure Coding Standard, Version 2.0
  - The CERT C++ Secure Coding Standard
  - The CERT Oracle Secure Coding Standard for Java

The CERT Oracle Secure Coding Standard for Java (rule sections, part 1)
00. Input Validation and Data Sanitization (IDS)
01. Declarations and Initialization (DCL)
02. Expressions (EXP)
03. Numeric Types and Operations (NUM)
04. Object Orientation (OBJ)
05. Methods (MET)
06. Exceptional Behavior (ERR)
07. Visibility and Atomicity (VNA)

The CERT Oracle Secure Coding Standard for Java (rule sections, part 2)
08. Locking (LCK)
09. Thread APIs (THI)
10. Thread Pools (TPS)
11. Thread-Safety Miscellaneous (TSM)
12. Input Output (FIO)
14. Platform Security (SEC)
15. Runtime Environment (ENV)
16. Serialization (SER)
49. Miscellaneous (MSC)

IDS01-J. Sanitize untrusted data passed across a trust boundary
Noncompliant Code Example

The user name arrives from an untrusted caller and is spliced directly into the query text. A quote character in the value terminates the string literal, and whatever follows is parsed as SQL, so an attacker can rewrite the WHERE clause and authenticate without the password (SQL injection).

    public void doPrivilegedAction(String username, char[] password)
            throws SQLException {
        Connection connection = getConnection();
        if (connection == null) {
            // handle error
        }
        String pwd = hashPassword(password);
        // Untrusted username concatenated into SQL text: injectable
        String sqlString = "SELECT * FROM db_user WHERE username = '"
            + username + "' AND password = '" + pwd + "'";
        Statement stmt = connection.createStatement();
        ResultSet rs = stmt.executeQuery(sqlString);
        if (!rs.next()) {
            throw new SecurityException("User name or Password incorrect");
        }
        // Authenticated; proceed
    }

IDS01-J. Sanitize untrusted data passed across a trust boundary
Compliant Solution (PreparedStatement)

The query text is fixed and the untrusted values are bound as parameters, so the driver sends them as data rather than as SQL. The user name is also checked against a length limit before it is used.

    import java.sql.Connection;
    import java.sql.PreparedStatement;
    import java.sql.ResultSet;
    import java.sql.SQLException;

    class Login {
        public void doPrivilegedAction(String username, char[] password)
                throws SQLException {
            Connection connection = getConnection();
            if (connection == null) {
                // handle error
            }
            String pwd = hashPassword(password);
            // Ensure that the length of the user name is legitimate
            if (username.length() >= 8) {
                // Handle error
            }
            // Fixed query text; values are supplied as bound parameters
            String sqlString =
                "select * from db_user where username=? and password=?";
            PreparedStatement stmt = connection.prepareStatement(sqlString);
            stmt.setString(1, username);
            stmt.setString(2, pwd);
            ResultSet rs = stmt.executeQuery();
            if (!rs.next()) {
                throw new SecurityException("User name or Password incorrect");
            }
            // Authenticated; proceed
        }
    }
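The following is an added, runnable illustration of the two slides above and is not code from the presentation or from CERT. It restates the noncompliant and compliant Java logins in Python against an in-memory SQLite table so the effect can be observed offline: the concatenated query is bypassed by a constructed user name, while the parameterised query with the same length check is not. The table contents, the user name hash_password (an unsalted SHA-256 stand-in for the slide's hashPassword()) and the helper names are all assumptions made for the demo.

```python
"""Added example: SQL injection through string concatenation versus a
parameterised query, mirroring the IDS01-J noncompliant/compliant pair.
Not part of the original slides; uses Python's sqlite3 for a self-contained run."""
import hashlib
import sqlite3


def hash_password(password: str) -> str:
    """Stand-in for the slide's hashPassword(). An unsalted SHA-256 keeps the
    demo dependency-free; production code needs a salted, slow password hash
    (bcrypt, scrypt or Argon2)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory db_user table with one account (bob / 'hunter2')."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE db_user (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO db_user VALUES (?, ?)", ("bob", hash_password("hunter2")))
    conn.commit()
    return conn


def login_noncompliant(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Mirrors the noncompliant Java: the untrusted user name is spliced into SQL text."""
    pwd = hash_password(password)
    sql = ("SELECT * FROM db_user WHERE username = '" + username
           + "' AND password = '" + pwd + "'")
    return conn.execute(sql).fetchone() is not None


def login_compliant(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Mirrors the compliant Java: length check, then bound parameters."""
    if len(username) >= 8:  # same length policy as the slide
        raise ValueError("user name too long")
    pwd = hash_password(password)
    sql = "SELECT * FROM db_user WHERE username = ? AND password = ?"
    # The driver passes username and pwd as data, never as SQL text, so a quote
    # or a comment marker in the user name cannot change the statement.
    return conn.execute(sql, (username, pwd)).fetchone() is not None


def demo() -> dict:
    """Run both versions against an honest login and a crafted user name."""
    conn = make_demo_db()
    # Constructed attack value: the quote closes the literal and "--" comments
    # out the password comparison, leaving  WHERE username = 'bob'
    injected = "bob'--"
    results = {
        "honest_login_noncompliant": login_noncompliant(conn, "bob", "hunter2"),
        "wrong_password_noncompliant": login_noncompliant(conn, "bob", "wrong"),
        "injection_bypasses_noncompliant": login_noncompliant(conn, injected, "wrong"),
        "honest_login_compliant": login_compliant(conn, "bob", "hunter2"),
        "injection_against_compliant": login_compliant(conn, injected, "wrong"),
    }
    try:
        login_compliant(conn, "a" * 8, "x")
        results["overlong_name_rejected"] = False
    except ValueError:
        results["overlong_name_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script shows the noncompliant login accepting "bob'--" with a wrong password, while the compliant version returns False for the same input and raises for an over-long name; the length check on its own would not have stopped a six-character payload, which is why the parameter binding, not the validation, is the actual fix.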

References
- CERT - www.cert.org
  The CERT® Program is part of the Software Engineering Institute (SEI). CERT's primary objectives include analyzing and communicating the state of internet security through its US-CERT Vulnerability Notes Database and improving software security with its secure coding practices publications.
- US-CERT Vulnerability Notes Database - http://www.kb.cert.org/vuls/
- CERT Secure Coding Practices - http://www.cert.org/secure-coding/

Speaker notes: The CERT® Program is part of the Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania. Following the Morris worm incident, which brought 10 percent of internet systems to a halt in November 1988, the Defense Advanced Research Projects Agency (DARPA) charged the SEI with setting up a center to coordinate communication among experts during security emergencies and to help prevent future incidents. This center was named the CERT Coordination Center (CERT/CC). One of CERT's primary objectives is to analyze the state of internet security and convey that information to the internet community. The CERT/CC monitors public sources of vulnerability information and regularly receives reports of vulnerabilities. CERT manages the US-CERT Vulnerability Notes Database, a list of serious, publicly disclosed commercial software vulnerabilities (http://www.kb.cert.org/vuls/). As part of its work to influence vendors to improve the basic, as-shipped security of their products, CERT analysts evaluate the root causes of vulnerabilities and establish secure coding practices (http://www.cert.org/secure-coding/). CERT also provides useful tools and training material.