Presented by Heorot.net. • Understand abilities and limitations of code reviews • Identify potentially “bad” code • Identify and use code review tools.

Presentation transcript:

Presented by Heorot.net

• Understand abilities and limitations of code reviews
• Identify potentially “bad” code
• Identify and use code review tools

* We will not discuss how to exploit code, just identify weak code

• There is a lot of code to review
  ○ Nobody can review all code by themselves
• You can only affect the program where the user interfaces with the application
  ○ Definitely true with remote servers
  ○ Mostly true with local systems
• You need to understand code
• You need to understand how people exploit code
• Understand that most coders do not know how to program securely – you become the expert
• Expect a lot of false positives

• Code reviews: (PenTest review) != (software development review)
• Set a time limit
  ○ Code reviews take a lot of time
• Pair up with someone if possible
• Establish a very small scope
• Know your threats
• Obfuscation does not work
  ○ Often used to hide hard-coded data

• What can go wrong:
  ○ SQL injection
  ○ Cross-site scripting
  ○ Input/data validation
  ○ Authentication
  ○ Authorization
  ○ Sensitive data
  ○ Code access security
  ○ Exception management
  ○ Data access
  ○ Cryptography
  ○ Unsafe and unmanaged code use
  ○ Configuration
  ○ Threading
  ○ Undocumented public interfaces

• C/C++ problems:
  ○ No bounds checks: strcpy(), strcat(), gets(), sprintf(), scanf() family
  ○ Format string problems: [v][f]printf(), [v]snprintf(), syslog()
  ○ Race conditions: access(), chown(), chgrp(), chmod(), tmpfile(), tmpnam(), tempnam(), mktemp()
  ○ Shell metacharacter dangers: exec() family, system(), popen()

• Code scanners
  ○ Manual scanning is just not practical
  ○ Automated scanning often provides documentation that is usable in a write-up
• Fuzzers
  ○ Able to find potential exploits
  ○ Reduce time spent on code reviews
  ○ Do not require access to the source code

• Code scanners
  ○ Fortify Static Code Analysis (SCA)*
    COBOL, Classic ASP and ColdFusion, Java, .NET, C/C++, PL/SQL, T-SQL and XML
  ○ Rough Auditing Tool for Security (RATS)
    Scans C, C++, Perl, PHP and Python
  ○ Flawfinder
    Includes a list of other code scanner applications
  ○ Doxygen
    Documents code – does not scan for vulnerabilities
    C++, C, Java, Objective-C, Python, IDL (Corba and Microsoft flavors), Fortran, VHDL, PHP, C#

* Commercial product
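As an added example (not from the Heorot.net slides, and not Flawfinder's or RATS' own code), a small Python scanner that turns the C/C++ call list from the earlier slide into a risk-ranked hit list the way those tools report it, ignoring calls that only appear in comments and format-string calls whose format argument is a string literal. The rule names, the risk levels and the C sample being scanned are this example's own constructed assumptions.

```python
import re
RULES = [  # (level, rule, functions) from the slide's C/C++ list; the levels are this example's own choice
    (5, "no bounds check", "strcpy strcat gets sprintf scanf sscanf fscanf"),
    (4, "format string", "printf fprintf vprintf vfprintf snprintf vsnprintf syslog"),
    (3, "race condition", "access chown chgrp chmod tmpfile tmpnam tempnam mktemp"),
    (4, "shell metacharacters", "system popen execl execlp execle execv execvp execvpe"),
]
FUNC_RULE = {f: (lvl, rule) for lvl, rule, names in RULES for f in names.split()}
FORMAT_ARG = {"printf": 0, "vprintf": 0, "fprintf": 1, "vfprintf": 1, "snprintf": 2, "vsnprintf": 2, "syslog": 1}  # a string literal at this index is not a format-string bug (fewer false positives)
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")

def call_args(text, start):
    """Split the argument list of the call whose '(' is at text[start] (string literals are not special-cased)."""
    depth, args, cur = 0, [], ""
    for ch in text[start:]:
        depth += (ch == "(") - (ch == ")")
        if depth == 0 or (ch == "," and depth == 1):
            args.append(cur.strip())
            cur = ""
            if depth == 0:
                return args
        elif not (ch == "(" and depth == 1):
            cur += ch
    return args  # call not closed on this line: report what was collected

def scan(source):
    """Return (line_no, level, rule, function) hits, highest risk first, as a Flawfinder-style hit list."""
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        code = re.sub(r"//.*|/\*.*?\*/", "", line)  # a call that only appears in a comment is not a hit
        for m in CALL_RE.finditer(code):
            name = m.group(1)
            if name not in FUNC_RULE:
                continue
            idx = FORMAT_ARG.get(name)
            if idx is not None:
                args = call_args(code, m.end() - 1)
                if len(args) > idx and args[idx].startswith('"'):
                    continue  # constant format string: safe, not reported
            hits.append((no, FUNC_RULE[name][0], FUNC_RULE[name][1], name))
    return sorted(hits, key=lambda h: (-h[1], h[0]))
SAMPLE = r'''// constructed sample for the scanner, not code from any real project
void greet(const char *user, const char *path, const char *cmd) {
    strcpy(buf, user);                              /* no bounds check */
    printf(buf);                                    /* user-controlled format */
    printf("%s\n", buf);                            /* constant format: not a hit */
    fprintf(stderr, user);                          /* user-controlled format */
    if (access(path, W_OK) == 0) chmod(path, 0644); /* check-then-use race */
    system(cmd);                                    /* shell metacharacters */
}'''
```

Running `scan(SAMPLE)` reports six hits, strcpy() first at level 5, and skips the printf() call with a constant format; as with the real tools, every hit still needs a human to confirm whether the data reaching the call is attacker-controlled.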

• Understand abilities and limitations of code reviews
• Identify potentially “bad” code
• Identify and use code review tools