Published by Calvin Montgomery. Modified over 6 years ago.
CERT Secure Coding
OWASP Education Computer Based Training

Nishi Kumar
IT Architect Specialist, FIS
Chair, Software Security Forum at FIS
OWASP CBT Project Lead
OWASP Global Industry Committee

Contributor and Reviewer: Keith Turpin
Objectives
Understand CERT Secure Coding
Understand the CERT Secure Coding Standards
CERT Secure Coding goals
Reduce vulnerabilities resulting from coding errors
Identify common programming errors that lead to software vulnerabilities
Establish secure coding standards
Educate software developers to advance the state of the practice in secure coding
CERT Secure Coding Standards
Establish coding guidelines for commonly used programming languages that can be used to improve the security of software systems under development
Based on documented standard language versions as defined by official or de facto standards organizations
Secure coding standards are under development for:
The CERT C Secure Coding Standard, Version 2.0
The CERT C++ Secure Coding Standard
The CERT Oracle Secure Coding Standard for Java
The CERT Oracle Secure Coding Standard for Java
CERT Secure Coding Standard for Java, sections:
00. Input Validation and Data Sanitization (IDS)
01. Declarations and Initialization (DCL)
02. Expressions (EXP)
03. Numeric Types and Operations (NUM)
04. Object Orientation (OBJ)
05. Methods (MET)
06. Exceptional Behavior (ERR)
07. Visibility and Atomicity (VNA)
The CERT Oracle Secure Coding Standard for Java (continued)
CERT Secure Coding Standard for Java, sections:
08. Locking (LCK)
09. Thread APIs (THI)
10. Thread Pools (TPS)
11. Thread-Safety Miscellaneous (TSM)
12. Input Output (FIO)
14. Platform Security (SEC)
15. Runtime Environment (ENV)
16. Serialization (SER)
49. Miscellaneous (MSC)
IDS01-J. Sanitize untrusted data passed across a trust boundary

Noncompliant Code Example

```java
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// getConnection() and hashPassword() are helpers that the slide elides.
public void doPrivilegedAction(String username, char[] password)
    throws SQLException {
  Connection connection = getConnection();
  if (connection == null) {
    // handle error
  }
  String pwd = hashPassword(password);
  // Untrusted username is concatenated straight into the SQL text, so its
  // contents can change the structure of the query (the trust-boundary flaw)
  String sqlString = "SELECT * FROM db_user WHERE username = '"
      + username + "' AND password = '" + pwd + "'";
  Statement stmt = connection.createStatement();
  ResultSet rs = stmt.executeQuery(sqlString);
  if (!rs.next()) {
    throw new SecurityException("User name or Password incorrect");
  }
  // Authenticated; proceed
}
```
IDS01-J. Sanitize untrusted data passed across a trust boundary

Compliant Solution (PreparedStatement)

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

class Login {
  // getConnection() and hashPassword() are helpers that the slide elides.
  public void doPrivilegedAction(String username, char[] password)
      throws SQLException {
    Connection connection = getConnection();
    if (connection == null) {
      // handle error
    }
    String pwd = hashPassword(password);
    // Ensure that the length of user name is legitimate
    if (username.length() >= 8) {
      // Handle error
    }
    // Placeholders keep username and pwd as data; the driver never
    // interprets them as part of the SQL statement
    String sqlString = "select * from db_user where username=? and password=?";
    PreparedStatement stmt = connection.prepareStatement(sqlString);
    stmt.setString(1, username);
    stmt.setString(2, pwd);
    ResultSet rs = stmt.executeQuery();
    if (!rs.next()) {
      throw new SecurityException("User name or Password incorrect");
    }
    // Authenticated; proceed
  }
}
```
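The contrast between the two IDS01-J slides, as an added example that is not from the presentation or from the CERT standard: it transposes the rule to Python's sqlite3 module, with an in-memory db_user table and a placeholder hash_password() both constructed here, so the behaviour can be run offline. A legitimate name containing an apostrophe breaks the concatenated statement, while the parameterized version treats the same input as plain data and simply fails to match.

```python
import hashlib
import sqlite3

MAX_USERNAME_LEN = 8  # the slide's compliant solution rejects names of length >= 8

def hash_password(password: str) -> str:
    # Stand-in for the slide's hashPassword(); a real system uses a salted, slow hash.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def build_db() -> sqlite3.Connection:
    # Constructed in-memory db_user table holding one sample account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE db_user (username TEXT, password TEXT)")
    conn.execute("INSERT INTO db_user VALUES (?, ?)",
                 ("alice", hash_password("correct horse")))
    conn.commit()
    return conn

def noncompliant_lookup(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The slide's noncompliant pattern: untrusted data spliced into the SQL text,
    # so a name such as o'hara changes the structure of the statement itself.
    pwd = hash_password(password)
    sql = ("SELECT * FROM db_user WHERE username = '" + username
           + "' AND password = '" + pwd + "'")
    return conn.execute(sql).fetchone() is not None

def untrusted_input_changes_query(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # True when the concatenated statement is no longer valid SQL for that input.
    try:
        noncompliant_lookup(conn, username, password)
    except sqlite3.Error:
        return True
    return False

def do_privileged_action(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Compliant form: the slide's length check plus a parameterized query, so the
    # driver always treats username and pwd as data, never as part of the SQL.
    if len(username) >= MAX_USERNAME_LEN:
        raise ValueError("user name length is not legitimate")
    pwd = hash_password(password)
    row = conn.execute(
        "SELECT 1 FROM db_user WHERE username = ? AND password = ?",
        (username, pwd),
    ).fetchone()
    return row is not None

if __name__ == "__main__":
    db = build_db()
    print(do_privileged_action(db, "o'hara", "correct horse"))           # False, no SQL error
    print(untrusted_input_changes_query(db, "o'hara", "correct horse"))  # True
```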
References
CERT - www.cert.org
The CERT® Program is part of the Software Engineering Institute (SEI). CERT's primary objectives include analyzing and communicating the state of internet security through its US-CERT Vulnerability Notes Database and improving software security with its secure coding practices publications.
US-CERT Vulnerability Notes Database
CERT Secure Coding Practices - CERT

Speaker notes: The CERT® Program is part of the Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania. Following the Morris worm incident, which brought 10 percent of internet systems to a halt in November 1988, the Defense Advanced Research Projects Agency (DARPA) charged the SEI with setting up a center to coordinate communication among experts during security emergencies and to help prevent future incidents. This center was named the CERT Coordination Center (CERT/CC). One of CERT's primary objectives is to analyze the state of internet security and convey that information to the internet community. The CERT/CC monitors public sources of vulnerability information and regularly receives reports of vulnerabilities. CERT manages the US-CERT Vulnerability Notes Database, which is a list of serious, publicly disclosed commercial software vulnerabilities. The Notes Database can be found here: As part of our work to influence vendors to improve the basic, as-shipped, security within their products, our analysts evaluate the root causes of vulnerabilities and establish secure coding practices, located here: CERT also provides some useful tools and training material.