Presentation is loading. Please wait.

Presentation is loading. Please wait.

Eoin Keary Code review Lead Irish Chapter Lead

Published byCésar Aubin Modified over 6 years ago

Similar presentations

Presentation on theme: "Eoin Keary Code review Lead Irish Chapter Lead"— Presentation transcript:

1 Eoin Keary Code review Lead Irish Chapter Lead
OWASP Code Review Eoin Keary Code review Lead Irish Chapter Lead

2 Agenda What is the Code review guide? Secure Code Review (who cares?) Sister Projects

3 The Code review guide – What is it?
Most comprehensive open source secure code review on the web One of the “OWASP Trinity” of guides Available in WIKI, Free Download, “Real Book” Is 3 years old, but never finished Contributors from across the globe #3 on the “OWASP best-seller list” (Yippee)

4 Guide 2008 (v1.1) Contents Foreword by Jeff Williams, OWASP Chair
Welcome to the OWASP Code Review Guide 1.1 About The Open Web Application Security Project Code Review Guide History Introduction Preparation Security Code Review in the SDLC Security Code Review Coverage Application Threat Modeling Code Review Metrics Crawling code Searching for code in J2EE/Java Searching for code in Classic ASP Code review and PCI DSS Reviewing by technical control: Authentication Reviewing by technical control: Authorization Reviewing by technical control: Session Management Reviewing by technical control: Input Validation Reviewing by technical control: Error Handling Reviewing by technical control Secure application deployment Reviewing by technical control Cryptographic controls Reviewing Code for Buffer Overruns and Overflows Reviewing Code for OS Injection Reviewing Code for SQL Injection Reviewing Code for Data Validation Reviewing Code for Cross-site scripting Reviewing code for Cross-Site Request Forgery issues Reviewing Code for Logging Issues Reviewing Code for Session Integrity issues Reviewing Code for Race Conditions Additional security considerations: Java gotchas Java leading security practice Classic ASP Design Mistakes PHP Security Leading Practice Strings and Integers Reviewing MySQL Security Reviewing Flash Applications Reviewing Web services How to write an application code review finding Automated Code revieW Tool Deployment Model The Owasp Orizon Framework The Owasp Code Review Top 9 Guide References Guide V Pages (66% bigger!!) Guide V1.0 – 143 Pages

5 Sustainable Environment
BIOMIMICRY – Nature's Manufacturing Genius Applied to Industry / Engineering Sustainable engineering model Evolution of systems: Robust/Strong DNA (Code) of a solution assures stability in the cyber environment. Think Darwin, survival of the fittest Organisms built correctly ensure stability and evolution. Penetrate and Patch model does not adhere to the natural order, what we currently do….

6 Secure Code Review - What it is : What it isn't:
Examination of developed source code for quality. Security = Quality Robust & Stable code More Expensive Can be more Accurate Requires unique skill set to do properly What it isn't: Silver Bullet Replacement for other security controls Replacement for poor application development Easy Cheap (Not Manual anyways)

7

8 Can we Automate Code review:
Automate = Good Can we Automate Code review: Yes!! (Its cheaper to do) Higher Through-put, quicker return But is it like a Web Application firewall in the case of runtime protection? Limited protection, Catch many types of issues, but not all?

9 Catches attack Vectors very well
Web Application Firewall (WAF) Catches attack Vectors very well Protects against SQL Injection, XSS, OS Injection, CLRF, DoS, Dir traversal, etc Not great against: Business Logic Flaws, CSRF attacks, Session Management issues/Hijacking…….

10 A fool with a tool, is still a fool”…..?
Automated Review A fool with a tool, is still a fool”…..?

11 Example: CSRF Protection
Cross-Site Request Forgery (CSRF) – causing an unsuspecting user’s browser to send requests they didn’t intend. (Funds Transfer, Form submission etc..) Preferably an authenticated user (Banking, Ticket purchase). Without them knowing about it? Can an automated scanner understand context here?: Line 1 String actionType = Request.getParameter("Action"); 2 If (actionType.equalsIgnoreCase("BuyStuff"){ 3 Response.add("Please enter your password"); 4 return Response; 5 }

12 Jeremiah Grossmann/Arian Evans – BH 08
New Layer of attacks: Workflow disruption & Hijacking Legal Cyber attacks Booking systems Transactional systems Security Code review & application threat modelling required to identify weakness Artificial Scarcity DoS – WhiteHat 1. Select a flight 2. Agree to the terms and conditions 3. Provide your personal details 4. Select seat *Seat is reserved and no user may select it for a variable amount of time - few minutes to several hours 5. Enter payment information (Don’t submit obviously) 6. Repeat and automate for every seat on the flight Jeremiah Grossmann/Arian Evans – BH 08

13 OWASP Code review tools
Code Crawler: Alessio Marziali Paulo Prego Orizon Framework

14 Deployment models Developer adoption model Testing Department model
Deploy automated tools to developers Control tool rule base Security review results and probe a little further. Testing Department model Test department include automated review in functional test. Application security group model All code goes through application security group Group use manual and automated solutions

15 OWASP Code Review Guide 2.0 – 2009
Help Required OWASP Code Review Guide 2.0 – 2009 New Ideas approaches welcomed Want to do more integration with tools

Download ppt "Eoin Keary Code review Lead Irish Chapter Lead"

Similar presentations

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.
Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.

Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
OWASP WEBGOAT Alaa Darabseh Department of Computer Science

OWASP WEBGOAT Alaa Darabseh Department of Computer Science
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Introduction to Web Application Security

Introduction to Web Application Security
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.

Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Software Security Course Course Outline 2-27-09. Course Overview Introduction to Software Security Common Attacks and Vulnerabilities Overview of Security.

Software Security Course Course Outline Course Overview Introduction to Software Security Common Attacks and Vulnerabilities Overview of Security.
SiteLock Internet Security: Big Threats for Small Business.

SiteLock Internet Security: Big Threats for Small Business.
By: Razieh Rezaei Saleh.  Security Evaluation The examination of a system to determine its degree of compliance with a stated security model, security.

By: Razieh Rezaei Saleh.  Security Evaluation The examination of a system to determine its degree of compliance with a stated security model, security.
Copyright © 2008 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Approaches to Application Security – DSM

Approaches to Application Security – DSM
A Framework for Automated Web Application Security Evaluation

A Framework for Automated Web Application Security Evaluation
Security testing of study information system Security team: Matis Alliksoo Alo Konno Urmo Lihten Taavi Podzuks Sander Saarm.

Security testing of study information system Security team: Matis Alliksoo Alo Konno Urmo Lihten Taavi Podzuks Sander Saarm.
Ryan Dewhurst - 20th March 2012 Web Application (PHP) Security.

Ryan Dewhurst - 20th March 2012 Web Application (PHP) Security.

Similar presentations

Ads by Google