Transcript of Security Code Review - OWASP
Copyright 2007 © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
Security Code Review
Sherif Koussa
OWASP Ottawa Chapter Leader
Software Secured - Principal
[email protected]
Education Project
Thursday, 9 May, 13
About Sherif
Principal Consultant @ SoftwareSecured
✓ Security Code Review
✓ Penetration Testing
✓ Secure SDL Integration
✓ Application Security Training
Take Aways
What is Security Code Review
Effective Security Code Review Process
Key Tools to Use
Practice Security Code Review
What is this presentation not going to do?
Ground Breaking Attack\Hack\Black
New Tool
How to Fix Vulnerabilities
What IS Security Code Review?
The Inspection of Source Code to Find Security Weakness
Integrated Activity into Software Development Lifecycle
Cross-Team Integration
  Development Teams
  Security Teams
  Project\Risk Management
Security Code Review Process
Why Security Code Reviews
Effectiveness of security controls against known threats
Exercise all application execution paths
Find all instances of a certain vulnerability
The only way to find certain types of vulnerabilities
Effective remediation instructions
What Are We Looking For?
Software Weaknesses
  SQL Injection
  Cross-site Scripting
  Insufficient Authentication
Application Logic Issues
  Application Logic Bypass
Dead\Debug Code
Misconfiguration Issues
Important Steps For Effective Process
Reconnaissance
Threat Assessment
Automation
Manual Review
Confirmation & PoC
Reporting
Process overview (figure): Reconnaissance, Threat Assessment, Automation, Manual Review, Confirmation & PoC, Reporting; supported by Checklist, Tools and Security Skills.
RECONNAISSANCE
Reconnaissance
Primary Business Goal of the Application
Use Cases\Abuse Cases
Different User Roles
Technology Stack of the Application
Environment Discovery
Use the Application
THREAT ASSESSMENT
Enumerate Assets
Enumerate Threats
Enumerate Vulnerabilities: OWASP Top 10
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Known Vulnerable Components
A10 Unvalidated Redirects and Forwards
AUTOMATION
Automation
Static Code Analysis Tools
  Static Analysis Technologies Evaluation Criteria (SATEC)
Scripts: DependencyCheck (GitHub)
Automation with PMD
PMD is a source code analyzer which finds common programming flaws.
Could be extended to find security flaws
Download from Sourceforge
PMD Demo...
Automation with .NET
CAT.NET is a binary code analysis tool that helps identify common variants of certain prevailing vulnerabilities that can give rise to common attack vectors - Microsoft
Comes with built-in rules:
  Reflected Cross-Site Scripting
  SQL Injection
  XPath Injection
  LDAP Injection
  File Canonicalization Issues
  Command Injection
  Information Disclosure
Download from MSDN
CAT.NET Demo...
MANUAL REVIEW
A1. Injection
Start With Automation
Database Script (*.sql, *.txt, etc)
Pay Attention to Patterns & Coding Styles
Second Order Injection
Legend: Manual / Automatic
Quiz-O-Code
Will it catch “UNI/**/ON”, “SEL/**?ECT”?
A2. Broken Authentication and Session Management
Authentication Process
Password Storage
Password Reset\Changes
Session Generation
Session Timeout
Cookie Domain\Path
Legend: Manual / Automatic
Quiz-o-code
Fail-Open Scenario
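Added example, not from the deck (the quiz code itself is an image and is not reproduced here): a fail-open login check beside its fail-closed form, with a constructed user store and an assumed StoreUnavailable error standing in for whatever the real check can throw.

```python
import hashlib
import hmac
import os

# Constructed user store; the real slide code is an image, so this layout
# (salted PBKDF2 hashes keyed by user name) is an assumption.
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

class StoreUnavailable(Exception):
    """Assumed error: the credential store could not be reached."""

def lookup(user, available=True):
    if not available:
        raise StoreUnavailable("user store down")
    return USERS.get(user)

def login_fail_open(user, password, available=True):
    """The fail-open shape: the flag starts True and the error path only
    falls through, so anything that stops the check from finishing
    (here, a store outage) grants access."""
    authenticated = True
    try:
        salt, stored = lookup(user, available) or (None, None)
        if stored is None or not hmac.compare_digest(stored, _hash(password, salt)):
            authenticated = False
    except StoreUnavailable:
        pass  # swallowed; the optimistic default stands
    return authenticated

def login_fail_closed(user, password, available=True):
    """Fail-closed: access is granted only when the check positively
    succeeds; every other path, including errors, denies."""
    authenticated = False
    try:
        rec = lookup(user, available)
        if rec is not None and hmac.compare_digest(rec[1], _hash(password, rec[0])):
            authenticated = True
    except StoreUnavailable:
        authenticated = False  # an outage must never grant access
    return authenticated
```

In review, look for the first shape: a success flag initialised to true, or a catch block that does not set the outcome.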
A3. Cross-Site Scripting
Inspect application’s defenses
Contextual HTML output encoding
Tags with no output encoding
DOM-Based Cross-site Scripting
HttpOnly Flag on Cookies
Legend: Manual / Automatic
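Added example, not part of the deck: per-context output encoders for the HTML body, attribute and script-string contexts this slide refers to, a page fragment that uses each in its place, and a review-time check for the HttpOnly flag on a Set-Cookie line. The encoder names and the profile fragment are assumptions.

```python
import html
import json

# Added helpers; the slide names the defenses but shows no code, so these
# function names and the profile fragment below are assumptions.

def encode_for_html_body(value):
    """Text between tags: entity-encode &, <, > and both quote characters."""
    return html.escape(value, quote=True)

def encode_for_html_attr(value):
    """Quoted attribute value: same entity set, and the template must keep
    the surrounding quotes, otherwise a space ends the attribute."""
    return html.escape(value, quote=True)

def encode_for_js_string(value):
    """Inside a <script> string literal: JSON-encode, then escape the
    HTML-significant characters so data containing </script> cannot close
    the script block (the HTML parser runs before the JavaScript one)."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))

def render_profile(name):
    """Constructed page fragment: each interpolation uses the encoder that
    matches the context it lands in."""
    return (
        "<h1>" + encode_for_html_body(name) + "</h1>\n"
        '<input value="' + encode_for_html_attr(name) + '">\n'
        "<script>var user = " + encode_for_js_string(name) + ";</script>"
    )

def session_cookie_header(session_id):
    """Session cookie issued with HttpOnly so script cannot read the token."""
    return "Set-Cookie: session=" + session_id + "; Path=/; HttpOnly; Secure"

def has_httponly(set_cookie_line):
    """Review-time check over a Set-Cookie header line."""
    attrs = [a.strip().lower() for a in set_cookie_line.split(";")[1:]]
    return "httponly" in attrs
```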
Quiz-O-Code
CONFIRMATION & POC
Confirmation & PoC
REPORTING
Reporting
Weakness Metadata
Thorough Description
Recommendation
Assign Appropriate Priority

Sample finding:
SQL Injection:
Location: \source\ACMEPortal\updateinfo.aspx.cs:
Description: The code below builds a dynamic SQL statement using unvalidated data (i.e. name), which can lead to SQL Injection
51 SqlDataAdapter myCommand = new SqlDataAdapter(
52 "SELECT au_lname, au_fname FROM author WHERE au_id = '" +
53 SSN.Text + "'", myConnection);
Priority: High
Recommendation: Use parameterized SQL instead of dynamic concatenation, refer to http://msdn.microsoft.com/en-us/library/ff648339.aspx for details.
Owner: John Smith
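Added example, not the deck's or ACMEPortal's code, covering both the A1 Quiz-O-Code question on comment-split keywords and the sample finding above: a whole-keyword blacklist, the concatenated query from the finding rebuilt against a constructed in-memory SQLite author table, and the parameterized form the recommendation asks for.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the author table named in the finding;
# the rows are made up and this is not the ACMEPortal code.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE author (au_id TEXT, au_lname TEXT, au_fname TEXT)")
    conn.executemany("INSERT INTO author VALUES (?, ?, ?)",
                     [("172-32-1176", "White", "Johnson"),
                      ("213-46-8915", "O'Leary", "Michael")])
    return conn

# A whole-keyword blacklist of the kind the Quiz-O-Code slide asks about.
BLACKLIST = re.compile(r"\b(UNION|SELECT|INSERT|DROP)\b", re.IGNORECASE)

def blacklist_allows(value):
    """True when the blacklist would pass the value through unchanged.
    Keywords split by a comment are not whole words, so the regex never sees
    them; whether that matters then depends on parser behaviour the filter
    does not model, which is why a blacklist is not the fix."""
    return BLACKLIST.search(value) is None

def find_author_concat(conn, au_id):
    """Mirrors the reported weakness: au_id is concatenated into the SQL text."""
    sql = "SELECT au_lname, au_fname FROM author WHERE au_id = '" + au_id + "'"
    return conn.execute(sql).fetchall()

def find_author_param(conn, au_id):
    """The recommended fix: the value is bound as a parameter, never parsed as SQL."""
    sql = "SELECT au_lname, au_fname FROM author WHERE au_id = ?"
    return conn.execute(sql, (au_id,)).fetchall()

def concat_breaks_on_quote(conn):
    """Confirmation step without any payload: a plain apostrophe in the input
    is enough to show the concatenated query treats user data as SQL syntax."""
    try:
        find_author_concat(conn, "O'Leary")
        return False
    except sqlite3.OperationalError:
        return True
```

The apostrophe test is the kind of low-risk confirmation a reviewer can attach to the finding before asking for a full PoC.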
CHECKLISTS
Checklists: A bit of history
Aviation: checklists led the evolution of modern airplanes after Major Hill’s famous 1934 incident
ICU: usage of checklists brought down infection rates in Michigan by 66%
What Should a Checklist Cover?
Data Validation and Encoding Controls
Encryption Controls
Authentication and Authorization Controls
Session Management
Exception Handling
Auditing and Logging
Security Configurations
Resources to Conduct Your Checklist
NIST Checklist Project: http://checklists.nist.gov/
Mozilla’s Secure Coding QA Checklist: https://wiki.mozilla.org/WebAppSec/Secure_Coding_QA_Checklist
Oracle’s Secure Coding Checklist: http://www.oracle.com/technetwork/java/seccodeguide-139067.html
Full Application Security Code Review
(Figure: Reconnaissance, Threat Modeling, Automation, Manual Review, Confirmation & PoC, Reporting; supported by Checklists, Tools and OWASP Top 10.)
References
OWASP (www.owasp.org)
Gotham Digital Science Blog (http://blog.gdssecurity.com/labs/tag/pmd)
Milad’s Blog (http://miladbr.blogspot.de/2013/04/exploiting-unexploitable-dom-based-xss.html)
SQL Injection Attacks and Defenses (http://www.amazon.com/SQL-Injection-Attacks-Defense-Second/dp/1597499633)
MSDN Blogs (http://dlbmodigital.microsoft.com/ppt/DN-100225-ARevuru-1032438061-FINAL.pdf)