Security Code Review - OWASP

Copyright 2007 © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation - OWASP - http://www.owasp.org

TRANSCRIPT

Page 1:

Security Code Review

Sherif Koussa
OWASP Ottawa Chapter Leader
Software Secured - Principal
[email protected]

Education Project

Thursday, 9 May, 13

Page 2:

About Sherif

Principal Consultant @ Software Secured
✓ Security Code Review
✓ Penetration Testing
✓ Secure SDL Integration
✓ Application Security Training

(Software Secured timeline graphic: 2007, 2009, 2011, 2013)

Pages 3-10:

Take Aways

- What is Security Code Review
- Effective Security Code Review Process
- Key Tools to Use
- Practice Security Code Review

Pages 11-16:

What is this presentation not going to do?

- Ground Breaking Attack\Hack\Black
- New Tool
- How to Fix Vulnerabilities

Pages 17-24:

What IS Security Code Review?

- The Inspection of Source Code to Find Security Weakness
- Integrated Activity into Software Development Lifecycle
- Cross-Team Integration
  - Development Teams
  - Security Teams
  - Project\Risk Management
- Security Code Review Process

Pages 25-26:

Why Security Code Reviews

- Effectiveness of security controls against known threats
- Exercise all application execution paths
- Find all instances of a certain vulnerability
- The only way to find certain types of vulnerabilities
- Effective remediation instructions

Pages 27-31:

What Are We Looking For?

- Software Weaknesses
  - SQL Injection
  - Cross-site Scripting
  - Insufficient Authentication
- Application Logic Issues
  - Application Logic Bypass
- Dead\Debug Code
- Misconfiguration Issues

Pages 32-38:

Important Steps For Effective Process

- Reconnaissance
- Threat Assessment
- Automation
- Manual Review
- Confirmation & PoC
- Reporting

Page 39:

(Process diagram: Reconnaissance, Threat Assessment, Automation, Manual Review, Confirmation & PoC, Reporting; supported by Checklist, Tools, Security Skills)

Page 40:

RECONNAISSANCE

(Process diagram: Reconnaissance, Threat Assessment, Automation, Manual Review, Confirmation & PoC, Reporting; supported by Checklists, Tools, OWASP Top 10)

Pages 41-47:

Reconnaissance

- Primary Business Goal of the Application
- Use Cases\Abuse Cases
- Different User Roles
- Technology Stack of the Application
- Environment Discovery
- Use the Application

Page 48:

THREAT ASSESSMENT

(Process diagram: Reconnaissance, Threat Assessment, Automation, Manual Review, Confirmation & PoC, Reporting; supported by Checklists, Tools, OWASP Top 10)

Page 49:

Enumerate Assets

Page 50:

Enumerate Threats

Pages 51-64:

Enumerate Vulnerabilities - OWASP Top 10

- A1 Injection
- A2 Broken Authentication and Session Management
- A3 Cross-Site Scripting (XSS)
- A4 Insecure Direct Object References
- A5 Security Misconfiguration
- A6 Sensitive Data Exposure
- A7 Missing Function Level Access Control
- A8 Cross-Site Request Forgery (CSRF)
- A9 Using Known Vulnerable Components
- A10 Unvalidated Redirects and Forwards

Page 65:

AUTOMATION

(Process diagram: Reconnaissance, Threat Assessment, Automation, Manual Review, Confirmation & PoC, Reporting; supported by Checklists, Tools, OWASP Top 10)

Pages 67-68:

Automation with PMD

- PMD is a source code analyzer which finds common programming flaws.
- Could be extended to find security flaws
- Download from Sourceforge

Page 69:

PMD Demo...

Pages 70-74:

Automation with .NET

CAT.NET is a binary code analysis tool that helps identify common variants of certain prevailing vulnerabilities that can give rise to common attack vectors. - Microsoft

Comes with built-in rules:
- Reflected Cross-Site Scripting
- SQL Injection
- XPath Injection
- LDAP Injection
- File Canonicalization Issues
- Command Injection
- Information Disclosure

Download from MSDN

Page 75:

CAT.NET Demo...

Page 76:

MANUAL REVIEW

(Process diagram: Reconnaissance, Threat Modeling, Automation, Manual Review, Confirmation & PoC, Reporting; supported by Checklists, Tools, OWASP Top 10)

Page 77:

A1. Injection

- Start With Automation
- Database Script (*.sql, *.txt, etc)
- Pay Attention to Patterns & Coding Styles
- Second Order Injection

(Manual / Automatic scale)

Pages 78-79:

Quiz-O-Code

(Code sample shown on slide)

Will it catch "UNI/**/ON", "SEL/**?ECT"?
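Added example, not taken from the slides: a Python sketch of the kind of keyword blocklist the quiz asks about, beside the parameterised query a reviewer would recommend in its place. The keyword list, the in-memory table and its two rows are constructed for this example; the two inputs checked are the ones named on the slide.

```python
import sqlite3

# Keyword blocklist of the kind the quiz slide questions (constructed).  It
# matches whole keywords, so a keyword split by an inline comment is missed.
BLOCKED_KEYWORDS = ("UNION", "SELECT", "INSERT", "UPDATE", "DELETE", "DROP")


def naive_filter_catches(value: str) -> bool:
    """True if the blocklist flags the input; this is the weak 'before' control."""
    upper = value.upper()
    return any(keyword in upper for keyword in BLOCKED_KEYWORDS)


def filter_gaps(samples) -> list:
    """Inputs the blocklist lets through.  A reviewer can run any candidate
    blocklist over a sample set to show it is not a sufficient control."""
    return [s for s in samples if not naive_filter_catches(s)]


def make_demo_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)",
                     [(1, "alice"), (2, "O'Brien")])
    conn.commit()
    return conn


def lookup_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """The pattern a reviewer flags: query text built by string formatting,
    guarded only by the blocklist.  Raises ValueError when the filter fires
    and sqlite3.OperationalError when an ordinary name containing a quote
    breaks the query text."""
    if naive_filter_catches(username):
        raise ValueError("blocked by keyword filter")
    query = f"SELECT id, name FROM users WHERE name = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """The remediation: a parameterised query.  The value is bound as data,
    so no keyword filter is needed and quotes in names are handled."""
    query = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    print("filter misses:", filter_gaps(["UNION", "UNI/**/ON", "SEL/**?ECT"]))
    print("safe lookup:", lookup_user_safe(db, "O'Brien"))
    try:
        lookup_user_unsafe(db, "O'Brien")
    except sqlite3.OperationalError as exc:
        print("unsafe lookup broke on a legitimate name:", exc)
```

The review finding is the string-built query, not the gaps in the keyword list: tightening the list only changes which inputs slip through, while binding parameters removes the problem for every input.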

Page 80:

A2. Broken Authentication and Session Management

- Authentication Process
- Password Storage
- Password Reset\Changes
- Session Generation
- Session Timeout
- Cookie Domain\Path

(Manual / Automatic scale)

Pages 81-86:

Quiz-o-code

(Code sample shown on slide)

Fail-Open Scenario
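Added example, not taken from the slides: a Python login routine written in the fail-open shape a reviewer looks for under A2, beside the fail-closed rewrite. The password records use salted PBKDF2 (the slide's "Password Storage" point); the user store, the PBKDF2 iteration count and the deliberately corrupted "bob" record are constructed for this example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor; an assumption, tune per deployment


def make_password_record(password: str) -> dict:
    """Salted PBKDF2-HMAC-SHA256 record: what the reviewer wants to see
    under 'Password Storage' instead of a plain or unsalted hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_password(record: dict, password: str) -> bool:
    """Constant-time comparison of the recomputed digest against the stored one."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def make_demo_store() -> dict:
    """Constructed user store.  'bob' is deliberately malformed (no salt) to
    stand in for any unexpected error raised during verification."""
    return {
        "alice": make_password_record("correct horse"),
        "bob": {"hash": b"\x00" * 32},
    }


def login_fail_open(store: dict, username: str, password: str, log: list) -> bool:
    """The pattern flagged in review.  'allowed' starts True and is only
    cleared on an explicit mismatch, so an unknown user (KeyError on the
    store) or any error inside verification leaves the caller logged in."""
    allowed = True
    try:
        record = store[username]
        if not verify_password(record, password):
            allowed = False
    except Exception as exc:
        log.append(f"login error for {username!r}: {exc}")
    return allowed


def login_fail_closed(store: dict, username: str, password: str, log: list) -> bool:
    """The remediation: deny by default, and grant access only when the
    check completed and succeeded.  Errors are still logged, but they
    can no longer turn into a successful login."""
    allowed = False
    try:
        record = store.get(username)
        if record is not None and verify_password(record, password):
            allowed = True
    except Exception as exc:
        log.append(f"login error for {username!r}: {exc}")
    return allowed


if __name__ == "__main__":
    users, events = make_demo_store(), []
    for name, pw in [("alice", "correct horse"), ("alice", "wrong"),
                     ("nobody", "x"), ("bob", "x")]:
        print(name, "fail-open:", login_fail_open(users, name, pw, events),
              "fail-closed:", login_fail_closed(users, name, pw, events))
    print("\n".join(events))
```

When reading authentication code, check what the access variable holds before the first check runs and what happens on every exception path; the two versions above differ only in those two places.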

Page 87:

A3. Cross-Site Scripting

- Inspect application's defenses
- Contextual HTML output encoding
- Tags with no output encoding
- DOM-Based Cross-site Scripting
- HttpOnly Flag on Cookies

(Manual / Automatic scale)
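Added example, not taken from the slides: Python helpers for three of the A3 review points, namely output encoding chosen per HTML context, a grep-style check for template output with encoding switched off, and a session cookie carrying the HttpOnly flag. The profile fragment, the Jinja-style template lines and the cookie name are constructed for this example.

```python
import html
import json
import re


def encode_html_text(value: str) -> str:
    """For text between tags: & < > " ' become entities."""
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """For a quoted attribute value.  The caller must always wrap the
    result in quotes; the encoding alone does not make an unquoted
    attribute safe."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """For a string literal inside <script>.  JSON encoding handles quotes
    and control characters; < > & are escaped as well so a value containing
    '</script>' cannot close the script block.  HTML entity encoding would
    be the wrong choice here, because the browser does not decode entities
    inside <script>."""
    encoded = json.dumps(value)
    return (encoded.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_profile(display_name: str) -> str:
    """Same untrusted value placed in three contexts, each with its own encoder."""
    return (
        f"<h1>{encode_html_text(display_name)}</h1>\n"
        f'<input name="nick" value="{encode_html_attr(display_name)}">\n'
        f"<script>var displayName = {encode_js_string(display_name)};</script>"
    )


# Markers in Jinja-style templates that disable output encoding.
UNENCODED_OUTPUT = re.compile(r"\|\s*safe\b|autoescape\s+false", re.IGNORECASE)


def find_unencoded_outputs(template_lines) -> list:
    """Review helper: 1-based line numbers where encoding is switched off,
    the slide's 'tags with no output encoding'.  Each hit needs a manual
    check that the value really is trusted."""
    return [i for i, line in enumerate(template_lines, 1)
            if UNENCODED_OUTPUT.search(line)]


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session id: HttpOnly keeps it out of reach
    of script, Secure restricts it to HTTPS, Path scopes it."""
    return f"sid={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    print(render_profile('Eve "</script><script>" O\'Neil'))
    template = ["<p>{{ name }}</p>", "<p>{{ bio|safe }}</p>",
                "{% autoescape false %}{{ raw }}{% endautoescape %}"]
    print("unencoded output at lines:", find_unencoded_outputs(template))
    print(session_cookie_header("constructed-session-id"))
```

The point for the reviewer is that one encoder is not enough: the same value needs a different encoding in text, attribute and script contexts, and any place where the template engine's encoding is turned off has to be justified.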

Pages 88-92:

Quiz-O-Code

(Code sample shown on slide)

Page 93:

CONFIRMATION & POC

29

Reconnaissance
Threat Modeling
Automation
Manual Review
Confirmation & PoC
Reporting
Checklists
Tools
OWASP Top 10

Page 94:

Confirmation & PoC

30


Page 97:

REPORTING

31


Page 98:

Reporting

32

Weakness Metadata
Thorough Description
Recommendation
Assign Appropriate Priority

SQL Injection:

Location: \source\ACMEPortal\updateinfo.aspx.cs (lines 51-53)

Description: The code below builds a dynamic SQL statement using unvalidated data (i.e. name), which can lead to SQL Injection.

    SqlDataAdapter myCommand = new SqlDataAdapter(
        "SELECT au_lname, au_fname FROM author WHERE au_id = '" +
        SSN.Text + "'", myConnection);

Priority: High

Recommendation: Use parameterized SQL instead of dynamic concatenation; refer to http://msdn.microsoft.com/en-us/library/ff648339.aspx for details.

Owner: John Smith

Page 99:

CHECKLISTS

33


Page 100:

Checklists: A bit of history

34

Aviation: checklists led the evolution of modern airplanes after Major Hill's famous 1934 incident

ICU: the use of checklists brought infection rates in Michigan down by 66%

Page 101:

What Should a Checklist Cover?

35

Data Validation and Encoding Controls
Encryption Controls
Authentication and Authorization Controls
Session Management
Exception Handling
Auditing and Logging
Security Configurations

Page 103:

Full Application Security Code Review

37

Reconnaissance
Threat Modeling
Automation
Manual Review
Confirmation & PoC
Reporting
Checklists
Tools
OWASP Top 10

Page 105:

References

39

OWASP (www.owasp.org)
Gotham Digital Science Blog (http://blog.gdssecurity.com/labs/tag/pmd)
Milad's Blog (http://miladbr.blogspot.de/2013/04/exploiting-unexploitable-dom-based-xss.html)
SQL Injection Attacks and Defenses (http://www.amazon.com/SQL-Injection-Attacks-Defense-Second/dp/1597499633)
MSDN Blogs (http://dlbmodigital.microsoft.com/ppt/DN-100225-ARevuru-1032438061-FINAL.pdf)