The OWASP Foundationhttp://www.owasp.org

OWASP EducationComputer based training

CERT Secure Coding

Nishi KumarIT Architect Specialist, FISOWASP CBT Project Lead

OWASP Global Industry CommitteeNishi.Kumar@owasp.org

Contributor and Reviewer Keith Turpin

2

Objectives Understand Cert Secure Coding

Cert Secure Coding Standards

3

Cert Secure Coding goals

Reduce vulnerabilities resulting from coding errors

Identify common programming errors that lead to software vulnerabilities

Establish secure coding standards

Educate software developers to advance the state of the practice in secure coding

4

Cert Secure Coding StandardsEstablish coding guidelines for commonly used programming languages that can be used to improve the security of software systems under development Based on documented standard language versions as defined by official or de facto standards organizations Secure coding standards are under development for:

The CERT C Secure Coding Standard, Version 2.0 The CERT C++ Secure Coding Standard The CERT Oracle Secure Coding Standard for Java

5

Cert Secure Coding Standard for Java

00. Input Validation and Data Sanitization (IDS)

01. Declarations and Initialization (DCL)

02. Expressions (EXP)

03. Numeric Types and Operations (NUM)

04. Object Orientation (OBJ)

05. Methods (MET)

06. Exceptional Behavior (ERR)

07. Visibility and Atomicity (VNA)

The CERT Oracle Secure Coding Standard for Java

6

The CERT Oracle Secure Coding Standard for Java

Cert Secure Coding Standard for Java

08. Locking (LCK)

09. Thread APIs (THI)

10. Thread Pools (TPS)

11. Thread-Safety Miscellaneous (TSM)

12. Input Output (FIO)

14. Platform Security (SEC)

15. Runtime Environment (ENV)

16. Serialization (SER)

49. Miscellaneous (MSC)

IDS01-J. Sanitize untrusted data passed across a trust boundary

public void doPrivilegedAction(String username, char[] password) throws SQLException { Connection connection = getConnection(); if (connection == null) {

// handle error }

String pwd = hashPassword(password);

String sqlString = "SELECT * FROM db_user WHERE username = '" + username + "' AND password = '" + pwd + "'";

Statement stmt = connection.createStatement(); ResultSet rs = stmt.executeQuery(sqlString); if (!rs.next()) {

throw new SecurityException("User name or Password incorrect"); } // Authenticated; proceed

}

7

Noncompliant Code Example

IDS01-J. Sanitize untrusted data passed across a trust boundary

class Login { public void doPrivilegedAction(String username, char[] password) throws SQLException {

Connection connection = getConnection(); if (connection == null) {

// handle error }

String pwd = hashPassword(password);

// Ensure that the length of user name is legitimate if ((username.length() >= 8) {

// Handle error }

String sqlString = "select * from db_user where username=? and password=?";

PreparedStatement stmt = connection.prepareStatement(sqlString);

stmt.setString (1, username); stmt.setString (2, pwd); ResultSet rs = stmt.executeQuery(); if (!rs.next()) {

throw new SecurityException("User name or Password incorrect"); } // Authenticated; proceed

} }

8

Compliant Solution (PreparedStatement)

References

CERT - www.cert.orgThe CERT® Program is part of the Software Engineering Institute (SEI).

CERT's primary objectives include analyzing and communicating the state of internet security through its US-CERT Vulnerability Notes Database and improving software security with its secure coding practices publications.

US-CERT Vulnerability Notes Database - http://www.kb.cert.org/vuls/ CERT Secure Coding Practices - http://www.cert.org/secure-coding/

9

10