Upload
narudom-roongsiriwong-cissp
View
1.770
Download
0
Embed Size (px)
Citation preview
Secure Code Review 101Secure Code Review 101Narudom Roongsiriwong, CISSPNarudom Roongsiriwong, CISSP
MiSSConf(SP2) Nov 19, 2016MiSSConf(SP2) Nov 19, 2016
Secure Code Review 101Secure Code Review 101Narudom Roongsiriwong, CISSPNarudom Roongsiriwong, CISSP
MiSSConf(SP2) Nov 19, 2016MiSSConf(SP2) Nov 19, 2016
WhoAmI● Lazy Blogger
– Japan, Security, FOSS, Politics, Christian– http://narudomr.blogspot.com
● Information Security since 1995● Web Application Development since 1998● Head of IT Security and Solution Architecture, Kiatnakin
Bank PLC (KKP)● Consultant for OWASP Thailand Chapter● Committee Member of Cloud Security Alliance (CSA),
Thailand Chapter● Consulting Team Member for National e-Payment project ● Contact: [email protected]
Security controls cannot deal with broken business logic such as A2, A4 and A7
Security controls cannot deal with broken business logic such as A2, A4 and A7
Software weaknesses reduction down to zero is possible
Software weaknesses reduction down to zero is possible
Reduce Security Weaknesses vsIncrease Security Controls
What is Secure Code Review?
● Aim to identify security flaws in the application related to its features and design, along with the exact root causes.
● Verify that the proper security and logical controls are present, work as intended, and have been invoked in the right places.
● Assure application developers are following secure development techniques.
● Combine human effort and advanced static analysis tools.
Code Review and Secure Code Review
● Secure Code Review enhances the standard Code Review practice with security considerations.– Security standards– Security risks in the code base– Security context
● Reviewers must have the necessary skills and secure coding knowledge to effectively evaluate the code.
How Code Review Reduces Costs on Bug FixesRelative cost of security fixes, based on time of detection
Source: The National Institute of Standards and Technology (NIST)
Code Review PenetrationTesting
Method Comparison to Cover High Level Topics
Good
Some
None
Source: Code Review Guide 2.0 (Alpha Release)
Method Comparison Against OWASP Top 10 Risks
Good
Some
None
Source: Code Review Guide 2.0 (Alpha Release)
Factors to Consider in Code Review Process
● Risks● Purpose & Context
– A payment web application will have higher security standards than a promotional website.
● Lines of Code: the more lines, the more bugs● Programming Language
– Unmanaged code → Chances of buffer overflow– PHP → Remote code execution
● Resources, Time & Deadlines
Code Review Preparation
● Application Features and Business Rules– BR, SRS, etc
● Context● Sensitive Data● User Roles and Access Rights● Application Type
– Web, Desktop, Web Service, Mobile, Hybrid● Language and Its Security Features and Issues● Design / Framework
– MVC, Strut, Spring, Hibernate, YII, CakePHP● Company Standards and Guidelines
Code Review Checklist
● Data Validation● Authentication● Session Management● Authorization● Cryptography● Error Handling● Logging● Security Configuration● Network Architecture
Advantage & Disadvantage of Source Code Scanner
● Advantage– Reduction in manual
efforts– Find all the instances of
the vulnerabilities– Source to sink analysis– Elaborate reporting
format
● Disadvantage– Business logic flaws
remain untouched– Limited scope– Design flaws– False positives
NameProgramming Language Support
OSJava PHP .NET C C++ Python Other
CodePro X W L M
FindBugs X W L
FxCop X W
Flawfinder X X L
Milk X X W L
MOPS X L
OWASP Code Crawler X X W
OWASP ORIZON X X X L
OWASP O2 Platform X X Javascript W
OWASP LAPSE X W L M
PMD X X X Javascript, XML, XSL W L
PREfast X X W L
RIPS-Scanner X
SonarQube X X X X Delphi, Javascript, XML W L M
Sprint X W L
StypeCop X W
Yasca X X X X X HTML, , Javascript, Cobol, Coldfusion W L
Free Source Code Scanners
Let’s Go Back to Basic without Code Scanner
● Use your favorite text editor or IDE.● “Find in Files” feature with RegEx is recommended.● In this presentation will show you “Geany”, cross
platform text editor. https://www.geany.org
Review SQL Injection
● Cause of SQL injection vulnerability is from an SQL command that constructs from the untrusted input.
● Common actions to interact with data are Create (INSERT), Read (SELECT), Update, Delete.
● SELECT/UPDATE/DELETE are usually filtered only some records, using WHERE.
● Some bad code use dynamic fields or tables, it’s also able to be injected.
Sting custQuery =“SELECT custName, address1, address2, city, postalCode WHERE custID= ‘“ + request.GetParameter(“id”) + “’“
Code
Data
Example: Find in Files for INSERT or WHERE
1) Suspect
2) Is this an input parameter?
3) Vulnerable from calling?
Review Remote Code Injection
● Both client side (JavaScript) and server side (ex. PHP) scripting
● Search for data from untrusted sources could be inputs of– eval (most of scripting language)– include, require (PHP)
eva1
Review Hard-Coded Password/Encryption Key
● Hard-coded passwords or key may compromise system security in a way that cannot be easily remedied.
● Developers may create a backdoor with hard-coded username and password for special credential.
● Forms of password for databases and application are likely to be “password”, “pass”, “passwd” or “pwd”. → RegEx: pass|pwd
● Borland Interbase 4.0, 5.0, 6.0 was discovered a special credentials, username “politically” and password “correct”, were inserted into the credential table at program startup. dpb = dpb_string;*dpb++ = gds__dpb_version1;*dpb++ = gds__dpb_user_name;*dpb++ = strlen (LOCKSMITH_USER);q = LOCKSMITH_USER;while (*q) *dpb++ = *q++;
*dpb++ = gds__dpb_password_enc;strcpy (password_enc, (char
*)ENC_crypt(LOCKSMITH_PASSWORD, PASSWORD_SALT));
q = password_enc + 2;*dpb++ = strlen (q);while (*q) *dpb++ = *q++;
dpb_length = dpb – dpb_string;isc_attach_database (status_vector, 0,
GDS_VAL(name), &DB, dpb_length, dpb_string);
Review Poor Logging Practices
● Use of a System Output Stream– Using System.out or System.err rather than a dedicated logging.– Log messages may accidentally be returned to the end users and
expose sensitive informationpublic class MyClass
public void debug(Object message) {System.out.println(message);
}}
● Logger Not Declared Static Final– Loggers should be declared to be static and final.– Use the same logger for the duration of the program.– The following statement errantly declares a non-static logger.
private final Logger logger = Logger.getLogger(MyClass.class);
Review Session Management
● .Net ASPX web.config<authentication mode=”Forms”>
<forms loginUrl=”member_login.aspx”cookieless=”UseCookies”requireSSL=”true”path=”/MyApplication” />
</authentication>
● Java web.xml<session-config>
<cookie-config><secure>true</secure>
</cookie-config></session-config>
● PHP.inisession.cookie_lifetime=0session.use_cookies=Onsession.use_only_cookies=Onsession.use_strict_mode=Onsession.cookie_httponly=Onsession.cookie_secure=Onsession.gc_maxlifetime=[choose smallest possible]session.use_trans_sid=Off
Conclusion
● Code scanner absolutely helps code reviewers but they are lacks of capabilities and usually create false positive.
● Code reviewers should know the specific language and framework of codes they reviews
● The justification must rely on the context and requirements of the application together with standards and guidelines