SlideShare una empresa de Scribd logo

Manual Code Review

n|u - The Open Security Community
n|u - The Open Security Community

This document discusses manual code review. It begins by introducing the author and their background and interests in security. It then asks why code review is important, noting that finding bugs early is cheaper and code review allows different visibility into code than other methods. Both automated and manual code review are discussed, saying they should be used complementarily. Manual review provides a 10,000 foot view by understanding the application and security controls. Specific vulnerabilities are then looked for. The document ends by stating manual code review can be done in 60 seconds by understanding the application, reviewing a security control, and looking for specific vulnerabilities.

EducaciónTecnología
1 de 10
Descargar para leer sin conexión
Manual Code Review - Sandesh Anand anand.sandesh@gmail.com www.linkedin.com/in/anandsandesh/
Who am I? • Security Consultant at Cigital Inc. • Ex-Developer • Areas of interest – Static analysis – Helping developers fix security bugs – Web App pen testing – Curious about all things security
What are we talking about? • Why review code? • Automated v/s Manual review • Manual review – 10,000 ft. view • Manual code review in 60 seconds
Why review code? • Finding bugs early in the lifecycle is cheaper • Different visibility to code – Reach all parts of code – Some issues only visible in code review (examples in the Demo) – Helps in identifying “where” the problem is
Why review code? • So, pen testing is useless, right? Not quite. Why not? – Don’t want to be killed by a room full of pen- testers – Better at proving “exploitability” – Makes it easier to evangelize security it an organization – Coverage different from code review (e.g.: Issues in application sever configuration) – Understand what a hacker is looking at
Automated v/s Manual This topic never ends. Here are some highlights: • Automated tools can plough through more code at lesser time. Very useful for large applications • Manual code review uses knowledge available to the tester • Tool support for certain programming languages stronger than the other (Java v/s Perl) • Quality of manual review depends on individual And so on….. Bottom line: Use both in a complimentary manner
Manual review – 10,000 ft. view • Understand the application – Purpose of the application – Flow of the application – Technologies used – Environment (type of DB, frameworks, AppServer etc.) – Business logic – Etc. • Understand the approach to security controls: – Authentication and Authorization – Handling un-trusted data – Handling sensitive information – Session handling – Network boundaries – Error handling and logging – Misuse of security related APIs (crypto, randomness etc.) – Etc. • Look for specific vulnerabilities – Issues common to most applications (e.g.: Race condition, resource management, information leakage, validation routines) – Language specific issues (e.g.: Format string attacks in C) – Framework specific issues (e.g.: review ACEGI configuration) – Looking for malicious code/ Insider threat
Manual code review in 60 seconds
Manual code review in 60 seconds • Understand the application • Review security control (Hint: Pick logging) • Look for specific vulnerabilities
Questions?

Recomendados

Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation Guidance
Tej Luthra
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
Blueinfy Solutions
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOps
Amazon Web Services
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 
OWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITISOWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITIS
Null Bhubaneswar
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
SonarQube - The leading platform for Continuous Code Quality
SonarQube - The leading platform for Continuous Code QualitySonarQube - The leading platform for Continuous Code Quality
SonarQube - The leading platform for Continuous Code Quality
Larry Nung
 

Recomendados

Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation Guidance
Tej Luthra
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
Blueinfy Solutions
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOps
Amazon Web Services
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 
OWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITISOWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITIS
Null Bhubaneswar
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
SonarQube - The leading platform for Continuous Code Quality
SonarQube - The leading platform for Continuous Code QualitySonarQube - The leading platform for Continuous Code Quality
SonarQube - The leading platform for Continuous Code Quality
Larry Nung
 
Track code quality with SonarQube
Track code quality with SonarQubeTrack code quality with SonarQube
Track code quality with SonarQube
Dmytro Patserkovskyi
 
Security in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersSecurity in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps Engineers
DevOps.com
 
Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...
Kevin Fealey
 
SAST (Static Application Security Testing) vs. SCA (Software Composition Anal...
SAST (Static Application Security Testing) vs. SCA (Software Composition Anal...SAST (Static Application Security Testing) vs. SCA (Software Composition Anal...
SAST (Static Application Security Testing) vs. SCA (Software Composition Anal...
WhiteSource
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
Moataz Kamel
 
OWASP Risk Rating Methodology.pptx
OWASP Risk Rating Methodology.pptxOWASP Risk Rating Methodology.pptx
OWASP Risk Rating Methodology.pptx
Chandan Singh Ghodela
 
AngularJS Security: defend your Single Page Application
AngularJS Security: defend your Single Page Application AngularJS Security: defend your Single Page Application
AngularJS Security: defend your Single Page Application
Carlo Bonamico
 
Security testing
Security testingSecurity testing
Security testing
Khizra Sammad
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
Amazon Web Services
 
SonarQube Presentation.pptx
SonarQube Presentation.pptxSonarQube Presentation.pptx
SonarQube Presentation.pptx
Satwik Bhupathi Raju
 
Privileged Access Management (PAM)
Privileged Access Management (PAM)Privileged Access Management (PAM)
Privileged Access Management (PAM)
danb02
 
Code Quality Lightning Talk
Code Quality Lightning TalkCode Quality Lightning Talk
Code Quality Lightning Talk
Jonathan Gregory
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team Framework
👀 Joe Gray
 
Scalability in Software Systems Engineering: The Good, the Bad, and the Ugly ...
Scalability in Software Systems Engineering: The Good, the Bad, and the Ugly ...Scalability in Software Systems Engineering: The Good, the Bad, and the Ugly ...
Scalability in Software Systems Engineering: The Good, the Bad, and the Ugly ...
David Rosenblum
 
Security Process in DevSecOps
Security Process in DevSecOpsSecurity Process in DevSecOps
Security Process in DevSecOps
Opsta
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
Michael Furman
 
Api Gateway
Api GatewayApi Gateway
Api Gateway
KhaqanAshraf
 
REST-API introduction for developers
REST-API introduction for developersREST-API introduction for developers
REST-API introduction for developers
Patrick Savalle
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
Spv Reddy
 
Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture
Priyanka Aash
 
Protecting Mission-Critical Source Code from Application Security Vulnerabili...
Protecting Mission-Critical Source Code from Application Security Vulnerabili...Protecting Mission-Critical Source Code from Application Security Vulnerabili...
Protecting Mission-Critical Source Code from Application Security Vulnerabili...
IBM Security
 
Analysis of Software Development Life Cycle and Quality Management
Analysis of Software Development Life Cycle and Quality ManagementAnalysis of Software Development Life Cycle and Quality Management
Analysis of Software Development Life Cycle and Quality Management
Abhay Yadav
 

Más contenido relacionado

La actualidad más candente

Security in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersSecurity in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps Engineers
DevOps.com
 
AngularJS Security: defend your Single Page Application
AngularJS Security: defend your Single Page Application AngularJS Security: defend your Single Page Application
AngularJS Security: defend your Single Page Application
Carlo Bonamico
 
Privileged Access Management (PAM)
Privileged Access Management (PAM)Privileged Access Management (PAM)
Privileged Access Management (PAM)
danb02
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team Framework
👀 Joe Gray
 

La actualidad más candente (20)

Track code quality with SonarQube
Track code quality with SonarQubeTrack code quality with SonarQube
Track code quality with SonarQube
 
Security in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersSecurity in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps Engineers
 
Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...
 
SAST (Static Application Security Testing) vs. SCA (Software Composition Anal...
SAST (Static Application Security Testing) vs. SCA (Software Composition Anal...SAST (Static Application Security Testing) vs. SCA (Software Composition Anal...
SAST (Static Application Security Testing) vs. SCA (Software Composition Anal...
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
OWASP Risk Rating Methodology.pptx
OWASP Risk Rating Methodology.pptxOWASP Risk Rating Methodology.pptx
OWASP Risk Rating Methodology.pptx
 
AngularJS Security: defend your Single Page Application
AngularJS Security: defend your Single Page Application AngularJS Security: defend your Single Page Application
AngularJS Security: defend your Single Page Application
 
Security testing
Security testingSecurity testing
Security testing
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
SonarQube Presentation.pptx
SonarQube Presentation.pptxSonarQube Presentation.pptx
SonarQube Presentation.pptx
 
Privileged Access Management (PAM)
Privileged Access Management (PAM)Privileged Access Management (PAM)
Privileged Access Management (PAM)
 
Code Quality Lightning Talk
Code Quality Lightning TalkCode Quality Lightning Talk
Code Quality Lightning Talk
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team Framework
 
Scalability in Software Systems Engineering: The Good, the Bad, and the Ugly ...
Scalability in Software Systems Engineering: The Good, the Bad, and the Ugly ...Scalability in Software Systems Engineering: The Good, the Bad, and the Ugly ...
Scalability in Software Systems Engineering: The Good, the Bad, and the Ugly ...
 
Security Process in DevSecOps
Security Process in DevSecOpsSecurity Process in DevSecOps
Security Process in DevSecOps
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
Api Gateway
Api GatewayApi Gateway
Api Gateway
 
REST-API introduction for developers
REST-API introduction for developersREST-API introduction for developers
REST-API introduction for developers
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture
 

Destacado

Protecting Mission-Critical Source Code from Application Security Vulnerabili...
Protecting Mission-Critical Source Code from Application Security Vulnerabili...Protecting Mission-Critical Source Code from Application Security Vulnerabili...
Protecting Mission-Critical Source Code from Application Security Vulnerabili...
IBM Security
 
Analysis of Software Development Life Cycle and Quality Management
Analysis of Software Development Life Cycle and Quality ManagementAnalysis of Software Development Life Cycle and Quality Management
Analysis of Software Development Life Cycle and Quality Management
Abhay Yadav
 
Code Review
Code ReviewCode Review
Code Review
rantav
 
1 Quality Assurance Presentation
1 Quality Assurance Presentation1 Quality Assurance Presentation
1 Quality Assurance Presentation
guest337c19
 

Destacado (7)

Protecting Mission-Critical Source Code from Application Security Vulnerabili...
Protecting Mission-Critical Source Code from Application Security Vulnerabili...Protecting Mission-Critical Source Code from Application Security Vulnerabili...
Protecting Mission-Critical Source Code from Application Security Vulnerabili...
 
Analysis of Software Development Life Cycle and Quality Management
Analysis of Software Development Life Cycle and Quality ManagementAnalysis of Software Development Life Cycle and Quality Management
Analysis of Software Development Life Cycle and Quality Management
 
Code Review
Code ReviewCode Review
Code Review
 
Quality Assurance in Software Ind.
Quality Assurance in Software Ind.Quality Assurance in Software Ind.
Quality Assurance in Software Ind.
 
1 Quality Assurance Presentation
1 Quality Assurance Presentation1 Quality Assurance Presentation
1 Quality Assurance Presentation
 
Introduction To Software Quality Assurance
Introduction To Software Quality AssuranceIntroduction To Software Quality Assurance
Introduction To Software Quality Assurance
 
requirements analysis and design
requirements analysis and designrequirements analysis and design
requirements analysis and design
 

Similar a Manual Code Review

TechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsTechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
DicodingEvent
 
ch03Threat Modeling - Locking the Door to Vulnerabilities.ppt
ch03Threat Modeling - Locking the Door to Vulnerabilities.pptch03Threat Modeling - Locking the Door to Vulnerabilities.ppt
ch03Threat Modeling - Locking the Door to Vulnerabilities.ppt
gealehegn
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
David Lindner
 
Securing DevOps through Privileged Access Management
Securing DevOps through Privileged Access ManagementSecuring DevOps through Privileged Access Management
Securing DevOps through Privileged Access Management
BeyondTrust
 
Unified Security Governance
Unified Security GovernanceUnified Security Governance
Unified Security Governance
Can Demirel
 

Similar a Manual Code Review (20)

Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Security
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Tools
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsTechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
 
ch03Threat Modeling - Locking the Door to Vulnerabilities.ppt
ch03Threat Modeling - Locking the Door to Vulnerabilities.pptch03Threat Modeling - Locking the Door to Vulnerabilities.ppt
ch03Threat Modeling - Locking the Door to Vulnerabilities.ppt
 
Scanning web vulnerabilities
Scanning web vulnerabilitiesScanning web vulnerabilities
Scanning web vulnerabilities
 
Agility reboot iv
Agility reboot ivAgility reboot iv
Agility reboot iv
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
Securing DevOps through Privileged Access Management
Securing DevOps through Privileged Access ManagementSecuring DevOps through Privileged Access Management
Securing DevOps through Privileged Access Management
 
Cloud Security vs Security in the Cloud
Cloud Security vs Security in the CloudCloud Security vs Security in the Cloud
Cloud Security vs Security in the Cloud
 
Salesforce static code analysis
Salesforce static code analysisSalesforce static code analysis
Salesforce static code analysis
 
Code Review to the Rescue
Code Review to the RescueCode Review to the Rescue
Code Review to the Rescue
 
Reducing Application Risk: minimizing your web application's attack surface
Reducing Application Risk: minimizing your web application's attack surfaceReducing Application Risk: minimizing your web application's attack surface
Reducing Application Risk: minimizing your web application's attack surface
 
Hacker vs tools
Hacker vs toolsHacker vs tools
Hacker vs tools
 
Hacker vs Tools: Which to Choose?
Hacker vs Tools: Which to Choose?Hacker vs Tools: Which to Choose?
Hacker vs Tools: Which to Choose?
 
Test driven development
Test driven developmentTest driven development
Test driven development
 
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)
 
The computer says no v2
The computer says no v2The computer says no v2
The computer says no v2
 
Unified Security Governance
Unified Security GovernanceUnified Security Governance
Unified Security Governance
 

Más de n|u - The Open Security Community

Más de n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Último

The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
heathfieldcps1
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
heathfieldcps1
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
QucHHunhnh
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
negromaestrong
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
ciinovamais
 

Último (20)

Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
Role Of Transgenic Animal In Target Validation-1.pptx
Role Of Transgenic Animal In Target Validation-1.pptxRole Of Transgenic Animal In Target Validation-1.pptx
Role Of Transgenic Animal In Target Validation-1.pptx
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesMixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 

Manual Code Review

  • 1. Manual Code Review - Sandesh Anand anand.sandesh@gmail.com www.linkedin.com/in/anandsandesh/
  • 2. Who am I? • Security Consultant at Cigital Inc. • Ex-Developer • Areas of interest – Static analysis – Helping developers fix security bugs – Web App pen testing – Curious about all things security
  • 3. What are we talking about? • Why review code? • Automated v/s Manual review • Manual review – 10,000 ft. view • Manual code review in 60 seconds
  • 4. Why review code? • Finding bugs early in the lifecycle is cheaper • Different visibility to code – Reach all parts of code – Some issues only visible in code review (examples in the Demo) – Helps in identifying “where” the problem is
  • 5. Why review code? • So, pen testing is useless, right? Not quite. Why not? – Don’t want to be killed by a room full of pen- testers – Better at proving “exploitability” – Makes it easier to evangelize security it an organization – Coverage different from code review (e.g.: Issues in application sever configuration) – Understand what a hacker is looking at
  • 6. Automated v/s Manual This topic never ends. Here are some highlights: • Automated tools can plough through more code at lesser time. Very useful for large applications • Manual code review uses knowledge available to the tester • Tool support for certain programming languages stronger than the other (Java v/s Perl) • Quality of manual review depends on individual And so on….. Bottom line: Use both in a complimentary manner
  • 7. Manual review – 10,000 ft. view • Understand the application – Purpose of the application – Flow of the application – Technologies used – Environment (type of DB, frameworks, AppServer etc.) – Business logic – Etc. • Understand the approach to security controls: – Authentication and Authorization – Handling un-trusted data – Handling sensitive information – Session handling – Network boundaries – Error handling and logging – Misuse of security related APIs (crypto, randomness etc.) – Etc. • Look for specific vulnerabilities – Issues common to most applications (e.g.: Race condition, resource management, information leakage, validation routines) – Language specific issues (e.g.: Format string attacks in C) – Framework specific issues (e.g.: review ACEGI configuration) – Looking for malicious code/ Insider threat
  • 8. Manual code review in 60 seconds
  • 9. Manual code review in 60 seconds • Understand the application • Review security control (Hint: Pick logging) • Look for specific vulnerabilities