SlideShare una empresa de Scribd logo

Code Review Strategies for Secure Web Applications

Descargar como PPT, PDF
S
silviad74
Tecnología
1 de 24
Code Review for Secure Web Applications With java samples
Bibliography • OWASP – Open web applications security projects – www.owasp.org • OWASP Code review guide
Introduction • Code reviews: – Ad hoc reviews – Pair programming – Walkthrough – Team review – Inspection • Purpose – security
Code review strategies • Automatic • Manual – use checklists – Risk based – Most encountered programming mistakes – Mitigation of most encountered vulnerabilities exploited in the world – Security best practices
Checklist based on best practices • Authentication • Authorization • Session management • Input validation and output sanitization
Checklist based on best practices To be presented next meeting • Prevent Cross Site Request Forgery • Cryptographic controls • Error handling • Logging • Prevent Race conditions
Authentication • Check user is not allowed to choose weak passwords Bad: String password = request.getParameter("Password"); if (password == Null) {throw InvalidPasswordException() }
Authentication • Check user is not allowed to choose weak passwords OK: if password.RegEx([a-z]) and password.RegEx([A-Z]) and password.RegEx([0-9]) and password.RegEx({8-30}) and password.RexEX([!"£$%^&*()]) return true; else return false;
Authentication • Password storage strategy: hashing using a one-way hash algorithm + salting OK hashing: import java.security.MessageDigest; public byte[] getHash(String password) throws NoSuchAlgorithmException { MessageDigest digest = MessageDigest.getInstance("SHA-1"); digest.reset(); byte[] input = digest.digest(password.getBytes("UTF-8")); }
Authentication • Password storage strategy: hashing using a one-way hash algorithm + salting OK salting: import java.security.MessageDigest; public byte[] getHash(String password, byte[] salt) throws NoSuchAlgorithmException { MessageDigest digest = MessageDigest.getInstance("SHA- 256"); digest.reset(); digest.update(salt); return digest.digest(password.getBytes("UTF-8")); }
Authorization • Check the access roles matrix and make sure it is created respecting the need-to-know and least- privilege principle • Check the business logic for errors Bad: if user.equals("NormalUser") { grantUser(Normal_Permissions); } else{ //user must be admin/super grantUser("Super_Permissions); }
Authorization • Check if security by obscurity is used • Check if authorization is verified for every request Good: String action = request.getParameter("action"); if (action.equals("doStuff")) boolean permit = session.authTable.isAuthorised(action); if (permit) doStuff(); else{ throw new (InvalidRequestException("Unauthorised request"); session.invalidate(); }
Session Management • Check if only framework’s session manager is used • Check the cryptographic strength, the length of the sessions and character pool • Check that sessionIds coming from clients are validated • Check there is a timeout implemented for idle sessions • Check session is destroyed on logout
Input validation and output sanitization • Ensure 2 separate validations occur: first a security validation, then a business validation • Ensure in the security validation, data are canonicalized first public static void main(String[] args) { File x = new File("/cmd/" + args[1]); String absPath = x.getAbsolutePath(); String canonicalPath = x.getCanonicalPath(); }
Input validation and output sanitization • Check that all input that traversed untrusted zones is validated, not only user input • Check that validators or sanitizers are adapted for the modules that receives/uses data – encode, escape, etc • Check validators are applied in a safe side (never client side)
Input validation and output sanitization public class DoStuff { public String executeCommand(String userName) { try { String myUid = userName; Runtime rt = Runtime.getRuntime(); rt.exec("cmd.exe /C doStuff.exe " +”-“ +myUid); } catch(Exception e) { e.printStackTrace(); } } }
Input validation and output sanitization String myQuery = “select food from foods where name=?”; String sortOrder=request.getParameter(“order”); myQuery+=sortOrder; PreparedStatement preparedStatement = connection.prepareStatement(myQuery); preparedStatement.setString(1, “Shaorma”); ResultSet resultSet = preparedStatement.executeQuery();
Input validation and output sanitization import java.io.*; import javax.servlet.http.*; import javax.servlet.*; public class HelloServlet extends HttpServlet { public void doGet (HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { String input = req.getHeader(“USERINPUT”); PrintWriter out = res.getWriter(); out.println(Server.HTMLEncode(input)); out.close(); } }
Thank you for the interest Questions?
Prevent Cross Site Script Forgery
Cryptographic controls
Error handling
Logging
Prevent Race Conditions

Recomendados

Null meet Code Review
Null meet Code ReviewNull meet Code Review
Null meet Code ReviewNaga Venkata Sunil Alamuri
 
Java Code Review Checklist
Java Code Review ChecklistJava Code Review Checklist
Java Code Review ChecklistMahesh Chopker
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
Secure Coding in C/C++
Secure Coding in C/C++Secure Coding in C/C++
Secure Coding in C/C++Dan-Claudiu Dragoș
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
Manual Code Review
Manual Code ReviewManual Code Review
Manual Code Reviewn|u - The Open Security Community
 
Static Code Analysis
Static Code AnalysisStatic Code Analysis
Static Code AnalysisGeneva, Switzerland
 
DevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first SecurityDevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first SecurityCoverity
 

Recomendados

Null meet Code Review
Null meet Code ReviewNull meet Code Review
Null meet Code ReviewNaga Venkata Sunil Alamuri
 
Java Code Review Checklist
Java Code Review ChecklistJava Code Review Checklist
Java Code Review ChecklistMahesh Chopker
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
Secure Coding in C/C++
Secure Coding in C/C++Secure Coding in C/C++
Secure Coding in C/C++Dan-Claudiu Dragoș
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
Manual Code Review
Manual Code ReviewManual Code Review
Manual Code Reviewn|u - The Open Security Community
 
Static Code Analysis
Static Code AnalysisStatic Code Analysis
Static Code AnalysisGeneva, Switzerland
 
DevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first SecurityDevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first SecurityCoverity
 
Top 10 static code analysis tool
Top 10 static code analysis toolTop 10 static code analysis tool
Top 10 static code analysis toolscmGalaxy Inc
 
Server Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonServer Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonMandeep Jadon
 
Code review
Code reviewCode review
Code reviewAbhishek Sur
 
Security Testing
Security TestingSecurity Testing
Security TestingKiran Kumar
 
PVS-Studio and static code analysis technique
PVS-Studio and static code analysis techniquePVS-Studio and static code analysis technique
PVS-Studio and static code analysis techniqueAndrey Karpov
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security AgileOleg Gryb
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestStatic Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestDenim Group
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesWebsecurify
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practicesNeoito
 
Static code analysis
Static code analysisStatic code analysis
Static code analysisRune Sundling
 
Static Analysis Primer
Static Analysis PrimerStatic Analysis Primer
Static Analysis PrimerCoverity
 
DevSecOps: Securing Applications with DevOps
DevSecOps: Securing Applications with DevOpsDevSecOps: Securing Applications with DevOps
DevSecOps: Securing Applications with DevOpsWouter de Kort
 
Java Code Quality Tools
Java Code Quality ToolsJava Code Quality Tools
Java Code Quality ToolsOrest Ivasiv
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review ProcessSherif Koussa
 
Best Practices of Static Code Analysis in the SDLC
Best Practices of Static Code Analysis in the SDLCBest Practices of Static Code Analysis in the SDLC
Best Practices of Static Code Analysis in the SDLCParasoft_Mitchell
 
Java exception handling
Java exception handlingJava exception handling
Java exception handlingBHUVIJAYAVELU
 
Code review guidelines
Code review guidelinesCode review guidelines
Code review guidelinesLalit Kale
 
L27
L27L27
L27NathannyabvureMapisa
 
Security asp.net application
Security asp.net applicationSecurity asp.net application
Security asp.net applicationZAIYAUL HAQUE
 
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleDeploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleAchim D. Brucker
 

Más contenido relacionado

La actualidad más candente

Top 10 static code analysis tool
Top 10 static code analysis toolTop 10 static code analysis tool
Top 10 static code analysis toolscmGalaxy Inc
 
Server Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonServer Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonMandeep Jadon
 
Security Testing
Security TestingSecurity Testing
Security TestingKiran Kumar
 
PVS-Studio and static code analysis technique
PVS-Studio and static code analysis techniquePVS-Studio and static code analysis technique
PVS-Studio and static code analysis techniqueAndrey Karpov
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security AgileOleg Gryb
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestStatic Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestDenim Group
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesWebsecurify
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practicesNeoito
 
Static code analysis
Static code analysisStatic code analysis
Static code analysisRune Sundling
 
Static Analysis Primer
Static Analysis PrimerStatic Analysis Primer
Static Analysis PrimerCoverity
 
DevSecOps: Securing Applications with DevOps
DevSecOps: Securing Applications with DevOpsDevSecOps: Securing Applications with DevOps
DevSecOps: Securing Applications with DevOpsWouter de Kort
 
Java Code Quality Tools
Java Code Quality ToolsJava Code Quality Tools
Java Code Quality ToolsOrest Ivasiv
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review ProcessSherif Koussa
 
Best Practices of Static Code Analysis in the SDLC
Best Practices of Static Code Analysis in the SDLCBest Practices of Static Code Analysis in the SDLC
Best Practices of Static Code Analysis in the SDLCParasoft_Mitchell
 
Java exception handling
Java exception handlingJava exception handling
Java exception handlingBHUVIJAYAVELU
 
Code review guidelines
Code review guidelinesCode review guidelines
Code review guidelinesLalit Kale
 

La actualidad más candente (20)

Top 10 static code analysis tool
Top 10 static code analysis toolTop 10 static code analysis tool
Top 10 static code analysis tool
 
Server Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonServer Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep Jadon
 
Code review
Code reviewCode review
Code review
 
Security Testing
Security TestingSecurity Testing
Security Testing
 
PVS-Studio and static code analysis technique
PVS-Studio and static code analysis techniquePVS-Studio and static code analysis technique
PVS-Studio and static code analysis technique
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestStatic Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best Practices
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practices
 
Static code analysis
Static code analysisStatic code analysis
Static code analysis
 
Static Analysis Primer
Static Analysis PrimerStatic Analysis Primer
Static Analysis Primer
 
DevSecOps: Securing Applications with DevOps
DevSecOps: Securing Applications with DevOpsDevSecOps: Securing Applications with DevOps
DevSecOps: Securing Applications with DevOps
 
Java Code Quality Tools
Java Code Quality ToolsJava Code Quality Tools
Java Code Quality Tools
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review Process
 
Best Practices of Static Code Analysis in the SDLC
Best Practices of Static Code Analysis in the SDLCBest Practices of Static Code Analysis in the SDLC
Best Practices of Static Code Analysis in the SDLC
 
Java exception handling
Java exception handlingJava exception handling
Java exception handling
 
Code review guidelines
Code review guidelinesCode review guidelines
Code review guidelines
 
L27
L27L27
L27
 

Destacado

Security asp.net application
Security asp.net applicationSecurity asp.net application
Security asp.net applicationZAIYAUL HAQUE
 
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleDeploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleAchim D. Brucker
 
Microsoft asp.net identity security
Microsoft asp.net identity securityMicrosoft asp.net identity security
Microsoft asp.net identity securityrustd
 
Security Code Review: Magic or Art?
Security Code Review: Magic or Art?Security Code Review: Magic or Art?
Security Code Review: Magic or Art?Sherif Koussa
 
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015gmaran23
 
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...gmaran23
 
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)OWASP Ottawa
 
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...gmaran23
 
PCI security requirements secure coding and code review 2014
PCI security requirements secure coding and code review 2014PCI security requirements secure coding and code review 2014
PCI security requirements secure coding and code review 2014Haitham Raik
 
Sass Code Reviews - How one code review changed my life #SassConf2015
Sass Code Reviews - How one code review changed my life #SassConf2015Sass Code Reviews - How one code review changed my life #SassConf2015
Sass Code Reviews - How one code review changed my life #SassConf2015Stacy Kvernmo
 
«Вредоносные браузерные расширения и борьба с ними», Александра Сватикова (Од...
«Вредоносные браузерные расширения и борьба с ними», Александра Сватикова (Од...«Вредоносные браузерные расширения и борьба с ними», Александра Сватикова (Од...
«Вредоносные браузерные расширения и борьба с ними», Александра Сватикова (Од...OWASP Russia
 
«Android Activity Hijacking», Евгений Блашко, Юрий Шабалин (АО «Сбербанк-Тех...
«Android Activity Hijacking», Евгений Блашко, Юрий Шабалин (АО «Сбербанк-Тех...«Android Activity Hijacking», Евгений Блашко, Юрий Шабалин (АО «Сбербанк-Тех...
«Android Activity Hijacking», Евгений Блашко, Юрий Шабалин (АО «Сбербанк-Тех...OWASP Russia
 

Destacado (16)

Security asp.net application
Security asp.net applicationSecurity asp.net application
Security asp.net application
 
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleDeploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large Scale
 
Microsoft asp.net identity security
Microsoft asp.net identity securityMicrosoft asp.net identity security
Microsoft asp.net identity security
 
Security Code Review: Magic or Art?
Security Code Review: Magic or Art?Security Code Review: Magic or Art?
Security Code Review: Magic or Art?
 
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
 
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#
 
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
 
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
 
PCI security requirements secure coding and code review 2014
PCI security requirements secure coding and code review 2014PCI security requirements secure coding and code review 2014
PCI security requirements secure coding and code review 2014
 
ASP.NET Core Security
ASP.NET Core SecurityASP.NET Core Security
ASP.NET Core Security
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Sass Code Reviews - How one code review changed my life #SassConf2015
Sass Code Reviews - How one code review changed my life #SassConf2015Sass Code Reviews - How one code review changed my life #SassConf2015
Sass Code Reviews - How one code review changed my life #SassConf2015
 
«Вредоносные браузерные расширения и борьба с ними», Александра Сватикова (Од...
«Вредоносные браузерные расширения и борьба с ними», Александра Сватикова (Од...«Вредоносные браузерные расширения и борьба с ними», Александра Сватикова (Од...
«Вредоносные браузерные расширения и борьба с ними», Александра Сватикова (Од...
 
«Android Activity Hijacking», Евгений Блашко, Юрий Шабалин (АО «Сбербанк-Тех...
«Android Activity Hijacking», Евгений Блашко, Юрий Шабалин (АО «Сбербанк-Тех...«Android Activity Hijacking», Евгений Блашко, Юрий Шабалин (АО «Сбербанк-Тех...
«Android Activity Hijacking», Евгений Блашко, Юрий Шабалин (АО «Сбербанк-Тех...
 

Similar a Code Review Strategies for Secure Web Applications

How to use Approval Tests for C++ Effectively
How to use Approval Tests for C++ EffectivelyHow to use Approval Tests for C++ Effectively
How to use Approval Tests for C++ EffectivelyClare Macrae
 
Securing Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTPSecuring Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTPRafal Gancarz
 
Software Development in the Age of Breaches
Software Development in the Age of BreachesSoftware Development in the Age of Breaches
Software Development in the Age of BreachesKarthik Bhat
 
Web Services Automated Testing via SoapUI Tool
Web Services Automated Testing via SoapUI ToolWeb Services Automated Testing via SoapUI Tool
Web Services Automated Testing via SoapUI ToolSperasoft
 
AppsSec In a DevOps World
AppsSec In a DevOps WorldAppsSec In a DevOps World
AppsSec In a DevOps WorldParasoft
 
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능Hyperledger Korea User Group
 
Continuous Security Testing in a Devops World #OWASPHelsinki
Continuous Security Testing in a Devops World #OWASPHelsinkiContinuous Security Testing in a Devops World #OWASPHelsinki
Continuous Security Testing in a Devops World #OWASPHelsinkiStephen de Vries
 
Continuous Security Testing in a Devops World
Continuous Security Testing in a Devops WorldContinuous Security Testing in a Devops World
Continuous Security Testing in a Devops WorldStephen de Vries
 
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menaceDEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menaceFelipe Prado
 
Testing Ext JS and Sencha Touch
Testing Ext JS and Sencha TouchTesting Ext JS and Sencha Touch
Testing Ext JS and Sencha TouchMats Bryntse
 
Continuous Security Testing with Devops - OWASP EU 2014
Continuous Security Testing with Devops - OWASP EU 2014Continuous Security Testing with Devops - OWASP EU 2014
Continuous Security Testing with Devops - OWASP EU 2014Stephen de Vries
 
Securing your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggSecuring your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggStreamNative
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Matt Raible
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache ShiroMarakana Inc.
 
Code your Own: Authentication Provider for Blackboard Learn
Code your Own: Authentication Provider for Blackboard LearnCode your Own: Authentication Provider for Blackboard Learn
Code your Own: Authentication Provider for Blackboard LearnDan Rinzel
 

Similar a Code Review Strategies for Secure Web Applications (20)

How to use Approval Tests for C++ Effectively
How to use Approval Tests for C++ EffectivelyHow to use Approval Tests for C++ Effectively
How to use Approval Tests for C++ Effectively
 
Security in Node.JS and Express:
Security in Node.JS and Express:Security in Node.JS and Express:
Security in Node.JS and Express:
 
Rails Security
Rails SecurityRails Security
Rails Security
 
Securing Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTPSecuring Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTP
 
Software Development in the Age of Breaches
Software Development in the Age of BreachesSoftware Development in the Age of Breaches
Software Development in the Age of Breaches
 
Web Services Automated Testing via SoapUI Tool
Web Services Automated Testing via SoapUI ToolWeb Services Automated Testing via SoapUI Tool
Web Services Automated Testing via SoapUI Tool
 
AppsSec In a DevOps World
AppsSec In a DevOps WorldAppsSec In a DevOps World
AppsSec In a DevOps World
 
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
 
Continuous Security Testing in a Devops World #OWASPHelsinki
Continuous Security Testing in a Devops World #OWASPHelsinkiContinuous Security Testing in a Devops World #OWASPHelsinki
Continuous Security Testing in a Devops World #OWASPHelsinki
 
Continuous Security Testing in a Devops World
Continuous Security Testing in a Devops WorldContinuous Security Testing in a Devops World
Continuous Security Testing in a Devops World
 
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menaceDEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
 
Testing Ext JS and Sencha Touch
Testing Ext JS and Sencha TouchTesting Ext JS and Sencha Touch
Testing Ext JS and Sencha Touch
 
Continuous Security Testing with Devops - OWASP EU 2014
Continuous Security Testing with Devops - OWASP EU 2014Continuous Security Testing with Devops - OWASP EU 2014
Continuous Security Testing with Devops - OWASP EU 2014
 
Securing your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggSecuring your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris Kellogg
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache Shiro
 
CodeChecker Overview Nov 2019
CodeChecker Overview Nov 2019CodeChecker Overview Nov 2019
CodeChecker Overview Nov 2019
 
Secure all things with CBSecurity 3
Secure all things with CBSecurity 3Secure all things with CBSecurity 3
Secure all things with CBSecurity 3
 
Security testing
Security testingSecurity testing
Security testing
 
Code your Own: Authentication Provider for Blackboard Learn
Code your Own: Authentication Provider for Blackboard LearnCode your Own: Authentication Provider for Blackboard Learn
Code your Own: Authentication Provider for Blackboard Learn
 

Último

Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 

Último (20)

Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 

Code Review Strategies for Secure Web Applications

  • 1. Code Review for Secure Web Applications With java samples
  • 2. Bibliography • OWASP – Open web applications security projects – www.owasp.org • OWASP Code review guide
  • 3. Introduction • Code reviews: – Ad hoc reviews – Pair programming – Walkthrough – Team review – Inspection • Purpose – security
  • 4. Code review strategies • Automatic • Manual – use checklists – Risk based – Most encountered programming mistakes – Mitigation of most encountered vulnerabilities exploited in the world – Security best practices
  • 5. Checklist based on best practices • Authentication • Authorization • Session management • Input validation and output sanitization
  • 6. Checklist based on best practices To be presented next meeting • Prevent Cross Site Request Forgery • Cryptographic controls • Error handling • Logging • Prevent Race conditions
  • 7. Authentication • Check user is not allowed to choose weak passwords Bad: String password = request.getParameter("Password"); if (password == Null) {throw InvalidPasswordException() }
  • 8. Authentication • Check user is not allowed to choose weak passwords OK: if password.RegEx([a-z]) and password.RegEx([A-Z]) and password.RegEx([0-9]) and password.RegEx({8-30}) and password.RexEX([!"£$%^&*()]) return true; else return false;
  • 9. Authentication • Password storage strategy: hashing using a one-way hash algorithm + salting OK hashing: import java.security.MessageDigest; public byte[] getHash(String password) throws NoSuchAlgorithmException { MessageDigest digest = MessageDigest.getInstance("SHA-1"); digest.reset(); byte[] input = digest.digest(password.getBytes("UTF-8")); }
  • 10. Authentication • Password storage strategy: hashing using a one-way hash algorithm + salting OK salting: import java.security.MessageDigest; public byte[] getHash(String password, byte[] salt) throws NoSuchAlgorithmException { MessageDigest digest = MessageDigest.getInstance("SHA- 256"); digest.reset(); digest.update(salt); return digest.digest(password.getBytes("UTF-8")); }
  • 11. Authorization • Check the access roles matrix and make sure it is created respecting the need-to-know and least- privilege principle • Check the business logic for errors Bad: if user.equals("NormalUser") { grantUser(Normal_Permissions); } else{ //user must be admin/super grantUser("Super_Permissions); }
  • 12. Authorization • Check if security by obscurity is used • Check if authorization is verified for every request Good: String action = request.getParameter("action"); if (action.equals("doStuff")) boolean permit = session.authTable.isAuthorised(action); if (permit) doStuff(); else{ throw new (InvalidRequestException("Unauthorised request"); session.invalidate(); }
  • 13. Session Management • Check if only framework’s session manager is used • Check the cryptographic strength, the length of the sessions and character pool • Check that sessionIds coming from clients are validated • Check there is a timeout implemented for idle sessions • Check session is destroyed on logout
  • 14. Input validation and output sanitization • Ensure 2 separate validations occur: first a security validation, then a business validation • Ensure in the security validation, data are canonicalized first public static void main(String[] args) { File x = new File("/cmd/" + args[1]); String absPath = x.getAbsolutePath(); String canonicalPath = x.getCanonicalPath(); }
  • 15. Input validation and output sanitization • Check that all input that traversed untrusted zones is validated, not only user input • Check that validators or sanitizers are adapted for the modules that receives/uses data – encode, escape, etc • Check validators are applied in a safe side (never client side)
  • 16. Input validation and output sanitization public class DoStuff { public String executeCommand(String userName) { try { String myUid = userName; Runtime rt = Runtime.getRuntime(); rt.exec("cmd.exe /C doStuff.exe " +”-“ +myUid); } catch(Exception e) { e.printStackTrace(); } } }
  • 17. Input validation and output sanitization String myQuery = “select food from foods where name=?”; String sortOrder=request.getParameter(“order”); myQuery+=sortOrder; PreparedStatement preparedStatement = connection.prepareStatement(myQuery); preparedStatement.setString(1, “Shaorma”); ResultSet resultSet = preparedStatement.executeQuery();
  • 18. Input validation and output sanitization import java.io.*; import javax.servlet.http.*; import javax.servlet.*; public class HelloServlet extends HttpServlet { public void doGet (HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { String input = req.getHeader(“USERINPUT”); PrintWriter out = res.getWriter(); out.println(Server.HTMLEncode(input)); out.close(); } }
  • 19. Thank you for the interest Questions?
  • 20. Prevent Cross Site Script Forgery