SlideShare una empresa de Scribd logo

Security Code Review 101

Descargar como PPTX, PDF
P
Paul Ionescu

Code review is, hopefully, part of regular development practices for any organization. Adding security elements to code review can be the most effective measure in preventing vulnerabilities, very early in the development lifecycle, even before the first commit. This is an interactive presentation which will contain the basic elements to get you started. The audience will help review more than a dozen software examples in order to figure out the good from the ugly. The software examples are based on OWASP Top 10 and SANS Top 25 favourites such as Injection, Memory Flaws, Sensitive Data Exposure, Cross-Site Scripting and Broken Access Control.

Software
1 de 69
About Me
The Tip of the Iceberg Input Validation Parameterized Commands Safe functions Indirect Object References Encrypt Data Safe Memory Management Neutralize Output
Input Validation • Only allow input that you are expecting • Wouldyou letsomeonein your house ifyou thoughttheyshouldnot bethere? • Block lists are inefficient • Wouldyou maintaina block listofpeoplethatcannot cometoyour house? • Block listing-likegiving keys toyour house toeveryone excepta fewunwanted visitors.
LET'S PLAY, SPOT THE VALIDATION PROBLEM!
Answer: Both
Answer: Top
Special Characters Not Needed • Many parameter types not intended to contain symbols or punctuation • Many not even intended to contain Unicode characters • Parameters going into database queries such as ID, true/false, asc/desc have even a smaller character set Alphanumeric Alphanumeric + .-_
Input Validation Function Example
A Simple Multi-Purpose Function isAlphanumOrEx("true") isAlphanumOrEx("desc") isAlphanumOrEx("21845816438168") isAlphanumOrEx("0x0709750fa566") isAlphanumOrEx("Cr2i7nHq6qiMEs") isAlphanumOrEx("site.local",'.')
𝑽𝒖𝒍𝒏𝒆𝒓𝒂𝒃𝒊𝒍𝒊𝒕𝒊𝒆𝒔 = 𝑭( 𝑰𝒏𝒑𝒖𝒕 𝟏 + 𝑽𝒂𝒍𝒊𝒅𝒂𝒕𝒊𝒐𝒏 )
Attacks Prevented by Input Validation •Injection •Path Traversal •Cross-Site Scripting •Open Redirect •Deserialization …
How About the Irish? •Names, comments, articles, free text require quotes: •O'Brien, don't, "putting things in quotes" •While input validation reduces the attack surface, it cannot prevent all attacks
To sum all it up… •Input Validation reduces the attack surface and prevents many attack types •Block-listing is a bad practice •Many input types are alphanumeric •For those input types that need special characters we need different defenses
CONCATENATION … causes Injection! COMMAND +INPUT= INJECTION
CONCATENATION Command Constant Parameter 1 Input Parameter 2 Input Command Interpreter … prevent Injection!
LET'S PLAY, SPOT THE INJECTION!
Answer: Top
Answer: Top
ORM Frameworks • ORM = Object Relational Mapping • ORM Frameworks keep developers away from SQL Queries • Popular ORM Framework: Hibernate Command Constant Parameter 1 Input Parameter 2 Input Command Interpreter Object Field1 Input Field2 Input
To sum all it up… •Parameterized Commands handle situations where hazardous chars are needed •ORM Frameworks prevent mistakes
Problems with Memory •Classic Overflow •Incorrect Calculation of Buffer Size •Off by One •Format String Injection •Use-after-free
Memory Safer Functions fgets(dest_buff, BUFF_SIZE, stdin) snprintf(dest_buff, BUFF_SIZE, format, …); strncpy(dest_buff, src_buff, BUFF_SIZE); strncmp(buff1, buff2, BUFF_SIZE); If the BUFF_SIZE argument is larger than the size of the buffer: OVERFLOW!
Check Boundaries •A simple comparison against a known limit constant can go a long way to prevent serious logical attacks. •Pay special attention to comparison operators • < vs <=, <= can lead to off by one •Make sure the same constant is used to define buffer size and check boundaries
• Format String Injection is a type of memory flaw caused by concatenating or using user input in a format parameter. Memory Injection?
LET'S PLAY, SPOT THE MEMORY PROBLEM!
Answer: Bottom (use of dangerous functions)
Answer: Bottom (incorrect calculation of buffer size)
Answer: Top (Format String Injection)
Answer: Top (Off by One)
To sum all it up… •Safer functions allow limiting the number of bytes read into the buffer •Even with safe functions special attention should be paid to size specified, very important to use constants to prevent mistakes •Do not allow user input in format strings •Careful with <= operator
Securing Data • The General Data Privacy Regulation (GDPR) has put additional emphasis on maintaining the security and privacy of data • Data should be transmitted and stored securely • Cryptography is one critical way to achieve this mandate • Secure protocols: TLS 1.2, TLS 1.3 • Secure ciphers: ECDHE • Strong digital signatures: SHA-2 • Reject invalid certificates and even more, enforce certificate pinning • Strong authenticated symmetric encryption in transit and at rest: AES 256 GCM • Other ways: • Anonymize private data • Do not collect or send private data • Short data retention • Ensure customer control over own data
LET'S PLAY, SPOT THE DATA BREACH!
Answer: Top (Password stored with weak un- salted hash)
Answer: Bottom (User and password transmitted in clear text)
Answer: Top (Person details and credit card number saved in the clear to S3 bucket)
To sum all it up… •Avoid collecting data for individuals •Pseudonymize the data. Strong salted hashes can be used, replace key data with * •Use strong cryptographic algorithms •All communication should be encrypted. •Data classification is risky so when in doubt, encrypt all data
Protect the Web UIs • Enterprise applications are using Web UIs • HTML is good looking, platform independent and powerful • JavaScript libraries such as jQuery, React and Angular make UIs responsive and versatile
Cross-Site Scripting (XSS) • The ability to inject arbitrary JavaScript into a web page • Reflected • Stored • DOM based • Easy to introduce • Easy to find • Leads to data breaches through spoofing attacks
Defending against XSS • Input validation ;) • Neutralize Output • Server Pages -> HTML Encoding (Escaping) • < becomes &lt; • > becomes &gt; • " becomes &quot; • JavaScript (DOM XSS) • Dangerous Attributes • innerHTML • src • onLoad, onClick, etc… • Dangerous Functions • eval • setTimeout • setInterval
HTML Encoding Neutralizes XSS
LET'S PLAY, SPOT THE XSS!
Answer: Bottom (User input is written into the page as is)
Answer: Bottom (Data is written into a dangerous HTML attribute)
Answer: Top (Code is executing a dangerous function, actually an example of code injection)
Answer: Bottom (Input is being reflected between the <script> tags)
To sum all it up… •XSS is easy to introduce and easy to find •Encoding should be applied to all server side generated content. •Additional encoding of single quotes required •Dangerous HTML contexts should be handled with care or avoided
Indirect Object References • Object accessed indirectly through an intermediary identifier • Prevent parameter path manipulation • fileId=1 vs file=/etc/passwd • Prevent transmission of potential sensitive data in URLs • userId=2 vs user=john_doe • Input validation facilitated (identifiers are numbers or GUIDs) 1 2 3
LET'S PLAY, SPOT THE PATH TRAVERSAL!
Answer: Top (Input is concatenated to a system path allowing manipulation)
To sum all it up… •Reduce the attack surface by enforcing accessing objects through identifiers rather than actual representation •Identifiers can be input validated easier, also solve encoding issues
Security Code Review 101
Security Code Review 101

Recomendados

Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
Secure coding-guidelines
Secure coding-guidelinesSecure coding-guidelines
Secure coding-guidelinesTrupti Shiralkar, CISSP
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101Narudom Roongsiriwong, CISSP
 
Secure PHP Coding
Secure PHP CodingSecure PHP Coding
Secure PHP CodingNarudom Roongsiriwong, CISSP
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#Siddharth Bezalwar
 

Recomendados

Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
Secure coding-guidelines
Secure coding-guidelinesSecure coding-guidelines
Secure coding-guidelinesTrupti Shiralkar, CISSP
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101Narudom Roongsiriwong, CISSP
 
Secure PHP Coding
Secure PHP CodingSecure PHP Coding
Secure PHP CodingNarudom Roongsiriwong, CISSP
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#Siddharth Bezalwar
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
Application Security
Application SecurityApplication Security
Application SecurityReggie Niccolo Santos
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Secure code
Secure codeSecure code
Secure codeddeogun
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesMohammed Danish Amber
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples42Crunch
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMMikhail Egorov
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksIndusfacePvtLtd
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingNetsparker
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security VulnerabilitiesMarius Vorster
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
[Warsaw 26.06.2018] SDL Threat Modeling principles
[Warsaw 26.06.2018] SDL Threat Modeling principles[Warsaw 26.06.2018] SDL Threat Modeling principles
[Warsaw 26.06.2018] SDL Threat Modeling principlesOWASP
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a DatabaseJohn Ashmead
 
Something Died Inside Your Git Repo
Something Died Inside Your Git RepoSomething Died Inside Your Git Repo
Something Died Inside Your Git RepoCliff Smith
 

Más contenido relacionado

La actualidad más candente

Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Secure code
Secure codeSecure code
Secure codeddeogun
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples42Crunch
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMMikhail Egorov
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksIndusfacePvtLtd
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingNetsparker
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security VulnerabilitiesMarius Vorster
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
[Warsaw 26.06.2018] SDL Threat Modeling principles
[Warsaw 26.06.2018] SDL Threat Modeling principles[Warsaw 26.06.2018] SDL Threat Modeling principles
[Warsaw 26.06.2018] SDL Threat Modeling principlesOWASP
 

La actualidad más candente (20)

Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Application Security
Application SecurityApplication Security
Application Security
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and Security
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Secure code
Secure codeSecure code
Secure code
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORM
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security Risks
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security Vulnerabilities
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
[Warsaw 26.06.2018] SDL Threat Modeling principles
[Warsaw 26.06.2018] SDL Threat Modeling principles[Warsaw 26.06.2018] SDL Threat Modeling principles
[Warsaw 26.06.2018] SDL Threat Modeling principles
 

Similar a Security Code Review 101

How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a DatabaseJohn Ashmead
 
Something Died Inside Your Git Repo
Something Died Inside Your Git RepoSomething Died Inside Your Git Repo
Something Died Inside Your Git RepoCliff Smith
 
Workshop on Network Security
Workshop on Network SecurityWorkshop on Network Security
Workshop on Network SecurityUC San Diego
 
Secure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago HenriquesSecure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago HenriquesTiago Henriques
 
Open source security
Open source securityOpen source security
Open source securitylrigknat
 
Writing Secure Code – Threat Defense
Writing Secure Code – Threat DefenseWriting Secure Code – Threat Defense
Writing Secure Code – Threat Defenseamiable_indian
 
IBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's StandpointIBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's StandpointLuis Grangeia
 
Cm9 secure code_training_1day_input sanitization
Cm9 secure code_training_1day_input sanitizationCm9 secure code_training_1day_input sanitization
Cm9 secure code_training_1day_input sanitizationdcervigni
 
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...Ruby Meditation
 
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraReversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraNelson Brito
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...nooralmousa
 
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)Sam Bowne
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Web Application Security and Modern Frameworks
Web Application Security and Modern FrameworksWeb Application Security and Modern Frameworks
Web Application Security and Modern Frameworkslastrand
 

Similar a Security Code Review 101 (20)

How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
 
Something Died Inside Your Git Repo
Something Died Inside Your Git RepoSomething Died Inside Your Git Repo
Something Died Inside Your Git Repo
 
Workshop on Network Security
Workshop on Network SecurityWorkshop on Network Security
Workshop on Network Security
 
Secure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago HenriquesSecure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago Henriques
 
Web Security
Web SecurityWeb Security
Web Security
 
Open source security
Open source securityOpen source security
Open source security
 
Writing Secure Code – Threat Defense
Writing Secure Code – Threat DefenseWriting Secure Code – Threat Defense
Writing Secure Code – Threat Defense
 
Luis Grangeia IBWAS
Luis Grangeia IBWASLuis Grangeia IBWAS
Luis Grangeia IBWAS
 
IBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's StandpointIBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's Standpoint
 
Cm9 secure code_training_1day_input sanitization
Cm9 secure code_training_1day_input sanitizationCm9 secure code_training_1day_input sanitization
Cm9 secure code_training_1day_input sanitization
 
Introduction to threat_modeling
Introduction to threat_modelingIntroduction to threat_modeling
Introduction to threat_modeling
 
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
 
Owasp & Asp.Net
Owasp & Asp.NetOwasp & Asp.Net
Owasp & Asp.Net
 
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraReversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
 
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
Web security 101
Web security 101Web security 101
Web security 101
 
Websec
WebsecWebsec
Websec
 
Web Application Security and Modern Frameworks
Web Application Security and Modern FrameworksWeb Application Security and Modern Frameworks
Web Application Security and Modern Frameworks
 

Último

How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...kalichargn70th171
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfVishalKumarJha10
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplatePresentation.STUDIO
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfproinshot.com
 
How to Choose the Right Laravel Development Partner in New York City_compress...
How to Choose the Right Laravel Development Partner in New York City_compress...How to Choose the Right Laravel Development Partner in New York City_compress...
How to Choose the Right Laravel Development Partner in New York City_compress...software pro Development
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech studentsHimanshiGarg82
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfAzure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfryanfarris8
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024Mind IT Systems
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdfPearlKirahMaeRagusta1
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 

Último (20)

How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
How to Choose the Right Laravel Development Partner in New York City_compress...
How to Choose the Right Laravel Development Partner in New York City_compress...How to Choose the Right Laravel Development Partner in New York City_compress...
How to Choose the Right Laravel Development Partner in New York City_compress...
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfAzure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 

Security Code Review 101

  • 1.
  • 3. The Tip of the Iceberg Input Validation Parameterized Commands Safe functions Indirect Object References Encrypt Data Safe Memory Management Neutralize Output
  • 4. Input Validation • Only allow input that you are expecting • Wouldyou letsomeonein your house ifyou thoughttheyshouldnot bethere? • Block lists are inefficient • Wouldyou maintaina block listofpeoplethatcannot cometoyour house? • Block listing-likegiving keys toyour house toeveryone excepta fewunwanted visitors.
  • 6.
  • 8.
  • 10. Special Characters Not Needed • Many parameter types not intended to contain symbols or punctuation • Many not even intended to contain Unicode characters • Parameters going into database queries such as ID, true/false, asc/desc have even a smaller character set Alphanumeric Alphanumeric + .-_
  • 12. A Simple Multi-Purpose Function isAlphanumOrEx("true") isAlphanumOrEx("desc") isAlphanumOrEx("21845816438168") isAlphanumOrEx("0x0709750fa566") isAlphanumOrEx("Cr2i7nHq6qiMEs") isAlphanumOrEx("site.local",'.')
  • 14. Attacks Prevented by Input Validation •Injection •Path Traversal •Cross-Site Scripting •Open Redirect •Deserialization …
  • 15. How About the Irish? •Names, comments, articles, free text require quotes: •O'Brien, don't, "putting things in quotes" •While input validation reduces the attack surface, it cannot prevent all attacks
  • 16. To sum all it up… •Input Validation reduces the attack surface and prevents many attack types •Block-listing is a bad practice •Many input types are alphanumeric •For those input types that need special characters we need different defenses
  • 18. CONCATENATION Command Constant Parameter 1 Input Parameter 2 Input Command Interpreter … prevent Injection!
  • 20.
  • 22.
  • 24. ORM Frameworks • ORM = Object Relational Mapping • ORM Frameworks keep developers away from SQL Queries • Popular ORM Framework: Hibernate Command Constant Parameter 1 Input Parameter 2 Input Command Interpreter Object Field1 Input Field2 Input
  • 25. To sum all it up… •Parameterized Commands handle situations where hazardous chars are needed •ORM Frameworks prevent mistakes
  • 26. Problems with Memory •Classic Overflow •Incorrect Calculation of Buffer Size •Off by One •Format String Injection •Use-after-free
  • 27. Memory Safer Functions fgets(dest_buff, BUFF_SIZE, stdin) snprintf(dest_buff, BUFF_SIZE, format, …); strncpy(dest_buff, src_buff, BUFF_SIZE); strncmp(buff1, buff2, BUFF_SIZE); If the BUFF_SIZE argument is larger than the size of the buffer: OVERFLOW!
  • 28. Check Boundaries •A simple comparison against a known limit constant can go a long way to prevent serious logical attacks. •Pay special attention to comparison operators • < vs <=, <= can lead to off by one •Make sure the same constant is used to define buffer size and check boundaries
  • 29. • Format String Injection is a type of memory flaw caused by concatenating or using user input in a format parameter. Memory Injection?
  • 30. LET'S PLAY, SPOT THE MEMORY PROBLEM!
  • 31.
  • 32. Answer: Bottom (use of dangerous functions)
  • 33.
  • 35.
  • 37.
  • 39. To sum all it up… •Safer functions allow limiting the number of bytes read into the buffer •Even with safe functions special attention should be paid to size specified, very important to use constants to prevent mistakes •Do not allow user input in format strings •Careful with <= operator
  • 40. Securing Data • The General Data Privacy Regulation (GDPR) has put additional emphasis on maintaining the security and privacy of data • Data should be transmitted and stored securely • Cryptography is one critical way to achieve this mandate • Secure protocols: TLS 1.2, TLS 1.3 • Secure ciphers: ECDHE • Strong digital signatures: SHA-2 • Reject invalid certificates and even more, enforce certificate pinning • Strong authenticated symmetric encryption in transit and at rest: AES 256 GCM • Other ways: • Anonymize private data • Do not collect or send private data • Short data retention • Ensure customer control over own data
  • 42.
  • 43. Answer: Top (Password stored with weak un- salted hash)
  • 44.
  • 45. Answer: Bottom (User and password transmitted in clear text)
  • 46.
  • 47. Answer: Top (Person details and credit card number saved in the clear to S3 bucket)
  • 48. To sum all it up… •Avoid collecting data for individuals •Pseudonymize the data. Strong salted hashes can be used, replace key data with * •Use strong cryptographic algorithms •All communication should be encrypted. •Data classification is risky so when in doubt, encrypt all data
  • 49. Protect the Web UIs • Enterprise applications are using Web UIs • HTML is good looking, platform independent and powerful • JavaScript libraries such as jQuery, React and Angular make UIs responsive and versatile
  • 50. Cross-Site Scripting (XSS) • The ability to inject arbitrary JavaScript into a web page • Reflected • Stored • DOM based • Easy to introduce • Easy to find • Leads to data breaches through spoofing attacks
  • 51. Defending against XSS • Input validation ;) • Neutralize Output • Server Pages -> HTML Encoding (Escaping) • < becomes &lt; • > becomes &gt; • " becomes &quot; • JavaScript (DOM XSS) • Dangerous Attributes • innerHTML • src • onLoad, onClick, etc… • Dangerous Functions • eval • setTimeout • setInterval
  • 54.
  • 55. Answer: Bottom (User input is written into the page as is)
  • 56.
  • 57. Answer: Bottom (Data is written into a dangerous HTML attribute)
  • 58.
  • 59. Answer: Top (Code is executing a dangerous function, actually an example of code injection)
  • 60.
  • 61. Answer: Bottom (Input is being reflected between the <script> tags)
  • 62. To sum all it up… •XSS is easy to introduce and easy to find •Encoding should be applied to all server side generated content. •Additional encoding of single quotes required •Dangerous HTML contexts should be handled with care or avoided
  • 63. Indirect Object References • Object accessed indirectly through an intermediary identifier • Prevent parameter path manipulation • fileId=1 vs file=/etc/passwd • Prevent transmission of potential sensitive data in URLs • userId=2 vs user=john_doe • Input validation facilitated (identifiers are numbers or GUIDs) 1 2 3
  • 64. LET'S PLAY, SPOT THE PATH TRAVERSAL!
  • 65.
  • 66. Answer: Top (Input is concatenated to a system path allowing manipulation)
  • 67. To sum all it up… •Reduce the attack surface by enforcing accessing objects through identifiers rather than actual representation •Identifiers can be input validated easier, also solve encoding issues