5. THE BEST DEFENSE IS A GOOD OFFENSE
In order to implement such
strong code, the company must
develop with secure coding
practices in mind.
6. WHAT IS SOFTWARE?
Software is described as operating systems, application programs and
data that is used by products containing microprocessors
7. WHAT IS SOURCE CODE?
Source code is defined as a version
of software written by the developer
in plain text (i.e., human readable
alphanumeric characters)
8. WHAT IS PROGRAMMING LANGUAGE?
In order to write source code, a
programming language must be selected
from a large pool of available
programming languages. A few common
programming languages are
JavaScript, Python, C, C++, Visual
Basic, and Perl.
13. COMMON CODING ERRORS – SQL INJECTION
Intruder can gain unauthorized access to database
Intruder can read and modify data
Integrity, confidentiality, and privacy compromised
14. COMMON CODING ERRORS – BUFFER OVERFLOW
Attacker can crash the program
Attacker can inject his own code
into the program
Availability, integrity, privacy, and
confidentiality compromised
15. COMMON CODING ERRORS – RACE CONDITIONS
Attacker can insert malicious code
and interfere with the normal
execution of the program
Attacker can exhaust the
computer’s resources
Availability and confidentiality
compromised
16. KEY CODING PRINCIPLES
Least Privilege
Keep it Simple
Validate Input
Practice defense in Depth
17. “Need-to know” principle
Access should be restricted
High clearance should be allowed only for a limited time
Reduces the impact an attacker can have and reduces the possibility
of attacks
KEY CODING PRINCIPLES – LEAST PRIVILEGE
18. Complex systems have more surface
area for attack
Complexity creates errors
Complexity demands more resources
KEY CODING PRINCIPLES – KEEP IT SIMPLE
19. Input from external parties can be very dangerous
Every company should have a set of policies on handling input
Reduced risk of malicious data causing damage
KEY CODING PRINCIPLES – VALIDATING INPUT
20. A good system should have multiple
layers of security
More layers of security means more
trouble for an attacker
Helps mitigate insecure coding issues
KEY CODING PRINCIPLES –DEFENSE IN DEPTH
22. Software designers and programmers examine source code quality
Expensive, labor intensive , and highly effective
More than 75% of faults are found through this method
SECURE CODE ANALYSIS – MANUAL CODE REVIEW
23. Overt penetration testing has the pseudo-attacker working with the
organization
Covert penetration testing is a simulated attack
without the knowledge of most of the
organization
Overt testing is effective for finding faults, but
ineffective at testing incident response and
attack detection
Covert testing does test the organizations ability to respond to
attacks, but is very time consuming and costly
SECURE CODE ANALYSIS – PENETRATION TESTING
24. White box testing gives the pseudo-
attacker full access to the organizations
structure and defenses
It is cost effective and less like real life
Black box testing gives the pseudo-
attacker little to no information
It simulates real life well, but is very costly
SECURE CODE ANALYSIS – PENETRATION TESTING
25. A tool meant for analyzing the
executable program, rather than the
source code
Covers a wide scope, not user-
friendly, many false positives
SECURE CODE ANALYSIS – STATIC ANALYSIS
26. Analyzes the program behavior
while it is running
Precise and valid results
SECURE CODE ANALYSIS – DYNAMIC ANALYSIS
27. CONCLUSION
Importance of source code and secure development
Common coding errors
Key coding principles
Secure code analysis