SECURE DEVELOPMENT OF CODE

ACC 626 Term Paper

Salome Victor

20316185

July 7, 2013

AGENDA

Background

Introduction

Importance of Secure Development of Code

Key Coding Principles

Secure Code Analysis

Conclusion

WHAT IS YOUR MOST IMPORTANT ASSET?

THE BEST DEFENSE IS A GOOD OFFENSE

Strong code does not appear by accident: to produce it, the company must develop with secure coding practices in mind from the start.

WHAT IS SOFTWARE?

Software is described as the operating systems, application programs and data used by products containing microprocessors.

WHAT IS SOURCE CODE?

Source code is defined as the version of the software written by the developer in plain text (i.e. human-readable alphanumeric characters).

WHAT IS A PROGRAMMING LANGUAGE?

In order to write source code, a programming language must be selected from the large pool of available languages. A few common programming languages are JavaScript, Python, C, C++, Visual Basic and Perl.

IMPORTANCE OF SECURE DEVELOPMENT OF CODE

AVAILABILITY

INTEGRITY

PRIVACY / CONFIDENTIALITY

ECONOMIC IMPACTS

COMMON CODING ERRORS

SQL Injection

Buffer Overflow

Race Conditions

COMMON CODING ERRORS – SQL INJECTION

Untrusted input is concatenated into a SQL query string, so the input is interpreted as part of the query

The intruder can gain unauthorized access to the database

The intruder can read and modify data

Integrity, confidentiality and privacy are compromised
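The following is an added example, not code from the slides: a login lookup written twice against an in-memory SQLite table with constructed sample users. The first version builds the query by string concatenation and accepts a tautology payload in the password field; the second uses a parameterized query, so the same payload is just a password that matches nothing. The table, user names and payload are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original slides).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """In-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Builds the SQL by concatenation: whatever the caller types becomes query syntax."""
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """Parameterized query: the values travel separately from the SQL text, so quotes
    and keywords in the input are compared as data, never parsed as syntax."""
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] if row else None


# Classic tautology payload: closes the string literal and appends an always-true clause,
# turning the WHERE clause into (name = 'alice' AND password = '') OR '1'='1'.
PAYLOAD = "' OR '1'='1"


def demo():
    """Run both versions with a real password and with the payload."""
    conn = make_db()
    try:
        return {
            "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
            "legit_safe": login_safe(conn, "alice", "s3cret"),
            # No valid password, yet the concatenated version returns a user.
            "attack_vulnerable": login_vulnerable(conn, "alice", PAYLOAD),
            # The parameterized version looks for a password literally equal to the payload.
            "attack_safe": login_safe(conn, "alice", PAYLOAD),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print(demo())
```

The fix is not escaping quotes by hand: it is keeping the SQL text constant and letting the driver bind the values, which is what the `?` placeholders do.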

COMMON CODING ERRORS – BUFFER OVERFLOW

Data written past the end of a fixed-size buffer overwrites adjacent memory; typical of memory-unsafe languages such as C and C++

The attacker can crash the program

The attacker can inject and execute their own code within the program

Availability, integrity, privacy and confidentiality are compromised

COMMON CODING ERRORS – RACE CONDITIONS

The outcome depends on the timing of concurrent operations; the classic case is a check followed by an action that trusts the check (time-of-check to time-of-use)

An attacker who acts inside that window can interfere with the normal execution of the program, e.g. by swapping in a different file or inserting malicious code between the check and the use

The attacker can also exhaust the computer's resources by forcing the race repeatedly

Availability and confidentiality (and, where the race reaches a write, integrity) are compromised
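An added example of the time-of-check to time-of-use race, not taken from the slides: a routine that checks whether a file exists and then creates it, with a hook standing in for the attacker's process running between the two steps. The attacker plants a symlink in that window, so the write lands on a file the attacker chose. The hardened version has no separate check: it asks the OS for an exclusive create in one call, which fails if anything is already at the path. The file names and the attacker hook are constructed for the demonstration and are run in a temporary directory.

```python
import os
import tempfile


def write_secret_racy(path, attacker_turn=lambda: None):
    """Check-then-act: the existence check and the open are two separate steps.
    attacker_turn stands in for another process that gets scheduled between them."""
    if os.path.exists(path):                     # time of check
        raise FileExistsError(path)
    attacker_turn()                              # the race window
    with open(path, "w") as f:                   # time of use: open() follows symlinks
        f.write("secret")


def write_secret_safe(path, attacker_turn=lambda: None):
    """Single atomic create: O_CREAT|O_EXCL fails if anything already exists at path
    (a symlink included) and O_NOFOLLOW refuses to follow one. There is no window,
    because the check and the create are the same system call."""
    attacker_turn()                              # attacker acts first; it does not help
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("secret")


def demo():
    """Returns (victim_file_overwritten_by_racy_version, safe_version_refused)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "output.txt")         # where the program means to write
        victim = os.path.join(d, "victim.txt")       # where the attacker wants the write

        def attacker():
            # Plant a symlink at the checked path, pointing at the victim file.
            os.symlink(victim, path)

        write_secret_racy(path, attacker)
        victim_hit = os.path.isfile(victim)
        if victim_hit:
            with open(victim) as f:
                victim_hit = f.read() == "secret"

        os.remove(path)                              # remove the planted symlink
        try:
            write_secret_safe(path, attacker)
            refused = False
        except FileExistsError:
            refused = True
        return victim_hit, refused


if __name__ == "__main__":
    print(demo())   # expected: (True, True)
```

The general rule the example illustrates: do not check a condition and then act on it as two operations on shared state; ask the system for the atomic operation that only succeeds when the condition holds.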

KEY CODING PRINCIPLES

Least Privilege

Keep it Simple

Validate Input

Practice defense in depth

KEY CODING PRINCIPLES – LEAST PRIVILEGE

"Need-to-know" principle: each user and each component gets only the access its task requires

Access should be restricted by default

High clearance should be allowed only for a limited time

Reduces the impact an attacker can have and reduces the possibility of attacks
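An added example, not from the slides, of least privilege applied to a database connection. A reporting component that only ever reads is given a read-only SQLite handle (SQLite's URI filename with `mode=ro`); a bug or an injected query that tries to write is refused by the engine, so the damage such a flaw can do is capped. The accounts table and its row are constructed sample data, and the file is created in a temporary directory.

```python
import os
import sqlite3
import tempfile


def create_bank_db(path):
    """Constructed sample database: one accounts table with a single row."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE accounts (owner TEXT PRIMARY KEY, balance INTEGER)")
    conn.execute("INSERT INTO accounts VALUES ('alice', 100)")
    conn.commit()
    conn.close()


def connect_reporting(path):
    """The reporting component only reads, so it gets a read-only handle.
    With mode=ro every write is rejected by SQLite itself, not by application code."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def total_balance(conn):
    return conn.execute("SELECT SUM(balance) FROM accounts").fetchone()[0]


def attempt_tamper(conn):
    """What a bug (or an injected statement) in the reporting code might try.
    Returns True if the database refused the write."""
    try:
        conn.execute("UPDATE accounts SET balance = 0")
        conn.commit()
        return False
    except sqlite3.OperationalError:       # "attempt to write a readonly database"
        return True


def demo():
    """Returns (total before, write refused?, total after)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "bank.db")
        create_bank_db(path)
        conn = connect_reporting(path)
        try:
            return total_balance(conn), attempt_tamper(conn), total_balance(conn)
        finally:
            conn.close()


if __name__ == "__main__":
    print(demo())   # expected: (100, True, 100)
```

The same idea carries over to a real database server: create a separate account per component with only the grants that component needs, rather than sharing one administrative login.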

KEY CODING PRINCIPLES – KEEP IT SIMPLE

Complex systems have more surface area for attack

Complexity creates errors

Complexity demands more resources

KEY CODING PRINCIPLES – VALIDATING INPUT

Input from external parties can be very dangerous and must be treated as untrusted

Every company should have a set of policies on handling input: accept only what is expected (type, length, character set) and canonicalize before checking

Reduced risk of malicious data causing damage
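An added example of the two validation habits above, not code from the slides: an allowlist check for a username (accept a known-good pattern rather than trying to enumerate bad characters) and a path check that canonicalizes first and compares second, so `..` segments and absolute paths cannot escape the directory a client is allowed to read. The pattern, the directory name and the sample inputs are assumptions chosen for the demonstration.

```python
import os
import re

# Allowlist: what a valid username looks like. Anything that does not match is rejected,
# instead of trying to list every dangerous character (a denylist always misses some).
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(value):
    """Return the username if it matches the allowlist, else raise ValueError."""
    if not isinstance(value, str):
        raise ValueError("username must be a string")
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("username has invalid characters or length")
    return value


def resolve_under(base_dir, user_path):
    """Canonicalize first, check second: a client-supplied path is accepted only if,
    after '..' and symlinks are resolved, it still lies inside base_dir."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if candidate != base and not candidate.startswith(base + os.sep):
        raise ValueError("path escapes the allowed directory")
    return candidate


def is_valid_username(value):
    try:
        validate_username(value)
        return True
    except ValueError:
        return False


def stays_inside(base_dir, user_path):
    try:
        resolve_under(base_dir, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ("alice_01", "alice' OR '1'='1", "../etc/passwd"):
        print(repr(name), is_valid_username(name))
    for p in ("reports/q1.csv", "../../etc/passwd", "/etc/passwd"):
        print(repr(p), stays_inside("/srv/uploads", p))
```

Validation is a first line, not the only one: the username check keeps SQL metacharacters out, but the query that uses the name should still be parameterized.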

KEY CODING PRINCIPLES – DEFENSE IN DEPTH

A good system should have multiple layers of security

More layers of security means more trouble for an attacker

Helps mitigate insecure coding issues: a coding error in one layer is not automatically a compromise of the whole system

SECURE CODE ANALYSIS

Manual Code Review

Penetration Testing

Static Analysis

Dynamic Analysis

SECURE CODE ANALYSIS – MANUAL CODE REVIEW

Software designers and programmers examine the source code for quality and security defects

Expensive and labor-intensive, but highly effective

More than 75% of faults are found through this method

SECURE CODE ANALYSIS – PENETRATION TESTING

Overt penetration testing has the pseudo-attacker working with the organization

Covert penetration testing is a simulated attack without the knowledge of most of the organization

Overt testing is effective for finding faults but ineffective at testing incident response and attack detection

Covert testing does test the organization's ability to respond to attacks, but is very time-consuming and costly

White box testing gives the pseudo-attacker full access to the organization's structure and defenses

It is cost-effective but less like real life

Black box testing gives the pseudo-attacker little to no information

It simulates real life well but is very costly

SECURE CODE ANALYSIS – STATIC ANALYSIS

Tools examine the program without executing it: normally the source code, sometimes the compiled binary

Covers a wide scope, but is not user-friendly and produces many false positives that a human must triage
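An added example of what a small static check looks like, not a tool from the slides: it parses Python source with the standard `ast` module and reports every `.execute(...)` call whose SQL argument is assembled at run time (f-string, `%`, `.format`, or `+`), the pattern behind the SQL injection slide. The sample under test is constructed here. Its last line is deliberately a concatenation of two constants, which the check still flags: that is the kind of false positive the slide warns about, and why findings need a human reviewer.

```python
import ast


def _is_dynamic_string(node):
    """True if the expression builds a string at run time: f"...", "..." % x,
    "...".format(x) or "..." + x. Constant-only operands are not distinguished."""
    if isinstance(node, ast.JoinedStr):                               # f"..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True                                                    # % and +
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                                                    # .format()
    return False


def find_dynamic_sql(source):
    """Return the line numbers of *.execute(...) / *.executemany(...) calls whose
    first argument is built dynamically. Constant SQL plus a separate parameter
    tuple (the parameterized form) is not reported."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany") and node.args):
            if _is_dynamic_string(node.args[0]):
                findings.append(node.lineno)
    return sorted(findings)


# Constructed sample to scan (not code from the slides). Line 1 is the blank line
# after the opening quotes, so the def is line 2 and the first execute is line 3.
SAMPLE = '''
def lookup(conn, name):
    conn.execute("SELECT * FROM users WHERE name = '" + name + "'")   # injectable
    conn.execute(f"SELECT * FROM users WHERE name = '{name}'")          # injectable
    conn.execute("SELECT * FROM users WHERE name = ?", (name,))         # parameterized
    conn.execute("SELECT * FROM " + "users")                            # constants only
'''


if __name__ == "__main__":
    print(find_dynamic_sql(SAMPLE))   # expected: [3, 4, 6]; 6 is the false positive
```

A production analyzer would add data-flow tracking (is any operand of the `+` actually attacker-controlled?) to cut the false positives; even so, the output is a list of places to look, not a verdict.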

SECURE CODE ANALYSIS – DYNAMIC ANALYSIS

Analyzes the program's behavior while it is running

Precise and valid results, but only for the code paths that the test inputs actually exercise

CONCLUSION

Importance of source code and secure development

Common coding errors

Key coding principles

Secure code analysis


Page 2: Secure development of code

AGENDA

Background

Introduction

Importance of Secure Development of Code

Key Coding Principles

Secure Code Analysis

Conclusion

WHAT IS YOUR MOST IMPORTANT ASSET

THE BEST DEFENSE IS A GOOD OFFENSE

In order to implement such

strong code the company must

develop with secure coding

practices in mind

WHAT IS SOFTWARE

Software is described as operating systems application programs and

data that is used by products containing microprocessors

WHAT IS SOURCE CODE

Source code is defined as a version of software written by the developer in plain text (ie human readable alphanumeric characters)

WHAT IS PROGRAMMING LANGUAGE

In order to write source code a

programming language must be selected

from a large pool of available

programming languages A few common

programming languages are

JavaScript Python C C++ Visual

Basic and Perl

CODE ANALYSIS

KEY CODING PRINCIPLES

IMPORTANCE OF SECURE DEVELOPMENT OF CODE

AVAILABILITY

INTEGRITY

PRIVACYCONFIDENTIALITY

ECONOMIC IMPACTS

COMMON CODING ERRORS

SQL Injection

Buffer Overflow

Race Conditions

COMMON CODING ERRORS ndash SQL INJECTION

Intruder can gain unauthorized access to database

Intruder can read and modify data

Integrity confidentiality and privacy compromised

COMMON CODING ERRORS ndash BUFFER OVERFLOW

Attacker can crash the program

Attacker can inject his own code

into the program

Availability integrity privacy and

confidentiality compromised

COMMON CODING ERRORS ndash RACE CONDITIONS

Attacker can insert malicious code

and interfere with the normal

execution of the program

Attacker can exhaust the

computerrsquos resources

Availability and confidentiality

compromised

KEY CODING PRINCIPLES

Least Privilege

Keep it Simple

Validate Input

Practice defense in Depth

ldquoNeed-to knowrdquo principle

Access should be restricted

High clearance should be allowed only for a limited time

Reduces the impact an attacker can have and reduces the possibility

of attacks

KEY CODING PRINCIPLES ndash LEAST PRIVILEGE

Complex systems have more surface

area for attack

Complexity creates errors

Complexity demands more resources

KEY CODING PRINCIPLES ndash KEEP IT SIMPLE

Input from external parties can be very dangerous

Every company should have a set of policies on handling input

Reduced risk of malicious data causing damage

KEY CODING PRINCIPLES ndash VALIDATING INPUT

A good system should have multiple

layers of security

More layers of security means more

trouble for an attacker

Helps mitigate insecure coding issues

KEY CODING PRINCIPLES ndashDEFENSE IN DEPTH

Manual Code Review

Penetration Testing

Static Analysis

Dynamic Analysis

SECURE CODE ANALYSIS

Software designers and programmers examine source code quality

Expensive labor intensive and highly effective

More than 75 of faults are found through this method

SECURE CODE ANALYSIS ndash MANUAL CODE REVIEW

Overt penetration testing has the pseudo-attacker working with the organization

Covert penetration testing is a simulated attackwithout the knowledge of most of theorganization

Overt testing is effective for finding faults butineffective at testing incident response andattack detection

Covert testing does test the organizations ability to respond to attacks but is very time consuming and costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

White box testing gives the pseudo-

attacker full access to the organizations

structure and defenses

It is cost effective and less like real life

Black box testing gives the pseudo-

attacker little to no information

It simulates real life well but is very costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

A tool meant for analyzing the

executable program rather than the

source code

Covers a wide scope not user-

friendly many false positives

SECURE CODE ANALYSIS ndash STATIC ANALYSIS

Analyzes the program behavior

while it is running

Precise and valid results

SECURE CODE ANALYSIS ndash DYNAMIC ANALYSIS

CONCLUSION

Importance of source code and secure development

Common coding errors

Key coding principles

Secure code analysis

REFERENCES FOR PICTURES

httpavi72livejournalcom3018html

httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp

httpchem-manufacturingcomprogram

httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml

httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos

httpcyrilwangpixnetnetblogpost32220475-5BE68A80E8A193E58886E4BAAB5D-E794A8E4BA86E58F83E695B8E58C96E69FA5E8A9A2E5B0B1E58FAFE4BBA5E5B08D-sql-injecti

httpwwwdanmcinfohigh-availability

httpwwwdreamworldprojectinfouncategorizedtypes-of-computer-software

httpeasysolution4youblogspotca201305insall-turbocpp-onwindows8-fullscreenhtml

httpwwwehackingnewscomsearchlabelReverse20Engineering

httpsenwikipediaorgwikiFileVisualBasicLogogif

httpenwikipediaorgwikiOperation_Aurora

httpes123rfcomphoto_5980477_letras-del-teclado-de-la-computadora-alrededor-de-la-integridad-de-la-palabrahtml

httpevos4rdwordpresscomauthorevos4rdpage2

httpswwwfacebookcompenetretiontestingblogger

httpwwwflickrcomphotoshelloimchloe5620821061

httpwwwflickrcomphotossebastian_bergmann3991540987

httpgeniuscountrycomassets2011i-just-want-to-say-one-word-to-you-data

httpiappsoftscomamrutvahini-institute-of-management-and-business-administrationhtml

httpinfocenterarmcomhelpindexjsptopic=comarmdocdui0414ckRP_code_view_The_disassembly_viewhtml

httpwwwinformitcomstoresecure-coding-in-c-and-c-plus-plus-9780321335722

httpwwwinnovategycomhtmlstrategieworkshophtml

httpwwwisacaorgJournalPast-Issues2008Volume-3PagesJOnline-Role-Engineering-The-Cornerstone-of-RBAC1aspx

httpjavakenai-devcognisyncnetpubatoday20060817code-reviewshtml

httpwwwkinokuniyacojpfdsg-02-9780071626750

httplurkerfaqscomboards8-gamefaqs-contests60380480

httpmadchuckleblogspotca201004just-what-is-python-my-initial-thoughtshtml

httpwwwmaxitcomauportfolio-viewcustom-software-design-architecture-3

httpwwwmindfiresolutionscomperl-developmenthtm

httpwwwmyotherpcisacloudcompage=11

httpwwwphidgetscomdocsLanguage_-_CC++

httprebootblueprintcom7-healthy-no-fap-replacement-habits

httpwwwronpaulforumscomshowthreadphp331019-Supervoter-Bomb-envelope-design-need-input

httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia

httpwwwsecurecodingorg

httpwwwselectinternetcoukhtmlbackuphtml

httpseravofi2013javascript-the-winning-style

httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml

httpsoftbukarusoftscreens-IDA-Prohtml

httpwwwsoftwaresecuritysolutionscomlayered-securityhtml

httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions

httpturbotoddwordpresscom201303

httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01

httpxkcdcom327

httpzheronelitwordpresscomcategoryc-source-codes

Page 3: Secure development of code

WHAT IS YOUR MOST IMPORTANT ASSET

THE BEST DEFENSE IS A GOOD OFFENSE

In order to implement such

strong code the company must

develop with secure coding

practices in mind

WHAT IS SOFTWARE

Software is described as operating systems application programs and

data that is used by products containing microprocessors

WHAT IS SOURCE CODE

Source code is defined as a version of software written by the developer in plain text (ie human readable alphanumeric characters)

WHAT IS PROGRAMMING LANGUAGE

In order to write source code a

programming language must be selected

from a large pool of available

programming languages A few common

programming languages are

JavaScript Python C C++ Visual

Basic and Perl

CODE ANALYSIS

KEY CODING PRINCIPLES

IMPORTANCE OF SECURE DEVELOPMENT OF CODE

AVAILABILITY

INTEGRITY

PRIVACYCONFIDENTIALITY

ECONOMIC IMPACTS

COMMON CODING ERRORS

SQL Injection

Buffer Overflow

Race Conditions

COMMON CODING ERRORS ndash SQL INJECTION

Intruder can gain unauthorized access to database

Intruder can read and modify data

Integrity confidentiality and privacy compromised

COMMON CODING ERRORS ndash BUFFER OVERFLOW

Attacker can crash the program

Attacker can inject his own code

into the program

Availability integrity privacy and

confidentiality compromised

COMMON CODING ERRORS ndash RACE CONDITIONS

Attacker can insert malicious code

and interfere with the normal

execution of the program

Attacker can exhaust the

computerrsquos resources

Availability and confidentiality

compromised

KEY CODING PRINCIPLES

Least Privilege

Keep it Simple

Validate Input

Practice defense in Depth

ldquoNeed-to knowrdquo principle

Access should be restricted

High clearance should be allowed only for a limited time

Reduces the impact an attacker can have and reduces the possibility

of attacks

KEY CODING PRINCIPLES ndash LEAST PRIVILEGE

Complex systems have more surface

area for attack

Complexity creates errors

Complexity demands more resources

KEY CODING PRINCIPLES ndash KEEP IT SIMPLE

Input from external parties can be very dangerous

Every company should have a set of policies on handling input

Reduced risk of malicious data causing damage

KEY CODING PRINCIPLES ndash VALIDATING INPUT

A good system should have multiple

layers of security

More layers of security means more

trouble for an attacker

Helps mitigate insecure coding issues

KEY CODING PRINCIPLES ndashDEFENSE IN DEPTH

Manual Code Review

Penetration Testing

Static Analysis

Dynamic Analysis

SECURE CODE ANALYSIS

Software designers and programmers examine source code quality

Expensive labor intensive and highly effective

More than 75 of faults are found through this method

SECURE CODE ANALYSIS ndash MANUAL CODE REVIEW

Overt penetration testing has the pseudo-attacker working with the organization

Covert penetration testing is a simulated attackwithout the knowledge of most of theorganization

Overt testing is effective for finding faults butineffective at testing incident response andattack detection

Covert testing does test the organizations ability to respond to attacks but is very time consuming and costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

White box testing gives the pseudo-

attacker full access to the organizations

structure and defenses

It is cost effective and less like real life

Black box testing gives the pseudo-

attacker little to no information

It simulates real life well but is very costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

A tool meant for analyzing the

executable program rather than the

source code

Covers a wide scope not user-

friendly many false positives

SECURE CODE ANALYSIS ndash STATIC ANALYSIS

Analyzes the program behavior

while it is running

Precise and valid results

SECURE CODE ANALYSIS ndash DYNAMIC ANALYSIS

CONCLUSION

Importance of source code and secure development

Common coding errors

Key coding principles

Secure code analysis

REFERENCES FOR PICTURES

httpavi72livejournalcom3018html

httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp

httpchem-manufacturingcomprogram

httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml

httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos

httpcyrilwangpixnetnetblogpost32220475-5BE68A80E8A193E58886E4BAAB5D-E794A8E4BA86E58F83E695B8E58C96E69FA5E8A9A2E5B0B1E58FAFE4BBA5E5B08D-sql-injecti

httpwwwdanmcinfohigh-availability

httpwwwdreamworldprojectinfouncategorizedtypes-of-computer-software

httpeasysolution4youblogspotca201305insall-turbocpp-onwindows8-fullscreenhtml

httpwwwehackingnewscomsearchlabelReverse20Engineering

httpsenwikipediaorgwikiFileVisualBasicLogogif

httpenwikipediaorgwikiOperation_Aurora

httpes123rfcomphoto_5980477_letras-del-teclado-de-la-computadora-alrededor-de-la-integridad-de-la-palabrahtml

httpevos4rdwordpresscomauthorevos4rdpage2

httpswwwfacebookcompenetretiontestingblogger

httpwwwflickrcomphotoshelloimchloe5620821061

httpwwwflickrcomphotossebastian_bergmann3991540987

httpgeniuscountrycomassets2011i-just-want-to-say-one-word-to-you-data

httpiappsoftscomamrutvahini-institute-of-management-and-business-administrationhtml

httpinfocenterarmcomhelpindexjsptopic=comarmdocdui0414ckRP_code_view_The_disassembly_viewhtml

httpwwwinformitcomstoresecure-coding-in-c-and-c-plus-plus-9780321335722

httpwwwinnovategycomhtmlstrategieworkshophtml

httpwwwisacaorgJournalPast-Issues2008Volume-3PagesJOnline-Role-Engineering-The-Cornerstone-of-RBAC1aspx

httpjavakenai-devcognisyncnetpubatoday20060817code-reviewshtml

httpwwwkinokuniyacojpfdsg-02-9780071626750

httplurkerfaqscomboards8-gamefaqs-contests60380480

httpmadchuckleblogspotca201004just-what-is-python-my-initial-thoughtshtml

httpwwwmaxitcomauportfolio-viewcustom-software-design-architecture-3

httpwwwmindfiresolutionscomperl-developmenthtm

httpwwwmyotherpcisacloudcompage=11

httpwwwphidgetscomdocsLanguage_-_CC++

httprebootblueprintcom7-healthy-no-fap-replacement-habits

httpwwwronpaulforumscomshowthreadphp331019-Supervoter-Bomb-envelope-design-need-input

httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia

httpwwwsecurecodingorg

httpwwwselectinternetcoukhtmlbackuphtml

httpseravofi2013javascript-the-winning-style

httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml

httpsoftbukarusoftscreens-IDA-Prohtml

httpwwwsoftwaresecuritysolutionscomlayered-securityhtml

httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions

httpturbotoddwordpresscom201303

httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01

httpxkcdcom327

httpzheronelitwordpresscomcategoryc-source-codes

Page 4: Secure development of code

THE BEST DEFENSE IS A GOOD OFFENSE

In order to implement such

strong code the company must

develop with secure coding

practices in mind

WHAT IS SOFTWARE

Software is described as operating systems application programs and

data that is used by products containing microprocessors

WHAT IS SOURCE CODE

Source code is defined as a version of software written by the developer in plain text (ie human readable alphanumeric characters)

WHAT IS PROGRAMMING LANGUAGE

In order to write source code a

programming language must be selected

from a large pool of available

programming languages A few common

programming languages are

JavaScript Python C C++ Visual

Basic and Perl

CODE ANALYSIS

KEY CODING PRINCIPLES

IMPORTANCE OF SECURE DEVELOPMENT OF CODE

AVAILABILITY

INTEGRITY

PRIVACYCONFIDENTIALITY

ECONOMIC IMPACTS

COMMON CODING ERRORS

SQL Injection

Buffer Overflow

Race Conditions

COMMON CODING ERRORS ndash SQL INJECTION

Intruder can gain unauthorized access to database

Intruder can read and modify data

Integrity confidentiality and privacy compromised

COMMON CODING ERRORS ndash BUFFER OVERFLOW

Attacker can crash the program

Attacker can inject his own code

into the program

Availability integrity privacy and

confidentiality compromised

COMMON CODING ERRORS ndash RACE CONDITIONS

Attacker can insert malicious code

and interfere with the normal

execution of the program

Attacker can exhaust the

computerrsquos resources

Availability and confidentiality

compromised

KEY CODING PRINCIPLES

Least Privilege

Keep it Simple

Validate Input

Practice defense in Depth

ldquoNeed-to knowrdquo principle

Access should be restricted

High clearance should be allowed only for a limited time

Reduces the impact an attacker can have and reduces the possibility

of attacks

KEY CODING PRINCIPLES ndash LEAST PRIVILEGE

Complex systems have more surface

area for attack

Complexity creates errors

Complexity demands more resources

KEY CODING PRINCIPLES ndash KEEP IT SIMPLE

Input from external parties can be very dangerous

Every company should have a set of policies on handling input

Reduced risk of malicious data causing damage

KEY CODING PRINCIPLES ndash VALIDATING INPUT

A good system should have multiple

layers of security

More layers of security means more

trouble for an attacker

Helps mitigate insecure coding issues

KEY CODING PRINCIPLES ndashDEFENSE IN DEPTH

Manual Code Review

Penetration Testing

Static Analysis

Dynamic Analysis

SECURE CODE ANALYSIS

Software designers and programmers examine source code quality

Expensive labor intensive and highly effective

More than 75 of faults are found through this method

SECURE CODE ANALYSIS ndash MANUAL CODE REVIEW

Overt penetration testing has the pseudo-attacker working with the organization

Covert penetration testing is a simulated attackwithout the knowledge of most of theorganization

Overt testing is effective for finding faults butineffective at testing incident response andattack detection

Covert testing does test the organizations ability to respond to attacks but is very time consuming and costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

White box testing gives the pseudo-

attacker full access to the organizations

structure and defenses

It is cost effective and less like real life

Black box testing gives the pseudo-

attacker little to no information

It simulates real life well but is very costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

A tool meant for analyzing the

executable program rather than the

source code

Covers a wide scope not user-

friendly many false positives

SECURE CODE ANALYSIS ndash STATIC ANALYSIS

Analyzes the program behavior

while it is running

Precise and valid results

SECURE CODE ANALYSIS ndash DYNAMIC ANALYSIS

CONCLUSION

Importance of source code and secure development

Common coding errors

Key coding principles

Secure code analysis

REFERENCES FOR PICTURES

httpavi72livejournalcom3018html

httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp

httpchem-manufacturingcomprogram

httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml

httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos

httpcyrilwangpixnetnetblogpost32220475-5BE68A80E8A193E58886E4BAAB5D-E794A8E4BA86E58F83E695B8E58C96E69FA5E8A9A2E5B0B1E58FAFE4BBA5E5B08D-sql-injecti

httpwwwdanmcinfohigh-availability

httpwwwdreamworldprojectinfouncategorizedtypes-of-computer-software

httpeasysolution4youblogspotca201305insall-turbocpp-onwindows8-fullscreenhtml

httpwwwehackingnewscomsearchlabelReverse20Engineering

httpsenwikipediaorgwikiFileVisualBasicLogogif

httpenwikipediaorgwikiOperation_Aurora

httpes123rfcomphoto_5980477_letras-del-teclado-de-la-computadora-alrededor-de-la-integridad-de-la-palabrahtml

httpevos4rdwordpresscomauthorevos4rdpage2

httpswwwfacebookcompenetretiontestingblogger

httpwwwflickrcomphotoshelloimchloe5620821061

httpwwwflickrcomphotossebastian_bergmann3991540987

httpgeniuscountrycomassets2011i-just-want-to-say-one-word-to-you-data

httpiappsoftscomamrutvahini-institute-of-management-and-business-administrationhtml

httpinfocenterarmcomhelpindexjsptopic=comarmdocdui0414ckRP_code_view_The_disassembly_viewhtml

httpwwwinformitcomstoresecure-coding-in-c-and-c-plus-plus-9780321335722

httpwwwinnovategycomhtmlstrategieworkshophtml

httpwwwisacaorgJournalPast-Issues2008Volume-3PagesJOnline-Role-Engineering-The-Cornerstone-of-RBAC1aspx

httpjavakenai-devcognisyncnetpubatoday20060817code-reviewshtml

httpwwwkinokuniyacojpfdsg-02-9780071626750

httplurkerfaqscomboards8-gamefaqs-contests60380480

httpmadchuckleblogspotca201004just-what-is-python-my-initial-thoughtshtml

httpwwwmaxitcomauportfolio-viewcustom-software-design-architecture-3

httpwwwmindfiresolutionscomperl-developmenthtm

httpwwwmyotherpcisacloudcompage=11

httpwwwphidgetscomdocsLanguage_-_CC++

httprebootblueprintcom7-healthy-no-fap-replacement-habits

httpwwwronpaulforumscomshowthreadphp331019-Supervoter-Bomb-envelope-design-need-input

httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia

httpwwwsecurecodingorg

httpwwwselectinternetcoukhtmlbackuphtml

httpseravofi2013javascript-the-winning-style

httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml

httpsoftbukarusoftscreens-IDA-Prohtml

httpwwwsoftwaresecuritysolutionscomlayered-securityhtml

httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions

httpturbotoddwordpresscom201303

httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01

httpxkcdcom327

httpzheronelitwordpresscomcategoryc-source-codes

Page 5: Secure development of code

WHAT IS SOFTWARE

Software is described as operating systems application programs and

data that is used by products containing microprocessors

WHAT IS SOURCE CODE

Source code is defined as a version of software written by the developer in plain text (ie human readable alphanumeric characters)

WHAT IS PROGRAMMING LANGUAGE

In order to write source code a

programming language must be selected

from a large pool of available

programming languages A few common

programming languages are

JavaScript Python C C++ Visual

Basic and Perl

CODE ANALYSIS

KEY CODING PRINCIPLES

IMPORTANCE OF SECURE DEVELOPMENT OF CODE

AVAILABILITY

INTEGRITY

PRIVACYCONFIDENTIALITY

ECONOMIC IMPACTS

COMMON CODING ERRORS

SQL Injection

Buffer Overflow

Race Conditions

COMMON CODING ERRORS ndash SQL INJECTION

Intruder can gain unauthorized access to database

Intruder can read and modify data

Integrity confidentiality and privacy compromised

COMMON CODING ERRORS ndash BUFFER OVERFLOW

Attacker can crash the program

Attacker can inject his own code

into the program

Availability integrity privacy and

confidentiality compromised

COMMON CODING ERRORS ndash RACE CONDITIONS

Attacker can insert malicious code

and interfere with the normal

execution of the program

Attacker can exhaust the

computerrsquos resources

Availability and confidentiality

compromised

KEY CODING PRINCIPLES

Least Privilege

Keep it Simple

Validate Input

Practice defense in Depth

ldquoNeed-to knowrdquo principle

Access should be restricted

High clearance should be allowed only for a limited time

Reduces the impact an attacker can have and reduces the possibility

of attacks

KEY CODING PRINCIPLES ndash LEAST PRIVILEGE

Complex systems have more surface

area for attack

Complexity creates errors

Complexity demands more resources

KEY CODING PRINCIPLES ndash KEEP IT SIMPLE

Input from external parties can be very dangerous

Every company should have a set of policies on handling input

Reduced risk of malicious data causing damage

KEY CODING PRINCIPLES ndash VALIDATING INPUT

A good system should have multiple

layers of security

More layers of security means more

trouble for an attacker

Helps mitigate insecure coding issues

KEY CODING PRINCIPLES ndashDEFENSE IN DEPTH

Manual Code Review

Penetration Testing

Static Analysis

Dynamic Analysis

SECURE CODE ANALYSIS

Software designers and programmers examine source code quality

Expensive labor intensive and highly effective

More than 75 of faults are found through this method

SECURE CODE ANALYSIS ndash MANUAL CODE REVIEW

Overt penetration testing has the pseudo-attacker working with the organization

Covert penetration testing is a simulated attackwithout the knowledge of most of theorganization

Overt testing is effective for finding faults butineffective at testing incident response andattack detection

Covert testing does test the organizations ability to respond to attacks but is very time consuming and costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

White box testing gives the pseudo-

attacker full access to the organizations

structure and defenses

It is cost effective and less like real life

Black box testing gives the pseudo-

attacker little to no information

It simulates real life well but is very costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

A tool meant for analyzing the

executable program rather than the

source code

Covers a wide scope not user-

friendly many false positives

SECURE CODE ANALYSIS ndash STATIC ANALYSIS

Analyzes the program behavior

while it is running

Precise and valid results

SECURE CODE ANALYSIS ndash DYNAMIC ANALYSIS

CONCLUSION

Importance of source code and secure development

Common coding errors

Key coding principles

Secure code analysis


Page 6: Secure development of code

WHAT IS SOURCE CODE

Source code is defined as a version of software written by the developer in plain text (ie human readable alphanumeric characters)

WHAT IS PROGRAMMING LANGUAGE

In order to write source code a

programming language must be selected

from a large pool of available

programming languages A few common

programming languages are

JavaScript Python C C++ Visual

Basic and Perl

CODE ANALYSIS

KEY CODING PRINCIPLES

IMPORTANCE OF SECURE DEVELOPMENT OF CODE

AVAILABILITY

INTEGRITY

PRIVACYCONFIDENTIALITY

ECONOMIC IMPACTS

COMMON CODING ERRORS

SQL Injection

Buffer Overflow

Race Conditions

COMMON CODING ERRORS ndash SQL INJECTION

Intruder can gain unauthorized access to database

Intruder can read and modify data

Integrity confidentiality and privacy compromised

COMMON CODING ERRORS ndash BUFFER OVERFLOW

Attacker can crash the program

Attacker can inject his own code

into the program

Availability integrity privacy and

confidentiality compromised

COMMON CODING ERRORS ndash RACE CONDITIONS

Attacker can insert malicious code

and interfere with the normal

execution of the program

Attacker can exhaust the

computerrsquos resources

Availability and confidentiality

compromised

KEY CODING PRINCIPLES

Least Privilege

Keep it Simple

Validate Input

Practice defense in Depth

ldquoNeed-to knowrdquo principle

Access should be restricted

High clearance should be allowed only for a limited time

Reduces the impact an attacker can have and reduces the possibility

of attacks

KEY CODING PRINCIPLES ndash LEAST PRIVILEGE

Complex systems have more surface

area for attack

Complexity creates errors

Complexity demands more resources

KEY CODING PRINCIPLES ndash KEEP IT SIMPLE

Input from external parties can be very dangerous

Every company should have a set of policies on handling input

Reduced risk of malicious data causing damage

KEY CODING PRINCIPLES ndash VALIDATING INPUT

A good system should have multiple

layers of security

More layers of security means more

trouble for an attacker

Helps mitigate insecure coding issues

KEY CODING PRINCIPLES ndashDEFENSE IN DEPTH

Manual Code Review

Penetration Testing

Static Analysis

Dynamic Analysis

SECURE CODE ANALYSIS

Software designers and programmers examine source code quality

Expensive labor intensive and highly effective

More than 75 of faults are found through this method

SECURE CODE ANALYSIS ndash MANUAL CODE REVIEW

Overt penetration testing has the pseudo-attacker working with the organization

Covert penetration testing is a simulated attackwithout the knowledge of most of theorganization

Overt testing is effective for finding faults butineffective at testing incident response andattack detection

Covert testing does test the organizations ability to respond to attacks but is very time consuming and costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

White box testing gives the pseudo-

attacker full access to the organizations

structure and defenses

It is cost effective and less like real life

Black box testing gives the pseudo-

attacker little to no information

It simulates real life well but is very costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

A tool meant for analyzing the

executable program rather than the

source code

Covers a wide scope not user-

friendly many false positives

SECURE CODE ANALYSIS ndash STATIC ANALYSIS

Analyzes the program behavior

while it is running

Precise and valid results

SECURE CODE ANALYSIS ndash DYNAMIC ANALYSIS

CONCLUSION

Importance of source code and secure development

Common coding errors

Key coding principles

Secure code analysis

REFERENCES FOR PICTURES

httpavi72livejournalcom3018html

httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp

httpchem-manufacturingcomprogram

httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml

httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos

httpcyrilwangpixnetnetblogpost32220475-5BE68A80E8A193E58886E4BAAB5D-E794A8E4BA86E58F83E695B8E58C96E69FA5E8A9A2E5B0B1E58FAFE4BBA5E5B08D-sql-injecti

httpwwwdanmcinfohigh-availability

httpwwwdreamworldprojectinfouncategorizedtypes-of-computer-software

httpeasysolution4youblogspotca201305insall-turbocpp-onwindows8-fullscreenhtml

httpwwwehackingnewscomsearchlabelReverse20Engineering

httpsenwikipediaorgwikiFileVisualBasicLogogif

httpenwikipediaorgwikiOperation_Aurora

httpes123rfcomphoto_5980477_letras-del-teclado-de-la-computadora-alrededor-de-la-integridad-de-la-palabrahtml

httpevos4rdwordpresscomauthorevos4rdpage2

httpswwwfacebookcompenetretiontestingblogger

httpwwwflickrcomphotoshelloimchloe5620821061

httpwwwflickrcomphotossebastian_bergmann3991540987

httpgeniuscountrycomassets2011i-just-want-to-say-one-word-to-you-data

httpiappsoftscomamrutvahini-institute-of-management-and-business-administrationhtml

httpinfocenterarmcomhelpindexjsptopic=comarmdocdui0414ckRP_code_view_The_disassembly_viewhtml

httpwwwinformitcomstoresecure-coding-in-c-and-c-plus-plus-9780321335722

httpwwwinnovategycomhtmlstrategieworkshophtml

httpwwwisacaorgJournalPast-Issues2008Volume-3PagesJOnline-Role-Engineering-The-Cornerstone-of-RBAC1aspx

httpjavakenai-devcognisyncnetpubatoday20060817code-reviewshtml

httpwwwkinokuniyacojpfdsg-02-9780071626750

httplurkerfaqscomboards8-gamefaqs-contests60380480

httpmadchuckleblogspotca201004just-what-is-python-my-initial-thoughtshtml

httpwwwmaxitcomauportfolio-viewcustom-software-design-architecture-3

httpwwwmindfiresolutionscomperl-developmenthtm

httpwwwmyotherpcisacloudcompage=11

httpwwwphidgetscomdocsLanguage_-_CC++

httprebootblueprintcom7-healthy-no-fap-replacement-habits

httpwwwronpaulforumscomshowthreadphp331019-Supervoter-Bomb-envelope-design-need-input

httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia

httpwwwsecurecodingorg

httpwwwselectinternetcoukhtmlbackuphtml

httpseravofi2013javascript-the-winning-style

httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml

httpsoftbukarusoftscreens-IDA-Prohtml

httpwwwsoftwaresecuritysolutionscomlayered-securityhtml

httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions

httpturbotoddwordpresscom201303

httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01

httpxkcdcom327

httpzheronelitwordpresscomcategoryc-source-codes

Page 7: Secure development of code

WHAT IS PROGRAMMING LANGUAGE

In order to write source code a

programming language must be selected

from a large pool of available

programming languages A few common

programming languages are

JavaScript Python C C++ Visual

Basic and Perl

CODE ANALYSIS

KEY CODING PRINCIPLES

IMPORTANCE OF SECURE DEVELOPMENT OF CODE

AVAILABILITY

INTEGRITY

PRIVACYCONFIDENTIALITY

ECONOMIC IMPACTS

COMMON CODING ERRORS

SQL Injection

Buffer Overflow

Race Conditions

COMMON CODING ERRORS ndash SQL INJECTION

Intruder can gain unauthorized access to database

Intruder can read and modify data

Integrity confidentiality and privacy compromised

COMMON CODING ERRORS ndash BUFFER OVERFLOW

Attacker can crash the program

Attacker can inject his own code

into the program

Availability integrity privacy and

confidentiality compromised

COMMON CODING ERRORS ndash RACE CONDITIONS

Attacker can insert malicious code

and interfere with the normal

execution of the program

Attacker can exhaust the

computerrsquos resources

Availability and confidentiality

compromised

KEY CODING PRINCIPLES

Least Privilege

Keep it Simple

Validate Input

Practice defense in Depth

ldquoNeed-to knowrdquo principle

Access should be restricted

High clearance should be allowed only for a limited time

Reduces the impact an attacker can have and reduces the possibility

of attacks

KEY CODING PRINCIPLES ndash LEAST PRIVILEGE

Complex systems have more surface

area for attack

Complexity creates errors

Complexity demands more resources

KEY CODING PRINCIPLES ndash KEEP IT SIMPLE

Input from external parties can be very dangerous

Every company should have a set of policies on handling input

Reduced risk of malicious data causing damage

KEY CODING PRINCIPLES ndash VALIDATING INPUT

A good system should have multiple

layers of security

More layers of security means more

trouble for an attacker

Helps mitigate insecure coding issues

KEY CODING PRINCIPLES ndashDEFENSE IN DEPTH

Manual Code Review

Penetration Testing

Static Analysis

Dynamic Analysis

SECURE CODE ANALYSIS

Software designers and programmers examine source code quality

Expensive labor intensive and highly effective

More than 75 of faults are found through this method

SECURE CODE ANALYSIS ndash MANUAL CODE REVIEW

Overt penetration testing has the pseudo-attacker working with the organization

Covert penetration testing is a simulated attackwithout the knowledge of most of theorganization

Overt testing is effective for finding faults butineffective at testing incident response andattack detection

Covert testing does test the organizations ability to respond to attacks but is very time consuming and costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

White box testing gives the pseudo-

attacker full access to the organizations

structure and defenses

It is cost effective and less like real life

Black box testing gives the pseudo-

attacker little to no information

It simulates real life well but is very costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

A tool meant for analyzing the

executable program rather than the

source code

Covers a wide scope not user-

friendly many false positives

SECURE CODE ANALYSIS ndash STATIC ANALYSIS

Analyzes the program behavior

while it is running

Precise and valid results

SECURE CODE ANALYSIS ndash DYNAMIC ANALYSIS

CONCLUSION

Importance of source code and secure development

Common coding errors

Key coding principles

Secure code analysis

REFERENCES FOR PICTURES

httpavi72livejournalcom3018html

httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp

httpchem-manufacturingcomprogram

httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml

httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos

httpcyrilwangpixnetnetblogpost32220475-5BE68A80E8A193E58886E4BAAB5D-E794A8E4BA86E58F83E695B8E58C96E69FA5E8A9A2E5B0B1E58FAFE4BBA5E5B08D-sql-injecti

httpwwwdanmcinfohigh-availability

httpwwwdreamworldprojectinfouncategorizedtypes-of-computer-software

httpeasysolution4youblogspotca201305insall-turbocpp-onwindows8-fullscreenhtml

httpwwwehackingnewscomsearchlabelReverse20Engineering

httpsenwikipediaorgwikiFileVisualBasicLogogif

httpenwikipediaorgwikiOperation_Aurora

httpes123rfcomphoto_5980477_letras-del-teclado-de-la-computadora-alrededor-de-la-integridad-de-la-palabrahtml

httpevos4rdwordpresscomauthorevos4rdpage2

httpswwwfacebookcompenetretiontestingblogger

httpwwwflickrcomphotoshelloimchloe5620821061

httpwwwflickrcomphotossebastian_bergmann3991540987

httpgeniuscountrycomassets2011i-just-want-to-say-one-word-to-you-data

httpiappsoftscomamrutvahini-institute-of-management-and-business-administrationhtml

httpinfocenterarmcomhelpindexjsptopic=comarmdocdui0414ckRP_code_view_The_disassembly_viewhtml

httpwwwinformitcomstoresecure-coding-in-c-and-c-plus-plus-9780321335722

httpwwwinnovategycomhtmlstrategieworkshophtml

httpwwwisacaorgJournalPast-Issues2008Volume-3PagesJOnline-Role-Engineering-The-Cornerstone-of-RBAC1aspx

httpjavakenai-devcognisyncnetpubatoday20060817code-reviewshtml

httpwwwkinokuniyacojpfdsg-02-9780071626750

httplurkerfaqscomboards8-gamefaqs-contests60380480

httpmadchuckleblogspotca201004just-what-is-python-my-initial-thoughtshtml

httpwwwmaxitcomauportfolio-viewcustom-software-design-architecture-3

httpwwwmindfiresolutionscomperl-developmenthtm

httpwwwmyotherpcisacloudcompage=11

httpwwwphidgetscomdocsLanguage_-_CC++

httprebootblueprintcom7-healthy-no-fap-replacement-habits

httpwwwronpaulforumscomshowthreadphp331019-Supervoter-Bomb-envelope-design-need-input

httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia

httpwwwsecurecodingorg

httpwwwselectinternetcoukhtmlbackuphtml

httpseravofi2013javascript-the-winning-style

httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml

httpsoftbukarusoftscreens-IDA-Prohtml

httpwwwsoftwaresecuritysolutionscomlayered-securityhtml

httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions

httpturbotoddwordpresscom201303

httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01

httpxkcdcom327

httpzheronelitwordpresscomcategoryc-source-codes

Page 8: Secure development of code

CODE ANALYSIS

KEY CODING PRINCIPLES

IMPORTANCE OF SECURE DEVELOPMENT OF CODE

AVAILABILITY

INTEGRITY

PRIVACYCONFIDENTIALITY

ECONOMIC IMPACTS

COMMON CODING ERRORS

SQL Injection

Buffer Overflow

Race Conditions

COMMON CODING ERRORS ndash SQL INJECTION

Intruder can gain unauthorized access to database

Intruder can read and modify data

Integrity confidentiality and privacy compromised

COMMON CODING ERRORS ndash BUFFER OVERFLOW

Attacker can crash the program

Attacker can inject his own code

into the program

Availability integrity privacy and

confidentiality compromised

COMMON CODING ERRORS ndash RACE CONDITIONS

Attacker can insert malicious code

and interfere with the normal

execution of the program

Attacker can exhaust the

computerrsquos resources

Availability and confidentiality

compromised

KEY CODING PRINCIPLES

Least Privilege

Keep it Simple

Validate Input

Practice defense in Depth

ldquoNeed-to knowrdquo principle

Access should be restricted

High clearance should be allowed only for a limited time

Reduces the impact an attacker can have and reduces the possibility

of attacks

KEY CODING PRINCIPLES ndash LEAST PRIVILEGE

Complex systems have more surface

area for attack

Complexity creates errors

Complexity demands more resources

KEY CODING PRINCIPLES ndash KEEP IT SIMPLE

Input from external parties can be very dangerous

Every company should have a set of policies on handling input

Reduced risk of malicious data causing damage

KEY CODING PRINCIPLES ndash VALIDATING INPUT

A good system should have multiple

layers of security

More layers of security means more

trouble for an attacker

Helps mitigate insecure coding issues

KEY CODING PRINCIPLES ndashDEFENSE IN DEPTH

Manual Code Review

Penetration Testing

Static Analysis

Dynamic Analysis

SECURE CODE ANALYSIS

Software designers and programmers examine source code quality

Expensive labor intensive and highly effective

More than 75 of faults are found through this method

SECURE CODE ANALYSIS ndash MANUAL CODE REVIEW

Overt penetration testing has the pseudo-attacker working with the organization

Covert penetration testing is a simulated attackwithout the knowledge of most of theorganization

Overt testing is effective for finding faults butineffective at testing incident response andattack detection

Covert testing does test the organizations ability to respond to attacks but is very time consuming and costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

White box testing gives the pseudo-

attacker full access to the organizations

structure and defenses

It is cost effective and less like real life

Black box testing gives the pseudo-

attacker little to no information

It simulates real life well but is very costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

A tool meant for analyzing the

executable program rather than the

source code

Covers a wide scope not user-

friendly many false positives

SECURE CODE ANALYSIS ndash STATIC ANALYSIS

Analyzes the program behavior

while it is running

Precise and valid results

SECURE CODE ANALYSIS ndash DYNAMIC ANALYSIS

CONCLUSION

Importance of source code and secure development

Common coding errors

Key coding principles

Secure code analysis

REFERENCES FOR PICTURES

httpavi72livejournalcom3018html

httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp

httpchem-manufacturingcomprogram

httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml

httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos

httpcyrilwangpixnetnetblogpost32220475-5BE68A80E8A193E58886E4BAAB5D-E794A8E4BA86E58F83E695B8E58C96E69FA5E8A9A2E5B0B1E58FAFE4BBA5E5B08D-sql-injecti

httpwwwdanmcinfohigh-availability

httpwwwdreamworldprojectinfouncategorizedtypes-of-computer-software

httpeasysolution4youblogspotca201305insall-turbocpp-onwindows8-fullscreenhtml

httpwwwehackingnewscomsearchlabelReverse20Engineering

httpsenwikipediaorgwikiFileVisualBasicLogogif

httpenwikipediaorgwikiOperation_Aurora

httpes123rfcomphoto_5980477_letras-del-teclado-de-la-computadora-alrededor-de-la-integridad-de-la-palabrahtml

httpevos4rdwordpresscomauthorevos4rdpage2

httpswwwfacebookcompenetretiontestingblogger

httpwwwflickrcomphotoshelloimchloe5620821061

httpwwwflickrcomphotossebastian_bergmann3991540987

httpgeniuscountrycomassets2011i-just-want-to-say-one-word-to-you-data

httpiappsoftscomamrutvahini-institute-of-management-and-business-administrationhtml

httpinfocenterarmcomhelpindexjsptopic=comarmdocdui0414ckRP_code_view_The_disassembly_viewhtml

httpwwwinformitcomstoresecure-coding-in-c-and-c-plus-plus-9780321335722

httpwwwinnovategycomhtmlstrategieworkshophtml

httpwwwisacaorgJournalPast-Issues2008Volume-3PagesJOnline-Role-Engineering-The-Cornerstone-of-RBAC1aspx

httpjavakenai-devcognisyncnetpubatoday20060817code-reviewshtml

httpwwwkinokuniyacojpfdsg-02-9780071626750

httplurkerfaqscomboards8-gamefaqs-contests60380480

httpmadchuckleblogspotca201004just-what-is-python-my-initial-thoughtshtml

httpwwwmaxitcomauportfolio-viewcustom-software-design-architecture-3

httpwwwmindfiresolutionscomperl-developmenthtm

httpwwwmyotherpcisacloudcompage=11

httpwwwphidgetscomdocsLanguage_-_CC++

httprebootblueprintcom7-healthy-no-fap-replacement-habits

httpwwwronpaulforumscomshowthreadphp331019-Supervoter-Bomb-envelope-design-need-input

httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia

httpwwwsecurecodingorg

httpwwwselectinternetcoukhtmlbackuphtml

httpseravofi2013javascript-the-winning-style

httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml

httpsoftbukarusoftscreens-IDA-Prohtml

httpwwwsoftwaresecuritysolutionscomlayered-securityhtml

httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions

httpturbotoddwordpresscom201303

httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01

httpxkcdcom327

httpzheronelitwordpresscomcategoryc-source-codes

Page 9: Secure development of code

IMPORTANCE OF SECURE DEVELOPMENT OF CODE

AVAILABILITY

INTEGRITY

PRIVACYCONFIDENTIALITY

ECONOMIC IMPACTS

COMMON CODING ERRORS

SQL Injection

Buffer Overflow

Race Conditions

COMMON CODING ERRORS ndash SQL INJECTION

Intruder can gain unauthorized access to database

Intruder can read and modify data

Integrity confidentiality and privacy compromised

COMMON CODING ERRORS ndash BUFFER OVERFLOW

Attacker can crash the program

Attacker can inject his own code

into the program

Availability integrity privacy and

confidentiality compromised

COMMON CODING ERRORS ndash RACE CONDITIONS

Attacker can insert malicious code

and interfere with the normal

execution of the program

Attacker can exhaust the

computerrsquos resources

Availability and confidentiality

compromised

KEY CODING PRINCIPLES

Least Privilege

Keep it Simple

Validate Input

Practice defense in Depth

ldquoNeed-to knowrdquo principle

Access should be restricted

High clearance should be allowed only for a limited time

Reduces the impact an attacker can have and reduces the possibility

of attacks

KEY CODING PRINCIPLES ndash LEAST PRIVILEGE

Complex systems have more surface

area for attack

Complexity creates errors

Complexity demands more resources

KEY CODING PRINCIPLES ndash KEEP IT SIMPLE

Input from external parties can be very dangerous

Every company should have a set of policies on handling input

Reduced risk of malicious data causing damage

KEY CODING PRINCIPLES ndash VALIDATING INPUT

A good system should have multiple

layers of security

More layers of security means more

trouble for an attacker

Helps mitigate insecure coding issues

KEY CODING PRINCIPLES ndashDEFENSE IN DEPTH

Manual Code Review

Penetration Testing

Static Analysis

Dynamic Analysis

SECURE CODE ANALYSIS

Software designers and programmers examine source code quality

Expensive labor intensive and highly effective

More than 75 of faults are found through this method

SECURE CODE ANALYSIS ndash MANUAL CODE REVIEW

Overt penetration testing has the pseudo-attacker working with the organization

Covert penetration testing is a simulated attackwithout the knowledge of most of theorganization

Overt testing is effective for finding faults butineffective at testing incident response andattack detection

Covert testing does test the organizations ability to respond to attacks but is very time consuming and costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

White box testing gives the pseudo-

attacker full access to the organizations

structure and defenses

It is cost effective and less like real life

Black box testing gives the pseudo-

attacker little to no information

It simulates real life well but is very costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

A tool meant for analyzing the

executable program rather than the

source code

Covers a wide scope not user-

friendly many false positives

SECURE CODE ANALYSIS ndash STATIC ANALYSIS

Analyzes the program behavior

while it is running

Precise and valid results

SECURE CODE ANALYSIS ndash DYNAMIC ANALYSIS

CONCLUSION

Importance of source code and secure development

Common coding errors

Key coding principles

Secure code analysis

REFERENCES FOR PICTURES

httpavi72livejournalcom3018html

httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp

httpchem-manufacturingcomprogram

httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml

httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos

httpcyrilwangpixnetnetblogpost32220475-5BE68A80E8A193E58886E4BAAB5D-E794A8E4BA86E58F83E695B8E58C96E69FA5E8A9A2E5B0B1E58FAFE4BBA5E5B08D-sql-injecti

httpwwwdanmcinfohigh-availability

httpwwwdreamworldprojectinfouncategorizedtypes-of-computer-software

httpeasysolution4youblogspotca201305insall-turbocpp-onwindows8-fullscreenhtml

httpwwwehackingnewscomsearchlabelReverse20Engineering

httpsenwikipediaorgwikiFileVisualBasicLogogif

httpenwikipediaorgwikiOperation_Aurora

httpes123rfcomphoto_5980477_letras-del-teclado-de-la-computadora-alrededor-de-la-integridad-de-la-palabrahtml

httpevos4rdwordpresscomauthorevos4rdpage2

httpswwwfacebookcompenetretiontestingblogger

httpwwwflickrcomphotoshelloimchloe5620821061

httpwwwflickrcomphotossebastian_bergmann3991540987

httpgeniuscountrycomassets2011i-just-want-to-say-one-word-to-you-data

httpiappsoftscomamrutvahini-institute-of-management-and-business-administrationhtml

httpinfocenterarmcomhelpindexjsptopic=comarmdocdui0414ckRP_code_view_The_disassembly_viewhtml

httpwwwinformitcomstoresecure-coding-in-c-and-c-plus-plus-9780321335722

httpwwwinnovategycomhtmlstrategieworkshophtml

httpwwwisacaorgJournalPast-Issues2008Volume-3PagesJOnline-Role-Engineering-The-Cornerstone-of-RBAC1aspx

httpjavakenai-devcognisyncnetpubatoday20060817code-reviewshtml

httpwwwkinokuniyacojpfdsg-02-9780071626750

httplurkerfaqscomboards8-gamefaqs-contests60380480

httpmadchuckleblogspotca201004just-what-is-python-my-initial-thoughtshtml

httpwwwmaxitcomauportfolio-viewcustom-software-design-architecture-3

httpwwwmindfiresolutionscomperl-developmenthtm

httpwwwmyotherpcisacloudcompage=11

httpwwwphidgetscomdocsLanguage_-_CC++

httprebootblueprintcom7-healthy-no-fap-replacement-habits

httpwwwronpaulforumscomshowthreadphp331019-Supervoter-Bomb-envelope-design-need-input

httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia

httpwwwsecurecodingorg

httpwwwselectinternetcoukhtmlbackuphtml

httpseravofi2013javascript-the-winning-style

httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml

httpsoftbukarusoftscreens-IDA-Prohtml

httpwwwsoftwaresecuritysolutionscomlayered-securityhtml

httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions

httpturbotoddwordpresscom201303

httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01

httpxkcdcom327

httpzheronelitwordpresscomcategoryc-source-codes

Page 10: Secure development of code

ECONOMIC IMPACTS

COMMON CODING ERRORS

SQL Injection

Buffer Overflow

Race Conditions

COMMON CODING ERRORS ndash SQL INJECTION

Intruder can gain unauthorized access to database

Intruder can read and modify data

Integrity confidentiality and privacy compromised

COMMON CODING ERRORS ndash BUFFER OVERFLOW

Attacker can crash the program

Attacker can inject his own code

into the program

Availability integrity privacy and

confidentiality compromised

COMMON CODING ERRORS ndash RACE CONDITIONS

Attacker can insert malicious code

and interfere with the normal

execution of the program

Attacker can exhaust the

computerrsquos resources

Availability and confidentiality

compromised

KEY CODING PRINCIPLES

Least Privilege

Keep it Simple

Validate Input

Practice defense in Depth

ldquoNeed-to knowrdquo principle

Access should be restricted

High clearance should be allowed only for a limited time

Reduces the impact an attacker can have and reduces the possibility

of attacks

KEY CODING PRINCIPLES ndash LEAST PRIVILEGE

Complex systems have more surface

area for attack

Complexity creates errors

Complexity demands more resources

KEY CODING PRINCIPLES ndash KEEP IT SIMPLE

Input from external parties can be very dangerous

Every company should have a set of policies on handling input

Reduced risk of malicious data causing damage

KEY CODING PRINCIPLES ndash VALIDATING INPUT

A good system should have multiple

layers of security

More layers of security means more

trouble for an attacker

Helps mitigate insecure coding issues

KEY CODING PRINCIPLES ndashDEFENSE IN DEPTH

Manual Code Review

Penetration Testing

Static Analysis

Dynamic Analysis

SECURE CODE ANALYSIS

Software designers and programmers examine source code quality

Expensive labor intensive and highly effective

More than 75 of faults are found through this method

SECURE CODE ANALYSIS ndash MANUAL CODE REVIEW

Overt penetration testing has the pseudo-attacker working with the organization

Covert penetration testing is a simulated attackwithout the knowledge of most of theorganization

Overt testing is effective for finding faults butineffective at testing incident response andattack detection

Covert testing does test the organizations ability to respond to attacks but is very time consuming and costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

White box testing gives the pseudo-

attacker full access to the organizations

structure and defenses

It is cost effective and less like real life

Black box testing gives the pseudo-

attacker little to no information

It simulates real life well but is very costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

A tool meant for analyzing the

executable program rather than the

source code

Covers a wide scope not user-

friendly many false positives

SECURE CODE ANALYSIS ndash STATIC ANALYSIS

Analyzes the program behavior

while it is running

Precise and valid results

SECURE CODE ANALYSIS ndash DYNAMIC ANALYSIS

CONCLUSION

Importance of source code and secure development

Common coding errors

Key coding principles

Secure code analysis



COMMON CODING ERRORS

SQL Injection

Buffer Overflow

Race Conditions

COMMON CODING ERRORS – SQL INJECTION

Untrusted input is concatenated into a SQL statement, so the intruder can change the structure of the query and gain unauthorized access to the database

Intruder can read and modify data

Integrity, confidentiality and privacy compromised
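The attack the slide describes, as an added example that is not part of the original deck: the same lookup written twice, once by pasting the caller's value into the SQL text and once as a parameterised statement. It uses Python's standard sqlite3 module; the users table, its three rows and the `' OR '1'='1` payload are constructed for the demo.

```python
import sqlite3

# Constructed sample data, not taken from the deck: three rows in an in-memory
# SQLite database so the whole example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "a-token"), ("bob", "b-token"), ("carol", "c-token")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # The caller-supplied value is pasted straight into the SQL text, so a
    # quote character in it ends the string literal and the rest of the input
    # becomes part of the query: the attacker controls structure, not just data.
    query = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    # Parameterised statement: the SQL text is fixed and the value travels
    # separately, so no input can change what the statement does.
    return conn.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)
    ).fetchall()


# Classic tautology payload, constructed for the demo. The vulnerable query
# becomes:  ... WHERE name = '' OR '1'='1'   which is true for every row.
INJECTION = "' OR '1'='1"


def demo():
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, INJECTION),   # every user's secret
        "safe": lookup_safe(conn, INJECTION),               # nobody is literally named that
        "normal": lookup_safe(conn, "bob"),                 # the intended behaviour
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:>10}: {rows}")
```

Escaping quotes by hand is not the fix: it has to be right for every driver, character set and SQL dialect, and one missed spot is enough. Parameterised statements (or a query builder that produces them) remove the class of bug; input validation on top of that is a second layer, not a substitute.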

COMMON CODING ERRORS – BUFFER OVERFLOW

More data is written to (or read from) a fixed-size buffer than it holds, so adjacent memory is corrupted or disclosed

Attacker can crash the program

Attacker can inject his own code into the program

Availability, integrity, privacy and confidentiality compromised
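An added example, not from the original deck, of the root cause behind the slide: a length field supplied by the peer is trusted instead of being checked against what was actually received. Python cannot corrupt memory, so the example models the over-read (disclosure) variant by placing an unrelated secret right after the message; in C the identical missing check on a memcpy into a fixed buffer gives the write variant that lets an attacker crash the program or inject code. The wire format, the payload and the neighbouring secret are all constructed for the demo.

```python
import struct

# Constructed data for the demo: the real payload and some unrelated bytes that
# happen to sit right after it in memory. In a C program the bytes after the
# payload would be whatever else is on the heap or stack (keys, other users'
# requests), which is exactly what an over-read leaks.
PAYLOAD = b"hello"
ADJACENT_SECRET = b"session=deadbeef"


def build_message(declared_len, payload=PAYLOAD):
    # Wire format assumed for the example: 2-byte big-endian length, then data.
    # An honest client declares the true length; an attacker declares more.
    return struct.pack(">H", declared_len) + payload


def read_payload_unchecked(memory, nread):
    # nread is how many bytes were actually received, but this version never
    # consults it: it trusts the attacker-controlled length field and copies
    # declared_len bytes, running past the end of the real message.
    (declared_len,) = struct.unpack(">H", memory[:2])
    return memory[2:2 + declared_len]


def read_payload_checked(memory, nread):
    # The declared length is validated against what was really received
    # before a single byte is copied.
    if nread < 2:
        raise ValueError("truncated header")
    (declared_len,) = struct.unpack(">H", memory[:2])
    if 2 + declared_len > nread:
        raise ValueError(f"declared length {declared_len} exceeds received {nread - 2}")
    return memory[2:2 + declared_len]


def demo():
    honest = build_message(len(PAYLOAD))
    malicious = build_message(64)           # claims 64 bytes, sends 5
    memory = malicious + ADJACENT_SECRET    # the message plus what lies after it
    leaked = read_payload_unchecked(memory, len(malicious))
    try:
        read_payload_checked(memory, len(malicious))
        rejected = False
    except ValueError:
        rejected = True
    return {
        "honest": read_payload_checked(honest + ADJACENT_SECRET, len(honest)),
        "leaked": leaked,       # payload followed by the neighbouring secret
        "rejected": rejected,   # the checked parser refuses the malicious message
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:>8}: {value!r}")
```

The rule a reviewer looks for is that every length, offset or count that comes from outside is compared with the size of the buffer it will index before it is used, and that the comparison cannot overflow itself (in C, `2 + declared_len` must be computed in a type wide enough to hold it).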

COMMON CODING ERRORS – RACE CONDITIONS

The outcome depends on the timing of concurrent operations, typically a check and a later use that are not performed atomically

Attacker can change state in the window between the check and the use and so interfere with the normal execution of the program

Attacker can exhaust the computer's resources

Availability and confidentiality compromised
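An added example, not part of the original deck, of the check-then-act race behind most of these bugs: two threads withdraw from one account. The racy version checks the balance and updates it as two separate steps; the safe version does both under one lock. The account, the amounts and the barrier that forces the worst-case interleaving are constructed for the demo (the barrier only makes the window reproducible; a real program hits it by chance, which is why races are so hard to find by testing).

```python
import threading


class Account:
    """Constructed example: a balance that several threads withdraw from."""

    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw_racy(self, amount, after_check=None):
        # The balance check and the update are separate steps with no lock, so
        # another thread can pass the same check before this one subtracts
        # (time-of-check to time-of-use). after_check is only a hook that lets
        # the demo widen the window reliably; in production the window is the
        # ordinary scheduling gap between the two statements.
        if self.balance >= amount:
            if after_check is not None:
                after_check()
            self.balance -= amount
            return True
        return False

    def withdraw_safe(self, amount):
        # Check and update happen under one lock, so they are atomic with
        # respect to every other withdraw_safe call on this account.
        with self._lock:
            if self.balance >= amount:
                self.balance -= amount
                return True
            return False


def _run_threads(workers):
    threads = [threading.Thread(target=w) for w in workers]
    for t in threads:
        t.start()
    for t in threads:
        t.join()


def demo_racy(n_threads=2, start=100, amount=100):
    acct = Account(start)
    # Barrier: every thread must have passed the balance check before any of
    # them subtracts, which forces the worst-case interleaving on every run.
    gate = threading.Barrier(n_threads)
    outcomes = []

    def worker():
        outcomes.append(acct.withdraw_racy(amount, after_check=gate.wait))

    _run_threads([worker] * n_threads)
    return acct.balance, outcomes.count(True)   # (-100, 2): both withdrawals "succeed"


def demo_safe(n_threads=2, start=100, amount=100):
    acct = Account(start)
    outcomes = []

    def worker():
        outcomes.append(acct.withdraw_safe(amount))

    _run_threads([worker] * n_threads)
    return acct.balance, outcomes.count(True)   # (0, 1): the second withdrawal is refused


if __name__ == "__main__":
    print("racy:", demo_racy())
    print("safe:", demo_safe())
```

The same shape appears with files (checking a path with access() and then opening it, while the attacker swaps in a symlink) and with databases (SELECT, decide, UPDATE without a transaction). The fix is always to make check and use one indivisible operation: a lock, an atomic open flag such as O_EXCL, or a conditional UPDATE.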

KEY CODING PRINCIPLES

Least Privilege

Keep it Simple

Validate Input

Practice Defense in Depth

KEY CODING PRINCIPLES – LEAST PRIVILEGE

"Need-to-know" principle: code and users get only the access their task requires

Access should be restricted by default

High clearance should be granted only for a limited time

Reduces the impact an attacker can have and reduces the possibility of attacks

KEY CODING PRINCIPLES – KEEP IT SIMPLE

Complex systems have more surface area for attack

Complexity creates errors

Complexity demands more resources to build, review and test

KEY CODING PRINCIPLES – VALIDATE INPUT

Input from external parties (users, other systems, files, the network) can be very dangerous and must be treated as untrusted

Every company should have a set of policies on handling input: decode once, allowlist what is expected, reject the rest

Reduced risk of malicious data causing damage

KEY CODING PRINCIPLES – DEFENSE IN DEPTH

A good system should have multiple layers of security

More layers of security means more trouble for an attacker: one bypassed control should not mean a compromise

Helps mitigate insecure coding issues that slip past a single control
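An added example, not part of the original deck, that puts the Validate Input and Defense in Depth slides together on one classic case: a client-supplied file name that must stay inside a document root. Three independent checks are layered so that a gap in one (an allowlist that is later loosened, say) is still caught by the next. The base directory `/srv/app/reports`, the allowlist and the sample inputs are assumptions made for the demo.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed document root for the example; any absolute directory works.
BASE_DIR = "/srv/app/reports"

# Layer 2 allowlist: a relative path of letters, digits, '_', '-', '.', '/',
# starting with an alphanumeric character, at most 128 characters.
_ALLOWED = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_./-]{0,127}")


class RejectedInput(ValueError):
    pass


def resolve_user_path(user_path, base_dir=BASE_DIR):
    """Map a client-supplied relative path to a file under base_dir.

    Each layer stops something an earlier layer could miss, which is the
    defense-in-depth point: a weakness in one check is not a compromise.
      1. decode exactly once, so "%2e%2e" cannot hide ".." from later checks,
         and refuse double-encoded input outright
      2. allowlist characters and cap the length (kills NUL bytes, absolute
         paths, backslashes, control characters, over-long names)
      3. normalise and confine the result to base_dir, which catches
         "2024/../../etc/passwd" even though every character is allowed
    """
    base_dir = posixpath.normpath(base_dir)
    decoded = unquote(user_path)
    if unquote(decoded) != decoded:
        raise RejectedInput("double-encoded input")
    if not _ALLOWED.fullmatch(decoded):
        raise RejectedInput("disallowed characters or length")
    candidate = posixpath.normpath(posixpath.join(base_dir, decoded))
    if candidate == base_dir or posixpath.commonpath([base_dir, candidate]) != base_dir:
        raise RejectedInput("not confined to base directory")
    return candidate


def classify(user_path):
    """Convenience wrapper: the resolved path, or the reason it was refused."""
    try:
        return resolve_user_path(user_path)
    except RejectedInput as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for p in ["2024/q1.txt", "2024/../../etc/passwd", "%2e%2e/etc/passwd",
              "%252e%252e/etc/passwd", "/etc/passwd", "a\x00.txt"]:
        print(f"{p!r:>28} -> {classify(p)}")
```

Layer 3 works on the normalised string only; if the directory can contain symlinks, resolve the final path with os.path.realpath and repeat the containment check on the result. The last layer, which this example cannot show, is to run the process that opens the file as a user that can read nothing outside the document root, so that even a bypass of all three checks yields nothing.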

SECURE CODE ANALYSIS

Manual Code Review

Penetration Testing

Static Analysis

Dynamic Analysis

SECURE CODE ANALYSIS – MANUAL CODE REVIEW

Software designers and programmers examine the source code for defects and quality

Expensive and labour intensive, but highly effective

More than 75% of faults are found through this method

SECURE CODE ANALYSIS – PENETRATION TESTING

Overt penetration testing has the pseudo-attacker working openly with the organization

Covert penetration testing is a simulated attack without the knowledge of most of the organization

Overt testing is effective for finding faults, but ineffective at testing incident response and attack detection

Covert testing does test the organization's ability to respond to attacks, but is very time consuming and costly

SECURE CODE ANALYSIS – PENETRATION TESTING

White box testing gives the pseudo-attacker full access to the organization's structure and defenses

It is cost effective, but less like real life

Black box testing gives the pseudo-attacker little to no information

It simulates real life well, but is very costly

SECURE CODE ANALYSIS – STATIC ANALYSIS

A tool that examines the program without running it: usually the source code, sometimes the compiled binary (disassembly)

Covers a wide scope, since every code path is visible to the tool, but it is not user-friendly and reports many false positives that must be triaged by hand
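An added example, not part of the original deck, of what a static analyser actually does: it walks the syntax tree of the code under review, never executes it, and flags every database execute() call whose query is assembled at runtime. The code under review is a constructed sample that deliberately contains two real injection bugs, one correct call, one false positive and one false negative, so that both properties from the slide (wide scope, noisy results) show up in the output.

```python
import ast

# Database call sites the checker treats as SQL sinks (DB-API 2.0 names).
SINKS = {"execute", "executemany", "executescript"}


def _builds_string_at_runtime(node):
    """True when the expression assembles a string from parts instead of
    being one literal: f-strings with placeholders, '+' or '%' on strings,
    and str.format() calls."""
    if isinstance(node, ast.JoinedStr):
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


def find_sql_string_building(source, filename="<input>"):
    """Return sorted (line, message) pairs for every sink call whose first
    argument is built at runtime. No execution and no data-flow tracking:
    it looks at the syntax tree only."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in SINKS or not node.args:
            continue
        if _builds_string_at_runtime(node.args[0]):
            findings.append((node.lineno,
                             f"{node.func.attr}() receives a query assembled at runtime; "
                             "use a parameterised statement"))
    return sorted(findings)


# Constructed code under review (not from the deck). It deliberately contains
# two real bugs, one correct call, one false positive and one false negative.
SAMPLE = '''
import sqlite3
def bad(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = '" + name + "'")
def bad_fstring(conn, uid):
    return conn.execute(f"DELETE FROM sessions WHERE uid = {uid}")
def good(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,))
def noisy(conn):
    return conn.execute("SELECT 1" + " WHERE 1 = 1")   # constants only: false positive
def missed(conn, name):
    q = "SELECT * FROM users WHERE name = '" + name + "'"
    return conn.execute(q)                               # built elsewhere: false negative
'''


def demo():
    """Line numbers the checker flags in SAMPLE."""
    return [line for line, _ in find_sql_string_building(SAMPLE)]


if __name__ == "__main__":
    for line, msg in find_sql_string_building(SAMPLE):
        print(f"line {line}: {msg}")
```

The checker reports lines 4, 6 and 10. Line 10 is noise (two constants joined) and line 13 is missed because the query was built in a variable two lines earlier; a production tool adds data-flow tracking to fix the second problem, which in turn produces more of the first. That trade-off is the "wide scope, many false positives" of the slide, and why static findings need a human to triage them.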

SECURE CODE ANALYSIS – DYNAMIC ANALYSIS

Analyzes the program's behavior while it is running (instrumented test runs, fuzzing, debuggers)

Results are precise and valid for the inputs that were tried, since every finding comes with a concrete failing input, but only the code paths that were actually exercised get checked
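An added example, not part of the original deck, of the caveat on this slide: a dynamic check is only as good as the inputs it was run with. A small authorisation function (constructed, with a bug planted on its least used branch) is run under a line tracer, the simplest possible dynamic-analysis instrument. The "normal" test inputs all pass and the trace shows exactly which line they never reached; one extra input that does reach it exposes the bug immediately.

```python
import sys


def can_delete(user, doc):
    """Constructed authorisation check with a latent bug on a rarely used path."""
    if user["role"] == "admin":
        return True
    if user["role"] == "delegate":
        # BUG, planted for the demo: the comparison is inverted, so a delegate
        # may delete everyone's documents except those of the person who
        # delegated to them.
        return doc["owner"] != user["delegated_by"]
    return doc["owner"] == user["id"]


def trace_executed_lines(func, *args):
    """Run func(*args) under a line tracer and return (result, executed line
    offsets relative to the def line): a minimal dynamic-analysis probe."""
    code = func.__code__
    executed = set()

    def tracer(frame, event, arg):
        if frame.f_code is code and event == "line":
            executed.add(frame.f_lineno - code.co_firstlineno)
        return tracer

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        result = func(*args)
    finally:
        sys.settrace(previous)
    return result, executed


def run_suite(cases):
    """Execute each (user, doc) case and accumulate the lines ever touched."""
    outcomes, covered = [], set()
    for user, doc in cases:
        result, lines = trace_executed_lines(can_delete, user, doc)
        outcomes.append(result)
        covered |= lines
    return outcomes, covered


# Constructed inputs. The "normal" suite is what a tester who never thought of
# delegates would run; it passes and never touches the buggy line.
ALICE = {"id": "alice", "role": "user"}
ADMIN = {"id": "root", "role": "admin"}
DELEGATE = {"id": "dave", "role": "delegate", "delegated_by": "alice"}
DOC_ALICE = {"owner": "alice"}
DOC_BOB = {"owner": "bob"}
NORMAL_CASES = [(ALICE, DOC_ALICE), (ALICE, DOC_BOB), (ADMIN, DOC_BOB)]
DELEGATE_CASES = [(DELEGATE, DOC_ALICE), (DELEGATE, DOC_BOB)]


if __name__ == "__main__":
    normal_out, normal_cov = run_suite(NORMAL_CASES)
    all_out, all_cov = run_suite(NORMAL_CASES + DELEGATE_CASES)
    print("normal suite outcomes:", normal_out)          # [True, False, True]: looks fine
    print("lines never executed by it:", sorted(all_cov - normal_cov))
    print("delegate on someone else's doc:", can_delete(DELEGATE, DOC_BOB))  # True: the bug
```

Every result from the normal suite is correct and reproducible, which is the "precise and valid" half of the slide; the untouched line is the other half. This is why dynamic techniques are paired with coverage measurement and with static review, which sees the inverted comparison whether or not anyone ever calls it.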

CONCLUSION

Importance of source code and secure development

Common coding errors

Key coding principles

Secure code analysis

REFERENCES FOR PICTURES

httpavi72livejournalcom3018html

httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp

httpchem-manufacturingcomprogram

httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml

httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos

httpcyrilwangpixnetnetblogpost32220475-5BE68A80E8A193E58886E4BAAB5D-E794A8E4BA86E58F83E695B8E58C96E69FA5E8A9A2E5B0B1E58FAFE4BBA5E5B08D-sql-injecti

httpwwwdanmcinfohigh-availability

httpwwwdreamworldprojectinfouncategorizedtypes-of-computer-software

httpeasysolution4youblogspotca201305insall-turbocpp-onwindows8-fullscreenhtml

httpwwwehackingnewscomsearchlabelReverse20Engineering

httpsenwikipediaorgwikiFileVisualBasicLogogif

httpenwikipediaorgwikiOperation_Aurora

httpes123rfcomphoto_5980477_letras-del-teclado-de-la-computadora-alrededor-de-la-integridad-de-la-palabrahtml

httpevos4rdwordpresscomauthorevos4rdpage2

httpswwwfacebookcompenetretiontestingblogger

httpwwwflickrcomphotoshelloimchloe5620821061

httpwwwflickrcomphotossebastian_bergmann3991540987

httpgeniuscountrycomassets2011i-just-want-to-say-one-word-to-you-data

httpiappsoftscomamrutvahini-institute-of-management-and-business-administrationhtml

httpinfocenterarmcomhelpindexjsptopic=comarmdocdui0414ckRP_code_view_The_disassembly_viewhtml

httpwwwinformitcomstoresecure-coding-in-c-and-c-plus-plus-9780321335722

httpwwwinnovategycomhtmlstrategieworkshophtml

httpwwwisacaorgJournalPast-Issues2008Volume-3PagesJOnline-Role-Engineering-The-Cornerstone-of-RBAC1aspx

httpjavakenai-devcognisyncnetpubatoday20060817code-reviewshtml

httpwwwkinokuniyacojpfdsg-02-9780071626750

httplurkerfaqscomboards8-gamefaqs-contests60380480

httpmadchuckleblogspotca201004just-what-is-python-my-initial-thoughtshtml

httpwwwmaxitcomauportfolio-viewcustom-software-design-architecture-3

httpwwwmindfiresolutionscomperl-developmenthtm

httpwwwmyotherpcisacloudcompage=11

httpwwwphidgetscomdocsLanguage_-_CC++

httprebootblueprintcom7-healthy-no-fap-replacement-habits

httpwwwronpaulforumscomshowthreadphp331019-Supervoter-Bomb-envelope-design-need-input

httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia

httpwwwsecurecodingorg

httpwwwselectinternetcoukhtmlbackuphtml

httpseravofi2013javascript-the-winning-style

httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml

httpsoftbukarusoftscreens-IDA-Prohtml

httpwwwsoftwaresecuritysolutionscomlayered-securityhtml

httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions

httpturbotoddwordpresscom201303

httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01

httpxkcdcom327

httpzheronelitwordpresscomcategoryc-source-codes

Page 12: Secure development of code

COMMON CODING ERRORS ndash SQL INJECTION

Intruder can gain unauthorized access to database

Intruder can read and modify data

Integrity confidentiality and privacy compromised

COMMON CODING ERRORS ndash BUFFER OVERFLOW

Attacker can crash the program

Attacker can inject his own code

into the program

Availability integrity privacy and

confidentiality compromised

COMMON CODING ERRORS ndash RACE CONDITIONS

Attacker can insert malicious code

and interfere with the normal

execution of the program

Attacker can exhaust the

computerrsquos resources

Availability and confidentiality

compromised

KEY CODING PRINCIPLES

Least Privilege

Keep it Simple

Validate Input

Practice defense in Depth

ldquoNeed-to knowrdquo principle

Access should be restricted

High clearance should be allowed only for a limited time

Reduces the impact an attacker can have and reduces the possibility

of attacks

KEY CODING PRINCIPLES ndash LEAST PRIVILEGE

Complex systems have more surface

area for attack

Complexity creates errors

Complexity demands more resources

KEY CODING PRINCIPLES ndash KEEP IT SIMPLE

Input from external parties can be very dangerous

Every company should have a set of policies on handling input

Reduced risk of malicious data causing damage

KEY CODING PRINCIPLES ndash VALIDATING INPUT

A good system should have multiple

layers of security

More layers of security means more

trouble for an attacker

Helps mitigate insecure coding issues

KEY CODING PRINCIPLES ndashDEFENSE IN DEPTH

Manual Code Review

Penetration Testing

Static Analysis

Dynamic Analysis

SECURE CODE ANALYSIS

Software designers and programmers examine source code quality

Expensive labor intensive and highly effective

More than 75 of faults are found through this method

SECURE CODE ANALYSIS ndash MANUAL CODE REVIEW

Overt penetration testing has the pseudo-attacker working with the organization

Covert penetration testing is a simulated attackwithout the knowledge of most of theorganization

Overt testing is effective for finding faults butineffective at testing incident response andattack detection

Covert testing does test the organizations ability to respond to attacks but is very time consuming and costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

White box testing gives the pseudo-

attacker full access to the organizations

structure and defenses

It is cost effective and less like real life

Black box testing gives the pseudo-

attacker little to no information

It simulates real life well but is very costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

A tool meant for analyzing the

executable program rather than the

source code

Covers a wide scope not user-

friendly many false positives

SECURE CODE ANALYSIS ndash STATIC ANALYSIS

Analyzes the program behavior

while it is running

Precise and valid results

SECURE CODE ANALYSIS ndash DYNAMIC ANALYSIS

CONCLUSION

Importance of source code and secure development

Common coding errors

Key coding principles

Secure code analysis

REFERENCES FOR PICTURES

httpavi72livejournalcom3018html

httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp

httpchem-manufacturingcomprogram

httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml

httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos

httpcyrilwangpixnetnetblogpost32220475-5BE68A80E8A193E58886E4BAAB5D-E794A8E4BA86E58F83E695B8E58C96E69FA5E8A9A2E5B0B1E58FAFE4BBA5E5B08D-sql-injecti

httpwwwdanmcinfohigh-availability

httpwwwdreamworldprojectinfouncategorizedtypes-of-computer-software

httpeasysolution4youblogspotca201305insall-turbocpp-onwindows8-fullscreenhtml

httpwwwehackingnewscomsearchlabelReverse20Engineering

httpsenwikipediaorgwikiFileVisualBasicLogogif

httpenwikipediaorgwikiOperation_Aurora

httpes123rfcomphoto_5980477_letras-del-teclado-de-la-computadora-alrededor-de-la-integridad-de-la-palabrahtml

httpevos4rdwordpresscomauthorevos4rdpage2

httpswwwfacebookcompenetretiontestingblogger

httpwwwflickrcomphotoshelloimchloe5620821061

httpwwwflickrcomphotossebastian_bergmann3991540987

httpgeniuscountrycomassets2011i-just-want-to-say-one-word-to-you-data

httpiappsoftscomamrutvahini-institute-of-management-and-business-administrationhtml

httpinfocenterarmcomhelpindexjsptopic=comarmdocdui0414ckRP_code_view_The_disassembly_viewhtml

httpwwwinformitcomstoresecure-coding-in-c-and-c-plus-plus-9780321335722

httpwwwinnovategycomhtmlstrategieworkshophtml

httpwwwisacaorgJournalPast-Issues2008Volume-3PagesJOnline-Role-Engineering-The-Cornerstone-of-RBAC1aspx

httpjavakenai-devcognisyncnetpubatoday20060817code-reviewshtml

httpwwwkinokuniyacojpfdsg-02-9780071626750

httplurkerfaqscomboards8-gamefaqs-contests60380480

httpmadchuckleblogspotca201004just-what-is-python-my-initial-thoughtshtml

httpwwwmaxitcomauportfolio-viewcustom-software-design-architecture-3

httpwwwmindfiresolutionscomperl-developmenthtm

httpwwwmyotherpcisacloudcompage=11

httpwwwphidgetscomdocsLanguage_-_CC++

httprebootblueprintcom7-healthy-no-fap-replacement-habits

httpwwwronpaulforumscomshowthreadphp331019-Supervoter-Bomb-envelope-design-need-input

httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia

httpwwwsecurecodingorg

httpwwwselectinternetcoukhtmlbackuphtml

httpseravofi2013javascript-the-winning-style

httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml

httpsoftbukarusoftscreens-IDA-Prohtml

httpwwwsoftwaresecuritysolutionscomlayered-securityhtml

httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions

httpturbotoddwordpresscom201303

httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01

httpxkcdcom327

httpzheronelitwordpresscomcategoryc-source-codes

Page 13: Secure development of code

COMMON CODING ERRORS ndash BUFFER OVERFLOW

Attacker can crash the program

Attacker can inject his own code

into the program

Availability integrity privacy and

confidentiality compromised

COMMON CODING ERRORS ndash RACE CONDITIONS

Attacker can insert malicious code

and interfere with the normal

execution of the program

Attacker can exhaust the

computerrsquos resources

Availability and confidentiality

compromised

KEY CODING PRINCIPLES

Least Privilege

Keep it Simple

Validate Input

Practice defense in Depth

ldquoNeed-to knowrdquo principle

Access should be restricted

High clearance should be allowed only for a limited time

Reduces the impact an attacker can have and reduces the possibility

of attacks

KEY CODING PRINCIPLES ndash LEAST PRIVILEGE

Complex systems have more surface

area for attack

Complexity creates errors

Complexity demands more resources

KEY CODING PRINCIPLES ndash KEEP IT SIMPLE

Input from external parties can be very dangerous

Every company should have a set of policies on handling input

Reduced risk of malicious data causing damage

KEY CODING PRINCIPLES ndash VALIDATING INPUT

A good system should have multiple

layers of security

More layers of security means more

trouble for an attacker

Helps mitigate insecure coding issues

KEY CODING PRINCIPLES ndashDEFENSE IN DEPTH

Manual Code Review

Penetration Testing

Static Analysis

Dynamic Analysis

SECURE CODE ANALYSIS

Software designers and programmers examine source code quality

Expensive labor intensive and highly effective

More than 75 of faults are found through this method

SECURE CODE ANALYSIS ndash MANUAL CODE REVIEW

Overt penetration testing has the pseudo-attacker working with the organization

Covert penetration testing is a simulated attackwithout the knowledge of most of theorganization

Overt testing is effective for finding faults butineffective at testing incident response andattack detection

Covert testing does test the organizations ability to respond to attacks but is very time consuming and costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

White box testing gives the pseudo-

attacker full access to the organizations

structure and defenses

It is cost effective and less like real life

Black box testing gives the pseudo-

attacker little to no information

It simulates real life well but is very costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

A tool meant for analyzing the

executable program rather than the

source code

Covers a wide scope not user-

friendly many false positives

SECURE CODE ANALYSIS ndash STATIC ANALYSIS

Analyzes the program behavior

while it is running

Precise and valid results

SECURE CODE ANALYSIS ndash DYNAMIC ANALYSIS

CONCLUSION

Importance of source code and secure development

Common coding errors

Key coding principles

Secure code analysis

REFERENCES FOR PICTURES

httpavi72livejournalcom3018html

httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp

httpchem-manufacturingcomprogram

httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml

httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos

httpcyrilwangpixnetnetblogpost32220475-5BE68A80E8A193E58886E4BAAB5D-E794A8E4BA86E58F83E695B8E58C96E69FA5E8A9A2E5B0B1E58FAFE4BBA5E5B08D-sql-injecti

httpwwwdanmcinfohigh-availability

httpwwwdreamworldprojectinfouncategorizedtypes-of-computer-software

httpeasysolution4youblogspotca201305insall-turbocpp-onwindows8-fullscreenhtml

httpwwwehackingnewscomsearchlabelReverse20Engineering

httpsenwikipediaorgwikiFileVisualBasicLogogif

httpenwikipediaorgwikiOperation_Aurora

httpes123rfcomphoto_5980477_letras-del-teclado-de-la-computadora-alrededor-de-la-integridad-de-la-palabrahtml

httpevos4rdwordpresscomauthorevos4rdpage2

httpswwwfacebookcompenetretiontestingblogger

httpwwwflickrcomphotoshelloimchloe5620821061

httpwwwflickrcomphotossebastian_bergmann3991540987

httpgeniuscountrycomassets2011i-just-want-to-say-one-word-to-you-data

httpiappsoftscomamrutvahini-institute-of-management-and-business-administrationhtml

httpinfocenterarmcomhelpindexjsptopic=comarmdocdui0414ckRP_code_view_The_disassembly_viewhtml

httpwwwinformitcomstoresecure-coding-in-c-and-c-plus-plus-9780321335722

httpwwwinnovategycomhtmlstrategieworkshophtml

httpwwwisacaorgJournalPast-Issues2008Volume-3PagesJOnline-Role-Engineering-The-Cornerstone-of-RBAC1aspx

httpjavakenai-devcognisyncnetpubatoday20060817code-reviewshtml

httpwwwkinokuniyacojpfdsg-02-9780071626750

httplurkerfaqscomboards8-gamefaqs-contests60380480

httpmadchuckleblogspotca201004just-what-is-python-my-initial-thoughtshtml

httpwwwmaxitcomauportfolio-viewcustom-software-design-architecture-3

httpwwwmindfiresolutionscomperl-developmenthtm

httpwwwmyotherpcisacloudcompage=11

httpwwwphidgetscomdocsLanguage_-_CC++

httprebootblueprintcom7-healthy-no-fap-replacement-habits

httpwwwronpaulforumscomshowthreadphp331019-Supervoter-Bomb-envelope-design-need-input

httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia

httpwwwsecurecodingorg

httpwwwselectinternetcoukhtmlbackuphtml

httpseravofi2013javascript-the-winning-style

httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml

httpsoftbukarusoftscreens-IDA-Prohtml

httpwwwsoftwaresecuritysolutionscomlayered-securityhtml

httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions

httpturbotoddwordpresscom201303

httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01

httpxkcdcom327

httpzheronelitwordpresscomcategoryc-source-codes

Page 14: Secure development of code

COMMON CODING ERRORS ndash RACE CONDITIONS

Attacker can insert malicious code

and interfere with the normal

execution of the program

Attacker can exhaust the

computerrsquos resources

Availability and confidentiality

compromised

KEY CODING PRINCIPLES

Least Privilege

Keep it Simple

Validate Input

Practice defense in Depth

ldquoNeed-to knowrdquo principle

Access should be restricted

High clearance should be allowed only for a limited time

Reduces the impact an attacker can have and reduces the possibility

of attacks

KEY CODING PRINCIPLES ndash LEAST PRIVILEGE

Complex systems have more surface

area for attack

Complexity creates errors

Complexity demands more resources

KEY CODING PRINCIPLES ndash KEEP IT SIMPLE

Input from external parties can be very dangerous

Every company should have a set of policies on handling input

Reduced risk of malicious data causing damage

KEY CODING PRINCIPLES ndash VALIDATING INPUT

A good system should have multiple

layers of security

More layers of security means more

trouble for an attacker

Helps mitigate insecure coding issues

KEY CODING PRINCIPLES ndashDEFENSE IN DEPTH

Manual Code Review

Penetration Testing

Static Analysis

Dynamic Analysis

SECURE CODE ANALYSIS

Software designers and programmers examine source code quality

Expensive labor intensive and highly effective

More than 75 of faults are found through this method

SECURE CODE ANALYSIS ndash MANUAL CODE REVIEW

Overt penetration testing has the pseudo-attacker working with the organization

Covert penetration testing is a simulated attackwithout the knowledge of most of theorganization

Overt testing is effective for finding faults butineffective at testing incident response andattack detection

Covert testing does test the organizations ability to respond to attacks but is very time consuming and costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

White box testing gives the pseudo-

attacker full access to the organizations

structure and defenses

It is cost effective and less like real life

Black box testing gives the pseudo-

attacker little to no information

It simulates real life well but is very costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

A tool meant for analyzing the

executable program rather than the

source code

Covers a wide scope not user-

friendly many false positives

SECURE CODE ANALYSIS ndash STATIC ANALYSIS

Analyzes the program behavior

while it is running

Precise and valid results

SECURE CODE ANALYSIS ndash DYNAMIC ANALYSIS

CONCLUSION

Importance of source code and secure development

Common coding errors

Key coding principles

Secure code analysis

REFERENCES FOR PICTURES

httpavi72livejournalcom3018html

httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp

httpchem-manufacturingcomprogram

httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml

httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos

httpcyrilwangpixnetnetblogpost32220475-5BE68A80E8A193E58886E4BAAB5D-E794A8E4BA86E58F83E695B8E58C96E69FA5E8A9A2E5B0B1E58FAFE4BBA5E5B08D-sql-injecti

httpwwwdanmcinfohigh-availability

httpwwwdreamworldprojectinfouncategorizedtypes-of-computer-software

httpeasysolution4youblogspotca201305insall-turbocpp-onwindows8-fullscreenhtml

httpwwwehackingnewscomsearchlabelReverse20Engineering

httpsenwikipediaorgwikiFileVisualBasicLogogif

httpenwikipediaorgwikiOperation_Aurora

httpes123rfcomphoto_5980477_letras-del-teclado-de-la-computadora-alrededor-de-la-integridad-de-la-palabrahtml

httpevos4rdwordpresscomauthorevos4rdpage2

httpswwwfacebookcompenetretiontestingblogger

httpwwwflickrcomphotoshelloimchloe5620821061

httpwwwflickrcomphotossebastian_bergmann3991540987

httpgeniuscountrycomassets2011i-just-want-to-say-one-word-to-you-data

httpiappsoftscomamrutvahini-institute-of-management-and-business-administrationhtml

httpinfocenterarmcomhelpindexjsptopic=comarmdocdui0414ckRP_code_view_The_disassembly_viewhtml

httpwwwinformitcomstoresecure-coding-in-c-and-c-plus-plus-9780321335722

httpwwwinnovategycomhtmlstrategieworkshophtml

httpwwwisacaorgJournalPast-Issues2008Volume-3PagesJOnline-Role-Engineering-The-Cornerstone-of-RBAC1aspx

httpjavakenai-devcognisyncnetpubatoday20060817code-reviewshtml

httpwwwkinokuniyacojpfdsg-02-9780071626750

httplurkerfaqscomboards8-gamefaqs-contests60380480

httpmadchuckleblogspotca201004just-what-is-python-my-initial-thoughtshtml

httpwwwmaxitcomauportfolio-viewcustom-software-design-architecture-3

httpwwwmindfiresolutionscomperl-developmenthtm

httpwwwmyotherpcisacloudcompage=11

httpwwwphidgetscomdocsLanguage_-_CC++

httprebootblueprintcom7-healthy-no-fap-replacement-habits

httpwwwronpaulforumscomshowthreadphp331019-Supervoter-Bomb-envelope-design-need-input

httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia

httpwwwsecurecodingorg

httpwwwselectinternetcoukhtmlbackuphtml

httpseravofi2013javascript-the-winning-style

httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml

httpsoftbukarusoftscreens-IDA-Prohtml

httpwwwsoftwaresecuritysolutionscomlayered-securityhtml

httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions

httpturbotoddwordpresscom201303

httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01

httpxkcdcom327

httpzheronelitwordpresscomcategoryc-source-codes

Page 15: Secure development of code

KEY CODING PRINCIPLES

Least Privilege

Keep it Simple

Validate Input

Practice defense in Depth

ldquoNeed-to knowrdquo principle

Access should be restricted

High clearance should be allowed only for a limited time

Reduces the impact an attacker can have and reduces the possibility

of attacks

KEY CODING PRINCIPLES ndash LEAST PRIVILEGE

Complex systems have more surface

area for attack

Complexity creates errors

Complexity demands more resources

KEY CODING PRINCIPLES ndash KEEP IT SIMPLE

Input from external parties can be very dangerous

Every company should have a set of policies on handling input

Reduced risk of malicious data causing damage

KEY CODING PRINCIPLES ndash VALIDATING INPUT

A good system should have multiple

layers of security

More layers of security means more

trouble for an attacker

Helps mitigate insecure coding issues

KEY CODING PRINCIPLES ndashDEFENSE IN DEPTH

Manual Code Review

Penetration Testing

Static Analysis

Dynamic Analysis

SECURE CODE ANALYSIS

Software designers and programmers examine source code quality

Expensive labor intensive and highly effective

More than 75 of faults are found through this method

SECURE CODE ANALYSIS ndash MANUAL CODE REVIEW

Overt penetration testing has the pseudo-attacker working with the organization

Covert penetration testing is a simulated attackwithout the knowledge of most of theorganization

Overt testing is effective for finding faults butineffective at testing incident response andattack detection

Covert testing does test the organizations ability to respond to attacks but is very time consuming and costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

White box testing gives the pseudo-

attacker full access to the organizations

structure and defenses

It is cost effective and less like real life

Black box testing gives the pseudo-

attacker little to no information

It simulates real life well but is very costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

A tool meant for analyzing the

executable program rather than the

source code

Covers a wide scope not user-

friendly many false positives

SECURE CODE ANALYSIS ndash STATIC ANALYSIS

Analyzes the program behavior

while it is running

Precise and valid results

SECURE CODE ANALYSIS ndash DYNAMIC ANALYSIS

CONCLUSION

Importance of source code and secure development

Common coding errors

Key coding principles

Secure code analysis

REFERENCES FOR PICTURES

httpavi72livejournalcom3018html

httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp

httpchem-manufacturingcomprogram

httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml

httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos

httpcyrilwangpixnetnetblogpost32220475-5BE68A80E8A193E58886E4BAAB5D-E794A8E4BA86E58F83E695B8E58C96E69FA5E8A9A2E5B0B1E58FAFE4BBA5E5B08D-sql-injecti

httpwwwdanmcinfohigh-availability

httpwwwdreamworldprojectinfouncategorizedtypes-of-computer-software

httpeasysolution4youblogspotca201305insall-turbocpp-onwindows8-fullscreenhtml

httpwwwehackingnewscomsearchlabelReverse20Engineering

httpsenwikipediaorgwikiFileVisualBasicLogogif

httpenwikipediaorgwikiOperation_Aurora

httpes123rfcomphoto_5980477_letras-del-teclado-de-la-computadora-alrededor-de-la-integridad-de-la-palabrahtml

httpevos4rdwordpresscomauthorevos4rdpage2

httpswwwfacebookcompenetretiontestingblogger

httpwwwflickrcomphotoshelloimchloe5620821061

httpwwwflickrcomphotossebastian_bergmann3991540987

httpgeniuscountrycomassets2011i-just-want-to-say-one-word-to-you-data

httpiappsoftscomamrutvahini-institute-of-management-and-business-administrationhtml

httpinfocenterarmcomhelpindexjsptopic=comarmdocdui0414ckRP_code_view_The_disassembly_viewhtml

httpwwwinformitcomstoresecure-coding-in-c-and-c-plus-plus-9780321335722

httpwwwinnovategycomhtmlstrategieworkshophtml

httpwwwisacaorgJournalPast-Issues2008Volume-3PagesJOnline-Role-Engineering-The-Cornerstone-of-RBAC1aspx

httpjavakenai-devcognisyncnetpubatoday20060817code-reviewshtml

httpwwwkinokuniyacojpfdsg-02-9780071626750

httplurkerfaqscomboards8-gamefaqs-contests60380480

httpmadchuckleblogspotca201004just-what-is-python-my-initial-thoughtshtml

httpwwwmaxitcomauportfolio-viewcustom-software-design-architecture-3

httpwwwmindfiresolutionscomperl-developmenthtm

httpwwwmyotherpcisacloudcompage=11

httpwwwphidgetscomdocsLanguage_-_CC++

httprebootblueprintcom7-healthy-no-fap-replacement-habits

httpwwwronpaulforumscomshowthreadphp331019-Supervoter-Bomb-envelope-design-need-input

httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia

httpwwwsecurecodingorg

httpwwwselectinternetcoukhtmlbackuphtml

httpseravofi2013javascript-the-winning-style

httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml

httpsoftbukarusoftscreens-IDA-Prohtml

httpwwwsoftwaresecuritysolutionscomlayered-securityhtml

httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions

httpturbotoddwordpresscom201303

httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01

httpxkcdcom327

httpzheronelitwordpresscomcategoryc-source-codes

Page 16: Secure development of code

ldquoNeed-to knowrdquo principle

Access should be restricted

High clearance should be allowed only for a limited time

Reduces the impact an attacker can have and reduces the possibility

of attacks

KEY CODING PRINCIPLES ndash LEAST PRIVILEGE

Complex systems have more surface

area for attack

Complexity creates errors

Complexity demands more resources

KEY CODING PRINCIPLES ndash KEEP IT SIMPLE

Input from external parties can be very dangerous

Every company should have a set of policies on handling input

Reduced risk of malicious data causing damage

KEY CODING PRINCIPLES ndash VALIDATING INPUT

A good system should have multiple

layers of security

More layers of security means more

trouble for an attacker

Helps mitigate insecure coding issues

KEY CODING PRINCIPLES ndashDEFENSE IN DEPTH

Manual Code Review

Penetration Testing

Static Analysis

Dynamic Analysis

SECURE CODE ANALYSIS

Software designers and programmers examine source code quality

Expensive labor intensive and highly effective

More than 75 of faults are found through this method

SECURE CODE ANALYSIS ndash MANUAL CODE REVIEW

Overt penetration testing has the pseudo-attacker working with the organization

Covert penetration testing is a simulated attackwithout the knowledge of most of theorganization

Overt testing is effective for finding faults butineffective at testing incident response andattack detection

Covert testing does test the organizations ability to respond to attacks but is very time consuming and costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

White box testing gives the pseudo-

attacker full access to the organizations

structure and defenses

It is cost effective and less like real life

Black box testing gives the pseudo-

attacker little to no information

It simulates real life well but is very costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

A tool meant for analyzing the

executable program rather than the

source code

Covers a wide scope not user-

friendly many false positives

SECURE CODE ANALYSIS ndash STATIC ANALYSIS

Analyzes the program behavior

while it is running

Precise and valid results

SECURE CODE ANALYSIS ndash DYNAMIC ANALYSIS

CONCLUSION

Importance of source code and secure development

Common coding errors

Key coding principles

Secure code analysis


Page 17: Secure development of code

Complex systems have more surface area for attack

Complexity creates errors

Complexity demands more resources

KEY CODING PRINCIPLES – KEEP IT SIMPLE

Input from external parties can be very dangerous

Every company should have a set of policies on handling input

Reduced risk of malicious data causing damage

KEY CODING PRINCIPLES – VALIDATING INPUT
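What "a set of policies on handling input" looks like in code, as an added example that is not part of the deck: an allowlist schema applied to one record received from an external party. The field names, limits and patterns in SCHEMA and the sample records are assumptions made for this illustration; the point is the shape of the policy (canonicalize, then reject everything not explicitly allowed, including unknown fields), not the specific fields.

```python
import re
import unicodedata

# Allowlist policy for one record submitted by an external party.
# Field names and limits are assumptions made for this example.
SCHEMA = {
    "username": {"type": str, "pattern": re.compile(r"\A[a-z][a-z0-9_]{2,31}\Z")},
    "age": {"type": int, "min": 0, "max": 150},
    "email": {"type": str, "max_len": 254,
              "pattern": re.compile(r"\A[^@\s]{1,64}@[^@\s]+\.[^@\s]+\Z")},
}


def validate_record(raw):
    """Apply the policy to one untrusted record.

    Returns (clean, errors): clean is the normalized record when every field
    passed, otherwise None. Anything the policy does not explicitly allow is
    rejected, including fields the schema never mentions.
    """
    if not isinstance(raw, dict):
        return None, ["record must be an object"]
    errors = []
    for key in raw:
        if key not in SCHEMA:
            errors.append(f"unexpected field: {key}")
    clean = {}
    for name, rule in SCHEMA.items():
        if name not in raw:
            errors.append(f"missing field: {name}")
            continue
        value = raw[name]
        # bool is a subclass of int in Python; an integer policy must not accept True/False
        if isinstance(value, bool) or not isinstance(value, rule["type"]):
            errors.append(f"{name}: wrong type")
            continue
        if isinstance(value, str):
            # canonicalize first so look-alike Unicode forms cannot slip past the pattern
            value = unicodedata.normalize("NFKC", value).strip()
            if any(ord(ch) < 32 or ch == "\x7f" for ch in value):
                errors.append(f"{name}: control characters not allowed")
                continue
            if len(value) > rule.get("max_len", 256):
                errors.append(f"{name}: too long")
                continue
            if not rule["pattern"].match(value):
                errors.append(f"{name}: does not match policy")
                continue
        else:
            if not rule["min"] <= value <= rule["max"]:
                errors.append(f"{name}: out of range")
                continue
        clean[name] = value
    return (clean, []) if not errors else (None, errors)


# Constructed sample records for the demonstration.
GOOD_RECORD = {"username": "alice_01", "age": 34, "email": "alice@example.com"}
BAD_RECORD = {
    "username": "alice' OR 1=1 --",  # data that would alter a concatenated SQL statement
    "age": "34",                     # right digits, wrong type
    "email": "alice@example.com",
    "role": "admin",                 # field the policy never allowed
}

if __name__ == "__main__":
    print(validate_record(GOOD_RECORD))
    print(validate_record(BAD_RECORD))
```

Two design choices worth noting: normalization happens before the pattern check, so a full-width "ａ" is accepted as a plain "a" rather than treated as a different character the regex never saw; and the validator returns every violation rather than stopping at the first, which makes the rejection log useful for detection without leaking anything about the policy that the submitter could not already infer.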

A good system should have multiple layers of security

More layers of security means more trouble for an attacker

Helps mitigate insecure coding issues

KEY CODING PRINCIPLES – DEFENSE IN DEPTH
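The slide says layers "help mitigate insecure coding issues"; the added example below (not from the deck) makes that concrete with three independent layers around one database lookup: an input allowlist, parameter binding, and a read-only connection. The demo then breaks layer 1 on purpose to show that the same input is still stopped by layer 2, and that even a write issued by buggy code is stopped by layer 3. The table layout, the identifier pattern and the sample input are assumptions made for this illustration.

```python
import re
import sqlite3

# Layer 1: input policy. Assumed format for this example: short lowercase identifiers only.
NAME_RE = re.compile(r"\A[a-z][a-z0-9_]{2,31}\Z")


def setup_db():
    """Constructed in-memory table standing in for a real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


def layer1_validate(name):
    """Reject anything outside the allowlist before it reaches the database."""
    return isinstance(name, str) and NAME_RE.match(name) is not None


def layer2_lookup(conn, name):
    """Parameter binding: the value travels as data, so even text that layer 1
    wrongly let through cannot change the structure of the statement."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def layer3_read_only(conn):
    """Least privilege for the connection the lookup code uses: SQLite refuses
    writes on it, so a flaw in the layers above cannot modify or destroy data."""
    conn.execute("PRAGMA query_only = 1")


def lookup(conn, name, validation_bug=False):
    """Full request path. validation_bug=True simulates layer 1 being broken so that
    the next layer is the one under test."""
    if not validation_bug and not layer1_validate(name):
        return "rejected_by_validation", []
    return "ok", layer2_lookup(conn, name)


def demo():
    conn = setup_db()
    layer3_read_only(conn)
    # Constructed input that would alter a statement built by string concatenation.
    hostile = "bob' OR 'a'='a"
    status1, _ = lookup(conn, hostile)                           # stopped at layer 1
    status2, rows2 = lookup(conn, hostile, validation_bug=True)  # stopped at layer 2
    try:                                                         # stopped at layer 3
        conn.execute("DELETE FROM users")
        write_blocked = False
    except sqlite3.OperationalError:
        write_blocked = True
    remaining = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    return {
        "layer1": status1,
        "layer2_status": status2,
        "layer2_rows": rows2,
        "write_blocked": write_blocked,
        "rows_remaining": remaining,
    }


if __name__ == "__main__":
    print(demo())
```

Each layer is worth having on its own, but the value of stacking them is that no single coding mistake is fatal: the validator can have a gap, the query can be parameterized, and the account the code runs under can still be unable to delete anything.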

Manual Code Review

Penetration Testing

Static Analysis

Dynamic Analysis

SECURE CODE ANALYSIS

Software designers and programmers examine source code quality

Expensive labor intensive and highly effective

More than 75 of faults are found through this method

SECURE CODE ANALYSIS ndash MANUAL CODE REVIEW

Overt penetration testing has the pseudo-attacker working with the organization

Covert penetration testing is a simulated attackwithout the knowledge of most of theorganization

Overt testing is effective for finding faults butineffective at testing incident response andattack detection

Covert testing does test the organizations ability to respond to attacks but is very time consuming and costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

White box testing gives the pseudo-

attacker full access to the organizations

structure and defenses

It is cost effective and less like real life

Black box testing gives the pseudo-

attacker little to no information

It simulates real life well but is very costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

A tool meant for analyzing the

executable program rather than the

source code

Covers a wide scope not user-

friendly many false positives

SECURE CODE ANALYSIS ndash STATIC ANALYSIS

Analyzes the program behavior

while it is running

Precise and valid results

SECURE CODE ANALYSIS ndash DYNAMIC ANALYSIS

CONCLUSION

Importance of source code and secure development

Common coding errors

Key coding principles

Secure code analysis

REFERENCES FOR PICTURES

httpavi72livejournalcom3018html

httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp

httpchem-manufacturingcomprogram

httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml

httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos

httpcyrilwangpixnetnetblogpost32220475-5BE68A80E8A193E58886E4BAAB5D-E794A8E4BA86E58F83E695B8E58C96E69FA5E8A9A2E5B0B1E58FAFE4BBA5E5B08D-sql-injecti

httpwwwdanmcinfohigh-availability

httpwwwdreamworldprojectinfouncategorizedtypes-of-computer-software

httpeasysolution4youblogspotca201305insall-turbocpp-onwindows8-fullscreenhtml

httpwwwehackingnewscomsearchlabelReverse20Engineering

httpsenwikipediaorgwikiFileVisualBasicLogogif

httpenwikipediaorgwikiOperation_Aurora

httpes123rfcomphoto_5980477_letras-del-teclado-de-la-computadora-alrededor-de-la-integridad-de-la-palabrahtml

httpevos4rdwordpresscomauthorevos4rdpage2

httpswwwfacebookcompenetretiontestingblogger

httpwwwflickrcomphotoshelloimchloe5620821061

httpwwwflickrcomphotossebastian_bergmann3991540987

httpgeniuscountrycomassets2011i-just-want-to-say-one-word-to-you-data

httpiappsoftscomamrutvahini-institute-of-management-and-business-administrationhtml

httpinfocenterarmcomhelpindexjsptopic=comarmdocdui0414ckRP_code_view_The_disassembly_viewhtml

httpwwwinformitcomstoresecure-coding-in-c-and-c-plus-plus-9780321335722

httpwwwinnovategycomhtmlstrategieworkshophtml

httpwwwisacaorgJournalPast-Issues2008Volume-3PagesJOnline-Role-Engineering-The-Cornerstone-of-RBAC1aspx

httpjavakenai-devcognisyncnetpubatoday20060817code-reviewshtml

httpwwwkinokuniyacojpfdsg-02-9780071626750

httplurkerfaqscomboards8-gamefaqs-contests60380480

httpmadchuckleblogspotca201004just-what-is-python-my-initial-thoughtshtml

httpwwwmaxitcomauportfolio-viewcustom-software-design-architecture-3

httpwwwmindfiresolutionscomperl-developmenthtm

httpwwwmyotherpcisacloudcompage=11

httpwwwphidgetscomdocsLanguage_-_CC++

httprebootblueprintcom7-healthy-no-fap-replacement-habits

httpwwwronpaulforumscomshowthreadphp331019-Supervoter-Bomb-envelope-design-need-input

httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia

httpwwwsecurecodingorg

httpwwwselectinternetcoukhtmlbackuphtml

httpseravofi2013javascript-the-winning-style

httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml

httpsoftbukarusoftscreens-IDA-Prohtml

httpwwwsoftwaresecuritysolutionscomlayered-securityhtml

httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions

httpturbotoddwordpresscom201303

httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01

httpxkcdcom327

httpzheronelitwordpresscomcategoryc-source-codes

Page 18: Secure development of code

Input from external parties can be very dangerous

Every company should have a set of policies on handling input

Reduced risk of malicious data causing damage

KEY CODING PRINCIPLES ndash VALIDATING INPUT

A good system should have multiple

layers of security

More layers of security means more

trouble for an attacker

Helps mitigate insecure coding issues

KEY CODING PRINCIPLES ndashDEFENSE IN DEPTH

Manual Code Review

Penetration Testing

Static Analysis

Dynamic Analysis

SECURE CODE ANALYSIS

Software designers and programmers examine source code quality

Expensive labor intensive and highly effective

More than 75 of faults are found through this method

SECURE CODE ANALYSIS ndash MANUAL CODE REVIEW

Overt penetration testing has the pseudo-attacker working with the organization

Covert penetration testing is a simulated attackwithout the knowledge of most of theorganization

Overt testing is effective for finding faults butineffective at testing incident response andattack detection

Covert testing does test the organizations ability to respond to attacks but is very time consuming and costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

White box testing gives the pseudo-

attacker full access to the organizations

structure and defenses

It is cost effective and less like real life

Black box testing gives the pseudo-

attacker little to no information

It simulates real life well but is very costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

A tool meant for analyzing the

executable program rather than the

source code

Covers a wide scope not user-

friendly many false positives

SECURE CODE ANALYSIS ndash STATIC ANALYSIS

Analyzes the program behavior

while it is running

Precise and valid results

SECURE CODE ANALYSIS ndash DYNAMIC ANALYSIS

CONCLUSION

Importance of source code and secure development

Common coding errors

Key coding principles

Secure code analysis

REFERENCES FOR PICTURES

httpavi72livejournalcom3018html

httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp

httpchem-manufacturingcomprogram

httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml

httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos

httpcyrilwangpixnetnetblogpost32220475-5BE68A80E8A193E58886E4BAAB5D-E794A8E4BA86E58F83E695B8E58C96E69FA5E8A9A2E5B0B1E58FAFE4BBA5E5B08D-sql-injecti

httpwwwdanmcinfohigh-availability

httpwwwdreamworldprojectinfouncategorizedtypes-of-computer-software

httpeasysolution4youblogspotca201305insall-turbocpp-onwindows8-fullscreenhtml

httpwwwehackingnewscomsearchlabelReverse20Engineering

httpsenwikipediaorgwikiFileVisualBasicLogogif

httpenwikipediaorgwikiOperation_Aurora

httpes123rfcomphoto_5980477_letras-del-teclado-de-la-computadora-alrededor-de-la-integridad-de-la-palabrahtml

httpevos4rdwordpresscomauthorevos4rdpage2

httpswwwfacebookcompenetretiontestingblogger

httpwwwflickrcomphotoshelloimchloe5620821061

httpwwwflickrcomphotossebastian_bergmann3991540987

httpgeniuscountrycomassets2011i-just-want-to-say-one-word-to-you-data

httpiappsoftscomamrutvahini-institute-of-management-and-business-administrationhtml

httpinfocenterarmcomhelpindexjsptopic=comarmdocdui0414ckRP_code_view_The_disassembly_viewhtml

httpwwwinformitcomstoresecure-coding-in-c-and-c-plus-plus-9780321335722

httpwwwinnovategycomhtmlstrategieworkshophtml

httpwwwisacaorgJournalPast-Issues2008Volume-3PagesJOnline-Role-Engineering-The-Cornerstone-of-RBAC1aspx

httpjavakenai-devcognisyncnetpubatoday20060817code-reviewshtml

httpwwwkinokuniyacojpfdsg-02-9780071626750

httplurkerfaqscomboards8-gamefaqs-contests60380480

httpmadchuckleblogspotca201004just-what-is-python-my-initial-thoughtshtml

httpwwwmaxitcomauportfolio-viewcustom-software-design-architecture-3

httpwwwmindfiresolutionscomperl-developmenthtm

httpwwwmyotherpcisacloudcompage=11

httpwwwphidgetscomdocsLanguage_-_CC++

httprebootblueprintcom7-healthy-no-fap-replacement-habits

httpwwwronpaulforumscomshowthreadphp331019-Supervoter-Bomb-envelope-design-need-input

httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia

httpwwwsecurecodingorg

httpwwwselectinternetcoukhtmlbackuphtml

httpseravofi2013javascript-the-winning-style

httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml

httpsoftbukarusoftscreens-IDA-Prohtml

httpwwwsoftwaresecuritysolutionscomlayered-securityhtml

httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions

httpturbotoddwordpresscom201303

httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01

httpxkcdcom327

httpzheronelitwordpresscomcategoryc-source-codes

Page 19: Secure development of code

A good system should have multiple

layers of security

More layers of security means more

trouble for an attacker

Helps mitigate insecure coding issues

KEY CODING PRINCIPLES ndashDEFENSE IN DEPTH

Manual Code Review

Penetration Testing

Static Analysis

Dynamic Analysis

SECURE CODE ANALYSIS

Software designers and programmers examine source code quality

Expensive labor intensive and highly effective

More than 75 of faults are found through this method

SECURE CODE ANALYSIS ndash MANUAL CODE REVIEW

Overt penetration testing has the pseudo-attacker working with the organization

Covert penetration testing is a simulated attackwithout the knowledge of most of theorganization

Overt testing is effective for finding faults butineffective at testing incident response andattack detection

Covert testing does test the organizations ability to respond to attacks but is very time consuming and costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

White box testing gives the pseudo-

attacker full access to the organizations

structure and defenses

It is cost effective and less like real life

Black box testing gives the pseudo-

attacker little to no information

It simulates real life well but is very costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

A tool meant for analyzing the

executable program rather than the

source code

Covers a wide scope not user-

friendly many false positives

SECURE CODE ANALYSIS ndash STATIC ANALYSIS

Analyzes the program behavior

while it is running

Precise and valid results

SECURE CODE ANALYSIS ndash DYNAMIC ANALYSIS

CONCLUSION

Importance of source code and secure development

Common coding errors

Key coding principles

Secure code analysis

REFERENCES FOR PICTURES

httpavi72livejournalcom3018html

httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp

httpchem-manufacturingcomprogram

httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml

httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos

httpcyrilwangpixnetnetblogpost32220475-5BE68A80E8A193E58886E4BAAB5D-E794A8E4BA86E58F83E695B8E58C96E69FA5E8A9A2E5B0B1E58FAFE4BBA5E5B08D-sql-injecti

httpwwwdanmcinfohigh-availability

httpwwwdreamworldprojectinfouncategorizedtypes-of-computer-software

httpeasysolution4youblogspotca201305insall-turbocpp-onwindows8-fullscreenhtml

httpwwwehackingnewscomsearchlabelReverse20Engineering

httpsenwikipediaorgwikiFileVisualBasicLogogif

httpenwikipediaorgwikiOperation_Aurora

httpes123rfcomphoto_5980477_letras-del-teclado-de-la-computadora-alrededor-de-la-integridad-de-la-palabrahtml

httpevos4rdwordpresscomauthorevos4rdpage2

httpswwwfacebookcompenetretiontestingblogger

httpwwwflickrcomphotoshelloimchloe5620821061

httpwwwflickrcomphotossebastian_bergmann3991540987

httpgeniuscountrycomassets2011i-just-want-to-say-one-word-to-you-data

httpiappsoftscomamrutvahini-institute-of-management-and-business-administrationhtml

httpinfocenterarmcomhelpindexjsptopic=comarmdocdui0414ckRP_code_view_The_disassembly_viewhtml

httpwwwinformitcomstoresecure-coding-in-c-and-c-plus-plus-9780321335722

httpwwwinnovategycomhtmlstrategieworkshophtml

httpwwwisacaorgJournalPast-Issues2008Volume-3PagesJOnline-Role-Engineering-The-Cornerstone-of-RBAC1aspx

httpjavakenai-devcognisyncnetpubatoday20060817code-reviewshtml

httpwwwkinokuniyacojpfdsg-02-9780071626750

httplurkerfaqscomboards8-gamefaqs-contests60380480

httpmadchuckleblogspotca201004just-what-is-python-my-initial-thoughtshtml

httpwwwmaxitcomauportfolio-viewcustom-software-design-architecture-3

httpwwwmindfiresolutionscomperl-developmenthtm

httpwwwmyotherpcisacloudcompage=11

httpwwwphidgetscomdocsLanguage_-_CC++

httprebootblueprintcom7-healthy-no-fap-replacement-habits

httpwwwronpaulforumscomshowthreadphp331019-Supervoter-Bomb-envelope-design-need-input

httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia

httpwwwsecurecodingorg

httpwwwselectinternetcoukhtmlbackuphtml

httpseravofi2013javascript-the-winning-style

httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml

httpsoftbukarusoftscreens-IDA-Prohtml

httpwwwsoftwaresecuritysolutionscomlayered-securityhtml

httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions

httpturbotoddwordpresscom201303

httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01

httpxkcdcom327

httpzheronelitwordpresscomcategoryc-source-codes

Page 20: Secure development of code

Manual Code Review

Penetration Testing

Static Analysis

Dynamic Analysis

SECURE CODE ANALYSIS

Software designers and programmers examine source code quality

Expensive labor intensive and highly effective

More than 75 of faults are found through this method

SECURE CODE ANALYSIS ndash MANUAL CODE REVIEW

Overt penetration testing has the pseudo-attacker working with the organization

Covert penetration testing is a simulated attackwithout the knowledge of most of theorganization

Overt testing is effective for finding faults butineffective at testing incident response andattack detection

Covert testing does test the organizations ability to respond to attacks but is very time consuming and costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

White box testing gives the pseudo-

attacker full access to the organizations

structure and defenses

It is cost effective and less like real life

Black box testing gives the pseudo-

attacker little to no information

It simulates real life well but is very costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

A tool meant for analyzing the

executable program rather than the

source code

Covers a wide scope not user-

friendly many false positives

SECURE CODE ANALYSIS ndash STATIC ANALYSIS

Analyzes the program behavior

while it is running

Precise and valid results

SECURE CODE ANALYSIS ndash DYNAMIC ANALYSIS

CONCLUSION

Importance of source code and secure development

Common coding errors

Key coding principles

Secure code analysis

REFERENCES FOR PICTURES

httpavi72livejournalcom3018html

httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp

httpchem-manufacturingcomprogram

httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml

httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos

httpcyrilwangpixnetnetblogpost32220475-5BE68A80E8A193E58886E4BAAB5D-E794A8E4BA86E58F83E695B8E58C96E69FA5E8A9A2E5B0B1E58FAFE4BBA5E5B08D-sql-injecti

httpwwwdanmcinfohigh-availability

httpwwwdreamworldprojectinfouncategorizedtypes-of-computer-software

httpeasysolution4youblogspotca201305insall-turbocpp-onwindows8-fullscreenhtml

httpwwwehackingnewscomsearchlabelReverse20Engineering

httpsenwikipediaorgwikiFileVisualBasicLogogif

httpenwikipediaorgwikiOperation_Aurora

httpes123rfcomphoto_5980477_letras-del-teclado-de-la-computadora-alrededor-de-la-integridad-de-la-palabrahtml

httpevos4rdwordpresscomauthorevos4rdpage2

httpswwwfacebookcompenetretiontestingblogger

httpwwwflickrcomphotoshelloimchloe5620821061

httpwwwflickrcomphotossebastian_bergmann3991540987

httpgeniuscountrycomassets2011i-just-want-to-say-one-word-to-you-data

httpiappsoftscomamrutvahini-institute-of-management-and-business-administrationhtml

httpinfocenterarmcomhelpindexjsptopic=comarmdocdui0414ckRP_code_view_The_disassembly_viewhtml

httpwwwinformitcomstoresecure-coding-in-c-and-c-plus-plus-9780321335722

httpwwwinnovategycomhtmlstrategieworkshophtml

httpwwwisacaorgJournalPast-Issues2008Volume-3PagesJOnline-Role-Engineering-The-Cornerstone-of-RBAC1aspx

httpjavakenai-devcognisyncnetpubatoday20060817code-reviewshtml

httpwwwkinokuniyacojpfdsg-02-9780071626750

httplurkerfaqscomboards8-gamefaqs-contests60380480

httpmadchuckleblogspotca201004just-what-is-python-my-initial-thoughtshtml

httpwwwmaxitcomauportfolio-viewcustom-software-design-architecture-3

httpwwwmindfiresolutionscomperl-developmenthtm

httpwwwmyotherpcisacloudcompage=11

httpwwwphidgetscomdocsLanguage_-_CC++

httprebootblueprintcom7-healthy-no-fap-replacement-habits

httpwwwronpaulforumscomshowthreadphp331019-Supervoter-Bomb-envelope-design-need-input

httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia

httpwwwsecurecodingorg

httpwwwselectinternetcoukhtmlbackuphtml

httpseravofi2013javascript-the-winning-style

httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml

httpsoftbukarusoftscreens-IDA-Prohtml

httpwwwsoftwaresecuritysolutionscomlayered-securityhtml

httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions

httpturbotoddwordpresscom201303

httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01

httpxkcdcom327

httpzheronelitwordpresscomcategoryc-source-codes

Page 21: Secure development of code

Software designers and programmers examine source code quality

Expensive labor intensive and highly effective

More than 75 of faults are found through this method

SECURE CODE ANALYSIS ndash MANUAL CODE REVIEW

Overt penetration testing has the pseudo-attacker working with the organization

Covert penetration testing is a simulated attackwithout the knowledge of most of theorganization

Overt testing is effective for finding faults butineffective at testing incident response andattack detection

Covert testing does test the organizations ability to respond to attacks but is very time consuming and costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

White box testing gives the pseudo-

attacker full access to the organizations

structure and defenses

It is cost effective and less like real life

Black box testing gives the pseudo-

attacker little to no information

It simulates real life well but is very costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

A tool meant for analyzing the

executable program rather than the

source code

Covers a wide scope not user-

friendly many false positives

SECURE CODE ANALYSIS ndash STATIC ANALYSIS

Analyzes the program behavior

while it is running

Precise and valid results

SECURE CODE ANALYSIS ndash DYNAMIC ANALYSIS

CONCLUSION

Importance of source code and secure development

Common coding errors

Key coding principles

Secure code analysis

REFERENCES FOR PICTURES

httpavi72livejournalcom3018html

httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp

httpchem-manufacturingcomprogram

httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml

httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos

httpcyrilwangpixnetnetblogpost32220475-5BE68A80E8A193E58886E4BAAB5D-E794A8E4BA86E58F83E695B8E58C96E69FA5E8A9A2E5B0B1E58FAFE4BBA5E5B08D-sql-injecti

httpwwwdanmcinfohigh-availability

httpwwwdreamworldprojectinfouncategorizedtypes-of-computer-software

httpeasysolution4youblogspotca201305insall-turbocpp-onwindows8-fullscreenhtml

httpwwwehackingnewscomsearchlabelReverse20Engineering

httpsenwikipediaorgwikiFileVisualBasicLogogif

httpenwikipediaorgwikiOperation_Aurora

httpes123rfcomphoto_5980477_letras-del-teclado-de-la-computadora-alrededor-de-la-integridad-de-la-palabrahtml

httpevos4rdwordpresscomauthorevos4rdpage2

httpswwwfacebookcompenetretiontestingblogger

httpwwwflickrcomphotoshelloimchloe5620821061

httpwwwflickrcomphotossebastian_bergmann3991540987

httpgeniuscountrycomassets2011i-just-want-to-say-one-word-to-you-data

httpiappsoftscomamrutvahini-institute-of-management-and-business-administrationhtml

httpinfocenterarmcomhelpindexjsptopic=comarmdocdui0414ckRP_code_view_The_disassembly_viewhtml

httpwwwinformitcomstoresecure-coding-in-c-and-c-plus-plus-9780321335722

httpwwwinnovategycomhtmlstrategieworkshophtml

httpwwwisacaorgJournalPast-Issues2008Volume-3PagesJOnline-Role-Engineering-The-Cornerstone-of-RBAC1aspx

httpjavakenai-devcognisyncnetpubatoday20060817code-reviewshtml

httpwwwkinokuniyacojpfdsg-02-9780071626750

httplurkerfaqscomboards8-gamefaqs-contests60380480

httpmadchuckleblogspotca201004just-what-is-python-my-initial-thoughtshtml

httpwwwmaxitcomauportfolio-viewcustom-software-design-architecture-3

httpwwwmindfiresolutionscomperl-developmenthtm

httpwwwmyotherpcisacloudcompage=11

httpwwwphidgetscomdocsLanguage_-_CC++

httprebootblueprintcom7-healthy-no-fap-replacement-habits

httpwwwronpaulforumscomshowthreadphp331019-Supervoter-Bomb-envelope-design-need-input

httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia

httpwwwsecurecodingorg

httpwwwselectinternetcoukhtmlbackuphtml

httpseravofi2013javascript-the-winning-style

httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml

httpsoftbukarusoftscreens-IDA-Prohtml

httpwwwsoftwaresecuritysolutionscomlayered-securityhtml

httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions

httpturbotoddwordpresscom201303

httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01

httpxkcdcom327

httpzheronelitwordpresscomcategoryc-source-codes

Page 22: Secure development of code

Overt penetration testing has the pseudo-attacker working with the organization

Covert penetration testing is a simulated attackwithout the knowledge of most of theorganization

Overt testing is effective for finding faults butineffective at testing incident response andattack detection

Covert testing does test the organizations ability to respond to attacks but is very time consuming and costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

White box testing gives the pseudo-

attacker full access to the organizations

structure and defenses

It is cost effective and less like real life

Black box testing gives the pseudo-

attacker little to no information

It simulates real life well but is very costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

A tool meant for analyzing the

executable program rather than the

source code

Covers a wide scope not user-

friendly many false positives

SECURE CODE ANALYSIS ndash STATIC ANALYSIS

Analyzes the program behavior

while it is running

Precise and valid results

SECURE CODE ANALYSIS ndash DYNAMIC ANALYSIS

CONCLUSION

Importance of source code and secure development

Common coding errors

Key coding principles

Secure code analysis

REFERENCES FOR PICTURES

httpavi72livejournalcom3018html

httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp

httpchem-manufacturingcomprogram

httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml

httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos

httpcyrilwangpixnetnetblogpost32220475-5BE68A80E8A193E58886E4BAAB5D-E794A8E4BA86E58F83E695B8E58C96E69FA5E8A9A2E5B0B1E58FAFE4BBA5E5B08D-sql-injecti

httpwwwdanmcinfohigh-availability

httpwwwdreamworldprojectinfouncategorizedtypes-of-computer-software

httpeasysolution4youblogspotca201305insall-turbocpp-onwindows8-fullscreenhtml

httpwwwehackingnewscomsearchlabelReverse20Engineering

httpsenwikipediaorgwikiFileVisualBasicLogogif

httpenwikipediaorgwikiOperation_Aurora

httpes123rfcomphoto_5980477_letras-del-teclado-de-la-computadora-alrededor-de-la-integridad-de-la-palabrahtml

httpevos4rdwordpresscomauthorevos4rdpage2

httpswwwfacebookcompenetretiontestingblogger

httpwwwflickrcomphotoshelloimchloe5620821061

httpwwwflickrcomphotossebastian_bergmann3991540987

httpgeniuscountrycomassets2011i-just-want-to-say-one-word-to-you-data

httpiappsoftscomamrutvahini-institute-of-management-and-business-administrationhtml

httpinfocenterarmcomhelpindexjsptopic=comarmdocdui0414ckRP_code_view_The_disassembly_viewhtml

httpwwwinformitcomstoresecure-coding-in-c-and-c-plus-plus-9780321335722

httpwwwinnovategycomhtmlstrategieworkshophtml

httpwwwisacaorgJournalPast-Issues2008Volume-3PagesJOnline-Role-Engineering-The-Cornerstone-of-RBAC1aspx

httpjavakenai-devcognisyncnetpubatoday20060817code-reviewshtml

httpwwwkinokuniyacojpfdsg-02-9780071626750

httplurkerfaqscomboards8-gamefaqs-contests60380480

httpmadchuckleblogspotca201004just-what-is-python-my-initial-thoughtshtml

httpwwwmaxitcomauportfolio-viewcustom-software-design-architecture-3

httpwwwmindfiresolutionscomperl-developmenthtm

httpwwwmyotherpcisacloudcompage=11

httpwwwphidgetscomdocsLanguage_-_CC++

httprebootblueprintcom7-healthy-no-fap-replacement-habits

httpwwwronpaulforumscomshowthreadphp331019-Supervoter-Bomb-envelope-design-need-input

httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia

httpwwwsecurecodingorg

httpwwwselectinternetcoukhtmlbackuphtml

httpseravofi2013javascript-the-winning-style

httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml

httpsoftbukarusoftscreens-IDA-Prohtml

httpwwwsoftwaresecuritysolutionscomlayered-securityhtml

httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions

httpturbotoddwordpresscom201303

httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01

httpxkcdcom327

httpzheronelitwordpresscomcategoryc-source-codes

Page 23: Secure development of code

White box testing gives the pseudo-

attacker full access to the organizations

structure and defenses

It is cost effective and less like real life

Black box testing gives the pseudo-

attacker little to no information

It simulates real life well but is very costly

SECURE CODE ANALYSIS ndash PENETRATION TESTING

A tool meant for analyzing the

executable program rather than the

source code

Covers a wide scope not user-

friendly many false positives

SECURE CODE ANALYSIS ndash STATIC ANALYSIS

Analyzes the program behavior

while it is running

Precise and valid results

SECURE CODE ANALYSIS ndash DYNAMIC ANALYSIS

CONCLUSION

Importance of source code and secure development

Common coding errors

Key coding principles

Secure code analysis

REFERENCES FOR PICTURES

httpavi72livejournalcom3018html

httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp

httpchem-manufacturingcomprogram

httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml

httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos


Page 24: Secure development of code

SECURE CODE ANALYSIS – STATIC ANALYSIS

A tool meant for analyzing the executable program rather than the source code

Covers a wide scope

Not user-friendly

Many false positives


Page 25: Secure development of code

SECURE CODE ANALYSIS – DYNAMIC ANALYSIS

Analyzes the program behavior while it is running

Precise and valid results
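The two slides above contrast the wide scope and false positives of static analysis with the precise results of dynamic analysis. The following is an added example, not code from the original deck, that runs both kinds of check over one small constructed Python program: three database helpers, one with a real SQL injection flaw, one that binds its parameter correctly, and one that only looks unsafe. The static pass walks the syntax tree with Python's `ast` module and flags every `.execute()` whose SQL text is assembled at runtime; it cannot tell a module constant from user input, so it reports the harmless helper as well. The dynamic pass runs each helper against an in-memory SQLite database with a sentinel string standing in for attacker-controlled input (an assumed technique for this illustration) and reports only the helper whose SQL text, as seen by the driver, actually contains the sentinel. The sample source, the function names and the sentinel value are all constructed for this example.

```python
import ast
import inspect
import sqlite3
import textwrap

# Constructed sample program under analysis (not from the original deck):
# three database helpers, one vulnerable, one safe, one that only looks unsafe.
SAMPLE_SOURCE = textwrap.dedent('''
    TABLE = "users"   # module constant, never attacker-controlled

    def lookup_unsafe(db, name):
        # vulnerable: user input is spliced into the SQL text
        return db.execute("SELECT id FROM users WHERE name = '%s'" % name).fetchall()

    def lookup_safe(db, name):
        # correct: user input travels as a bound parameter
        return db.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()

    def count_rows(db):
        # static false positive: an f-string, but only a constant reaches the SQL
        return db.execute(f"SELECT COUNT(*) FROM {TABLE}").fetchall()
''')


def _built_at_runtime(node):
    """True if the SQL argument is assembled with %, +, .format() or an f-string."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def static_findings(source):
    """Static analysis: (function, line) of every .execute() whose SQL is built at runtime.
    Wide coverage without running anything, but it cannot tell a constant from user input."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        for node in ast.walk(func):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "execute" and node.args
                    and _built_at_runtime(node.args[0])):
                findings.append((func.name, node.lineno))
    return findings


class RecordingDB:
    """In-memory SQLite wrapper that records every SQL text handed to the driver."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
        self.conn.execute("INSERT INTO users VALUES (1, 'alice')")
        self.log = []

    def execute(self, sql, params=()):
        self.log.append(sql)          # bound parameters are deliberately not logged
        return self.conn.execute(sql, params)


SENTINEL = "zz_sentinel_zz"           # constructed stand-in for attacker-controlled input


def dynamic_findings(source):
    """Dynamic analysis: run each helper with the sentinel as user input and report
    the ones whose SQL text, as seen by the driver, contains the sentinel verbatim.
    Only code paths that actually execute are covered, but each hit is real."""
    namespace = {}
    exec(compile(source, "<sample>", "exec"), namespace)   # load the constructed sample
    hits = []
    for name, obj in namespace.items():
        if not inspect.isfunction(obj):
            continue
        db = RecordingDB()
        args = (db, SENTINEL) if len(inspect.signature(obj).parameters) == 2 else (db,)
        obj(*args)
        if any(SENTINEL in sql for sql in db.log):
            hits.append(name)
    return hits


if __name__ == "__main__":
    print("static :", static_findings(SAMPLE_SOURCE))    # lookup_unsafe and count_rows
    print("dynamic:", dynamic_findings(SAMPLE_SOURCE))   # lookup_unsafe only
```

The static pass reports two findings and the dynamic pass one: `count_rows` is the false positive the slide warns about, while `lookup_safe` is never reported by either pass because its input only ever reaches the driver as a bound parameter. The dynamic result is precise but only as wide as the inputs exercised, which is why the two techniques are used together rather than as substitutes.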


Page 26: Secure development of code

CONCLUSION

Importance of source code and secure development

Common coding errors

Key coding principles

Secure code analysis


Page 27: Secure development of code

REFERENCES FOR PICTURES

httpavi72livejournalcom3018html

httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp

httpchem-manufacturingcomprogram

httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml

httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos

httpcyrilwangpixnetnetblogpost32220475-5BE68A80E8A193E58886E4BAAB5D-E794A8E4BA86E58F83E695B8E58C96E69FA5E8A9A2E5B0B1E58FAFE4BBA5E5B08D-sql-injecti

httpwwwdanmcinfohigh-availability

httpwwwdreamworldprojectinfouncategorizedtypes-of-computer-software

httpeasysolution4youblogspotca201305insall-turbocpp-onwindows8-fullscreenhtml

httpwwwehackingnewscomsearchlabelReverse20Engineering

httpsenwikipediaorgwikiFileVisualBasicLogogif

httpenwikipediaorgwikiOperation_Aurora

httpes123rfcomphoto_5980477_letras-del-teclado-de-la-computadora-alrededor-de-la-integridad-de-la-palabrahtml

httpevos4rdwordpresscomauthorevos4rdpage2

httpswwwfacebookcompenetretiontestingblogger

httpwwwflickrcomphotoshelloimchloe5620821061

httpwwwflickrcomphotossebastian_bergmann3991540987

httpgeniuscountrycomassets2011i-just-want-to-say-one-word-to-you-data

httpiappsoftscomamrutvahini-institute-of-management-and-business-administrationhtml

httpinfocenterarmcomhelpindexjsptopic=comarmdocdui0414ckRP_code_view_The_disassembly_viewhtml

httpwwwinformitcomstoresecure-coding-in-c-and-c-plus-plus-9780321335722

httpwwwinnovategycomhtmlstrategieworkshophtml

httpwwwisacaorgJournalPast-Issues2008Volume-3PagesJOnline-Role-Engineering-The-Cornerstone-of-RBAC1aspx

httpjavakenai-devcognisyncnetpubatoday20060817code-reviewshtml

httpwwwkinokuniyacojpfdsg-02-9780071626750

httplurkerfaqscomboards8-gamefaqs-contests60380480

httpmadchuckleblogspotca201004just-what-is-python-my-initial-thoughtshtml

httpwwwmaxitcomauportfolio-viewcustom-software-design-architecture-3

httpwwwmindfiresolutionscomperl-developmenthtm

httpwwwmyotherpcisacloudcompage=11

httpwwwphidgetscomdocsLanguage_-_CC++

httprebootblueprintcom7-healthy-no-fap-replacement-habits

httpwwwronpaulforumscomshowthreadphp331019-Supervoter-Bomb-envelope-design-need-input

httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia

httpwwwsecurecodingorg

httpwwwselectinternetcoukhtmlbackuphtml

httpseravofi2013javascript-the-winning-style

httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml

httpsoftbukarusoftscreens-IDA-Prohtml

httpwwwsoftwaresecuritysolutionscomlayered-securityhtml

httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions

httpturbotoddwordpresscom201303

httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01

httpxkcdcom327

httpzheronelitwordpresscomcategoryc-source-codes

Page 28: Secure development of code