simplified security code review - bsidesquebec2013
Software Secured
Simplifying Secure Code Reviews
Sherif [email protected]
BSides Quebec 2013
Monday, 3 June, 13
Security Teams
Development Teams

Bio
2007 2009 2011 2013
Principal Consultant @ SoftwareSecured
✓ Application Security Assessment
✓ Application Security Assurance Program Implementation
✓ Application Security Training
Take Aways
➡ Role of Security Code Review
➡ Effective Process
➡ Simplified Process
➡ Key Tools to Use
What This Presentation is NOT...
➡ Ground Breaking Research
➡ New Tool
➡ How to Fix Vulnerabilities
What IS Security Code Review?
➡ The Inspection of Source Code to Find Security Weaknesses
➡ Integrated Activity into the Software Development Lifecycle
➡ Cross-Team Integration
  ➡ Development Teams
  ➡ Security Teams
  ➡ Project\Risk Management
➡ Systematic Approach to Uncover Security Flaws
Why Security Code Reviews
➡ Effectiveness of Security Controls
➡ Exercise all code paths
➡ All instances of a vulnerability
➡ Find design flaws
➡ Remediation Instructions
Softwar S cur
Effective Security Code Review Process
Monday, 3 June, 13
![Page 22: Simplified security code review - BSidesQuebec2013](https://reader033.vdocuments.net/reader033/viewer/2022051400/54c41ea44a7959e8508b45b3/html5/thumbnails/22.jpg)
Softwar S cur
Effective Security Code Review Process
➡ Reconnaissance
Monday, 3 June, 13
![Page 23: Simplified security code review - BSidesQuebec2013](https://reader033.vdocuments.net/reader033/viewer/2022051400/54c41ea44a7959e8508b45b3/html5/thumbnails/23.jpg)
Softwar S cur
Effective Security Code Review Process
➡ Reconnaissance➡ Threat Modeling
Monday, 3 June, 13
![Page 24: Simplified security code review - BSidesQuebec2013](https://reader033.vdocuments.net/reader033/viewer/2022051400/54c41ea44a7959e8508b45b3/html5/thumbnails/24.jpg)
Softwar S cur
Effective Security Code Review Process
➡ Reconnaissance➡ Threat Modeling➡ Automation
Monday, 3 June, 13
![Page 25: Simplified security code review - BSidesQuebec2013](https://reader033.vdocuments.net/reader033/viewer/2022051400/54c41ea44a7959e8508b45b3/html5/thumbnails/25.jpg)
Softwar S cur
Effective Security Code Review Process
➡ Reconnaissance➡ Threat Modeling➡ Automation➡ Manual Review
Monday, 3 June, 13
![Page 26: Simplified security code review - BSidesQuebec2013](https://reader033.vdocuments.net/reader033/viewer/2022051400/54c41ea44a7959e8508b45b3/html5/thumbnails/26.jpg)
Softwar S cur
Effective Security Code Review Process
➡ Reconnaissance➡ Threat Modeling➡ Automation➡ Manual Review➡ Confirmation & Proof-Of-Concept
Monday, 3 June, 13
![Page 27: Simplified security code review - BSidesQuebec2013](https://reader033.vdocuments.net/reader033/viewer/2022051400/54c41ea44a7959e8508b45b3/html5/thumbnails/27.jpg)
Softwar S cur
Effective Security Code Review Process
➡ Reconnaissance➡ Threat Modeling➡ Automation➡ Manual Review➡ Confirmation & Proof-Of-Concept➡ Reporting
Monday, 3 June, 13
Full SCR Process
➡ Reconnaissance
  • Business Goals
  • Technology Stack
  • Use Case Scenarios
  • Network Deployment
➡ Threat Modeling
  • Decompose Application
  • Attack Surface
  • Major Security Controls
➡ Automation
  • Low Hanging Fruit
  • Hot Spots
  • Missed Functionalities
  • Abandoned Code
➡ Manual Review
  • Security Controls
  • High Profile Code
  • Custom Rules
➡ Confirmation & PoC
  • Confirmation
  • Evidence
➡ Reporting
  • Risk Rating
  • Role Based
  • Remediation Instructions
Across all phases: Checklists, Tools, Skills
Softwar S cur
Simplified Security Code Review Process
Reconnaissance!
Threat Modeling !
Automation !
Manual Review !
Confirmation & PoC!
Reporting!
Checklists!
Tools !
Skills!
Monday, 3 June, 13
![Page 36: Simplified security code review - BSidesQuebec2013](https://reader033.vdocuments.net/reader033/viewer/2022051400/54c41ea44a7959e8508b45b3/html5/thumbnails/36.jpg)
Softwar S cur
Simplified Security Code Review Process
Reconnaissance!
Threat Modeling !
Automation !
Manual Review !
Confirmation & PoC!
Reporting!
Checklists!
Tools !
Skills!
Monday, 3 June, 13
![Page 37: Simplified security code review - BSidesQuebec2013](https://reader033.vdocuments.net/reader033/viewer/2022051400/54c41ea44a7959e8508b45b3/html5/thumbnails/37.jpg)
Softwar S cur
Simplified Security Code Review Process
Reconnaissance!
Threat Modeling !
Automation !
Manual Review !
Confirmation & PoC!
Reporting!
Checklists!
Tools !
Skills!
Automation
Manual Review Reporting
Checklists*
Tools*
OWASP*Top*10*
Trust*Boundary*Iden=fica=on*
Monday, 3 June, 13
Usages of Simplified Security Code Review
➡ Ideal for Introducing Development Teams To Security Code Reviews
➡ Crossing The Gap Between Security and Development Teams
Skills - OWASP Top 10
➡ A1 Injection
➡ A2 Broken Authentication and Session Management
➡ A3 Cross-Site Scripting (XSS)
➡ A4 Insecure Direct Object References
➡ A5 Security Misconfiguration
➡ A6 Sensitive Data Exposure
➡ A7 Missing Function Level Access Control
➡ A8 Cross-Site Request Forgery (CSRF)
➡ A9 Using Known Vulnerable Components
➡ A10 Unvalidated Redirects and Forwards
OWASP TOP 10 - 2010
➡ A1. Injection
➡ A2. Cross-Site Scripting
➡ A3. Broken Authentication and Session Management
➡ A4. Insecure Direct Object References
➡ A5. Cross-Site Request Forgery
➡ A6. Security Misconfiguration
➡ A7. Insecure Cryptographic Storage
➡ A8. Failure to Restrict URL Access
➡ A9. Insufficient Transport Layer Protection
➡ A10. Unvalidated Redirects and Forwards

OWASP TOP 10 - 2013
➡ A1. Injection
➡ A2. Broken Authentication and Session Management
➡ A3. Cross-Site Scripting
➡ A4. Insecure Direct Object References
➡ A5. Security Misconfiguration
➡ A6. Sensitive Data Exposure
➡ A7. Missing Function Level Access Control
➡ A8. Cross-Site Request Forgery
➡ A9. Using Known Vulnerable Components
➡ A10. Unvalidated Redirects and Forwards

Legend (colour-coded on the slide): 2010 / Modified / New
[Chart: Veracode Report - 2011 findings labelled with OWASP Top 10 - 2013 categories; legend: 2010 / Modified / New]
[Chart: Trustwave Report - 2013 findings labelled with OWASP Top 10 - 2013 categories; legend: 2010 / Modified / New]
[Chart: Whitehat Report - 2012 findings labelled with OWASP Top 10 - 2013 categories; legend: 2010 / Modified / New]
Define Trust Boundary
Trust Boundary - Example
[Diagram, nodes as labelled on the slide: Internet; Browser, SOAP Client, Mobile Client; Front Controller, Web Services, Admin Front Controller; View, Business Objects, Data Access Layer; LAN; DB, LDAP, File System; a Browser/View path on the LAN. The slide draws the trust boundaries between these tiers one step at a time.]
Trust Boundary - OWASP Top 10
[Diagram: the same tiers (Front Controller, Web Services, Admin Front Controller, View, Business Objects, Data Access Layer, LAN, DB, LDAP, File System) with the OWASP Top 10 - 2013 categories A1 to A10 placed, one build step at a time, at the trust boundaries where each is reviewed; the category list from the "Skills - OWASP Top 10" slide is shown alongside.]
Softwar S cur
How Can You Identify Trust Boundary?
Monday, 3 June, 13
![Page 64: Simplified security code review - BSidesQuebec2013](https://reader033.vdocuments.net/reader033/viewer/2022051400/54c41ea44a7959e8508b45b3/html5/thumbnails/64.jpg)
Softwar S cur
How Can You Identify Trust Boundary?
➡ File Extensions: *.jsp, *.aspx.cs, *.sql, *.txt, *DAL.*, etc
Monday, 3 June, 13
![Page 65: Simplified security code review - BSidesQuebec2013](https://reader033.vdocuments.net/reader033/viewer/2022051400/54c41ea44a7959e8508b45b3/html5/thumbnails/65.jpg)
Softwar S cur
How Can You Identify Trust Boundary?
➡ File Extensions: *.jsp, *.aspx.cs, *.sql, *.txt, *DAL.*, etc
➡ Implementations: HttpServlet, JAXMServlet, *.master.cs, etc
Monday, 3 June, 13
![Page 66: Simplified security code review - BSidesQuebec2013](https://reader033.vdocuments.net/reader033/viewer/2022051400/54c41ea44a7959e8508b45b3/html5/thumbnails/66.jpg)
Softwar S cur
How Can You Identify Trust Boundary?
➡ File Extensions: *.jsp, *.aspx.cs, *.sql, *.txt, *DAL.*, etc
➡ Implementations: HttpServlet, JAXMServlet, *.master.cs, etc
➡ Imports: Import System.Data.SqlClient, import javax.servlet.http.*, etc
Monday, 3 June, 13
![Page 67: Simplified security code review - BSidesQuebec2013](https://reader033.vdocuments.net/reader033/viewer/2022051400/54c41ea44a7959e8508b45b3/html5/thumbnails/67.jpg)
Softwar S cur
How Can You Identify Trust Boundary?
➡ File Extensions: *.jsp, *.aspx.cs, *.sql, *.txt, *DAL.*, etc
➡ Implementations: HttpServlet, JAXMServlet, *.master.cs, etc
➡ Imports: Import System.Data.SqlClient, import javax.servlet.http.*, etc
➡ Tools: Spiders’ output
Monday, 3 June, 13
![Page 68: Simplified security code review - BSidesQuebec2013](https://reader033.vdocuments.net/reader033/viewer/2022051400/54c41ea44a7959e8508b45b3/html5/thumbnails/68.jpg)
Softwar S cur
How Can You Identify Trust Boundary?
➡ File Extensions: *.jsp, *.aspx.cs, *.sql, *.txt, *DAL.*, etc
➡ Implementations: HttpServlet, JAXMServlet, *.master.cs, etc
➡ Imports: Import System.Data.SqlClient, import javax.servlet.http.*, etc
➡ Tools: Spiders’ output
➡ Annotations: @WebMethods, @WebService
Monday, 3 June, 13
Making Unsecure Code Look Unsecure - cc/Joel Spolsky
➡ Physical Source Code Separation.
➡ File Naming Scheme:
  ➡ Trust Boundary Safe: tbsProcessNameChange.java
  ➡ Trust Boundary UnSafe: tbuEditProfile.jsp
➡ Variable Naming Convention:
  ➡ String usEmail = Request.getParameter("email");
  ➡ String sEmail = Validate(Request.getParameter("email"));
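As an added illustration of the variable naming convention above (not code from the talk), a small Python lint that checks Java statements against it: request data must land in a us-prefixed variable, only the result of Validate(...) may be stored under an s prefix, and a us-prefixed value must not be passed to any call other than Validate. The sample Java lines, the extra request accessors and the use of Validate as the sole validator are assumptions of the example.

```python
import re

# Reads that bring untrusted data across the trust boundary. The slide shows
# getParameter; the other accessors are assumptions of this example.
SOURCE_RE = re.compile(r"\.(getParameter|getHeader|getCookies|getQueryString)\s*\(")
ASSIGN_RE = re.compile(r"^\s*(?:[\w<>\[\]]+\s+)?(\w+)\s*=\s*(.+?);\s*$")
CALL_RE = re.compile(r"\b(\w+)\s*\(([^()]*)\)")
VALIDATOR = "Validate"  # the only call allowed to turn a us value into an s value


def prefix_kind(name):
    """'unsafe' for usXxx, 'safe' for sXxx, None for anything else."""
    if re.match(r"us[A-Z]", name):
        return "unsafe"
    if re.match(r"s[A-Z]", name):
        return "safe"
    return None


def lint_line(lineno, line):
    """Return (lineno, message) findings for one Java statement."""
    code = line.split("//", 1)[0]  # ignore trailing comments
    findings = []
    m = ASSIGN_RE.match(code)
    if m:
        name, expr = m.group(1), m.group(2).strip()
        kind = prefix_kind(name)
        if expr.startswith(VALIDATOR + "("):
            if kind != "safe":
                findings.append((lineno, f"validated value in '{name}' should carry the s prefix"))
        elif SOURCE_RE.search(expr):
            if kind == "safe":
                findings.append((lineno, f"'{name}' is marked safe but holds unvalidated request data"))
            elif kind is None:
                findings.append((lineno, f"request data stored in '{name}' without the us prefix"))
        elif kind == "safe" and prefix_kind(expr) == "unsafe":
            findings.append((lineno, f"'{name}' is marked safe but copies unsafe '{expr}'"))
    # A us value may only ever be handed to the validator.
    for callee, args in CALL_RE.findall(code):
        if callee == VALIDATOR:
            continue
        for arg in (a.strip() for a in args.split(",")):
            if prefix_kind(arg) == "unsafe":
                findings.append((lineno, f"unsafe '{arg}' passed to {callee}() without validation"))
    return findings


def lint(source):
    """Lint a whole file; returns findings in line order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        findings.extend(lint_line(lineno, line))
    return findings


# Constructed sample; only lines 3 to 6 break the convention.
SAMPLE = """\
String usEmail = request.getParameter("email");           // unsafe, marked us
String sEmail = Validate(request.getParameter("email"));  // validated, marked s
String email = request.getParameter("email");             // unsafe data, no us prefix
String sName = request.getParameter("name");              // marked safe, never validated
String sCopy = usEmail;                                   // safe name, unsafe value
sendMail(usEmail);                                        // unsafe value leaves the file
sendMail(sEmail);                                         // validated value, fine
"""

if __name__ == "__main__":
    for lineno, message in lint(SAMPLE):
        print(f"line {lineno}: {message}")
```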
Automation
Automation Static Code Analysis

| Pros | Cons |
| --- | --- |
| Scales Well | False Positives |
| Low Hanging Fruit | Application Logic Issues |
| Could Be Customized | Collections |
| | Frameworks |
![Page 72: Simplified security code review - BSidesQuebec2013](https://reader033.vdocuments.net/reader033/viewer/2022051400/54c41ea44a7959e8508b45b3/html5/thumbnails/72.jpg)
Softwar S cur
Scripts
➡ Complement Static Code Analysis Tools.
➡ 3rd Party Libraries Discovery.
➡ Data Input Sources (e.g. web services).
➡ Tracing Data Through Collections (e.g. Session, Request, Collection).
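A script that applies the trust boundary indicators from slide 68 (file extensions, implementations, imports, annotations) to a source tree, added here as an example and not the talk's or the author's code; the rule labels and the sample files in Main are constructed, and it is in C# to sit beside the other .NET samples on this page.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Added example, not from the talk: flag files that sit on a trust boundary
// using the indicators listed on the slides. Rule labels are hypothetical.
public static class TrustBoundaryScanner
{
    // Each rule is a label plus a regex over the path or over the file body.
    static readonly (string Label, Regex Path, Regex Body)[] Rules =
    {
        ("extension",      new Regex(@"\.(jsp|aspx\.cs|sql|txt)$|DAL\.", RegexOptions.IgnoreCase), null),
        ("implementation", null, new Regex(@"\b(HttpServlet|JAXMServlet)\b|\.master\.cs")),
        ("import",         null, new Regex(@"^\s*(using\s+System\.Data\.SqlClient|import\s+javax\.servlet\.http\.\*)\s*;",
                                           RegexOptions.Multiline)),
        ("annotation",     null, new Regex(@"\[WebMethod\]|@WebMethod|@WebService")),
    };

    // Returns the indicators that fired for one file; an empty list means
    // nothing on the slides' list marks it as a trust boundary.
    public static List<string> Indicators(string path, string contents)
    {
        var hits = new List<string>();
        foreach (var rule in Rules)
        {
            bool hit = (rule.Path != null && rule.Path.IsMatch(path))
                    || (rule.Body != null && rule.Body.IsMatch(contents));
            if (hit) hits.Add(rule.Label);
        }
        return hits;
    }

    public static void Main()
    {
        // Constructed sample tree: path -> contents.
        var tree = new Dictionary<string, string>
        {
            ["web/tbuEditProfile.jsp"]  = "<%@ page language=\"java\" %>",
            ["src/ProfileServlet.java"] = "import javax.servlet.http.*;\npublic class ProfileServlet extends HttpServlet { }",
            ["src/Api.asmx.cs"]         = "[WebMethod] public string Ping() { return \"ok\"; }",
            ["src/tbsNameChange.java"]  = "public class NameChange { }",
        };
        foreach (var file in tree)
        {
            var ind = Indicators(file.Key, file.Value);
            Console.WriteLine(ind.Count == 0
                ? $"{file.Key}: no boundary indicator"
                : $"{file.Key}: trust boundary ({string.Join(", ", ind)})");
        }
    }
}
```

Files that fire no rule are not proven safe; they are simply the ones the cheap indicators do not reach, which is where the manual review effort described later on this page goes.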
![Page 73: Simplified security code review - BSidesQuebec2013](https://reader033.vdocuments.net/reader033/viewer/2022051400/54c41ea44a7959e8508b45b3/html5/thumbnails/73.jpg)
Process overview: Automation, Manual Review, Reporting; Checklists, Tools, OWASP Top 10, Trust Boundary Identification (highlighted stage: Manual Review)
![Page 74: Simplified security code review - BSidesQuebec2013](https://reader033.vdocuments.net/reader033/viewer/2022051400/54c41ea44a7959e8508b45b3/html5/thumbnails/74.jpg)
What Needs to Be Manually Reviewed?
➡ Authentication & Authorization Controls
➡ Encryption Modules
➡ File Upload and Download Operations
➡ Validation Controls\Input Filters
➡ Security-Sensitive Application Logic
![Page 75: Simplified security code review - BSidesQuebec2013](https://reader033.vdocuments.net/reader033/viewer/2022051400/54c41ea44a7959e8508b45b3/html5/thumbnails/75.jpg)
Authentication & Authorization Flaws
Web Methods Do Not Follow Regular ASP.NET Page Life Cycle
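What the callout means in code, as an added example not taken from the talk: a WebForms page that guards itself in Page_Load, and a [WebMethod] page method that the AJAX pipeline invokes without running the page life cycle, so the guard never executes for it; the class, IsAdmin, UserStore and the Admin role are hypothetical, and page methods are assumed to be enabled (EnablePageMethods on the ScriptManager).

```csharp
using System;
using System.Web;
using System.Web.Services;
using System.Web.UI;

// Added example, not from the talk. Page methods ([WebMethod] on a public
// static method of the page) are dispatched directly; Page_Load, Init and
// the rest of the life cycle do not run for them.
public partial class AdminPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Only guards ordinary page requests and post backs.
        if (!IsAdmin(HttpContext.Current))
            throw new HttpException(403, "Forbidden");
    }

    // Unsafe: reachable over AJAX without ever passing through Page_Load.
    [WebMethod]
    public static string DeleteUserUnsafe(string userId)
    {
        UserStore.Delete(userId);
        return "deleted";
    }

    // Safe: a static page method has no Page instance, so it must make
    // the authorization decision itself from the current HttpContext.
    [WebMethod]
    public static string DeleteUser(string userId)
    {
        if (!IsAdmin(HttpContext.Current))
            throw new HttpException(403, "Forbidden");
        UserStore.Delete(userId);
        return "deleted";
    }

    // One authorization rule shared by both entry points (role name hypothetical).
    private static bool IsAdmin(HttpContext ctx) =>
        ctx?.User?.Identity?.IsAuthenticated == true && ctx.User.IsInRole("Admin");
}

// Stand-in for the real persistence layer so the example is self-contained.
internal static class UserStore
{
    public static void Delete(string userId) { /* constructed: no-op */ }
}
```

During review, grep for `[WebMethod]` and check each method for its own authorization call rather than trusting a check that lives in Page_Load or a master page.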
![Page 79: Simplified security code review - BSidesQuebec2013](https://reader033.vdocuments.net/reader033/viewer/2022051400/54c41ea44a7959e8508b45b3/html5/thumbnails/79.jpg)
Encryption Flaws
Return value is initialized
Classic fail-open scenario
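The "return value is initialized" pattern written out, as an added example rather than the code shown in the talk: a hypothetical MAC verification routine whose result starts at true and survives an exception, beside the fail-closed form; it assumes .NET Core 2.1 or later for CryptographicOperations.FixedTimeEquals.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the talk. In VerifyUnsafe the result is
// pre-initialized to the success value, so any failure inside the try
// (null key, malformed input) leaves it at true: the check fails open.
public static class MacCheck
{
    public static bool VerifyUnsafe(byte[] key, byte[] message, byte[] tag)
    {
        bool valid = true;                                   // the flaw
        try
        {
            using (var h = new HMACSHA256(key))
                valid = CryptographicOperations.FixedTimeEquals(h.ComputeHash(message), tag);
        }
        catch (Exception) { /* swallowed; valid keeps its initial value */ }
        return valid;
    }

    // Fail closed: start from the failure value and only move to true on an
    // explicit successful comparison; an exception leaves it false.
    public static bool Verify(byte[] key, byte[] message, byte[] tag)
    {
        bool valid = false;
        try
        {
            using (var h = new HMACSHA256(key))
                valid = CryptographicOperations.FixedTimeEquals(h.ComputeHash(message), tag);
        }
        catch (Exception) { valid = false; }
        return valid;
    }

    public static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-sample-key");
        byte[] msg = Encoding.UTF8.GetBytes("transfer 100");
        byte[] junkTag = new byte[32];                       // constructed: wrong tag
        Console.WriteLine(VerifyUnsafe(null, msg, junkTag)); // null key throws -> True
        Console.WriteLine(Verify(null, msg, junkTag));       // False
        Console.WriteLine(Verify(key, msg, junkTag));        // False
        using (var h = new HMACSHA256(key))
            Console.WriteLine(Verify(key, msg, h.ComputeHash(msg))); // True
    }
}
```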
![Page 85: Simplified security code review - BSidesQuebec2013](https://reader033.vdocuments.net/reader033/viewer/2022051400/54c41ea44a7959e8508b45b3/html5/thumbnails/85.jpg)
File Upload\Download Flaws
The value gets validated first time around
File path saved into a hidden field
File path is not validated on post back
Path used without validation
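The four callouts as code, in an added example that is not the talk's own: a WebForms download page that validates the path once, round-trips it through a hidden field, and on post back uses it without validation; DownloadPage, hfPath, SafeRoot and the handler names are hypothetical.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example, not from the talk. A hidden field is client-controlled
// input on every post back, so a value validated on the first request must
// be validated again when it comes back.
public partial class DownloadPage : Page
{
    private const string SafeRoot = @"C:\inetpub\acme\downloads";   // constructed

    protected HiddenField hfPath;     // declared in the .aspx markup on a real page
    protected Button btnDownload;

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            string full = ValidatePath(Request.QueryString["file"]); // validated first time around
            hfPath.Value = full;                                     // file path saved into a hidden field
        }
    }

    // Unsafe: on post back the hidden field is used as-is.
    protected void btnDownload_ClickUnsafe(object sender, EventArgs e)
    {
        Response.TransmitFile(hfPath.Value);                         // path used without validation
    }

    // Safe: re-validate every time the value crosses the trust boundary.
    protected void btnDownload_Click(object sender, EventArgs e)
    {
        Response.TransmitFile(ValidatePath(hfPath.Value));
    }

    // Confine the request to a file directly under SafeRoot; reject anything else.
    private static string ValidatePath(string candidate)
    {
        if (string.IsNullOrEmpty(candidate)) throw new HttpException(400, "Bad Request");
        string full = Path.GetFullPath(Path.Combine(SafeRoot, Path.GetFileName(candidate)));
        if (!full.StartsWith(SafeRoot + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase)
            || !File.Exists(full))
            throw new HttpException(404, "Not Found");
        return full;
    }
}
```

Keeping an opaque file identifier server-side (for example in Session) instead of a path in a hidden field removes the need to trust the round-tripped value at all.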
![Page 91: Simplified security code review - BSidesQuebec2013](https://reader033.vdocuments.net/reader033/viewer/2022051400/54c41ea44a7959e8508b45b3/html5/thumbnails/91.jpg)
Process overview: Automation, Manual Review, Reporting; Checklists, Tools, OWASP Top 10, Trust Boundary Identification (highlighted stage: Reporting)
![Page 92: Simplified security code review - BSidesQuebec2013](https://reader033.vdocuments.net/reader033/viewer/2022051400/54c41ea44a7959e8508b45b3/html5/thumbnails/92.jpg)
Reporting
➡ Weakness Metadata
➡ Thorough Description
➡ Recommendation
➡ Assign Priority

Sample finding:

SQL Injection:
Location: \source\ACMEPortal\updateinfo.aspx.cs:
Description: The code below builds a dynamic SQL statement using unvalidated data (i.e. name), which can lead to SQL Injection.

```csharp
SqlDataAdapter myCommand = new SqlDataAdapter(
    "SELECT au_lname, au_fname FROM author WHERE au_id = '" +
    SSN.Text + "'", myConnection);
```

Priority: High
Recommendation: Use parameterized SQL instead of dynamic concatenation; refer to http://msdn.microsoft.com/en-us/library/ff648339.aspx for details.
Owner: John Smith
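The remediation the sample finding recommends, applied to the reported snippet as an added example (not from the talk); the table and column names come from the finding, while the class name and the VarChar length are assumptions.

```csharp
using System.Data;
using System.Data.SqlClient;

// Added example, not from the talk: the reported query in its concatenated
// form and in the parameterized form the recommendation asks for.
public static class AuthorLookup
{
    // As reported: the SSN text box content is pasted into the SQL text,
    // so quote characters in it change the statement's structure.
    public static SqlDataAdapter BuildUnsafe(string ssnText, SqlConnection myConnection) =>
        new SqlDataAdapter(
            "SELECT au_lname, au_fname FROM author WHERE au_id = '" + ssnText + "'",
            myConnection);

    // Remediated: the value travels as a typed parameter and is never parsed
    // as SQL, whatever characters it contains. Length 11 is an assumption.
    public static SqlDataAdapter BuildSafe(string ssnText, SqlConnection myConnection)
    {
        var cmd = new SqlCommand(
            "SELECT au_lname, au_fname FROM author WHERE au_id = @au_id", myConnection);
        cmd.Parameters.Add("@au_id", SqlDbType.VarChar, 11).Value = ssnText;
        return new SqlDataAdapter(cmd);
    }
}
```

When confirming the fix during the Confirmation & PoC step, check that every query in the file went through the same change; a single remaining concatenation keeps the finding open.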
![Page 93: Simplified security code review - BSidesQuebec2013](https://reader033.vdocuments.net/reader033/viewer/2022051400/54c41ea44a7959e8508b45b3/html5/thumbnails/93.jpg)
Confirmation & PoC
![Page 97: Simplified security code review - BSidesQuebec2013](https://reader033.vdocuments.net/reader033/viewer/2022051400/54c41ea44a7959e8508b45b3/html5/thumbnails/97.jpg)
Process overview: Automation, Manual Review, Reporting; Checklists, Tools, OWASP Top 10, Trust Boundary Identification (highlighted stage: Tools)
![Page 98: Simplified security code review - BSidesQuebec2013](https://reader033.vdocuments.net/reader033/viewer/2022051400/54c41ea44a7959e8508b45b3/html5/thumbnails/98.jpg)
Security Code Review Tools
➡ Static Code Analysis
  ➡ Free: FindBugs, PMD, CAT.NET, PC-lint, etc.
  ➡ Commercial: see the Static Code Tools Evaluation Criteria (WASC)
➡ 3rd Party Libraries: DependencyCheck - https://github.com/jeremylong/DependencyCheck
➡ Scripts
![Page 99: Simplified security code review - BSidesQuebec2013](https://reader033.vdocuments.net/reader033/viewer/2022051400/54c41ea44a7959e8508b45b3/html5/thumbnails/99.jpg)
Open-Source Static Code Analysis Tools, by platform: Java, .NET, C++
![Page 100: Simplified security code review - BSidesQuebec2013](https://reader033.vdocuments.net/reader033/viewer/2022051400/54c41ea44a7959e8508b45b3/html5/thumbnails/100.jpg)
Process overview: Automation, Manual Review, Reporting; Checklists, Tools, OWASP Top 10, Trust Boundary Identification (highlighted stage: Checklists)
![Page 101: Simplified security code review - BSidesQuebec2013](https://reader033.vdocuments.net/reader033/viewer/2022051400/54c41ea44a7959e8508b45b3/html5/thumbnails/101.jpg)
Usage of checklists
➡ Aviation: checklists drove the evolution of modern airplanes after Major Hill's famous 1934 incident
➡ ICU: usage of checklists brought down infection rates in Michigan by 66%
![Page 102: Simplified security code review - BSidesQuebec2013](https://reader033.vdocuments.net/reader033/viewer/2022051400/54c41ea44a7959e8508b45b3/html5/thumbnails/102.jpg)
Security Code Review Checklist
➡ Data Validation and Encoding Controls
➡ Encryption Controls
➡ Authentication and Authorization Controls
➡ Session Management
➡ Exception Handling
➡ Auditing and Logging
➡ Security Configurations
![Page 103: Simplified security code review - BSidesQuebec2013](https://reader033.vdocuments.net/reader033/viewer/2022051400/54c41ea44a7959e8508b45b3/html5/thumbnails/103.jpg)
Resources To Conduct Your Checklist
➡ NIST Checklist Project - http://checklists.nist.gov/
➡ Mozilla's Secure Coding QA Checklist - https://wiki.mozilla.org/WebAppSec/Secure_Coding_QA_Checklist
➡ Oracle's Secure Coding Checklist - http://www.oracle.com/technetwork/java/seccodeguide-139067.html
![Page 104: Simplified security code review - BSidesQuebec2013](https://reader033.vdocuments.net/reader033/viewer/2022051400/54c41ea44a7959e8508b45b3/html5/thumbnails/104.jpg)
Simplified Security Code Review Process
➡ Reconnaissance
➡ Threat Modeling
➡ Automation
➡ Manual Review
➡ Confirmation & PoC
➡ Reporting
➡ Checklists
➡ Tools
➡ Skills
![Page 105: Simplified security code review - BSidesQuebec2013](https://reader033.vdocuments.net/reader033/viewer/2022051400/54c41ea44a7959e8508b45b3/html5/thumbnails/105.jpg)
QUESTIONS? @skoussa
[email protected]@softwaresecured.com