
Software Secured

6-Points Strategy to Get Your Application in Security Shape

Sherif Koussa

OWASP Ottawa Chapter Leader
Static Analysis Technologies Evaluation Criteria Project Leader
Application Security Specialist - Software Secured


Bio


The 6 Points Strategy to Get Your Applications Back in Top Security Shape...


1. DRASTIC CHANGES NEED DRASTIC MEASURES!

Get to the bottom of things quickly!


Why Security Code Reviews:

Effectiveness of Security Controls Against Known Threats

Testing All Application Execution Paths

Find All Instances of a Certain Vulnerability

The Only Way to Find Certain Types of Vulnerabilities

Effective Remediation Instructions


2. COVER THE BASICS FIRST

Don’t run before you can walk!


OWASP Top 10 - 2010 compared with OWASP Top 10 - 2013 (rows aligned by topic; the slide's legend marks each 2013 entry as unchanged from 2010, Modified, or New):

  OWASP Top 10 - 2010                                  OWASP Top 10 - 2013
  A1. Injection                                        A1. Injection
  A2. Cross-Site Scripting                             A3. Cross-Site Scripting
  A3. Broken Authentication and Session Management     A2. Broken Authentication and Session Management
  A4. Insecure Direct Object References                A4. Insecure Direct Object References
  A5. Cross-Site Request Forgery                       A8. Cross-Site Request Forgery
  A6. Security Misconfiguration                        A5. Security Misconfiguration
  A7. Insecure Cryptographic Storage                   A6. Sensitive Data Exposure (Modified: merges 2010 A7 and A9)
  A9. Insufficient Transport Layer Protection
  A8. Failure to Restrict URL Access                   A7. Missing Function Level Access Control (Modified)
                                                       A9. Using Known Vulnerable Components (New)
  A10. Unvalidated Redirects and Forwards              A10. Unvalidated Redirects and Forwards

Legend: 2010 (unchanged) / Modified / New


3. FOCUS ON WHAT MATTERS!

Really... focus on what matters!


Effective Application Security Assessment Process

Reconnaissance!

Threat Assessment!

Automation!

Manual Review!

Confirmation & PoC!

Reporting!

Checklist!

Tools!

Security Skills!


4. GET YOUR HANDS DIRTY!

No pain...no gain...


What Needs Manual Review? This REALLY Matters!

Authentication & Authorization Controls

Encryption Modules

File Upload and Download Operations

Validation Controls / Input Filters

Security-Sensitive Application Logic


Authentication and Authorization Controls

WebMethods Don’t Follow Regular ASP.net Page Lifecycle
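The point behind this slide, shown as an added example that is not the presenter's code: ASP.NET AJAX calls a static [WebMethod] page method directly, without running the page lifecycle, so an authorization check that lives in Page_Load never executes for that call. The AdminPage class, the UserStore helper, the "Admin" role and a ScriptManager with EnablePageMethods="true" in the markup are all assumptions made for the illustration.

```csharp
// Added example, not from the slides. AdminPage, UserStore and the "Admin" role are
// assumptions; the markup is assumed to enable page methods via ScriptManager.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Services;
using System.Web.UI;

// Stand-in for the application's data layer (constructed for the example).
public static class UserStore
{
    private static readonly HashSet<string> Users =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "alice", "bob" };

    public static bool Delete(string userName) => Users.Remove(userName ?? string.Empty);
}

public partial class AdminPage : Page
{
    // Executes for ordinary GET/POST page requests only.
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsAdmin(HttpContext.Current))
        {
            Response.StatusCode = 403;
            Response.End();
        }
    }

    // VULNERABLE: relies on Page_Load, which is skipped for page-method calls.
    [WebMethod]
    public static string DeleteUserUnchecked(string userName)
    {
        return UserStore.Delete(userName) ? "deleted" : "not found";
    }

    // FIXED: the method enforces authorization itself, on every call.
    [WebMethod]
    public static string DeleteUser(string userName)
    {
        if (!IsAdmin(HttpContext.Current))
        {
            // Fail closed with an explicit error rather than a silent no-op.
            throw new HttpException(403, "Forbidden");
        }
        return UserStore.Delete(userName) ? "deleted" : "not found";
    }

    // One authorization rule shared by the lifecycle path and the page methods,
    // so a reviewer can confirm both entry points apply the same check.
    private static bool IsAdmin(HttpContext context)
    {
        var user = context?.User;
        return user != null && user.Identity.IsAuthenticated && user.IsInRole("Admin");
    }
}
```

During a manual review, every [WebMethod] (and every ASMX/WCF entry point reachable from the browser) should be listed and checked for its own authorization call, because Page_Load-based checks give no coverage there.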


Encryption Modules

There is a possibility of returning empty hashes on error.
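Why an empty hash on error matters, as an added example that is not from the slides: a helper that swallows exceptions and returns "" turns every failure into the same "digest", so two failures compare equal and a verification step can pass on input it never hashed. The Hashing class and its method names are constructed for this illustration.

```csharp
// Added example, not from the slides. The Hashing class and method names are
// constructed; the hardened variant rejects empty digests and propagates errors.
using System;
using System.Security.Cryptography;
using System.Text;

public static class Hashing
{
    // VULNERABLE pattern: any exception becomes an empty string.
    public static string Sha256Unsafe(string input)
    {
        try
        {
            using (var sha = SHA256.Create())
                return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(input)));
        }
        catch (Exception)
        {
            return string.Empty;   // the caller cannot tell "failed" from "hashed"
        }
    }

    // VULNERABLE consumer: when both sides failed, "" equals "" and the check passes.
    public static bool VerifyUnsafe(string input, string storedDigest)
    {
        return Sha256Unsafe(input) == storedDigest;
    }

    // HARDENED: invalid input is rejected up front and any other error propagates.
    public static string Sha256(string input)
    {
        if (input == null) throw new ArgumentNullException(nameof(input));
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(input)));
    }

    // HARDENED consumer: empty digests are never accepted; comparison is constant-time.
    public static bool Verify(string input, string storedDigest)
    {
        if (string.IsNullOrEmpty(storedDigest)) return false;
        return FixedTimeEquals(Encoding.UTF8.GetBytes(Sha256(input)),
                               Encoding.UTF8.GetBytes(storedDigest));
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Encoding.UTF8.GetBytes(null) throws, so the unsafe helper yields "" here,
        // and VerifyUnsafe ends up comparing "" with "".
        string storedFromFailedRun = Hashing.Sha256Unsafe(null);
        Console.WriteLine(Hashing.VerifyUnsafe(null, storedFromFailedRun));

        // The hardened consumer refuses the empty digest instead of comparing it.
        Console.WriteLine(Hashing.Verify("anything", storedFromFailedRun));
    }
}
```

When reviewing an encryption or hashing module, look for catch blocks that return a default value (empty string, null, all-zero array) and trace every consumer of that value; the fix is to fail closed, not to return a placeholder.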


Security Controls

Directory traversal is possible on post-back.
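One shape this finding commonly takes, written here as an added example rather than the presenter's code: a file name is validated when the page first loads, stored in a hidden field, and then trusted when the post-back returns it, even though the client controls that value. The DownloadPage class, the downloads root and the FileNameField control are assumptions made for the illustration.

```csharp
// Added example, not from the slides. DownloadPage, DownloadRoot and FileNameField
// are assumptions; the markup is assumed to declare the hidden field and two buttons.
using System;
using System.IO;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class DownloadPage : Page
{
    private const string DownloadRoot = @"C:\inetpub\acme\downloads";   // assumed location

    // Declared in the .aspx markup as <asp:HiddenField ID="FileNameField" runat="server" />.
    protected HiddenField FileNameField;

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // Validated once, then stored in a hidden field that round-trips to the client.
            string name = Request.QueryString["file"];
            if (!TryResolveUnderRoot(DownloadRoot, name, out _))
            {
                Response.StatusCode = 400;
                Response.End();
            }
            FileNameField.Value = name;
        }
    }

    // VULNERABLE: on post-back the hidden field holds whatever the client sent back,
    // and a value containing ".." resolves to a path outside DownloadRoot.
    protected void DownloadUnchecked_Click(object sender, EventArgs e)
    {
        Response.TransmitFile(Path.Combine(DownloadRoot, FileNameField.Value));
    }

    // FIXED: re-validate on every request and serve only paths confined to the root.
    protected void Download_Click(object sender, EventArgs e)
    {
        string fullPath;
        if (!TryResolveUnderRoot(DownloadRoot, FileNameField.Value, out fullPath))
        {
            Response.StatusCode = 400;
            Response.End();
            return;
        }
        Response.TransmitFile(fullPath);
    }

    // Accepts a bare file name, canonicalises it and confirms the result stays under root.
    public static bool TryResolveUnderRoot(string root, string name, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrWhiteSpace(name)) return false;
        if (name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return false;  // rejects separators

        string rootFull = Path.GetFullPath(root).TrimEnd(Path.DirectorySeparatorChar)
                          + Path.DirectorySeparatorChar;
        string candidate = Path.GetFullPath(Path.Combine(rootFull, name));   // collapses ".."
        if (!candidate.StartsWith(rootFull, StringComparison.OrdinalIgnoreCase)) return false;

        fullPath = candidate;
        return true;
    }
}
```

The review question to ask of each file operation is where the path component is validated relative to where it is used: a check on the first request does nothing for the post-back handler that actually reads the file.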


5. GET YOUR B-17 FIX! Gain strategic advantage over the attackers...


Checklists Advance Technology

Aviation: Model 299 (1934): "Too much airplane for one man to fly".

The B-17 plane (Model 299 successor) gave the U.S. a major strategic advantage in WWII.

Intensive Care Units: Usage of checklists brought down infection rates in Michigan by 66%.


Resources To Conduct Your Checklist

NIST Checklist Project
➡ http://checklists.nist.gov/

Mozilla's Secure Coding QA Checklist
➡ https://wiki.mozilla.org/WebAppSec/Secure_Coding_QA_Checklist

Oracle's Secure Coding Checklist
➡ http://www.oracle.com/technetwork/java/seccodeguide-139067.html


6. FINISH STRONG! Flex your communications muscles!


Reporting

Metadata

Thorough Description

Recommendation

Assign Appropriate Priority

Example finding:

SQL Injection
Location: \source\ACMEPortal\updateinfo.aspx.cs
Description: The code below builds a dynamic SQL statement using unvalidated data (i.e. name), which can lead to SQL injection.

    SqlDataAdapter myCommand = new SqlDataAdapter(
        "SELECT au_lname, au_fname FROM author WHERE au_id = '" +
        SSN.Text + "'", myConnection);

Priority: High
Recommendation: Use parameterized SQL instead of dynamic concatenation; refer to http://msdn.microsoft.com/en-us/library/ff648339.aspx for details.
Owner: John Smith
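The recommendation above carried through in code, as an added example that is not the presenter's: the concatenated query from the report next to a version where the identifier travels as a typed SqlParameter and the query text never changes. The AuthorLookup class, the open SqlConnection passed in and the varchar(11) type of au_id are assumptions for the illustration.

```csharp
// Added example, not from the slides. AuthorLookup is a constructed class; the caller
// is assumed to supply an open SqlConnection, and au_id is assumed to be varchar(11).
using System;
using System.Data;
using System.Data.SqlClient;

public static class AuthorLookup
{
    // VULNERABLE (the pattern from the report): the value is spliced into the query text.
    public static DataTable FindByIdUnsafe(SqlConnection connection, string ssn)
    {
        var adapter = new SqlDataAdapter(
            "SELECT au_lname, au_fname FROM author WHERE au_id = '" + ssn + "'", connection);
        var table = new DataTable();
        adapter.Fill(table);
        return table;
    }

    // FIXED: the query text is a constant; the value is bound as a typed parameter,
    // so quote characters in ssn are data, never SQL.
    public static DataTable FindById(SqlConnection connection, string ssn)
    {
        if (connection == null) throw new ArgumentNullException(nameof(connection));
        if (ssn == null) throw new ArgumentNullException(nameof(ssn));

        const string sql = "SELECT au_lname, au_fname FROM author WHERE au_id = @au_id";
        using (var command = new SqlCommand(sql, connection))
        {
            // Declaring the type and size pins the parameter to the column definition
            // (varchar(11) is assumed here) instead of letting the driver infer it.
            command.Parameters.Add("@au_id", SqlDbType.VarChar, 11).Value = ssn;

            using (var adapter = new SqlDataAdapter(command))
            {
                var table = new DataTable();
                adapter.Fill(table);
                return table;
            }
        }
    }
}
```

For the report itself, quoting the fixed form alongside the vulnerable lines, as this does, gives the owner something to apply directly and makes the reviewer's expectation explicit when the finding is re-tested.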


The 6-Points Strategy...

1. Drastic Changes Require Drastic Measures.

2. Cover the Basics First.

3. Focus on What Matters.

4. Get Your Hands Dirty.

5. Get Your B-17 Fix.

6. Finish Strong.