Code Quality - Security
Session Topics:
• Understand few terms, terminologies, known Issues and process problems
• Software security development cycle, leverage tools and build effective processes.
• Example projects(OpenSource and Commercial)
Santhosh Kumar Edukulla
Burger King Site Hacked
Twitter hacked by Iranian Army
ESPN site hacked with unicorns
Few Numbers, Known Issues
• More than 70% of “targeted” attacks are application related, of which web vulnerabilities are becoming prevalent.
• ESPN, Sony, eBay, Yahoo, Twitter, Facebook, Dropbox, Microsoft… even Google is not spared
Few Examples
Few Code Samples:
• All of the samples, on inspection, are functionally wrong, and they also lead to security issues.
• All of these issues can be caught during code reviews, static analysis, or other code-checking processes.
Core pillars of information security (CIA)
• Confidentiality – only allow access to data for which the user is permitted
• Integrity – ensure data is not tampered with or altered by unauthorized users
• Availability – ensure systems and data are available to authorized users when they need it
In typical SDLC, “Security starts from requirements phase itself and it never ends…”
Principles of Information Security
• Minimize attack surface area
• Establish secure defaults
• Principle of least privilege
• Principle of defense in depth
• Fail securely
• Don’t trust services
• Avoid security by obscurity
• Fix security issues correctly
• Keep security simple
OWASP Top Web Vulnerabilities
OWASP urges all companies to be aware of these concerns within their organization and start the process of ensuring that their web applications do not contain these flaws.
• A1 Injection
• A2 Broken Authentication and Session Management
• A3 Cross Site Scripting (XSS)
• A4 Insecure Direct Object References
• A5 Security Misconfiguration
• A6 Sensitive Data Exposure
• A7 Missing Function Level Access Control
• A8 Cross Site Request Forgery (CSRF)
• A9 Using Components with Known Vulnerabilities
• A10 Unvalidated Redirects and Forwards
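To make the OWASP items concrete for a C code base, the following is an added example (not part of the original slides) of fail-closed input handling for two of the listed classes: A1 Injection, where an untrusted value ends up inside a command or query, and A10 Unvalidated Redirects, where a request parameter decides where the user is sent. The origin names and length limit are constructed placeholders; the pattern is the point: an allowlist that rejects everything not explicitly permitted.

```c
#include <stdio.h>
#include <string.h>

#define PARAM_MAX_LEN 64   /* constructed limit for this example */

/* "Before", the A1 pattern, shown only as a comment and never called:
 *     snprintf(cmd, sizeof cmd, "zip archive.zip %s", user_value);
 *     system(cmd);
 * Because the value is spliced into a shell command line, shell
 * metacharacters inside it change what the command does.
 *
 * Hardened: validate the value against an allowlist before it is used
 * anywhere. Returns 1 only when every byte is permitted and the length
 * is in bounds; NULL, empty, over-long or unexpected input returns 0.
 * An allowlist is the secure default: a new character is rejected
 * until somebody explicitly permits it, unlike a denylist of "bad"
 * characters that is always one character short. Even with this check,
 * prefer passing the value as one argv element (execv family) over
 * building a shell command string. */
int param_is_safe(const char *p) {
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyz"
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "0123456789._-";
    if (p == NULL) return 0;
    size_t n = 0;
    for (; p[n] != '\0'; n++) {
        if (n >= PARAM_MAX_LEN) return 0;            /* fail closed on length */
        if (strchr(allowed, p[n]) == NULL) return 0; /* fail closed on charset */
    }
    return n > 0;                                    /* empty is not "safe" */
}

/* A10: a redirect target taken from the request must be matched against
 * an allowlist of full origins, not checked with a prefix test.
 * "https://example.com.evil.net" starts with "https://example.com", so
 * a bare prefix check lets it through; here the origin must be followed
 * by '/' or the end of the string. A relative path is accepted unless it
 * starts with "//" or "/\", which browsers treat as scheme-relative
 * absolute URLs. The origins are constructed placeholders. */
int redirect_is_allowed(const char *target) {
    static const char *const origins[] = {
        "https://example.com",
        "https://app.example.com",
    };
    if (target == NULL || target[0] == '\0') return 0;
    if (target[0] == '/')
        return target[1] != '/' && target[1] != '\\';
    for (size_t i = 0; i < sizeof origins / sizeof origins[0]; i++) {
        size_t len = strlen(origins[i]);
        if (strncmp(target, origins[i], len) == 0 &&
            (target[len] == '\0' || target[len] == '/'))
            return 1;
    }
    return 0;   /* default deny */
}

int main(void) {
    const char *params[] = { "report_2024.txt", "a;rm", "" };
    const char *targets[] = { "/account", "//evil.example",
                              "https://example.com.evil.net/" };
    for (size_t i = 0; i < 3; i++)
        printf("param %-18s -> %s\n", params[i],
               param_is_safe(params[i]) ? "accept" : "reject");
    for (size_t i = 0; i < 3; i++)
        printf("redirect %-30s -> %s\n", targets[i],
               redirect_is_allowed(targets[i]) ? "accept" : "reject");
    return 0;
}
```

Both checks are written so that every error path returns "reject"; that is the "fail securely" and "establish secure defaults" principles from the earlier slide applied to input handling.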
Code Quality: Functional vs. Non-Functional
Definition of Quality: Broad… but it should not be limited to the functional quality of a software product.
“Secure” your data (resources, configurations, physical, virtual, sockets, files, users, etc.)
“Secure” your code.
“Secure” your interactions.
Lock Everything…
Defense in Depth (SD, client, server)
Layers of Defense
Typical User Process Space
Stack Smashing..
Stack Code Escalation
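The two slides above name the classic stack-smashing case: a fixed-size buffer in a function's stack frame is filled by an unbounded copy, so input longer than the buffer overwrites whatever the process keeps next to it (saved registers and the return address). The following is an added example, not from the slides, showing that pattern beside a hardened version that checks the length before copying and fails closed instead of truncating silently. The buffer size is a constructed value.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 16   /* constructed buffer size for the example */

/* "Before": the stack-smashing pattern. strcpy copies until it finds the
 * NUL terminator of the source, with no knowledge of how big buf is, so
 * any name of 16 bytes or more writes past the end of buf into the
 * rest of the stack frame. Kept for contrast; never call it with
 * untrusted input. Compilers can add a canary (gcc -fstack-protector)
 * that turns the overwrite into an abort, but that is a mitigation, not
 * a fix. */
void greet_unsafe(const char *name) {
    char buf[NAME_MAX_LEN];
    strcpy(buf, name);              /* no bound check */
    printf("Hello, %s\n", buf);
}

/* Hardened: the caller passes the destination and its size, the length
 * is measured without reading past out_len bytes, over-long input is
 * rejected (fail securely) rather than cut short, and the result is
 * always NUL-terminated. Returns 0 on success, -1 on rejection. */
int greet_safe(const char *name, char *out, size_t out_len) {
    if (name == NULL || out == NULL || out_len == 0) return -1;
    size_t n = 0;
    while (n < out_len && name[n] != '\0') n++;   /* bounded scan */
    if (n == out_len) return -1;                   /* no room for '\0' */
    memcpy(out, name, n);
    out[n] = '\0';
    return 0;
}

int main(void) {
    char out[NAME_MAX_LEN];
    const char *inputs[] = { "alice", "a name that is far too long for the buffer" };
    for (size_t i = 0; i < 2; i++) {
        if (greet_safe(inputs[i], out, sizeof out) == 0)
            printf("Hello, %s\n", out);
        else
            printf("rejected input of length %zu\n", strlen(inputs[i]));
    }
    return 0;
}
```

The rejection path is deliberate: silently truncating a name can itself create a second bug (a different user or file than intended), so the hardened function reports the problem to the caller and lets the caller decide.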
Code Quality : Goals and Objectives
• One of the key goals for every dev team should be to pass fewer bugs on to QA.
• One of the key goals for every dev team should be to have fewer design bugs in production, with more of them identified during reviews.
• The number of issues identified during design and code reviews should be quantified with metrics against the total bugs for a release: how many of them were caught in Dev vs. QA, etc.
• The sign-off criteria for a build or feature should include design sign-off, code review sign-off, zero static analysis bugs, zero profiling bugs detected by the agreed-upon tool, etc.
• In fact, each sprint's definition of done should and must be enforced by quality parameters.
Valgrind: An effective memory analysis and debugging tool. It is not effective for memory analysis with static allocation, but for anything with dynamic memory allocation it is very effective. Its platform support is limited and not as extensive as Rational Purify Plus, but it is free and has lots of community and user support available.
Rational Purify Plus: Supports lots of platforms, a wealth of documentation, good support, does static analysis and dynamic analysis, and provides coverage information as well, but is a little pricey :)
Gprof with krprof: Easily usable with gcc tools on the fly, with a limited tool set. A common complaint about these tools is their excessive rate of false alarms, and that the warnings they issue do not correlate very well with real defects.
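The Valgrind note above makes a point worth showing in code: because Memcheck watches heap traffic at run time, it finds dynamic-allocation bugs only on the paths the program actually executes, and it finds nothing about statically allocated memory. The following is an added example, not from the slides, with the two most common heap mistakes it reports (an off-by-one allocation and a leak on an early-return path) next to the corrected function. Function names are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* "Before": two bugs Valgrind's Memcheck reports when this function runs
 * under it (gcc -g -O0 demo.c -o demo && valgrind --leak-check=full ./demo):
 *   - malloc(strlen(s)) leaves no room for the terminator, so the final
 *     store is one byte past the block ("Invalid write of size 1");
 *   - the early return on a bad character never frees out ("definitely
 *     lost" in the leak summary).
 * Neither is reported if the test inputs never reach those lines: that is
 * the dynamic-analysis limitation the slide describes. Kept for contrast
 * and not called. */
char *upper_dup_buggy(const char *s) {
    char *out = malloc(strlen(s));           /* off by one: no '\0' slot */
    if (out == NULL) return NULL;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (!isalnum((unsigned char)s[i]))
            return NULL;                     /* leak: out is never freed */
        out[i] = (char)toupper((unsigned char)s[i]);
    }
    out[strlen(s)] = '\0';                   /* write past the allocation */
    return out;
}

/* Fixed: size the block for the terminator, and release it on every
 * error path so ownership is clear: the caller frees a non-NULL result.
 * Returns NULL for NULL input, allocation failure, or any non-alphanumeric
 * byte. */
char *upper_dup(const char *s) {
    if (s == NULL) return NULL;
    size_t len = strlen(s);
    char *out = malloc(len + 1);
    if (out == NULL) return NULL;
    for (size_t i = 0; i < len; i++) {
        if (!isalnum((unsigned char)s[i])) {
            free(out);                       /* no leak on rejection */
            return NULL;
        }
        out[i] = (char)toupper((unsigned char)s[i]);
    }
    out[len] = '\0';
    return out;
}

int main(void) {
    const char *inputs[] = { "abc123", "ab-c" };
    for (size_t i = 0; i < 2; i++) {
        char *r = upper_dup(inputs[i]);
        if (r != NULL) {
            printf("%s -> %s\n", inputs[i], r);
            free(r);
        } else {
            printf("%s -> rejected\n", inputs[i]);
        }
    }
    return 0;
}
```

Running the fixed program under Memcheck should end with "All heap blocks were freed -- no leaks are possible" and zero errors; the value of the tool is that it checks this on the paths exercised, so the profiling sign-off criterion from the goals slide only means something when the test inputs cover the error paths too.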
To Summarize…
1. Don’t trust your inputs, don’t trust your code, and don’t trust any inputs from any source.