GME Code Review Approach

Apr 05, 2018

Salil Kumar
  • 8/2/2019 GME Code Review Approach

  • Agenda

    1 About Green Method

    2 Industry Credentials

    3 Green Method Services

    4 Green Method Approach

    5 Examples

  • About Green Method

    FZE company based out of UAE, invested in by the experienced information security organization Secureyes.

    All projects delivered by expert consultants with varied experience, from 3 years to 15 years.

    Have a resource center in India (Secureyes) that houses about 30 information security consultants.

    Green Method is a co-invested partner of SecurEyes, India. SecurEyes acts as the technology and resource hub for all the MENA & Indian operations. SecurEyes specializes in Information Security Services delivery. Founded in 2004, SecurEyes comprises a group of dedicated information security professionals from different domains. SecurEyes is based in Bangalore and has done several information security projects in India, the Middle East, Africa and the United States of America.

  • Industry Credentials

    Our Consultants have:

    Vast experience in providing information security consulting services for large banks, telecom and government organizations in the Middle East and Africa region.

    Conducted end to end risk assessments for multiple multinational banks across the globe.

    Audited 500+ business critical applications.

    Trained over 3000 software developers on secure coding practices.

    Empanelled by CERT-IN, Ministry of Communications & Information Technology, Government of India as IT Security Auditors.

    Actively involved in R&D activities and have been speaking at well known security conferences.

    Developed in-house security tools in collaboration with Foundstone (HACKME Bank version 1 has seen more than a million downloads).

    Actively involved in web-based malware research activities to identify, detect and clean malware from websites. Have developed proprietary tools to continuously monitor the web sites of our customers.

  • Green Method Services

    Governance

      IT Strategy Development

      IT Governance Design

      IT Strategy Planning

      Enterprise IT Architecture Development

      Enterprise Performance Management

      Balanced Score Card Implementation

    Risk Management

      Business Continuity Management

      Information Security Risk Management

      Disaster Recovery Planning

      Ethical Hacking

      ERP / Applications Business Control Audit

      VOIP Risk Assessment

      GSM Risk Assessment

    Compliance

      ISO 27001 based ISMS build and accreditation assistance

      ISO 20000 based ITSM system build and accreditation assistance

      BS 25999 based BCMS system build and accreditation assistance

      Payment Card Industry Data Security Standards (PCI-DSS) Compliance Facilitation

  • Sample Projects

    ISMS

    Application Audit

    VA & PT

    Secure Code Review

    IT Strategy Development

    IT Governance Framework Design

    Balanced Score Card Implementation / Performance Measurement

    Enterprise Risk Assessments

    Client Domains

      Banking & Finance

      Multi Business Conglomerates

      Retail

      IT Companies

      Government

    A few of Our Clients

  • Green Method Approach

    Application Understanding & Architecture Analysis

    Application Threat Profiling

    Application Code Review

    Report Documentation

    Confirmation Review

    Industry Best Practices and Standards Compliance: OWASP, ISECOM

  • Application Understanding & Architecture Analysis

    Gain thorough application understanding using:

      Available documentation

      Application walk through

      Development team interviews etc.

    Learn the application architecture through:

      Available documentation

      Meetings / discussions with developers

    Develop understanding of the different component modules in the application along with their dependencies

    Study all application interfaces

    Study custom communication protocols, if any

  • Application Threat Profiling

    Threat profiling

      Listing the threats the application may be exposed to

      Mapping threats to different modules

      Develop module-wise test plan for code review

    Prioritizing

      Critical application modules

      Interface layers

  • Application Code Review

    Manual review of the application code

    Identification of insecure coding issues

    Discovering and categorizing replicated vulnerable code throughout the application

    Carrying out exploit simulation for vulnerabilities found in manual code review

    Documenting vulnerable code snippets

  • Code Review - Sample Areas

    1 Authentication: Password complexity, susceptibility to brute forcing, account lockout on incorrect login attempts, user name harvesting, stealing of passwords locally, login error messages, password policy, SQL injection, etc.

    2 Authorization: Insecure session management, secure cookie use, caching, user tracking logic, susceptibility to session hijacking / session replay attacks

    3 Information Leakage: Review HTML page source code for revision history, developer comments, e-mail addresses, internal host information, hidden form fields, error messages

    4 Field Variable Control: Buffer overflow, SQL injection, cross site scripting, system calls, URL re-writing

    5 Session Time-out and Log-out: Cookie invalidation, whether multiple logins are allowed for a single user, reusing older credentials to gain access, secure logout mechanism, session fixation, session riding

  • Code Review Sample

    Technical Risks Covered

    Input data validation

    SQL injection

    XSS attacks

    Authentication & authorization of users

    Improper session management

    Improper error handling

    Weak cryptography implementation

    Insecure configuration management

    Improper handling of sensitive data

    Hard coded secrets

    Weak auditing & logging mechanisms

    Insecure developer comments

  • Code Review

    Sample Specific Checks

    Input data validation

      Server side validations for SQL injection, XSS, business rules, etc.

      Data type, length & format checking

      White list validation

      Sanitization

    Authentication

      CAPTCHA / Account lock out

      Use of salted one way hash
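    The following Python block is an added illustration, not code from the Green Method deck, of three checks named on the Sample Areas and Sample Specific Checks slides: a server-side whitelist on a username field (type, length and format), a parameterized query in place of string concatenation, and a salted one-way password hash compared in constant time. The username policy, the PBKDF2 round count and the in-memory SQLite user table are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Assumed whitelist policy: 3-32 characters of letters, digits, dot or underscore.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._]{3,32}$")
PBKDF2_ROUNDS = 200_000  # assumed work factor for the example


def validate_username(value):
    """Server-side whitelist check on type, length and format (reject, don't repair)."""
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def hash_password(password, salt=b""):
    """Salted one-way hash (PBKDF2-HMAC-SHA256). Returns (salt, digest)."""
    salt = salt or os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def make_db():
    """Constructed in-memory user store holding one sample account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    salt, digest = hash_password("correct horse battery staple")
    db.execute("INSERT INTO users VALUES (?, ?, ?)", ("alice", salt, digest))
    return db


def login(db, username, password):
    """Whitelist-validate input first, then look the user up with a bound parameter.

    The query text never includes user input, so no SQL syntax from the
    username reaches the database engine.
    """
    if not validate_username(username):
        return False
    row = db.execute("SELECT salt, digest FROM users WHERE name = ?", (username,)).fetchone()
    if row is None:
        return False
    return verify_password(password, row[0], row[1])
```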

  • Reporting

    Final report with security risks, impact and solutions

    All vulnerable code is depicted using appropriate screen shots

    Presentation / call with developers to explain exploit scenarios

    Detailed report containing:

      Separate executive and technical sections

      Prioritized results

      Risks described in terms of real business risk!

      Details of vulnerabilities / holes discovered in code

      Step-by-step description of insecure code and possible exploits

      No false positives

      Practicable recommendations

  • Confirmatory Review

    Post implementation review

    Black box penetration testing

    Ensuring all holes have been plugged by the development team

  • Benefits of Code Review

    Detailed knowledge of the application at the following levels:

      Design

      Architecture

      Source Code

    Internal behavior of the program is completely understood

    Best approach for identifying all potential threats

    Fool-proof method of securing applications

    Identifies even the most remote application security holes

  • Benefits of Code Review

    Detect Insecure Coding Flaws

      Discover common security issues in code

      Identify uncommon security loopholes - even deep inside the code

    Spot Insecure Logical Flaws

      Identify code that flouts business rules

      Identify workflow bypass issues

    Discover potential backdoors in code

      Discover backdoors purposefully inserted by developers

    Gain 360° security of the application

  • Example: SQL Injection

  • Example: Weak Input Validation

  • Example: Improper Error Handling

  • Thank You