● Aim to identify security flaws in the application related to its features and design, along with the exact root causes.
● Verify that the proper security and logical controls are present, work as intended, and have been invoked in the right places.
● Ensure application developers are following secure development techniques.
● Combine human effort and advanced static analysis tools.
Code Review and Secure Code Review
● Secure Code Review enhances the standard Code Review practice with security considerations:
– Security standards
– Security risks in the code base
– Security context
● Reviewers must have the necessary skills and secure coding knowledge to effectively evaluate the code.
Code Review in Secure SDLC
Code Review
How Code Review Reduces Costs on Bug Fixes
[Chart: relative cost of security fixes, based on time of detection. The later a flaw is found in the lifecycle, the more it costs to fix.]
Source: The National Institute of Standards and Technology (NIST)
Method Comparison to Cover High Level Topics
[Chart: Code Review vs. Penetration Testing, each rated Good / Some / None per topic.]
Source: Code Review Guide 2.0 (Alpha Release)
Method Comparison Against OWASP Top 10 Risks
[Chart: Code Review vs. Penetration Testing, each rated Good / Some / None per OWASP Top 10 risk.]
Source: Code Review Guide 2.0 (Alpha Release)
Factors to Consider in Code Review Process
● Risks
● Purpose & Context
– A payment web application will have higher security standards than a promotional website.
● Lines of Code: the more lines, the more bugs
● Programming Language
Free Source Code Scanners
[Table remnant; the column headers were lost in extraction.] Yasca: languages HTML, JavaScript, COBOL, ColdFusion; platforms W, L (presumably Windows and Linux).
Example: SonarQube with OWASP Plugin
Let's Go Back to Basics without a Code Scanner
● Use your favorite text editor or IDE.
● A "Find in Files" feature that accepts regular expressions is recommended.
● This presentation uses Geany, a cross-platform text editor: https://www.geany.org
Review SQL Injection
● The cause of an SQL injection vulnerability is an SQL command that is constructed from untrusted input.
● The common actions on data are Create (INSERT), Read (SELECT), Update (UPDATE) and Delete (DELETE).
● SELECT/UPDATE/DELETE usually act on a subset of records chosen with WHERE, so the WHERE clause is where untrusted input most often ends up.
● Some bad code also builds column or table names dynamically; that is injectable too, and since identifiers cannot be bound as query parameters they must be checked against an allow-list.
Deliberately vulnerable example from the slide (Java; the original omitted the FROM clause, so the table name below is assumed):

    String custQuery = "SELECT custName, address1, address2, city, postalCode "
                     + "FROM customer WHERE custID = '" + request.getParameter("id") + "'";

[The slide annotates the fixed SQL text as "Code" and the concatenated request parameter as "Data"; the injection happens because the two are joined into one string before the database sees it.]
Example: Find in Files for INSERT or WHERE
1) Suspect: a query string assembled by concatenating a keyword such as INSERT or WHERE with a variable.
2) Is this an input parameter? Trace the concatenated value back to its source (request parameter, header, cookie, file, or another database value).
3) Vulnerable from calling? Check every caller: is the value validated or escaped before it reaches this point, and is the resulting query actually executed?
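The concatenated query above beside a parameterized one, as an added example that is not part of the original slides. It runs both against an in-memory SQLite table so the injection can be observed, and it also shows the allow-list check for a dynamically chosen column name, which parameters cannot protect. The table, its rows, the sort-column allow-list and the payload are constructed here; the real application's schema is not known.

```python
"""Added example: vulnerable vs. parameterized customer lookup (sqlite3)."""
import sqlite3

# Assumed allow-list for identifiers the client may choose (ORDER BY column).
ALLOWED_SORT_COLUMNS = {"custName", "city", "postalCode"}


def make_db():
    """Constructed sample data standing in for the application's customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (custID TEXT, custName TEXT, address1 TEXT, "
        "address2 TEXT, city TEXT, postalCode TEXT)"
    )
    conn.executemany(
        "INSERT INTO customer VALUES (?, ?, ?, ?, ?, ?)",
        [
            ("C001", "Alice", "1 Main St", "", "Bangkok", "10110"),
            ("C002", "Bob", "2 High St", "", "Chiang Mai", "50000"),
            ("C003", "Carol", "3 Low St", "Apt 4", "Phuket", "83000"),
        ],
    )
    return conn


def lookup_vulnerable(conn, cust_id):
    """Mirrors the slide: the untrusted id is pasted into the SQL text."""
    query = (
        "SELECT custName, address1, address2, city, postalCode "
        "FROM customer WHERE custID = '" + cust_id + "'"
    )
    return conn.execute(query).fetchall()


def lookup_safe(conn, cust_id):
    """Same query with the value bound as a parameter: the id stays data."""
    query = (
        "SELECT custName, address1, address2, city, postalCode "
        "FROM customer WHERE custID = ?"
    )
    return conn.execute(query, (cust_id,)).fetchall()


def list_sorted(conn, sort_column):
    """Dynamic identifier: cannot be bound, so it is checked against an allow-list."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unexpected sort column: %r" % sort_column)
    return conn.execute(
        'SELECT custName FROM customer ORDER BY "%s"' % sort_column
    ).fetchall()


def demo():
    """Row counts for a normal id and for a classic tautology payload."""
    conn = make_db()
    payload = "' OR '1'='1"   # constructed attacker input
    return {
        "normal_vuln": len(lookup_vulnerable(conn, "C002")),
        "normal_safe": len(lookup_safe(conn, "C002")),
        "payload_vuln": len(lookup_vulnerable(conn, payload)),  # every row leaks
        "payload_safe": len(lookup_safe(conn, payload)),        # no row matches
    }


if __name__ == "__main__":
    print(demo())
```

With the payload, the vulnerable function returns all three rows because the WHERE clause becomes `custID = '' OR '1'='1'`; the parameterized version returns none, since the whole string is compared as a literal id. The allow-list in `list_sorted` is the only defence for the "dynamic fields or tables" case the slide mentions.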
Review Remote Code Injection
● Applies to both client-side (JavaScript) and server-side (e.g. PHP) scripting.
● Search for places where data from untrusted sources could become the input of:
– eval (most scripting languages; search term: eval)
– include, require (PHP)
Review Hard-Coded Password/Encryption Key
● Hard-coded passwords or keys may compromise system security in a way that cannot be easily remedied: changing the credential requires shipping a new build, and anyone with the binary or the source can recover it.
● Developers may create a backdoor by hard-coding a username and password for a special account.
● Variables holding database or application passwords are likely to be named "password", "pass", "passwd" or "pwd". → RegEx: pass|pwd (search case-insensitively).
● Borland InterBase 4.0, 5.0 and 6.0 were found to contain a special credential: the username "politically" with password "correct" was inserted into the credential table at program startup. The fragment below builds the database parameter block with that built-in user; LOCKSMITH_USER is the compile-time constant holding the backdoor user name.

    dpb = dpb_string;
    *dpb++ = gds__dpb_version1;
    *dpb++ = gds__dpb_user_name;
    *dpb++ = strlen (LOCKSMITH_USER);
    q = LOCKSMITH_USER;
    while (*q)
        *dpb++ = *q++;
● Use of a System Output Stream
– Writing to System.out or System.err rather than through a dedicated logger.
– Such output may accidentally be returned to end users and expose sensitive information.

    public class MyClass {
        public void debug(Object message) {
            System.out.println(message);   // bypasses logger configuration and level control
        }
    }
● Logger Not Declared Static Final
– Loggers should be declared static and final, so one instance serves the class for the duration of the program.
– The following statement errantly declares a non-static logger (a new Logger reference is obtained for every instance of the class):

    private final Logger logger = Logger.getLogger(MyClass.class);
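The "Find in Files with RegEx" approach from the SQL injection, remote code injection, hard-coded password and logging sections, scripted as an added example that is not part of the original slides. It walks source text line by line and flags the patterns those sections tell a reviewer to search for; everything it reports is a suspect to be triaged by hand, not a confirmed vulnerability. The pattern set, the finding labels and the two sample source files are this example's own constructions.

```python
"""Added example: a regex triage pass over source files, in the spirit of Find in Files."""
import re

# (finding label, compiled regex).  Patterns are deliberately broad: a review
# helper should over-report and let the reviewer decide.
SUSPECT_PATTERNS = [
    # SQL keyword on a line where a string literal is then concatenated with '+'
    ("sql-concat", re.compile(r'\b(SELECT|INSERT|UPDATE|DELETE|WHERE)\b[^\n]*["\']\s*\+', re.I)),
    # eval(...) in any scripting language
    ("eval", re.compile(r'\beval\s*\(')),
    # PHP include/require whose argument starts with a variable
    ("php-include", re.compile(r'\b(include|require)(_once)?\s*\(?\s*\$')),
    # pass|pwd from the slide, narrowed to assignments of a non-empty literal
    ("hardcoded-secret", re.compile(r'(pass|pwd)\w*\s*=\s*["\'][^"\']+["\']', re.I)),
    # direct writes to System.out / System.err instead of a logger
    ("system-out", re.compile(r'\bSystem\.(out|err)\.print')),
    # a private Logger field that is not declared static
    ("nonstatic-logger", re.compile(r'^\s*private\s+(?!static\b)(final\s+)?Logger\b')),
]


def scan_text(name, text):
    """Return (file, line number, label, stripped line) for each suspect line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, rx in SUSPECT_PATTERNS:
            if rx.search(line):
                findings.append((name, lineno, label, line.strip()))
    return findings


def scan_files(files):
    """files: mapping of file name -> source text."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


# Constructed sample sources; the clean lines (prepared statement, static
# final logger) are there to show what the patterns are meant to skip.
SAMPLE_FILES = {
    "Customer.java": "\n".join([
        'String custQuery = "SELECT custName FROM customer WHERE custID = \'" + request.getParameter("id") + "\'";',
        'PreparedStatement ps = conn.prepareStatement("SELECT custName FROM customer WHERE custID = ?");',
        'private final Logger logger = Logger.getLogger(Customer.class);',
        'private static final Logger LOG = Logger.getLogger(Customer.class);',
        'System.out.println(message);',
        'String dbPassword = "s3cret";',
    ]),
    "page.php": "\n".join([
        '<?php',
        "include($_GET['page']);",
        "eval($_POST['code']);",
    ]),
}


if __name__ == "__main__":
    for name, lineno, label, line in scan_files(SAMPLE_FILES):
        print("%s:%d [%s] %s" % (name, lineno, label, line))
```

Each hit is the "1) Suspect" step of the triage; the reviewer still has to answer "is this an input parameter?" and "vulnerable from calling?" for every line reported. Tighten or loosen the regexes per code base rather than trusting a single pattern set.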