Principal Consultant @ SoftwareSecured
✓ Security Code Review
✓ Penetration Testing
✓ Secure SDL Integration
✓ Application Security Training
Thursday, 9 May, 13
OWASP
Take Aways

What is Security Code Review
Effective Security Code Review Process
Key Tools to Use
Practice Security Code Review
What is this presentation not going to do?

Ground Breaking Attack\Hack\Black
New Tool
How to Fix Vulnerabilities
What IS Security Code Review?

The Inspection of Source Code to Find Security Weakness
Integrated Activity into Software Development Lifecycle
Cross-Team Integration
    Development Teams
    Security Teams
    Project\Risk Management
Security Code Review Process
Why Security Code Reviews

Effectiveness of security controls against known threats
Exercise all application execution paths
Find all instances of a certain vulnerability
The only way to find certain types of vulnerabilities
Effective remediation instructions
Reconnaissance

Primary Business Goal of the Application
Use Cases\Abuse Cases
Different User Roles
Technology Stack of the Application
Environment Discovery
Use the Application
THREAT ASSESSMENT

Process steps:
Reconnaissance
Threat Assessment
Automation
Manual Review
Confirmation & PoC
Reporting

Supporting aids:
Checklists
Tools
OWASP Top 10
OWASP
Enumerate Assets
13
Thursday, 9 May, 13
OWASP
Enumerate Threats
14
Thursday, 9 May, 13
OWASP
Enumerate Vulnerabilities OWASP Top 10
15
Thursday, 9 May, 13
OWASP
Enumerate Vulnerabilities OWASP Top 10
A1 Injection
15
Thursday, 9 May, 13
OWASP
Enumerate Vulnerabilities OWASP Top 10
A1 InjectionA2 Broken Authentication and Session Management
Automation with .NET

CAT.NET is a binary code analysis tool that helps identify common variants of certain prevailing vulnerabilities that can give rise to common attack vectors. - Microsoft

Comes with built-in rules:
Reflected Cross-Site Scripting
SQL Injection
XPath Injection
LDAP Injection
File Canonicalization Issues
Command Injection
Information Disclosure
Aviation: checklists led the evolution of modern airplanes after Major Hill's famous 1934 incident
ICU: usage of checklists brought down infection rates in Michigan by 66%
What Should a Checklist Cover?

Data Validation and Encoding Controls
Encryption Controls
Authentication and Authorization Controls
Session Management
Exception Handling
Auditing and Logging
Security Configurations
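The Automation step and the checklist slide above fit together: automated rules cover only part of the checklist, and the reviewer needs to see which areas still have to be covered by hand. The following is an added example, not code from the deck or from CAT.NET. It approximates the rule categories named on the CAT.NET slide with simple line-level regexes over a constructed C# fragment (CAT.NET itself does binary data-flow analysis; these regexes, the sample source, and the mapping of each rule to a checklist area are assumptions made for this example), then reports the findings per checklist area and lists the areas no rule touches.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Checklist areas exactly as listed on the "What Should a Checklist Cover?" slide.
CHECKLIST = [
    "Data Validation and Encoding Controls",
    "Encryption Controls",
    "Authentication and Authorization Controls",
    "Session Management",
    "Exception Handling",
    "Auditing and Logging",
    "Security Configurations",
]

# Hypothetical line-level rules written for this example. They reuse the rule
# names from the CAT.NET slide but are plain regexes over C# source text, not
# CAT.NET's data-flow analysis. Each flags a sink fed by string concatenation
# or directly by Request input: a lead for manual review, not a confirmed bug.
# The checklist area assigned to each rule is also an assumption of this example.
RULES = [
    ("SQL Injection", "Data Validation and Encoding Controls",
     re.compile(r'new\s+SqlCommand\s*\(\s*"[^"]*"\s*\+')),
    ("Reflected Cross-Site Scripting", "Data Validation and Encoding Controls",
     re.compile(r'Response\.Write\s*\(.*Request\.')),
    ("XPath Injection", "Data Validation and Encoding Controls",
     re.compile(r'SelectNodes\s*\(\s*"[^"]*"\s*\+')),
    ("LDAP Injection", "Data Validation and Encoding Controls",
     re.compile(r'\.Filter\s*=\s*"[^"]*"\s*\+')),
    ("File Canonicalization Issues", "Data Validation and Encoding Controls",
     re.compile(r'Path\.Combine\s*\(.*Request\.')),
    ("Command Injection", "Data Validation and Encoding Controls",
     re.compile(r'Process\.Start\s*\(.*\+')),
    ("Information Disclosure", "Exception Handling",
     re.compile(r'Response\.Write\s*\(.*\.StackTrace')),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    area: str
    line_no: int
    text: str


def scan(source: str) -> list[Finding]:
    """Run every rule over every line; one line may yield several findings."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for rule, area, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(rule, area, line_no, line.strip()))
    return findings


def coverage_report(findings: list[Finding]) -> dict[str, list[Finding]]:
    """Group findings by checklist area, keeping every area so gaps stay visible."""
    report = {area: [] for area in CHECKLIST}
    for finding in findings:
        report[finding.area].append(finding)
    return report


def areas_needing_manual_review() -> list[str]:
    """Checklist areas that no automated rule covers at all."""
    automated = {area for _, area, _ in RULES}
    return [area for area in CHECKLIST if area not in automated]


# Constructed C# fragment for this example only; it is not real project code.
SAMPLE_SOURCE = """\
// Constructed C# fragment for this example only, not real project code
string name = Request.QueryString["name"];
var cmd = new SqlCommand("SELECT * FROM Users WHERE Name = '" + name + "'", conn);
var safe = new SqlCommand("SELECT * FROM Users WHERE Name = @name", conn);
Response.Write("Hello " + Request.QueryString["name"]);
var nodes = doc.SelectNodes("//user[@name='" + name + "']");
searcher.Filter = "(uid=" + name + ")";
var path = Path.Combine(root, Request.QueryString["file"]);
Process.Start("cmd.exe", "/c type " + path);
try { Run(); } catch (Exception ex) { Response.Write(ex.StackTrace); }
"""

if __name__ == "__main__":
    report = coverage_report(scan(SAMPLE_SOURCE))
    for area, items in report.items():
        print(f"{area}: {len(items)} automated finding(s)")
        for item in items:
            print(f"  line {item.line_no} [{item.rule}] {item.text}")
    print("Needs manual review (no automated rule):")
    for area in areas_needing_manual_review():
        print(f"  {area}")
```

The parameterized query on line 4 of the sample produces no finding, while the concatenated one on line 3 does; the report then shows that five of the seven checklist areas have no automated rule at all, which is the part of the checklist the Manual Review step has to cover.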
References

OWASP (www.owasp.org)
Gotham Digital Science Blog (http://blog.gdssecurity.com/labs/tag/pmd)
Milad's Blog (http://miladbr.blogspot.de/2013/04/exploiting-unexploitable-dom-based-xss.html)
SQL Injection Attacks and Defenses (http://www.amazon.com/SQL-Injection-Attacks-Defense-Second/dp/1597499633)
MSDN Blogs (http://dlbmodigital.microsoft.com/ppt/DN-100225-ARevuru-1032438061-FINAL.pdf)