Presentation is loading. Please wait.

Presentation is loading. Please wait.

Presented by Heorot.net.  Understand abilities and limitations of code reviews  Identify potentially “bad” code  Identify and use code review tools.

Published byNigel Cameron Modified over 8 years ago

Similar presentations

Presentation on theme: "Presented by Heorot.net.  Understand abilities and limitations of code reviews  Identify potentially “bad” code  Identify and use code review tools."— Presentation transcript:

1 Presented by Heorot.net

2  Understand abilities and limitations of code reviews  Identify potentially “bad” code  Identify and use code review tools * We will not discuss how to exploit code, just identify weak code

3  There is a lot of code to review Nobody can review all code by themselves  You can only affect the program where the user interfaces with the application Definitely true with remote servers Mostly true with local system  You need to understand code  You need to understand how people exploit code  Understand that most coders do not know how to program securely – you become the expert  Expect a lot of False Positives

4  Code Reviews: (PenTest review) != (software development review)  Set a time limit Code reviews take a lot of time  Pair up with someone if possible  Establish very small scope  Know your threats  Obfuscation does not work Often used to hide hard-coded data

5  What can go wrong: ○ SQL injection ○ Cross-site scripting ○ Input/data validation ○ Authentication ○ Authorization ○ Sensitive data ○ Code access security ○ Exception management ○ Data access ○ Cryptography ○ Unsafe and unmanaged code use ○ Configuration ○ Threading ○ Undocumented public interfaces

6  C/C++ problems: No bound checks: ○ strcpy(), strcat(), gets(), sprintf(), scanf() family format string problems; ○ [v][f]printf(), [v]snprintf(), syslog() race conditions: ○ access(), chown(), chgrp(), chmod(), tmpfile(), tmpnam(), tempnam(), mktemp() shell metacharacter dangers: ○ exec() family, system(), popen()

7  Code scanner Manual scanning is just not practical Automated scanning often provides documentation that is usable in a write-up  Fuzzers Able to find potential exploits Reduces time spent on code reviews Does not require code to use

8  Code scanner *Fortify Static Code Analysis (SCA) ○ COBOL, Classic ASP and ColdFusion, Java,.NET, C/C++, PLSQL, TSQL and XML ○ http://www.fortify.com/products/sca/ Rough Auditing Tool for Security (RATS) ○ Scans C, C++, Perl, PHP and Python ○ http://www.fortify.com/security-resources/rats.jsp Flawfinder ○ Includes a list of other code scanner applications ○ http://www.dwheeler.com/flawfinder/ Doxygen ○ Documents code – does not scan for vulnerabilities ○ C++, C, Java, Objective-C, Python, IDL (Corba and Microsoft flavors), Fortran, VHDL, PHP, C# ○ http://www.stack.nl/~dimitri/doxygen/ *Commercial Product

9  Understand abilities and limitations of code reviews  Identify potentially “bad” code  Identify and use code review tools

Download ppt "Presented by Heorot.net.  Understand abilities and limitations of code reviews  Identify potentially “bad” code  Identify and use code review tools."

Similar presentations

Detection Scenarios ReconWeaponizationDeliverExploitationInstallationC2 Act on Objectives File File - Name URI – Domain Name URI – URL HTTP - GET HTTP.

Detection Scenarios ReconWeaponizationDeliverExploitationInstallationC2 Act on Objectives File File - Name URI – Domain Name URI – URL HTTP - GET HTTP.
Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.

Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Static Analysis of the VoteHere VHTi Reference Implementation Using Flawfinder and RATS Markus Dale December 2005.

Static Analysis of the VoteHere VHTi Reference Implementation Using Flawfinder and RATS Markus Dale December 2005.
Finding Security Errors in Java Applications Using Lightweight Static Analysis Benjamin Livshits Computer Science Lab Stanford University.

Finding Security Errors in Java Applications Using Lightweight Static Analysis Benjamin Livshits Computer Science Lab Stanford University.
August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.

August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.

ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.
University of Southern California Center for Systems and Software Engineering 1 © USC-CSSE Unified CodeCounter (UCC) with Differencing Functionality Marilyn.

University of Southern California Center for Systems and Software Engineering 1 © USC-CSSE Unified CodeCounter (UCC) with Differencing Functionality Marilyn.
Simple Source Auditing Tools Roy INSA. Outline FLAWFINDER RATS.

Simple Source Auditing Tools Roy INSA. Outline FLAWFINDER RATS.
CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.
Information Networking Security and Assurance Lab National Chung Cheng University Flawfinder.

Information Networking Security and Assurance Lab National Chung Cheng University Flawfinder.
Flawfinder N ă stase George-Daniel MSI2. About Written in python Relatively fast(examined approx. 17milion lines of code in about 6.5minutes) Extremely.

Flawfinder N ă stase George-Daniel MSI2. About Written in python Relatively fast(examined approx. 17milion lines of code in about 6.5minutes) Extremely.
Patching MIT SUS Services IS&T Network Infrastructure Services Team.

Patching MIT SUS Services IS&T Network Infrastructure Services Team.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN121051 Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.

BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.
Securing WebApps – A Survey of Vulnerabilities & Static Analysis Tools

Securing WebApps – A Survey of Vulnerabilities & Static Analysis Tools
Doxygen and Javadoc By Derzsy Noemi.

Doxygen and Javadoc By Derzsy Noemi.
Web Application Security Assessment and Vulnerability Assessment.

Web Application Security Assessment and Vulnerability Assessment.
Security Scanning OWASP Education Nishi Kumar Computer based training

Security Scanning OWASP Education Nishi Kumar Computer based training

Similar presentations

Ads by Google