Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Published byKylie Coughlin Modified over 10 years ago

Similar presentations

Presentation on theme: "Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP."— Presentation transcript:

1 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP EU09 Poland http://www.owasp.org The Owasp Source code flaws Top 10 Project Paolo Perego Owasp SCf_Top10 Project leader Spike Reply thesp0nge@owasp.org

2 2 OWASP AppSecEU09 Poland Agenda Why do we need another Top 10 The source code flaws top 10

3 3 OWASP AppSecEU09 Poland $ whoami Senior consultant @ Spike Reply srl Offense (Application penetration test) Defense Application Security Code review SSDLC design Owasp project leader Owasp Orizon Owasp Source code flaws Top 10 Owasp Italy board member

4 4 OWASP AppSecEU09 Poland Do we need another Top 10?

5 5 OWASP AppSecEU09 Poland Why do we need another Top 10 Owasp Top 10 is great to describe what is wrong with a web application when dynamically tested Stuff like CWE are great to categories vulnerabilities Source code flaws Top 10 was born to: make a pair with classic Owasp Top 10 document give Owasp Code review guide, Owasp Orizon, Owasp Code Crawler a way to summarize flaws in a web application is statically analyzed Categories != Vulnerabilities

6 6 OWASP AppSecEU09 Poland The Source code flaws top 10 C1 - Design Weakness C2 - Architectural Weakness C3 - Missing input validation C4 - Insecure communications C5 - Information leakage and improper error handling C6 - Direct object reference C7 - Misuse of local resources C8 - Usage of potentially dangerous APIs C9 - Documentation weakness C10 - Best practices violation

7 7 OWASP AppSecEU09 Poland The SCF Top 10: C1 - Design Weakness Safe coding starts from designing an application with security in mind Safe design starts with a threat modeling activity and continues with designing classes and database schema Can reveal SDLC workflow weakness A design weakness can be detected in early stage of SDLC, prior development starts It addresses how the application is designed

8 8 OWASP AppSecEU09 Poland The SCF Top 10: C1 - Design Weakness Can be a design weakness missing threat modeling no questionnaire is submitted to customer no extra care is taken for sensitive data stored in a database a class field scope is public two or more main methods are present in different application classes duplicated functionalities are present in application design...

9 9 OWASP AppSecEU09 Poland The SCF Top 10: C2 - Architectural Weakness With the word architecture we talk about the underlying application server / operating system auxiliary systems such as Mail server, DNS server,... the overall application subsystems and how they are connected Can reveal SDLC workflow weakness An architectural weakness can be detected in early stage of SDLC, prior development starts It addresses how the architecture is built

10 10 OWASP AppSecEU09 Poland The SCF Top 10: C2 - Architectural Weakness Can be an architectural weakness no hardening guidelines are expected to be applied for operating system, DBMS, mail server,... architecture is designed by the developers themselves...

11 11 OWASP AppSecEU09 Poland The SCF Top 10: C3 - Missing input validation The category that gather together the first two points of the Owasp Top 10 (Cross site scripting, Injection flaws) There is an input vs output debate Can be a missing input validation when there is not a data filtering policy to be applied when managing user supplied data, then can input filtering is not centralized Most risky vulnerabilities are here

12 12 OWASP AppSecEU09 Poland The SCF Top 10: C4 - Insecure communications Match the correspondent Classic Top 10 voice to the source code side Doesnt care for invalid certificate, we care how communication APIs are used Easy to spot with a code crawling Can be an insecure communication vulnerability missing cryptography usage usage of weak function such as MD5 or SHA1 missing secure attribute for cookies...

13 13 OWASP AppSecEU09 Poland The SCF Top 10: C5 - Information leakage and improper error handling Match the correspondent Classic Top 10 voice to the source code side To avoid false positives, a manual code review can be better to spot these vulnerabilities It will be evaluated how in the code are managed: error conditions exceptions log / debug messages database data

14 14 OWASP AppSecEU09 Poland The SCF Top 10: C5 - Information leakage and improper error handling Can be an info leakage and improper error handling using System.out or System.err in a J2EE application empty catch block not all exceptions are caught method return value is ignored no checks performed over methods parameters (to spot null values)...

15 15 OWASP AppSecEU09 Poland The SCF Top 10: C6 - Direct object reference Match the correspondent Classic Top 10 voice to the source code side No magic here Easy to spot with a manual review

16 16 OWASP AppSecEU09 Poland The SCF Top 10: C7 - Misuse of local resources Often code doesnt handle OS resources fairly Resources that can be misused are disk space memory cpu time Can be a misuse of local resources not checking for available disk space prior I/O not freeing your m-allocated() memory spawning too much processes double free()...

17 17 OWASP AppSecEU09 Poland The SCF Top 10: C8 - Usage of potentially dangerous APIs Ideal to match source code crawling findings Known frameworks, languages potentially dangerous keywords should not to be used Can be detected with a blind code crawl (potentially with some false positives) a code crawl adding inference to the arguments passed to the keyword Should be marked as low critical vulnerability unless manually reviewed

18 18 OWASP AppSecEU09 Poland The SCF Top 10: C9 - Documentation weakness Yes... were lazy and we love coding instead of writing documentation Look at the Orizon code... I know what I say (is it correct Dinis? :-)) A documentation weakness can be missing documentation in the code, it is easy to spot automatically poor documentation in the code, it is easy to spot with a manual review with the code the developer that wrote it missing or non suitable documentation used in the SDLC...

19 19 OWASP AppSecEU09 Poland The SCF Top 10: C10 - Best practices violation The garbage collector vulnerability category All the issues not included in other 9 categories falls here It addresses missing or violated best practices normally applied to source code or to SDLC process

20 20 OWASP AppSecEU09 Poland Some key values before we leave... Venerable Owasp Top 10 doesnt fit very well code review findings This Top 10 can be a glue between Code Review and Testing guide We dont want to enumerate checks to be done keywords to avoid these are already there in the Testing and Code review guide Just flaws categories

21 21 OWASP AppSecEU09 Poland Before we leave Thanks to OWASP the Italian chapter and its board the mailing list gang my Mom my Wife

22 22 OWASP AppSecEU09 Poland Some link Owasp Source Code Flaws Top 10 link Homepage: http://www.owasp.org/index.php/OWASP_Source_Co de_Flaws_Top_10_Project_Index http://www.owasp.org/index.php/OWASP_Source_Co de_Flaws_Top_10_Project_Index

Download ppt "Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP."

Similar presentations

Error-Tolerant Password Recovery Niklas Frykholm and Ari Juels RSA Laboratories.

Error-Tolerant Password Recovery Niklas Frykholm and Ari Juels RSA Laboratories.
Copyright © 2003 Pearson Education, Inc. Slide 7-1 The Web Wizards Guide to PHP by David Lash.

Copyright © 2003 Pearson Education, Inc. Slide 7-1 The Web Wizards Guide to PHP by David Lash.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
OWASP Application Security Verification Standard 2009

OWASP Application Security Verification Standard 2009
The 4 T’s of Test Automation:

The 4 T’s of Test Automation:
Copyright © 2003 Pearson Education, Inc. Slide 1-1 The Web Wizards Guide to PHP by David A. Lash.

Copyright © 2003 Pearson Education, Inc. Slide 1-1 The Web Wizards Guide to PHP by David A. Lash.
Chapter 7 Constructors and Other Tools. Copyright © 2006 Pearson Addison-Wesley. All rights reserved. 7-2 Learning Objectives Constructors Definitions.

Chapter 7 Constructors and Other Tools. Copyright © 2006 Pearson Addison-Wesley. All rights reserved. 7-2 Learning Objectives Constructors Definitions.
Foundations of Relational Implementation (1) IS 240 – Database Management Lecture #13 – 2004-04-01 Prof. M. E. Kabay, PhD, CISSP Norwich University

Foundations of Relational Implementation (1) IS 240 – Database Management Lecture #13 – Prof. M. E. Kabay, PhD, CISSP Norwich University
1 Copyright © 2010, Elsevier Inc. All rights Reserved Fig 2.1 Chapter 2.

1 Copyright © 2010, Elsevier Inc. All rights Reserved Fig 2.1 Chapter 2.
© 2006 Open Grid Forum GGF18, 13th September 2006 OGSA Data Architecture Scenarios Dave Berry & Stephen Davey.

© 2006 Open Grid Forum GGF18, 13th September 2006 OGSA Data Architecture Scenarios Dave Berry & Stephen Davey.
IT203 Unit 9: Database Security II Is It Secure? Copyright © 2012 Pearson Education, Inc. Publishing as Prentice HallChapter8.1.

IT203 Unit 9: Database Security II Is It Secure? Copyright © 2012 Pearson Education, Inc. Publishing as Prentice HallChapter8.1.
0 - 0.

0 - 0.
DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.

DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
Addition Facts 1 - 20.

Addition Facts
Construction process lasts until coding and testing is completed consists of design and implementation reasons for this phase –analysis model is not sufficiently.

Construction process lasts until coding and testing is completed consists of design and implementation reasons for this phase –analysis model is not sufficiently.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Configuration management

Configuration management
Software change management

Software change management
Software testing.

Software testing.
How to Navigate the IFPUG Member Services Area 1.

How to Navigate the IFPUG Member Services Area 1.

Similar presentations

Ads by Google