
Slide 1: The OWASP Foundation (http://www.owasp.org)
OWASP Education, Computer based training: CERT Secure Coding
Nishi Kumar, IT Architect Specialist, FIS; Chair, Software Security Forum at FIS; OWASP CBT Project Lead; OWASP Global Industry Committee
Nishi.Kumar@owasp.org
Contributor and Reviewer: Keith Turpin

Slide 2: Objectives
- Understand CERT Secure Coding
- CERT Secure Coding Standards
- Go over a few Java samples

Slide 3: CERT Secure Coding goals
- Reduce vulnerabilities resulting from coding errors
- Identify common programming errors that lead to software vulnerabilities
- Establish secure coding standards
- Educate software developers to advance the state of the practice in secure coding

Slide 4: CERT Secure Coding Standards
- Establish coding guidelines for commonly used programming languages that can be used to improve the security of software systems under development
- Based on documented standard language versions as defined by official or de facto standards organizations
- Secure coding standards are under development for:
  - The CERT C Secure Coding Standard, Version 2.0
  - The CERT C++ Secure Coding Standard
  - The CERT Oracle Secure Coding Standard for Java

Slide 5: CERT Secure Coding Standard for Java (The CERT Oracle Secure Coding Standard for Java)
- 00. Input Validation and Data Sanitization (IDS)
- 01. Declarations and Initialization (DCL)
- 02. Expressions (EXP)
- 03. Numeric Types and Operations (NUM)
- 04. Object Orientation (OBJ)
- 05. Methods (MET)
- 06. Exceptional Behavior (ERR)
- 07. Visibility and Atomicity (VNA)

Slide 6: CERT Secure Coding Standard for Java (continued)
- 08. Locking (LCK)
- 09. Thread APIs (THI)
- 10. Thread Pools (TPS)
- 11. Thread-Safety Miscellaneous (TSM)
- 12. Input Output (FIO)
- 14. Platform Security (SEC)
- 15. Runtime Environment (ENV)
- 16. Serialization (SER)
- 49. Miscellaneous (MSC)

Slide 7: IDS01-J. Sanitize untrusted data passed across a trust boundary
Noncompliant Code Example

```java
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public void doPrivilegedAction(String username, char[] password)
    throws SQLException {
  Connection connection = getConnection();
  if (connection == null) {
    // handle error
  }
  String pwd = hashPassword(password);
  // The untrusted username is concatenated straight into the query text,
  // so quote characters in it become part of the SQL statement
  String sqlString = "SELECT * FROM db_user WHERE username = '"
      + username + "' AND password = '" + pwd + "'";
  Statement stmt = connection.createStatement();
  ResultSet rs = stmt.executeQuery(sqlString);
  if (!rs.next()) {
    throw new SecurityException("User name or Password incorrect");
  }
  // Authenticated; proceed
}
```

Slide 8: IDS01-J. Sanitize untrusted data passed across a trust boundary
Compliant Solution (PreparedStatement)

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

class Login {
  public void doPrivilegedAction(String username, char[] password)
      throws SQLException {
    Connection connection = getConnection();
    if (connection == null) {
      // handle error
    }
    String pwd = hashPassword(password);
    // Ensure that the length of user name is legitimate
    if (username.length() >= 8) {
      // Handle error
    }
    // Parameter markers: the username and hash are bound as values and
    // never interpreted as SQL
    String sqlString = "select * from db_user where username= ? and password= ? ";
    PreparedStatement stmt = connection.prepareStatement(sqlString);
    stmt.setString(1, username);
    stmt.setString(2, pwd);
    ResultSet rs = stmt.executeQuery();
    if (!rs.next()) {
      throw new SecurityException("User name or Password incorrect");
    }
    // Authenticated; proceed
  }
}
```
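The slide's comment "Ensure that the length of user name is legitimate" is the only validation shown. The following is an added example, not code from the slides or from CERT, that pairs an allowlist check on the username with the parameterised query, so that the value is rejected before it reaches the database. The class name, the 32-character limit and the allowed character set are assumptions for the demonstration; `getConnection` and `hashPassword` from the slides are not needed because the caller supplies a `Connection` and an already-hashed password.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

// Added example: allowlist validation in front of a PreparedStatement.
public class LoginValidation {
  private static final int MAX_USERNAME_LENGTH = 32;      // assumed policy
  private static final Pattern USERNAME =                 // assumed allowlist
      Pattern.compile("[A-Za-z0-9._-]{1," + MAX_USERNAME_LENGTH + "}");

  // True only when the whole username matches the allowlist.
  static boolean isValidUsername(String username) {
    return username != null && USERNAME.matcher(username).matches();
  }

  // Looks the user up with bound parameters; the username text never becomes
  // part of the SQL statement, so metacharacters cannot change its structure.
  static boolean authenticate(Connection connection, String username, String hashedPassword)
      throws SQLException {
    if (!isValidUsername(username)) {
      // Reject before touching the database; same generic message as the slide
      throw new SecurityException("User name or Password incorrect");
    }
    String sql = "SELECT 1 FROM db_user WHERE username = ? AND password = ?";
    try (PreparedStatement stmt = connection.prepareStatement(sql)) {
      stmt.setString(1, username);
      stmt.setString(2, hashedPassword);
      try (ResultSet rs = stmt.executeQuery()) {
        return rs.next();
      }
    }
  }

  public static void main(String[] args) {
    // Constructed inputs: the validator runs without any database connection
    String[] samples = { "alice", "bob.smith", "a'b", "x\u0000y", "", "a".repeat(33) };
    for (String s : samples) {
      System.out.printf("%-40s -> %s%n", "\"" + s + "\"",
          isValidUsername(s) ? "accepted" : "rejected");
    }
  }
}
```

The validator runs stand-alone; `authenticate` needs a JDBC `Connection` to a database that has the `db_user` table from the slide. Note that the allowlist is defence in depth: the parameter binding alone already keeps the query structure fixed, and the allowlist additionally keeps unexpected characters out of downstream logs and displays.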

Slide 9: ERR02-J. Prevent exceptions while logging data
Noncompliant Code Example

```java
try {
  // ...
} catch (SecurityException se) {
  System.err.println(se);
  // Recover from exception
}
```

Writing such exceptions to the standard error stream is inadequate for logging purposes.

Slide 10: ERR02-J. Prevent exceptions while logging data
Compliant Solution

```java
import java.util.logging.Level;
import java.util.logging.Logger;
// ...
try {
  // ...
} catch (SecurityException se) {
  // java.util.logging has no log(Level, Throwable) overload; pass a message
  // together with the exception so the stack trace is attached to the record
  logger.log(Level.SEVERE, "Security exception", se);
  // Recover from exception
}
```
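To show what the logger call above actually preserves compared with `System.err.println`, here is an added example (not from the slides or from CERT) that logs a `SecurityException` through `java.util.logging` and inspects the resulting `LogRecord` with a small in-memory `Handler` written for this demonstration. The class names and the failing operation are constructed for the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;

// Added example: the exception object travels with the log record.
public class ExceptionLogging {
  // Collects records in memory; stands in for a file or SIEM handler
  static final class CapturingHandler extends Handler {
    final List<LogRecord> records = new ArrayList<>();
    @Override public void publish(LogRecord r) { records.add(r); }
    @Override public void flush() {}
    @Override public void close() {}
  }

  static final Logger logger = Logger.getLogger(ExceptionLogging.class.getName());

  // Constructed operation that always fails so the catch block runs
  static void privilegedOperation() {
    throw new SecurityException("permission denied for constructed demo action");
  }

  // Runs the operation, logs the failure, and returns the captured record
  static LogRecord runAndLog(CapturingHandler handler) {
    logger.setUseParentHandlers(false); // keep demo output off System.err
    logger.addHandler(handler);
    try {
      privilegedOperation();
    } catch (SecurityException se) {
      // Fixed message text; level, timestamp, source and stack trace come
      // from the record and the Throwable, not from string formatting
      logger.log(Level.SEVERE, "Security exception during privileged operation", se);
      // Recover from exception
    } finally {
      logger.removeHandler(handler);
    }
    return handler.records.isEmpty() ? null : handler.records.get(0);
  }

  public static void main(String[] args) {
    LogRecord record = runAndLog(new CapturingHandler());
    System.out.println("level    : " + record.getLevel());
    System.out.println("message  : " + record.getMessage());
    System.out.println("thrown   : " + record.getThrown());
    System.out.println("frames   : " + record.getThrown().getStackTrace().length);
    System.out.println("source   : " + record.getSourceClassName() + "." + record.getSourceMethodName());
  }
}
```

The printed `frames` count is non-zero because the `Throwable` is attached to the record; a `println` of the exception would have kept only its `toString()` text, and the level, source method and timestamp that a handler or SIEM filters on would be lost.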

Slide 11: MSC11-J. Address the shortcomings of the Singleton design pattern
Noncompliant Code Example

```java
class MySingleton {
  private static MySingleton Instance;

  // The constructor is protected, not private: a subclass can call it and
  // create further instances
  protected MySingleton() {
    Instance = new MySingleton();
  }

  public static synchronized MySingleton getInstance() {
    return Instance;
  }
}
```

Slide 12: MSC11-J. Address the shortcomings of the Singleton design pattern
Compliant Solution

```java
class MySingleton {
  private static final MySingleton Instance = new MySingleton();

  private MySingleton() {
    // private constructor prevents instantiation by untrusted callers
  }

  public static synchronized MySingleton getInstance() {
    return Instance;
  }
}
```
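The private constructor closes the subclassing hole from slide 11, but a singleton can still be duplicated through Java serialization or cloning. The following is an added example, not code from the slides or from CERT, of a singleton hardened against those two paths as well, with a self-check that round-trips the instance through serialization. The class name and the `Serializable` requirement are assumptions for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamException;
import java.io.Serializable;

// Added example: singleton that survives serialization and refuses cloning.
public final class HardenedSingleton implements Serializable {
  private static final long serialVersionUID = 1L;
  private static final HardenedSingleton INSTANCE = new HardenedSingleton();

  // final class + private constructor: no subclass, no direct construction.
  // The guard also stops a second reflective construction after class init.
  private HardenedSingleton() {
    if (INSTANCE != null) {
      throw new IllegalStateException("singleton already created");
    }
  }

  public static HardenedSingleton getInstance() { return INSTANCE; }

  // Deserialization would otherwise build a fresh object; return the
  // canonical instance instead.
  private Object readResolve() throws ObjectStreamException { return INSTANCE; }

  // Refuse cloning even if a caller reaches Object.clone() reflectively.
  @Override protected Object clone() throws CloneNotSupportedException {
    throw new CloneNotSupportedException("singleton");
  }

  // Round-trips the instance through serialization and reports whether the
  // object that comes back is the same one that went in.
  static boolean survivesSerialization() throws IOException, ClassNotFoundException {
    ByteArrayOutputStream bytes = new ByteArrayOutputStream();
    try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
      out.writeObject(getInstance());
    }
    try (ObjectInputStream in =
             new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
      return in.readObject() == getInstance();
    }
  }

  public static void main(String[] args) throws Exception {
    System.out.println("same instance after deserialization: " + survivesSerialization());
  }
}
```

Removing `readResolve` and rerunning makes the check print `false`, which is the duplicate-instance problem the rule warns about. An `enum` with a single constant gives the same guarantees with less code and is the usual recommendation where an enum fits.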

Slide 13: TSM00-J. Do not override thread-safe methods with methods that are not thread-safe
Noncompliant Code Example

```java
class Base {
  public synchronized void doSomething() {
    // ...
  }
}

class Derived extends Base {
  @Override
  public void doSomething() { // synchronized dropped: Base's guarantee is lost
    // ...
  }
}
```

Slide 14: TSM00-J. Do not override thread-safe methods with methods that are not thread-safe
Compliant Solution

```java
class Base {
  public synchronized void doSomething() {
    // ...
  }
}

class Derived extends Base {
  @Override
  public synchronized void doSomething() {
    // ...
  }
}
```
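The slides leave the method bodies empty, so the consequence of dropping `synchronized` is not visible. As an added example (not from the slides or from CERT), the harness below gives `doSomething` a shared counter, overrides it both ways, and drives each variant from several threads; the thread and iteration counts are constructed for the demonstration.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;

// Added example: lost updates when an override drops the parent's lock.
public class OverrideRace {
  static class Base {
    protected int count;
    public synchronized void doSomething() { count++; }
    public synchronized int getCount() { return count; }
  }

  // Noncompliant: count++ is read, add, write; without the lock two threads
  // can read the same value and one increment is lost
  static class UnsafeDerived extends Base {
    @Override public void doSomething() { count++; }
  }

  // Compliant: keeps the locking contract callers of Base rely on
  static class SafeDerived extends Base {
    @Override public synchronized void doSomething() { count++; }
  }

  static final int THREADS = 4, PER_THREAD = 200_000; // constructed workload

  // Runs THREADS * PER_THREAD increments against target and returns the total.
  static int run(Base target) throws InterruptedException {
    ExecutorService pool = Executors.newFixedThreadPool(THREADS);
    for (int t = 0; t < THREADS; t++) {
      pool.execute(() -> {
        for (int i = 0; i < PER_THREAD; i++) target.doSomething();
      });
    }
    pool.shutdown();
    pool.awaitTermination(1, TimeUnit.MINUTES);
    return target.getCount();
  }

  public static void main(String[] args) throws InterruptedException {
    int expected = THREADS * PER_THREAD;
    System.out.println("expected      : " + expected);
    System.out.println("UnsafeDerived : " + run(new UnsafeDerived())
        + "  (typically below expected: lost updates)");
    System.out.println("SafeDerived   : " + run(new SafeDerived()));
  }
}
```

The unsafe total varies from run to run and is usually short of the expected value; the safe variant always reaches it. The point of TSM00-J is that code written against `Base` cannot tell which subclass it received, so the override must keep the same guarantee.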

Slide 15: MSC02-J. Generate strong random numbers
Noncompliant Code Example

```java
import java.util.Random;
// ...
// Seeded with a constant, so the sequence is the same on every run
Random number = new Random(123L);
// ...
for (int i = 0; i < 20; i++) {
  // Generate another random integer in the range [0, 20]
  int n = number.nextInt(21);
  System.out.println(n);
}
```

Slide 16: MSC02-J. Generate strong random numbers
Compliant Solution

```java
import java.security.SecureRandom;
import java.security.NoSuchAlgorithmException;
// ...
public static void main(String[] args) {
  try {
    SecureRandom number = SecureRandom.getInstance("SHA1PRNG");
    // Generate 20 integers 0..20
    for (int i = 0; i < 20; i++) {
      System.out.println(number.nextInt(21));
    }
  } catch (NoSuchAlgorithmException nsae) {
    // Forward to handler
  }
}
```
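Why the seeded `Random` on slide 15 is unsuitable is easiest to see side by side: two generators built from the same seed emit identical sequences. The following is an added example (not from the slides or from CERT) that demonstrates this and then draws a session token from `SecureRandom`. It uses the default `new SecureRandom()` rather than naming "SHA1PRNG", which is a choice made here, not on the slides; the 32-byte token length is an assumed policy.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Random;

// Added example: reproducible seeded Random versus a SecureRandom token.
public class TokenGeneration {
  static final int TOKEN_BYTES = 32; // assumed policy

  // Two java.util.Random instances with the same seed yield the same
  // sequence: whoever knows the seed knows every "random" value.
  static boolean seededRandomIsReproducible(long seed) {
    Random a = new Random(seed), b = new Random(seed);
    int[] fromA = new int[20], fromB = new int[20];
    for (int i = 0; i < 20; i++) {
      fromA[i] = a.nextInt(21);
      fromB[i] = b.nextInt(21);
    }
    return Arrays.equals(fromA, fromB); // true
  }

  // SecureRandom seeds itself from the platform entropy source; the caller
  // supplies no seed. URL-safe Base64 keeps the token usable in cookies.
  static String newSessionToken(SecureRandom rng) {
    byte[] raw = new byte[TOKEN_BYTES];
    rng.nextBytes(raw);
    return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
  }

  public static void main(String[] args) {
    System.out.println("seeded Random reproducible: " + seededRandomIsReproducible(123L));
    SecureRandom rng = new SecureRandom();
    System.out.println("token 1: " + newSessionToken(rng));
    System.out.println("token 2: " + newSessionToken(rng));
  }
}
```

Each run prints `true` for the seeded generator and two different tokens for `SecureRandom`. Reusing one `SecureRandom` instance across calls, as `main` does, is the normal pattern; constructing a new one per request is unnecessary.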

Slide 17: References

CERT - www.cert.org
The CERT® Program is part of the Software Engineering Institute (SEI). CERT's primary objectives include analyzing and communicating the state of internet security through its US-CERT Vulnerability Notes Database and improving software security with its secure coding practices publications.

US-CERT Vulnerability Notes Database - http://www.kb.cert.org/vuls/
CERT Secure Coding Practices - http://www.cert.org/secure-coding/
