6-Points Strategy to Get Your Application in Security Shape
Sherif Koussa
OWASP Ottawa Chapter Leader
Static Analysis Technologies Evaluation Criteria Project Leader
Application Security Specialist - Software Secured
Software Secured
Bio
The 6 Points Strategy to Get Your Applications Back in Top Security Shape...
1. DRASTIC CHANGES NEED DRASTIC MEASURES!
Get to the bottom of things quickly!
Why Security Code Reviews:
Effectiveness of Security Controls Against Known Threats
Testing All Application Execution Paths
Find All Instances of a Certain Vulnerability
The Only Way to Find Certain Types of Vulnerabilities
Effective Remediation Instructions
2. COVER THE BASICS FIRST
Don’t run before you can walk!
OWASP Top 10 - 2010                                   OWASP Top 10 - 2013
A1.  Injection                                        A1.  Injection
A2.  Cross-Site Scripting                             A2.  Broken Authentication and Session Management
A3.  Broken Authentication and Session Management     A3.  Cross-Site Scripting
A4.  Insecure Direct Object References                A4.  Insecure Direct Object References
A5.  Cross-Site Request Forgery                       A5.  Security Misconfiguration
A6.  Security Misconfiguration                        A6.  Sensitive Data Exposure
A7.  Insecure Cryptographic Storage                   A7.  Missing Function Level Access Control
A8.  Failure to Restrict URL Access                   A8.  Cross-Site Request Forgery
A9.  Insufficient Transport Layer Protection          A9.  Using Known Vulnerable Components
A10. Unvalidated Redirects and Forwards               A10. Unvalidated Redirects and Forwards
Legend (slide colour coding): 2010 (unchanged), Modified, New
3. FOCUS ON WHAT MATTERS!
Really...focus on what matters!
Effective Application Security Assessment Process
Reconnaissance
Threat Assessment
Reporting
Security Skills
Checklist
Tools
Confirmation & PoC
Automation
Manual Review
4. GET YOUR HANDS DIRTY!
No pain...no gain...
What Needs Manual Review?
This REALLY Matters!
Authentication & Authorization Controls
Encryption Modules
File Upload and Download Operations
Validation Controls / Input Filters
Security-Sensitive Application Logic
Authentication and Authorization Controls
WebMethods Don’t Follow the Regular ASP.net Page Lifecycle
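The point behind this slide is that an ASP.NET AJAX page method (a static method marked [WebMethod] on a page, called through ScriptManager page methods) is invoked without the page's lifecycle events, so an authorization check that lives only in Page_Load never runs for it. The following code-behind is an added illustration written for this write-up, not code from the talk; the page name, the "Admin" role, the DeleteUser method and the UserStore helper are all hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Web;
using System.Web.Services;
using System.Web.UI;

// Hypothetical stand-in for the application's data access layer.
public static class UserStore
{
    public static readonly HashSet<string> Deleted = new HashSet<string>();
    public static void Delete(string userName) { Deleted.Add(userName); }
}

// Hypothetical code-behind for AdminPage.aspx (added example, not from the talk).
public partial class AdminPage : Page
{
    // Authorization check in Page_Load: executes for ordinary GET/POST requests
    // to the page, because those go through the full page lifecycle.
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!User.IsInRole("Admin"))
        {
            throw new SecurityException("Admin role required");
        }
    }

    // Vulnerable: a page method is a static call dispatched by the AJAX
    // infrastructure; Page_Load never fires for it, so the check above is skipped
    // and any authenticated (or, depending on configuration, anonymous) caller
    // reaches the data layer.
    [WebMethod]
    public static string DeleteUserUnchecked(string userName)
    {
        UserStore.Delete(userName);
        return "deleted";
    }

    // Fixed: the page method enforces authorization itself from the current
    // request context, since nothing else on the page runs on its behalf.
    [WebMethod]
    public static string DeleteUser(string userName)
    {
        var principal = HttpContext.Current.User;
        if (principal == null
            || !principal.Identity.IsAuthenticated
            || !principal.IsInRole("Admin"))
        {
            throw new SecurityException("Admin role required");
        }
        UserStore.Delete(userName);
        return "deleted";
    }
}
```

During a manual review of authentication and authorization controls, this is why every [WebMethod], handler (.ashx) and web-service entry point is inspected on its own: the lifecycle-based checks that protect the page's normal post-backs cannot be assumed to cover them.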
Encryption Modules
There is a possibility of returning empty hashes on error
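The failure mode this slide refers to is a hashing helper that swallows exceptions and returns an empty string, so that a later comparison succeeds whenever both sides are empty (for example a record whose stored digest was never populated, or two calls that both failed). The following is an added example written for this write-up, not the talk's code; the HashModule class name and the constructed scenario in HashDemo are assumptions. CryptographicOperations.FixedTimeEquals requires .NET Core 2.1 / .NET Standard 2.1 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration (not from the talk): the same digest helper in its
// fail-open and fail-closed forms.
public static class HashModule
{
    // Vulnerable pattern: every failure is swallowed and an empty string is
    // returned, so a comparison against an empty or unset stored value passes
    // without a real digest ever being computed.
    public static string HashUnsafe(string input)
    {
        try
        {
            using (var sha = SHA256.Create())
            {
                byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(input));
                return Convert.ToBase64String(digest);
            }
        }
        catch (Exception)
        {
            return string.Empty;   // fails open
        }
    }

    // Fixed: invalid input is rejected and any other error propagates to the
    // caller (fail closed); the function never returns an empty digest.
    public static string Hash(string input)
    {
        if (input == null) throw new ArgumentNullException(nameof(input));
        using (var sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(input));
            return Convert.ToBase64String(digest);
        }
    }

    // Comparison that refuses empty values on either side and runs in
    // constant time, so a missing stored digest can never match.
    public static bool DigestsMatch(string stored, string computed)
    {
        if (string.IsNullOrEmpty(stored) || string.IsNullOrEmpty(computed))
        {
            return false;
        }
        byte[] a = Encoding.UTF8.GetBytes(stored);
        byte[] b = Encoding.UTF8.GetBytes(computed);
        return CryptographicOperations.FixedTimeEquals(a, b);
    }
}

public static class HashDemo
{
    public static void Main()
    {
        // Constructed scenario: a record whose stored digest is empty.
        string storedHash = "";

        // Null input makes HashUnsafe throw internally and return "", so the
        // naive equality check passes: prints True.
        Console.WriteLine(storedHash == HashModule.HashUnsafe(null));

        // The hardened comparison refuses the empty stored value: prints False.
        Console.WriteLine(HashModule.DigestsMatch(storedHash, HashModule.Hash("token")));
    }
}
```

When reviewing an encryption or hashing module, the check is the same as the demo above: trace every catch block and every early return, and confirm that no path hands back an empty, default or partially computed value that a comparison elsewhere would accept.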
Security Controls
Directory traversal is possible on post-back.
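"Directory traversal on post-back" describes a download or upload button whose server-side handler takes a file name from a posted form field and joins it onto a base directory without canonicalising the result. The following code-behind is an added example written for this write-up, not the talk's code; the page name, the hdnFileName hidden field, the button handlers and the Uploads directory path are assumptions.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.UI;

// Hypothetical code-behind for DownloadPage.aspx (added example, not from the talk).
public partial class DownloadPage : Page
{
    // Assumed location of user-uploaded files.
    private const string BaseDir = @"C:\inetpub\AcmePortal\Uploads\";

    // Vulnerable: the posted file name is concatenated straight onto the
    // directory, so a value containing ".." segments (or a rooted path)
    // resolves to a file outside the uploads folder.
    protected void btnDownloadUnsafe_Click(object sender, EventArgs e)
    {
        string path = BaseDir + hdnFileName.Value;
        Response.ContentType = "application/octet-stream";
        Response.WriteFile(path);
    }

    // Fixed: canonicalise the combined path and serve it only if it is still
    // inside the base directory; otherwise reject the request.
    protected void btnDownload_Click(object sender, EventArgs e)
    {
        string resolved = ResolveInsideBase(BaseDir, hdnFileName.Value);
        if (resolved == null)
        {
            Response.StatusCode = 400;
            Response.End();
            return;
        }
        Response.ContentType = "application/octet-stream";
        Response.WriteFile(resolved);
    }

    // Returns the canonical path when it stays under baseDir, otherwise null.
    // Path.GetFullPath collapses "." and ".." segments, and Path.Combine
    // returns the second argument unchanged when it is rooted, so both
    // escape attempts fail the prefix check.
    public static string ResolveInsideBase(string baseDir, string userSupplied)
    {
        if (string.IsNullOrEmpty(userSupplied)) return null;

        string baseFull = Path.GetFullPath(baseDir)
            .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string candidate = Path.GetFullPath(Path.Combine(baseFull, userSupplied));

        return candidate.StartsWith(baseFull, StringComparison.OrdinalIgnoreCase)
            ? candidate
            : null;
    }
}
```

The prefix check is done on the canonical form of both paths, with the trailing separator appended to the base, so that a sibling directory whose name merely begins with "Uploads" is not accepted either.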
5. GET YOUR B-17 FIX!
Gain strategic advantage over the attackers...
Checklists Advance Technology
Aviation:
Model 299 (1934): “Too much airplane for one man to fly”.
The B-17 plane (Model 299 successor) gave the U.S. a major strategic advantage in WWII.
Intensive Care Units:
Usage of checklists brought down infection rates in Michigan by 66%.
Resources To Conduct Your Checklist
NIST Checklist Project ➡ http://checklists.nist.gov/
Mozilla’s Secure Coding QA Checklist ➡ https://wiki.mozilla.org/WebAppSec/Secure_Coding_QA_Checklist
Oracle’s Secure Coding Checklist ➡ http://www.oracle.com/technetwork/java/seccodeguide-139067.html
6. FINISH STRONG!
Flex your communications muscles!
Reporting
SQL Injection:
Location: \source\ACMEPortal\updateinfo.aspx.cs:
Description: The code below builds a dynamic SQL statement using unvalidated data (i.e. name), which can lead to SQL Injection.
    51 SqlDataAdapter myCommand = new SqlDataAdapter(
    52     "SELECT au_lname, au_fname FROM author WHERE au_id = '" +
    53     SSN.Text + "'", myConnection);
Priority: High
Recommendation: Use parameterized SQL instead of dynamic concatenation, refer to http://msdn.microsoft.com/en-us/library/ff648339.aspx for details.
Owner: John Smith
Report elements called out on the slide: Metadata, Thorough Description, Recommendation, Assign Appropriate Priority
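To make the recommendation in the sample finding concrete, here is the finding's statement rewritten with a parameter, side by side with the concatenated original. This is an added example for this write-up, not code from the talk or from the ACMEPortal application it describes; wrapping the two forms in an AuthorLookup class and passing the connection and the text-box value as arguments are assumptions made so the snippet compiles on its own.

```csharp
using System.Data;
using System.Data.SqlClient;

// Added illustration (not the talk's code): the reported statement in its
// concatenated and parameterized forms.
public static class AuthorLookup
{
    // Vulnerable form from the finding: the text-box value is spliced into
    // the SQL text, so any quote characters in it change the statement.
    public static DataTable FindAuthorUnsafe(SqlConnection myConnection, string ssnText)
    {
        var myCommand = new SqlDataAdapter(
            "SELECT au_lname, au_fname FROM author WHERE au_id = '" + ssnText + "'",
            myConnection);
        var table = new DataTable();
        myCommand.Fill(table);
        return table;
    }

    // Fixed form, as the recommendation advises: the value travels to the
    // server as a typed parameter and is never interpreted as SQL. The
    // VarChar(11) size is an assumption about the au_id column.
    public static DataTable FindAuthor(SqlConnection myConnection, string ssnText)
    {
        var command = new SqlCommand(
            "SELECT au_lname, au_fname FROM author WHERE au_id = @au_id",
            myConnection);
        command.Parameters.Add("@au_id", SqlDbType.VarChar, 11).Value = ssnText;

        var myCommand = new SqlDataAdapter(command);
        var table = new DataTable();
        myCommand.Fill(table);
        return table;
    }
}
```

Quoting the fixed form in the report, rather than only linking to the guidance, is what turns a finding into the "effective remediation instructions" listed earlier as a reason for doing code review in the first place.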
The 6-Points Strategy...
1. Drastic Changes Require Drastic Measures.
2. Cover The Basics First.
3. Focus on What Matters.
4. Get Your Hands Dirty.
5. Get Your B-17 Fix.
6. Finish Strong.
QUESTIONS?
[email protected]
[email protected]