REDUCING RISK THROUGH CODE REVIEW. Gary Robinson (CISSP) OWASP

Transcription

1 REDUCING RISK THROUGH CODE REVIEW Gary Robinson (CISSP) OWASP

2 WHAT ARE WE GOING TO DISCUSS Suggestions and practices for moving secure SDLC governance to the Code Review gate Methodologies brought together during development of the OWASP Code Review Guide (Second Edition) OWASP Code Review Guide is one of the few documents that concentrates on the topic of Secure Code Review

3 WHAT IS A PROJECT? Code Binaries People Documentation Tests Cases

4 SECURITY TOUCHPOINTS IN THE SDLC Security SMEs within the development organization are rare, yet important Much of security testing is focused on the Binaries

5 CONTROLS ON PROJECT DELIVERABLES Typically evaluated at different times in the SDLC Code evaluated at check-in or end of project, by other programmers Test cases checked when documented or automated, or at the end of the project, by other test engineers (sometimes programmers) Documentation (requirements, design, threat models, user guides) typically approved throughout the SDLC however checked for security at the end of the project Many times security checked by controls/audit teams instead of people already involved in the project If issues are found close to release, effort is repeated, other risks are introduced

6 HOW CAN WE MOVE GOVERNANCE TO DEVELOPERS? First step: Perform code review on every project Make code review process streamlined and usable Have code review recognized as a gate for project security and quality Code Documentation Tests Cases Build Security In by applying Secure Coding Standards during code review gate

7 EXTENDING CODE REVIEW TO DOCUMENTATION AND TEST CASES Ensure Documentation exists is complete and is approved Reviewers looking at the code submission get: Context on the problem to be solved by the code Ensure relevant requirements are covered Ensure abuse/misuse tests cases exist ensure correct coverage Reviewers can ensure manual/automatic test cases will cover code and documented requirements Result is the body of work reviewed during code review gate is complete and complies with security SDLC

8 ADVANTAGES TO SDLC AND ORGANISATION Developer security training is relevant! Instead of attending X days of partially relevant course secure coding and security training becomes an on-the-job activity during code review Security SMEs (SSG, Satellite) can assist initially, eventually security will be an awareness of all developers Code Review Feature Tracking Code Repository People Document Storage

9 BSIMM V CR 1.5 Make code review mandatory for all projects. CR 2.2 Enforce coding standards SM 2.2 A gate could require a project to undergo code review and remediate any critical findings before release. SM 2.3 Create or grow a satellite T1 Make customized, role based training available T1.1 SSG provides awareness training in order to promote a culture of software security SFD 3.2 Implementers must take their security features and frameworks from an approved list.

10 PCI DSS V3.0 STANDARD Section covers Code Review Review custom code prior to release Code reviews ensure code is developed according to secure coding guidelines Code review should be performed by someone other than the developer This requirement for code reviews applies to all custom code (both internal and publicfacing)

11 OVERVIEW Use Code Review as a gate Get security reviewers involved initially, then security reviews should be part of the normal review cycle Developer ensure code, tests, and documentation are complete at check-in Focused training for developers Maturity and Regulatory compliance

12 OWASP CODE REVIEW GUIDE Used by industry and government bodies Second Edition due by end of 2014 Partially funded by US DHS Plans after second edition are to turn it into a living document Sub-releases regularly with new sections and updates

13 Questions?