SECURE CODING PART 1 MAGDA LILIA CHELLY ENTREPRENEUR CISO ADVISOR CYBERFEMINIST PEERLYST BRAND AMBASSADOR TOP 50 CYBER CYBER

Transcription

1 SECURE CODING PART 1 MAGDA LILIA CHELLY ENTREPRENEUR CISO ADVISOR CYBERFEMINIST PEERLYST BRAND AMBASSADOR TOP 50 CYBER CYBER 1

2 AGENDA 1. Introduction: What is security? How much security is necessary? 2. Security Framework 3. Design Principles - Least Privilege, Security vs. Obscurity 4. Good programming practices (OWASP TOP 10, CWE SANS TOP 25) 5. Practical Tools 6. Design (authentication, authorization, integrity) 7. C/C++ (buffer overflows, safe practices) 8. PHP (session handling, database) 9. OWASP TOP 10 Example SQL Injection 2

3 INTRODUCTION Goal: Have a Guide for Secure Coding When you are in charge of software development, ensure that you consider security: From the initial project requirements Throughout development Through deployment After deployment / During maintenance 3

4 SECURITY FRAMEWORK I found the SD3 FRAMEWORK useful to have an overview for your secure coding approach. SECURE BY DESIGN Secure architecture and code Threat analysis Vulnerability reduction SECURE BY DEFAULT Attack surface area reduced Unused features turned off by default Minimum privileges used SECURE IN DEPLOYMENT Protection: Detection, defence, recovery, management Process: Architecture guides People: Training 4

5 LEAST PRIVILEGE, SECURITY VS. OBSCURITY Take in consideration: OWASP TOP 10 The Open Web Application Security Project (OWASP) is a 501(c) worldwide not-for-profit charitable organization focused on improving the security of software. CWE SANS TOP 25 The CWE/SANS Top 25 Most Dangerous Software Errors is a list of the most critical programming errors that can lead to critical software vulnerabilities. 5

6 GOOD PROGRAMMING PRACTICES Ensure that you: Raise security awareness of design team with ongoing training Get security right during the design phase Define security goals Integrate security in all requirements Use threat modelling 6

7 GOOD PROGRAMMING PRACTICES Be Aware of the Insecure Interaction Between Components Source: 7

8 PRACTICAL TOOLS Below are few of the tools that I have been using, and got also positive feedback from the industry s professionals: Burp Suite Burp or Burp Suite is a graphical tool for testing Web application security. The tool is written in Java and developed by PortSwigger Security. Veracode Static Analysis Static code analysis, also commonly called "white-box" testing, is one of veracode's code review tools that looks at applications in non-runtime environment. 8

9 DESIGN INTEGRITY) (AUTHENTICATION, AUTHORIZATION, 9

10 DESIGN (AUTHENTICATION, AUTHORIZATION, INTEGRITY) He is Yuri He has access to the web admin page. 10

11 DESIGN (AUTHENTICATION, AUTHORIZATION, INTEGRITY) Identification is the first step when a user connects. It is identifying the user without authenticating him. This means that the user needs to be identified with a unique ID. Each value should be unique, for accountability. Authentication needs 3 general factors for authenticating a user. Something a person knows- E.g.: passwords Something a person has E.g.: Access Card Something a person is- E.g.: Biometrics 11

12 DESIGN (AUTHENTICATION, AUTHORIZATION, INTEGRITY) Identification is the first step when a user connects. It is identifying the user without authenticating him. This means that the user needs to be identified with a unique ID. Each value should be unique, for accountability. Authentication needs 3 general factors for authenticating a user. Something a person knows- E.g.: passwords Something a person has E.g.: Access Card Something a person is- E.g.: Biometrics 12

13 DESIGN (AUTHENTICATION, AUTHORIZATION, INTEGRITY) Authorization needs to be based on least privileged. Access should be granted on least privilege basis. Integrity is an important aspect. Below are some of the important points to take in consideration: Secure Database access Log all activity Define unique identifier for database admins 13

14 C/C++ (BUFFER OVERFLOWS, SAFE PRACTICES) 14

15 C/C++ (BUFFER OVERFLOWS, SAFE PRACTICES) 15

16 Example: int arr[5] C/C++ (BUFFER OVERFLOWS, SAFE PRACTICES) In the above example, arr defines an array of 5 integers. Let s assume that the size of an integer is 4 bytes, the total buffer size of arr is 5*4 = 20 bytes. arr[0] is the left boundary and arr[4] is the right boundary. Buffer overflow example: char buff[5]; buff[5] = 'a'; 16

17 C/C++ (BUFFER OVERFLOWS, SAFE PRACTICES) The buffer overflow is mainly due to lack of verification of the amount of data written in the buffer. The attacked can therefore insert data in the buffer. The problem is related to the fact that strcpy(), strcat(), sprint() has no range checking. Stack buffer overflows are the most common. 17

18 C/C++ (BUFFER OVERFLOWS, SAFE PRACTICES) The buffer overflow is mainly due to lack of verification of the amount of data written in the buffer. The attacked can therefore insert data in the buffer. The problem is related to the fact that strcpy(), strcat(), sprint() has no range checking. Stack buffer overflows are the most common. 18

19 C/C++ (BUFFER OVERFLOWS, SAFE PRACTICES) Prevention can be achieved through some of the below practices: Mark the stack (and heap) as non-executable Note that even with nonexecutable heap and stack, exploits are still possible using the return-oriented programming Randomize stack location or Address space layout randomization (ASLR) It may still be possible to inject self contained code with relative memory references when running malicious code Make sure that the memory auditing is properly done (Configure minimum and maximum memory) 19

20 C/C++ (BUFFER OVERFLOWS, SAFE PRACTICES) Use fgets() instead of gets() fgets() reads input and saves to a buffer until: (char *fgets(char *str, int n, FILE *stream) 1) The buffer is 1 shy of being full - or - 2) '\n' is encountered - or - 3) The stream reaches an end-of-file condition - or - 4) An input error occurs. 20

21 C/C++ (BUFFER OVERFLOWS, SAFE PRACTICES) I owe a proper explanation of buffer overflow as in the last course, I just mentioned an issue with the memory. I cant forget the funny story about buffalos related to buffer overflow. Comment if you want to know what it is about ;) 21

22 PHP (SESSION HANDLING, DATABASE) 22

23 PHP (SESSION HANDLING, DATABASE) 23

24 PHP (SESSION HANDLING, DATABASE) Sessions keep track of the user with a unique ID. Session Handling security practices rely on the below actions: Store session data in different locations Use built-in frameworks Encrypt session data Secure cookie attribute (Use only HTTPS) Http only cookies (Not to allow scripts) Session ID renewal after privilege change 24

25 PHP (SESSION HANDLING, DATABASE) Database security practices rely on the below actions: Limit admin access to declared IP addresses Always use.php extension when it comes to related files so they are not accessible and readable Ensure that you do not save the.php files within the public folder Ensure that you create users for each application database 25

26 OWASP TOP 10 SQL INJECTION 26

27 OWASP TOP 10 SQL INJECTION SQL injection is a popular attack and is a simple technique. It is based on code injection that will affect your database. It can for example the voiding of transactions or the change of balances. It will place malicious code/sql query, using an unsecure web page input. It is very common with PHP and ASP applications. 27

28 OWASP TOP 10 SQL INJECTION A SQL attack is achieved in two phases: Research: Attacker submits different unexpected values, analysis how the application responds, and defines an attack (Identify injectable parameters, Identify the database type and version, Discover database schema, etc. ) Attack: Attacker injects a predefined and chosen value in the SQL query and it is executed as part of a SQL command. The command, then is executed by the database. (Denial of service by locking or deleting tables, Bypassing authentication, Privilege escalation, etc. ) 28

29 OWASP TOP 10 SQL INJECTION SELECT accountnumber, balance FROM accounts WHERE accountowner_id = 24 This is a query to return the account balance for the user with the id 24. If the attacker changes the user_id to 0 OR 1=1, as per below: SELECT accountnumber, balance FROM accounts WHERE accountowner_id = 0 OR 1=1 The result will return all the account numbers and respective balances. 29

30 OWASP TOP 10 SQL INJECTION I found an educational web application at that is vulnerable to SQL Injection attacks for demonstration purposes only. You can exploit the password field. By entering xxx') OR 1 = 1 -- ] in the password field, you get the result and the details of the database. 30

31 OWASP TOP 10 SQL INJECTION OWASP Mutillidae II Web Pen-Test Practice Application is another tool that you can use to practice. OWASP Mutillidae II is a free, open source, deliberately vulnerable webapplication providing a target for websecurity enthusiast. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMMP. It is preinstalled on SamuraiWTF and OWASP BWA. 31

32 OWASP TOP 10 SQL INJECTION Over the time, we can find several hacks with a simple SQL injection. This is one example, when Sony Pictures has been attacked. In 2011, PlayStation Network has been as well attacked with a SQL injection. 32

33 OWASP TOP 10 SQL INJECTION The most common defences are: Neutralizing all special characters Escaping single quotes isn t enough to neutralize a SQL string Input validation Ensure that your input is valid. If you're expecting letters, it shouldn't contain numbers or special characters. Nor should the date of birth be allowed to be a sentence. Whitelisting Technique 33

34 THANK YOU! PLEASE FEEL FREE TO ASK QUESTIONS OR SHARE YOUR TIPS 34