SECURE CODING PART 1
Magda Lilia Chelly, Entrepreneur, CISO Advisor, Cyberfeminist, Peerlyst Brand Ambassador, Top 50 Cyber Influencer, @RESPONSIBLE CYBER

AGENDA
1. Introduction: What is security? How much security is necessary?
2. Security Framework
3. Design Principles - Least Privilege, Security vs. Obscurity
4. Good programming practices (OWASP TOP 10, CWE/SANS TOP 25)
5. Practical Tools
6. Design (authentication, authorization, integrity)
7. C/C++ (buffer overflows, safe practices)
8. PHP (session handling, database)
9. OWASP TOP 10 Example: SQL Injection

INTRODUCTION
Goal: have a guide for secure coding. When you are in charge of software development, ensure that you consider security:
- from the initial project requirements
- throughout development
- through deployment
- after deployment / during maintenance

SECURITY FRAMEWORK
I found the SD3 framework useful as an overview for your secure coding approach.
SECURE BY DESIGN: secure architecture and code; threat analysis; vulnerability reduction.
SECURE BY DEFAULT: attack surface area reduced; unused features turned off by default; minimum privileges used.
SECURE IN DEPLOYMENT: protection (detection, defence, recovery, management); process (architecture guides); people (training).

LEAST PRIVILEGE, SECURITY VS. OBSCURITY
Take into consideration:
- OWASP TOP 10: The Open Web Application Security Project (OWASP) is a 501(c) worldwide not-for-profit charitable organization focused on improving the security of software.
- CWE/SANS TOP 25: The CWE/SANS Top 25 Most Dangerous Software Errors is a list of the most critical programming errors that can lead to critical software vulnerabilities.

GOOD PROGRAMMING PRACTICES
Ensure that you:
- Raise security awareness of the design team with ongoing training
- Get security right during the design phase
- Define security goals
- Integrate security in all requirements
- Use threat modelling

GOOD PROGRAMMING PRACTICES
Be aware of the insecure interaction between components.
Source: https://www.slideshare.net/blueinfy/advanced-applicationsarchitecturethreats

PRACTICAL TOOLS
Below are a few of the tools that I have been using and that also got positive feedback from the industry's professionals:
- Burp Suite (https://portswigger.net/burp): Burp, or Burp Suite, is a graphical tool for testing web application security. The tool is written in Java and developed by PortSwigger Security.
- Veracode Static Analysis (https://www.veracode.com/products/static-analysissast/static-code-analysis): static code analysis, also commonly called "white-box" testing, is one of Veracode's code review tools; it looks at applications in a non-runtime environment.

DESIGN (AUTHENTICATION, AUTHORIZATION, INTEGRITY)

DESIGN (AUTHENTICATION, AUTHORIZATION, INTEGRITY)
He is Yuri. He has access to the web admin page.

DESIGN (AUTHENTICATION, AUTHORIZATION, INTEGRITY)
Identification is the first step when a user connects: it identifies the user without authenticating him. This means that the user needs to be identified with a unique ID, and each value should be unique, for accountability.
Authentication relies on three general factors for authenticating a user:
- Something a person knows, e.g. passwords
- Something a person has, e.g. an access card
- Something a person is, e.g. biometrics

DESIGN (AUTHENTICATION, AUTHORIZATION, INTEGRITY)
Authorization needs to be based on least privilege: access should be granted on a least-privilege basis.
Integrity is an important aspect. Some of the important points to take into consideration:
- Secure database access
- Log all activity
- Define a unique identifier for database admins

C/C++ (BUFFER OVERFLOWS, SAFE PRACTICES)

C/C++ (BUFFER OVERFLOWS, SAFE PRACTICES)
Example:
int arr[5];
In the above example, arr defines an array of 5 integers. Assuming that the size of an integer is 4 bytes, the total buffer size of arr is 5*4 = 20 bytes. arr[0] is the left boundary and arr[4] is the right boundary.
Buffer overflow example (the valid indices of buff are 0 to 4, so index 5 is one byte past the end of the buffer):
char buff[5];
buff[5] = 'a';

C/C++ (BUFFER OVERFLOWS, SAFE PRACTICES)
The buffer overflow is mainly due to a lack of verification of the amount of data written into the buffer. The attacker can therefore insert data beyond the buffer. The problem is related to the fact that strcpy(), strcat() and sprintf() have no range checking. Stack buffer overflows are the most common.

C/C++ (BUFFER OVERFLOWS, SAFE PRACTICES)
Prevention can be achieved through some of the practices below:
- Mark the stack (and heap) as non-executable. Note that even with a non-executable heap and stack, exploits are still possible using return-oriented programming.
- Randomize the stack location, or use address space layout randomization (ASLR). It may still be possible to inject self-contained code with relative memory references when running malicious code.
- Make sure that memory auditing is properly done (configure minimum and maximum memory).

C/C++ (BUFFER OVERFLOWS, SAFE PRACTICES)
Use fgets() instead of gets().
char *fgets(char *str, int n, FILE *stream)
fgets() reads input and saves it to the buffer until:
1) the buffer is one character shy of being full (n-1 characters have been read), or
2) '\n' is encountered, or
3) the stream reaches an end-of-file condition, or
4) an input error occurs.

C/C++ (BUFFER OVERFLOWS, SAFE PRACTICES)
I owe a proper explanation of buffer overflow, as in the last course I just mentioned an issue with the memory. I can't forget the funny story about buffalos related to buffer overflow. Comment if you want to know what it is about ;)

PHP (SESSION HANDLING, DATABASE)

PHP (SESSION HANDLING, DATABASE)
Sessions keep track of the user with a unique ID. Session handling security practices rely on the actions below:
- Store session data in different locations
- Use built-in frameworks
- Encrypt session data
- Secure cookie attribute (send the session cookie only over HTTPS)
- HttpOnly cookie attribute (do not allow scripts to read the cookie)
- Session ID renewal after a privilege change

PHP (SESSION HANDLING, DATABASE)
Database security practices rely on the actions below:
- Limit admin access to declared IP addresses
- Always use the .php extension for related files, so that they are not accessible and readable as plain text
- Ensure that you do not save such .php files within the public folder
- Ensure that you create separate users for each application database

OWASP TOP 10 SQL INJECTION

OWASP TOP 10 SQL INJECTION
SQL injection is a popular attack and a simple technique. It is based on code injection that affects your database: it can, for example, void transactions or change balances. Malicious code (an SQL query) is placed through an insecure web page input. It is very common with PHP and ASP applications.

OWASP TOP 10 SQL INJECTION
An SQL injection attack is achieved in two phases:
- Research: the attacker submits different unexpected values, analyses how the application responds, and defines an attack (identify injectable parameters, identify the database type and version, discover the database schema, etc.).
- Attack: the attacker injects a predefined, chosen value into the SQL query, and it is executed as part of an SQL command by the database (denial of service by locking or deleting tables, bypassing authentication, privilege escalation, etc.).

OWASP TOP 10 SQL INJECTION
SELECT accountnumber, balance FROM accounts WHERE accountowner_id = 24
This is a query to return the account balance for the user with the id 24. If the attacker changes the accountowner_id value to 0 OR 1=1, as per below:
SELECT accountnumber, balance FROM accounts WHERE accountowner_id = 0 OR 1=1
the result will return all the account numbers and their respective balances.

OWASP TOP 10 SQL INJECTION
I found an educational web application at http://www.techpanda.org/ that is vulnerable to SQL injection attacks, for demonstration purposes only. You can exploit the password field: by entering xxx') OR 1 = 1 -- ] in the password field, you get the result and the details of the database.

OWASP TOP 10 SQL INJECTION
OWASP Mutillidae II Web Pen-Test Practice Application is another tool that you can use to practice. OWASP Mutillidae II is a free, open source, deliberately vulnerable web application providing a target for web security enthusiasts. Mutillidae can be installed on Linux and Windows using LAMP, WAMP and XAMPP. It is preinstalled on SamuraiWTF and OWASP BWA.

OWASP TOP 10 SQL INJECTION
Over time, we can find several hacks performed with a simple SQL injection. One example is when Sony Pictures was attacked. In 2011, PlayStation Network was also attacked with an SQL injection.

OWASP TOP 10 SQL INJECTION
The most common defences are:
- Neutralizing all special characters. Escaping single quotes isn't enough to neutralize an SQL string.
- Input validation. Ensure that your input is valid: if you're expecting letters, it shouldn't contain numbers or special characters, nor should the date of birth be allowed to be a sentence.
- Whitelisting technique.
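As an added example (not code from the slides), the C code below applies two of the defences above to the balance query from the earlier slide: single-quote escaping, which leaves the numeric injection 0 OR 1=1 completely untouched, and digit-only whitelist validation, which rejects it before any query is built. The 9-digit id limit and the buffer sizes are assumptions for the demo.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* "Neutralizing special characters": double every single quote. Static
 * buffer for simplicity (not thread-safe); NULL if the result would not fit. */
static const char *escape_single_quotes(const char *in)
{
    static char out[256];
    size_t j = 0;
    for (; *in != '\0'; in++) {
        if (j + 2 >= sizeof out) return NULL;   /* room for 2 chars + NUL */
        out[j++] = *in;
        if (*in == '\'') out[j++] = '\'';       /* ' becomes '' */
    }
    out[j] = '\0';
    return out;
}
/* Whitelist validation of accountowner_id: decimal digits only, 1 to 9
 * characters (assumed limit), so "0 OR 1=1" never reaches the database. */
static int is_valid_account_id(const char *id)
{
    size_t len = strlen(id);
    if (len == 0 || len > 9)
        return 0;
    for (; *id != '\0'; id++)
        if (!isdigit((unsigned char)*id))
            return 0;
    return 1;
}
/* Builds the slide's balance query for a validated id; NULL if the id is
 * rejected. In real code bind the id as a query parameter instead of
 * splicing text; the whitelist then acts as a second layer of defence. */
static const char *build_balance_query(const char *id)
{
    static char query[128];
    if (!is_valid_account_id(id))
        return NULL;
    snprintf(query, sizeof query,
             "SELECT accountnumber, balance FROM accounts WHERE accountowner_id = %s", id);
    return query;
}
int main(void)
{
    const char *hostile = "0 OR 1=1";           /* the slide's injected value */
    printf("escaped: %s (escaping changed nothing)\n", escape_single_quotes(hostile));
    printf("hostile id: %s\n", build_balance_query(hostile) ? "accepted" : "rejected");
    printf("valid id : %s\n", build_balance_query("24"));
}
```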

THANK YOU! PLEASE FEEL FREE TO ASK QUESTIONS OR SHARE YOUR TIPS