david rook agnitio security code review swiss army knife
play

David Rook Agnitio Security code review swiss army knife Hack in - PowerPoint PPT Presentation

Aug 08, 2023 •189 likes •933 views

David Rook Agnitio Security code review swiss army knife Hack in Paris, Paris Friday, 17 June 2011 if (slide == introduction) System.out.println( " Im David Rook " ); Security Analyst, Realex Payments, Ireland CISSP, CISA,

  1. David Rook Agnitio Security code review swiss army knife Hack in Paris, Paris Friday, 17 June 2011

  2. if (slide == introduction) System.out.println( " I’m David Rook " ); • Security Analyst, Realex Payments, Ireland CISSP, CISA, GCIH and many other acronyms • Security Ninja (www.securityninja.co.uk) • Speaker at international security conferences • Nominated for multiple blog awards • A mentor in the InfoSecMentors project • Developed and released Agnitio Friday, 17 June 2011

  3. Agenda • What is static analysis? • Security code reviews: the good, the bad and the ugly • The principles of secure development • Agnitio: It’s static analysis, but not as we know it • A sneak preview of Agnitio v2.0 Friday, 17 June 2011

  4. Static analysis • What do I mean by static analysis? • A review of source code without executing the application • Can be either manual or automated through one or more tools • Human and/or tools analysing application source code Friday, 17 June 2011

  5. Static analysis • Wetware or software? • Humans are needed with or without static analysis tools • The best thing about humans is that they aren’t software Friday, 17 June 2011

  6. Static analysis • Wetware or software? • Humans are needed with or without static analysis tools • The best thing about humans is that they aren’t software • The worst thing about humans is that they are humans Friday, 17 June 2011

  7. Static analysis • Wetware or software? http://www.ibm.com/developerworks/rational/library/11-proven-practices-for-peer-review/index.html?sf1100063=1 Friday, 17 June 2011

  8. Static analysis • Wetware or software? http://www.ibm.com/developerworks/rational/library/11-proven-practices-for-peer-review/index.html?sf1100063=1 Friday, 17 June 2011

  9. Static analysis • Wetware or software? • Tools can cover more code in less time than a human • The best thing about software is that it isn’t human Friday, 17 June 2011

  10. Static analysis • Wetware or software? • Tools can cover more code in less time than a human • The best thing about software is that it isn’t human • The worst thing about software is that it’s software Friday, 17 June 2011

  11. Friday, 17 June 2011

  12. Friday, 17 June 2011

  13. Friday, 17 June 2011

  14. Friday, 17 June 2011

  15. Friday, 17 June 2011

  16. Friday, 17 June 2011

  17. Friday, 17 June 2011

  18. Friday, 17 June 2011

  19. Friday, 17 June 2011

  20. Friday, 17 June 2011

  21. Friday, 17 June 2011

  22. Friday, 17 June 2011

  23. Friday, 17 June 2011

  24. Friday, 17 June 2011

  25. Friday, 17 June 2011

  26. Friday, 17 June 2011

  27. The ugly security code reviews • “Ugly reviews” implies you do actually review code • An unplanned magical mystery tour at the end of the SDLC • Unstructured, not repeatable and heavily reliant on C 8 H 10 N 4 O 2 • Too late in the SDLC making findings very expensive to fix Friday, 17 June 2011

  28. The ugly security code reviews • “Ugly reviews” implies you do actually review code • An unplanned magical mystery tour at the end of the SDLC • Unstructured, not repeatable and heavily reliant on C 8 H 10 N 4 O 2 • Too late in the SDLC making findings very expensive to fix • Completely manual process, no tools used during reviews • No audit trails, no metrics........no security? • Better than nothing? Friday, 17 June 2011

  29. The bad security code reviews • “Bad reviews” might be fine for some companies • A single planned code review in your SDLC • Some structure, normally based on finding the OWASP top 10 • Still too late in the SDLC making findings very expensive to fix Friday, 17 June 2011

  30. The bad security code reviews • “Bad reviews” might be fine for some companies • A single planned code review in your SDLC • Some structure, normally based on finding the OWASP top 10 • Still too late in the SDLC making findings very expensive to fix • Some automation, usually basic code analysis tools • Basic audit trails still no metrics so hard to measure “anything” • Better than ugly reviews, might be fine for some companies Friday, 17 June 2011

  31. The good security code reviews • “Good reviews” don’t happen by accident • Multiple reviews defined as deliverables in your SDLC • Structured, repeatable process with management support • Reviews are exit criteria for the development and test phases Friday, 17 June 2011

  32. The good security code reviews • “Good reviews” don’t happen by accident • Multiple reviews defined as deliverables in your SDLC • Structured, repeatable process with management support • Reviews are exit criteria for the development and test phases • Automation used where useful freeing up the reviewer • Ability to produce reports, metrics and measure improvements • External validation of the review process and SDLC Friday, 17 June 2011

  33. The principles of secure development • What are the principles of secure development? Friday, 17 June 2011

  34. Philosophical Application Security Give a man a fish and you feed him for a day, teach him to fish and you feed him for a lifetime. Friday, 17 June 2011

  35. Philosophical Application Security Give a man a fish and you feed him for a day, teach him to fish and you feed him for a lifetime. I want to apply this to secure development education: Teach a developer about a vulnerability and he will prevent it, teach him how to develop securely and he will prevent many vulnerabilities. Friday, 17 June 2011

  36. The current approach Failure to Preserve SQL Query Structure Failure to Preserve Web Page Structure Reliance on Untrusted Inputs in a Security Decision Missing Encryption of Sensitive Data Incorrect Calculation of Buffer Size Improper Control of Filename for Include/Require Statement in PHP Program Buffer Copy without Checking Size on Input URL Redirection to Untrusted Site Content Spoofing Allocation of Resource Without Limits or Throttling Cross Site Request Forgery Information Leakage Injection Flaws Cross Site Scripting Improper Check for Unusual or Exceptional Conditions Failure to Preserve OS Command Structure Insufficient Transport Layer Protection Improper Limitation of a Pathname to a Restricted Directory Insufficient Authorisation Insecure Cryptographic Storage Insufficient Authentication Improper Access Control Session Management Race Condition Use of Hard-coded Credentials Insecure Direct Object Reference Improper Validation of Array Index Information Exposure Through an Error Message Abuse of Functionality Download of Code Without Integrity Check Predictable Resource Location Failure to Restrict URL Access Unvalidated Redirects and Forwards Buffer Access with Incorrect Length Value Security Misconfiguration SQL Injection Unrestricted Upload of File with Dangerous Type Broken Authentication Missing Authentication for Critical Function Integer Overflow or Wraparound Use of a Broken or Risky Cryptographic Algorithm Incorrect Permission Assignment for Critical Resource Friday, 17 June 2011

  37. The Principles of Secure Development Secure Communications Output Validation Input Validation Auditing and Logging Authorisation Session Management Error Handling Secure Resource Access Authentication Secure Storage Friday, 17 June 2011

  38. Agnitio • What is Agnitio? • Tool to help with manual static analysis • Checklist based with reviewer & developer guidance • Produces audit trails & enforces integrity checks • Single tool for security code review reports & metrics Friday, 17 June 2011

  39. Agnitio • Checklists? • An application for doing checklist reviews? *yawn* how boring! • Checklists are for n00bs! I don't need a checklist to review code! • I beg to differ, would you say Doctors and Pilots are n00bs? Friday, 17 June 2011

  40. Friday, 17 June 2011

  41. Friday, 17 June 2011

  42. Agnitio Friday, 17 June 2011

  43. Agnitio Friday, 17 June 2011

  44. Agnitio • Checklists? • So you don't use a checklist for reviewing source code? • What's the worst that could happen? Friday, 17 June 2011

  45. Ariane 5 flight 501 Friday, 17 June 2011

  46. Ariane 5 flight 501 Friday, 17 June 2011

  47. Therac-25 Friday, 17 June 2011

  48. Mars Climate Orbiter Friday, 17 June 2011

  49. Mars Climate Orbiter Friday, 17 June 2011

  50. Agnitio • Checklists? • So you don't use a checklist for reviewing source code? • What's the worst that could happen? • Four people dead and over € 700m of equipment destroyed • Checklists can be useful to pilots, doctors and code reviewers! Friday, 17 June 2011

  51. Agnitio • So, why did I develop Agnitio? • I love using checklists for security code reviews! Friday, 17 June 2011

  52. Agnitio • So, why did I develop Agnitio? • I love using checklists for security code reviews! • Even if your process is good it might not be smart Friday, 17 June 2011

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

OpenSky: A Swiss Army Knife for Air Traffic Security Research Martin Strohmeier 1 Matthias

OpenSky: A Swiss Army Knife for Air Traffic Security Research Martin Strohmeier 1 Matthias

Department of Computer Science OpenSky: A Swiss Army Knife for Air Traffic Security Research Martin Strohmeier 1 Matthias Schfer 2 Markus Fuchs 4 Vincent Lenders 3 Ivan Martinovic 1 1 University of Oxford, UK 2 University of Kaiserslautern,

573 views • 29 slides
Private Cloud Devotional Sacristan Gordon is the consultant's answer to The Swiss Army knife -

Private Cloud Devotional Sacristan Gordon is the consultant's answer to The Swiss Army knife -

Private Cloud Devotional Sacristan Gordon is the consultant's answer to The Swiss Army knife - versatile and always at hand. Gordon's core competency is to undertake projects that no one else dare, will, or can. Titled CTO on the business card

710 views • 28 slides
Projective Geometric Algebra: A Swiss army knife for doing Cayley-Klein geometry Charles Gunn

Projective Geometric Algebra: A Swiss army knife for doing Cayley-Klein geometry Charles Gunn

Projective Geometric Algebra: A Swiss army knife for doing Cayley-Klein geometry Charles Gunn Sept. 18, 2019 at ICERM, Providence Full-featured slides available at: https://slides.com/skydog23/icerm2019. Check for updates incorporating new

1.47k views • 94 slides
Suder v. Commissioner : The Swiss Army Knife for your Research Credit Claims February 19, 2015

Suder v. Commissioner : The Swiss Army Knife for your Research Credit Claims February 19, 2015

Suder v. Commissioner : The Swiss Army Knife for your Research Credit Claims February 19, 2015 William A. Schmalzl, Chicago, IL wschmalzl@mayerbrown.com Michael Kaupa, Chicago, IL mkaupa@mayerbrown.com Mayer Brown is a global legal services

551 views • 51 slides
The Swiss-Army Knife for Python Web Developers Armin Ronacher http://lucumr.pocoo.org/ About

The Swiss-Army Knife for Python Web Developers Armin Ronacher http://lucumr.pocoo.org/ About

The Swiss-Army Knife for Python Web Developers Armin Ronacher http://lucumr.pocoo.org/ About Me About Me Name: Armin Ronacher Werkzeug, Jinja, Pygments, ubuntuusers.de Python since 2005 WSGI warrior since the very beginning

1.51k views • 126 slides
stress-ng A stress-testing Swiss army knife Presentation by Colin Ian King

stress-ng A stress-testing Swiss army knife Presentation by Colin Ian King

stress-ng A stress-testing Swiss army knife Presentation by Colin Ian King colin.king@canonical.com www.canonical.com October 2019 stress-ng Designed to stress a computer system: Originally designed to trip hardware issues (make test

558 views • 25 slides
Spectra of UWB Signals in a Swiss Army Knife Andrea Ridolfi EPFL, Switzerland joint work with

Spectra of UWB Signals in a Swiss Army Knife Andrea Ridolfi EPFL, Switzerland joint work with

Spectra of UWB Signals in a Swiss Army Knife Andrea Ridolfi EPFL, Switzerland joint work with Pierre Br emaud, EPFL (Switzerland) and ENS Paris (France) Laurent Massouli e, Microsoft Cambridge (UK) Martin Vetterli , EPFL (Switzerland)

894 views • 70 slides
Ghostferry: the swiss army knife of live data migrations with minimum downtime Shuhao Wu Shopify

Ghostferry: the swiss army knife of live data migrations with minimum downtime Shuhao Wu Shopify

Ghostferry: the swiss army knife of live data migrations with minimum downtime Shuhao Wu Shopify Inc. April 24, 2018 1 Data Migration 2 Data Migration 3 Data Migration Between MySQL Servers Data Copy: mysqldump/Percona XtraBackup

477 views • 22 slides
The Swiss Army Knife SLTE Alice Shelton, Michele Barezzani Alcatel-Lucent Submarine

The Swiss Army Knife SLTE Alice Shelton, Michele Barezzani Alcatel-Lucent Submarine

conference & convention enabling the next generation of networks & services The Swiss Army Knife SLTE Alice Shelton, Michele Barezzani Alcatel-Lucent Submarine Networks conference & convention enabling the next generation of

402 views • 18 slides
The Swiss Army Knife SLTE Alice Shelton Alcatel-Lucent Submarine Networks conference &

The Swiss Army Knife SLTE Alice Shelton Alcatel-Lucent Submarine Networks conference &

conference & convention enabling the next generation of networks & services The Swiss Army Knife SLTE Alice Shelton Alcatel-Lucent Submarine Networks conference & convention enabling the next generation of networks &

393 views • 18 slides
The Development of HKFSDs High Angle Rescue Team Experience and Insight Sharing Swiss Army

The Development of HKFSDs High Angle Rescue Team Experience and Insight Sharing Swiss Army

The Development of HKFSDs High Angle Rescue Team Experience and Insight Sharing Swiss Army Knife vs Multitool Traditional High Angle Rescue Use techniques and equipment derived from Mountain Rescue High Angle Rescue in Modern City

577 views • 54 slides
CSCI-UA.9480 Introduction to Computer Security Session 1.1 One-Way Functions and Hash Functions

CSCI-UA.9480 Introduction to Computer Security Session 1.1 One-Way Functions and Hash Functions

CSCI-UA.9480 Introduction to Computer Security Session 1.1 One-Way Functions and Hash Functions Prof. Nadim Kobeissi 1.1a Why Hash Functions? Describing the importance of the cryptographers Swiss Army knife. 2 CSCI-UA.9480:

569 views • 34 slides
Building secure player experiences at Riot Games David Rook 1 2 3 4 5 Riot Application

Building secure player experiences at Riot Games David Rook 1 2 3 4 5 Riot Application

Building secure player experiences at Riot Games David Rook 1 2 3 4 5 Riot Application Security tl;dr not this Riot Application Security Automation Rioters Bug Bounty ESLint Security Rules ESLint Security Rules Dependency Scanner PoC

402 views • 37 slides
Polyglot persistence: utilizing open source databases as a Swiss pocket knife Art van

Polyglot persistence: utilizing open source databases as a Swiss pocket knife Art van

Polyglot persistence: utilizing open source databases as a Swiss pocket knife Art van Scheppingen - Senior (No)SQL DBA @ VidaXL Bart Ole - Senior Support Engineer @ Severalnines Who are we? VidaXL Company Stats Online retailer in

539 views • 37 slides
Python: Swiss-Army Glue Josh Karpel <karpel@wisc.edu> Graduate Student, Yavuz Group

Python: Swiss-Army Glue Josh Karpel <karpel@wisc.edu> Graduate Student, Yavuz Group

1 Python: Swiss-Army Glue Josh Karpel <karpel@wisc.edu> Graduate Student, Yavuz Group UW-Madison Physics Department My Research: Matrix Multiplication 2 Python: Swiss-Army Glue - HTCondor Week 2018 My Research: Computational Quantum

269 views • 15 slides
British Army Leadership Code British Army Leadership Code Agenda British Army Values

British Army Leadership Code British Army Leadership Code Agenda British Army Values

British Army Leadership Code British Army Leadership Code Agenda British Army Values Exercise 1 British Army Behaviours Exercise 2 Leadership Practices Inventory Assessment Exercise 3 Summary Values: British Army

544 views • 23 slides
Development of Web Applications Principles and Practice Vincent Simonet, 2013-2014 Universit

Development of Web Applications Principles and Practice Vincent Simonet, 2013-2014 Universit

Development of Web Applications Principles and Practice Vincent Simonet, 2013-2014 Universit Pierre et Marie Curie, Master Informatique, Spcialit STL 2 Communication Vincent Simonet, 2013-2014 Universit Pierre et Marie Curie, Master

782 views • 57 slides
Internet Systems Programming NFS: Protocols, Programming, and Implementation Erez Zadok

Internet Systems Programming NFS: Protocols, Programming, and Implementation Erez Zadok

Internet Systems Programming NFS: Protocols, Programming, and Implementation Erez Zadok ezk@cs.columbia.edu October 25, 1999 The BIG Picture portmap biod NFS Client (kernel) mountd process lockd NFS_READ read() RPC XDR XDR RPC

469 views • 15 slides
Wednesday, March 7, 2012 Our games all look the same Flash client Backend

Wednesday, March 7, 2012 Our games all look the same Flash client Backend

G AMES FOR THE M ASSES How DevOps Affects Architecture Jesper Richter-Reichhelm, @jrirei Wednesday, March 7, 2012 Wednesday, March 7, 2012 Our games all look the same Flash client Backend Wednesday, March 7,

1.77k views • 145 slides
Stateless Systems, Factory Reset, Golden Master Systems and systemd LinuxCon Europe, Duesseldorf

Stateless Systems, Factory Reset, Golden Master Systems and systemd LinuxCon Europe, Duesseldorf

Stateless Systems, Factory Reset, Golden Master Systems and systemd LinuxCon Europe, Duesseldorf October 2014 Stateless Systems, Factory Reset, Golden Master Systems and Factory Reset? Stateless Systems, Factory Reset, Golden Master Systems

930 views • 80 slides
Allocation for Social Good Auditing Mechanisms for Utility Maximization Taylor Lundy 1 , Alexander

Allocation for Social Good Auditing Mechanisms for Utility Maximization Taylor Lundy 1 , Alexander

Allocation for Social Good Auditing Mechanisms for Utility Maximization Taylor Lundy 1 , Alexander Wei 2 , Hu Fu 1 , Scott Duke Kominers 2 , Kevin Leyton-Brown 1 1 University of British Columbia 2 Harvard University Food Banks and Food Pantries

489 views • 24 slides
Retrofitting Security in input parsing routines Jayakrishna Menon, Christophe Hauser, Yan

Retrofitting Security in input parsing routines Jayakrishna Menon, Christophe Hauser, Yan

Retrofitting Security in input parsing routines Jayakrishna Menon, Christophe Hauser, Yan Shoshitaishvili, Stephen Schwab {jmenon, hauser, schwab}@isi.edu yans@asu.edu Modern defenses Vulnerabilities Many programs are still OS defenses

702 views • 35 slides
The 10 Commandments of Release Engineering Dinah McNutt Google, Inc. Overview This talk is

The 10 Commandments of Release Engineering Dinah McNutt Google, Inc. Overview This talk is

The 10 Commandments of Release Engineering Dinah McNutt Google, Inc. Overview This talk is really about "Build & Release", not just "Release" Focus is on server-side software The commandments are solutions to

358 views • 16 slides
Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen

Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen

Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen University of Maryland Department of Computer Science University of Maryland Binary modification Behavior Attack Detection Analysis Binary Program

492 views • 24 slides

More recommend