Overview
Software vulnerabilities are a reality in today's world. Every day we can read news in information security magazines and websites reporting a zero-day vulnerability. Software vulnerabilities occur for numerous reasons, but the most significant are a lack of security awareness among developers and deadline pressure. Lack of awareness of security issues usually shows up in statements such as: "We will not get hacked", "Our services reside on the internal network", "We trust our internal users (e.g. employees, partners)", "We have a very expensive web application firewall (WAF) protecting us", etc. But nowadays, when industrial espionage is a reality, misplaced trust can cost money and reputation.
Code review is, broadly, the process of examining the source code of an application for vulnerabilities. It is a necessity for developing secure software and is part of the Software Development Life Cycle (SDLC). We can examine one of the best-known SDLC guides for developing secure software: the Microsoft Security Development Lifecycle (SDL).
Security flavour in SDL
The phases of Microsoft SDL:
Security is integrated into almost all phases. Further details can be found on the SDL website.
Code review resides mainly in the "Verification" phase. On the SDL website, Microsoft provides a list of code review tools, but in this article I am going to present a demo of Yasca, an open source code review tool.
Yasca
From the Yasca website: "Yasca is a source code analysis tool that I started writing in 2007. It could best be described as a "glorified grep script" plus an aggregator of other open-source tools.
Yasca can scan source code written in Java, C/C++, HTML, JavaScript, ASP, ColdFusion, PHP, COBOL, .NET, and other languages."
The main advantage of Yasca is that it integrates with a wide list of static analysis tools, such as FindBugs, PMD, JLint, JavaScript Lint, PHPLint, CppCheck, ClamAV, RATS and Pixy, and aggregates their findings into one report.
Personally, I have installed Yasca on Windows 7 Ultimate and it works perfectly from the command line, whereas I abandoned the installation on Backtrack 5 R3 because of numerous errors.
Demo
I extracted the vulnerable code (guess from where?! Of course from the OWASP Broken Web Applications VM, where there is a ton of vulnerable code just waiting to be hacked!). The vulnerable code is from the WebGoat web application, found at the path:
/owaspbwa/WebGoat-svn/src/main/java/org/owasp/webgoat/lessons
Here is a sample of Yasca's report:
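Since the report image is not reproduced here, the following is an added illustration of what a Yasca-style "glorified grep script" actually does: it runs a set of regex rules over each source line and aggregates the hits into a line-numbered report. This is example code written for this article, not Yasca's own code; the Java sample (a constructed snippet in the style of a WebGoat lesson class, not WebGoat's real source) and the three rules are hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed sample in the style of a WebGoat lesson class (not WebGoat's actual source).
SAMPLE_JAVA = """\
public class SqlLesson {
    public ResultSet lookup(Connection c, String user) throws SQLException {
        String query = "SELECT * FROM users WHERE name = '" + user + "'";
        Statement st = c.createStatement();
        return st.executeQuery(query);
    }
    public void ping(String host) throws Exception {
        Runtime.getRuntime().exec("ping " + host);
    }
    public ResultSet safeLookup(Connection c, String user) throws SQLException {
        PreparedStatement ps = c.prepareStatement("SELECT * FROM users WHERE name = ?");
        ps.setString(1, user);
        return ps.executeQuery();
    }
}
"""
# Hypothetical rule set: (rule id, severity, pattern). Each rule is a plain regex,
# which is all a "glorified grep script" needs; real tools add parsing and data flow.
RULES = [
    ("SQLI-CONCAT", "High", re.compile(r'"[^"]*\b(SELECT|INSERT|UPDATE|DELETE)\b[^"]*"\s*\+')),
    ("STMT-VAR", "Medium", re.compile(r'\.executeQuery\(\s*[A-Za-z_]\w*\s*\)')),
    ("CMD-EXEC", "High", re.compile(r'Runtime\.getRuntime\(\)\.exec\(')),
]

@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    line: int
    code: str

def scan(source: str, rules=RULES) -> list[Finding]:
    """Run every rule against every line and collect matches with their line numbers."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        stripped = text.strip()
        if stripped.startswith("//"):  # skip line comments so commented-out code is not reported
            continue
        for rule_id, severity, pattern in rules:
            if pattern.search(text):
                findings.append(Finding(rule_id, severity, lineno, stripped))
    return findings

def report(findings: list[Finding]) -> str:
    # One line per hit, in the spirit of the aggregated report Yasca produces.
    return "\n".join(f"{f.severity:<6} {f.rule:<12} line {f.line}: {f.code}" for f in findings)
```

Note that `safeLookup` produces no findings because the query is parameterised; the `STMT-VAR` rule is a heuristic and, like any grep-based rule, will miss concatenation that happens on an earlier line.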
Wrap-up
Code review should be included in every software development project. It is an essential safeguard for producing secure software and minimising the risk from potential vulnerabilities. Besides, we should always apply security controls at every layer of our web application (code review, web application firewall, access control, etc.).
Further reading
The Owasp Code Review Top 9 :: https://www.owasp.org/index.php/The_Owasp_Code_Review_Top_9
OWASP Code Review Guide :: https://www.owasp.org/index.php/OWASP_Code_Review_Guide_Table_of_Contents
The Ten Best Practices for Secure Software Development :: https://www.isc2.org/uploadedFiles/(ISC)2_Public_Content/Certification_Programs/CSSLP/ISC2_WPIV.pdf
US Homeland Security Secure SDL :: https://buildsecurityin.us-cert.gov/bsi/articles/knowledge/sdlc/326-BSI.html
SANS Secure SDL and Code Analysis Tools :: http://www.sans.org/reading_room/whitepapers/securecode/secure-software-development-code-analysis-tools_389