1 / 12

Secure Code Review C hecklist

Security code reviews focus on finding flaws in each of the following areas: Authentication, authorization, security configuration, session management, logging, data validation, error handling, and encryption. Secure Code Review C hecklist.

fsmith
Download Presentation

Secure Code Review C hecklist

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security code reviews focus on finding flaws in each of the following areas: Authentication, authorization, security configuration, session management, logging, data validation, error handling, and encryption

  2. Secure Code Review Checklist • A secure code review is just one part of a comprehensive security process that includes security testing. • When conducting manual code reviews, make sure all reviewers are working by the same comprehensive checklist. • Just as the developers writing the code are human and can neglect secure coding practices, reviewers can forget to certain checks, if not working with a well-designed checklist. https://www.checkmarx.com/2016/02/05/5-best-practices-perfect-secure-code-review/

  3. Secure Code Review Checklist • Defining a generic checklist which can be filled out by the development team is of high value, if the checklist asks the correct questions in order to give us context. • Every checklist is different. • It is recommended to brainstorm your checklist with your development team including (developers, architect, …etc.).  https://arch.simplicable.com/arch/new/secure-code-review-checklist

  4. Secure Code Review Checklist • This checklist is extensive but not complete: • Design • Authentication and User Management • Authorization • Session Management • Input Validation • Cryptography • Exception Handling • Auditing and Logging https://arch.simplicable.com/arch/new/secure-code-review-checklist

  5. Secure Code Review Checklist: Design • Architecture and design documentation is complete • User and role based privileges are documented • Site is well partitioned into public and restricted pages • Security is layered - each layer assumes other layers may have been compromised • Security design covers all 8 principles of web security: authentication, authorization, confidentiality, message integrity, data integrity, availability, non-repudiation

  6. Secure Code Review Checklist: Authentication and User Management • User credentials are encrypted in the data store • Standard security frameworks are used (instead of custom code) • Authentication cookies are not persisted • Authentication cookies are encrypted • Application handles suspicious events such as multiple failed logon attempts • Strong passwords policies are enforced

  7. Secure Code Review Checklist: Authorization • Authentication and authorization should be the first logic executed for each request • Deny access to pages and data by default • Re-authenticate for requests that have side-effects • Authorization based on clearly defined roles • Authorization cannot be bypassed by cookie manipulation

  8. Secure Code Review Checklist: Session Management • Session cookies expire in a reasonably short time • Session cookies are encrypted • Private data in cookies is kept to a minimum • Application avoids excessive cookie use • Session id is complex

  9. Secure Code Review Checklist: Input Validation • All external input is validated • Application validates numerical input and rejects unexpected input • Application efficiently evaluates input length • Data should be checked for special characters before being passed to SQLand OS

  10. Secure Code Review Checklist: Cryptography • Sensitive data has been secured in memory, storage and transit • Restricted areas require Secure Sockets Layer (SSL) • Cryptographic protocols that provide security for communications over networks such as the Internet. • Provides a secure channel between two machines or devices operating over the internet or an internal network. • One common example is when SSL is used to secure communication between a web browser and a web server. • This turns a website's address from HTTP to HTTPS, the ‘S’ standing for ‘secure’. • Supports the following information security principles: • Encryption: protect data transmissions (e.g. browser to server, server to server, application to server, etc.) • Authentication: ensure the server you’re connected to is actually the correct server. • Data integrity: ensure that the data that is requested or submitted is what is actually delivered.

  11. Secure Code Review Checklist: Exception Handling • When exceptions occur the application fails securely • Error messages do not reveal sensitive information • System errors are never shown to users • Resources are released and transactions rolled back when there is an error

  12. Secure Code Review Checklist: Auditing and Logging • All user / system actions are logged • Sensitive information is not logged (e.g. passwords) • Logging for user management events (e.g. password reset) • Unusual activity such as multiple login attempts are logged • Logs have enough detail to reconstruct events for audit purposes

More Related