CERT Secure Coding

OWASP Education Computer based training CERT Secure Coding Nishi Kumar IT Architect Specialist, FIS Chair, Software Security Forum at FIS OWASP CBT Project Lead OWASP Global Industry Committee Nishi.Kumar@owasp.orgContributor and Reviewer Keith Turpin

Objectives • Understand Cert Secure Coding • Cert Secure Coding Standards • Go over few Java samples

Cert Secure Coding goals • Reduce vulnerabilities resulting from coding errors • Identify common programming errors that lead to software vulnerabilities • Establish secure coding standards • Educate software developers to advance the state of the practice in secure coding

Cert Secure Coding Standards • Establish coding guidelines for commonly used programming languages that can be used to improve the security of software systems under development Based on documented standard language versions as defined by official or de facto standards organizations Secure coding standards are under development for: • The CERT C Secure Coding Standard, Version 2.0 • The CERT C++ Secure Coding Standard • The CERT Oracle Secure Coding Standard for Java

The CERT Oracle Secure Coding Standard for Java

Noncompliant Code Example IDS01-J. Sanitize untrusted data passed across a trust boundary public void doPrivilegedAction(String username, char[] password) throws SQLException { Connection connection = getConnection(); if (connection == null) { // handle error } String pwd = hashPassword(password); String sqlString = "SELECT * FROM db_user WHERE username = '" + username + "' AND password ='" + pwd + "'"; Statement stmt = connection.createStatement(); ResultSet rs = stmt.executeQuery(sqlString); if (!rs.next()) { throw new SecurityException("User name or Password incorrect"); } // Authenticated; proceed }

Compliant Solution (PreparedStatement) IDS01-J. Sanitize untrusted data passed across a trust boundary class Login { public void doPrivilegedAction(String username, char[] password) throws SQLException { Connection connection = getConnection(); if (connection == null) { // handle error } String pwd = hashPassword(password); // Ensure that the length of user name is legitimate if ((username.length() >= 8) { // Handle error } String sqlString = "select * from db_user where username=?and password=?"; PreparedStatement stmt = connection.prepareStatement(sqlString); stmt.setString (1, username); stmt.setString (2, pwd); ResultSet rs = stmt.executeQuery(); if (!rs.next()) { throw new SecurityException("User name or Password incorrect"); } // Authenticated; proceed } }

Noncompliant Code Example ERR02-J. Prevent exceptions while logging data try { // ... } catch (SecurityException se) { System.err.println(e); // Recover from exception } } Writing such exceptions to the standard error stream is inadequate for logging purposes

Compliant Solution ERR02-J. Prevent exceptions while logging data try { // ... } catch (SecurityException se) { logger.log(Level.SEVERE, se);// Recover from exception } }

Noncompliant Code Example MSC11-J. Address the shortcomings of the Singleton design pattern class MySingleton { private static MySingleton Instance; protected MySingleton() { // private constructor prevents instantiation by untrusted callers Instance = new MySingleton(); } public static synchronized MySingleton getInstance() { return Instance; } }

Compliant Solution MSC11-J. Address the shortcomings of the Singleton design pattern class MySingleton { private static final MySingleton Instance = new MySingleton(); private MySingleton() { // private constructor prevents instantiation by untrusted callers } public static synchronized MySingleton getInstance() { return Instance; } }

Noncompliant Code Example TSM00-J. Do not override thread-safe methods with methods that are not thread-safe class Base { public synchronized void doSomething() { // ... } } class Derived extends Base { @Override public void doSomething() { // ... } }

Compliant Solution TSM00-J. Do not override thread-safe methods with methods that are not thread-safe class Base { public synchronized void doSomething() { // ... } } class Derived extends Base { @Override public synchronized void doSomething() { // ... } }

Compliant Solution MSC02-J. Generate strong random numbers import java.util.Random; // ... Random number = new Random(123L); //... for (int i = 0; i < 20; i++) { // Generate another random integer in the range [0, 20] int n = number.nextInt(21); System.out.println(n); }

Noncompliant Code Example MSC02-J. Generate strong random numbers import java.security.SecureRandom; import java.security.NoSuchAlgorithmException; // ... public static void main (String args[]) { try { SecureRandom number = SecureRandom.getInstance("SHA1PRNG"); // Generate 20 integers 0..20 for (int i = 0; i < 20; i++) { System.out.println(number.nextInt(21)); } } catch (NoSuchAlgorithmException nsae) { // Forward to handler } }

References • CERT - www.cert.org The CERT® Program is part of the Software Engineering Institute (SEI). CERT's primary objectives include analyzing and communicating the state of internet security through its US-CERT Vulnerability Notes Database and improving software security with its secure coding practices publications. US-CERT Vulnerability Notes Database - http://www.kb.cert.org/vuls/ CERT Secure Coding Practices - http://www.cert.org/secure-coding/

CERT Secure Coding