SlideShare a Scribd company logo

Code review for secure web applications

Download as PPT, PDF
S
silviad74

The document discusses best practices for code review of secure web applications. It covers strategies like manual review using checklists focused on authentication, authorization, session management, input validation, output sanitization, and other topics. Sample code snippets are provided to demonstrate proper and insecure implementations for these areas. The checklist topics to be covered in the next meeting include preventing cross-site request forgery, implementing cryptographic controls, handling errors properly, logging appropriately, and avoiding race conditions.

Technology
1 of 24
Downloaded 98 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
Code Review for Secure Web Applications With java samples
Bibliography • OWASP – Open web applications security projects – www.owasp.org • OWASP Code review guide
Introduction • Code reviews: – Ad hoc reviews – Pair programming – Walkthrough – Team review – Inspection • Purpose – security
Code review strategies • Automatic • Manual – use checklists – Risk based – Most encountered programming mistakes – Mitigation of most encountered vulnerabilities exploited in the world – Security best practices
Checklist based on best practices • Authentication • Authorization • Session management • Input validation and output sanitization
Checklist based on best practices To be presented next meeting • Prevent Cross Site Request Forgery • Cryptographic controls • Error handling • Logging • Prevent Race conditions
Authentication • Check user is not allowed to choose weak passwords Bad: String password = request.getParameter("Password"); if (password == Null) {throw InvalidPasswordException() }
Authentication • Check user is not allowed to choose weak passwords OK: if password.RegEx([a-z]) and password.RegEx([A-Z]) and password.RegEx([0-9]) and password.RegEx({8-30}) and password.RexEX([!"£$%^&*()]) return true; else return false;
Authentication • Password storage strategy: hashing using a one-way hash algorithm + salting OK hashing: import java.security.MessageDigest; public byte[] getHash(String password) throws NoSuchAlgorithmException { MessageDigest digest = MessageDigest.getInstance("SHA-1"); digest.reset(); byte[] input = digest.digest(password.getBytes("UTF-8")); }
Authentication • Password storage strategy: hashing using a one-way hash algorithm + salting OK salting: import java.security.MessageDigest; public byte[] getHash(String password, byte[] salt) throws NoSuchAlgorithmException { MessageDigest digest = MessageDigest.getInstance("SHA- 256"); digest.reset(); digest.update(salt); return digest.digest(password.getBytes("UTF-8")); }
Authorization • Check the access roles matrix and make sure it is created respecting the need-to-know and least- privilege principle • Check the business logic for errors Bad: if user.equals("NormalUser") { grantUser(Normal_Permissions); } else{ //user must be admin/super grantUser("Super_Permissions); }
Authorization • Check if security by obscurity is used • Check if authorization is verified for every request Good: String action = request.getParameter("action"); if (action.equals("doStuff")) boolean permit = session.authTable.isAuthorised(action); if (permit) doStuff(); else{ throw new (InvalidRequestException("Unauthorised request"); session.invalidate(); }
Session Management • Check if only framework’s session manager is used • Check the cryptographic strength, the length of the sessions and character pool • Check that sessionIds coming from clients are validated • Check there is a timeout implemented for idle sessions • Check session is destroyed on logout
Input validation and output sanitization • Ensure 2 separate validations occur: first a security validation, then a business validation • Ensure in the security validation, data are canonicalized first public static void main(String[] args) { File x = new File("/cmd/" + args[1]); String absPath = x.getAbsolutePath(); String canonicalPath = x.getCanonicalPath(); }
Input validation and output sanitization • Check that all input that traversed untrusted zones is validated, not only user input • Check that validators or sanitizers are adapted for the modules that receives/uses data – encode, escape, etc • Check validators are applied in a safe side (never client side)
Input validation and output sanitization public class DoStuff { public String executeCommand(String userName) { try { String myUid = userName; Runtime rt = Runtime.getRuntime(); rt.exec("cmd.exe /C doStuff.exe " +”-“ +myUid); } catch(Exception e) { e.printStackTrace(); } } }
Input validation and output sanitization String myQuery = “select food from foods where name=?”; String sortOrder=request.getParameter(“order”); myQuery+=sortOrder; PreparedStatement preparedStatement = connection.prepareStatement(myQuery); preparedStatement.setString(1, “Shaorma”); ResultSet resultSet = preparedStatement.executeQuery();
Input validation and output sanitization import java.io.*; import javax.servlet.http.*; import javax.servlet.*; public class HelloServlet extends HttpServlet { public void doGet (HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { String input = req.getHeader(“USERINPUT”); PrintWriter out = res.getWriter(); out.println(Server.HTMLEncode(input)); out.close(); } }
Thank you for the interest Questions?
Prevent Cross Site Script Forgery
Cryptographic controls
Error handling
Logging
Prevent Race Conditions

More Related Content

PPTX
Null meet Code Review
Naga Venkata Sunil Alamuri
 
PDF
Java Code Review Checklist
Mahesh Chopker
 
PPTX
Secure coding practices
Scott Hurrey
 
PDF
Secure Coding in C/C++
Dan-Claudiu Dragoș
 
PPTX
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 
PDF
Manual Code Review
n|u - The Open Security Community
 
PPTX
Static Code Analysis
Geneva, Switzerland
 
PPTX
DevBeat 2013 - Developer-first Security
Coverity
 
Null meet Code Review
Naga Venkata Sunil Alamuri
 
Java Code Review Checklist
Mahesh Chopker
 
Secure coding practices
Scott Hurrey
 
Secure Coding in C/C++
Dan-Claudiu Dragoș
 
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 
Manual Code Review
n|u - The Open Security Community
 
Static Code Analysis
Geneva, Switzerland
 
DevBeat 2013 - Developer-first Security
Coverity
 

What's hot (20)

PPTX
Top 10 static code analysis tool
scmGalaxy Inc
 
PPTX
Server Side Template Injection by Mandeep Jadon
Mandeep Jadon
 
PPTX
Code review
Abhishek Sur
 
PPT
Security Testing
Kiran Kumar
 
PPTX
PVS-Studio and static code analysis technique
Andrey Karpov
 
PPTX
Making Security Agile
Oleg Gryb
 
ODP
OWASP Secure Coding
bilcorry
 
PDF
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Denim Group
 
PDF
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Websecurify
 
PDF
Neoito — Secure coding practices
Neoito
 
PPTX
Static code analysis
Rune Sundling
 
PPTX
Static Analysis Primer
Coverity
 
PPTX
DevSecOps: Securing Applications with DevOps
Wouter de Kort
 
PPTX
Java Code Quality Tools
Orest Ivasiv
 
PDF
Secure Coding principles by example: Build Security In from the start - Carlo...
Codemotion
 
PDF
Simplified Security Code Review Process
Sherif Koussa
 
PDF
Best Practices of Static Code Analysis in the SDLC
Parasoft_Mitchell
 
PPTX
Java exception handling
BHUVIJAYAVELU
 
DOCX
Code review guidelines
Lalit Kale
 
PPT
L27
NathannyabvureMapisa
 
Top 10 static code analysis tool
scmGalaxy Inc
 
Server Side Template Injection by Mandeep Jadon
Mandeep Jadon
 
Code review
Abhishek Sur
 
Security Testing
Kiran Kumar
 
PVS-Studio and static code analysis technique
Andrey Karpov
 
Making Security Agile
Oleg Gryb
 
OWASP Secure Coding
bilcorry
 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Denim Group
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Websecurify
 
Neoito — Secure coding practices
Neoito
 
Static code analysis
Rune Sundling
 
Static Analysis Primer
Coverity
 
DevSecOps: Securing Applications with DevOps
Wouter de Kort
 
Java Code Quality Tools
Orest Ivasiv
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Codemotion
 
Simplified Security Code Review Process
Sherif Koussa
 
Best Practices of Static Code Analysis in the SDLC
Parasoft_Mitchell
 
Java exception handling
BHUVIJAYAVELU
 
Code review guidelines
Lalit Kale
 
L27
NathannyabvureMapisa
 
Ad

Viewers also liked (16)

PPTX
Security asp.net application
ZAIYAUL HAQUE
 
PDF
Deploying Static Application Security Testing on a Large Scale
Achim D. Brucker
 
PPTX
Microsoft asp.net identity security
rustd
 
KEY
Security Code Review: Magic or Art?
Sherif Koussa
 
PPTX
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
gmaran23
 
PPTX
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
gmaran23
 
ODP
Secure coding in C#
Siddharth Bezalwar
 
PDF
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
OWASP Ottawa
 
ODP
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
gmaran23
 
PPTX
PCI security requirements secure coding and code review 2014
Haitham Raik
 
PPTX
ASP.NET Core Security
Albert Weinert
 
PPTX
ASP.NET Web Security
SharePointRadi
 
PDF
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
PDF
Sass Code Reviews - How one code review changed my life #SassConf2015
Stacy Kvernmo
 
PDF
«Вредоносные браузерные расширения и борьба с ними», Александра Сватикова (Од...
OWASP Russia
 
PDF
«Android Activity Hijacking», Евгений Блашко, Юрий Шабалин (АО «Сбербанк-Тех...
OWASP Russia
 
Security asp.net application
ZAIYAUL HAQUE
 
Deploying Static Application Security Testing on a Large Scale
Achim D. Brucker
 
Microsoft asp.net identity security
rustd
 
Security Code Review: Magic or Art?
Sherif Koussa
 
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
gmaran23
 
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
gmaran23
 
Secure coding in C#
Siddharth Bezalwar
 
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
OWASP Ottawa
 
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
gmaran23
 
PCI security requirements secure coding and code review 2014
Haitham Raik
 
ASP.NET Core Security
Albert Weinert
 
ASP.NET Web Security
SharePointRadi
 
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
Sass Code Reviews - How one code review changed my life #SassConf2015
Stacy Kvernmo
 
«Вредоносные браузерные расширения и борьба с ними», Александра Сватикова (Од...
OWASP Russia
 
«Android Activity Hijacking», Евгений Блашко, Юрий Шабалин (АО «Сбербанк-Тех...
OWASP Russia
 
Ad

Similar to Code review for secure web applications (20)

PDF
Steps to mitigate Top 5 OWASP Vulnerabilities 2013
Jayasree Veliyath
 
PPTX
Secure coding - Balgan - Tiago Henriques
Tiago Henriques
 
PPTX
Ebu class edgescan-2017
Eoin Keary
 
PPTX
Code Review Cybersecurity: Comprehensive Guide to Secure Code Evaluation & B...
hamdi71
 
PPTX
Defending web applications v.1.0
Todd Benson (I.T. SPECIALIST and I.T. SECURITY)
 
PDF
WhiteList Checker: An Eclipse Plugin to Improve Application Security
guest032fe5
 
PDF
How to avoid top 10 security risks in Java EE applications and how to avoid them
Masoud Kalali
 
PDF
42 minutes to secure your code....
Sebastien Gioria
 
PDF
2015 09-18-jug summer camp
Sebastien Gioria
 
PDF
9 Ways to Hack a Web App
elliando dias
 
PDF
Secure code
ddeogun
 
PPT
Secure code practices
Hina Rawal
 
PPTX
The path of secure software by Katy Anton
DevSecCon
 
PPTX
Writing secure code
Madhura P M
 
PDF
Protecting web apps
Omkar Parab
 
PDF
WhiteList Checker: An Eclipse Plugin to Improve Application Security
guest56b7565
 
PDF
Owasp tds
snyff
 
ODP
Java zone ASVS 2015
Joachim Van der Auwera
 
PDF
SecurityBSides London - Agnitio: it's static analysis but not as we know it
Security Ninja
 
PPT
Web application development_dos_and_donts
huynhvanphuc
 
Steps to mitigate Top 5 OWASP Vulnerabilities 2013
Jayasree Veliyath
 
Secure coding - Balgan - Tiago Henriques
Tiago Henriques
 
Ebu class edgescan-2017
Eoin Keary
 
Code Review Cybersecurity: Comprehensive Guide to Secure Code Evaluation & B...
hamdi71
 
Defending web applications v.1.0
Todd Benson (I.T. SPECIALIST and I.T. SECURITY)
 
WhiteList Checker: An Eclipse Plugin to Improve Application Security
guest032fe5
 
How to avoid top 10 security risks in Java EE applications and how to avoid them
Masoud Kalali
 
42 minutes to secure your code....
Sebastien Gioria
 
2015 09-18-jug summer camp
Sebastien Gioria
 
9 Ways to Hack a Web App
elliando dias
 
Secure code
ddeogun
 
Secure code practices
Hina Rawal
 
The path of secure software by Katy Anton
DevSecCon
 
Writing secure code
Madhura P M
 
Protecting web apps
Omkar Parab
 
WhiteList Checker: An Eclipse Plugin to Improve Application Security
guest56b7565
 
Owasp tds
snyff
 
Java zone ASVS 2015
Joachim Van der Auwera
 
SecurityBSides London - Agnitio: it's static analysis but not as we know it
Security Ninja
 
Web application development_dos_and_donts
huynhvanphuc
 

Recently uploaded (20)

PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
GDG Cloud Iasi [PUBLIC] Florian Blaga - Unveiling the Evolution of Cybersecur...
athlonica
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Advanced Soft Computing BINUS July 2025.pdf
University of Hertfordshire
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
GDG Cloud Iasi [PUBLIC] Florian Blaga - Unveiling the Evolution of Cybersecur...
athlonica
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Cloud computing and distributed systems.
kkkkkhan
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
KodekX | Application Modernization Development
KodekX
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Approach and Philosophy of On baking technology
30anthuong17
 
Advanced Soft Computing BINUS July 2025.pdf
University of Hertfordshire
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Modernizing your data center with Dell and AMD
Principled Technologies
 

Code review for secure web applications

  • 1. Code Review for Secure Web Applications With java samples
  • 2. Bibliography • OWASP – Open web applications security projects – www.owasp.org • OWASP Code review guide
  • 3. Introduction • Code reviews: – Ad hoc reviews – Pair programming – Walkthrough – Team review – Inspection • Purpose – security
  • 4. Code review strategies • Automatic • Manual – use checklists – Risk based – Most encountered programming mistakes – Mitigation of most encountered vulnerabilities exploited in the world – Security best practices
  • 5. Checklist based on best practices • Authentication • Authorization • Session management • Input validation and output sanitization
  • 6. Checklist based on best practices To be presented next meeting • Prevent Cross Site Request Forgery • Cryptographic controls • Error handling • Logging • Prevent Race conditions
  • 7. Authentication • Check user is not allowed to choose weak passwords Bad: String password = request.getParameter("Password"); if (password == Null) {throw InvalidPasswordException() }
  • 8. Authentication • Check user is not allowed to choose weak passwords OK: if password.RegEx([a-z]) and password.RegEx([A-Z]) and password.RegEx([0-9]) and password.RegEx({8-30}) and password.RexEX([!"£$%^&*()]) return true; else return false;
  • 9. Authentication • Password storage strategy: hashing using a one-way hash algorithm + salting OK hashing: import java.security.MessageDigest; public byte[] getHash(String password) throws NoSuchAlgorithmException { MessageDigest digest = MessageDigest.getInstance("SHA-1"); digest.reset(); byte[] input = digest.digest(password.getBytes("UTF-8")); }
  • 10. Authentication • Password storage strategy: hashing using a one-way hash algorithm + salting OK salting: import java.security.MessageDigest; public byte[] getHash(String password, byte[] salt) throws NoSuchAlgorithmException { MessageDigest digest = MessageDigest.getInstance("SHA- 256"); digest.reset(); digest.update(salt); return digest.digest(password.getBytes("UTF-8")); }
  • 11. Authorization • Check the access roles matrix and make sure it is created respecting the need-to-know and least- privilege principle • Check the business logic for errors Bad: if user.equals("NormalUser") { grantUser(Normal_Permissions); } else{ //user must be admin/super grantUser("Super_Permissions); }
  • 12. Authorization • Check if security by obscurity is used • Check if authorization is verified for every request Good: String action = request.getParameter("action"); if (action.equals("doStuff")) boolean permit = session.authTable.isAuthorised(action); if (permit) doStuff(); else{ throw new (InvalidRequestException("Unauthorised request"); session.invalidate(); }
  • 13. Session Management • Check if only framework’s session manager is used • Check the cryptographic strength, the length of the sessions and character pool • Check that sessionIds coming from clients are validated • Check there is a timeout implemented for idle sessions • Check session is destroyed on logout
  • 14. Input validation and output sanitization • Ensure 2 separate validations occur: first a security validation, then a business validation • Ensure in the security validation, data are canonicalized first public static void main(String[] args) { File x = new File("/cmd/" + args[1]); String absPath = x.getAbsolutePath(); String canonicalPath = x.getCanonicalPath(); }
  • 15. Input validation and output sanitization • Check that all input that traversed untrusted zones is validated, not only user input • Check that validators or sanitizers are adapted for the modules that receives/uses data – encode, escape, etc • Check validators are applied in a safe side (never client side)
  • 16. Input validation and output sanitization public class DoStuff { public String executeCommand(String userName) { try { String myUid = userName; Runtime rt = Runtime.getRuntime(); rt.exec("cmd.exe /C doStuff.exe " +”-“ +myUid); } catch(Exception e) { e.printStackTrace(); } } }
  • 17. Input validation and output sanitization String myQuery = “select food from foods where name=?”; String sortOrder=request.getParameter(“order”); myQuery+=sortOrder; PreparedStatement preparedStatement = connection.prepareStatement(myQuery); preparedStatement.setString(1, “Shaorma”); ResultSet resultSet = preparedStatement.executeQuery();
  • 18. Input validation and output sanitization import java.io.*; import javax.servlet.http.*; import javax.servlet.*; public class HelloServlet extends HttpServlet { public void doGet (HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { String input = req.getHeader(“USERINPUT”); PrintWriter out = res.getWriter(); out.println(Server.HTMLEncode(input)); out.close(); } }
  • 19. Thank you for the interest Questions?
  • 20. Prevent Cross Site Script Forgery