Code Security – Issues and Best Practices
1
Outline
Intro to Code Security
Need for Code Security
Code Security Fundamentals
Code Security Issues
OWASP Top 10 – A4:2017– XML External Entities (XXE)
OWASP Top 10 – A8:2017– Insecure Deserialization
OWASP Top 10 – A9:2017– Using Components with Known Vulnerabilities
Attacks against Code Security Mechanisms
Code Security Best Practices
2
Intro to Code Security
3
What is Code?
Code refers to instructions issued to a computer that tell it which actions to perform and in what order
Code is made of strings of typed letters, numbers, and figures, which constitute a language complete with spelling rules and syntax
Code is used to do all sorts of activities including:
Building websites
Flying airplanes
Running NASA satellites
Making cars/cellphones/TVs/gaming consoles, etc. work
Intro to Code Security
Source: Indeed.com – How to Write Code in 6 Steps? –
https://www.indeed.com/career-advice/career-development/how-to-write-code
4
Code Types
Markup Languages – Use start tags (<>) and end tags (</>) to represent different components
Examples:
HTML – Is the code that describes the structure and content of a web application
XML – Is code that is designed to store and transport data in both human- and machine-readable format
SAML – Is a framework for describing and exchanging security information between online business partners
Intro to Code Security (contd.)
5
Code Types (continued)
Scripting Languages – Used to write small programs that are usually interpreted at runtime by a runtime environment
Examples (client-side):
JavaScript – Is a cross-platform scripting language that can be embedded within web pages to create interactive documents
AJAX – Is a collection of technologies that allows web developers to improve the response times between web pages
Intro to Code Security (contd.)
Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers –
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf
6
Code Types (continued)
Scripting Languages – Can also be used on the server side
Examples (server-side):
CGI – Is used to make web sites interact with databases and other applications
SSI – Is a limited scripting language supported by most web servers
ASP – Is used to create dynamic and interactive web applications for servers that serve “.asp” web pages using the .NET framework
PHP – Is used to create dynamic web pages that extract data from a database and present it on a web page
Intro to Code Security (contd.)
Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers –
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf
7
Code Types (continued)
Programming Languages – Used to code the business logic behind the web applications
Examples:
Java – Is a cross-platform programming language that is secure, fast, powerful, open-source, and free
C# – Is an object-oriented programming language created by Microsoft that runs on the .NET framework
Python – Is an interpreted programming language used to create web applications that can be used to handle big data and perform complex math
Ruby – Is an open-source programming language with a focus on simplicity and productivity
Intro to Code Security (contd.)
8
Code Market Share:
Intro to Code Security (contd.)
Source: Programming Languages Market Share Report – Datanyze –
https://www.datanyze.com/market-share/programming-languages–67/
9
Secure Coding Concepts – Professor Messer
Intro to Code Security (contd.)
Source: Professor Messer – Secure Coding Concepts – CompTIA Security+ SY0-401: 4.1 –
https://www.youtube.com/watch?v=N-tQtS5uQoo
10
Code security refers to “a set of technologies and best practices for making software as secure and stable as possible. It encompasses everything from encryption, certificates, and federated identity to recommendations for moving sensitive data, accessing a file system, and managing memory” (Red Hat, 2020)
As per Apple (2016), code security involves writing software that:
Is resistant to attack by malicious or mischievous people or programs
Stops an attacker from accessing and taking control of a server or a user’s computer resulting in denial of service, compromise of secrets, or damage to the systems of thousands of users
Protects a user’s data from theft or corruption
Is secure regardless of whether it is a small script or a commercial application
Intro to Code Security (contd.)
11
Need for Code Security
12
As per OWASP (2010):
It is much less expensive to build secure software than to correct security issues after the software package has been completed, not to mention the costs that may be associated with a security breach
Securing critical software resources is more important than ever as the focus of attackers has steadily moved toward the application layer
Failure to code securely can compromise:
The software and its associated information
The operating systems of the associated servers
The backend database
Other applications in a shared environment
Need for Code Security
13
As per Veracode (2020):
Code security analysis is a must for competitive enterprises
Most current threats are directed at the application layer
It is critical to search code for vulnerabilities such as backdoors and malicious code before hackers discover and exploit those vulnerabilities using a variety of attacks
Such code-targeted attacks on the enterprise can have severe consequences:
Reduce productivity
Tie up valuable organizational resources
Damage brand reputation
Cut into profits
Need for Code Security (contd.)
14
As per the Veracode (2019) State of Software Security Report, web applications coded in most common languages have at least 1 vulnerability:
Need for Code Security (contd.)
15
As per the Veracode (2019) State of Software Security Report, the flaw intensity vs flaw prevalence are:
Need for Code Security (contd.)
16
As per the Veracode (2019) State of Software Security Report, the flaw intensity vs flaw prevalence are:
Need for Code Security (contd.)
17
As per the Veracode (2019) State of Software Security Report, the flaw debt types by language are:
Need for Code Security (contd.)
18
Poor code security continues to be a major cause of data breaches (Privacy Rights Clearinghouse, 2020)
Need for Code Security (contd.)
19
Code Security Fundamentals
20
Secure Coding Standards – SEI | CMU | CERT
Code Security Fundamentals
Source: SEI | CMU | CERT – Secure Coding Standards –
https://www.youtube.com/watch?v=WYKSivnp3gA
21
Code security (by code type):
Markup language security
HTML security
XML security
SAML security
Scripting language (client-side) security
JavaScript security (in Firefox)
AJAX security
Code Security Fundamentals (contd.)
22
Code security (by code type):
Scripting language (server-side) security
CGI security
SSI security
ASP security
PHP security
Programming language security
Java security
C++ security
Python security
Ruby security
Code Security Fundamentals (contd.)
23
Code Security Issues
24
Specific code security issues include the following:
Vulnerabilities in C amounted to 50% of all reported vulnerabilities
The most common CWEs across most programming languages are Cross-Site Scripting (XSS), Input Validation, Permissions, Privileges, and Access Control, and Information Leak / Disclosure
A significant rise was seen in reported vulnerabilities as a result of the use of automated tools and the trend of bug bounty programs
While there was a spike in the number of reported security vulnerabilities in the past couple of years, the number of high severity vulnerabilities has decreased in most languages.
Code Security Issues
Source: Whitesource – Most Secure Programming Languages –
https://www.whitesourcesoftware.com/most-secure-programming-languages/
25
Specific code security issues include the following:
Total reported vulnerabilities per language
Code Security Issues (contd.)
Source: Whitesource – Most Secure Programming Languages –
https://www.whitesourcesoftware.com/most-secure-programming-languages/
26
Top 3 vulnerabilities per language
Code Security Issues (contd.)
Source: Whitesource – Most Secure Programming Languages –
https://www.whitesourcesoftware.com/most-secure-programming-languages/
27
Code Security Issues (contd.)
Top 3 vulnerabilities per language
Source: Whitesource – Most Secure Programming Languages –
https://www.whitesourcesoftware.com/most-secure-programming-languages/
28
OWASP Top 10–A4:2017 – XML External Entities (XXE)
Code Security Issues (contd.)
Source: OWASP Top 10 2017 A4 – XML External Entities (XXE) –
https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE).html
29
Common code security vulnerabilities:
Code Security Issues (contd.)
Source: OWASP Top 10 2017 A4 – XML External Entities (XXE) –
https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE).html
30
OWASP Top 10–A8:2017 – Insecure Deserialization
Code Security Issues (contd.)
Source: OWASP Top 10 2017 A8 – Insecure Deserialization –
https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization
31
Code Security Issues (contd.)
Common code security vulnerabilities:
Source: OWASP Top 10 2017 A8 – Insecure Deserialization –
https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization
32
OWASP Top 10–A9:2017 – Using Components with Known Vulnerabilities
Code Security Issues (contd.)
Source: OWASP Top 10 2017 A9 – Using Components with Known Vulnerabilities –
https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities
33
Common code security vulnerabilities:
Code Security Issues (contd.)
Source: OWASP Top 10 2017 A9 – Using Components with Known Vulnerabilities –
https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities
34
Code Security Attacks
35
Most common code security attacks:
Code Security Attacks
Attack Type – Description
Billion Laughs Attack / XML Bomb – A block of XML that is both well-formed and valid according to the rules of an XML schema but which crashes or hangs a program when that program attempts to parse it (Microsoft, 2015)
Buffer Overflow – An attack that consists of overwriting memory fragments of a process, resulting in errors that end execution of the application in an unexpected way
Code Injection – An attack that consists of injecting code that is then interpreted/executed by the application
36
Most common code security attacks (continued):
Code Security Attacks (contd.)
Attack Type – Description
JSON Injection – A simple server-side attack that could be performed in PHP to grant admin privileges to a regular user
SSI Injection – An attack that allows the exploitation of a web application by injecting scripts into HTML pages or executing arbitrary code remotely
XXE Attack – The attacker breaks out of the usual processing schema, bypasses the security verification, and reads locally stored files
37
What is an XXE Attack – Hacksplaining
Code Security Attacks (contd.)
Source: Hacksplaining – What is an XXE Attack? –
https://www.youtube.com/watch?v=hIHrGuG3r5w
38
Code Security Best Practices
39
Code Security Best Practices
Best practices for code security include:
Establishing coding standards and conventions
  Select languages based on the security issues they inherit
  Use built-in security features
  Use loosely coupled frameworks / libraries / components
  Enforce standards
Using safe functions / APIs only
  Provide guidance to developers on which functions / APIs to avoid
  Use appropriate tools to help identify and review the usage of dangerous functions
  Use the latest versions of compilers / interpreters / runtime environments
Source: SAFEcode.org – Fundamental Practices for Secure Software Development –
https://safecode.org/wp-content/uploads/2018/03/SAFECode_Fundamental_Practices_for_Secure_Software_Development_March_2018.pdf
40
Code Security Best Practices (contd.)
Best practices for code security include (continued):
Using code analysis tools to find security issues early
  Use tools to analyze code to identify deviation from requirements
  Use tools that plug directly into the IDE
  Use secure code review to identify logical errors in the source code
Handling data safely / handling errors gracefully
  Use input validation techniques to begin with
  Enforce data segregation to prevent data from becoming application logic
  Use encoding so that data is interpreted in the context in which it is used
  Use data binding, which prevents data from being interpreted as control logic
  Use sanitization techniques to remove, replace, or encode unwanted characters
Source: SAFEcode.org – Fundamental Practices for Secure Software Development –
https://safecode.org/wp-content/uploads/2018/03/SAFECode_Fundamental_Practices_for_Secure_Software_Development_March_2018.pdf
41
Code Security Best Practices (contd.)
Best practices for code security include the following:
Take Security Requirements and Risk Information into Account During Software Design
Review the Software Design to Verify Compliance with Security Requirements and Risk Information
Verify Third-Party Software Complies with Security Requirements
Reuse Existing, Well-Secured Software When Feasible Instead of Duplicating Functionality
Create Source Code Adhering to Secure Coding Practices
Source: NIST – Cybersecurity White Paper –
https://csrc.nist.gov/CSRC/media/Publications/white-paper/2019/06/07/mitigating-risk-of-software-vulnerabilities-with-ssdf/draft/documents/ssdf-for-mitigating-risk-of-software-vulns-draft.pdf
42
Code Security Best Practices (contd.)
Best practices for code security include the following:
Configure the Compilation and Build Processes to Improve Executable Security
Review and/or Analyze Human-Readable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements
Test Executable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements
Configure the Software to Have Secure Settings by Default
Source: NIST – Cybersecurity White Paper –
https://csrc.nist.gov/CSRC/media/Publications/white-paper/2019/06/07/mitigating-risk-of-software-vulnerabilities-with-ssdf/draft/documents/ssdf-for-mitigating-risk-of-software-vulns-draft.pdf
43
Use the following code security best practices to protect against XML External Entities (XXE):
Code Security Best Practices (contd.)
Source: OWASP Top 10 2017 A4 – XML External Entities (XXE) –
https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE).html
44
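The Billion Laughs and XXE rows of the attack table and the XXE practices on this slide share one root: both need a DOCTYPE that declares entities. The cheapest mitigation OWASP lists is to disable DTDs entirely, and the following added example (written for this page, not from the slides or from OWASP) implements that as a pre-parse gate with Python's standard-library expat parser. The three sample documents are constructed for the demo; the external entity points at a placeholder path, and the entity bomb is cut down to a few levels so the test stays small.

```python
"""Reject DTDs before parsing untrusted XML.

Added example, not from the slides or from OWASP. XXE and the Billion
Laughs bomb both depend on a DOCTYPE with entity declarations, so
refusing any document that carries a DOCTYPE blocks both before a single
entity is declared, let alone expanded. Sample documents are constructed.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class DtdNotAllowed(ValueError):
    """Raised when the document carries a DOCTYPE / DTD."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # expat calls this handler as soon as it sees <!DOCTYPE ...>, before
    # any entity in the DTD is processed; raising here aborts the parse.
    raise DtdNotAllowed(f"DOCTYPE {name!r} not allowed (system id={sysid!r})")


def assert_no_dtd(data: bytes) -> None:
    """Walk the document with a bare expat parser and raise on DOCTYPE."""
    p = xml.parsers.expat.ParserCreate()
    p.StartDoctypeDeclHandler = _reject_doctype
    p.Parse(data, True)


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source only after the DTD gate passes."""
    assert_no_dtd(data)
    return ET.fromstring(data)


# Constructed sample inputs ------------------------------------------------
SAFE_DOC = b'<?xml version="1.0"?><order><item sku="A1" qty="2"/></order>'

# DOCTYPE declaring an external entity (placeholder path, constructed).
XXE_DOC = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///example.txt">]>'
           b'<order>&ext;</order>')

# Nested entities that expand exponentially (a three-level cut-down bomb).
BOMB_DOC = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE lol [<!ENTITY a "ha"><!ENTITY b "&a;&a;&a;&a;">'
            b'<!ENTITY c "&b;&b;&b;&b;">]><lol>&c;</lol>')


def is_accepted(data: bytes) -> bool:
    """True when the gate lets the document through to the real parser."""
    try:
        parse_untrusted(data)
        return True
    except DtdNotAllowed:
        return False
```

The gate is deliberately a separate pass rather than a setting on the application's parser: it does not depend on which XML library the rest of the code uses, and a document is either DTD-free or rejected before any library with entity support sees it. Applications that genuinely need DTDs should instead follow the OWASP XXE prevention guidance for their specific parser.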
Use the following code security best practices to protect against insecure deserialization:
Code Security Best Practices (contd.)
Source: OWASP Top 10 2017 A8 – Insecure Deserialization –
https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization.html
45
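Two of the A8 recommendations, accepting only serialization formats that cannot construct arbitrary objects and checking integrity before deserializing, in one added example written for this page (not the slides' or OWASP's code). It signs a JSON body with an HMAC and refuses to decode anything whose tag does not verify; the key and payloads are constructed for the demo, and the field schema is an assumption standing in for whatever the application actually expects.

```python
"""Integrity-checked deserialization with a data-only format.

Added example, not from the slides or from OWASP. JSON rebuilds only
dicts, lists, strings, numbers and booleans, unlike native object
serializers such as Python's pickle, and the HMAC tag makes any edit to
the body detectable before it is decoded. Key and payloads are constructed.
"""
import hashlib
import hmac
import json

# Demo key only; in a real service this comes from a secrets store.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"

# Assumed schema for the demo: the exact fields and types the app expects.
ALLOWED_FIELDS = {"user_id": int, "role": str}


class TamperedPayload(ValueError):
    """Raised when the HMAC tag does not match the payload body."""


def serialize(obj: dict, key: bytes = DEMO_KEY) -> bytes:
    """Encode as compact JSON and append an HMAC-SHA256 tag."""
    body = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def deserialize(blob: bytes, key: bytes = DEMO_KEY) -> dict:
    """Verify the tag first, then decode, then enforce the schema."""
    body, sep, tag = blob.rpartition(b".")
    if not sep:
        raise TamperedPayload("missing signature")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    # Constant-time compare so timing does not reveal how much matched.
    if not hmac.compare_digest(tag, expected):
        raise TamperedPayload("signature mismatch")
    obj = json.loads(body)
    if not isinstance(obj, dict) or set(obj) != set(ALLOWED_FIELDS):
        raise ValueError("unexpected fields")
    for field, typ in ALLOWED_FIELDS.items():
        if type(obj[field]) is not typ:
            raise ValueError(f"bad type for {field}")
    return obj


def demo_roundtrip() -> dict:
    """A signed payload decodes back to the original dict."""
    return deserialize(serialize({"user_id": 42, "role": "user"}))


def demo_tamper_detected() -> bool:
    """Editing the role in the body without re-signing must be rejected."""
    blob = serialize({"user_id": 42, "role": "user"})
    forged = blob.replace(b'"role":"user"', b'"role":"admin"')
    try:
        deserialize(forged)
        return False
    except TamperedPayload:
        return True
```

The order of checks matters: the signature is verified on the raw bytes before json.loads runs, so malformed or oversized bodies from an unauthenticated source never reach the decoder, and the schema check after decoding keeps a validly signed but stale or unexpected document from flowing into application logic.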
Use the following code security best practices to protect against using components with known vulnerabilities:
Code Security Best Practices (contd.)
Source: OWASP Top 10 2017 A9 – Using Components with Known Vulnerabilities –
https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities.html
46
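A minimal version of what a software composition analysis tool does for A9, added here as an illustration and not taken from the slides or from OWASP: parse the exact pins in a requirements file and compare each against an advisory list that gives the vulnerable range and the fixed version. The advisory feed, the requirements text, the package names and the advisory identifiers are all constructed placeholders, not real packages or real vulnerabilities.

```python
"""Check pinned dependencies against an advisory list.

Added example, not from the slides or from OWASP. The advisory data,
package names and identifiers are constructed placeholders.
"""
import re

# Constructed advisory feed: (package, first vulnerable, first fixed, id)
ADVISORIES = [
    ("examplelib", (1, 0, 0), (1, 4, 2), "ADVISORY-EXAMPLE-001"),
    ("otherlib",   (0, 9, 0), (2, 0, 0), "ADVISORY-EXAMPLE-002"),
]

# Constructed requirements.txt content
REQUIREMENTS = """\
# pinned dependencies (constructed for the demo)
examplelib==1.3.0
otherlib==2.1.0
thirdlib==0.5.1
"""

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)\s*$")


def parse_version(text: str) -> tuple:
    """'1.4.2' -> (1, 4, 2): compare as integer tuples, never as strings,
    otherwise '1.10.0' would sort below '1.9.0'."""
    return tuple(int(part) for part in text.split("."))


def parse_requirements(text: str) -> dict:
    """Return {package: version tuple} for every exact pin; skip comments."""
    pins = {}
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins[m.group(1).lower()] = parse_version(m.group(2))
    return pins


def find_vulnerable(pins: dict, advisories=ADVISORIES) -> list:
    """List (package, advisory id, fixed-in) for pins inside a vulnerable range."""
    hits = []
    for pkg, low, fixed, adv_id in advisories:
        ver = pins.get(pkg)
        if ver is not None and low <= ver < fixed:
            hits.append((pkg, adv_id, ".".join(map(str, fixed))))
    return hits


def report(text: str = REQUIREMENTS) -> list:
    """One-call entry point: parse the file and return the findings."""
    return find_vulnerable(parse_requirements(text))
```

The check only works on exact pins, which is the point: a range specifier such as a minimum version cannot be compared to an advisory, so unpinned dependencies are themselves a finding for a real tool, and the advisory feed must be refreshed on every run rather than embedded as it is here.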
Code security issues are among the OWASP Top 10 list of web application security risks
This is due to weaknesses in coding technologies such as markup languages, scripting languages (client- and server-side), programming languages, etc.
Hackers are able to exploit the weaknesses using attacks such as billion laughs, buffer overflow, code/SSI/JSON injection, XXE attacks, etc.
Best practices to protect code include establishing coding standards, protecting data, performing input validation/error handling/logging, ensuring proper memory management, using code analysis tools to do secure code review, etc.
Recap
47
Thank you!!!
48