
CodeSecurity-IssuesandBestPractices.pptx


Code Security – Issues and Best Practices

1

Outline

Intro to Code Security

Need for Code Security

Code Security Fundamentals

Code Security Issues

OWASP Top 10 – A4:2017– XML External Entities (XXE)

OWASP Top 10 – A8:2017– Insecure Deserialization

OWASP Top 10 – A9:2017– Using Components with Known Vulnerabilities

Attacks against Code Security Mechanisms

Code Security Best Practices

2

Intro to Code Security

3

Intro to Code Security

What is Code?

Code refers to instructions issued to a computer that tells it which actions to perform and in what order

Code is made of strings of typed letters, numbers, and figures, which constitute a language complete with spelling rules and syntax

Code is used to do all sorts of activities including:

Building websites

Flying airplanes

Running NASA satellites

Making cars/cellphones/TVs/gaming consoles, etc. work

4

Source: Indeed.com – How to Write Code in 6 Steps? –

https://www.indeed.com/career-advice/career-development/how-to-write-code

Intro to Code Security (contd.)

Code Types

Markup Languages – Use start tags (e.g., <tag>) and matching end tags (e.g., </tag>) to delimit the different components of a document

Examples:

HTML – Is the code that describes the structure and content of a web application

XML – Is code that is designed to store and transport data in both human– and machine–readable format

SAML – Is a framework for describing and exchanging security information between online business partners

5

Intro to Code Security (contd.)

Code Types (continued)

Scripting Languages – Used to write small programs that are usually interpreted at runtime by a runtime environment

Examples (client-side):

JavaScript – Is a cross-platform scripting language that can be embedded within web pages to create interactive documents

AJAX – Is a combination of technologies (JavaScript, the XMLHttpRequest object, and XML or JSON data formats) that lets a web page exchange data with the server in the background and update parts of the page without a full reload, improving response times

6

Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers –

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf

Intro to Code Security (contd.)

Code Types (continued)

Scripting Languages – Can also be used from server-side

Examples (server-side):

CGI – Is a standard interface through which a web server runs external programs; it is commonly used to make web sites interact with databases and other applications

SSI – Is a limited scripting language supported by most web servers

ASP – Is used to create dynamic and interactive web applications on servers that serve “.asp” web pages (classic ASP on IIS); its successor ASP.NET serves “.aspx” pages and runs on the .NET framework

PHP – Is used to create dynamic web pages that extract data from a database and present it on a web page

7

Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers –

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf

Intro to Code Security (contd.)

Code Types (continued)

Programming Languages – Used to code the business logic behind the web applications

Examples:

Java – Is a cross-platform, object-oriented programming language that runs on the Java Virtual Machine; its managed runtime provides memory safety and a bytecode verifier and access-control model, and open-source implementations (OpenJDK) are freely available

C# – Is an object-oriented programming language created by Microsoft that runs on the .NET framework

Python – Is an interpreted, dynamically typed programming language used to create web applications and also widely used for data processing and scientific computing

Ruby – Is an open-source programming language with a focus on simplicity and productivity

8

Intro to Code Security (contd.)

Code Market Share:

9

Source: Programming Languages Market Share Report – Datanyze –

https://www.datanyze.com/market-share/programming-languages--67/

Intro to Code Security (contd.)

Secure Coding Concepts – Professor Messer

10

Source: Professor Messer – Secure Coding Concepts – CompTIA Security+ SY0-401: 4.1 –

https://www.youtube.com/watch?v=N-tQtS5uQoo

Intro to Code Security (contd.)

Code security refers to “a set of technologies and best practices for making software as secure and stable as possible. It encompasses everything from encryption, certificates, and federated identity to recommendations for moving sensitive data, accessing a file system, and managing memory” (Red Hat, 2020)

As per Apple (2016), code security involves writing software that:

Is resistant to attack by malicious or mischievous people or programs

Stops an attacker from accessing and taking control of a server or a user’s computer resulting in denial of service, compromise of secrets, or damage to the systems of thousands of users

Protects a user’s data from theft or corruption

Is secure regardless of whether it is a small script or a commercial application

11

Need for Code Security

12

Need for Code Security

As per OWASP (2010):

It is much less expensive to build secure software than to correct security issues after the software package has been completed, not to mention the costs that may be associated with a security breach

Securing critical software resources is more important than ever as the focus of attackers has steadily moved toward the application layer

Failure to do secure coding can compromise:

The software and its associated information

The operating systems of the associated servers

The backend database

Other applications in a shared environment

13

Need for Code Security (contd.)

As per Veracode (2020):

Code security analysis is a must for competitive enterprises

Most current threats are directed at the application layer

It is critical to search code for vulnerabilities such as backdoors and malicious code before hackers discover and exploit those vulnerabilities using a variety of attacks

Such code-targeted attacks on the enterprise can have severe consequences:

Reduce productivity

Tie up valuable organizational resources

Damage brand reputation

Cut into profits

14

Need for Code Security (contd.)

As per the Veracode (2019) State of Software Security Report, web applications coded in most common languages have at least 1 vulnerability:

15

Need for Code Security (contd.)

As per the Veracode (2019) State of Software Security Report, the flaw intensity vs flaw prevalence are:

16

Need for Code Security (contd.)

As per the Veracode (2019) State of Software Security Report, the flaw intensity vs flaw prevalence are (continued):

17

Need for Code Security (contd.)

As per the Veracode (2019) State of Software Security Report, the flaw debt types by language are:

18

Need for Code Security (contd.)

Poor code security continues to be a major cause of data breaches (Privacy Rights Clearinghouse, 2020)

19

Code Security Fundamentals

20

Code Security Fundamentals

Secure Coding Standards – SEI | CMU | CERT

21

Source: SEI | CMU | CERT – Secure Coding Standards –

https://www.youtube.com/watch?v=WYKSivnp3gA

Code Security Fundamentals (contd.)

Code security (by code type):

Markup language security

HTML security

XML security

SAML security

Scripting language (client-side) security

JavaScript security (in Firefox)

AJAX security

22

Code Security Fundamentals (contd.)

Code security (by code type):

Scripting language (server-side) security

CGI security

SSI security

ASP security

PHP security

Programming language security

Java security

C++ security

Python security

Ruby security

23

Code Security Issues

24

Code Security Issues

Specific code security issues include the following:

Vulnerabilities in C accounted for about 50% of all reported vulnerabilities across the seven languages studied

The most common CWEs across most of the languages are Cross-Site Scripting (XSS, CWE-79), Improper Input Validation (CWE-20), Permissions, Privileges, and Access Control (CWE-264), and Information Leak / Disclosure (CWE-200)

A significant rise was seen in reported vulnerabilities, driven by the wider use of automated vulnerability-discovery tools and the growth of bug bounty programs

While the number of reported vulnerabilities spiked in the past couple of years, the number of high-severity vulnerabilities decreased in most languages

25

Source: Whitesource – Most Secure Programming Languages –

https://www.whitesourcesoftware.com/most-secure-programming-languages/

Code Security Issues (contd.)

Specific code security issues include the following:

Total reported vulnerabilities per language

26

Source: Whitesource – Most Secure Programming Languages –

https://www.whitesourcesoftware.com/most-secure-programming-languages/

Code Security Issues (contd.)

Top 3 vulnerabilities per language

27

Source: Whitesource – Most Secure Programming Languages –

https://www.whitesourcesoftware.com/most-secure-programming-languages/

Code Security Issues (contd.)

Top 3 vulnerabilities per language

28

Source: Whitesource – Most Secure Programming Languages –

https://www.whitesourcesoftware.com/most-secure-programming-languages/

Code Security Issues (contd.)

OWASP Top 10–A4:2017 – XML External Entities (XXE)

29

Source: OWASP Top 10 2017 A4 – XML External Entities (XXE) –

https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE).html

Code Security Issues (contd.)

Common code security vulnerabilities:

30

Source: OWASP Top 10 2017 A4 – XML External Entities (XXE) –

https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE).html

Code Security Issues (contd.)

OWASP Top 10–A8:2017 – Insecure Deserialization

31

Source: OWASP Top 10 2017 A8 – Insecure Deserialization –

https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization

Code Security Issues (contd.)

Common code security vulnerabilities:

32

Source: OWASP Top 10 2017 A8 – Insecure Deserialization –

https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization

Code Security Issues (contd.)

OWASP Top 10–A9:2017 – Using Components with Known Vulnerabilities

33

Source: OWASP Top 10 2017 A9 – Using Components with Known Vulnerabilities –

https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities

Code Security Issues (contd.)

Common code security vulnerabilities:

34

Source: OWASP Top 10 2017 A9 – Using Components with Known Vulnerabilities –

https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities

Code Security Attacks

35

Code Security Attacks

Most common code security attacks:

36

Attack Type – Description
Billion Laughs Attack / XML Bomb – A block of XML that is both well-formed and valid according to the rules of an XML schema but which crashes or hangs a program when that program attempts to parse it, because nested entity definitions expand exponentially when resolved (Microsoft, 2015)
Buffer Overflow – An attack that writes past the bounds of a buffer and overwrites adjacent memory of a process; the result ranges from errors that end execution of the application in an unexpected way to the attacker hijacking control flow and executing code of their choosing
Code Injection – An attack which consists of injecting code that is then interpreted/executed by the application

Code Security Attacks (contd.)

Most common code security attacks (continued):

37

Attack Type – Description
JSON Injection – An attack in which untrusted input is concatenated into a JSON document without escaping, so the attacker can add or override keys that the server later trusts; the textbook case is a simple server-side PHP back end that ends up granting admin privileges to a regular user
SSI Injection – An attack that exploits a web application by injecting Server Side Include directives into HTML pages, allowing scripts to be injected or arbitrary code to be executed remotely by the web server
XXE Attack – The attacker supplies XML containing an external entity declaration; a parser configured to resolve it breaks out of the usual processing schema, bypasses the application's security checks, and lets the attacker read locally stored files, reach internal network services, or exhaust parser resources

Code Security Attacks (contd.)

What is an XXE Attack – Hacksplaining

38

Source: Hacksplaining – What is an XXE Attack? –

https://www.youtube.com/watch?v=hIHrGuG3r5w

Code Security Best Practices

39

Code Security Best Practices

Best practices for code security include :

Establishing coding standards and conventions

Select languages with awareness of the security issues they inherit (for example, languages without memory safety leave bounds checking to the programmer)

Use built-in security features

Use loosely coupled frameworks / libraries / components

Enforce standards

Using safe functions / APIs only

Provide guidance to developers on what functions / APIs to avoid

Use appropriate tools to assist in identifying and reviewing the usage of dangerous functions

Use the latest versions of compilers / interpreters / runtime environments

40

Source: SAFEcode.org – Fundamental Practices for Secure Software Development –

https://safecode.org/wp-content/uploads/2018/03/SAFECode_Fundamental_Practices_for_Secure_Software_Development_March_2018.pdf

Code Security Best Practices (contd.)

Best practices for code security include (continued):

Using code analysis tools to find security issues early

Use tools to analyze code to identify deviation from requirements

Use tools that plug in directly into the IDE

Use secure code review to identify logical errors in the source code

Handling data safely / handling errors gracefully

Use input validation techniques to begin with

Enforce data segregation to prevent data from becoming application logic

Use encoding so that data is interpreted in the context in which it is used

Use data binding which prevents data from being interpreted as control logic

Use sanitization techniques to remove, replace, or encode unwanted characters
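The JSON injection row in the attacks table and the data-handling bullets above (encoding for context, data binding, sanitization) describe the same fix from two sides. The following is an added example, not code from the original slides: a server-side handler that builds a user record by string concatenation beside one that serialises through json.dumps, and the same mistake in an HTML context fixed with html.escape. The handler, the record layout and the attacker input are constructed for the demonstration.

```python
"""Added example (not from the original slides): JSON injection by string
concatenation, the json.dumps fix, and the same principle (encode for the
output context) applied to HTML. All inputs here are constructed."""
import html
import json

# constructed malicious username: closes the string and appends a new key
ATTACKER_NAME = 'mallory", "role": "admin'


def build_record_unsafe(username):
    """Vulnerable: the untrusted name becomes part of the JSON syntax, so a
    quote in it lets the attacker append fields after the real ones."""
    return '{"role": "user", "name": "' + username + '"}'


def build_record_safe(username):
    """Hardened: json.dumps escapes quotes and control characters, so the name
    can only ever be a string value, never structure."""
    return json.dumps({"role": "user", "name": username})


def effective_role(record_text):
    """What a consuming service acts on after parsing the record. json.loads
    resolves duplicate keys last-wins, which is what the injected
    '"role": "admin"' relies on."""
    return json.loads(record_text)["role"]


def render_greeting_unsafe(username):
    """Same bug in an HTML text context (stored XSS): raw interpolation."""
    return f"<p>Welcome, {username}!</p>"


def render_greeting_safe(username):
    """Encoded for the HTML text context: <, >, &, and quotes become entities."""
    return f"<p>Welcome, {html.escape(username, quote=True)}!</p>"


def demo():
    """Returns ((role seen with unsafe build, role seen with safe build),
    safely rendered greeting for a script payload)."""
    roles = (effective_role(build_record_unsafe(ATTACKER_NAME)),
             effective_role(build_record_safe(ATTACKER_NAME)))
    xss = "<script>alert(1)</script>"          # constructed XSS payload
    return roles, render_greeting_safe(xss)


if __name__ == "__main__":
    print(demo())
```

The point is the context: the same username must be JSON-escaped when it becomes a JSON value and HTML-escaped when it becomes page text; validating it once at the input boundary does not replace either step.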

41

Source: SAFEcode.org – Fundamental Practices for Secure Software Development –

https://safecode.org/wp-content/uploads/2018/03/SAFECode_Fundamental_Practices_for_Secure_Software_Development_March_2018.pdf
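The bullets on using tools to identify dangerous functions (previous slide) and on code analysis tools that find issues early (this slide) both refer to static analysis. The following is an added example, not code from the original slides or from any real tool: a minimal AST-based scanner that walks Python source and reports calls to a deny-list of dangerous sinks with their line numbers. The deny-list and the sample source are constructed for the demonstration; a real tool such as Bandit carries far more rules.

```python
"""Added example (not from the original slides): a small AST scanner for
dangerous function calls. DANGEROUS_CALLS and SAMPLE_SOURCE are constructed."""
import ast

# constructed deny-list: dotted callee name -> reason it is flagged
DANGEROUS_CALLS = {
    "eval": "arbitrary code execution",
    "exec": "arbitrary code execution",
    "pickle.loads": "insecure deserialization",
    "pickle.load": "insecure deserialization",
    "yaml.load": "insecure deserialization (use yaml.safe_load)",
    "os.system": "command injection",
    "subprocess.call": "command injection when shell=True",
}

# constructed source under review (line numbers matter for the findings)
SAMPLE_SOURCE = '''\
import os, pickle, subprocess

def handler(req):
    data = pickle.loads(req.body)          # sink
    total = eval(req.args["expr"])         # sink
    subprocess.call("ls " + req.args["d"], shell=True)
    subprocess.call(["ls", req.args["d"]]) # argv list, no shell: not flagged
    return os.path.join("/srv", data)      # benign
'''


def callee_name(node):
    """Render the called expression as a dotted name, e.g. 'pickle.loads'.
    Returns None for callees that are not plain names/attributes."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = callee_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def has_shell_true(call):
    """True when the call passes the literal keyword argument shell=True."""
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)


def scan(source):
    """Return a sorted list of (line, callee, reason) findings for source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = callee_name(node.func)
        if name not in DANGEROUS_CALLS:
            continue
        if name == "subprocess.call" and not has_shell_true(node):
            continue                     # argv list without a shell is fine
        findings.append((node.lineno, name, DANGEROUS_CALLS[name]))
    return sorted(findings)


if __name__ == "__main__":
    for line, name, reason in scan(SAMPLE_SOURCE):
        print(f"line {line}: {name} -> {reason}")
```

Because it matches on names, the scanner misses aliased imports (`from pickle import loads as l`) and calls through variables; real SAST tools resolve imports and track data flow, which is why the slides recommend tools rather than grep.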

Code Security Best Practices (contd.)

Best practices for code security include the following:

Take Security Requirements and Risk Information into Account During Software Design

Review the Software Design to Verify Compliance with Security Requirements and Risk Information

Verify Third-Party Software Complies with Security Requirements

Reuse Existing, Well-Secured Software When Feasible Instead of Duplicating Functionality

Create Source Code Adhering to Secure Coding Practices

42

Source: NIST – Cybersecurity White Paper –

https://csrc.nist.gov/CSRC/media/Publications/white-paper/2019/06/07/mitigating-risk-of-software-vulnerabilities-with-ssdf/draft/documents/ssdf-for-mitigating-risk-of-software-vulns-draft.pdf

Code Security Best Practices (contd.)

Best practices for code security include the following:

Configure the Compilation and Build Processes to Improve Executable Security

Review and/or Analyze Human-Readable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements

Test Executable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements

Configure the Software to Have Secure Settings by Default

43

Source: NIST – Cybersecurity White Paper –

https://csrc.nist.gov/CSRC/media/Publications/white-paper/2019/06/07/mitigating-risk-of-software-vulnerabilities-with-ssdf/draft/documents/ssdf-for-mitigating-risk-of-software-vulns-draft.pdf

Code Security Best Practices (contd.)

Use the following code security best practices to protect against XML External Entities (XXE):

44

Source: OWASP Top 10 2017 A4 – XML External Entities (XXE) –

https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE).html
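The A4 slides, the XXE row in the attacks table and the best practices above all concern the same parser setting. The following is an added example, not code from the original slides: one XML document parsed by Python's xml.sax with external general entities enabled (the legacy, vulnerable configuration) and then with them disabled (the hardened configuration), plus a pre-parse guard that rejects any DTD outright, which also blocks entity-expansion bombs such as the billion laughs attack. The secret file is a temporary file created here and the payload is built inline; both are constructed for the demonstration.

```python
"""Added example (not from the original slides): XXE against xml.sax with
feature_external_ges on versus off, and a DTD-rejecting guard. The secret
file and the XML payload are constructed for the demonstration."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects the character data of every element."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    @property
    def text(self):
        return "".join(self.chunks)


def build_xxe_payload(path):
    """Attacker-controlled XML: declares an external entity that points at a
    local file and references it in the document body."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE order [<!ENTITY xxe SYSTEM "{path}">]>\n'
        "<order><note>&xxe;</note></order>\n"
    ).encode()


def parse_text(xml_bytes, resolve_external_entities):
    """Parse with xml.sax. True mirrors a parser left in its legacy
    entity-resolving configuration; False is the hardened setting."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text


def reject_dtd(xml_bytes):
    """Defence in depth: refuse documents that carry a DOCTYPE or ENTITY
    declaration at all. Without a DTD there are no custom entities, so neither
    XXE nor entity-expansion bombs can be expressed. Returns clean input."""
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("XML with a DTD/ENTITY declaration is not accepted")
    return xml_bytes


def demo():
    """Returns (text seen by vulnerable parser, text seen by hardened parser,
    whether the guard blocked the payload)."""
    fd, secret_path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write("SECRET-DATA")           # constructed stand-in for /etc/passwd
    try:
        payload = build_xxe_payload(secret_path)
        leaked = parse_text(payload, resolve_external_entities=True)
        safe = parse_text(payload, resolve_external_entities=False)
        try:
            reject_dtd(payload)
            blocked = False
        except ValueError:
            blocked = True
        return leaked, safe, blocked
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    print(demo())
```

Disabling external entities is the parser-level fix the OWASP guidance asks for; the DTD guard is cheap and worth keeping in front of any parser whose configuration you do not control, since a later library upgrade or a different parser class can silently change the default.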

Code Security Best Practices (contd.)

Use the following code security best practices to protect against insecure deserialization:

45

Source: OWASP Top 10 2017 A8 – Insecure Deserialization –

https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization.html

Code Security Best Practices (contd.)

Use the following code security best practices to protect against using components with known vulnerabilities:

46

Source: OWASP Top 10 2017 A9 – Using Components with Known Vulnerabilities –

https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities.html
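The A9 slides and the best practices above call for knowing which components you ship and whether any has a published vulnerability. The following is an added example, not code from the original slides or from any real tool: the core of a software composition analysis check that reads pinned dependencies in requirements.txt form and matches each against an advisory feed of affected version ranges. The package names, versions and advisories are constructed for the demonstration and are not real advisories; a real tool (pip-audit, OWASP Dependency-Check) pulls its feed from a vulnerability database.

```python
"""Added example (not from the original slides): dependency audit against an
advisory feed. REQUIREMENTS and ADVISORIES are constructed sample data."""
import re

# constructed input, in requirements.txt form
REQUIREMENTS = """\
examplelib==1.3.0
fastparse==2.0.1   # pinned after the last audit
tinyjwt==0.9.0
"""

# constructed advisory feed: package -> [(affected range spec, fixed-in)]
ADVISORIES = {
    "examplelib": [(">=1.0.0,<1.4.2", "1.4.2")],
    "tinyjwt":    [("<0.9.0", "0.9.0"), (">=1.0.0,<1.0.3", "1.0.3")],
}

_REQ = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)")
_CLAUSE = re.compile(r"\s*(<=|>=|==|<|>)\s*([0-9.]+)")
_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def parse_version(text):
    """'1.4.2' -> (1, 4, 2); padded so that '1.4' and '1.4.0' compare equal."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def in_range(version, spec):
    """True when every comma-separated clause holds, e.g. '>=1.0.0,<1.4.2'."""
    for clause in spec.split(","):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"bad version clause: {clause!r}")
        if not _OPS[m.group(1)](version, parse_version(m.group(2))):
            return False
    return True


def parse_requirements(text):
    """Return {package: version tuple}; comments and blank lines are skipped."""
    deps = {}
    for line in text.splitlines():
        m = _REQ.match(line)
        if m:
            deps[m.group(1).lower()] = parse_version(m.group(2))
    return deps


def audit(requirements, advisories):
    """Return [(package, installed version, fixed-in)] for every vulnerable pin."""
    hits = []
    for pkg, ver in parse_requirements(requirements).items():
        for spec, fixed in advisories.get(pkg, []):
            if in_range(ver, spec):
                hits.append((pkg, ".".join(map(str, ver)), fixed))
    return hits


if __name__ == "__main__":
    for pkg, ver, fixed in audit(REQUIREMENTS, ADVISORIES):
        print(f"{pkg}=={ver} is affected; upgrade to {fixed}")
```

The check is only as good as two inputs: the pin list must reflect what is actually deployed (transitive dependencies included, which is what a lock file or SBOM gives you), and the advisory feed must be refreshed, since a clean result today says nothing about a disclosure tomorrow.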

Recap

Code security issues are among the OWASP Top 10 list of web application security risks

These issues stem from weaknesses in how code written in markup languages, scripting languages (client- and server-side), programming languages, etc. is written, configured, and made to handle untrusted input

Attackers exploit those weaknesses using attacks such as billion laughs, buffer overflow, code/SSI/JSON injection, XXE attacks, etc.

Best practices to protect code include establishing coding standards, protecting data, performing input validation/error handling/logging, ensuring proper memory management, using code analysis tools to do secure code review, etc.

47

Thank you!!!

48
