Security Code Review Training
2008-02-19 18:05
302 views
Input Validation
Database Handling
Authentication and Session Management
User Access Control (Authorization)
Error Handling and Logging
File Handling
Data Protection
Review time and date calculations
Use application-level functions instead of low-level system functions
Avoid difficult to secure shell languages
Configuration Management
Consider security during abnormal termination
Input Validation
Overview
Related Attacks
Cross Site Scripting (XSS), SQL Injection, Operating System (OS) Injection, Command Injection, Evaluation (Eval) Injection, XML Injection, Document Object Model (DOM) injection.
Rules and Solution
Be pessimistic. Use white-listing, not black-listing
Validate universally and don’t rely on anything that was sent to the client
Validate all input on the server side
Validate all external data/connections
Check for data against range and length limitations
Check for the presence of null-bytes
Perform HTML Entity Encoding
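The rules above in working form. This is an added example, not code from the original training material: the field names, the allow-list patterns and the range limits are constructed for a hypothetical registration form. It shows a server-side allow-list check with length and range bounds, an explicit null-byte rejection, and HTML entity encoding applied at output time as a separate step from input validation.

```python
import html
import re

# Constructed allow-list rules for a hypothetical registration form. Each field has a
# white-list pattern with length bounds; the numeric field also has a value range.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")
AGE_RE = re.compile(r"[0-9]{1,3}")


def validate_username(value: str) -> str:
    """Allow-list check: only the characters the application needs, 3 to 20 of them.
    Null bytes are rejected explicitly because lower layers (C libraries, file systems)
    may truncate the string at the first one and see a different value than we validated."""
    if "\x00" in value:
        raise ValueError("null byte in input")
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("username must be 3-20 characters from [A-Za-z0-9_]")
    return value


def validate_age(value: str) -> int:
    """Length check on the raw text first, then a range check on the parsed number."""
    if not AGE_RE.fullmatch(value):
        raise ValueError("age must be 1-3 ASCII digits")
    age = int(value)
    if not 13 <= age <= 120:
        raise ValueError("age out of range")
    return age


def validate_form(form: dict) -> tuple:
    """Server-side validation of every field, regardless of any client-side checks.
    Returns (clean_values, error_messages); the request proceeds only if errors is empty."""
    clean, errors = {}, []
    for field, check in (("username", validate_username), ("age", validate_age)):
        try:
            clean[field] = check(form.get(field, ""))
        except ValueError as exc:
            errors.append(f"{field}: {exc}")
    return clean, errors


def render_greeting(display_name: str) -> str:
    """Output encoding is separate from input validation: anything echoed into HTML is
    entity-encoded here even if it passed validation. quote=True also encodes " and '
    so the value is safe inside attribute values."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"
```

Note that `render_greeting` encodes unconditionally: validation decides whether data is accepted, encoding decides how it is rendered, and a reviewer should expect to see both.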
==
Database Handling
Overview
Related Attacks
SQL Injection, Denial of Service (DoS).
Rules and Solution
Secure connection credentials
Least-privilege connections
Use parameterized queries
Close the connection
Escape meta-characters for SQL statements
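The string-concatenation pattern a reviewer flags, beside the parameterized form the rules call for, plus a connection that is always closed. This is an added example, not code from the original training material; the in-memory SQLite table and its rows are constructed for the demonstration.

```python
import sqlite3
from contextlib import closing


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table for the example. A real deployment would connect with a
    least-privilege account (SELECT only for this code path) whose credentials come from
    protected configuration, never from source code."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "user"), ("root", "admin")])
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The pattern a reviewer flags: untrusted text is spliced into the statement, so a
    quote in `name` ends the literal and whatever follows becomes SQL syntax."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the driver sends the value separately from the statement,
    so SQL meta-characters in it stay data. No hand-written escaping is needed."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def lookup(name: str) -> list:
    """Open, query and always close the connection, even if the query raises."""
    with closing(make_demo_db()) as conn:
        return find_user(conn, name)
```

Escaping meta-characters by hand is the fallback for the rare statement part that cannot be parameterized (an identifier, for instance); for values, parameters make the escaping question disappear.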
==
Authentication and Session Management
Overview
Related Attacks
Session Hijacking, Privilege Escalation, Session Fixation, Session Interception, Session Prediction
Rules and Solution
Utilize site-wide authentication on every page of an application
Use secure Session IDs
Create Session IDs on the server-side
Don’t use hidden fields or cookies to store sensitive or state information
Apply automatic session logouts
Clear session cookies
Verify the domain of session cookies
Authenticate on include files
Use digital signatures for non-repudiation
Use redirect-after-POST for login
Utilize Application framework-specific session management capabilities
Protect data used for security-critical decisions
Re-authenticate for critical operations
Validate all parties involved with authentication
Protect session data storage space with filesystem permissions
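A minimal server-side session store covering several of the rules at once: IDs created on the server from a cryptographic random source, state kept on the server rather than in cookies or hidden fields, an idle timeout for automatic logout, ID rotation at login against session fixation, a cookie pinned to the application's domain, and a redirect after the login POST. This is an added example, not code from the original training material; the 15-minute timeout, the cookie name and the `/home` landing page are assumed values, and the clock is injectable only so the example can be exercised offline.

```python
import secrets
import time

SESSION_TTL = 15 * 60  # idle timeout in seconds (assumed policy value)


class SessionStore:
    """Server-side session store: the client only ever holds an opaque random ID.
    All state lives here, never in cookies or hidden form fields."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock

    def create(self, user_id: str) -> str:
        # 256 bits from the OS CSPRNG: generated server-side, unguessable, unrelated to user data.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user_id, "last_seen": self._clock()}
        return sid

    def get(self, sid: str):
        """Return the session state, or None if the ID is unknown or idle too long
        (automatic logout; the expired entry is removed, not just ignored)."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > SESSION_TTL:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s

    def rotate(self, old_sid: str):
        """Issue a fresh ID after authentication, so an ID planted before login is useless."""
        s = self._sessions.pop(old_sid, None)
        if s is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = s
        return new_sid

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def session_cookie(sid: str, domain: str) -> str:
    """Set-Cookie value: scoped to the app's own domain, HTTPS only, unreadable by scripts."""
    return f"SESSIONID={sid}; Domain={domain}; Path=/; Secure; HttpOnly; SameSite=Lax"


def login_response_headers(store: SessionStore, user_id: str, domain: str) -> dict:
    """Redirect-after-POST: the login POST is answered with 303 plus the cookie, so a
    browser refresh of the landing page never resubmits the credentials."""
    sid = store.create(user_id)
    return {"Status": "303 See Other", "Location": "/home",
            "Set-Cookie": session_cookie(sid, domain)}
```

When reviewing a framework's built-in session handling, these are the properties to confirm it already provides before accepting it in place of custom code.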
==
User Access Control (Authorization)
Overview
Related Attacks
Privilege Escalation (vertical and horizontal).
Rules and Solution
Use role-based access control
Use secure Session IDs
Define application resources
Define roles/groups
Create an Access Control Matrix
Enforce authorization checks on every request
Enforce business workflow
Use session objects for authorization
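The access-control matrix, role definitions and per-request check described above, with the role read from the server-side session object and a workflow check layered on top. This is an added example, not code from the original training material; the roles (`customer`, `clerk`, `admin`), the `order` resource, its actions and the `new -> approved -> shipped` workflow are constructed for a hypothetical order-processing application.

```python
# Constructed access-control matrix: role -> {(resource, action): scope}.
# Scope "any" grants the action on every object, "own" only on objects the user owns.
# Anything not listed is denied.
ACL = {
    "customer": {("order", "create"): "any", ("order", "view"): "own"},
    "clerk":    {("order", "view"): "any", ("order", "approve"): "any"},
    "admin":    {("order", "view"): "any", ("order", "approve"): "any",
                 ("order", "ship"): "any"},
}

# Business workflow: the only action permitted from each order state.
WORKFLOW = {"new": "approve", "approved": "ship", "shipped": None}
NEXT_STATE = {"approve": "approved", "ship": "shipped"}


def is_allowed(session: dict, resource: str, action: str, owner=None) -> bool:
    """Called on every request. The role comes from the server-side session, never from
    the request itself. Covers vertical (role) and horizontal (ownership) checks."""
    scope = ACL.get(session.get("role"), {}).get((resource, action))
    if scope is None:
        return False
    if scope == "own":
        return owner is not None and owner == session.get("user")
    return True


def advance_order(session: dict, order: dict, action: str) -> dict:
    """Authorization check first, then the workflow check: having the right role is not
    enough if the order is not in the state that allows this step."""
    if not is_allowed(session, "order", action, owner=order["owner"]):
        raise PermissionError(f"{session.get('role')} may not {action} order")
    if WORKFLOW.get(order["state"]) != action:
        raise PermissionError(f"cannot {action} an order in state {order['state']}")
    order["state"] = NEXT_STATE[action]
    return order
```

Keeping the matrix as data rather than as scattered `if role == ...` conditions is what makes it reviewable: the reviewer can read the whole policy in one place and then confirm that every request path calls `is_allowed`.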
==
Error Handling and Logging
Overview
Related Attacks
Buffer overflow, Enumeration, Denial of Service (DoS).
Rules and Solution
Program code must do the error handling
Always use structured exception handlers
Use generic error messages
Implement a generic error page
Record all exceptions in a log
Do not store private information in logs
Logs must be carefully protected against manipulation
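A request wrapper that applies the rules above: a structured exception handler, a generic message to the user carrying only a correlation reference, the full exception recorded in the log with private fields redacted. This is an added example, not code from the original training material; the in-memory log handler, the `charge_card` handler and the list of private field names are constructed so it runs offline (a real service would write to a protected, append-only log destination).

```python
import logging
import traceback
import uuid

# Constructed: collect log records in a list so the example runs offline.
LOG_LINES = []


class ListHandler(logging.Handler):
    def emit(self, record):
        LOG_LINES.append(self.format(record))


log = logging.getLogger("app")
log.setLevel(logging.ERROR)
log.handlers[:] = [ListHandler()]
log.propagate = False

# Constructed: request fields that must never reach a log file.
PRIVATE_FIELDS = {"password", "card_number", "ssn"}


def redact(params: dict) -> dict:
    return {k: ("[REDACTED]" if k.lower() in PRIVATE_FIELDS else v) for k, v in params.items()}


def handle_request(handler, params: dict) -> dict:
    """Structured exception handling around every request: the stack trace goes to the log
    (with private data redacted), the user gets a generic message plus a correlation id
    that support staff can match against the log entry."""
    try:
        return {"status": 200, "body": handler(params)}
    except Exception:
        incident = uuid.uuid4().hex
        log.error("incident=%s params=%s\n%s", incident, redact(params), traceback.format_exc())
        return {"status": 500, "body": f"An internal error occurred (reference {incident})."}


def charge_card(params: dict) -> int:
    """Constructed handler that fails on malformed input, to drive the example."""
    return int(params["amount"]) * 100
```

The same wrapper is where a generic error page would be rendered in a web framework; the point for review is that no code path returns the exception text, a stack trace or an internal path to the client.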
==
File Handling
Overview
Related Attacks
Path Traversal, Privilege Escalation, Data Corruption.
Rules and Solution
Never send the absolute or physical path to the user
Never save files in the web space
Never permit file execution in the file upload directory
Check file ownership and permissions
Validate configuration file values
Use fully qualified DNS names and filenames (a trusted path)
Limit privilege and file system access at the OS
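The file-handling rules applied to an upload directory: every user-supplied name is resolved and confirmed to lie inside the upload root (the check that stops path traversal), files are created without an execute bit, callers only ever see the logical name, and a review-time check confirms ownership and permissions on the directory. This is an added example, not code from the original training material; the upload root is a temporary directory created for the demonstration, and the `0o600` file mode is an assumed policy value.

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed upload root for the example. A real deployment puts it outside the web
# document root and serves files only through the application, never as static content.
UPLOAD_ROOT = Path(tempfile.mkdtemp(prefix="uploads_")).resolve()


def safe_path(name: str) -> Path:
    """Resolve the requested name under UPLOAD_ROOT and refuse anything that escapes it
    ('..' components, absolute paths, symlinks pointing out of the tree). The error
    message deliberately carries no physical path."""
    if "\x00" in name or name == "":
        raise ValueError("invalid file name")
    candidate = (UPLOAD_ROOT / name).resolve()
    if UPLOAD_ROOT not in candidate.parents:
        raise ValueError("invalid file name")
    return candidate


def save_upload(name: str, data: bytes) -> str:
    """Create the file with mode 0600 (no execute bit, no group/other access) and return
    only the logical name to the caller."""
    target = safe_path(name)
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return target.name


def read_upload(name: str) -> bytes:
    """Serve a stored file through the application, after the same path check."""
    return safe_path(name).read_bytes()


def stored_file_mode(name: str) -> int:
    return stat.S_IMODE(safe_path(name).stat().st_mode)


def check_upload_dir(path: Path = UPLOAD_ROOT) -> list:
    """Review-time ownership and permission check on the directory itself."""
    st = path.stat()
    problems = []
    if st.st_uid != os.getuid():
        problems.append("not owned by the application user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    return problems
```

Resolving the path before the containment check is what makes the check meaningful: a comparison against the unresolved string would still accept `..` components and symlinks.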
==
Data Protection
Overview
Related Attacks
Fault Induction, Brute Force.
Rules and Solution
Classify data throughout the application
Do not expose sensitive data in clear text or HTML code
Never use homegrown encryption algorithms
Hash passwords using a “hash algorithm”
Use symmetric encryption for local storage (AES)
Use asymmetric encryption for information sent over the network (SSL, GPG, IPSec)
==
Review time and date calculations
Rules and Solution
The year 2000, leap years and daylight saving time should be accounted for
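The three classes of mistake the rule names, each handled by relying on calendar-aware library functions instead of hand-written arithmetic. This is an added example, not code from the original training material; the two-digit-year pivot of 70 is an assumed value, and the ISO timestamps in the usage are constructed.

```python
from datetime import date, datetime, timedelta, timezone


def is_leap_year(year: int) -> bool:
    """Gregorian rule in full: divisible by 4, except centuries, except every 400 years.
    A check that stops at 'divisible by 4' gets 1900 wrong; one that stops at
    'except centuries' gets 2000 wrong."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def expand_two_digit_year(yy: int, pivot: int = 70) -> int:
    """Legacy two-digit years: make the century choice explicit (>= pivot means 19xx)
    instead of leaving it to whatever the parsing library assumes."""
    if not 0 <= yy <= 99:
        raise ValueError("not a two-digit year")
    return 1900 + yy if yy >= pivot else 2000 + yy


def days_after(year: int, month: int, day: int, n: int) -> tuple:
    """Calendar-aware date arithmetic instead of hand-rolled month-length tables."""
    d = date(year, month, day) + timedelta(days=n)
    return (d.year, d.month, d.day)


def seconds_until_expiry(issued_iso: str, lifetime_seconds: int, now_iso: str) -> int:
    """Token or certificate lifetimes computed in UTC from timezone-aware timestamps, so a
    DST change in the server's local zone can neither extend nor shorten them. Naive
    (zone-less) timestamps are rejected rather than silently assumed to be local time."""
    issued = datetime.fromisoformat(issued_iso)
    now = datetime.fromisoformat(now_iso)
    if issued.tzinfo is None or now.tzinfo is None:
        raise ValueError("timestamps must carry a UTC offset")
    expiry = issued.astimezone(timezone.utc) + timedelta(seconds=lifetime_seconds)
    return int((expiry - now.astimezone(timezone.utc)).total_seconds())
```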
==
Use application-level functions instead of low-level system functions
Rules and Solution
Avoid passing user input to system command-line execution functions (Java Runtime.exec())
==
Avoid difficult to secure shell languages
Rules and Solution
Do not use /bin/sh or /bin/csh for scripting
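One example serving both of the rules above (application-level functions instead of system command execution, and no /bin/sh in the path): two tasks that are often delegated to `du` and `cp` are done in-process, and the one case where an external program is still run uses an argv list with no shell, an allow-listed argument and a timeout. This is an added example, not code from the original training material, written in Python rather than the Java the rule names; the scratch tree in `demo()` is constructed, and the "external tool" is the Python interpreter itself so the example runs anywhere.

```python
import os
import re
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path

# Allow-list for the single argument we ever hand to an external program.
SAFE_ARG = re.compile(r"[A-Za-z0-9._-]{1,64}")


def directory_size(directory: Path) -> int:
    """In-process replacement for shelling out to `du`: no command line, nothing to quote."""
    total = 0
    for entry in os.scandir(directory):
        if entry.is_dir(follow_symlinks=False):
            total += directory_size(Path(entry.path))
        elif entry.is_file(follow_symlinks=False):
            total += entry.stat(follow_symlinks=False).st_size
    return total


def copy_file(src: Path, dst: Path) -> int:
    """In-process replacement for `cp`, returning the copied size."""
    shutil.copyfile(src, dst)
    return dst.stat().st_size


def run_tool(argument: str) -> str:
    """When an external program is unavoidable: allow-list the argument, pass an argv list
    so no shell starts and nothing in `argument` is interpreted, and bound the run time.
    The 'tool' here is the Python interpreter echoing back its first argument."""
    if not SAFE_ARG.fullmatch(argument):
        raise ValueError("argument rejected by allow-list")
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", argument],
        shell=False, capture_output=True, text=True, timeout=10, check=True,
    )
    return proc.stdout.rstrip("\n")


def demo() -> dict:
    """Constructed scratch tree so the example runs offline."""
    root = Path(tempfile.mkdtemp(prefix="demo_"))
    (root / "a.bin").write_bytes(b"x" * 100)
    (root / "sub").mkdir()
    (root / "sub" / "b.bin").write_bytes(b"y" * 50)
    copied = copy_file(root / "a.bin", root / "sub" / "c.bin")
    return {"size": directory_size(root), "copied": copied,
            "echo": run_tool("report-2024.txt")}
```

The review question for any `Runtime.exec()`, `system()` or `subprocess` call is the same: is there a library function that does the job without a command line, and if not, is the program path fixed, the arguments a list, and each argument allow-listed?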
==
Configuration Management
Overview
Related Attacks
Fault Induction, Privilege Escalation, Cross Site Tracing (XST).
Rules and Solution
Always remove unused or legacy components and code
Remove manuals, installation documentation and examples
Remove or restrict any unnecessary web server interfaces
Change default usernames/passwords
Disable unused request types or methods
Use valid SSL certificates
Do not mix data from trusted and non-trusted sources
==
Consider security during abnormal termination
Rules and Solution
Clean up temporary resources
Close all allocated resources including sessions.
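Releasing temporary files, connections and sessions on every exit path, including an exception part-way through the work. This is an added example, not code from the original training material; the session store and connection pool are in-memory stand-ins, and the failure is simulated with a flag so the clean-up can be observed offline. It uses `contextlib.ExitStack` so each resource is registered for release the moment it is acquired.

```python
import os
import tempfile
from contextlib import ExitStack

# Constructed in-memory stand-ins for a session store and a connection pool.
OPEN_SESSIONS = set()
OPEN_CONNECTIONS = set()


def open_session(user: str) -> str:
    OPEN_SESSIONS.add(user)
    return user


def open_connection(name: str) -> str:
    OPEN_CONNECTIONS.add(name)
    return name


def process_job(payload: bytes, scratch_dir: str, fail: bool = False) -> int:
    """Each resource is registered for release immediately after it is acquired, so the
    temp file, the connection and the session are all freed (in reverse order) on every
    exit path: normal return, an exception in the work, or a failure of a later allocation."""
    with ExitStack() as stack:
        tmp = tempfile.NamedTemporaryFile(dir=scratch_dir, delete=False)
        stack.callback(os.unlink, tmp.name)   # LIFO: runs after the file has been closed
        stack.enter_context(tmp)
        conn = open_connection("db")
        stack.callback(OPEN_CONNECTIONS.discard, conn)
        sid = open_session("worker")
        stack.callback(OPEN_SESSIONS.discard, sid)
        tmp.write(payload)
        if fail:
            raise RuntimeError("simulated abnormal termination")
        return len(payload)


def run_job(payload: bytes, fail: bool = False) -> dict:
    """Driver that reports the post-condition: whatever happened, nothing stays allocated."""
    scratch = tempfile.mkdtemp(prefix="job_")
    try:
        result, ok = process_job(payload, scratch, fail), True
    except RuntimeError:
        result, ok = None, False
    return {"ok": ok, "result": result,
            "scratch_empty": os.listdir(scratch) == [],
            "open_sessions": len(OPEN_SESSIONS),
            "open_connections": len(OPEN_CONNECTIONS)}
```

The reviewer's check is that no acquisition sits between a resource being obtained and its release being registered; a `try`/`finally` written after three allocations protects none of them if the second one raises.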