ISACA presentations · The Path to Self Securing Code (Gary Robinson & Yan Huang)
TRANSCRIPT
The Path to Self Securing Code
Gary Robinson
• Founder & Director at Uleska
• OWASP Europe Board Member
• Previously, Senior Application Security Architect at CitiGroup
Dr. Yan Huang
• Sr. Engineer at the Center for Secure Information Technologies (CSIT)
• Part of Queen's University Belfast
• Sr. Engineer at CSITLabs
“Software development has accelerated and improved in almost every aspect – apart from application security.”
“How can we change this?”
Fact
The Application Security industry already knows how to solve every software security issue.
The issue is in execution!
Writing an Effective Source Code Scanner
Using open-source tools to understand the application from its code
Code Scanner
Static Code Analysis
• Model Checking
• Control-flow analysis
• Data-flow analysis
• Symbolic analysis
• Information-flow analysis
Attack Surface Analysis
• Identify what functions and what parts of the system you need to review/test for security vulnerabilities
• Identify high risk areas of code that require defence-in-depth protection
Reducing Attack Surface
Java Source Code Scanner
• Traverses source code directory
• Enumeration of web interface attack surface
• GET/POST parameters
• Store information in a JSON format
JavaParser
• Java Open-Source Library
• LGPL License / Apache License
• The parser is extra lightweight, no dependencies
• Get an Abstract Syntax Tree (AST) from Java code
• Visitor design pattern
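The scanner outlined above (directory traversal, JavaParser AST visitor, GET/POST parameter enumeration, JSON output), as an added example that is not the presenters' code. It assumes JavaParser 3.x (javaparser-core) on the classpath and uses Spring MVC annotation names (@GetMapping, @PostMapping, @RequestParam, @PathVariable) as the assumed markers of the web attack surface.

```java
// Added example, not from the presentation. Assumes javaparser-core 3.x and
// Spring MVC annotations; adjust the annotation names for other frameworks.
import com.github.javaparser.StaticJavaParser;
import com.github.javaparser.ast.CompilationUnit;
import com.github.javaparser.ast.body.MethodDeclaration;
import com.github.javaparser.ast.body.Parameter;
import com.github.javaparser.ast.visitor.VoidVisitorAdapter;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Stream;

public class AttackSurfaceScanner {
    // One attack-surface record: handler method plus the request-bound parameters it accepts.
    static String entry(String file, MethodDeclaration m, String verb) {
        List<String> params = new ArrayList<>();
        for (Parameter p : m.getParameters()) {
            // Only parameters populated from the HTTP request are attacker-controlled input.
            if (p.isAnnotationPresent("RequestParam") || p.isAnnotationPresent("PathVariable")) {
                params.add("{\"name\":\"" + p.getNameAsString() + "\",\"type\":\"" + p.getTypeAsString() + "\"}");
            }
        }
        return "{\"file\":\"" + file.replace("\\", "\\\\") + "\",\"method\":\"" + m.getNameAsString()
                + "\",\"verb\":\"" + verb + "\",\"params\":[" + String.join(",", params) + "]}";
    }
    // Visitor pattern: collect every method annotated as a GET or POST handler in one file.
    static List<String> scanFile(Path file) throws IOException {
        List<String> out = new ArrayList<>();
        CompilationUnit cu = StaticJavaParser.parse(file); // throws ParseProblemException on bad source
        cu.accept(new VoidVisitorAdapter<Void>() {
            @Override public void visit(MethodDeclaration m, Void arg) {
                super.visit(m, arg);
                if (m.isAnnotationPresent("GetMapping")) out.add(entry(file.toString(), m, "GET"));
                if (m.isAnnotationPresent("PostMapping")) out.add(entry(file.toString(), m, "POST"));
            }
        }, null);
        return out;
    }
    // Traverse the source directory, scan each .java file, print the result as one JSON array.
    public static void main(String[] args) throws IOException {
        List<String> entries = new ArrayList<>();
        try (Stream<Path> paths = Files.walk(Path.of(args.length > 0 ? args[0] : "src"))) {
            for (Path p : (Iterable<Path>) paths.filter(f -> f.toString().endsWith(".java"))::iterator) {
                entries.addAll(scanFile(p));
            }
        }
        System.out.println("[" + String.join(",", entries) + "]");
    }
}
```

Run it with the project's source root as the argument; the JSON array lists each handler with its HTTP verb and request-bound parameters, which is the attack-surface inventory the later review and defence-in-depth decisions are based on.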
Project Models (architecture diagram; only the labels survive):
• Data/Artifact Recording Engine
• Data/Artifact Enumeration (CVE, data type, library query)
• Project Model
• Security Code/Feature Implementation Generation
• Real-time Security Implementation
• Security Model