Code Review Approach

Submitted to Dubai bank

1
2

About Green Method Industry Credentials Green Method Services

3 4 5

Green Method Approach Examples

About Green Method

FZE company based out of UAE Invested by experienced information security organization, Secureyes All projects delivered by expert consultants with varied experience from 15 years to 3 years Have resource center in India (Secureyes) and houses about 30 information security consultants
Green Method is a co-invested partner of SecurEyes, India. SecurEyes acts as the technology and resource hub for all the MENA & Indian operations. SecurEyes specializes in Information Security Services delivery.

Founded in 2004, SecurEyes comprises of a group of dedicated information security professionals from different domains. Secureyes have the base in Bangalore and have done several information security projects in India, Middle East, Africa and the United States of America.

Industry Credentials
Our Consultants have: Vast experience in providing information security consulting services for large banks, telecom and government organizations in the Middle-east and Africa region. Conducted end to end risk assessments for multiple multinational banks across the globe. Audited 500+ business critical applications. Trained over 3000+ software developers on secure coding practices. Empanelled by CERT-IN, Ministry of Communications & Information Technology, Government of India as IT Security Auditors. Actively involved in R&D activities and have been speaking in well known security conferences Developed in-house security tools in collaboration with Foundstone (HACKME Bank version 1 has seen more than a million downloads). Actively involved in web-based malware research activities to identify, detect and clean malwares from websites. Have developed proprietary tools to continuously monitor the web sites of our customers.

Green Method Services

Governance IT Strategy Development IT Governance Design IT Strategy Planning Enterprise IT Architecture Development Enterprise Performance Management Balanced Score Card Implementation Risk Management Business Continuity Management Information Security Risk Management Disaster Recovery Planning Ethical Hacking ERP / Applications Business Control Audit VOIP Risk Assessment GSM Risk Assessment Compliance ISO 27001 based ISMS build and accreditation assistance ISO 20000 based ITSM system build and accreditation assistance BS 25999 based BCMS system build and accreditation assistance Payment Card Industry Data Security Standards (PCI-DSS) Compliance Facilitation

A few of Our Clients

Sample Projects: ISMS Application Audit VA & PT Secure Code Review IT Strategy Development IT Governance Framework Design Balance Score Card Implementation Performance Measurement Enterprise Risk Assessments Client Domains Banking & Finance Multi Business Conglomerates Retail IT Companies Government

Green Method Approach

Application Understanding & Architecture Analysis Application Threat Profiling Application Code Review Report Documentation Confirmation Review

Industry Best Practices and Standards Compliance

OWASP ISECOM

Application Understanding & Architecture Analysis

Gain thorough application understanding using: Available documentation Application walk through Development team interviews etc.

Learn the application architecture through: Available documentation Meeting / Discussions with developers
Develop understanding of different component modules in the application along with their dependencies Study all application interfaces Study custom communication protocols if any

Application Threat Profiling

Threat profiling
Listing the threats the application may be exposed to

Mapping threats to different modules

Develop module wise test plan for code review

Prioritizing
Critical application modules Interface layers

Application Code Review

Manual review of the application code

Identification of insecure coding issues Discovering and categorizing replicating vulnerable code throughout the application Carrying out exploit simulation for vulnerabilities found in manual code review Documenting vulnerable code snippets

Application Code Review

Manual review of the application code

Identification of insecure coding issues Discovering and categorizing replicating vulnerable code throughout the application Carrying out exploit simulation for vulnerabilities found in manual code review Documenting vulnerable code snippets

Code Review - Sample Areas

1 Authentication
Password complexity, susceptibility to brute forcing, account lockout on incorrect login attempts, user name harvesting, stealing of passwords locally, login error messages, password policy, SQL injection, etc Insecure session management, Secure Cookie use, caching, user tracking logic, susceptibility to session hijacking / session replay attacks Review HTML Page source code for: Revision History, developer Comments, E-mail Addresses, Internal host information, Hidden form fields, Error messages Buffer overflow, SQL injection, Cross site scripting, System calls, URL re-writing

Authorization

Information Leakage

Field Variable Control

Session Time-out and Log-out

Cookie invalidation, are multiple logins allowed for a single user, Reusing older credentials to gain access, secure logout mechanism , session fixation, session

riding

Code Review Sample Technical Risks Covered

Input data validation SLQ injection XSS attacks Authentication & authorization of users Improper session management Improper error handling Weak cryptography implementation Insecure configuration management Improper handling of sensitive data Hard coded secrets Weak auditing & logging mechanisms Insecure developer comments

Code Review Sample Specific Checks

Input data validation
Server side validations for SQL injection, XSS, business rules, etc Data type, length & format checking White list validation Sanitization

Authentication
CAPTCHA/Account lock out Use of salted one way hash

Reporting
Final Report with security risks, impact and solutions All vulnerable codes are depicted using appropriate screen shots Presentation/Call with developers to explain exploit scenarios Detailed report containing:

Separate executive and technical sections Prioritized results Risks described in terms of real business risk! Details of vulnerabilities/holes discovered in code Step-by-step description of insecure code and possible exploits No false positives Practicable recommendations

Confirmatory Review

Post implementation review Black box penetration testing Ensuring all holes have been plugged by the development team

Benefits of Code Review

Detailed knowledge of application at following levels
Design Architecture Source Code

Internal behavior of the program is completely understood Best approach for identifying all potential threats Fool-proof method of securing applications Identifies even the most remote application security holes

Benefits of Code Review

Detect Insecure Coding Flaws
Discover common security issues in code Identify uncommon security loopholes - even deep inside the code

Spot Insecure Logical Flaws

Identify code that flouts Business rules Identify workflow bypass issues

Discover potential backdoors in code

Discover backdoors purposefully inserted by developers

Gain 360 Security of the application

Example: SQL Injection

Example: Weak Input Validation

Example: Improper Session Management

Example: Improper Error Handling

Thank You