Secure Code Reviews: Magic or Art?

Sherif Koussa

Wed, 24th July 2013

Speaker Bio:
Sherif (@Skoussa) has 14 years in the software development industry, with the last 6 years solely focused on application security. Sherif is the Principal Security Consultant and Founder of Software Secured, where his time is devoted to helping organizations assess their high-risk software applications using a source-code driven security methodology. Mr. Koussa is also a member of the Steering Committee for the GIAC's GSSP-JAVA and GSSP-NET Exams. In addition to that, Mr. Koussa authored courseware for SANS' new VoIP Security course.

Mr. Koussa is currently leading the OWASP Ottawa Chapter and was the main force behind OWASP's WebGoat 5.0. Sherif performed security code review for 3 of the 5 largest banks in the United States. Before starting Software Secured, Mr. Koussa was architecting, designing, implementing and leading large-scale software projects for Fortune 500 companies including United Technologies and other leading organizations including Nortel Networks, March Healthcare, Carrier, Otis Elevators and NEC Unified Communications.

Learning Objectives:

Sherif will explain:

  • How security code reviews are one of the best ways to uncover security flaws in source code.
  • The essential steps, skills and tools to kick-off security code reviews at your organization.

Questions and answers

Max, Concise Courses:
Would you ever recommend using code snippets and if so where is a good library of sanitized snippets?

Sherif Koussa:
Code snippets are actually a lot of times ‘a must’ to show the developer where exactly the problem is. I am not sure why you would need to sanitize the code, because you are sending what’s more important than the code, [i.e.] what the problem is with the code. I don’t know of a good tool that would sanitize the code, but there is one thing which you need to be careful about. If you are sending code snippets you need to include only the places where it is problematic, [because] no one is going to look at thousands of lines of code, so only those lines that have a problem.

The second most important thing is to find out all the passwords and encryption keys, all of those things because you do not need to spread those around to everybody who is going to look at the report, but the whole report should be treated as confidential as possible because it includes all the problems that exist in the application.
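The two rules in this answer, include only the flagged lines and keep passwords and keys out of the report, can be automated at the point where snippets are cut. The following is an added example (not from the webinar or from Software Secured): the source file, the flagged line number and the name patterns are constructed for illustration, and the secret-matching pattern is deliberately broad, since redacting too much costs less than leaking a key.

```python
import re

# Constructed sample: a source file as a code reviewer might receive it.
SAMPLE_SOURCE = """\
import sqlite3
DB_PASSWORD = "hunter2-constructed"
API_KEY = 'AKIA-CONSTRUCTED-EXAMPLE'
def find_user(conn, name):
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()
"""

# String literals assigned to password/key-like names must never reach the report.
# The name list is an assumption; extend it for the code base under review.
SECRET_ASSIGN = re.compile(
    r"""(?P<lhs>\b[A-Za-z_]*(password|passwd|pwd|secret|api_key|token|key)[A-Za-z_]*\s*=\s*)"""
    r"""(?P<q>['"])(?P<val>.*?)(?P=q)""",
    re.IGNORECASE,
)


def redact_secrets(line: str) -> str:
    """Replace the value of any password/key-like assignment with a placeholder."""
    return SECRET_ASSIGN.sub(
        lambda m: f"{m.group('lhs')}{m.group('q')}<REDACTED>{m.group('q')}", line
    )


def snippet_for_report(source: str, flagged_lines: set, context: int = 1) -> list:
    """Return only the flagged lines (plus `context` lines around each),
    numbered as in the original file and with secrets redacted."""
    lines = source.splitlines()
    keep = set()
    for n in flagged_lines:
        for k in range(n - context, n + context + 1):
            if 1 <= k <= len(lines):
                keep.add(k)
    return [f"{k:4d}: {redact_secrets(lines[k - 1])}" for k in sorted(keep)]


if __name__ == "__main__":
    # Line 5 is the finding (string-built SQL); line 2 shows the redaction path.
    for row in snippet_for_report(SAMPLE_SOURCE, {2, 5}):
        print(row)
```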

Max, Concise Courses:
What do you think about Bug Bounties, are they now becoming the standard for vendors to implement?

Sherif Koussa:
Bug Bounties are really an economic way for companies to entice researchers and hopefully some attackers to tell them first about the vulnerabilities before they actually do something bad with it, so they are trying to get the bad guys and the researchers into their site. It is definitely a positive thing for companies.

The risk comes from relying solely on those programs [bug bounties] for security assurance; that would be dangerous.

Max, Concise Courses:
Do you think I should learn PHP? My friends keep telling me that Python is better but I’m not so sure, by the way I want to be a web programmer…thanks!

Sherif Koussa:
That’s a tough question! In my own opinion no language is really better than another. There is a use for JAVA, a use for C++, a use for PHP, and Python and Ruby etc! Start with a language that you feel most comfortable with. Most likely what will happen is that after you spend a few years in one language you will naturally find yourself going into other languages. For example, I started with C++ and then business requirements [made me transfer] to ASP. I went from one extreme, C++, to ASP Web Development, and then I switched to JAVA and then DotNet and then PHP. One thing will lead to the other. Don’t spend too much time deciding which one, just go into one of them and the rest will come.

Max, Concise Courses:
What is the biggest hurdle in adopting security code reviews in organizations that you have worked with?

Sherif Koussa:
Basically it is expectations. Organizations expect that when they first adopt security code reviews it’s going to be an easy process. In fact, companies need to ramp up for security code reviews; they need to focus. I sometimes recommend that they only focus on maybe half of the OWASP Top Ten, focusing mainly on SQL-Injection, because SQL-Injection is responsible for seven out of ten all-time data breaches. So, if we just eliminated SQL-Injection that’s really remarkable.
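What a reviewer focusing on SQL-Injection is looking for is the pattern below: untrusted input spliced into the SQL text, beside the parameterized form that the review recommends instead. This is an added example (not code from the webinar); the in-memory table, user names and test input are constructed.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """What a reviewer flags: the value becomes part of the SQL statement itself,
    so the caller controls the query structure, not just the compared value."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_fixed(conn: sqlite3.Connection, name: str) -> list:
    """The fix: the statement text is constant; the value travels as a bound
    parameter and can only ever be compared, never parsed as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo() -> dict:
    """Run both versions on a normal name and on a constructed test input that
    turns the WHERE clause into a tautology when string-spliced."""
    conn = make_db()
    normal = "bob"
    crafted = "x' OR 'a'='a"
    return {
        "vuln_normal": find_user_vulnerable(conn, normal),
        "vuln_crafted": find_user_vulnerable(conn, crafted),   # every row leaks
        "fixed_normal": find_user_fixed(conn, normal),
        "fixed_crafted": find_user_fixed(conn, crafted),       # no such user
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```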

Max, Concise Courses:
Does the choice of static analysis tool make a difference?

Sherif Koussa:
It does. Again, static code analysis or automation is only part of the whole picture. That is why a lot of companies start with static code analysis tools; they put it in and one of two things happens. The first one is that it generates tons of false positives, so they say, ‘you know what, this is a waste of time, we are not going to spend time looking at all of these.’ The second thing that could happen is that the tool doesn’t find any meaningful vulnerabilities, so they think that their product is pretty secure, but actually it is not, because the tool wasn’t tweaked enough or it wasn’t the best tool for their environment.

I invite you guys to look at the static analysis tool evaluation criteria from OWASP, because this will give you some guidelines on which tool will best fit your environment.