SlideShare a Scribd company logo

Static analysis for security

Download as PPTX, PDF
Fadi Abdulwahab, profile picture
Fadi Abdulwahab

The document discusses static and dynamic analysis as essential practices for ensuring software security before release. It highlights the importance of tools and manual code reviews in identifying risks and enforcing best security practices. The document also emphasizes the role of both development and information security departments in utilizing these analyses to enhance application security.

Technology
1 of 12
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
Static Analysis for Security JUNE 2016 FABDULWAHAB.COM
Security is Requirement  Testing code against common security risks to ensure the quality before release(before attacker access)  Help in implementation best practices and prioritize the risks  Also called white box testing or source code review
Software developers are the first and best line of defense for the security of their code
Types  Static  Analyze the code before go to run  Automated by tools (also can analyze the binary code or (bytecode) but with limitations)  Also include code review by senior developers and professionals  Find risks like business logic , exception handling and NULLL issues  Dynamic  Analyze the application behavior during the run phase  Automated by tools  Used when no code access or knowledge  Find risks like XSS , Injection or configuration issues  Better to go with both types (defense in depth)
Development Process  Study past security errors and prevent them from happening in the future  All portions of the program must be secure  Still need best practices , training and skills  Whitelist vs. blacklist validation  Good design and good implementation need each other  Manual Code review is very important  Including configuration analysis
Tools  Information security department focus on dynamic analysis tools for pen testing  Development department focus on static analysis and sometime also for dynamic analysis tools  In most cases ,Static analysis tools integrated with IDE  Tools has rules to validate the code like searching for user inputs like Request[] or searching for injection like SQL Command in code …  Remember , running tools doesn’t make application secure
false negatives are more troublesome than false positives
Tools  Static analysis tools categories  Type checking  Style checking (whitespace , naming , program structure …)  Program understanding (find all uses of this methods or variable …)  Program verification and Property checking (check against rules and specifications)  Bug finding  Security review
Tools  Commercial/free  Open source  Support Development Standards and Compliance (PCI , ISO …)  Based on programming Languages  Examples  https://sourceforge.net/projects/visualcodegrepp/  https://sourceforge.net/projects/agnitiotool/  https://www.microsoft.com/en-us/download/details.aspx?id=6544  ttps://www.microsoft.com/en-us/download/details.aspx?id=19968  http://www8.hp.com/us/en/software-solutions/application-security/index.html  https://www.checkmarx.com/  https://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html (list)
Demo 01 – Visual Studio Code Analysis  Identify potential issues based on Microsoft’s rules and best practices  http://nugetmusthaves.com/Tag/CodeAnalysis  http://fxcopaspnetsecurity.codeplex.com/  https://blogs.msdn.microsoft.com/hkamel/2013/10/24/visual-studio-2013-static- code-analysis-in-depth-what-when-and-how/
Demo 02 – WCSA  To analyze the web.config  https://code.google.com/archive/p/wcsa/downloads
References  https://www.owasp.org/index.php/Static_Code_Analysis  Secure Programming with Static Analysis book , By Brian and Jacob

More Related Content

PPTX
Quality in Cyber security Awareness
Fadi Abdulwahab
 
PDF
A5-Security misconfiguration-OWASP 2013
Sorina Chirilă
 
PPTX
Security testing operation vijay
lavanyam210
 
PPTX
A5: Security Misconfiguration
Tariq Islam
 
PPTX
ASP.NET security vulnerabilities
Aleksandar Bozinovski
 
PDF
The Complete Web Application Security Testing Checklist
Cigital
 
PPTX
Web Application Security 101
Jannis Kirschner
 
PDF
Web Application Security 101
Cybersecurity Education and Research Centre
 
Quality in Cyber security Awareness
Fadi Abdulwahab
 
A5-Security misconfiguration-OWASP 2013
Sorina Chirilă
 
Security testing operation vijay
lavanyam210
 
A5: Security Misconfiguration
Tariq Islam
 
ASP.NET security vulnerabilities
Aleksandar Bozinovski
 
The Complete Web Application Security Testing Checklist
Cigital
 
Web Application Security 101
Jannis Kirschner
 
Web Application Security 101
Cybersecurity Education and Research Centre
 

What's hot (20)

PPTX
Uniface Web Application Security
Uniface
 
PPTX
Microsoft Fakes, Unit Testing the (almost) Untestable Code
Aleksandar Bozinovski
 
PPTX
Security Testing
Qualitest
 
PPTX
Application Security Tools
Lalit Kale
 
PDF
Testing Web Application Security
Ted Husted
 
PDF
5 Important Secure Coding Practices
Thomas Kurian Ambattu,CRISC,ISLA-2011 (ISC)²
 
ODP
OWASP Secure Coding
bilcorry
 
PDF
Threat Detection using Analytics & Machine Learning
Priyanka Aash
 
PPTX
Security misconfiguration
Micho Hayek
 
PPTX
Web application security
Kapil Sharma
 
PDF
OWASP Secure Coding Practices - Quick Reference Guide
Ludovic Petit
 
PDF
[Wroclaw #6] Introduction to desktop browser add-ons
OWASP
 
PPTX
Application Security-Understanding The Horizon
Lalit Kale
 
PPT
Get Ready for Web Application Security Testing
Alan Kan
 
PPTX
3. backup file artifacts - mazin ahmed
Rashid Khatmey
 
PPT
Step by step guide for web application security testing
Avyaan, Web Security Company in India
 
PPTX
Owasp top10salesforce
gbreavin
 
PPTX
Security Testing for Web Application
Precise Testing Solution
 
PPT
Owasp Top 10 - Owasp Pune Chapter - January 2008
abhijitapatil
 
PPTX
Owasp first5 presentation
Ashwini Paranjpe
 
Uniface Web Application Security
Uniface
 
Microsoft Fakes, Unit Testing the (almost) Untestable Code
Aleksandar Bozinovski
 
Security Testing
Qualitest
 
Application Security Tools
Lalit Kale
 
Testing Web Application Security
Ted Husted
 
5 Important Secure Coding Practices
Thomas Kurian Ambattu,CRISC,ISLA-2011 (ISC)²
 
OWASP Secure Coding
bilcorry
 
Threat Detection using Analytics & Machine Learning
Priyanka Aash
 
Security misconfiguration
Micho Hayek
 
Web application security
Kapil Sharma
 
OWASP Secure Coding Practices - Quick Reference Guide
Ludovic Petit
 
[Wroclaw #6] Introduction to desktop browser add-ons
OWASP
 
Application Security-Understanding The Horizon
Lalit Kale
 
Get Ready for Web Application Security Testing
Alan Kan
 
3. backup file artifacts - mazin ahmed
Rashid Khatmey
 
Step by step guide for web application security testing
Avyaan, Web Security Company in India
 
Owasp top10salesforce
gbreavin
 
Security Testing for Web Application
Precise Testing Solution
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
abhijitapatil
 
Owasp first5 presentation
Ashwini Paranjpe
 
Ad

Viewers also liked (20)

PDF
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shah
nullowaspmumbai
 
PDF
Introduction to burp suite
Utkarsh Bhargava
 
PPTX
OWASP Zed Attack Proxy
Fadi Abdulwahab
 
PPTX
Webinar: Ransomware - Five Reasons You’re Not As Protected As You Think
Storage Switzerland
 
PDF
Using Massively Distributed Malware in APT-Style Attacks
IBM Security
 
PDF
Base64 Encoding
Jonathan Francis Roscoe
 
KEY
Scénarios d'exploitation Metasploit - FR : Scénario 1
Eric Romang
 
ODP
2600 av evasion_deuce
Db Cooper
 
PDF
The old is new, again. CVE-2011-2461 is back!
Luca Carettoni
 
PPT
Pentesting Using Burp Suite
jasonhaddix
 
PDF
Attaque metasploite
Majid CHADAD
 
KEY
Scénarios d'exploitation Metasploit - FR : Scénario 3
Eric Romang
 
PPTX
Fuzzing | Null OWASP Mumbai | 2016 June
nullowaspmumbai
 
PPTX
Burp Suite Starter
Fadi Abdulwahab
 
PDF
14 Jan17- Nullmeets -Blockchain concept decoded by Ninad Sarang
Ninad Sarang
 
PDF
Null Mumbai 14th May Lesser Known Webapp attacks by Ninad Sarang
nullowaspmumbai
 
PDF
An EyeWitness View into your Network
CTruncer
 
ODP
Introduction to ethereum_public
antitree
 
PPTX
Pen Testing, Red Teaming, and More
CTruncer
 
PDF
Offensive OSINT
Christian Martorella
 
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shah
nullowaspmumbai
 
Introduction to burp suite
Utkarsh Bhargava
 
OWASP Zed Attack Proxy
Fadi Abdulwahab
 
Webinar: Ransomware - Five Reasons You’re Not As Protected As You Think
Storage Switzerland
 
Using Massively Distributed Malware in APT-Style Attacks
IBM Security
 
Base64 Encoding
Jonathan Francis Roscoe
 
Scénarios d'exploitation Metasploit - FR : Scénario 1
Eric Romang
 
2600 av evasion_deuce
Db Cooper
 
The old is new, again. CVE-2011-2461 is back!
Luca Carettoni
 
Pentesting Using Burp Suite
jasonhaddix
 
Attaque metasploite
Majid CHADAD
 
Scénarios d'exploitation Metasploit - FR : Scénario 3
Eric Romang
 
Fuzzing | Null OWASP Mumbai | 2016 June
nullowaspmumbai
 
Burp Suite Starter
Fadi Abdulwahab
 
14 Jan17- Nullmeets -Blockchain concept decoded by Ninad Sarang
Ninad Sarang
 
Null Mumbai 14th May Lesser Known Webapp attacks by Ninad Sarang
nullowaspmumbai
 
An EyeWitness View into your Network
CTruncer
 
Introduction to ethereum_public
antitree
 
Pen Testing, Red Teaming, and More
CTruncer
 
Offensive OSINT
Christian Martorella
 
Ad

Similar to Static analysis for security (20)

PDF
WhiteList Checker: An Eclipse Plugin to Improve Application Security
guest56b7565
 
PDF
Static code analysis
Prancer Io
 
PPT
Ensuring code quality
MikhailVladimirov
 
PDF
Using Third Party Components for Building an Application Might be More Danger...
Achim D. Brucker
 
PPT
Software Security Engineering
Marco Morana
 
PDF
Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Perforce
 
PDF
All You Need to Know About Application Security Testing.pdf
kalichargn70th171
 
PDF
OWASP Secure Coding Quick Reference Guide
Aryan G
 
PPTX
Secure SDLC in mobile software development.
Mykhailo Antonishyn
 
DOCX
Aardwolf Security's Expert Code Review Services
Aardwolf Security
 
PPTX
What are DevSecOps Tools and Why Do You Need Them?
Dev Software
 
PPTX
What are DevSecOps Tools and Why Do You Need Them.pptx
Dev Software
 
PPT
Chapter 2- Software Security FULL SLIDES.ppt
Lina Shimelis
 
PPT
Software security engineering
AHM Pervej Kabir
 
PPT
Software security engineering
AHM Pervej Kabir
 
PDF
10 Tips to Keep Your Software a Step Ahead of the Hackers
Checkmarx
 
PPT
Software Security Initiatives
Marco Morana
 
PDF
4 approaches to integrate dev secops in development cycle
Enov8
 
PDF
Arved sandstrom - the rotwithin - atlseccon2011
Atlantic Security Conference
 
PPT
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
gealehegn
 
WhiteList Checker: An Eclipse Plugin to Improve Application Security
guest56b7565
 
Static code analysis
Prancer Io
 
Ensuring code quality
MikhailVladimirov
 
Using Third Party Components for Building an Application Might be More Danger...
Achim D. Brucker
 
Software Security Engineering
Marco Morana
 
Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Perforce
 
All You Need to Know About Application Security Testing.pdf
kalichargn70th171
 
OWASP Secure Coding Quick Reference Guide
Aryan G
 
Secure SDLC in mobile software development.
Mykhailo Antonishyn
 
Aardwolf Security's Expert Code Review Services
Aardwolf Security
 
What are DevSecOps Tools and Why Do You Need Them?
Dev Software
 
What are DevSecOps Tools and Why Do You Need Them.pptx
Dev Software
 
Chapter 2- Software Security FULL SLIDES.ppt
Lina Shimelis
 
Software security engineering
AHM Pervej Kabir
 
Software security engineering
AHM Pervej Kabir
 
10 Tips to Keep Your Software a Step Ahead of the Hackers
Checkmarx
 
Software Security Initiatives
Marco Morana
 
4 approaches to integrate dev secops in development cycle
Enov8
 
Arved sandstrom - the rotwithin - atlseccon2011
Atlantic Security Conference
 
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
gealehegn
 

Recently uploaded (20)

PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Teaching material agriculture food technology
LiaRayya
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Cloud computing and distributed systems.
kkkkkhan
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 

Static analysis for security

  • 1. Static Analysis for Security JUNE 2016 FABDULWAHAB.COM
  • 2. Security is Requirement  Testing code against common security risks to ensure the quality before release(before attacker access)  Help in implementation best practices and prioritize the risks  Also called white box testing or source code review
  • 3. Software developers are the first and best line of defense for the security of their code
  • 4. Types  Static  Analyze the code before go to run  Automated by tools (also can analyze the binary code or (bytecode) but with limitations)  Also include code review by senior developers and professionals  Find risks like business logic , exception handling and NULLL issues  Dynamic  Analyze the application behavior during the run phase  Automated by tools  Used when no code access or knowledge  Find risks like XSS , Injection or configuration issues  Better to go with both types (defense in depth)
  • 5. Development Process  Study past security errors and prevent them from happening in the future  All portions of the program must be secure  Still need best practices , training and skills  Whitelist vs. blacklist validation  Good design and good implementation need each other  Manual Code review is very important  Including configuration analysis
  • 6. Tools  Information security department focus on dynamic analysis tools for pen testing  Development department focus on static analysis and sometime also for dynamic analysis tools  In most cases ,Static analysis tools integrated with IDE  Tools has rules to validate the code like searching for user inputs like Request[] or searching for injection like SQL Command in code …  Remember , running tools doesn’t make application secure
  • 7. false negatives are more troublesome than false positives
  • 8. Tools  Static analysis tools categories  Type checking  Style checking (whitespace , naming , program structure …)  Program understanding (find all uses of this methods or variable …)  Program verification and Property checking (check against rules and specifications)  Bug finding  Security review
  • 9. Tools  Commercial/free  Open source  Support Development Standards and Compliance (PCI , ISO …)  Based on programming Languages  Examples  https://sourceforge.net/projects/visualcodegrepp/  https://sourceforge.net/projects/agnitiotool/  https://www.microsoft.com/en-us/download/details.aspx?id=6544  ttps://www.microsoft.com/en-us/download/details.aspx?id=19968  http://www8.hp.com/us/en/software-solutions/application-security/index.html  https://www.checkmarx.com/  https://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html (list)
  • 10. Demo 01 – Visual Studio Code Analysis  Identify potential issues based on Microsoft’s rules and best practices  http://nugetmusthaves.com/Tag/CodeAnalysis  http://fxcopaspnetsecurity.codeplex.com/  https://blogs.msdn.microsoft.com/hkamel/2013/10/24/visual-studio-2013-static- code-analysis-in-depth-what-when-and-how/
  • 11. Demo 02 – WCSA  To analyze the web.config  https://code.google.com/archive/p/wcsa/downloads