[Owasp-leaders] Code review for backdoors

Ali Khalfan ali.khalfan at owasp.org
Wed Mar 11 20:50:29 UTC 2015


Yes,

one reason I wanted to set up some sort of guideline is for peer
reviewing.  The last thing a developer would want to do is read code
they did not create prior to deployment.  So, it would be easier to have
a guideline telling the developer what to look for (e.g. hard-coded
values, encoded strings, etc.).   Another reason would be for the
security reviewers and auditors who have tools, but of course tools may
detect security weaknesses, not backdoors or logic bombs.  Thus, I think
giving the reviewers general 'hints' on what to look for would be very
helpful.


If you have a link or summary of the Cigital session, please do share.



Ali

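An added example, not from this thread or from the OWASP Code Review Guide: a small Python heuristic that flags the kinds of things listed above as reviewer 'hints' (hard-coded credential values, comparisons against literal credentials, base64-looking string literals, and date-triggered branches of the logic-bomb sort). The source it scans is constructed inline; the function names, the regexes and the thresholds are my own assumptions, and the output is a list of places for a human reviewer to read, not a verdict.

```python
import ast
import base64
import binascii
import re

# Heuristics (assumptions, tune for your code base):
# identifiers that usually hold credentials, and what a base64 blob looks like.
CRED_NAME = re.compile(r"(pass(word)?|pwd|secret|token|api_?key|master|user(name)?)", re.I)
B64_TEXT = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
# attribute names that suggest a clock/date comparison (possible time trigger)
TIME_ATTRS = {"today", "now", "utcnow", "date", "datetime", "time"}


def looks_base64(s):
    """True if s is a well-formed base64 string of at least 16 characters."""
    if not B64_TEXT.match(s) or len(s) % 4:
        return False
    try:
        base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def scan_source(src):
    """Walk a Python module and return sorted (lineno, kind, detail) hints."""
    findings = []
    tree = ast.parse(src)
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign):
            # credential-like name assigned a non-empty string literal
            for tgt in node.targets:
                if (isinstance(tgt, ast.Name) and CRED_NAME.search(tgt.id)
                        and isinstance(node.value, ast.Constant)
                        and isinstance(node.value.value, str) and node.value.value):
                    findings.append((node.lineno, "hardcoded_secret", tgt.id))
        elif isinstance(node, ast.Compare):
            # credential-like variable compared against a string literal
            if (isinstance(node.left, ast.Name) and CRED_NAME.search(node.left.id)
                    and any(isinstance(c, ast.Constant) and isinstance(c.value, str)
                            for c in node.comparators)):
                findings.append((node.lineno, "literal_credential_compare", node.left.id))
            # comparison involving the clock: candidate time trigger
            if any(isinstance(sub, ast.Attribute) and sub.attr in TIME_ATTRS
                   for sub in ast.walk(node)):
                findings.append((node.lineno, "time_trigger", ast.unparse(node)))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            # opaque encoded literal the reviewer should decode and read
            if looks_base64(node.value):
                findings.append((node.lineno, "encoded_string", node.value[:24]))
    return sorted(findings)


# Constructed sample module with planted review findings (not real code).
ENCODED = base64.b64encode(b"hidden maintenance hook").decode()
SAMPLE_SOURCE = f'''\
import datetime

ADMIN_TOKEN = "s3cr3t-master-key"

def login(user, password):
    if user == "maint" and password == "letmein":
        return True
    return check_db(user, password)

def nightly():
    if datetime.date.today() > datetime.date(2016, 1, 1):
        wipe_logs()

def render():
    payload = "{ENCODED}"
    return payload
'''

if __name__ == "__main__":
    for lineno, kind, detail in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno:>3}  {kind:<28} {detail}")
```

Each hint is something a reviewer can check in a minute: read the literal, decode the blob, ask why the branch depends on the date. The heuristics will also fire on legitimate test fixtures and cron-style logic, which is the point of a guideline rather than a tool: the reviewer decides.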

On 03/11/2015 10:38 PM, Gary Robinson wrote:
> Hi Ali,
>
> I can confirm the latest version of the code review guide (in
> progress) doesn't mention intentional backdoors either.  This does tie
> in with an interesting session Cigital put on last week about
> developers (in house or 3rd party) being the 'bad guy' inserting
> vulnerabilities/backdoors.
>
> If you have some technical ideas or content let us know.  I've never
> seen any technical advice on spotting intentional backdoors, however
> peer source code review (and audit or security reviews) would be the
> best way of catching this.
>
> Gary
>
> On Wed, Mar 11, 2015 at 7:06 PM, Azzeddine Ramrami
> <azzeddine.ramrami at owasp.org <mailto:azzeddine.ramrami at owasp.org>> wrote:
>
>     All backdoors exploit security flaws in the apps. A good code
>     review can detect security flaws in the code.
>     You can also use reverse engineering techniques or fuzzy testing
>     to detect security bugs in the apps.
>     Azzeddine
>
>     On Wed, Mar 11, 2015 at 8:02 PM, Aaron Guzman
>     <aaron.guzman at owasp.org <mailto:aaron.guzman at owasp.org>> wrote:
>
>         Backdoors are typically at the hardware or embedded level,
>         where it's harder to locate them. Usually ODMs and OEMs fall victim
>         to this, typically because they use “backdoors” for debugging
>         and testing purposes during manufacturing. A solution is to
>         test and analyze your code from third parties, whether that's
>         through IDA or other means.
>         --
>         Aaron G
>         OWASP-LA Board Member
>         Twitter: @scriptingxss
>         Linkedin: http://lnkd.in/bds3MgN
>
>>         On Mar 11, 2015, at 11:27 AM, psiinon <psiinon at gmail.com
>>         <mailto:psiinon at gmail.com>> wrote:
>>
>>         How about: "Don't put them in" ??
>>
>>         ;)
>>
>>         On Wed, Mar 11, 2015 at 6:22 PM, Ali Khalfan
>>         <ali.khalfan at owasp.org <mailto:ali.khalfan at owasp.org>> wrote:
>>
>>             The OWASP code review guidelines do a great job at
>>             looking for vulnerabilities. However, they will not
>>             address intentional vulnerabilities such as backdoors and
>>             logic bombs.
>>
>>             I wanted to establish such a guideline, but I was
>>             wondering if there is any reference I could fall back on ?
>>
>>             Ali
>>             -- 
>>             Sent from my Android device with K-9 Mail. Please excuse
>>             my brevity.
>>             _______________________________________________
>>             OWASP-Leaders mailing list
>>             OWASP-Leaders at lists.owasp.org
>>             <mailto:OWASP-Leaders at lists.owasp.org>
>>             https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>>
>>
>>         -- 
>>         OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>
>
>
>
>
>
>     -- 
>     Azzeddine RAMRAMI
>     +33 6 65 48 90 04 <tel:%2B33%206%2065%2048%2090%2004>.
>     Enterprise Security Architect
>     OWASP Leader (Morocco Chapter)
>     Mozilla Security Projects Mentor
>
>
>
>
>
