[Owasp-leaders] Code review for backdoors

Jim Manico jim.manico at owasp.org
Wed Mar 11 21:03:34 UTC 2015


https://www.blackhat.com/presentations/bh-usa-09/WILLIAMS/BHUSA09-Williams-EnterpriseJavaRootkits-PAPER.pdf 


... especially from a Java point of view is one of the most interesting 
talks I've read on this topic.

- Jim

On 3/11/15 11:00 AM, Jeff Williams wrote:
> You may find some interesting guidance in a paper I did at BlackHat. 
>  Remember that any vulnerability might be put there on purpose.  So a 
> malicious code review has to include a regular code review.
>
> https://www.blackhat.com/presentations/bh-usa-09/WILLIAMS/BHUSA09-Williams-EnterpriseJavaRootkits-PAPER.pdf 
>
>
> --Jeff
>
> Jeff Williams | CTO
> Contrast Security
> @planetlevel @contrastsec
>
>
>
>
>
> On Wed, Mar 11, 2015 at 1:51 PM -0700, "Ali Khalfan" 
> <ali.khalfan at owasp.org <mailto:ali.khalfan at owasp.org>> wrote:
>
>     yes,
>
>     one reason I wanted to set up some sort of guideline is for peer
>     reviewing.  The last thing a developer would want to do is read
>     code they did not create prior to deployment. So, it would be
>     easier to have a guideline telling the developer what to look for
>     (e.g. hard-coded values, encoded strings, etc.).   Another reason
>     would be for the security reviews and auditors who have tools, but
>     of course tools may detect security weaknesses, not backdoors or
>     logic bombs.  Thus, I think giving the reviewers general 'hints'
>     on what to look for would be very helpful.
>
>
>     If you have a link or summary of the Cigital session, please do share.
>
>
>
>     Ali
>
>
>     On 03/11/2015 10:38 PM, Gary Robinson wrote:
>>     Hi Ali,
>>
>>     I can confirm the latest version of the code review guide (in
>>     progress) doesn't mention intentional backdoors either.  This
>>     does tie in with an interesting session Cigital put on last week
>>     about developers (in house or 3rd party) being the 'bad guy'
>>     inserting vulnerabilities/backdoors.
>>
>>     If you have some technical ideas or content let us know.  I've
>>     never seen any technical advice on spotting intentional
>>     backdoors, however peer source code review (and audit or security
>>     reviews) would be the best way of catching this.
>>
>>     Gary
>>
>>     On Wed, Mar 11, 2015 at 7:06 PM, Azzeddine Ramrami
>>     <azzeddine.ramrami at owasp.org
>>     <mailto:azzeddine.ramrami at owasp.org>> wrote:
>>
>>         All backdoors exploit security flaws in the apps. A good
>>         code review can detect security flaws in the code.
>>         You can also do a reverse engineering technique or fuzz
>>         testing to detect security bugs in the apps.
>>         Azzeddine
>>
>>         On Wed, Mar 11, 2015 at 8:02 PM, Aaron Guzman
>>         <aaron.guzman at owasp.org <mailto:aaron.guzman at owasp.org>> wrote:
>>
>>             Backdoors are typically at the hardware or embedded level
>>             where it's harder to locate. Usually ODMs and OEMs fall
>>             victim to this. Typically because they use “backdoors”
>>             for debugging and testing purposes during manufacturing.
>>             A solution is to test and analyze your code from third
>>             parties. Whether that's through IDA or other means.
>>             --
>>             Aaron G
>>             OWASP-LA Board Member
>>             Twitter: @scriptingxss
>>             Linkedin: http://lnkd.in/bds3MgN
>>
>>>             On Mar 11, 2015, at 11:27 AM, psiinon <psiinon at gmail.com
>>>             <mailto:psiinon at gmail.com>> wrote:
>>>
>>>             How about: "Don't put them in" ??
>>>
>>>             ;)
>>>
>>>             On Wed, Mar 11, 2015 at 6:22 PM, Ali Khalfan
>>>             <ali.khalfan at owasp.org <mailto:ali.khalfan at owasp.org>>
>>>             wrote:
>>>
>>>                 The OWASP code review guidelines do a great job at
>>>                 looking for vulnerabilities. However, they will not
>>>                 address intentional vulnerabilities such as
>>>                 backdoors and logic bombs.
>>>
>>>                 I wanted to establish such a guideline, but I was
>>>                 wondering if there is any reference I could fall
>>>                 back on?
>>>
>>>                 Ali
>>>                 -- 
>>>                 Sent from my Android device with K-9 Mail. Please
>>>                 excuse my brevity.
>>>                 _______________________________________________
>>>                 OWASP-Leaders mailing list
>>>                 OWASP-Leaders at lists.owasp.org
>>>                 <mailto:OWASP-Leaders at lists.owasp.org>
>>>                 https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>>
>>>
>>>             -- 
>>>             OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project
>>>             leader
>>
>>
>>
>>
>>
>>
>>         -- 
>>         Azzeddine RAMRAMI
>>         +33 6 65 48 90 04 <tel:%2B33%206%2065%2048%2090%2004>.
>>         Enterprise Security Architect
>>         OWASP Leader (Morocco Chapter)
>>         Mozilla Security Projects Mentor
>>
>>
>>
>>
>>
>
>
>
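The "hints" Ali asks for (hard-coded values, encoded strings) and Jeff's point that any vulnerability may be deliberate can be turned into a first-pass reviewer aid. The script below is an added example, not part of this thread or of the OWASP Code Review Guide: it flags hard-coded credentials, high-entropy encoded literals, hard-coded identity comparisons and dynamic code loading in a constructed Java-like sample so a human reviewer knows where to look first.

```python
import math
import re

# Constructed sample source (not from the thread): the kind of lines a
# reviewer hunting for planted logic would want surfaced.
SAMPLE_SOURCE = """\
String user = request.getParameter("user");
if (user.equals("admin") || user.equals("s3cr3t_maint")) { grantAll(); }
static final String API_KEY = "ZXhhbXBsZS1rZXktdGhhdC1pcy1sb25n";
byte[] blob = Base64.getDecoder().decode("aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q=");
Class.forName(new String(Base64.getDecoder().decode(b))).newInstance();
int count = items.size();
"""

# Heuristic patterns; each is a review prompt, not proof of a backdoor.
CREDENTIAL_ASSIGN = re.compile(r'(?i)\b(pass(word)?|secret|token|api_?key)\w*\s*=\s*"[^"]{6,}"')
ENCODED_LITERAL = re.compile(r'"([A-Za-z0-9+/=]{20,})"')
DYNAMIC_LOAD = re.compile(r'Class\.forName\(|Runtime\.getRuntime\(\)\.exec\(|\beval\(')
HARDCODED_EQUALS = re.compile(r'\.equals\("[^"]+"\)')


def shannon_entropy(s):
    """Bits per character: base64/hex blobs score high, plain words lower."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def scan_source(text, entropy_threshold=3.5):
    """Return (line_number, reason) pairs a reviewer should read by hand."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if CREDENTIAL_ASSIGN.search(line):
            findings.append((n, "hard-coded credential"))
        for m in ENCODED_LITERAL.finditer(line):
            # Long literal that looks like base64 and is statistically noisy.
            if shannon_entropy(m.group(1)) >= entropy_threshold:
                findings.append((n, "high-entropy encoded literal"))
        if DYNAMIC_LOAD.search(line):
            findings.append((n, "dynamic code/class loading"))
        if HARDCODED_EQUALS.search(line):
            findings.append((n, "hard-coded comparison"))
    return findings


if __name__ == "__main__":
    for line_no, reason in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {reason}")
```

Tune the regexes and threshold to the language and code base under review; the point is to give peer reviewers a short list of hotspots, not to replace reading the code.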
