[Owasp-leaders] Code review for backdoors

Ali Khalfan ali.khalfan at owasp.org
Wed Mar 11 21:26:31 UTC 2015


Looks very helpful, thanks. I'll see if I can come up with a guideline based on it.

On 12 Mar 2015 12:00:08 AM GMT+03:00, Jeff Williams <jeff.williams at owasp.org> wrote:
> You may find some interesting guidance in a paper I did at BlackHat.
> Remember that any vulnerability might be put there on purpose. So a
> malicious code review has to include a regular code review.
> https://www.blackhat.com/presentations/bh-usa-09/WILLIAMS/BHUSA09-Williams-EnterpriseJavaRootkits-PAPER.pdf
>
> --Jeff
>
> Jeff Williams | CTO
> Contrast Security
> @planetlevel @contrastsec
>
> On Wed, Mar 11, 2015 at 1:51 PM -0700, "Ali Khalfan" <ali.khalfan at owasp.org> wrote:
>
>> Yes,
>>
>> One reason I wanted to set up some sort of guideline is for peer
>> reviewing. The last thing a developer would want to do is read
>> code they did not create prior to deployment. So, it would be
>> easier to have a guideline telling the developer what to look for
>> (e.g. hard-coded values, encoded strings, etc.). Another reason
>> would be for the security reviews and auditors who have tools, but
>> of course tools may detect security weaknesses, not backdoors or
>> logic bombs. Thus, I think giving the reviewers general 'hints'
>> on what to look for would be very helpful.
>>
>> If you have a link or summary of the Cigital session, please do
>> share.
>>
>> Ali
>>
>> On 03/11/2015 10:38 PM, Gary Robinson wrote:
>>
>>> Hi Ali,
>>>
>>> I can confirm the latest version of the code review guide
>>> (in progress) doesn't mention intentional backdoors either.
>>> This does tie in with an interesting session Cigital put on
>>> last week about developers (in house or 3rd party) being the
>>> 'bad guy' inserting vulnerabilities/backdoors.
>>>
>>> If you have some technical ideas or content let us know.
>>> I've never seen any technical advice on spotting intentional
>>> backdoors, however peer source code review (and audit or
>>> security reviews) would be the best way of catching this.
>>>
>>> Gary
>>>
>>> On Wed, Mar 11, 2015 at 7:06 PM, Azzeddine Ramrami <azzeddine.ramrami at owasp.org> wrote:
>>>
>>>> All backdoors exploit security flaws in the apps.
>>>> A good code review can detect security flaws in the code.
>>>>
>>>> You can also do a reverse engineering technique or fuzzy
>>>> testing to detect security bugs in the apps.
>>>>
>>>> Azzeddine
>>>>
>>>> On Wed, Mar 11, 2015 at 8:02 PM, Aaron Guzman <aaron.guzman at owasp.org> wrote:
>>>>
>>>>> Backdoors are typically at the hardware or embedded level,
>>>>> where it's harder to locate. Usually ODMs and OEMs fall victim
>>>>> to this. Typically because they use "backdoors" for debugging
>>>>> and testing purposes during manufacturing. A solution is to
>>>>> test and analyze your code from third parties, whether that's
>>>>> through IDA or other means.
>>>>>
>>>>> --
>>>>> Aaron G
>>>>> OWASP-LA Board Member
>>>>> Twitter: @scriptingxss
>>>>> Linkedin: http://lnkd.in/bds3MgN
>>>>>
>>>>> On Mar 11, 2015, at 11:27 AM, psiinon <psiinon at gmail.com> wrote:
>>>>>
>>>>>> How about: "Don't put them in" ??
>>>>>>
>>>>>> ;)
>>>>>>
>>>>>> On Wed, Mar 11, 2015 at 6:22 PM, Ali Khalfan <ali.khalfan at owasp.org> wrote:
>>>>>>
>>>>>>> The OWASP code review guidelines do a great job at looking for
>>>>>>> vulnerabilities. However, they will not address intentional
>>>>>>> vulnerabilities such as backdoors and logic bombs.
>>>>>>>
>>>>>>> I wanted to establish such a guideline, but I was wondering
>>>>>>> if there is any reference I could fall back on?
>>>>>>>
>>>>>>> Ali
>>>>>>>
>>>>>>> --
>>>>>>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> OWASP-Leaders mailing list
>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>
>>>>>> --
>>>>>> OWASP ZAP Project leader
>>>>
>>>> --
>>>> Azzeddine RAMRAMI
>>>> +33 6 65 48 90 04.
>>>> Enterprise Security Architect
>>>> OWASP Leader (Morocco Chapter)
>>>> Mozilla Security Projects Mentor

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
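The reviewer "hints" Ali asks for in the quoted thread (hard-coded values, encoded strings, conditions that smell like logic bombs) can be turned into a first-pass scanner that a peer reviewer runs before reading the code by hand. The example below is added here and is not from the thread or from any OWASP guide; its rule names, regexes and the sample source it scans are this example's own assumptions, and a hit is a prompt for the human reviewer, not a verdict.

```python
import re

# Review-aid heuristics for the "hints" the thread asks for: hard-coded
# credentials, long encoded literals, and branches conditioned on a date or a
# specific identity (classic logic-bomb and backdoor shapes). Rule names and
# patterns are this example's own choices, not taken from any OWASP guide.
PATTERNS = {
    "hardcoded-secret": re.compile(
        r'''(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['"][^'"]{4,}['"]'''),
    "encoded-literal": re.compile(
        r'''['"](?:[A-Za-z0-9+/]{32,}={0,2}|(?:[0-9a-fA-F]{2}){16,}|(?:\\x[0-9a-fA-F]{2}){8,})['"]'''),
    "date-trigger": re.compile(
        r'''(?i)\bif\b.*\b(date|time|today|now|datetime)\b.*(?:[<>]=?|==).*\b(19|20)\d{2}\b'''),
    "identity-trigger": re.compile(
        r'''(?i)\bif\b.*\b(user(?:name)?|login|hostname|env)\b.*==\s*['"][^'"]+['"]'''),
    "control-switch": re.compile(
        r'''(?i)(debug|backdoor|bypass|skip_auth|master)\b.*\b(true|1)\b'''),
}


def scan_source(text):
    """Return (line_no, rule, stripped_line) for every line that hits a heuristic."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS.items():
            if rx.search(line):
                # A hit only means "a human should look here", never "this is a backdoor".
                findings.append((no, rule, line.strip()))
    return findings


# Constructed sample source written for this example; not real project code.
SAMPLE = """\
from datetime import date
ADMIN_PASSWORD = "letmein123"
def check(user, pw):
    if user == "support" and pw == "x":
        return True
    return verify(user, pw)
BLOB = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo="
if date.today() >= date(2015, 12, 31):
    wipe()
SKIP_AUTH = True
"""

if __name__ == "__main__":
    for no, rule, line in scan_source(SAMPLE):
        print(f"line {no:>3}  {rule:<17} {line}")
```

Each rule flags exactly one line of the sample; a benign line such as `TOKEN_HEADER = "X-Auth-Token"` produces no hit, which is the kind of precision check worth repeating whenever a rule is added.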