[Owasp-leaders] Code review for backdoors
Ali Khalfan
ali.khalfan at owasp.org
Wed Mar 11 21:26:31 UTC 2015
Looks very helpful, thanks. I'll see if I can come up with a guideline based on it.
On 12 March 2015 12:00:08 AM GMT+03:00, Jeff Williams <jeff.williams at owasp.org> wrote:
>You may find some interesting guidance in a paper I did at BlackHat.
>Remember that any vulnerability might be put there on purpose. So a
>malicious code review has to include a regular code review.
>https://www.blackhat.com/presentations/bh-usa-09/WILLIAMS/BHUSA09-Williams-EnterpriseJavaRootkits-PAPER.pdf
>
>--Jeff
>
>Jeff Williams | CTO
>Contrast Security
>@planetlevel @contrastsec
>
>On Wed, Mar 11, 2015 at 1:51 PM -0700, "Ali Khalfan"
><ali.khalfan at owasp.org> wrote:
>
> yes,
>
> one reason I wanted to set up some sort of guideline is for peer
> reviewing. The last thing a developer would want to do is read
> code they did not create prior to deployment. So, it would be
> easier to have a guideline telling the developer what to look for
> (e.g. hard-coded values, encoded strings, etc.). Another reason
> would be for the security reviews and auditors who have tools, but
> of course tools may detect security weaknesses, not backdoors or
> logic bombs. Thus, I think giving the reviewers general 'hints'
> on what to look for would be very helpful.
>
> If you have a link or summary of the Cigital session, please do
> share.
>
> Ali
>
> On 03/11/2015 10:38 PM, Gary Robinson wrote:
>
> Hi Ali,
>
> I can confirm the latest version of the code review guide
> (in progress) doesn't mention intentional backdoors either.
> This does tie in with an interesting session Cigital put on
> last week about developers (in house or 3rd party) being the
> 'bad guy' inserting vulnerabilities/backdoors.
>
> If you have some technical ideas or content let us know.
> I've never seen any technical advice on spotting intentional
> backdoors; however, peer source code review (and audit or
> security reviews) would be the best way of catching this.
>
> Gary
>
> On Wed, Mar 11, 2015 at 7:06 PM, Azzeddine Ramrami <azzeddine.ramrami at owasp.org> wrote:
>
> All backdoors exploit security flaws in the apps. A good code review
> can detect security flaws in the code.
>
> You can also use reverse engineering techniques or fuzz testing to
> detect security bugs in the apps.
>
> Azzeddine
>
> On Wed, Mar 11, 2015 at 8:02 PM, Aaron Guzman <aaron.guzman at owasp.org> wrote:
>
> Backdoors are typically at the hardware or embedded level, where
> it's harder to locate them. Usually ODMs and OEMs fall victim to
> this, typically because they use “backdoors” for debugging and
> testing purposes during manufacturing. A solution is to test and
> analyze your code from third parties, whether that's through IDA
> or other means.
>
> --
> Aaron G
> OWASP-LA Board Member
> Twitter: @scriptingxss
> Linkedin: http://lnkd.in/bds3MgN
>
> On Mar 11, 2015, at 11:27 AM, psiinon <psiinon at gmail.com> wrote:
>
> How about: "Don't put them in"??
>
> ;)
> On Wed, Mar 11, 2015 at 6:22 PM, Ali Khalfan <ali.khalfan at owasp.org> wrote:
>
> The OWASP code review guidelines do a great job at looking for
> vulnerabilities. However, they will not address intentional
> vulnerabilities such as backdoors and logic bombs.
>
> I wanted to establish such a guideline, but I was wondering
> if there is any reference I could fall back on?
>
> Ali
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>
>_______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> --
> OWASP ZAP Project leader
>
> --
> Azzeddine RAMRAMI
> +33 6 65 48 90 04.
> Enterprise Security Architect
> OWASP Leader (Morocco Chapter)
> Mozilla Security Projects Mentor
>
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
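As an added example that is not part of the thread or of the OWASP Code Review Guide, here is a small Python reviewer aid that turns the "hints" discussed above into automated checks over a constructed sample source: hard-coded credential assignments, long high-entropy (encoded) string literals, date-conditioned branches of the kind a logic bomb needs, and decode-then-execute calls. The sample source, the regexes and the entropy threshold are all assumptions; the output is a reading list for the human reviewer, not a verdict.

```python
import math
import re
from collections import Counter

# Constructed sample source (not from the thread): benign lines mixed with the
# kinds of things the reviewer hints point at. BLOB is base64 of the text
# "constructed placeholder text", not a real payload.
SAMPLE_SOURCE = """\
import base64, datetime
GREETING = "hello world"
API_KEY = "sk_live_constructed_placeholder_0123456789abcdef"
BLOB = "Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgdGV4dA=="
if datetime.date.today() > datetime.date(2026, 1, 1):
    exec(base64.b64decode(BLOB))
def login(user, password):
    if password == "letmein_master":
        return True
    return check_db(user, password)
"""

# Assumed patterns; a real guideline would tune these per language and code base.
STRING_LITERAL = re.compile(r"""["']([^"']{16,})["']""")
SECRET_NAME = re.compile(r"""(?i)\b(api_?key|secret|token|passw(?:or)?d)\b\s*==?\s*["']""")
DATE_TRIGGER = re.compile(r"\bdate(?:time)?\s*\(\s*\d{4}\s*,")
DECODE_EXEC = re.compile(r"\b(?:exec|eval|system|popen)\s*\(.*\b(?:b64decode|unhexlify|decode)\b")

def shannon_entropy(s):
    """Bits per character: encoded or random data scores high, prose scores low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def review_hints(source, entropy_threshold=4.0):
    """Return (line_no, hint, line) for the lines a human reviewer should read first."""
    hints = []
    for no, line in enumerate(source.splitlines(), start=1):
        text = line.strip()
        if SECRET_NAME.search(text):
            hints.append((no, "hard-coded credential", text))
        if any(shannon_entropy(lit) >= entropy_threshold for lit in STRING_LITERAL.findall(text)):
            hints.append((no, "high-entropy/encoded string", text))
        if DATE_TRIGGER.search(text):
            hints.append((no, "date-conditioned branch (logic bomb check)", text))
        if DECODE_EXEC.search(text):
            hints.append((no, "decode-then-execute", text))
    return hints

if __name__ == "__main__":
    for no, hint, text in review_hints(SAMPLE_SOURCE):
        print(f"line {no}: {hint}: {text}")
```

Every flagged line still needs a human to decide whether it is a debug leftover, a test fixture or something that should not ship; the value of the script is that it makes the peer reviewer read those lines first.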