
CERT Secure Coding



  1. OWASP Education Computer based training
  CERT Secure Coding
  Nishi Kumar, IT Architect Specialist, FIS; OWASP CBT Project Lead; OWASP Global Industry Committee; Nishi.Kumar@owasp.org
  Contributor and Reviewer: Keith Turpin

  2. Objectives
  • Understand CERT Secure Coding
  • CERT Secure Coding Standards

  3. CERT Secure Coding goals
  • Reduce vulnerabilities resulting from coding errors
  • Identify common programming errors that lead to software vulnerabilities
  • Establish secure coding standards
  • Educate software developers to advance the state of the practice in secure coding

  4. CERT Secure Coding Standards
  • Establish coding guidelines for commonly used programming languages that can be used to improve the security of software systems under development
  • Based on documented standard language versions as defined by official or de facto standards organizations
  • Secure coding standards are under development for:
    • The CERT C Secure Coding Standard, Version 2.0
    • The CERT C++ Secure Coding Standard
    • The CERT Oracle Secure Coding Standard for Java

  5. The CERT Oracle Secure Coding Standard for Java

  6. The CERT Oracle Secure Coding Standard for Java

  7. Noncompliant Code Example
  IDS01-J. Sanitize untrusted data passed across a trust boundary

```java
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

class Login {
  // getConnection() and hashPassword() are helpers the slide leaves undefined.
  public void doPrivilegedAction(String username, char[] password)
      throws SQLException {
    Connection connection = getConnection();
    if (connection == null) {
      // handle error
    }
    String pwd = hashPassword(password);
    // Noncompliant: username is concatenated straight into the SQL text, so a
    // value such as  ' OR '1'='1' --  rewrites the query and bypasses the
    // password check entirely.
    String sqlString = "SELECT * FROM db_user WHERE username = '" + username
        + "' AND password ='" + pwd + "'";
    Statement stmt = connection.createStatement();
    ResultSet rs = stmt.executeQuery(sqlString);
    if (!rs.next()) {
      throw new SecurityException("User name or Password incorrect");
    }
    // Authenticated; proceed
  }
}
```

  8. Compliant Solution (PreparedStatement)
  IDS01-J. Sanitize untrusted data passed across a trust boundary

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

class Login {
  // getConnection() and hashPassword() are helpers the slide leaves undefined.
  public void doPrivilegedAction(String username, char[] password)
      throws SQLException {
    Connection connection = getConnection();
    if (connection == null) {
      // handle error
    }
    String pwd = hashPassword(password);
    // Ensure that the length of user name is legitimate (defence in depth;
    // the length check alone does not stop injection)
    if (username.length() >= 8) {
      // Handle error
    }
    // Compliant: the placeholders are bound as data, so the driver never
    // parses the user-supplied values as SQL.
    String sqlString = "select * from db_user where username=? and password=?";
    PreparedStatement stmt = connection.prepareStatement(sqlString);
    stmt.setString(1, username);
    stmt.setString(2, pwd);
    ResultSet rs = stmt.executeQuery();
    if (!rs.next()) {
      throw new SecurityException("User name or Password incorrect");
    }
    // Authenticated; proceed
  }
}
```
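To see the two slides actually run, here is an added example that is not part of the OWASP deck or of the CERT standard: the same login logic in Python against an in-memory SQLite table, chosen over Java only so that it runs offline with the standard library and no JDBC driver. The helper names (make_db, login_noncompliant, login_compliant, run_demo, MAX_USERNAME_LEN), the sample account "alice" and the two payload strings are constructed for this example; the SHA-256 stand-in for hashPassword() is likewise an assumption, not what a production system should use.

```python
import hashlib
import sqlite3

# Added example, not code from the OWASP slides or the CERT standard.
# Names, sample data and payloads below are constructed for illustration.

MAX_USERNAME_LEN = 8  # the slide rejects names of 8 or more characters


def hash_password(password: str) -> str:
    """Stand-in for the slide's hashPassword(). Real systems should use a
    salted, slow hash (bcrypt, scrypt, Argon2); SHA-256 keeps this dependency-free."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory db_user table holding one sample account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE db_user (username TEXT, password TEXT)")
    conn.execute("INSERT INTO db_user VALUES (?, ?)",
                 ("alice", hash_password("correct horse")))
    conn.commit()
    return conn


def login_noncompliant(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Mirrors slide 7: the query is built by concatenation, so the username
    crosses the trust boundary straight into SQL syntax."""
    pwd = hash_password(password)
    sql = ("SELECT * FROM db_user WHERE username = '" + username
           + "' AND password ='" + pwd + "'")
    return conn.execute(sql).fetchone() is not None


def login_compliant(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Mirrors slide 8: length check, then a parameterised query. Bound values
    are passed to the engine as data and are never parsed as SQL."""
    if len(username) >= MAX_USERNAME_LEN:
        raise ValueError("user name too long")
    pwd = hash_password(password)
    row = conn.execute(
        "SELECT * FROM db_user WHERE username = ? AND password = ?",
        (username, pwd),
    ).fetchone()
    return row is not None


def run_demo() -> dict:
    """Run both versions on the same inputs and report who got in."""
    conn = make_db()
    classic = "' OR '1'='1' --"   # comments the password clause out of the query
    short = "'OR 1--"             # same trick in 7 characters, under the length limit
    results = {
        "valid_noncompliant": login_noncompliant(conn, "alice", "correct horse"),
        "valid_compliant": login_compliant(conn, "alice", "correct horse"),
        "bad_pw_noncompliant": login_noncompliant(conn, "alice", "wrong"),
        "classic_noncompliant": login_noncompliant(conn, classic, "wrong"),
        "short_noncompliant": login_noncompliant(conn, short, "wrong"),
        "short_compliant": login_compliant(conn, short, "wrong"),
    }
    try:
        login_compliant(conn, classic, "wrong")
        results["classic_compliant"] = "accepted"
    except ValueError:
        results["classic_compliant"] = "rejected by length check"
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The seven-character payload is the point worth taking from the run: it slips under the slide's length check yet still logs in through the concatenated query, while the parameterised query rejects it. The length check is defence in depth; binding the parameters is the control that actually closes the injection.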

  9. References
  • CERT - www.cert.org
    The CERT® Program is part of the Software Engineering Institute (SEI). CERT's primary objectives include analyzing and communicating the state of internet security through its US-CERT Vulnerability Notes Database and improving software security with its secure coding practices publications.
  • US-CERT Vulnerability Notes Database - http://www.kb.cert.org/vuls/
  • CERT Secure Coding Practices - http://www.cert.org/secure-coding/
