Secure Code Review

The document provides an introduction to Secure Code Review (SCR), outlining its importance in identifying security vulnerabilities within software development. It covers the basic knowledge of SCR, its integration into the Software Development Life Cycle (SDLC), and the use of tools and techniques such as Regex for effective code analysis. Additionally, it discusses the processes involved in SCR, including threat modeling, information gathering, and the classification of sources and sinks in code.


Introduction to Secure Code Review

Summer 2024

Hello!
I am MinhTC
I am here because I "have to go to work".
ROADMAP
1. SCR – Basic knowledge
2. SCR – Process
3. Introduction to SCR Tools
01 Basic knowledge
Basic knowledge about Secure Code Review

Main contents
● SCR?: What is SCR?
● Classification: Types of SCR
● SCR in SDLC: Secure SDLC
● Implement: How to implement SCR?
● Sources – Sinks: What are Sources and Sinks?
● Regex: How to use Regex in SCR?
Requirements for SCR

● Process

● Development

● Vulnerability
What is secure software?
"Secure software is software that performs only the functions it was created for."

—I don't know

What is Secure Code Review?
"It is the process of evaluating source code against a defined standard, with the aim of finding security weaknesses and making the software secure."

—I don't know
Tell Me Why?
Why do you need SCR?
Prevention is better than cure
Where and When?
Where (When) is Secure Code Review used?
Secure SDLC – Microsoft (diagram)
Secure SDLC – OWASP (diagram)
Secure SDLC (diagram)
Sources and Sinks
What are Sources and Sinks?
● Sources: the points where data is received from outside the application.
● Sinks: the points where data coming from Sources is executed or consumed, and which can therefore cause a vulnerability.

Chain from Source to Sink:
Sources (input) → Data Flow / Control Flow → Sinks (execute input)

Source and Sink (diagram)


Classifications
● Based on Form: Automated Testing, Manual Testing, Hybrid Testing
● Based on Purpose: Audit Code, Find vulnerability

Classifications – Based on Form
● Automated Testing: fast; lots of false positives; expensive
● Manual Testing: slow; fewer false positives; expensive
● Hybrid Testing: fast; fewer false positives; more expensive

Classifications – Based on Purpose
● Audit code: findings can lead to a vulnerability (not yet confirmed); works from Sources, Sinks, Configs; Checklist; Coding; Regex; Knowledge of vulnerabilities
● Find vulnerability: findings are confirmed ("sure"); works from Sources, Sinks; Knowledge of vulnerabilities; Coding; Regex; Debug; Fuzzing; Reverse
Audit Code
Sources, Sinks, Config → Checklist → Audit Report

Find vulnerability
Sources, Sinks → Trace Code → Chain → Verify → Report
Implement
Implement Secure Code Review in an internal organization (diagram)

Regex – Regular expression
Definition: A regular expression (shortened as regex), sometimes referred to as a rational expression, is a sequence of characters that specifies a match pattern in text.
Purpose: search Sinks; search Sources; search anything you want.
Regex Basic (syntax reference slides)

Regex Example
Pattern: .*exec.*\)
(matches any line containing "exec" followed later by a closing parenthesis; this also hits commented-out calls and names such as executeQuery)

Regex Example
Pattern: ^(?:(?!\/\/).)*exec(?:(?!\/\/).)*$
(same search, but the line must not contain "//" anywhere, so commented-out calls are skipped; note that a line with a trailing comment or a "http://" URL is skipped too)

Regex Practice
"select userid from sql_challenge_users where userid = '" + username_reg + "'";

Pattern: "(select|update|insert).*\+.*;$
(finds a string literal that starts with a SQL keyword and is concatenated with "+" on the same line; it is case-sensitive, so an uppercase SELECT needs a case-insensitive flag, and a query built across several lines is missed)
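The following Python script is an added example (it is not part of the slides or of WebGoat) that runs the three patterns above over a handful of constructed Java-like lines, so the hits and misses of each pattern can be seen side by side. The two "hardened" patterns at the end are my own tightened variants, not from the deck.

```python
import re

# Constructed Java-like lines (made up for this example, not WebGoat source) that
# exercise the slide's three patterns and show where each one over- or under-matches.
SAMPLE_LINES = [
    'Process p = Runtime.getRuntime().exec(cmd);',                  # 1: real sink
    '// Runtime.getRuntime().exec(cmd);  old code',                  # 2: commented out
    'String executed = "done";',                                     # 3: "exec" in a name, no call
    'String q = "select userid from users where userid = \'" + username_reg + "\'";',  # 4
    'String q2 = "SELECT name FROM t WHERE id = ?";',                # 5: parameterized, safe
    'stmt.executeQuery(q);',                                         # 6: SQL sink
    'String q3 = "SELECT * FROM t WHERE id = " + id;',               # 7: uppercase keyword
]

# Patterns copied from the slides.
SLIDE_PATTERNS = {
    "exec_naive":      re.compile(r'.*exec.*\)'),
    "exec_no_comment": re.compile(r'^(?:(?!\/\/).)*exec(?:(?!\/\/).)*$'),
    "sql_concat":      re.compile(r'"(select|update|insert).*\+.*;$'),
}

# Tightened variants added for this example (assumptions, not from the slides):
# anchor on the actual method call, and match the SQL keyword case-insensitively.
HARDENED_PATTERNS = {
    "exec_call":     re.compile(r'\.exec\s*\('),
    "sql_concat_ci": re.compile(r'"\s*(select|update|insert|delete)\b.*\+.*;\s*$', re.I),
}

def grep(pattern, lines=SAMPLE_LINES):
    """Return 1-based numbers of the lines that match `pattern` (search semantics, like grep)."""
    return [i for i, line in enumerate(lines, 1) if pattern.search(line)]

def compare(lines=SAMPLE_LINES):
    """Run every pattern over the sample and return {pattern_name: [matching line numbers]}."""
    return {name: grep(p, lines)
            for name, p in {**SLIDE_PATTERNS, **HARDENED_PATTERNS}.items()}

if __name__ == "__main__":
    for name, hits in compare().items():
        print(f"{name:<16} -> lines {hits}")
```

Running it shows the trade-offs the slides allude to: the naive exec pattern reports the commented-out call (line 2) and executeQuery (line 6), the comment-excluding pattern drops line 2 but still reports the variable named "executed" (line 3), and the slide's SQL pattern misses the uppercase SELECT concatenation (line 7) that the case-insensitive variant catches.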
ASVS Checklist
Content
● Architecture
● Authentication
● Session Management
● Access Control
● Input Validation
● Cryptography at Rest
● Error Handling and Logging
● Data Protection
● Communication Security
● Malicious Code
● Business Logic
● Files and Resources
● Web Services
● Configuration
02 Process
Process Secure Code Review

Process overview
1. Prepare: communication, documents, important assets, context
2. Information gathering: technology, architecture, components …
3. Threat modeling: vulnerability checklist, common weaknesses
4. Crawling code: sinks, sources, config files
5. Auto and manual review: chain, vulnerability
6. Report, document
Prepare
Input:
● Development department
● Design document
● Technical document
● Instruction document
● Important assets (customer information, money)
● Context (government website, banking web app)
Output:
● Communication: pen-tester with developer
Information gathering
Input → Output:
● Communication (pen-tester with developer) → Q&A
● Design document → Architecture: web app, mobile app, desktop app, client–server, stand-alone
● Technical document → Technology: programming language, framework, protocol; Components: library, framework
● Instruction document → Input data, output data
● Important assets (customer information, money) → Target
● Context (government website, banking web app) → Target
Information gathering – WebGoat
● Technology: Java, Spring Boot, HTTP, WebSocket …
● Architecture: web app (client–server)
● Components: commons-io, jquery, log4j …
● Functions: login (JWT), lessons, edit, delete, add, listing …
● Input data: client input (cookie, header, request), config input (file, log), database, ping host
● Output data: browser, database, file, log, …
Threat modeling
Input: information gathering
Output:
● Attack interface
● Checklist: ASVS checklist (Authentication, Access Control, Session Management, …)
● Common weaknesses: hard-coded secrets, unsafe query strings, SQL injection, XSS
Threat modeling – WebGoat
● Attack interface: user interface, config file, log, database
● Checklist: Authentication, Session Management (JWT) …
● Common weaknesses:
  ○ Login: SQL injection, path traversal, XSS, session fixation, authentication bypass, brute force, user enumeration, …
  ○ Ping host: command injection …
Crawling Code – SQL Injection
● Reason: the query is built by string concatenation
● Conditions:
  ○ The query is built by string concatenation
  ○ The concatenated string contains parameters that come from the user or can be edited by the user
  ○ The parameter that triggers the problem has the primitive type "string" (if the framework has already parsed it into a number, it cannot carry SQL text)
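Added example, not from the slides or from WebGoat: the three conditions above reproduced in Python against an in-memory SQLite table named like the slide's sql_challenge_users (the rows are constructed sample data). It shows the concatenated query leaking every user on a classic payload, the same lookup with a bound parameter, and why a parameter that has already been converted to a number cannot carry SQL text.

```python
import sqlite3

def make_db():
    """Constructed in-memory table mirroring the slide's sql_challenge_users (sample rows, not WebGoat's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table sql_challenge_users (userid text, password text)")
    conn.executemany("insert into sql_challenge_users values (?, ?)",
                     [("alice", "pw1"), ("bob", "pw2"), ("tom", "pw3")])
    return conn

def check_user_vulnerable(conn, username_reg):
    """The pattern the slide flags: query built by string concatenation with a user-supplied string."""
    check_user_query = ("select userid from sql_challenge_users where userid = '"
                        + username_reg + "'")
    return [row[0] for row in conn.execute(check_user_query)]

def check_user_fixed(conn, username_reg):
    """Same lookup with a bound parameter: the input is treated as data, never as SQL text."""
    return [row[0] for row in conn.execute(
        "select userid from sql_challenge_users where userid = ?", (username_reg,))]

def check_user_int_id(conn, user_id):
    """Third condition on the slide: once the parameter is a number, concatenation cannot
    carry SQL text (int() rejects anything but digits). Binding is still the right fix."""
    return [row[0] for row in conn.execute(
        "select userid from sql_challenge_users where rowid = " + str(int(user_id)))]

PAYLOAD = "' OR '1'='1"   # constructed attacker input; closes the quote, adds a true clause

if __name__ == "__main__":
    conn = make_db()
    print("normal   :", check_user_vulnerable(conn, "alice"))
    print("injected :", check_user_vulnerable(conn, PAYLOAD))   # every userid leaks
    print("fixed    :", check_user_fixed(conn, PAYLOAD))        # []
```

The vulnerable function is the Python twin of the Java line on the slide; during review the concatenation plus the @RequestParam string is what you look for, and the fixed function is what the remediation should look like in any language (PreparedStatement in Java).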
Crawling Code – SQL Injection (screenshot slides)
Crawling Code – Path Traversal (screenshot slides)
Crawling Code
Input: threat modeling
Output:
● Sinks: .exec(), Runtime(), executeQuery(), echo(), ${} …
● Sources: request.getParameter(), getText(), getHeader(), RequestParam …
● Config files: Web.xml, Web.config, application.properties … (for example debug settings)
● Pattern database
Crawling Code – WebGoat
● Sinks: .exec(), Runtime(), executeQuery(), System.out, ${}, JWT, login, password, username, Session
● Sources: request.getParameter(), getText(), getHeader() …
● Config files: application.properties …
● Use regex to search
Automated SCR
● Check dependencies: vulnerability check of libraries and frameworks
● Scan source code: optimize configuration and rules

Check dependencies
1. Java: OWASP Dependency-Check
2. NodeJS: check-dependencies
3. C#, .NET: NuGet

Scan Source Code
● Optimize configuration
  ○ Programming languages (multi-language)
  ○ Scan policy
● Rules
  ○ Customize rules
Manual SCR – Method
● Reverse tracing: Sinks → Sources
● Downstream tracing: Sources → Sinks
Reverse tracing (diagram)
Reverse tracing practice
● SQL injection sink:
  ResultSet resultSet = statement.executeQuery(checkUserQuery);
● Regex pattern:
  executeQuery\([^)]*\);
● Trace code:
  executeQuery(checkUserQuery); //Sink
  String checkUserQuery = "select userid from sql_challenge_users where userid = '" + username_reg + "'";
  @RequestParam String username_reg //Source
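As an added example (mine, not the deck's or WebGoat's code), here is the reverse trace above mechanized in Python over a constructed Java excerpt: start at each executeQuery() sink with the slide's pattern, find the assignment of its argument, and check whether any identifier in that expression is bound from @RequestParam. The excerpt, the ALL_USERS_QUERY name and the regex heuristics are assumptions for illustration; a real tracer such as CodeQL follows data flow across methods and through string builders, which this line-based version does not.

```python
import re

# Constructed Java excerpt modelled on the slide's WebGoat-style registration handler
# (written for this example; not WebGoat's actual source).
JAVA_SNIPPET = '''
@PostMapping("/SqlInjectionAdvanced/challenge")
public AttackResult registerNewUser(@RequestParam String username_reg,
                                    @RequestParam String email_reg,
                                    @RequestParam String password_reg) {
    String checkUserQuery = "select userid from sql_challenge_users where userid = '"
        + username_reg + "'";
    Statement statement = connection.createStatement();
    ResultSet resultSet = statement.executeQuery(checkUserQuery);
    ResultSet other = statement.executeQuery(ALL_USERS_QUERY);
    return success(this).build();
}
'''

SINK_RE = re.compile(r'executeQuery\(([^)]*)\);')            # the slide's sink pattern
SOURCE_RE = re.compile(r'@RequestParam\s+(?:\w+\s+)?(\w+)')  # Spring request parameters
STRING_LITERAL_RE = re.compile(r'"(?:\\.|[^"\\])*"')          # Java string literals
IDENT_RE = re.compile(r'\b[A-Za-z_]\w*\b')

def find_sources(src):
    """Names bound from the HTTP request; these are the sources the slide lists."""
    return set(SOURCE_RE.findall(src))

def find_assignment(src, var):
    """Right-hand side of the first `var = ...;` (may span lines), or None if not assigned here."""
    m = re.search(r'\b' + re.escape(var) + r'\s*=\s*(.*?);', src, re.S)
    return m.group(1) if m else None

def reverse_trace(src):
    """Sink -> argument -> its assignment -> identifiers -> sources.
    Returns [(sink_argument, tainting_sources)] for every executeQuery() call."""
    sources = find_sources(src)
    findings = []
    for m in SINK_RE.finditer(src):
        arg = m.group(1).strip()
        rhs = find_assignment(src, arg)
        if rhs is None:
            findings.append((arg, set()))       # constant or defined elsewhere: needs manual follow-up
            continue
        code_only = STRING_LITERAL_RE.sub('""', rhs)   # ignore words inside the SQL text itself
        findings.append((arg, set(IDENT_RE.findall(code_only)) & sources))
    return findings

if __name__ == "__main__":
    for arg, taint in reverse_trace(JAVA_SNIPPET):
        verdict = "tainted by " + ", ".join(sorted(taint)) if taint else "no source reached"
        print(f"executeQuery({arg}): {verdict}")
```

The first sink resolves to username_reg, which is exactly the chain on the slide (sink → checkUserQuery → username_reg → @RequestParam); the second sink's argument is not assigned in the excerpt, so the script reports it as unresolved rather than as safe, which is the honest answer for a manual reviewer to pick up.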


Downstream tracing
03 Tools
Introduction to SCR Tools
● Automated scan: HCL AppScan Source, Checkmarx, SonarQube, CodeQL
● IDE tools: FindSecBugs, CodeQL
● Support tools: JD-GUI, dnSpy, Dependency-Check
CodeQL Practice
Requirements: JDK 17, CodeQL bundle, WebGoat source

About CodeQL
Purpose: detect and analyze vulnerabilities
Origin: developed by Semmle, acquired by GitHub
Languages and compilers: C/C++, C#, Go, Java, Kotlin, JavaScript, Python, Ruby, Swift, TypeScript

CodeQL tools
● CodeQL CLI: create the code database, run queries, CI/CD integration, generate reports
● CodeQL packs: repositories of language-specific CodeQL queries
● CodeQL bundle: CLI plus query packs for automated vulnerability analysis

CodeQL workflow
Input: rules (CodeQL queries); full source code; build environment (CodeQL packs, CodeQL bundle, CodeQL CLI)
Execute: Database (CodeQL CLI extracts the source code into a database) → Analysis (CodeQL CLI runs the queries against it)
Result: data flow, control flow, vulnerabilities, report
Install JDK
1. Install the JDK, then open Edit Environment Variables → New
2. Variable name: JAVA_HOME; Variable value: browse to the JDK folder
3. Double-click "Path" → New → type %JAVA_HOME%\bin → OK
4. Open cmd and run "java -version" to check

Extract CodeQL Bundle
1. Right-click CodeqlBundle.zip → Extract here
2. Edit Environment Variables → double-click "Path" → New → Browse to the CodeQL folder
3. Test CodeQL: open cmd and run "codeql"

Install MVN
1. Extract mvn.zip
2. Add MVN to the environment: double-click "Path" → New → Browse to mvn-folder/bin
3. Test MVN: open cmd and run "mvn -h"
CodeQL & WebGoat
1. Open cmd in the WebGoat folder and run:
   codeql database create webgoat-database-code --language=java
   (for Java, CodeQL compiles the project while extracting it, which is why Maven must be on the PATH)
2. CodeQL then creates the database folder (the screenshot shows it as "wg-database"; the command above names it webgoat-database-code). This folder contains the source-code database of the WebGoat app.

Execute
Run:
codeql database analyze webgoat-database-code /opt/codeql/qlpacks/codeql/java-queries/1.0.0/Security/CWE --format=csv --output=result.csv
(the second argument is the query directory or pack to run; adjust the path to wherever the bundle was extracted on your machine)

Result
File result.csv (one finding per row, no header: name, description, severity, message, path, start line, start column, end line, end column)
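Added example (not from the slides): a small Python triage helper for the result.csv that `codeql database analyze --format=csv` writes. The rows below are constructed in CodeQL's CSV column layout, not real WebGoat findings; the paths, line numbers and messages are invented for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample in the column layout CodeQL writes for --format=csv (no header row):
# name, description, severity, message, path, start line, start column, end line, end column.
# These rows are made up for this example and are not real WebGoat findings.
SAMPLE_CSV = '''\
"Query built from user-controlled sources","Building a SQL query from user-controlled sources is vulnerable to insertion of malicious SQL code by the user.","error","This query depends on a user-provided value.","/src/main/java/org/example/Login.java","61","45","61","77"
"Query built from user-controlled sources","Building a SQL query from user-controlled sources is vulnerable to insertion of malicious SQL code by the user.","error","This query depends on a user-provided value.","/src/main/java/org/example/Search.java","88","20","88","52"
"Uncontrolled command line","Using externally controlled strings in a command line may allow a malicious user to change the meaning of the command.","error","This command line depends on a user-provided value.","/src/main/java/org/example/Ping.java","40","31","40","59"
"Hard-coded credential in API call","Using a hard-coded credential in a call to a sensitive Java API may compromise security.","warning","Hard-coded value flows to a sensitive API call.","/src/main/java/org/example/Config.java","15","30","15","44"
"Cross-site scripting","Writing user input directly to a web page allows for a cross-site scripting vulnerability.","recommendation","Cross-site scripting vulnerability due to a user-provided value.","/src/main/java/org/example/Hello.java","22","16","22","40"
'''

COLUMNS = ["name", "description", "severity", "message", "path",
           "start_line", "start_col", "end_line", "end_col"]
SEVERITY_RANK = {"error": 0, "warning": 1, "recommendation": 2}

def parse_results(text):
    """Parse CodeQL CSV output into a list of dicts; malformed or blank rows are skipped."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != len(COLUMNS):
            continue
        row = dict(zip(COLUMNS, rec))
        for k in ("start_line", "start_col", "end_line", "end_col"):
            row[k] = int(row[k])
        rows.append(row)
    return rows

def triage(rows, min_severity="warning"):
    """Keep findings at or above min_severity; return (count per rule, rows ordered for review)."""
    cutoff = SEVERITY_RANK[min_severity]
    keep = [r for r in rows if SEVERITY_RANK.get(r["severity"], 99) <= cutoff]
    by_rule = Counter(r["name"] for r in keep)
    ordered = sorted(keep, key=lambda r: (SEVERITY_RANK[r["severity"]], r["path"], r["start_line"]))
    return by_rule, ordered

def format_line(r):
    """One-line summary in editor-friendly path:line:col form, for the manual review pass."""
    return f'{r["severity"]:<14} {r["path"]}:{r["start_line"]}:{r["start_col"]}  {r["name"]}'

if __name__ == "__main__":
    by_rule, ordered = triage(parse_results(SAMPLE_CSV))
    for rule, n in by_rule.most_common():
        print(f"{n:>3}  {rule}")
    print()
    for r in ordered:
        print(format_line(r))
```

Sorting by severity and then by file gives the reviewer the "Auto and manual" hand-off from the process section: every CSV row is a candidate chain that still has to be verified by tracing the code, and grouping by rule shows which sink class (SQL, command line, XSS) deserves the first pass.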
Dependency-Check
1. Extract Dependency-Check (DC) and copy Webgoat.jar into the /bin folder of the DC folder.
2. Open cmd in DC/bin and run: dependency-check.bat --out . --scan webgoat-2023.4.jar
Result: dependency-check-report.html

JD-GUI
Extract JDGUI.zip and run it; drag and drop Webgoat.jar into JD-GUI to decompile it.

dnSpy
Extract dnSpy.zip and run dnSpy.exe; drag and drop "AppConsole1.exe" into dnSpy.
Thanks!
Do you have any questions?

CREDITS: This presentation template was created by Slidesgo, and includes icons by Flaticon, and infographics & images by Freepik