Application Code Review

Professional Code Review Catches the Mistakes We All Make

The simple mistake in the snippet below causes a subtle but potentially catastrophic error. When my_buffer holds 64 or more characters, strncpy writes exactly 64 characters into the 64-character temp, which leaves no room for a null character! So printf will keep printing past the string and into memory (at least until it finds a zero!). You could either limit strncpy to 63 characters or make temp 65 characters to remediate this particular issue. As always, pre-wiping the destination buffer by using memset to zero it out can also help reduce errors, but keep an eye out for subtle buffer overflows like this!

//Looks good, but it can leave temp without a null terminator, so printf reads past temp
char temp[64];
strncpy(temp, my_buffer, 64);
printf("Temp contains: %s", temp);
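The snippet above next to a hardened version, as an added example that is not part of the original page. The helper names copy_unsafe, copy_bounded and is_terminated and the 100-character sample input are assumptions made for illustration. Limiting the copy to 63 characters only terminates the string if the last byte of temp is zero, so the hardened helper sets that byte explicitly.

```c
#include <stdio.h>
#include <string.h>

/* The page's pattern: the bound equals the destination size, so a source of
 * dst_size or more characters fills dst and leaves no null terminator. */
static void copy_unsafe(char *dst, size_t dst_size, const char *src)
{
    strncpy(dst, src, dst_size);
}

/* Hardened form: copy at most dst_size - 1 characters (63 of 64), then set
 * the last byte to zero. Returns 1 if src had to be truncated, else 0. */
static int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return 1;
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return strlen(src) >= dst_size;
}

/* Check for a terminator without ever reading outside the buffer. */
static int is_terminated(const char *buf, size_t size)
{
    return memchr(buf, '\0', size) != NULL;
}

int main(void)
{
    char my_buffer[101];            /* constructed input: 100 'A' characters */
    char temp[64];
    int truncated;

    memset(my_buffer, 'A', 100);
    my_buffer[100] = '\0';

    memset(temp, 'X', sizeof temp); /* stand-in for stale stack contents */
    copy_unsafe(temp, sizeof temp, my_buffer);
    printf("unsafe copy terminated: %d\n", is_terminated(temp, sizeof temp));

    truncated = copy_bounded(temp, sizeof temp, my_buffer);
    printf("bounded copy terminated: %d, truncated: %d\n",
           is_terminated(temp, sizeof temp), truncated);
    printf("Temp contains: %s\n", temp);
    return 0;
}
```

The truncation flag returned by copy_bounded lets the caller decide whether silently shortened input is acceptable or should be rejected.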

Even the best developers out there can make mistakes like the one above. Worse still, older code often grows organically, and sometimes outlives its expected lifetime by many, many years! The result? Code that may be vulnerable to modern threats, or that quite simply wasn't designed with security in mind.

Alasdair can conduct code reviews of code that’s either due for release, or is already out there facing threats, and we have done so for applications written in over a dozen languages. Such reviews look for common security flaws as well as identifying unintended consequences, something that no “clean coding” tool can ever do completely. A wise colleague of ours once put it: the corollary to a use case stating “This feature should do XYZ” should be an implied “AND NOTHING ELSE” at the end of it. We help identify those “something else”s.

Code review is a great way to examine the current security state and start building similar processes into the organization. In fact, Alasdair offers a solution which ties code review to application security training – we can not only review the code, but use it as a springboard for an interactive set of seminars to train your developers on thinking like a hacker…and building even better code.

Sidebar: Missed It by That Much

In February 2017, businesses woke up and learned that a major cloud provider, Cloudflare, had suffered a security flaw that put their customers’ data at risk. Worse still, the flaw had been around for a few months and, due to its nature, no one could say for sure who lost what, if anything.

So what was this massive bug? Using “==” instead of “>=”. That’s it. The resultant flaw caused certain operations to walk past their buffer and, well, the rest is history.

It can be that simple: one character wreaking havoc. Alasdair has a great deal of experience looking for these sorts of innocuous-looking mistakes, and sometimes a second set of eyes like ours can make all the difference!

Application Penetration Testing

Sure, vulnerability scanners can do some very basic application penetration testing. Really good application scanners (and their corresponding exorbitant price tags) can do a better job. But we have found nothing comes even close to having a human do a deep-dive on an application to uncover flaws.

Our engineers use several tools and scripts, both commercial and custom, to uncover application-level flaws, along with the one piece of wetware no application scanner (currently) has: a human brain. Guided by many years of testing experience as well as a development background, we will find flaws that scanners simply can’t, and approach an application as a real attacker would: looking for critical assets, exploring common weak points and chaining combinations of attacks together to provide a proper simulation of what your application probably faces every day: intelligent threats.

Alasdair has a storied history of breaking applications before someone else does. Let us discuss options with you and we think you’ll see that a proper application pentest is not only a great way to improve security, but may help highlight weaknesses you hadn’t even considered.

Talk to Alasdair: Find the bugs before someone else does

Sidebar: Hacking the Un-hackable

Recently we had a customer come to us who has had application pentests done for years. With a background in security themselves, they had patched the few minor flaws other firms had found over those years, but no one had really gained substantial access. They considered the application essentially un-hackable!

Our engineering team did a thorough review and not only found two reflected cross-site scripting flaws that other tools and teams had missed, but also a remote Linux shell exploit complete with data exfiltration. Rather than being upset, our customer was thrilled we had identified the weaknesses and had them patched within an hour of explaining what we’d found!