"The hardest thing of all is to find a black cat in a dark room, especially if there is no cat." – Confucius
Security code inspection is a bit like searching in the dark. However, security vulnerabilities are in many cases* recurrent anti-patterns that can be identified by a well-defined set of string searches.
This post sheds some light into the dark room to help find those black cats: security vulnerabilities.
Search Toolset
These are the tools I use to perform text searches.
- Dumping strings from compiled assemblies - ILDASM : Code Inspection - First Look For What To Look For
- Visual Studio 2005 As General Code Search Tool
- FindStr - Performing Text Searches
- Security .Net Code Inspection Using Outlook 2007
- Security Code Review – Use Visual Studio Bookmarks To Capture Security Findings
Security Vulnerabilities Search Patterns
First, define what you want to search for. Here is one example of how to do it: Generate Your Own Security Code Review Checklist Document Using Outlook 2007. Then start searching. These are a few search patterns that can help you get on track finding security vulnerabilities:
- Quickly Find And Fix Cross Site Scripting (XSS) Vulnerabilities In Your ASP.NET Application.
- Security Code Inspection - Eternal Search For SQL Injection
- Security Code Review – String Search Patterns For Finding Input Validation Vulnerabilities
- Security Code Review – String Search Patterns For Authentication Vulnerabilities
- Security Code Review – String Search Patterns For Authorization Vulnerabilities
Related materials
- Security Question List: ASP.NET 2.0
- XSSDetect Public Beta now Available!
- XSSDETECT: Analyzing Large Applications
- Chapter 21 – Code Review
Happy searching, alikl
________
*Searching for strings leads to hotspots (potential security vulnerabilities) but does not find all of them. Sometimes it hits a vulnerability right between the eyes; sometimes it misses. But it surely helps narrow the security inspection scope.
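To make the "well-defined set of string searches" concrete, here is an added example (not code from the original post) that runs a small set of ASP.NET hotspot patterns over a constructed C# fragment and reports each hit with the category of question a reviewer should ask there. The pattern list, the category names and the sample source are all assumptions for illustration; as the footnote says, a hit is a place to inspect, not a confirmed vulnerability, and an absent hit proves nothing.

```python
import re
from typing import Dict, List, Tuple

# Hotspot patterns for ASP.NET/C# sources: (category, regex, what to check at the hit).
# These are illustrative assumptions, not an exhaustive or official list.
HOTSPOT_PATTERNS = [
    ("input", re.compile(r"Request\.(QueryString|Form|Cookies|Params|ServerVariables)\["),
     "untrusted input read; trace where it flows and whether it is validated"),
    ("xss", re.compile(r"Response\.Write\s*\("),
     "raw output; confirm the value is HTML-encoded before it is written"),
    ("sqli", re.compile(r"(?i)\b(select|insert|update|delete)\b.*\"\s*\+"),
     "SQL text built by string concatenation; check for parameters instead"),
    ("sqli", re.compile(r"new\s+SqlCommand\s*\(\s*[A-Za-z_]"),
     "command text is a variable, not a literal; find where it is assembled"),
]

Hit = Tuple[int, str, str]  # (line number, category, source line)


def find_hotspots(source: str) -> List[Hit]:
    """Return every (line_no, category, line) where a hotspot pattern matches."""
    hits: List[Hit] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for category, pattern, _hint in HOTSPOT_PATTERNS:
            if pattern.search(line):
                hits.append((line_no, category, line.strip()))
                break  # one report per line is enough to put it on the review list
    return hits


def count_by_category(hits: List[Hit]) -> Dict[str, int]:
    """Summarise hits per category to size the inspection effort."""
    counts: Dict[str, int] = {}
    for _line_no, category, _line in hits:
        counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed sample C# fragment for the demo; it is not code from the original post.
SAMPLE_SOURCE = "\n".join([
    'string name = Request.QueryString["name"];',
    'Response.Write("Hello " + name);',
    'string sql = "SELECT * FROM Users WHERE Name = \'" + name + "\'";',
    'SqlCommand cmd = new SqlCommand(sql, conn);',
    'SqlCommand safe = new SqlCommand("SELECT * FROM Users WHERE Name = @name", conn);',
    'safe.Parameters.AddWithValue("@name", name);',
    'Literal1.Text = Server.HtmlEncode(name);',
])

if __name__ == "__main__":
    for line_no, category, line in find_hotspots(SAMPLE_SOURCE):
        print(f"{line_no:>3} [{category}] {line}")
    print(count_by_category(find_hotspots(SAMPLE_SOURCE)))
```

Note that the parameterised command on line 5 and the encoded output on line 7 produce no hits, while lines 1 to 4 land on the review list; the same patterns would be fed to findstr or the Visual Studio search tools listed above.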
Comments
- Anonymous
  August 05, 2008
  Recently, while I visited a new customer, someone rushed to the room shouting – someone had hacked our
- Anonymous
  September 26, 2008
  You probably heard about SDL a few times. This is the process that MS apply when developing its products