OWASP Education
The OWASP Foundation
Computer based training
http://www.owasp.org
CERT Secure Coding
Nishi Kumar
IT Architect Specialist, FIS
OWASP CBT Project Lead
OWASP Global Industry Committee
Nishi.Kumar@owasp.org
Contributor and Reviewer
Keith Turpin
Objectives
Understand CERT Secure Coding
CERT Secure Coding Standards
CERT Secure Coding goals
Reduce vulnerabilities resulting from coding errors
Identify common programming errors that lead to software vulnerabilities
Establish secure coding standards
Educate software developers to advance the state of the practice in secure coding
CERT Secure Coding Standards
Establish coding guidelines for commonly used programming languages that can be used to improve the security of software systems under development.
Based on documented standard language versions as defined by official or de facto standards organizations.
Secure coding standards are under development for:
The CERT C Secure Coding Standard, Version 2.0
The CERT C++ Secure Coding Standard
The CERT Oracle Secure Coding Standard for Java
The CERT Oracle Secure Coding Standard for Java
00. Input Validation and Data Sanitization (IDS)
01. Declarations and Initialization (DCL)
02. Expressions (EXP)
03. Numeric Types and Operations (NUM)
04. Object Orientation (OBJ)
05. Methods (MET)
06. Exceptional Behavior (ERR)
07. Visibility and Atomicity (VNA)
08. Locking (LCK)
09. Thread APIs (THI)
10. Thread Pools (TPS)
11. Thread-Safety Miscellaneous (TSM)
12. Input Output (FIO)
14. Platform Security (SEC)
15. Runtime Environment (ENV)
16. Serialization (SER)
49. Miscellaneous (MSC)
IDS01-J. Sanitize untrusted data passed across a trust boundary
Noncompliant Code Example

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

class Login {
    // getConnection() and hashPassword() are helpers assumed by the example
    public void doPrivilegedAction(String username, char[] password) throws SQLException {
        Connection connection = getConnection();
        if (connection == null) {
            // handle error
        }
        String pwd = hashPassword(password);
        // The untrusted username is concatenated straight into the query text,
        // so a quote in it changes the SQL grammar (SQL injection)
        String sqlString = "SELECT * FROM db_user WHERE username = '" + username
                + "' AND password = '" + pwd + "'";
        Statement stmt = connection.createStatement();
        ResultSet rs = stmt.executeQuery(sqlString);
        if (!rs.next()) {
            throw new SecurityException("User name or Password incorrect");
        } // Authenticated; proceed
    }
}
IDS01-J. Sanitize untrusted data passed across a trust boundary
Compliant Solution (PreparedStatement)

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

class Login {
    // getConnection() and hashPassword() are helpers assumed by the example
    public void doPrivilegedAction(String username, char[] password) throws SQLException {
        Connection connection = getConnection();
        if (connection == null) {
            // handle error
        }
        String pwd = hashPassword(password);
        // Ensure that the length of user name is legitimate
        if (username.length() > 8) {
            // Handle error
        }
        // Parameter markers keep the untrusted values out of the SQL grammar;
        // the driver sends them as data, never as part of the statement text
        String sqlString = "select * from db_user where username=? and password=?";
        PreparedStatement stmt = connection.prepareStatement(sqlString);
        stmt.setString(1, username);
        stmt.setString(2, pwd);
        ResultSet rs = stmt.executeQuery();
        if (!rs.next()) {
            throw new SecurityException("User name or Password incorrect");
        } // Authenticated; proceed
    }
}
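To see why the two slides above differ, here is an added example (not code from the CERT standard or these OWASP slides) that rebuilds the noncompliant and compliant logins in Python over an in-memory SQLite table, so the injection can be run offline with nothing but the standard library. The sqlite3 "?" placeholders play the role of Java's PreparedStatement parameters. The user row, the SHA-256 stand-in for hashPassword(), and the attacker payload are all constructed for the example.

```python
"""Added example (not from the CERT/OWASP slides): the IDS01-J noncompliant
and compliant logins rebuilt over SQLite so the injection can be run offline.
The parameterised query plays the role of Java's PreparedStatement."""
import hashlib
import sqlite3


def hash_password(password: str) -> str:
    # Stand-in for the slides' hashPassword(); assumption: SHA-256 keeps the
    # example dependency-free. Real code needs a salted, slow KDF
    # (bcrypt, scrypt, Argon2).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one row in db_user, the table the slides query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE db_user (username TEXT, password TEXT)")
    conn.execute("INSERT INTO db_user VALUES (?, ?)",
                 ("alice", hash_password("correct horse")))
    conn.commit()
    return conn


def noncompliant_sql(username: str, pwd: str) -> str:
    """The exact string the noncompliant code hands to Statement.executeQuery()."""
    return ("SELECT * FROM db_user WHERE username = '" + username
            + "' AND password = '" + pwd + "'")


def login_noncompliant(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Mirror of the noncompliant slide: untrusted username concatenated in."""
    row = conn.execute(noncompliant_sql(username, hash_password(password))).fetchone()
    return row is not None


def login_compliant(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Mirror of the compliant slide: length check, then bound parameters."""
    if len(username) > 8:
        raise ValueError("user name too long")  # the slides' "Handle error"
    pwd = hash_password(password)
    # Placeholders: the driver binds username/pwd as values, so a quote in
    # either one can never terminate the literal or alter the WHERE clause.
    row = conn.execute(
        "SELECT * FROM db_user WHERE username = ? AND password = ?",
        (username, pwd)).fetchone()
    return row is not None


# Constructed attacker input, exactly 8 characters so it also survives the
# length check. It closes the string literal, ORs in a true clause, and
# comments out the password comparison with "--".
PAYLOAD = "' OR 1--"


if __name__ == "__main__":
    conn = make_db()
    print(noncompliant_sql(PAYLOAD, hash_password("wrong")))
    print("noncompliant, payload:", login_noncompliant(conn, PAYLOAD, "wrong"))  # True
    print("compliant,    payload:", login_compliant(conn, PAYLOAD, "wrong"))     # False
```

Running it prints the concatenated statement, which now reads `... WHERE username = '' OR 1--' AND password = '...'`: the password clause has become a comment and the first row in the table is returned, so the attacker is "authenticated" without any password. The compliant version sends the same eight characters as a bound value, finds no user literally named `' OR 1--`, and refuses the login. Note that the length check alone would not have stopped this payload; the parameter binding is what does.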
References
CERT - www.cert.org
The CERT® Program is part of the Software Engineering Institute (SEI). CERT's primary objectives include analyzing and communicating the state of internet security through its US-CERT Vulnerability Notes Database and improving software security with its secure coding practices publications.
US-CERT Vulnerability Notes Database - http://www.kb.cert.org/vuls/
CERT Secure Coding Practices - http://www.cert.org/secure-coding/