Uncovering Vulnerabilities in Secure Coding Guidelines

Presented at DeepSec 2018 „I like to mov &6974,%bx“, Unknown date/time (Unknown duration).

Several government-related and private organizations provide guidance on how to improve the security of existing software as well as best practices for developing new code. These organizations include the Computer Emergency Readiness Team (CERT) Secure Coding Standards, Common Weakness Enumeration (CWE), Open Web Application Security Project (OWASP), and National Institute of Standards and Technology (NIST) Software Assurance Metrics.

This talk will expose multiple underlying exploitable vulnerabilities in secure pieces of code that follows the recommendations from each of these organizations. Even though these guidelines were created to improve software security, they may also inject side vulnerabilities.

Within secure code snippets, reviewed by many and considered trustworthy by all, are issues that attackers could exploit to escape secure directories, abuse insecure hashing and encryption practices, or even expose applications to SQL injection attacks among others.

Presenters:

• Fernando Arnaboldi - IOActive
  Fernando Arnaboldi is a developer and security consultant who specializes in penetration testing and code reviews on multiple platforms. He has focused his research on breaking the security of different programming languages and has presented his findings at security conferences such as Black Hat USA & Europe, DEF CON, Ruxcon, OWASP AppSec USA & Europe and HITB Amsterdam.

Links:

• https://deepsec.net/archive/2018.deepsec.net/speaker.html#PSLOT389

Similar Presentations:

• DEF CON 17 (2009) / Hack The Textbook
• CircleCityCon 8.0 (2021) Virtual / Do Your Developers Write SUPER Secure Code?
• Kernelcon 2023 / Secure Coding in Go: Avoiding Common Vulnerabilities to better Secure Your Code