Code Review for Generic Exception Throwing and Catching

Code Pattern: Look for code where the developer is attempting to throw and catch an exception with super class

Recommendation: Always throw and catch exceptions with a specific type of exception class

Code Review for Cookies Vulnerable to Client-side Scripts Attacks

Code Pattern: Look for configuration where the developer is attempting to set the httpOnly attribute to false

Recommendation: Always set httpOnly attribute to true

Code Review for Cookies Vulnerable to CSRF Attacks

Code Pattern: Look for configuration where the developer is attempting to set the session-timeout value to a large value in the web.xml file

Recommendation: Always set session-timeout value to as minimum as possible

Code Review for Enabling Directory Listing

Code Pattern: Look for configuration where the developer is attempting to set the directory Listing parameter value to true in web.xml of the tomcat server

Recommendation: Do not enable the directory listing feature. Set param value as “false" in web.xml

Code Review: Check List Approach

What does a Checklist Contain?

Sample Checklist: Input Validation

Ensure that all external inputs are validated
Ensure that data is validated server-side (Security should not rely on client-side validations)
Ensure that the application validates respective data types and rejects unexpected input
Ensure that the application efficiently evaluates input length
Ensure that there is strong separation between data and commands
Ensure that there is strong separation between data and client side scripts
Ensure that data is validated for special characters before being passed to SQL, LDAP, OS and third party commands
Ensure that http headers are validated for each request (e.g. referer)

Sample Checklist: Authentication

Ensure that user credentials are encrypted in the data store
Ensure that security policies are configurable (not hardcoded)
Ensure that standard security frameworks are used (instead of custom code)
Ensure that SSL is used to protect user credentials and authentication tokens
Ensure that authentication cookies are not persisted
Ensure that authentication cookies are encrypted
Ensure that cookie names and paths are used
Ensure that application handles user management events such as authentication failure, password reset, password change, account lockout and cancel account
Ensure that application handles suspicious events such as multiple failed logon attempts, session replay and attempted access to restricted resources
Ensure that strong passwords policies are enforced
Ensure that authentication credentials are not passed by HTTP GET

Sample Checklist: Authorization

Ensure that authentication and authorization should be the first logic executed for each request
Ensure that authorization checks are granular (page and directory level)
Ensure that application denies access to pages and data by default
Ensure that application re-authenticates for requests that have side-effects
Ensure that ACLs are configured for all files
Ensure that authorization is performed based on roles defined
Ensure that application implements strong authorization
Ensure that application implements strong authorization and can not be bypassed though parameter manipulation
Ensure that authorization cannot be bypassed through cookie manipulation

Sample Checklist: Session Management

Ensure that application should not pass session parameters in URLs
Ensure that duration for session cookies expiration should be as minimum as possible
Ensure that cookies are encrypted
Ensure that session data is validated
Ensure that private data in cookies is kept to a minimum
Ensure that application avoids excessive cookie use
Ensure that session id is complex and generated randomly
Ensure that session storage is secure
Ensure that application properly handles invalid session ids
Ensure that session timeout are enforced
Ensure that logout invalids the session
Ensure that session resources are released when session invalidated

Sample Checklist: Cryptography

Cheng®