BruCON Agnitio Workshop
![Page 1: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/1.jpg)
David Rook
Agnitio: security code review Swiss army knife
BruCON, Belgium
Wednesday, 21 September 2011
![Page 2: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/2.jpg)
if (slide == introduction) System.out.println("I’m David Rook");
• Application Security Lead, Realex Payments, Ireland
• CISSP, CISA, GCIH and many other acronyms
• Security Ninja (@securityninja)
• Speaker at developer and security conferences
• Microsoft Developer Security MVP
• Developed and released Agnitio
![Page 3: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/3.jpg)
Agenda
• What is static analysis?
• Agnitio: security code review Swiss army knife
• Agnitio and mobile apps
![Page 4: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/4.jpg)
Static analysis
• What do I mean by static analysis?
• A review of source code without executing the application
• Can be either manual or automated through one or more tools
• Human and/or tools analysing application source code
![Page 6: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/6.jpg)
Static analysis
• Wetware or software?
• Humans are needed with or without static analysis tools
• The best thing about humans is that they aren’t software
• The worst thing about humans is that they are humans
![Page 7: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/7.jpg)
Static analysis
• Wetware or software?
http://www.ibm.com/developerworks/rational/library/11-proven-practices-for-peer-review/index.html?sf1100063=1
![Page 10: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/10.jpg)
Static analysis
• Wetware or software?
• Tools can cover more code in less time than a human
• The best thing about software is that it isn’t human
• The worst thing about software is that it’s software
![Page 11: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/11.jpg)
![Page 12: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/12.jpg)
![Page 13: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/13.jpg)
![Page 14: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/14.jpg)
![Page 15: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/15.jpg)
![Page 16: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/16.jpg)
![Page 17: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/17.jpg)
![Page 18: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/18.jpg)
![Page 19: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/19.jpg)
![Page 20: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/20.jpg)
![Page 21: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/21.jpg)
Agnitio
• What is Agnitio?
• Tool to help with manual static analysis
• Checklist based with reviewer & developer guidance
• Produces audit trails & enforces integrity checks
• Single tool for security code review reports & metrics
![Page 22: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/22.jpg)
Agnitio
• What is Agnitio?
• C# open source application, GPLv3 license
• Four different versions in 10 months
• 10,000+ downloads from users in over 100 countries
• Used by SMEs, consulting firms and NYSE-listed companies
![Page 23: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/23.jpg)
Agnitio
• Checklists?
• An application for doing checklist reviews? *yawn* how boring!
• Checklists are for n00bs! I don't need a checklist to review code!
• I beg to differ, would you say doctors and pilots are n00bs?
![Page 24: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/24.jpg)
![Page 25: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/25.jpg)
![Page 26: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/26.jpg)
Agnitio
![Page 27: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/27.jpg)
Agnitio
![Page 28: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/28.jpg)
Agnitio
• Checklists?
• Do you use checklists for your source code reviews?
• What's the worst that could happen if you don’t?
![Page 29: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/29.jpg)
Ariane 5 flight 501
![Page 30: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/30.jpg)
![Page 31: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/31.jpg)
Ariane 5 flight 501

```ada
-- Conversion of the inertial platform's bias values from 64-bit float to
-- 16-bit signed integer. The vertical component (E_BV) is range-checked and
-- saturated before conversion; the horizontal component (E_BH) is converted
-- with no check at all, which is the unhandled operand error of flight 501.
L_M_BV_32 := TBD.T_ENTIER_32S ((1.0/C_M_LSB_BV) * G_M_INFO_DERIVE(T_ALG.E_BV));
if L_M_BV_32 > 32767 then
   P_M_DERIVE(T_ALG.E_BV) := 16#7FFF#;
elsif L_M_BV_32 < -32768 then
   P_M_DERIVE(T_ALG.E_BV) := 16#8000#;
else
   P_M_DERIVE(T_ALG.E_BV) := UC_16S_EN_16NS(TDB.T_ENTIER_16S(L_M_BV_32));
end if;

-- No range check on the horizontal bias before the 16-bit conversion
P_M_DERIVE(T_ALG.E_BH) := UC_16S_EN_16NS (TDB.T_ENTIER_16S ((1.0/C_M_LSB_BH) * G_M_INFO_DERIVE(T_ALG.E_BH)));
```

http://moscova.inria.fr/~levy/talks/10enslongo/enslongo.pdf
![Page 32: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/32.jpg)
Therac-25
![Page 33: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/33.jpg)
Mars Climate Orbiter
![Page 34: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/34.jpg)
Mars Climate Orbiter
![Page 35: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/35.jpg)
Agnitio
• Checklists?
• Do you use checklists for your source code reviews?
• What's the worst that could happen if you don’t?
• Four people dead and over €700m of equipment destroyed
• Checklists can be useful to pilots, doctors and code reviewers!
![Page 40: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/40.jpg)
Agnitio
• So, why did I develop Agnitio?
• I love using checklists for security code reviews!
• Even if your process is good it might not be smart
• Is your review process really repeatable and easy to audit?
• How about producing metrics, useful reports & integrity checks?
• No? That’s why I developed Agnitio!
![Page 41: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/41.jpg)
Why did I develop Agnitio?
• Demonstration: application profiles
![Page 42: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/42.jpg)
Why did I develop Agnitio?
• Demonstration: security code reviews
![Page 43: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/43.jpg)
Why did I develop Agnitio?
• Demonstration: security code review reports
![Page 44: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/44.jpg)
Why did I develop Agnitio?
• Demonstration: application security metrics
![Page 45: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/45.jpg)
Why did I develop Agnitio?
• Demonstration: customise your Agnitio installation
![Page 46: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/46.jpg)
Agnitio hands on
• Create a PHP rule
![Page 47: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/47.jpg)
Agnitio hands on
• Analyse the PHP application
![Page 48: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/48.jpg)
Mobile apps and Agnitio
• Mobile apps can create value for a business
• Businesses can benefit from having a mobile presence
• Innovative apps for customers using mobile functionality
![Page 49: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/49.jpg)
![Page 50: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/50.jpg)
![Page 51: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/51.jpg)
![Page 52: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/52.jpg)
![Page 53: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/53.jpg)
![Page 54: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/54.jpg)
![Page 55: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/55.jpg)
![Page 56: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/56.jpg)
![Page 57: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/57.jpg)
![Page 58: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/58.jpg)
![Page 59: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/59.jpg)
![Page 62: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/62.jpg)
Mobile apps and Agnitio
• Mobile apps can create value for a business
• Businesses can benefit from having a mobile presence
• Innovative apps for customers using mobile functionality
• Most developers have not been trained to write secure code
• Not trained to write secure code, new to mobile development......
• What could possibly go wrong?
![Page 63: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/63.jpg)
There’s an app for that
![Page 64: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/64.jpg)
There’s an app for that
![Page 65: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/65.jpg)
There’s an app for that
• Lets assume the predicted growth happens
• 1,000,000+ apps by the end of 2011
• The answer isn’t “none” but it won’t be many, ≤1%?• How many have been developed with security in mind?
Wednesday, 21 September 2011
![Page 66: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/66.jpg)
There’s an app for that
• Lets assume the predicted growth happens
• 1,000,000+ apps by the end of 2011
• The answer isn’t “none” but it won’t be many, ≤1%?• But none of us are surprised by this are we?
• How many have been developed with security in mind?
Wednesday, 21 September 2011
![Page 67: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/67.jpg)
There’s an app for that
• Lets assume the predicted growth happens
• 1,000,000+ apps by the end of 2011
• The answer isn’t “none” but it won’t be many, ≤1%?• But none of us are surprised by this are we?• I want us to try and find the insecure apps with Agnitio
• How many have been developed with security in mind?
Wednesday, 21 September 2011
![Page 68: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/68.jpg)
Mobile app security issues
• Data in transit and at rest
• Dangerous inputs
![Page 69: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/69.jpg)
There’s an app for that
![Page 70: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/70.jpg)
Android Source Code

```java
package com.denimgroup.android.training.pandemobium.stocktrader;

import android.app.Activity;
import android.os.Bundle;
import android.util.Log;
import android.webkit.WebView;

public class TipsActivity extends Activity {

    private WebView wvTips;

    /** Called when the activity is first created. */
    @Override
    public void onCreate(Bundle savedInstanceState) {
        Log.i("TipsActivity", " Loading up browser page to display stock tips");
        super.onCreate(savedInstanceState);
        setContentView(R.layout.tips);
        wvTips = (WebView) findViewById(R.id.wv_tips);
        // Review point: the WebView loads whatever URL the string resource
        // R.string.tip_list holds; check its scheme (http vs https) and the
        // WebView settings before signing this off.
        wvTips.loadUrl(getString(R.string.tip_list));
    }
}
```
![Page 71: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/71.jpg)
AndroidManifest.xml
• A good place to start your security code reviews!
• Applications and system code have an AndroidManifest file
• Declares the package name, a unique identifier for the app
• Defines the permissions needed by the application
• Defines app activities and intents
• Stored as compiled (binary) XML inside the .apk, so decode it (apktool, aapt) before reading it
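As an added example (not code from the workshop or from the Agnitio tool), the following script does the "first look" at a decoded AndroidManifest.xml that the slide recommends: it lists the requested permissions, flags the ones a reviewer wants justified, and reports components that other apps can reach without holding a permission, plus the debuggable and allowBackup application flags. The sample manifest, the package and component names, and the short list of permissions to flag are all constructed for illustration; it assumes the manifest has already been decoded from the binary form found inside the .apk.

```python
"""Review a decoded AndroidManifest.xml for permissions, exported
components and risky application flags.  Added example; not part of
Agnitio.  Input must be plain XML (decode the .apk's manifest with
apktool or aapt first)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(attr):
    """Qualified name of an android: attribute for ElementTree lookups."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Permissions the reviewer wants to see justified (illustrative list,
# not an official classification).
REVIEW_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_PHONE_STATE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample: a decoded manifest for a fictional stock-tips app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.stocktrader">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="StockTrader" android:debuggable="true">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".TipsActivity" android:exported="true"/>
        <service android:name=".SyncService" android:exported="true"
                 android:permission="com.example.stocktrader.SYNC"/>
        <receiver android:name=".SmsReceiver">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <provider android:name=".TradeProvider"
                  android:authorities="com.example.stocktrader.trades"/>
    </application>
</manifest>
"""


def is_launcher(comp):
    """The app's own launcher activity is exported by design; skip it."""
    for filt in comp.findall("intent-filter"):
        for cat in filt.findall("category"):
            if cat.get(android_attr("name")) == "android.intent.category.LAUNCHER":
                return True
    return False


def is_exported(comp):
    """An explicit android:exported wins; otherwise an intent-filter makes
    the component reachable from other apps."""
    explicit = comp.get(android_attr("exported"))
    if explicit is not None:
        return explicit.lower() == "true"
    return comp.find("intent-filter") is not None


def review_manifest(xml_text):
    """Return the package name, requested permissions and a list of
    (finding, subject) pairs for the reviewer to follow up in the code."""
    root = ET.fromstring(xml_text)
    findings = []
    perms = [p.get(android_attr("name")) for p in root.findall("uses-permission")]
    findings += [("permission", p) for p in perms if p in REVIEW_PERMISSIONS]
    app = root.find("application")
    if app is not None:
        if app.get(android_attr("debuggable"), "false").lower() == "true":
            findings.append(("debuggable", "application"))
        if app.get(android_attr("allowBackup"), "true").lower() == "true":
            findings.append(("allowBackup", "application"))  # default is true
        for tag in COMPONENT_TAGS:
            for comp in app.findall(tag):
                name = comp.get(android_attr("name"))
                if tag == "provider" and comp.get(android_attr("exported")) is None:
                    # Providers are exported by default when targetSdkVersion < 17.
                    findings.append(("provider-exported-default", name))
                elif (is_exported(comp) and not is_launcher(comp)
                      and comp.get(android_attr("permission")) is None):
                    findings.append(("exported-unprotected-" + tag, name))
    return {"package": root.get("package"), "permissions": perms, "findings": findings}


if __name__ == "__main__":
    for finding in review_manifest(SAMPLE_MANIFEST)["findings"]:
        print("%-30s %s" % finding)
```

Each finding is a place to go and read code, not a vulnerability in itself: an exported receiver is only a problem if its handler trusts the incoming intent, and INTERNET is only interesting for what gets sent and over which scheme.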
![Page 72: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/72.jpg)
Agnitio hands on
• AndroidManifest.xml - before and after
![Page 73: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/73.jpg)
Android Static Analysis
• Context.openFileOutput()
• Context.openOrCreateDatabase()
• rawQuery()
• URLConnection()
• HttpResponse()
• MODE_PRIVATE
• MODE_WORLD_READABLE
• MODE_WORLD_WRITEABLE
![Page 74: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/74.jpg)
Agnitio hands on
• Analyse the Android Pandemobium app
![Page 75: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/75.jpg)
iOS Source Code

```objective-c
#import "TipViewController.h"
#import "StockDatabase.h"
#import "/usr/include/sqlite3.h"
#import "ASIHTTPRequest.h"
#import "ASIFormDataRequest.h"

@implementation TipViewController

@synthesize keyboardToolbar;

- (id)initWithNibName:(NSString *)nibNameOrNil bundle:(NSBundle *)nibBundleOrNil
{
    self = [super initWithNibName:nibNameOrNil bundle:nibBundleOrNil];
    if (self) {
        // Custom initialization: the controller opens the SQLite-backed
        // stock database here, so this is where the reviewer starts
        // tracing how queries are built.
        stockDB = [[StockDatabase alloc] init];
    }
    return self;
}
```
![Page 76: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/76.jpg)
iOS Static Analysis
• writeToFile()
• openURL()
• sqlite3_prepare()
• NSFILE
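The Android and iOS lists above are search terms: the places a reviewer opens first when looking for data-at-rest, data-in-transit and dangerous-input problems. The script below, an added example rather than Agnitio's own rule engine or any code from the workshop, turns both lists into line-level triage rules and runs them over two constructed snippets, one Java and one Objective-C. Rule names, patterns, the advice strings and the sample code are all illustrative; a hit marks a line to read, not a confirmed vulnerability.

```python
"""Pattern-based triage of Android (Java) and iOS (Objective-C) source
for the APIs on the workshop's static analysis checklists.  Added
example; rules and samples are constructed for illustration."""
import re

# (rule id, file extensions it applies to, regex, what the reviewer checks)
RULES = [
    ("android-world-readable", (".java",),
     r"MODE_WORLD_(READABLE|WRITEABLE)",
     "file or database shared with every app on the device"),
    ("android-file-output", (".java",),
     r"\bopenFileOutput\s*\(|\bopenOrCreateDatabase\s*\(",
     "what is written to local storage, and with which mode"),
    ("android-sql-concat", (".java",),
     r"\brawQuery\s*\([^;]*\+",
     "SQL built by string concatenation: use selectionArgs instead"),
    ("android-webview-js", (".java",),
     r"setJavaScriptEnabled\s*\(\s*true\s*\)",
     "JavaScript enabled in a WebView: which origins can it load?"),
    ("android-webview-load", (".java",),
     r"\bloadUrl\s*\(",
     "where the URL comes from and whether it is https"),
    ("cleartext-url", (".java", ".m"),
     r"[\"']http://",
     "data in transit without TLS"),
    ("ios-write-to-file", (".m",),
     r"writeToFile:",
     "data at rest: is it sensitive, and is a protection class set?"),
    ("ios-open-url", (".m",),
     r"openURL:",
     "URL handed to the system: can an attacker control it?"),
    ("ios-sql-format", (".m",),
     r'(?i)stringWithFormat:\s*@"\s*(select|insert|update|delete)\b',
     "SQL built with stringWithFormat: bind parameters instead"),
    ("ios-sqlite-prepare", (".m",),
     r"\bsqlite3_prepare(_v2)?\s*\(",
     "how the statement text was built; values via sqlite3_bind_*"),
]


def scan_source(filename, text):
    """Return (line number, rule id, advice) for every rule that matches
    a line of `text`; rules are selected by the file extension."""
    ext = filename[filename.rfind("."):]
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule_id, exts, pattern, advice in RULES:
            if ext in exts and re.search(pattern, line):
                hits.append((lineno, rule_id, advice))
    return hits


# Constructed Android sample (not the Pandemobium source).
SAMPLE_JAVA = """\
package com.example.stocktrader;

public class TipsActivity extends Activity {
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        wvTips = (WebView) findViewById(R.id.wv_tips);
        wvTips.getSettings().setJavaScriptEnabled(true);
        wvTips.loadUrl("http://tips.example.com/list");
        FileOutputStream fos = openFileOutput("tips.txt", MODE_WORLD_READABLE);
        Cursor c = db.rawQuery("SELECT * FROM tips WHERE sym = '" + symbol + "'", null);
    }
}
"""

# Constructed iOS sample.
SAMPLE_OBJC = """\
#import "TipViewController.h"

- (void)saveTip:(NSString *)tip forSymbol:(NSString *)symbol {
    [tip writeToFile:path atomically:YES];
    NSString *sql = [NSString stringWithFormat:@"SELECT * FROM tips WHERE sym = '%@'", symbol];
    sqlite3_prepare_v2(db, [sql UTF8String], -1, &stmt, NULL);
}
"""


if __name__ == "__main__":
    for name, src in (("TipsActivity.java", SAMPLE_JAVA),
                      ("TipViewController.m", SAMPLE_OBJC)):
        for lineno, rule_id, advice in scan_source(name, src):
            print("%s:%d  %-24s %s" % (name, lineno, rule_id, advice))
```

The rules are deliberately line-local, which is also their limit: a query assembled on one line and executed on the next trips two separate rules rather than one, and a URL read from a resource file never matches `cleartext-url` at all. That is why the workshop pairs this kind of automated pass with a human working through a checklist.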
![Page 77: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/77.jpg)
Agnitio hands on
• Automated analysis of Android .apk files
![Page 78: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/78.jpg)
Using Agnitio
• How you can use Agnitio in your reviews
• Download Agnitio from SourceForge
• Focus security code reviews on root causes, not individual vulnerabilities
• Use your language/s in all code examples and checklist items
• Use Agnitio to conduct principles-based security code reviews
![Page 79: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/79.jpg)
My USB key...
• I have some things on my USB key you might want
• .apk files of popular and “suspicious” Android apps
• System.img file for v2.2 emulator to enable the marketplace
• My slides from this workshop
• You have to trust my USB key is safe to use ;-)
![Page 80: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/80.jpg)
Do you want to work with me?
• I’m expanding our application security team
• 1x Application Security Analyst
• 2x Junior Application Security Analyst
• Speak to me today or tomorrow!
• [email protected]
![Page 81: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/81.jpg)
www.securityninja.co.uk
@securityninja
/realexninja
/securityninja
/realexninja
http://sourceforge.net/projects/agnitiotool/
![Page 82: BruCON Agnitio Workshop](https://reader033.fdocuments.in/reader033/viewer/2022052823/5553b419b4c905d4448b4c5e/html5/thumbnails/82.jpg)
QUESTIONS?