5 Standard actions for Security

[singhalkarun]

• [ ] Come up with 5 most important tests to have in system by Tue EOD
• [ ] Reasoning why you are picking these 5 by Tue EOD
• [ ] Implemetation of these 5 actions by Wed EOD

[Himasnhu-AT]

• [ ] Come up with the 5 most important tests to have in system by Tue EOD
• [ ] Reasoning why you are picking these 5 by Tue EOD

Summary:

5 Most common security analysis with errors they cause:

• Static Application Security Testing (SAST): This test analyzes source code to identify security flaws without executing the code. It's essential for detecting vulnerabilities like SQL injection and other code-related issues early in the development cycle.

  • SQL Injection: Malicious SQL statements are injected into an entry field for execution.
  • Cross-Site Scripting (XSS): Attackers inject client-side scripts into web pages viewed by other users.
  • Buffer Overflow: Excess data overflows into adjacent memory, leading to crashes or exploitable conditions.

• Dynamic Application Security Testing (DAST): DAST tools test the application as it's running. It's crucial for identifying runtime issues such as authentication and session management problems, which are not detectable by SAST.

  • Authentication Issues: Flaws in authentication mechanisms that could allow unauthorized access.
  • Session Management Flaws: Vulnerabilities that could lead to session hijacking or fixation.

• Dependency Scanning: Since modern applications often use open-source libraries, dependency scanning is vital to detect known vulnerabilities in these components.

  • Known Vulnerability Exploitation: Using outdated or vulnerable libraries that have known exploits.

• Configuration Scanning: This test checks for improperly configured permissions, open ports, and other security misconfigurations that could be exploited.

  • Misconfigured Access Controls: Incorrectly set permissions that could lead to unauthorized data access.
  • Open Ports: Unintentionally opened ports that could serve as entry points for attackers.

• Penetration Testing: This is a simulated cyber attack against your system to check for exploitable vulnerabilities, including those that may arise from business logic errors.

  • Business Logic Errors: Flaws in the application's logic that could be exploited.
  • Complex Vulnerability Chains: Series of vulnerabilities that, when exploited in sequence, lead to significant breaches.

Tools we can refer to:

• CodeQL

  CodeQL treats code as data. It analyzes the codebase by creating a CodeQL database that represents your codebase. Then, it runs queries against this database to identify potential vulnerabilities and errors. The process involves three main steps:

  1. Database Creation: For compiled languages, CodeQL monitors the build process to extract a relational representation of each source file. For interpreted languages, the extractor runs directly on the source code.
  2. Query Execution: After the database is created, you can execute CodeQL queries against it. These queries are written in a query language called QL.
  3. Interpreting Results: The results from the queries are then interpreted and can be displayed as alerts within GitHub for any potential issues found in the code.

• Synk:

  Snyk is a developer security platform that helps to find and fix vulnerabilities in various aspects of software development. Here's how Snyk works:

  1. Integration: Snyk integrates with your existing development environments, such as IDEs, repositories, and workflows. This allows for seamless security scanning within the tools developers are already using.
  2. Scanning: It continuously monitors your projects for vulnerabilities by scanning your code, open-source dependencies, container images, infrastructure as code configurations, and cloud environments3.
  3. Vulnerability Database: Snyk uses a database that includes CVEs (Common Vulnerabilities and Exposures) and proprietary vulnerability data to identify potential security issues. ...

---

• [ ] Implemetation of these 5 actions by Wed EOD

Here a sample code repo I have created: https://github.com/Himasnhu-AT/security What it Does?:

• Static code analysis:

  Example: Buffer Overflow Detection

Vulnerable Code:

let bufferOverflow: string[] = [];

function addToBuffer(input: string) {
  // Simulating buffer overflow by not checking the length of input
  bufferOverflow.push(input);
}

Detection by Script:

Our script will look for array manipulations and check if there are any safeguards for buffer limits.

Script Code:

import {
  Node,
  isCallExpression,
  createSourceFile,
  ScriptTarget,
  SyntaxKind,
  forEachChild,
} from "typescript";

const sourceCode = `
let bufferOverflow: string[] = [];

function addToBuffer(input: string) {
  bufferOverflow.push(input);
}
`;

const sourceFile = createSourceFile(
  "tempFile.ts",
  sourceCode,
  ScriptTarget.Latest,
  true
);

const securityIssues: string[] = [];

const analyzeNode = (node: Node) => {
  if (isCallExpression(node)) {
    const functionName = node.expression.getText();
    if (functionName.includes(".push")) {
      securityIssues.push(
        `Potential buffer overflow detected in function using array. Ensure proper length checks.`
      );
    }
  }
  forEachChild(node, analyzeNode);
};

forEachChild(sourceFile, analyzeNode);

if (securityIssues.length > 0) {
  console.log("Security issues found:");
  securityIssues.forEach((issue) => console.log(`- ${issue}`));
} else {
  console.log("No significant security issues found.");
}

Script Output:

Security issues found:
- Potential buffer overflow detected in function using array. Ensure proper length checks.

• Code analysis using Gemini (can finetune LLMs to find security vulnerabilities such as LLAMA3 or CodeUP):

This approach involves sending the code to an AI for analysis. The AI reviews the code and identifies security flaws, providing detailed reports with severity levels and proposed solutions.

Example AI Output:

{
  "report": [
    {
      "codeWithBug": "//! @Himasnhu-AT Improve token generation logic",
      "severity": "medium",
      "proposedSolution": "Tokens should be generated using a secure random number generator and should be cryptographically strong."
    },
    {
      "codeWithBug": "//! @Himasnhu-AT Improve verification Code generation logic",
      "severity": "medium",
      "proposedSolution": "Verification codes should be generated using a secure random number generator and should be cryptographically strong."
    },
    {
      "codeWithBug": "if (body.token != verificationCode)",
      "severity": "medium",
      "proposedSolution": "Verification codes should be compared using a constant-time comparison function to prevent timing attacks."
    },
    {
      "codeWithBug": "//! @Himasnhu-AT Hash this password",
      "severity": "high",
      "proposedSolution": "Passwords should be hashed using a strong hashing algorithm such as bcrypt or scrypt."
    },
   ]
}

FUTURE IMPROVEMENTS:

• In static analysis add more scripts and the ability to parse CVE dataset.
• In AI, improve the prompt and try giving the context of what exactly the code does, make it ignore vulnerabilities covered in comments, or maybe assign some other tag to it