Overview
Syllabus
whoami
What is this talk about?
More than what meets the Eye
Code Insecurity (INSECURE Framework)
N - Non-repudiation non-existent
E - Errors & Exceptions Mis-/Un-handled
C - Cryptographically Weak Code
U - Unsafe / Unused Functions in Code
    Banned / Insecure APIs
    Unknown APIs and Interfaces
    Vestigial Functions (Ctrl+C, Ctrl+X, Ctrl+V)
E - Elevated in Privileges
Defense against Injection
Defense against Non-repudiation
Defense against Spoofing
Defense against Errors & Exception Mis-/Un-handling
    Laconic error messages
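The "laconic error messages" point, shown in code. This is an added example and not part of the talk's slides: a constructed data-access stub raises an exception whose message carries internal detail (a file path and a database name), and two request handlers are compared. The verbose handler echoes the raw exception text to the caller; the laconic handler logs the full traceback server-side under a correlation id and returns only a generic message plus that id. The status codes, paths and names are assumptions made for the example.

```python
"""Laconic error messages: keep detail in the server log, not in the response."""
import logging
import traceback
import uuid

logger = logging.getLogger("app")


def load_account(account_id: str) -> dict:
    """Constructed stand-in for a data-access layer. On failure it raises an
    exception whose text contains internal detail that must not reach a client."""
    if account_id != "1001":
        raise FileNotFoundError(
            f"/srv/data/accounts/{account_id}.json not found (db=accounts_prod)"
        )
    return {"id": account_id, "balance": 42}


def verbose_handler(account_id: str) -> tuple:
    """Anti-pattern: the raw exception message becomes the API error body,
    disclosing paths, hostnames and schema names to the caller."""
    try:
        return 200, load_account(account_id)
    except Exception as exc:
        return 500, {"error": str(exc)}


# Map expected failure classes to a status and a fixed, non-revealing message.
# Anything not listed is reported as a generic server error.
_RESPONSES = {
    FileNotFoundError: (404, "Not found."),
    PermissionError: (403, "Forbidden."),
}


def laconic_handler(account_id: str) -> tuple:
    """Defense: the full traceback is logged with a correlation id; the client
    receives only a generic message and that id so support can find the log entry."""
    try:
        return 200, load_account(account_id)
    except Exception as exc:
        ref = uuid.uuid4().hex[:12]
        logger.error("request failed ref=%s\n%s", ref, traceback.format_exc())
        status, message = _RESPONSES.get(type(exc), (500, "Request could not be processed."))
        return status, {"error": message, "ref": ref}


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(verbose_handler("9999"))
    print(laconic_handler("9999"))
    print(laconic_handler("1001"))
```

The lookup is on the exact exception type rather than `isinstance`, so a subclass the developer has not thought about falls through to the generic 500 instead of inheriting a more specific message by accident.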
Defense against Cryptographically Weak Code
Defense against Unsafe / Unused Functions
Defenses against Reversible Code
Defenses against Elevated Privileges
    Check authorization before allowing privileged operations
    Non-admin accounts used for code execution
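The two defenses against elevated privileges, as an added example that is not part of the talk: a `require_role` decorator performs an authorization check before a privileged operation runs and fails closed for unknown users, and `running_as_admin` lets the program detect that it has been launched with full privileges (root on POSIX) so it can refuse to start. The role table, user names and `reset_password` operation are constructed for the example.

```python
"""Authorization before privileged operations; detect execution as an admin account."""
import functools
import logging
import os

logger = logging.getLogger("app")

# Constructed role assignments; a real system would consult its identity provider.
ROLES = {"alice": {"admin"}, "bob": {"user"}}


class AuthorizationError(PermissionError):
    """Raised when a caller lacks the role a privileged operation requires."""


def require_role(role: str):
    """Decorator: verify the caller holds `role` before the wrapped function runs.
    Deny by default: an unknown user or a missing role is refused and logged."""
    def decorator(func):
        @functools.wraps(func)
        def wrapper(user: str, *args, **kwargs):
            if role not in ROLES.get(user, set()):
                logger.warning("denied %s to %s (requires %s)", func.__name__, user, role)
                raise AuthorizationError(f"{user} may not call {func.__name__}")
            return func(user, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def reset_password(user: str, target: str) -> str:
    """Privileged operation: only reachable after the role check above passes."""
    return f"password for {target} reset by {user}"


def attempt(func, user: str, *args) -> tuple:
    """Run a guarded operation and report (allowed, result_or_reason)."""
    try:
        return True, func(user, *args)
    except AuthorizationError as exc:
        return False, str(exc)


def running_as_admin() -> bool:
    """True when the process runs with full privileges (effective uid 0 on POSIX).
    Code should execute under a non-admin account, so callers can refuse to start."""
    geteuid = getattr(os, "geteuid", None)  # absent on Windows
    return geteuid is not None and geteuid() == 0


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    if running_as_admin():
        raise SystemExit("refusing to run as an administrative account")
    print(attempt(reset_password, "alice", "bob"))
    print(attempt(reset_password, "bob", "alice"))
    print(attempt(reset_password, "mallory", "alice"))
```

The check lives in the decorator rather than inside each privileged function, so a new privileged operation cannot be added without an explicit role declaration, and the default for a caller with no entry in the role table is refusal, not permission.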
Conclusion