
Professional penetration testers are usually good at finding all sorts of vulnerabilities, including logic flaws, that are highly specific to the site being tested. However, being a manual activity, penetration testing is performed infrequently, so there is a desire for developers to do more security QA in-house.

In-house security QA is usually done with a security tool - either a web scanner or a static code analyser. These tools are great for some vulnerabilities (e.g. cross-site scripting) but they usually cannot find logic or authorisation flaws at all.

So, how can we help developers find logic and authorisation flaws?

paj28

1 Answer


This has been covered before, but in my opinion, the best way to help developers find flaws that could lead to exploitation is to teach them to exploit code, teach them how to execute an SQL Injection attack or a direct object reference attack. Set up a capture-the-flag competition in-house with developers using their new hacking skills to break the sort of code they're used to writing.

Once you actually see how the exploits work, and once you've spent some time exploiting it yourself, then places in code you see that are exploitable start to draw attention to themselves. Once you've been trained to look for these flaws as an attacker, you can't turn it off. You see them everywhere. And the more time you spend "hacking", the brighter they start to show up. What yesterday was a time-saving trick now becomes a stepping-stone to privilege escalation. It's just a matter of perspective.

Presumably your developers will never have a use for the hacking skills you teach them, but you want them to have those skills anyway. It completely changes their point of view as developers and changes the type of code they produce.

tylerl
  • Thanks, sounds like a good approach. Do you think all developers should get this training? One approach I'd considered was selecting a "security guru" in each dev team, and making sure they do get that kind of training. – paj28 Oct 30 '13 at 19:04
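A concrete instance of the direct object reference flaw the answer names, as an added example not taken from the question or the answer: a handler that trusts a client-supplied id beside one that enforces ownership, and an authorisation test of the kind a developer can keep in the team's own test suite. `Invoice`, `INVOICES`, the user names and the handler names are all constructed for illustration.

```python
# Added example (not from the question or answer): a direct object reference
# flaw beside its authorised form, plus an in-house authorisation test.
# All records, users and function names below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount: int


# Constructed sample data: two customers, one invoice each.
INVOICES = {
    101: Invoice(101, "alice", 250),
    102: Invoice(102, "bob", 990),
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the record."""


def get_invoice_vulnerable(user: str, invoice_id: int) -> Invoice:
    """Looks up the record by the id the client supplied and never checks that
    it belongs to the caller, so any logged-in user can read any invoice by
    changing the id. A scanner sees a valid response and reports nothing;
    only someone who knows the ownership rule recognises the flaw."""
    return INVOICES[invoice_id]


def get_invoice_fixed(user: str, invoice_id: int) -> Invoice:
    """Same lookup, but ownership is enforced server-side. Missing and foreign
    ids get the same error, so the response does not reveal which ids exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != user:
        raise Forbidden(f"user {user!r} may not read invoice {invoice_id}")
    return invoice


def enforces_ownership(handler) -> bool:
    """Authorisation test: for every record, every user who does not own it
    must be refused. Returns True only if no cross-user read succeeds."""
    users = {inv.owner for inv in INVOICES.values()}
    for invoice_id, invoice in INVOICES.items():
        for user in users - {invoice.owner}:
            try:
                handler(user, invoice_id)
            except Forbidden:
                continue
            return False  # a foreign record was returned
    return True
```

Running `enforces_ownership` against both handlers shows why a test written from the attacker's point of view finds what a generic scan does not: the vulnerable handler fails it, the fixed one passes.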