It has been around six months since I posted any information about the security code review tool I was developing, so I thought it was time for an update. To be honest, if you have read the title of this blog post you will know today’s blog is a bit more than just a progress update post!
In April I showed you two images of a security code review tool which was about 25% complete. It allowed you to perform a security code review and that was about it, but I didn’t like it: it was ugly and that’s not what I had in mind. I know that sounds a bit shallow, but I wanted this tool to be easy to use, make the lives of security code reviewers easier but also be easy on the eye!
I decided to give the code review tool a facelift and a proper name before I completed any more coding. I’m glad I did this because I can forget about the GUI design now and just focus on functionality. Before I move on to explaining the name and the functionality in v1.0.0 I wanted to show you some before and after images:
I decided to name the tool Agnitio which is a Latin word which means recognition and knowledge in English. This seemed like a perfect name because I recognised that the current approach to manual security code reviews (and the associated reporting, audit trails etc) has “issues” (covered later in this post) and I wanted to deliver a solution which gave reviewers the knowledge they needed to address the issues I identified.
Agnitio was developed with two main goals in mind:
- To help further the adoption of the Principles of Secure Development
- Bring more repeatability and integrity to security code reviews
I have explained each of these goals in more depth in the rest of this blog post, along with how Agnitio will help with both of them.
Repeatability and Integrity
As an industry we should always be aware of the security CIA triad (Confidentiality, Integrity and Availability) when it comes to any work we do. I feel that we often fail to do this when it comes to security code reviews. We record our code review notes in notepad files, Word documents or Excel spreadsheets which fail to enforce integrity or any kind of audit trail. We then turn these notes into Word or PDF format reports and give them to our customers. Where is the integrity and audit trail in this process? How can I prove that I produced the report for Application A on X date? How can I prove to an auditor that the report I’m showing them hasn’t been modified since it was originally produced?
So what does Agnitio do to address these integrity concerns? Agnitio will remove the need to use notepad files for notes and it will produce reports for any applications that have been reviewed with the tool. It will make reviewers think about the application they are reviewing and the real risk associated with any findings.
Agnitio forces a reviewer to follow a checklist for each code review, meaning a consistent approach to reviewing source code for security flaws is followed. To ensure the reviewer is really thinking about the application being reviewed, Agnitio requires the reviewer to either create an application profile or select an existing profile before any checklist items can be answered. I feel this will make more reviewers think about the real risk of issues found in the code they are reviewing. I’m sure we have all encountered reviewers who record findings such as SQL Injection as “high” severity issues without considering the real risk associated with this finding in this particular application.
Agnitio has a code review checklist with over 60 items on it covering all of the principles of secure development. The checklist can help enforce a repeatable approach to security code reviews because the same questions will be asked for any application being reviewed.
A reviewer has to provide one of three answers for each checklist item. If the N/A answer is selected, the reviewer must explain why they have answered N/A in the notes section of the review.
When a review is completed it is stored in a reviews table and is immediately available for review in the tool or as an HTML report. The creation of the HTML report includes the creation of a verification hash, which allows security professionals and auditors to check the integrity of any report produced by Agnitio.
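As an added illustration of the report-integrity idea (my own sketch, not Agnitio's code; Agnitio's actual hash format is not described in this post), the following Python renders a small HTML review report with a trailing SHA-256 verification hash and then checks it. The marker string, report layout and sample findings are all constructed for the example.

```python
import hashlib
import hmac
import re

# Assumed format (not Agnitio's documented one): the verification hash is a
# SHA-256 digest of the report body, appended as a trailing HTML comment.
HASH_MARKER = "<!-- verification-hash: "

# Constructed sample findings: checklist item, answer, and reviewer notes.
SAMPLE_FINDINGS = [
    {"item": "Input validation", "answer": "No",
     "notes": "SQL Injection in login form; real risk high for this app"},
    {"item": "Audit logging", "answer": "N/A",
     "notes": "Batch job with no interactive users"},
]


def build_report(app_name: str, findings: list) -> str:
    """Render a minimal HTML report and append its verification hash."""
    rows = "".join(
        f"<tr><td>{f['item']}</td><td>{f['answer']}</td><td>{f['notes']}</td></tr>"
        for f in findings
    )
    body = (
        f"<html><body><h1>Security code review: {app_name}</h1>"
        f"<table>{rows}</table></body></html>\n"
    )
    digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
    return body + f"{HASH_MARKER}{digest} -->\n"


def verify_report(report: str) -> bool:
    """Recompute the digest over everything before the marker and compare.

    Returns False if the marker is missing, malformed, or the body changed.
    """
    idx = report.rfind(HASH_MARKER)
    if idx == -1:
        return False
    body, trailer = report[:idx], report[idx:]
    m = re.fullmatch(rf"{re.escape(HASH_MARKER)}([0-9a-f]{{64}}) -->\n", trailer)
    if not m:
        return False
    expected = hashlib.sha256(body.encode("utf-8")).hexdigest()
    # Constant-time comparison, so the check itself leaks nothing about the digest.
    return hmac.compare_digest(expected, m.group(1))


if __name__ == "__main__":
    report = build_report("Application A", SAMPLE_FINDINGS)
    print("original verifies:", verify_report(report))
    print("edited verifies:", verify_report(report.replace("high", "low")))
```

Note that a hash stored inside the report only detects changes by someone who did not also recompute it; for the audit-trail case in this post the hash should also be recorded out of band (or signed) at the time the report is produced.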
The Principles of Secure Development
The Principles of Secure Development remove the confusion often associated with other secure development approaches by taking a positive approach and focusing on what developers should do instead of what hackers might do.
The current approach to secure development education focuses on detailing many different ways an attacker can hack your application. This approach often spends more time explaining the potential problems and “cool” hacks without really telling the developer how to actually prevent these flaws occurring in the first place.
This approach wouldn’t be an acceptable way to educate people on how to carry out other difficult tasks such as learning to drive, but we continue to accept it for secure development education. The driving instructor does not tell the learner driver about all of the different ways they could crash a car and hope they figure out how not to crash. The instructor will detail how the learner driver should safely drive a car, explaining the rules of the road and speed limits. By doing this the learner driver can drive safely without needing to understand all the ways they could crash a car. The Principles of Secure Development aim to do the same for developers.
Rather than focusing on the many different ways an application can be exploited the principles detail how a developer should write secure code. This will help developers prevent the common vulnerabilities we currently see being exploited as well as unknown future threats without the developers ever needing to know the details behind them.
I have spent the past 18 months discussing this approach at security and developer conferences as well as talking with companies who have implemented it. I have discussed and published Principles of Secure Development materials which cover the people and process parts of secure development. Agnitio is the first of a few tools I plan to release that cover the technology part of secure development.
I cannot stress enough that you should not view any of the principles materials as a silver bullet and the same goes for Agnitio. In my opinion the principles approach and Agnitio can help you implement and enforce a simpler approach to secure development but it can’t solve all of the problems you will face.
I think that is everything I wanted to say about v1.0.0 of Agnitio. I plan to release new versions quite often and I have a list of potential features longer than Santa’s shopping list to keep me busy, but feel free to request/suggest features and I will try to include them! I have planned a small release before Christmas which will include a few features I wanted to include in v1.0.0 but ran out of time to finish.
The biggest update to Agnitio will be the move away from a local SQLite database to a centralised database. I plan to work on this once I’ve released the “Christmas” update because I think the centralised database option is vital to allow development and security teams to use Agnitio together and ultimately deliver centralised reporting and metrics based on the reviews conducted using Agnitio.
So the waiting is finally over! I would like to emphasise that Agnitio was developed by me on my own time and, while my employers are aware of the work I’ve done developing Agnitio and support the work that I do, Agnitio is a free application and it will be hosted on SourceForge. The Agnitio project page and installer download can be found here.
I look forward to receiving any feedback you have!