For access controls, this is fairly simple: look for code that sets access. Carefully review any code that sets access controls or permissions. Next, look for code that creates files or other objects and does not set access controls. Ask whether the default access controls are correct for the location and the sensitivity of the information.
| Language | Key Words to Look For |
|---|---|
| C/C++ (Windows) | SetFileSecurity, SetKernelObjectSecurity, SetSecurityDescriptorDacl, SetServiceObjectSecurity, SetUserObjectSecurity, SECURITY_DESCRIPTOR, ConvertStringSecurityDescriptorToSecurityDescriptor |
| C/C++ (*nix and Apple Mac OS X) | chmod, fchmod, chown, lchown, fchown, fcntl, setgroups, acl_* |
| Java | java.security.acl.Acl interface |
| .NET code | System.Security.AccessControl namespace |
| Perl (*nix) | chmod, chown |
For the embedded secrets sin, as a first pass, the author of this chapter likes to scan code for certain keywords to help determine if the code could be potentially sinful. Key words include:
- Secret
- Private (of course, you'll get a lot of noise from private classes!)
- Password
- Pwd
- Key
- Passphrase
- Crypt
- Cipher and cypher (sic!)
If you get hits on any of these words, determine if the word relates to embedded secret data, and if it does, make sure the secret is not within the code itself.
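As an added example (not code from the book), the first-pass scan described above for both sins, the access-control keyword table and the embedded-secret word list, as a small Python script. It matches the chapter's words as substrings the way a grep would, suppresses the `private`-as-visibility-modifier noise the text mentions, and rates a secret keyword sitting next to a hard-coded string literal higher than one that is merely named; the creation-call list (`CreateFile`, `fopen`, `creat(`, `open(`) is my own assumption, added to surface objects created without an access-setting call on the same line. The sample source is constructed.

```python
import re

# Keywords the chapter lists for spotting embedded secrets (substring match, case-insensitive).
SECRET_WORDS = ("secret", "private", "password", "pwd", "key",
                "passphrase", "crypt", "cipher", "cypher")
# Access-control APIs from the chapter's table (Windows, *nix, Java, .NET, Perl).
ACCESS_WORDS = ("SetFileSecurity", "SetKernelObjectSecurity", "SetSecurityDescriptorDacl",
                "SetServiceObjectSecurity", "SetUserObjectSecurity", "SECURITY_DESCRIPTOR",
                "ConvertStringSecurityDescriptorToSecurityDescriptor", "chmod", "fchmod",
                "chown", "lchown", "fchown", "fcntl", "setgroups", "acl_",
                "java.security.acl.Acl", "System.Security.AccessControl")
# Object-creation calls (my own list, not the chapter's) whose default ACL deserves a look.
CREATE_WORDS = ("CreateFile", "fopen", "creat(", "open(")
# "private" used as a visibility modifier is the noise the text warns about; it is skipped.
VISIBILITY_NOISE = re.compile(
    r"\bprivate\s+(?:static\s+|final\s+|readonly\s+)*[A-Za-z_]\w*\s+[A-Za-z_]\w*")
# A quoted literal of four or more characters assigned on the same line.
LITERAL_ASSIGN = re.compile(r"""=\s*["'][^"']{4,}["']""")

def scan_line(lineno: int, line: str) -> list:
    """Return (line number, category, keyword, severity) tuples for one source line."""
    found = []
    low = line.lower()
    for word in SECRET_WORDS:
        if word not in low or (word == "private" and VISIBILITY_NOISE.search(line)):
            continue
        # A keyword beside a hard-coded literal is the strongest sign of an embedded secret.
        sev = "high" if LITERAL_ASSIGN.search(line) else "review"
        found.append((lineno, "secret", word, sev))
    for word in ACCESS_WORDS:
        if word in line:
            found.append((lineno, "access", word, "review"))
    for word in CREATE_WORDS:
        # A creation call with no access-setting API on the same line: check the defaults.
        if word in line and not any(w in line for w in ACCESS_WORDS):
            found.append((lineno, "create", word, "review"))
    return found

def scan_source(text: str) -> list:
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        findings.extend(scan_line(n, line))
    return findings

# Constructed sample input (a mixed C/Java fragment), not taken from any real code base.
SAMPLE = """private static int count = 0;
char *password = "Xyz123!";
const char *key = getenv("API_KEY");
fd = open(path, O_CREAT | O_WRONLY);
chmod(path, 0600);
"""
```

Every hit is still a lead to triage by hand, exactly as the text says: the `key` read from the environment on line 3 is rated `review`, while the literal on line 2 is the one to chase first.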