CSC 2045 Secure Software Tools PDF
Red Rocks Community College
Summary
This document is an overview of CSC 2045 Secure Software Tools. It covers topics like Git, GitHub, VSCode, and different types of code analysis. The document also provides various debugging tips. The content is primarily based on lecture notes and concepts related to software development.
CSC 2045 SECURE SOFTWARE TOOLS

OBJECTIVES
o Become proficient in the use of an IDE, from starting the project and debugging the project to committing and syncing the project back to GitHub.
o Conduct thorough analysis of source code using various tools and techniques.
o Perform code reviews and use both static and dynamic analysis tools.
o Analyze issues reported by the code analysis tools.

AGENDA: WEEK 03
1. Fundamentals of Git and GitHub
2. VSCode
3. Vulnerability Defects & How to Mitigate against them
4. Static Code Analysis
5. Dynamic Code Analysis
6. Debug and Debugger
7. Tips for Debugging
8. Debugging C++ Programs
9. Explore VSCode Debugger
10. Secure Coding Tools

FUNDAMENTALS OF GIT & GITHUB
Git is a version control system that lets you manage and keep track of your source code history. GitHub is a cloud-based hosting service that lets you manage Git repositories.

VISUAL STUDIO CODE (VSCODE)
VSCode is a free, lightweight, and powerful source code editor that allows users to write and work on code.
Features: Built-in support for JavaScript, TypeScript, and Node.js, with extensions for other languages (C++, Java and more) and runtimes.
VSCode includes:
o IntelliSense to predict what you'll type next
o Git support to track code changes
o Syntax highlighting
Platform: Available for Windows, macOS, and Linux
Customization: Users can change the theme, keyboard shortcuts, and preferences
Extensions: Users can install extensions to add functionality

VULNERABILITY DEFECTS
1. Bugs
o Problem introduced during software implementation
o Can be easily discovered and corrected
o Examples: buffer overflows, race conditions, unsafe system calls, incorrect validation
2. Flaws
o Problem at a much deeper level; more subtle
o Originates in the design and is then instantiated in code
o Examples: compartmentalization problems in design, error-handling problems, and broken or illogical access control

WHAT IS STATIC CODE ANALYSIS
o The process by which software developers examine their code for problems and inconsistencies before or after compiling it
o Use static code analysis tools to examine the code and identify security vulnerabilities
o Automation can speed up the examination task
Problems static analysis looks for:
o Syntax problems
o Unreachable code
o Unconditional branches into loops
o Undeclared variables
o Uninitialized variables
o Parameter type mismatches
o Uncalled functions and procedures
o Variables used before initialization
o Non-usage of function results
o Possible array bound errors

STATIC CODE ANALYSIS TOOLS
o Using tools, developers can analyze their source code
o Tools scan the code and automatically detect errors that pass through the compiler but can be problems later
o Some tools generate reports with graphical analysis results and recommend possible solutions
o Note: Tools can produce false positives and false negatives. A report that the code is free of vulnerabilities only means that none of the patterns in the tool's rule base for security defects were found.
o Microsoft Visual Studio: Code analysis for C/C++ overview. Use the C++ Core Guidelines checkers to enable additional rules during static code analysis.
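As an added example that is not from the lecture slides, the C code below shows two of the defect classes listed above (a possible array bound error and a variable used before initialization) in a function a static checker would flag, beside the corrected version; the file name in the build comment is a placeholder.

```c
/* Added example, not from the lecture slides: two defect classes the slides
 * list for static analysis (possible array bound error, variable used before
 * initialization) in a function a checker would flag, beside the fix.
 * Build with warnings enabled, e.g.  gcc -std=c11 -Wall -Wextra defects.c  */
#include <stdio.h>
#include <string.h>

#define BUF_LEN 8

/* Defective version, NOT called below: the loop bound uses <= so the copy
 * can write dst[BUF_LEN], one past the end, and 'truncated' is read before
 * anything assigns it. The compiler accepts this; a static checker that
 * tracks array sizes and definite assignment reports both. */
int copy_unchecked(char dst[BUF_LEN], const char *src) {
    size_t i;
    int truncated;                                   /* never initialized  */
    for (i = 0; i <= BUF_LEN && src[i] != '\0'; i++) /* <= should be <     */
        dst[i] = src[i];
    dst[i] = '\0';                                   /* may be dst[BUF_LEN] */
    return truncated ? -1 : (int)i;
}

/* Corrected version: the bound is strictly below the size, one byte is
 * reserved for the terminator, and the result comes only from initialized
 * state. Returns the number of bytes copied, or -1 if src did not fit. */
int copy_checked(char dst[BUF_LEN], const char *src) {
    size_t i = 0;
    for (; i < BUF_LEN - 1 && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return src[i] == '\0' ? (int)i : -1;
}

/* Helpers that run copy_checked on a local buffer so the return value and
 * the buffer contents can be checked without exposing the buffer. */
int checked_copy_result(const char *src) {
    char buf[BUF_LEN];
    return copy_checked(buf, src);
}
int checked_copy_matches(const char *src, const char *expected) {
    char buf[BUF_LEN];
    copy_checked(buf, src);
    return strcmp(buf, expected) == 0;
}

int main(void) {
    printf("short input: %d\n", checked_copy_result("abc"));        /* 3  */
    printf("long input:  %d\n", checked_copy_result("0123456789")); /* -1 */
    return 0;
}
```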
STATIC CODE ANALYSIS TOOLS CANNOT
o Automatically identify common coding problems: they are only for implementation bugs caused by developer error
o Identify design and architectural flaws
o Identify poorly designed cryptographic libraries or improperly selected algorithms
o Identify design problems
o Identify passwords or numbers embedded in code

STATIC CODE ANALYSIS CAN
o Discover implementation errors before the software is tested
o Reduce testing efforts
o Minimize operations and maintenance costs
o Lead to higher quality software
o Identify a subset of the vulnerabilities leading to security problems
o Be used with other manual analysis and software quality assurance methods to reduce vulnerabilities
o Produce false positives when potential vulnerabilities do not exist

DEBUGGING: DYNAMIC CODE ANALYSIS
Debugging is considered a form of dynamic code analysis because it involves examining and interacting with a program while it is running, allowing developers to identify issues by observing its behavior during execution, which is the core principle of dynamic analysis.
What is debugging? The term debugging means removing bugs from your code. A debugger is a very specialized developer tool that attaches to your running app and allows you to inspect your code.
https://learn.microsoft.com/en-us/visualstudio/debugger/what-is-debugging?source=recommendations&view=vs-2022

DEBUGGING TIPS AND TUTORIAL
If it is difficult to identify the region of code where the problem occurs:
o Set a breakpoint in code that runs before the problem occurs, and then use step commands until you see the problem manifest.
o Use tracepoints to log messages to the Output window. By looking at logged messages (and noticing which messages were not yet logged!), you can often isolate the region of code with the problem.
Work through the tutorial and complete the quiz questions at the end.

DEBUGGING C++ PROGRAMS (LEARNCPP)
Work through the module and complete the quiz at the end.
o 3.1 Syntax and semantic errors
o 3.2 The debugging process
o 3.3 A strategy for debugging
o 3.4 Basic debugging tactics
o 3.5 More debugging tactics
o 3.6 Using an integrated debugger: Stepping
o 3.7 Using an integrated debugger: Running and breakpoints
o 3.8 Using an integrated debugger: Watching variables
o 3.9 Using an integrated debugger: The call stack
o 3.10 Finding issues before they become problems
o Chapter 3 summary and quiz

EXPLORE VSCODE DEBUGGER
Review the tutorial:
o https://code.visualstudio.com/docs/cpp/config-msvc#_explore-the-debugger
Watch the short video (linked) for Getting Started with C++ Development using VSCode:
o Run and Debug C++ file
o Customizing the Debugger
▪ https://code.visualstudio.com/docs/cpp/introvideos-cpp#_debug-a-c-project

COMPARE & CONTRAST: CODE ANALYSIS
Using the text drawing tools, outline something that is similar and unique about each code analysis type.
Code Analysis Types
o Static: 1. 2.
o Dynamic: 1. 2.