Overview

The Project aims at enhancing the Secure Code Review module by:

·         Developing additional security reviews in the secure code review module.

·         Developing parsed based routines to find the vulnerable usage of the functions of source code of module.

·         Developing Taint injection module to inject data into input fields.

·         Displaying security review results

Present state of Secure Code Review module:

Secure code review provides automated tools to assist with security reviews of Drupal module code. The tools will be built atop the grammar parser library and its code manipulation API (CMAPI). The project may also involve extending and enhancing the CMAPI to support the security reviewtools. Present version of secure code review mitigates known risks but when it encounters a novel snippet it is not able to determine whether the code is secure or not.This project will add another layer of security review in this module by incorporating parsed based routines and Taint injection module so that secure code review will mitigates all possible vulnerabilities from the modules.

Benifits to Drupal:

Security is one of the most crucial aspect which must always be kept on evolving to mitigate threats and vulnerabilities. Previous year statistics revealed that almost 50% of drupal vulnerabilities comprises of XSS(cross site scripting) which simply indicates that there is a vast diversity of XSS attacks. These statistics makes us to understand that there are so many ways to exploit one vulnerability. So now it is becoming rudimentary to always be prepared to confront the totally new vulnerabilities as well as the modified forms of existing vulnerabilities .Secure code review with parsed based routines and taint injection will provide drupal the tools that will handles a majority of all these kind of vulnerabilities.

Project description:

1^st ).Adding more reviews to mitigate known risks that are defined in drupal security advisories  and to recognize code that we know is secure :

It provides security from all known attacks. But in this step there may be cases when this module encounters a novel code snippet that secure code review isn't able to determine, whether this code snippet is secure or contain vulnerabilities.

2^nd ).Incorporate the Parsed based routines in the Secure code review module to confront novel code snippet:

The functionality of these routines is to find the vulnerable usage of functions in the code snippet. These routines will review the parsed functions and check for which parts of the functions can be used maliciously be an attacker .

3^rd).Developing Taint Injection Module:

Developing a module which will injects data into input fields to check for different kinds of vulnerabilities. The routines of this module will be modified using results of the parsed based routines to prepare data to be injected in input fields. Both the Taint injection module and parser based routines will make Secure code review more powerful and mitigates all possible vulnerabilities from the code snippet.

4^th).Design the functions to prioritize and display the security review results.

Timeline:

Tasks before May 21, 2012:

-      Conduct research on security vulnerabilities ,their prevention measures and secure coding techniques

-      Study and understanding existing Secure code review code.

-      Planning designing and prototyping for enhancing Secure code review

Tasks before June 5, 2012:

-      Prepare sample modules with code vulnerabilities and understanding how the functions in these modules are vulnerably used and how does it affecting the website.

-      Prepare database of different inputs (data) to be injected in input fields to exploit the vulnerability in the sample modules.

Tasks before June 25, 2012:

-      Develop additional Security review routines to locate vulnerabilities in the sample modules.

-      Develop Parsed based routines to predict the vulnerabilities in the sample modules:

Now these routines will be developed separately from the security review routines, they discover the vulnerable usage of the functions in the sample modules and predicts the inputs that is to be fed in the inputs fields to exploit vulnerability

Tasks before July 5, 2012:

-      Integrate Security review routines with the Parsed based routines:

Since every time preparing the inputs with the parsed based routines is very cumbersome so its better to use parsed based routines only in places where security review routines encounters novel code snippet and is not able to determine whether the code snippet is secure or not.So Secure code review module will review the code first with security review routines and if it’s unsuccessful then it will do the reviewing by parsed based routines.

Tasks before Jul 20, 2012:

-      Midterm evaluation

-      Prepare the Taint Injection module

Tasks before Jul 30, 2012:

-      Integrate Secure code review module with the Taint injection module:

Taint injection module will use the results from parsed based routines and checks for vulnerabilities

Tasks before Aug 10, 2012:

-      Develop and implement a user interface to display security review results.

Tasks before Aug 20, 2012:

-      Scrub code, write tests and improve documentation.

About me :

I am Udit Jaggi currently pursuing B. Tech. in Computer Science Engineering from Jaypee Institute Of Information Technology , Noida , India. I like web development and made many projects using open source software’s .I have been working with drupal for 3 months and really enjoyed and learnt a lot with this community. I have strong interest in security aspects of web and have exploited vulnerabilities like xss,sql injection, tabbed napping etc in some of the internet websites. I am always fond of working with the vulnerabilities and their prevention measures and the module like Secure code review is best for me to work and contribute to the community.

E-mail: uditdude143@gmail.com

IRC: udaksh(freenode)