Dailydave mailing list archives
Re: bugs are bad.
From: foofus () foofus net
Date: Tue, 1 Aug 2006 13:18:58 -0500
On Mon, Jul 31, 2006 at 01:52:43PM -0500, John Lampe wrote:
> It would seem that a better methodology for app pen-testing would be to do the code audit and pen-test in conjunction. The code audit gives you the attack vectors that *should* work, and the pen-test becomes nothing more than a validation for the code audit.
Hear, hear! When I do application security reviews, I typically structure them this way. The pen-test remains, however, slightly more than a validation of the code audit. It's important to remember that the code doesn't run in a vacuum, and neither is the source code equal to the app. Code runs (often in a compiled form) on a particular system(s), in a specific network environment, etc. Interactions between these various strata can often expose an app to attack.

For example, I once reviewed a web app where the developers had bungled their change-to-production processes and accidentally exported their CVS tree to their web servers (in both test and production, alas). Source code review told me that the code had problems, but only tinkering with the app could tell me that anybody who wanted could also do their own source code review. :)

I agree that in most cases an app pen-test is insufficient as a barometer of security, and that the depth and thoroughness of code review are essential. At the same time, though, the pen-test can sometimes discover weaknesses in the app that are not evident in the code: problems inherited from flaws in third-party components, problems created by poor administrative tactics, problems created by foolish users, and trust relationships between the code and the underlying technologies on which it is built. Consider the "shatter" class of attacks, for example: they don't exploit a weakness in the application's code, per se, but rather a vulnerability that arises from the way in which the operating system interacts with user interface components that the code exposes.

--Foofus.