Full Disclosure mailing list archives
Re: Static Code Analysis - Nuts and Bolts
From: "Dave Hull" <ireadit () gmail com>
Date: Wed, 27 Jun 2007 13:28:36 -0500
I agree with Debasis. I spent a year and a half in an Infosec Office doing code audits for E-Commerce web apps. I tried various open source automated tools and found that most of them missed the vast majority of exploitable vulnerabilities. In my experience, nothing beats a line-by-line analysis of the code by someone who knows what to look for. Yes, it's time consuming and completely impractical for sufficiently large applications, but it's more effective than the tools I tried out. As for estimating time requirements for line-by-line analysis, I've always been a fan of "under promising and over delivering," and found I could bid successfully at about a minute per line of code, from there calculate your hourly rate accordingly. I wish I could have tried out some commercial tools, but we were too cheap for that. When dealing with web apps, walk through the application, note all user inputs and even those useless "hidden" fields that so many web app developers are fond of using, trace through the code and verify that the developer is validating and sanitizing those inputs correctly. If you want to be really anal (we are talking security here right?), then you should also verify that database inputs are also validated and sanitized and outputs sent back to the user. When you're dealing with E-Commerce apps, it's hard to be too paranoid. For web app testing, proxies like Web Scarab from OWASP are invaluable. Haven't tried Paros but it sounds excellent. Cheers. On 6/27/07, Debasis Mohanty <debasis.mohanty.listmails () gmail com> wrote: 8< snip >8 Though this is an important phase during code review but definitely
not an ultimate phase to find security holes. The important phase is what comes next i.e. Manual Data Flow (DF) and Control Flow (CF) analysis. d) Manual Data Flow (DF) and Control Flow (CF) analysis DF analysis - http://en.wikipedia.org/wiki/Data_flow_analysis CF analysis - http://en.wikipedia.org/wiki/Control_flow_graph Performing both DF and CF analysis manually takes lot of time but is definitely most important part of code review. It helps identifying accurate threats from security standpoint. This phase requires a master code security ninja's hand to ensure actual issues are captured.
-- ireadit () gmail com
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Static Code Analysis - Nuts and Bolts Paul Sebastian Ziegler (Jun 22)
- Re: Static Code Analysis - Nuts and Bolts Debasis Mohanty (Jun 27)
- Re: Static Code Analysis - Nuts and Bolts Dave Hull (Jun 27)
- Re: Static Code Analysis - Nuts and Bolts Debasis Mohanty (Jun 27)