Secure Coding mailing list archives
Dark Reading - Discovery and management - Security Startups Make Debut - Security News Analysis
From: weld at vulnwatch.org (Chris Wysopal)
Date: Mon, 22 Jan 2007 17:08:47 -0500 (EST)
Well, since I am mentioned in the excerpt I will wade in. I don't think binary analysis and source analysis are all that different. Both approaches convert to an intermediate representation and then run checkers on a model. Source code analyzers use compiler technology to get to the IR and binary analyzers use decompiler technology. I would like to point out that the binary doesn't need to be machine code; it can be Java bytecode or .NET's MSIL. FindBugs and FxCop operate on binaries, so the approach is not all new.

The big benefit I see to using binary analysis on machine code is that modern development teams don't write a whole program from scratch. They often link in a lot of binary code in the form of static and dynamic libraries. These are either in-house shared components, third-party libraries, or libraries from platform providers. This code can have vulnerabilities itself or cause vulnerabilities in the way it interacts with the code the development team has written.

Now some may be asking what happens when you find a vulnerability through binary analysis? How do you fix it? The answer is to use debug symbols to find the source file and line number associated with the binary offset of the problem. Yes, you may not have the symbols for a binary component you link, but once you know where and what the problem is you can often work around it in your code. I think binary analysis gives you more information to use to secure software.

Of course design reviews are important for many programs. Static analysis is just one piece of the SDLC. Good software requires good design and good quality assurance. Same goes for secure software. It requires secure design and secure testing. That is where I see binary analysis fitting in.

-Chris

On Mon, 22 Jan 2007, Kenneth Van Wyk wrote:
Ok, last software security news item for today, I promise. :-)

This article (see http://www.darkreading.com/document.asp?doc_id=115110&WT.svl=news1_1) is about a couple of new startup companies. One of them in particular, Veracode, may be of some interest here. The article says, "Veracode, founded by Chris Wysopal and other former executives of @stake, is now offering patented binary-code analysis of software for enterprises that want to analyze their software's security on a regular basis. The ASP will also offer security reviews of enterprise products and security analysis of third-party apps for software developers."

The article also provides some counterpoints, including some from Gary McGraw, that are worth reading. Among other things, Gary says, "However, if you want real security analysis you have to go past the binary, past the source code, and actually consider the design."

Opinions on binary vs. source code (and design!) analysis, anyone?

Cheers,

Ken

-----
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com