Secure Coding mailing list archives
What do you like better Web penetration testing or static code analysis?
From: kevin.w.wall at gmail.com (Kevin W. Wall)
Date: Sun, 18 Apr 2010 19:24:24 -0400
Matt Parsons wrote:
What do you like doing better as application security professionals, web penetration testing or static code analysis?
McGovern, James F. (P+C Technology) wrote:
Should a security professional have a preference when both have different value propositions? While there is overlap, a static analysis tool can find things that pen testing tools cannot. Likewise, a pen test can report on secure applications deployed insecurely which is not visible to static analysis. So, the best answer is I prefer both...
While I realize that both are necessary and each have their own pros and cons, my personal preference is to do static code analysis, especially if it involves old-fashioned manual code inspections. The reason for that is I like getting closer to the source code. Maybe that's just because it seems like I'm getting back to my development roots. (I worked as a developer for the first half of my career.)

I find the advantage of dealing with source code is that you are able to spot the exact problem as well as offer more specific fixes. And working at the source code level gives me more opportunities to work closely with the development teams, where I am able to explain to them in terms of their own code what is going on and how a vulnerability can be fixed.

When approaching vulnerabilities from a pen testing level, I find all too often that the developers do not believe that there is anything wrong or, if they do, they don't believe that it is serious enough that it needs to be fixed. (For instance, it is not uncommon that when developers are presented with results from a pen test that show that they have non-persistent (reflective) XSS vulnerabilities present, I get the response "Yeah, but that's not going to happen. First you would have to get an authenticated user to click on that link and they would never do that." Apparently they don't believe that those doing phishing ever catch any victims.) However, when I'm dealing with source code, that objection generally does not come up...perhaps because I can show them right then and there how to remediate the issue.

-kevin
--
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in; we're computer professionals. We cause accidents." -- Nathaniel Borenstein, co-creator of MIME
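The reflected XSS case Kevin describes, shown at the source level the way a code review would present it, as an added example that is not part of the original message. The handlers, function names and the attacker URL are constructed for illustration; the fix is HTML-entity encoding of the echoed parameter for the HTML-body context in which it lands.

```python
"""Reflected (non-persistent) XSS: the vulnerable handler beside its fix.

Added illustration, not code from the mailing-list thread. The page is a
minimal "search results" view that echoes the user-supplied ``q`` parameter.
All names here (render_results_vulnerable, render_results_fixed, ATTACK_URL)
are this example's own.
"""
from html import escape
from urllib.parse import parse_qs, urlsplit


def _query_param(url: str, name: str) -> str:
    """Return the first value of ``name`` from the URL's query string ("" if absent).

    parse_qs percent-decodes the value, so %3Cscript%3E arrives as <script>.
    """
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_results_vulnerable(url: str) -> str:
    """Echoes the raw parameter into the HTML body: reflected XSS.

    Whatever the attacker put in the link is returned verbatim to the
    victim's browser and executes in the application's origin.
    """
    q = _query_param(url, "q")
    return f"<h1>Results for {q}</h1>"


def render_results_fixed(url: str) -> str:
    """Same page, with the parameter HTML-entity encoded for the body context.

    escape() turns < > & " ' into entities, so the payload is displayed as
    text rather than parsed as markup. The encoding must match where the data
    lands; an attribute or JavaScript context would need different treatment.
    """
    q = _query_param(url, "q")
    return f"<h1>Results for {escape(q, quote=True)}</h1>"


# Constructed attacker link of the kind a phishing e-mail would carry
# (percent-encoded <script>alert(document.cookie)</script>).
ATTACK_URL = (
    "https://app.example/search?q=%3Cscript%3Ealert(document.cookie)%3C/script%3E"
)


def payload_executes(html: str) -> bool:
    """Crude check used here: does the response contain an unescaped <script> tag?"""
    return "<script>" in html.lower()


if __name__ == "__main__":
    print("vulnerable:", render_results_vulnerable(ATTACK_URL))
    print("fixed:     ", render_results_fixed(ATTACK_URL))
```

Running the two handlers against the same link makes the point the message describes: the vulnerable version returns the attacker's `<script>` tag intact, while the fixed version returns it as inert entity-encoded text, and the diff between the two functions is the remediation a developer can apply immediately.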
Current thread:
- What do you like better Web penetration testing or static code analysis? Matt Parsons (Apr 15)
- What do you like better Web penetration testing or static code analysis? McGovern, James F. (P+C Technology) (Apr 16)
- What do you like better Web penetration testing or static code analysis? Kevin W. Wall (Apr 18)