Security Basics mailing list archives
Re: Vuln Scanner for Web App Source Code
From: "Dan Anderson" <dan.anderson.mobile () gmail com>
Date: Mon, 19 May 2008 02:17:23 -0400
There are quite a few automated code scanners that look for various things. The other reply is a good source for many of these. I'm not sure what your situation is*, but in general, care should be taken with these tools for several reasons:

1. They often generate a lot of false positives that need to be weeded out. Your credibility can be damaged by reporting too many false positive results or "technically correct but so what?" style findings.

2. While many of these are getting better, they all can still miss stuff, important stuff, even stuff that is really obvious if you read the code.

3. It is not always simple to determine false positives and negatives without a strong development background, even with the best tools available.

4. You may not have access to all of the code which you really need to test - you run into this a lot on Windows where you have a black-box DLL in the middle of a critical program.

These scanners all work better as tools in a "toolbox" that you use to evaluate code with, rather than as the "Solutions" they are often sold as. Your most important tool (IMO) is a good methodology, and your second most important tool (IMO) is a good understanding of the application, environment and the data flows around it (there are some good tools in this area too: Eclipse has some good plugins, Windows "Search" can be useful, grep, JavaDocs, etc.). When selecting a tool for your "toolbox" you should have a clear understanding of what role it will play in your methodology. Your methodology should drive your efforts, not the available tools or the reports they provide. This is particularly important to remember when you are using the high-end scanners which create pretty reports - a color-coded graph of unverified results is still just a bunch of unverified results.
There is also probably a philosophical discussion that should be had concerning these sorts of tools... Some of these tools are really expensive, and your organization might be better off spending some money on secure-development-specific developer training (including books - there are some good ones available), basic software resources (lint, purify, etc.) and integrating security into your SDLC (requirements, code review checklists, QA testing, etc.) than trying to "test security in" at the very end. In my experience, with software security the 80% solution is developer training/awareness and SDLC security process integration/improvements. (I know - this sounds like an advertisement for TQM or CMM, but it really is true.)

Good Luck!

Dan

* Depending on your role in all of this you may care less about some of these issues - i.e. if you are a developer and are looking for something to help you improve your code quality (bless you!), maybe you don't mind looking at a bunch of false positives since you can weed them out yourself or within your team, whereas if you are in a compliance position, reporting a bunch of false positives may make you lose credibility with several layers of management and staff - reducing your overall effectiveness.

On Sun, May 18, 2008 at 12:15 AM, <cnanne () gmail com> wrote:
> This might be a bit of a dumb question, but does anyone know of a good Vulnerability Scanner for finding faults in the actual Source Code of the Web App? Or can this task only be done by hand? Any feedback on this is highly appreciated.
>
> cheers,
> PhoenixRbrth