Dailydave mailing list archives

Re: bugs are bad.


From: John Lampe <jwlampe () nessus org>
Date: Mon, 31 Jul 2006 15:29:47 -0500

foofus () foofus net wrote:



> It's important to remember that the code doesn't run in a vacuum,
> and neither is the source code equal to the app.  Code runs (often
> in a compiled form) on a particular system(s), in a specific network
> environment, etc.  Interactions between these various strata can
> often expose an app to attack.

Sure, an architecture flaw can compromise a secure implementation and 
vice versa.  I think it's still easier to do the local audit and 
external pen-test in conjunction.  Or, if they must be done serially, 
I'd prefer the local audit first.



> For example, I once reviewed a web app where the developers had
> bungled their change-to-production processes and accidentally 
> exported their CVS tree to their web servers (in both test and
> production, alas).  Source code review told me that the code had
> problems, but only tinkering with the app could tell me that 
> anybody who wanted could also do their own source code review.  :)

Directory structure (virtual and otherwise) is easily culled locally 
(and what kinds of file extensions was that site serving? :-) ).  A lot 
of the app scanners try to guess the directories using a brute-force 
methodology.  If you have local access, map out the directories and save 
the webserver from having to process 5,000 requests read from some small 
dict file :-)


> I agree that in most cases an app pen-test is insufficient as a
> barometer of security, and that the depth and thoroughness of
> code review are essential.  At the same time, though, the
> pen-test can sometimes discover weaknesses in the app that are not
> evident in the code: problems inherited from flaws in third-party
> components, problems created by poor administrative tactics,
> problems created by foolish users, and trust relationships between
> the code and the underlying technologies on which it is built.

This is true.  Third-party components which are used for central parts of 
the application (authorization, database connectivity, form validation, 
etc.) are problematic at best.  The code auditor can claim that the code 
was secure and that the vendor was negligent (a valid claim, imo).  The 
pen-tester probably can't take that moral high ground, so there is a 
good use for an application test.



-- 
John Lampe
Senior Security Researcher
TENABLE Network Security, Inc.
jwlampe@{nessus.org,tenablesecurity.com}
Tele: (410) 872-0555
www.tenablesecurity.com

Is your network TENABLE?
---------------------------------------
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
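As an added example (not code from this thread, nor from Tenable/Nessus), here is a small Python script doing the "local mapping" Lampe describes above: walk the web root from the inside, emit the exact URL paths a scanner would otherwise have to guess from a wordlist, tally the extensions being served, and flag the two things the thread calls out, a deployed version-control checkout (the exported CVS tree from the quoted message) and source/backup extensions that leak code instead of rendered pages. The sample web root is constructed in a temp directory; the lists of version-control directory names and "risky" extensions are assumptions for the example, not a standard.

```python
"""Map a web root locally instead of brute-forcing it over HTTP.

Added example for the thread above; not code from the original posts.
Assumptions (hypothetical): the filesystem tree under the web root is served
1:1 as URL paths, and the VCS_DIRS / RISKY_EXT lists below are what the
auditor considers worth flagging.
"""
import os
import tempfile
from collections import Counter

# Directory names that mean a repository checkout was exported to the server
# (CVS is the case from the thread; the others are assumed extras).
VCS_DIRS = {"CVS", ".svn", ".git", ".hg"}
# Extensions that usually hand out source or backups rather than pages (assumed list).
RISKY_EXT = {".bak", ".orig", ".old", ".inc", ".swp", ".sql"}


def map_webroot(root):
    """Walk `root` and return the URL-path map an app scanner would otherwise guess.

    Returns a dict with:
      paths      - every directory (trailing '/') and file as a URL path, in walk order
      vcs        - directories whose name is in VCS_DIRS
      risky      - files with an extension in RISKY_EXT or an editor backup suffix '~'
      extensions - count of files per extension ('(none)' for files without one)
    """
    paths, vcs, risky, exts = [], [], [], Counter()
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        url_dir = "/" if rel == "." else "/" + rel.replace(os.sep, "/") + "/"
        dirnames.sort()      # in-place sort also fixes os.walk's recursion order
        filenames.sort()
        for d in dirnames:
            url = url_dir + d + "/"
            paths.append(url)
            if d in VCS_DIRS:
                vcs.append(url)
        for f in filenames:
            url = url_dir + f
            paths.append(url)
            ext = os.path.splitext(f)[1].lower()
            exts[ext or "(none)"] += 1
            if ext in RISKY_EXT or f.endswith("~"):
                risky.append(url)
    return {"paths": paths, "vcs": vcs, "risky": risky, "extensions": dict(exts)}


# Constructed sample layout: a web root with a CVS tree accidentally deployed,
# an include file with credentials, and a SQL dump backup. Contents are dummies.
SAMPLE_LAYOUT = {
    "index.html": "<html><body>hello</body></html>",
    "login.php": "<?php /* constructed */ ?>",
    "CVS/Entries": "/index.html/1.3/Mon Jul 31 00:00:00 2006//",
    "CVS/Root": ":pserver:dev@cvs.example.invalid:/repo",
    "admin/config.inc": "<?php $db_pass = 'constructed'; ?>",
    "admin/CVS/Entries": "/config.inc/1.1/Mon Jul 31 00:00:00 2006//",
    "admin/users.php": "<?php /* constructed */ ?>",
    "backup/db.sql.bak": "-- constructed dump",
    "js/app.js": "// constructed",
}


def build_sample_webroot():
    """Materialise SAMPLE_LAYOUT in a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for relpath, content in SAMPLE_LAYOUT.items():
        full = os.path.join(root, *relpath.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    report = map_webroot(build_sample_webroot())
    print("paths to feed the scanner instead of a dict file:")
    for p in report["paths"]:
        print("  ", p)
    print("version-control dirs exported to the web root:", report["vcs"])
    print("source/backup files being served:", report["risky"])
    print("extensions served:", report["extensions"])
```

The `paths` list is what replaces the 5,000-entry dictionary: hand it to the external tester and the web server answers a dozen targeted requests instead of thousands of misses, and the `vcs` and `risky` lists are the local-audit findings (exported CVS tree, `.inc` with credentials, `.bak` dump) that only a request to the live server can confirm are actually reachable.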