[WEB SECURITY] Re: Integrated Dynamic and Static Scanning

[jeremiah at whitehatsec.com (Jeremiah Grossman)]

Good catch, that is exactly right. My oversight. A while back Fortify  
released a white paper entitled "Misplaced Confidence in Application  
Penetration Testing" [reg required]

http://www.fortify.com/security-resources/library/overviews.jsp

Tools also available to help measure.


On Aug 6, 2009, at 5:04 PM, James Landis wrote:

> There's a big claim in area 2) that actually does exist:  
> instrumentation of static code to give you code coverage metrics for  
> your dynamic scanning efforts. Well, maybe it's not area 2), but  
> it's definitely a static analyzer vendor feeding dynamic analysis.
>
> -j
>
> On Thu, Aug 6, 2009 at 4:30 PM, Jeremiah Grossman <jeremiah at whitehatsec.com 
> > wrote:
> Hey all,
>
> I've been monitoring this thread [1] and some excellent points have  
> been raised (cross-posting to websecurity as the subject matter  
> applies). I'm personally very interested in the potential benefits  
> of an integration between dynamic and static analysis scanning  
> technology. The spork of software security testing. The desire of  
> many is a single solution that unifies the benefits of both  
> methodologies and simultaneously reduces their respective well- 
> described limitations. For at least the last couple of years there  
> have been vendors claiming success in this area, of which I remain  
> skeptical.
>
> A brief explanation of the bi-directional and somewhat simple  
> sounding innovations that vendors are trying to develop:
>
> 1) Dynamic Scanner -> Static Analyzer
> A dynamic analysis engine capable of providing HTTP vulnerability  
> details (URL, cookie, form etc.) to a static analysis tool. Static  
> analysis results narrowed down to a single line of insecure code or  
> subroutine to speed vulnerability remediation. Prioritize issues  
> that are located in a publicly available code flow vs. those that  
> are not technically remotely-exploitable. Isolate security issues  
> where source code was not available, such as third-party libraries.
>
> Static Analyzer -> Dynamic Scanner
> 2) A static analyzer capable of providing a remotely available  
> attack surface (URLs, Forms, etc.) to a dynamic analysis tool.  
> Dynamic analysis may realize additional testing comprehensiveness,  
> measurement of coverage depth, and hints for creating exploit proof- 
> of-concepts. Not to mention able to provide more detailed  
> application fix recommendations.
>
> <vendor bias>
> As it stands currently, the state-of-the-art is basically a  
> reporting mash-up. Very little of the aforementioned advancements  
> have been proven to funtion outside of the lab environment. If  
> anyone has evidence to the contrary they can point to, please speak  
> up. For those curious as to Tom Brennan's comment, these are the  
> areas Fortify and WhiteHat are together working on.
> </vendor bias>
>
> This is an excellent time to be in the application and software  
> security industry. Over the next few years there is going to be a  
> lot of innovation and awareness in the "defense" side of the  
> industry. Talent, skill, and experience is going to command a premium.
>
>
> [1] http://www.mail-archive.com/sc-l at securecoding.org/msg02731.html
>
>
> Regards,
>
> Jeremiah Grossman
> Chief Technology Officer
> WhiteHat Security, Inc.
> http://www.whitehatsec.com/
> blog: http://jeremiahgrossman.blogspot.com/
> twitter: @jeremiahg
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:http://www.webappsec.org/rss/websecurity.rss [RSS  
> Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA