Secure Coding mailing list archives
[WEB SECURITY] Re: What do you like better Web penetration testing or static code analysis?
From: arian.evans at anachronic.com (Arian J. Evans)
Date: Tue, 27 Apr 2010 09:52:55 -0700
So to be clear - You are saying that you do all of the below when you are analyzing hundreds to thousands of websites to help your customers identify weaknesses that hackers could exploit? How do you find the time?

---
Arian Evans

On Mon, Apr 26, 2010 at 10:54 PM, Andre Gironda <andreg at gmail.com> wrote:
> On Sat, Apr 24, 2010 at 9:33 PM, Arian J. Evans <arian.evans at anachronic.com> wrote:
>> You guys that write a lot of ideological software SDL-theory books can keep your dinosaur Multics.
>
> Nobody wants to go back to / can go back to the TCSEC/Orange-Book formal methods days. We can't go back to the 4GL/CASE days. We can't go back to the Clean Room Development days. Most can't even go back to the OOA&D or Software Contracts days. Even the xP TDD days are long gone, and haven't been replaced by BDD or anything worthwhile. Try measuring cyclomatic complexity and applying it to security testing/inspection.
>
> You are right, the Multics days are gone. But so should be C/C++/Assembler. If we wanted to go down these paths then the importance of certain kinds of what you people call "static analysis tools" would be more about things like:
>
> 1) Hoare Logics (e.g. Klocwork)
> 2) Abstract Interpretation (e.g. Coverity)
>
> but instead what we have right now are crappy satisfiability solvers (e.g. Insure++ or worse, Valgrind plugins that cause things like Debian openssl Epic-Fail) combined with abstract-syntax trees (e.g. Fortify and Ounce). If you want to specify custom development around the crappy static analysis tools we have today, i.e. Slicing (e.g. Checkmarx and testablesa) or focus on elaborate CFG development (e.g. SciTools and GrammaTech) -- then we might realize that it's not Fortify vs. everybody but instead there is a lot to learn from all of these tools. Instead, we have tools like CAT.NET which dwarf Fortify (for what it does and sets out to do) -- but realize that the engine in both should be around 30 LOC because it's NOT THAT COMPLEX. Also meaning that it shouldn't cost 50-60K USD per year for a single audit license, but instead should be a free toy.
>
> And you can see why people call this stuff "source code scanning", because it's really not that much beyond RATS or Graudit, in the same way that grep or PCRE get the job done almost as well as XPath (or XML stream parsers) if your scale is small and you don't understand the internals.
>
>> BB and static analysis fit together hand in glove, and obviously some of us on this list are working to explore the best marriage of the two. I think we will be able to really dial in the efficiency of analysis efforts once we have a clearer understanding of where BB and static overlap, and where they don't.
>
> More like "hand and NES Power-Glove". We still need workflow and people. Metasploit is doing WMAP and a commercial product, Express. Dradis Framework is including Burp Suite Professional Scanner output, in addition to Nessus/Nikto. Qualys is combining their QG data and feeding their WAS product. HoneyApps is combining tool output from Sentinel XML API, Nessus, Hailstorm, Qualys WAS, and other sources. Dan Cornell of The Denim Group is working on a Vulnerability Manager that takes output from Fortify, Ounce, CAT.NET, Sentinel XML API, AppScan, FindBugs, and Burp Suite Professional Scanner. The HP AMP has an open API and obviously Rafal Los and Matt Wood are keeping quiet about the SOURCEconference announcement that they are about to do a lot more than Hybrid 2.0 intended. Certainly, mapping URLs to source code is much easier than knowing several tens of language+platforms+frameworks with Fortify PTA and WebInspect (or potentially Acunetix WVS and Acusensor, but not quite in the same way or to the same effect). Other ideas like DevInspect and SecureObjects are now dead. Will they rise from the grave?
>
> Getting people is key though. Very key. We need more penetration-testers that can read code (or is it vice versa?) and only people like Dan Guido or Billy Rios are going to make that happen.
>
> If you are going to do anything or BUY anything -- definitely put a copy of "Code Reading: The Open-Source Perspective" and "The Web Application Hacker's Handbook" on everybody's desk and maybe place a few key copies of "The Art of Software Security Assessment" on desks of people who are doing well with the first two. And then buy everybody a copy of Burp Suite Professional and Metasploit Express long before you go for the shelfware that is Hybrid 2.0 (or any app or source code scanner).
>
> Peace,
> Andre
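Andre's two claims above, that keyword scanning is what RATS or Graudit already do and that the core of an AST-based engine is a few dozen lines, can be put side by side. This is an added example, not code from the thread or from any tool it names: a minimal Python source-to-sink check on the standard `ast` module, run over a constructed snippet next to the grep-style match it improves on; the source, sink and sanitizer names are assumptions.

```python
import ast

# Constructed sample (not from the thread): a sink fed by request data, a sink
# with a constant argument, and a sink fed by request data after a sanitizer.
SAMPLE = '''
def handler(request):
    cmd = request.args.get("cmd")
    os.system(cmd)
    os.system("ls -l")
    path = shlex.quote(request.args.get("f"))
    os.system("cat " + path)
'''
SOURCES = {"request"}    # names whose reads are untrusted input (assumption)
SANITIZERS = {"quote"}   # attribute names assumed to cleanse their argument
SINKS = {"system"}       # attribute names treated as dangerous sinks

def grep_findings(src):  # RATS/Graudit-style: any line mentioning a sink is a hit
    return [n for n, line in enumerate(src.splitlines(), 1) if "system(" in line]

def is_tainted(expr, tainted):
    """True if expr carries source data that did not pass through a sanitizer."""
    if isinstance(expr, ast.Call):
        if isinstance(expr.func, ast.Attribute) and expr.func.attr in SANITIZERS:
            return False
        return any(is_tainted(e, tainted) for e in [expr.func, *expr.args])
    if isinstance(expr, ast.Attribute):
        return is_tainted(expr.value, tainted)
    if isinstance(expr, ast.BinOp):
        return is_tainted(expr.left, tainted) or is_tainted(expr.right, tainted)
    return isinstance(expr, ast.Name) and (expr.id in SOURCES or expr.id in tainted)

class TaintChecker(ast.NodeVisitor):
    """Visits statements in source order, tracking which names hold taint."""
    def __init__(self):
        self.tainted, self.hits = set(), []
    def visit_Assign(self, node):  # a (re)assignment updates the taint set
        for t in (t for t in node.targets if isinstance(t, ast.Name)):
            (self.tainted.add if is_tainted(node.value, self.tainted)
             else self.tainted.discard)(t.id)
        self.generic_visit(node)
    def visit_Call(self, node):  # report a sink only if an argument is tainted
        if isinstance(node.func, ast.Attribute) and node.func.attr in SINKS and \
                any(is_tainted(a, self.tainted) for a in node.args):
            self.hits.append(node.lineno)
        self.generic_visit(node)

def taint_findings(src):
    checker = TaintChecker()  # AST-based: only sinks reached by unsanitized data
    checker.visit(ast.parse(src))
    return checker.hits
```

On the sample, the grep pass flags all three `os.system` lines while the AST pass reports only the one actually fed unsanitized request data; the missing pieces in a real engine are interprocedural flow and a sanitizer list that is not a guess.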