[WEB SECURITY] Re: What do you like better Web penetration testing or static code analysis?

[arian.evans at anachronic.com (Arian J. Evans)]

So to be clear -

You are saying that you do all of the below when you are analyzing
hundreds to thousands of websites to help your customers identify
weaknesses that hackers could exploit?

How do you find the time?

---
Arian Evans



On Mon, Apr 26, 2010 at 10:54 PM, Andre Gironda <andreg at gmail.com> wrote:
> On Sat, Apr 24, 2010 at 9:33 PM, Arian J. Evans
> <arian.evans at anachronic.com> wrote:
> > You guys that write a lot of ideological software SDL-theory books can
> > keep your dinosaur Multics.
>
> Nobody wants to go back to / can go back to the TCSEC/Orange-Book
> formal methods days. We can't go back to the 4GL/CASE days. We can't
> go back to the Clean Room Development days. Most can't even go back to
> the OOA&D or Software Contracts days. Even the xP TDD days are long
> gone, and haven't been replaced by BDD or anything worthwhile. Try
> measuring cyclomatic complexity and applying it to security
> testing/inspection.
>
> You are right, the Multics days are gone. But so should be C/C++/Assembler.
>
> If we wanted to go down these paths than the importance of certain
> kinds of what you people call "static analysis tools" would be more
> about things like:
> 1) Hoare Logics (e.g. Klocwork)
> 2) Abstraction Interpretation (e.g. Coverity)
>
> but instead what we have right know are crappy satisfiability solvers
> (e.g. Insure++ or worse, Valgrind plugins that cause things like
> Debian openssl Epic-Fail) combined with abstract-syntax trees (e.g.
> Fortify and Ounce). If you want to specify custom development around
> the crappy static analysis tools we have today i.e. Slicing (e.g.
> Checkmarx and testablesa) or focus on elaborate CFG development (e.g.
> SciTools and GrammaTech) -- then we might realize that it's not
> Fortify vs. everybody but instead there is a lot to learn from all of
> these tools.
>
> Instead, we have tools like CAT.NET which dwarf Fortify (for what it
> does and sets out to do) -- but realize that the engine in both should
> be around 30 LOC because it's NOT THAT COMPLEX. Also meaning that it
> shouldn't cost 50-60K USD per year for a single audit license, but
> instead should be a free toy.
>
> And you can see why people call this stuff "source code scanning",
> because it's really not that much beyond RATS or Graudit in the same
> way that grep or PCRE get the job done almost as well as XPath (or XML
> stream parsers) if you scale is small and you don't understand the
> internals.
>
> > BB and static analysis fit together hand in glove, and obviously some
> > of us on this list are working to explore the best marriage of the
> > two. I think we will be able to really dial in the efficiency of
> > analysis efforts once we have a clearer understanding of where BB and
> > static overlap, and where they don't.
>
> More like "hand and NES Power-Glove".
>
> We still need workflow and people. Metasploit is doing WMAP and a
> commercial product, Express. Dradis Framework is including Burp Suite
> Professional Scanner output, in addition to Nessus/Nikto. Qualys is
> combining their QG data and feeding their WAS product. HoneyApps is
> combining tool output from Sentinel XML API, Nessus, Hailstorm, Qualys
> WAS, and other sources. Dan Cornell of The Denim Group is working on a
> Vulnerability Manager that takes output from Fortify, Ounce, CAT.NET,
> Sentinel XML API, AppScan, FindBugs, and Burp Suite Professional
> Scanner. The HP AMP has an open API and obviously Rafal Los and Matt
> Wood are keeping quiet about the SOURCEconference announcement that
> they are about to do a lot more than Hybrid 2.0 intended. Certainly,
> mapping URLs to source code is much easier than knowing several tens
> of language+platforms+frameworks with Fortify PTA and WebInspect (or
> potentially Acunetix WVS and Acusensor, but not quite in the same way
> or to the same effect).
>
> Other ideas like DevInspect and SecureObjects are now dead. Will they
> rise from the grave?
>
> Getting people is key though. Very key. We need more
> penetration-testers that can read code (or is it vice versa?) and only
> people like Dan Guido or Billy Rios are going to make that happen.
>
> If you are going to do anything or BUY anything -- definitely put a
> copy of "Code Reading: The Open-Source Perspective" and "The Web
> Application Hacker's Handbook" on everybody's desk and maybe place a
> few key copies of "The Art of Software Security Assessment" on desks
> of people who are doing well with the first two. And then buy
> everybody a copy of Burp Suite Professional and Metasploit Express
> long before you go for the shelfware that is Hybrid 2.0 (or any app or
> source code scanner).
>
> Peace,
> Andre
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA