[WEB SECURITY] Re: What do you like better Web penetration testing or static code analysis?

[mparsons1980 at gmail.com (Matt Parsons)]

I am working on a collaborative effort trying to blog daily about a
different software security bug.   I am looking for comments on my
blog on how to make it better.   Maybe eventually we can turn this
into an OWASP project.  I am really just doing this because at the
current time all I am doing is web penetration testing and I want to
make sure that I don't lose any of my code review skills.  Any
comments positive or negative would be very helpful.
http://parsonsisconsulting.blogspot.com/

Thanks,
Matt Parsons, CISSP, MSM



On Wed, Apr 28, 2010 at 12:10 AM, SneakySimian <sneaky.simian at gmail.com> wrote:
> I couldn't let this one go.
>
> Having done both source code analysis and blackbox testing, I see
> merits in both. The failure that was the Debian SSL bug is a prime
> example of why I prefer blackbox testing. That's not to say things
> can't go wrong in blackbox testing, because they do, but not all code
> behaves the same way in the same environment, so if you actually test
> it in the environment it is running in, you can then understand why
> the code behaves the way it does. Oversimplified example:
>
> <?php
> $file = $_GET['file'];
>
> if(file_exists($file))
> {
> ? ? echo $file;
> }
>
> else
> {
> ? ?echo 'File not found. :(';
> }
>
> Ignoring the other blatant issues with that code snippet, is that
> vulnerable to XSS? No? Are you sure? Yes? Can you prove it? As it
> turns out, it depends on a configuration setting in php.ini. The only
> real way to know if it is an issue is to run it in the environment it
> is meant to be run in. Now, that's not to say that the developer who
> wrote that code shouldn't be told to fix it in a source code analysis,
> but the point is, some issues are wholly dependent on the environment
> and may or may not get caught during code analysis. Other issues such
> as code branches that don't execute or do execute in certain
> environments can be problematic to spot during normal source code
> analysis.
>
> That all said, I do enjoy reading code, especially comment coding from
> other developers. :P
>
>
>
> On Tue, Apr 27, 2010 at 2:29 PM, Andre Gironda <andreg at gmail.com> wrote:
> > On Tue, Apr 27, 2010 at 4:08 PM, Arian J. Evans
> > <arian.evans at anachronic.com> wrote:
> > > I think everyone would agree that you definitely want to apply
> > > additional (deeper?) degrees of analysis and defensive
> > > compensating-control to high-value and high-risk assets. The tough
> > > question is what ruler you use to justify degree of security
> > > investment to degree of potential Risk/Loss.
> >
> > That requires information sharing and trend analysis, something that
> > our classic vulnerability management programs have also not solved
> >
> > ----------------------------------------------------------------------------
> > Join us on IRC: irc.freenode.net #webappsec
> >
> > Have a question? Search The Web Security Mailing List Archives:
> > http://www.webappsec.org/lists/websecurity/archive/
> >
> > Subscribe via RSS:
> > http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> >
> > Join WASC on LinkedIn
> > http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA



-- 
Matt Parsons, CISSP
315-559-3588 Blackberry
817-238-3325 Home Office
mparsons1980 at gmail.com
www.parsonsisconsulting.com