Secure Coding mailing list archives
[WEB SECURITY] Re: What do you like better Web penetration testing or static code analysis?
From: mparsons1980 at gmail.com (Matt Parsons)
Date: Wed, 28 Apr 2010 01:33:16 -0500
I am working on a collaborative effort trying to blog daily about a different software security bug. I am looking for comments on my blog on how to make it better. Maybe eventually we can turn this into an OWASP project. I am really just doing this because at the current time all I am doing is web penetration testing and I want to make sure that I don't lose any of my code review skills. Any comments positive or negative would be very helpful.

http://parsonsisconsulting.blogspot.com/

Thanks,
Matt Parsons, CISSP, MSM

On Wed, Apr 28, 2010 at 12:10 AM, SneakySimian <sneaky.simian at gmail.com> wrote:

I couldn't let this one go. Having done both source code analysis and blackbox testing, I see merits in both. The failure that was the Debian SSL bug is a prime example of why I prefer blackbox testing. That's not to say things can't go wrong in blackbox testing, because they do, but not all code behaves the same way in the same environment, so if you actually test it in the environment it is running in, you can then understand why the code behaves the way it does. Oversimplified example:

<?php
$file = $_GET['file'];
if(file_exists($file)) {
    echo $file;
} else {
    echo 'File not found. :(';
}

Ignoring the other blatant issues with that code snippet, is that vulnerable to XSS? No? Are you sure? Yes? Can you prove it? As it turns out, it depends on a configuration setting in php.ini. The only real way to know if it is an issue is to run it in the environment it is meant to be run in. Now, that's not to say that the developer who wrote that code shouldn't be told to fix it in a source code analysis, but the point is, some issues are wholly dependent on the environment and may or may not get caught during code analysis. Other issues such as code branches that don't execute or do execute in certain environments can be problematic to spot during normal source code analysis. That all said, I do enjoy reading code, especially comment coding from other developers. :P

On Tue, Apr 27, 2010 at 2:29 PM, Andre Gironda <andreg at gmail.com> wrote:

On Tue, Apr 27, 2010 at 4:08 PM, Arian J. Evans <arian.evans at anachronic.com> wrote:

I think everyone would agree that you definitely want to apply additional (deeper?) degrees of analysis and defensive compensating-control to high-value and high-risk assets. The tough question is what ruler you use to justify degree of security investment to degree of potential Risk/Loss.

That requires information sharing and trend analysis, something that our classic vulnerability management programs have also not solved

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
-- Matt Parsons, CISSP 315-559-3588 Blackberry 817-238-3325 Home Office mparsons1980 at gmail.com www.parsonsisconsulting.com
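The snippet SneakySimian quotes reflects a request parameter straight into the response body, and whether that is exploitable ends up hinging on the deployment's php.ini rather than on the code. The following is an added example, not code from the original thread or from any of its participants: it places that snippet beside a version whose output is encoded for an HTML context in the code itself, so a reviewer can reason about it without knowing the server configuration. The function names and the two constructed inputs are my own.

```php
<?php
// Added example (not from the original post): the thread's snippet next to
// a hardened version. Function names and sample inputs are constructed.

// The snippet as quoted in the thread, wrapped in a function: the value of
// the request parameter is returned verbatim, so any HTML in ?file= lands
// in the page unchanged. Whether that is a problem depends on the
// environment the code runs in, which is exactly the reviewer's dilemma.
function render_unescaped(string $file): string
{
    if (file_exists($file)) {
        return $file;
    }
    return 'File not found. :(';
}

// Hardened version: the message is encoded for an HTML body/attribute
// context in the code, so the behaviour no longer depends on php.ini.
// ENT_QUOTES also encodes single quotes (attribute contexts);
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function render_escaped(string $file): string
{
    $msg = file_exists($file) ? $file : 'File not found. :(';
    return htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs: a plain file name and a value containing markup.
$inputs = [
    'report.txt',
    '<b onmouseover="x()">name</b>',
];

foreach ($inputs as $input) {
    printf("input:     %s\n", $input);
    printf("unescaped: %s\n", render_unescaped($input));
    printf("escaped:   %s\n\n", render_escaped($input));
}
```

Run with `php example.php`: the unescaped function hands the second input back as live markup, while the escaped function returns it as `&lt;b onmouseover=&quot;x()&quot;&gt;name&lt;/b&gt;`, which the browser renders as text. Encoding at the output point is what makes the static review answer "no" independently of the environment; the path-disclosure and file-access concerns the post sets aside still need their own handling (for instance restricting the parameter to an allowlist of known names).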
Current thread:
- What do you like better Web penetration testing or static code analysis? Peter G. Neumann (Apr 22)
- What do you like better Web penetration testing or static code analysis? Gary McGraw (Apr 22)
- What do you like better Web penetration testing or static code analysis? Matt Parsons (Apr 23)
- What do you like better Web penetration testing or static code analysis? Brian Chess (Apr 23)
- What do you like better Web penetration testing or static code analysis? Kevin W. Wall (Apr 24)
- What do you like better Web penetration testing or static code analysis? Arian J. Evans (Apr 24)
- [WEB SECURITY] Re: What do you like better Web penetration testing or static code analysis? Arian J. Evans (Apr 27)
- [WEB SECURITY] Re: What do you like better Web penetration testing or static code analysis? Arian J. Evans (Apr 27)
- [WEB SECURITY] Re: What do you like better Web penetration testing or static code analysis? Matt Parsons (Apr 27)
- What do you like better Web penetration testing or static code analysis? Matt Parsons (Apr 23)
- What do you like better Web penetration testing or static code analysis? Gary McGraw (Apr 22)
- [WEB SECURITY] Re: What do you like better Web penetration testing or static code analysis? Sebastian Schinzel (Apr 28)
- [WEB SECURITY] Re: What do you like better Web penetration testing or static code analysis? Greg Beeley (May 05)
- [WEB SECURITY] Re: What do you like better Web penetration testing or static code analysis? Chris Wysopal (Apr 28)