WebApp Sec mailing list archives
Re: Finally - [Logical vs. Technical] was Curphey award 2004 to SPI Dynamics
From: Jeremiah Grossman <jeremiah () whitehatsec com>
Date: Tue, 29 Jun 2004 09:30:33 -0700
The points you touch on are very important to understand. The realization that there are complex vulnerabilities in a system sheds light on the current limitations of scanning in the industry. Perhaps also the limits of the software security process as well. As you said, if a human/developer has a difficult time identifying business-logic issues in their code (because it's complex), how can an automated tool be expected to find it? Also note, even two completely secure blocks of code can be combined, creating an insecure scenario.
I've given presentations about this where I categorize webappsec vulnerabilities into two groups, Technical and Logical. Technical issues (example: SQL Injection, XSS) are often easy to identify by automated means. You send something in (example: ';), you get something back you can recognize (an ODBC error message). Simple, right? Ok, over-simplified, but you get what I mean.
On the other hand, when dealing with Logical vulnerabilities, the results will require knowledge of context. Scanners are capable of manipulating params all day long, but how does the tool know if the data it gets back is what it was supposed to see or not? Did the page contain my bank account data or someone else's? Determining what was supposed and not supposed to happen in a generic fashion is amazingly difficult. Humans can perform this task very well. Score 1 for the human brain! But at this point, tools that are hit or miss are the best we can hope for.
This is where many have said... "scanners suck because they don't find everything". Though I think it's simply better to say technology is not a complete solution. The reality of the situation is that Logical problems are not something the industry has had to deal with before. We're all new at this. This is especially true for network vulnerability scanning, and the scale we are facing is massive.
In my opinion, technologies such as vulnerability scanning and secure code libraries will help out with the Technical issues, but without new solutions, we'll be dealing with the Logical issues for years to come. Manipulate a hidden form field and you bought the laptop for a dollar. There are simply too many web sites and too few humans to review it all. And did I mention web sites have a habit of changing? :)
Regards,
Jeremiah

On Tuesday, June 29, 2004, at 07:59 AM, <PPowenski () oag com> wrote:
In addition to the points below... Even though security awareness should be provided to developers to understand the implications of creating code, it should not be as heavy a burden as it is turning into. The esoteric aspects that some of the attacks take and the combination of events to gain access is an entirely different stream of thought that developers usually do not focus on. At least the ones I have come across. The core problem related to security with all the APIs, tools, scripting engines, and compilers can be attributed to those who created them for developers to create code. If a developer has to engage in working out for himself the complex issues of using the API and where it touches the system, its access control mechanisms, and paths to the network, then the burden detracts significantly from getting the job done. Understanding these aspects is a large undertaking in itself. Most manufacturers do not want many folks to know these details as well. If the founders of our set of developer tools had enough insight to consider this, it would probably be much better for all of us. Just my 2c, Paul
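The Technical/Logical split in the message above can be made concrete in code. The following is an added illustration, not code from either poster or from any scanner product: the first part shows why a technical issue (a database error leaking into a response) needs only a recognizable signature to flag, and the second part shows why the two logical cases Jeremiah mentions (someone else's account data coming back, a hidden price field being trusted) produce responses a context-free scanner cannot tell apart from correct ones, and what the server-side check that supplies that context looks like. All function names, the error patterns, the account records and the catalog are constructed for this example.

```python
import re
from dataclasses import dataclass

# --- Technical issue: a signature in the response is enough ---------------
# Constructed error signatures for the example; a real scanner carries a
# much longer list, but the principle is identical: pattern-match the body.
DB_ERROR_PATTERNS = [
    re.compile(r"\[Microsoft\]\[ODBC[^\]]*\]", re.IGNORECASE),
    re.compile(r"unclosed quotation mark", re.IGNORECASE),
    re.compile(r"error in your SQL syntax", re.IGNORECASE),
]


def leaks_db_error(body: str) -> bool:
    """True if a response body carries a database error signature.

    No knowledge of the application is needed: this is the 'something you
    can recognize' that makes technical issues easy to flag automatically.
    A defender can run the same check over their own responses to catch
    verbose error pages before a scanner (or anyone else) does.
    """
    return any(p.search(body) for p in DB_ERROR_PATTERNS)


# --- Logical issue: same shape of response, different meaning -------------
@dataclass(frozen=True)
class Session:
    user_id: int


# Constructed sample data (hypothetical accounts and catalog).
ACCOUNTS = {
    1001: {"owner": 1, "balance": 250.00},
    1002: {"owner": 2, "balance": 9800.00},
}
CATALOG = {"laptop": 1299.00, "mouse": 19.00}


def get_account_trusting(session: Session, account_id: int) -> dict:
    """Weak form: returns whichever account id the client asked for.

    The response is a well-formed record with a 200 status either way, so
    nothing in it tells a generic tool that it belongs to another user.
    """
    return ACCOUNTS[account_id]


def get_account_checked(session: Session, account_id: int) -> dict:
    """Hardened form: the server applies the ownership context itself."""
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != session.user_id:
        raise PermissionError("account does not belong to this session")
    return account


def checkout_trusting(form: dict) -> dict:
    """Weak form: trusts a hidden 'price' field that the browser sent back."""
    return {"sku": form["sku"], "charged": float(form["price"])}


def checkout_checked(form: dict) -> dict:
    """Hardened form: price is looked up server-side; a client-supplied
    'price' field is simply ignored rather than validated."""
    sku = form["sku"]
    if sku not in CATALOG:
        raise ValueError(f"unknown sku {sku!r}")
    return {"sku": sku, "charged": CATALOG[sku]}


def rejected(func, *args) -> bool:
    """Helper for the demo: True if the hardened handler refused the request."""
    try:
        func(*args)
    except (PermissionError, ValueError):
        return True
    return False


if __name__ == "__main__":
    # Constructed response bodies standing in for captured HTTP responses.
    error_page = ("Microsoft OLE DB Provider for ODBC Drivers error '80040e14' "
                  "[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed "
                  "quotation mark before the character string ''.")
    normal_page = "<html><body>Welcome back, Alice.</body></html>"
    print("technical: error page flagged ->", leaks_db_error(error_page))
    print("technical: normal page flagged ->", leaks_db_error(normal_page))

    alice = Session(user_id=1)
    print("logical: trusting handler hands Alice account 1002 ->",
          get_account_trusting(alice, 1002))
    print("logical: checked handler refuses ->",
          rejected(get_account_checked, alice, 1002))
    tampered = {"sku": "laptop", "price": "1.00"}
    print("logical: trusting checkout charges ->", checkout_trusting(tampered))
    print("logical: checked checkout charges ->", checkout_checked(tampered))
```

The point of the second half is the one the thread makes: `get_account_trusting` and `get_account_checked` return identically shaped records for a legitimate request, and `checkout_trusting` returns a perfectly valid order for the tampered form. Only the server, which knows who the session belongs to and what the laptop costs, can apply that context; a scanner comparing responses has nothing to match on.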