Re: [SC-L] [WEB SECURITY] Re: Integrated Dynamic and Static Scanning
Good catch, that is exactly right. My oversight.

A while back Fortify released a white paper entitled "Misplaced Confidence in Application Penetration Testing" [reg required]:
http://www.fortify.com/security-resources/library/overviews.jsp

Tools also available to help measure.

On Aug 6, 2009, at 5:04 PM, James Landis wrote:

> There's a big claim in area 2) that actually does exist: instrumentation of static code to give you code coverage metrics for your dynamic scanning efforts. Well, maybe it's not area 2), but it's definitely a static analyzer vendor feeding dynamic analysis.
>
> -j
>
> On Thu, Aug 6, 2009 at 4:30 PM, Jeremiah Grossman <jerem...@whitehatsec.com> wrote:
>
>> Hey all,
>>
>> I've been monitoring this thread [1] and some excellent points have been raised (cross-posting to websecurity as the subject matter applies). I'm personally very interested in the potential benefits of an integration between dynamic and static analysis scanning technology. The spork of software security testing. The desire of many is a single solution that unifies the benefits of both methodologies and simultaneously reduces their respective well-described limitations. For at least the last couple of years there have been vendors claiming success in this area, of which I remain skeptical.
>>
>> A brief explanation of the bi-directional and somewhat simple sounding innovations that vendors are trying to develop:
>>
>> 1) Dynamic Scanner -> Static Analyzer
>>
>> A dynamic analysis engine capable of providing HTTP vulnerability details (URL, cookie, form, etc.) to a static analysis tool.
>> Static analysis results narrowed down to a single line of insecure code or subroutine to speed vulnerability remediation.
>> Prioritize issues that are located in a publicly available code flow vs. those that are not technically remotely exploitable.
>> Isolate security issues where source code was not available, such as third-party libraries.
>>
>> 2) Static Analyzer -> Dynamic Scanner
>>
>> A static analyzer capable of providing a remotely available attack surface (URLs, forms, etc.) to a dynamic analysis tool.
>> Dynamic analysis may realize additional testing comprehensiveness, measurement of coverage depth, and hints for creating exploit proof-of-concepts. Not to mention being able to provide more detailed application fix recommendations.
>>
>> <vendor bias>
>> As it stands currently, the state of the art is basically a reporting mash-up. Very little of the aforementioned advancements have been proven to function outside of the lab environment. If anyone has evidence to the contrary they can point to, please speak up. For those curious as to Tom Brennan's comment, these are the areas Fortify and WhiteHat are together working on.
>> </vendor bias>
>>
>> This is an excellent time to be in the application and software security industry. Over the next few years there is going to be a lot of innovation and awareness in the defense side of the industry. Talent, skill, and experience are going to command a premium.
>>
>> [1] http://www.mail-archive.com/sc-l@securecoding.org/msg02731.html
>>
>> Regards,
>>
>> Jeremiah Grossman
>> Chief Technology Officer
>> WhiteHat Security, Inc.
>> http://www.whitehatsec.com/
>> blog: http://jeremiahgrossman.blogspot.com/
>> twitter: @jeremiahg

Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
___
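The two data flows Jeremiah sketches (dynamic -> static narrowing and prioritization, static -> dynamic attack surface), as an added toy example in Python that is not from this thread, Fortify or WhiteHat. The route table, call graph and finding records are constructed stand-ins for what real tools would export; the `sink` field is an assumed common vulnerability-class label shared by both sides.

```python
# Added example (not from the thread): a toy of the two data flows listed
# above. All route, call-graph and finding data below is constructed.
from urllib.parse import urlparse

# Constructed: URL path -> handler, as a static analyzer could extract from
# the application's routing configuration.
ROUTES = {"/search": "SearchController.search",
          "/admin/export": "AdminController.export"}
# Constructed: static call graph, caller -> callees.
CALL_GRAPH = {"SearchController.search": ["ProductDao.find"],
              "AdminController.export": ["ReportLib.render"],
              "BatchJob.run": ["LegacyUtil.exec"]}  # not behind any route
# Constructed: static findings (function, location, sink class).
SAST_FINDINGS = [
    {"func": "ProductDao.find", "loc": "ProductDao.java:42", "sink": "SQL"},
    {"func": "ReportLib.render", "loc": "reportlib.jar (no source)", "sink": "SQL"},
    {"func": "LegacyUtil.exec", "loc": "LegacyUtil.java:17", "sink": "OS command"},
]

def reachable_from(entry, graph):
    """Every function reachable from `entry` via the call graph."""
    seen, stack = set(), [entry]
    while stack:
        func = stack.pop()
        if func not in seen:
            seen.add(func)
            stack.extend(graph.get(func, []))
    return seen

def attack_surface(routes):
    """Flow 2: remotely reachable entry points handed to the dynamic scanner."""
    return sorted(routes)

def prioritize(findings, routes, graph):
    """Flow 1: rank static findings, those in a publicly routed code flow first."""
    exposed = set().union(*(reachable_from(h, graph) for h in routes.values()))
    return sorted(((f["loc"], f["func"] in exposed) for f in findings),
                  key=lambda item: not item[1])

def correlate(dast_hit, routes, graph, findings):
    """Flow 1: narrow a dynamic hit (URL + sink class) to the static findings
    in that route's code flow, including ones in code without source."""
    handler = routes.get(urlparse(dast_hit["url"]).path)
    if handler is None:
        return []  # URL not mapped by the static side; nothing to narrow to
    flow = reachable_from(handler, graph)
    return [f["loc"] for f in findings
            if f["func"] in flow and f["sink"] == dast_hit["sink"]]
```

Note that `LegacyUtil.exec` sorts last because no route reaches it, which is the "publicly available code flow vs. not remotely exploitable" distinction, while the `reportlib.jar` finding is still surfaced even though no source line exists for it.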
Re: [SC-L] Integrated Dynamic and Static Scanning
Speaking of the lab environment, my thesis from 2006 (http://research.microsoft.com/en-us/um/people/livshits/papers/pdf/thesis.pdf) explores the interplay between static and runtime in gory detail. I am not aware of these hybrid approaches being integrated into commercial products.

Regards,
-Ben

-----Original Message-----
From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On Behalf Of Jeremiah Grossman
Sent: Thursday, August 06, 2009 4:30 PM
To: sc-l@securecoding.org; websecur...@webappsec.org
Subject: Re: [SC-L] Integrated Dynamic and Static Scanning