Re: [SC-L] InformIT: comparing static analysis tools

[Jeremiah Grossman]

Hi Gary,

No offense taken. :) Securing Web software is a plenty big enough challenge for 
me. 270+ million websites accessible to 2 billion people. And let's not even go 
into the hundreds of thousands of mobile apps, which are basically all mini 
webapps. After I'm done solving that problem I'll think about moving on to 
mainframes, operating systems, and databases. uhh, maybe not.

One thing in your note deserves further WebAppSec clarity:

You can't push dynamic testing very far back in the SDLC, because your code 
has to run before you can test it dynamically.  For me, way back in the SDLC 
means architectural risk analysis or even security requirements analysis.

Very true, no one appreciates this better than us.

As you probably know the Agile approach to software development is winning out 
in the Web application world. Release early. Release fast. Release often. Push 
or die on Tuesday, that's the motto. This means the time distance between 
architectural risk analysis / security requirements analysis and production 
deployment is roughly 2 - 4 weeks (6 max). Whatever analysis necessary to 
perform must also be repeated on each iteration in case a change impacts the 
entire system. Maybe you do not agree?

Then QA testing windows are shortened to  1 - 3 days regardless of the 
preferred method of software security testing (SAST or DAST). Collective then 
this all begs the question, what forms of software security checks does the 
enterprise have the time and resources to deploy.


Regards,

Jeremiah-


On Feb 4, 2011, at 2:47 AM, Gary McGraw wrote:

 hi arian,
 
 Glad you liked the article.
 
 I guess my brush was a bit too wide when it comes to dynamic testing.  I
 was really only referring to the Web application testing tools which in my
 mind hit the wall for two reasons.  Reason one is that they only work
 over port80 and are designed to take advantage of the fact that HTTP is a
 stateless protocol (with a few small caveats).  IMPORTANT NOTE: lots of
 software is not web software (sorry Jeremiah).  Reason two has to do with
 the canned nature of the tests.  The generic tests in the black box Web
 app testing tools are, well, generic.  If your software falls prey to
 those tests, it sucks.  IMPORTANT NOTE: Lots of software does, in fact,
 suck.
 
 As you probably know I call those tools badness-ometers and also
 ***suggest that everyone buy and use one***. See this ancient post (and
 associated informIT article) from 2007:
 
 http://www.cigital.com/justiceleague/2007/03/19/badness-ometers-are-good-do
 -you-own-one/
 
 Now, there are many other kinds of dynamic testing tools (think of any
 kind of fault injection tool).  I wrote a software engineering tome about
 that way back in 1998 called Software Fault Injection
 http://tinyurl.com/4ao6twv.  And you are right that dynamic testing has
 a place.  However, short of fuzzing tools generally tied to a
 grammar-based protocol and capture-replay tools there are not very many
 dynamic testing tools that work for non-Web software.  Why not?  Because
 genericizing is too hard, making the potential market for a particular
 tool too small.
 
 Security testing plays a key role in the Touchpoints (my own and Cigital's
 approach to SDLC integration) which are described in Software Security
 http://swsec.com.  Hoglund and I also describe some dynamic tools that
 we screwed around with when writing Exploiting Software in 2004
 http://www.exploitingsoftware.com/.  I am in complete agreement that
 dynamic testing is important for software security.
 
 One quibble with your question.  You can't push dynamic testing very far
 back in the SDLC, because your code has to run before you can test it
 dynamically.  For me, way back in the SDLC means architectural risk
 analysis or even security requirements analysis.
 
 Sorry for the multiple invocations of the way back machine!  I must be
 getting old.
 
 gem
 
 company www.cigital.com
 podcast www.cigital.com/silverbullet
 blog www.cigital.com/justiceleague
 book www.swsec.com
 
 
 
 On 2/3/11 7:26 PM, Arian J. Evans arian.ev...@anachronic.com wrote:
 
 Great article, Gary. Many of your comments about static technology
 challenges I have seen and verified first-hand, including
 multi-million dollar cost overruns. After some great dialogue with
 John Stevens, I suspect we have had similar experiences.
 
 I was just about to write a similar article at a higher level - about
 how the vast majority of enterprise customers I work with are actively
 moving security into the SDLC. The time has come, the event has
 tipped, and SDLC security is indeed mainstream. This is an exciting
 time to be in the industry.
 
 However - I was curious about your comments about dynamic tools
 reaching their limit or something like that, as customers move
 security efforts deeper into the SDLC. What does that mean?
 
 I see customers making extensive use of dynamic testing, and
 leveraging it deeper and deeper into the SDLC. Enterprises are

Re: [SC-L] [WEB SECURITY] Re: Integrated Dynamic and Static Scanning

[Jeremiah Grossman]

Good catch, that is exactly right. My oversight. A while back Fortify  
released a white paper entitled Misplaced Confidence in Application  
Penetration Testing [reg required]


http://www.fortify.com/security-resources/library/overviews.jsp

Tools also available to help measure.


On Aug 6, 2009, at 5:04 PM, James Landis wrote:

There's a big claim in area 2) that actually does exist:  
instrumentation of static code to give you code coverage metrics for  
your dynamic scanning efforts. Well, maybe it's not area 2), but  
it's definitely a static analyzer vendor feeding dynamic analysis.


-j

On Thu, Aug 6, 2009 at 4:30 PM, Jeremiah Grossman jerem...@whitehatsec.com 
 wrote:

Hey all,

I've been monitoring this thread [1] and some excellent points have  
been raised (cross-posting to websecurity as the subject matter  
applies). I'm personally very interested in the potential benefits  
of an integration between dynamic and static analysis scanning  
technology. The spork of software security testing. The desire of  
many is a single solution that unifies the benefits of both  
methodologies and simultaneously reduces their respective well- 
described limitations. For at least the last couple of years there  
have been vendors claiming success in this area, of which I remain  
skeptical.


A brief explanation of the bi-directional and somewhat simple  
sounding innovations that vendors are trying to develop:


1) Dynamic Scanner - Static Analyzer
A dynamic analysis engine capable of providing HTTP vulnerability  
details (URL, cookie, form etc.) to a static analysis tool. Static  
analysis results narrowed down to a single line of insecure code or  
subroutine to speed vulnerability remediation. Prioritize issues  
that are located in a publicly available code flow vs. those that  
are not technically remotely-exploitable. Isolate security issues  
where source code was not available, such as third-party libraries.


Static Analyzer - Dynamic Scanner
2) A static analyzer capable of providing a remotely available  
attack surface (URLs, Forms, etc.) to a dynamic analysis tool.  
Dynamic analysis may realize additional testing comprehensiveness,  
measurement of coverage depth, and hints for creating exploit proof- 
of-concepts. Not to mention able to provide more detailed  
application fix recommendations.


vendor bias
As it stands currently, the state-of-the-art is basically a  
reporting mash-up. Very little of the aforementioned advancements  
have been proven to funtion outside of the lab environment. If  
anyone has evidence to the contrary they can point to, please speak  
up. For those curious as to Tom Brennan's comment, these are the  
areas Fortify and WhiteHat are together working on.

/vendor bias

This is an excellent time to be in the application and software  
security industry. Over the next few years there is going to be a  
lot of innovation and awareness in the defense side of the  
industry. Talent, skill, and experience is going to command a premium.



[1] http://www.mail-archive.com/sc-l@securecoding.org/msg02731.html


Regards,

Jeremiah Grossman
Chief Technology Officer
WhiteHat Security, Inc.
http://www.whitehatsec.com/
blog: http://jeremiahgrossman.blogspot.com/
twitter: @jeremiahg


Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List 
Archives:http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS:http://www.webappsec.org/rss/websecurity.rss [RSS  
Feed]


Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA




___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___