Good catch, that is exactly right. My oversight. A while back Fortify
released a white paper entitled "Misplaced Confidence in Application
Penetration Testing" [reg required]
http://www.fortify.com/security-resources/library/overviews.jsp
Tools are also available to help measure.
On Aug 6, 2009, at 5:04 PM, James Landis wrote:
There's a big claim in area 2) that actually does exist:
instrumentation of static code to give you code coverage metrics for
your dynamic scanning efforts. Well, maybe it's not area 2), but
it's definitely a static analyzer vendor feeding dynamic analysis.
-j
On Thu, Aug 6, 2009 at 4:30 PM, Jeremiah Grossman <jerem...@whitehatsec.com> wrote:
Hey all,
I've been monitoring this thread [1] and some excellent points have
been raised (cross-posting to websecurity as the subject matter
applies). I'm personally very interested in the potential benefits
of an integration between dynamic and static analysis scanning
technology. The spork of software security testing. The desire of
many is a single solution that unifies the benefits of both
methodologies and simultaneously reduces their respective well-described
limitations. For at least the last couple of years there
have been vendors claiming success in this area, of which I remain
skeptical.
A brief explanation of the bi-directional and somewhat simple
sounding innovations that vendors are trying to develop:
1) Dynamic Scanner -> Static Analyzer
A dynamic analysis engine capable of providing HTTP vulnerability
details (URL, cookie, form etc.) to a static analysis tool. Static
analysis results narrowed down to a single line of insecure code or
subroutine to speed vulnerability remediation. Prioritize issues
that are located in a publicly available code flow vs. those that
are not technically remotely-exploitable. Isolate security issues
where source code was not available, such as third-party libraries.
2) Static Analyzer -> Dynamic Scanner
A static analyzer capable of providing a remotely available
attack surface (URLs, Forms, etc.) to a dynamic analysis tool.
Dynamic analysis may realize additional testing comprehensiveness,
measurement of coverage depth, and hints for creating exploit
proof-of-concepts. Not to mention being able to provide more detailed
application fix recommendations.
<vendor bias>
As it stands currently, the state-of-the-art is basically a
reporting mash-up. Very little of the aforementioned advancements
have been proven to function outside of the lab environment. If
anyone has evidence to the contrary they can point to, please speak
up. For those curious as to Tom Brennan's comment, these are the
areas Fortify and WhiteHat are together working on.
</vendor bias>
This is an excellent time to be in the application and software
security industry. Over the next few years there is going to be a
lot of innovation and awareness in the "defense" side of the
industry. Talent, skill, and experience are going to command a premium.
[1] http://www.mail-archive.com/sc-l@securecoding.org/msg02731.html
Regards,
Jeremiah Grossman
Chief Technology Officer
WhiteHat Security, Inc.
http://www.whitehatsec.com/
blog: http://jeremiahgrossman.blogspot.com/
twitter: @jeremiahg
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List
Archives: http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
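As an added illustration of the two data flows Jeremiah lists as 1) and 2), and of the coverage measurement James brings up, here is a small Python script that is not part of the thread and is not code from WhiteHat, Fortify or any scanner. It works over constructed sample data in a hypothetical schema: static findings that carry the HTTP entry point (route, method, parameter) the analyzer believes reaches the sink, a route table lifted from the application's URL dispatch, dynamic findings as a scanner would report them (URL, method, injected parameter, vulnerability class), and the scanner's request log. Direction 1 joins dynamic findings to file:line and ranks the static results (confirmed remotely, reachable over HTTP, no web entry point); direction 2 exports the route table as crawl seeds and reports which routes the scan never touched.

```python
"""Added example: a minimal bi-directional DAST <-> SAST correlation.

Every finding, route and request below is CONSTRUCTED sample data in a
hypothetical schema; it is not output from any real scanner."""
import re
from urllib.parse import urlsplit

# What a static analyzer might export: findings tied to the HTTP entry point
# (route + method + parameter) from which the sink is reachable. route=None
# means the analyzer found no web entry point for that code path.
SAST_FINDINGS = [
    {"id": "S1", "file": "lib/batch.py", "line": 5, "vuln": "cmdi",
     "route": None, "method": None, "param": "job"},          # cron job only
    {"id": "S2", "file": "app/admin.py", "line": 88, "vuln": "sqli",
     "route": "/admin/report", "method": "POST", "param": "range"},
    {"id": "S3", "file": "app/users.py", "line": 42, "vuln": "sqli",
     "route": "/users/<id>", "method": "GET", "param": "id"},
    {"id": "S4", "file": "app/search.py", "line": 17, "vuln": "xss",
     "route": "/search", "method": "GET", "param": "q"},
]

# Route table the analyzer could lift from the app's URL dispatch (constructed).
ROUTES = [
    ("GET", "/users/<id>"), ("GET", "/search"), ("POST", "/admin/report"),
    ("GET", "/export/<fmt>/<year>"), ("POST", "/api/v2/token"),
]

# What a dynamic scanner reports: URL, method, injected parameter (None when
# the payload went into a path segment) and vulnerability class (constructed).
DAST_FINDINGS = [
    {"id": "D1", "url": "http://app.example/users/42", "method": "GET",
     "param": None, "vuln": "sqli"},
    {"id": "D2", "url": "http://app.example/search?q=%3Cb%3E", "method": "GET",
     "param": "q", "vuln": "xss"},
    {"id": "D3", "url": "http://app.example/search?q=x", "method": "GET",
     "param": "q", "vuln": "sqli"},       # no static counterpart
]

# The scanner's request log, used for coverage (constructed).
VISITED = [
    ("GET", "http://app.example/users/42"), ("GET", "http://app.example/users/43"),
    ("GET", "http://app.example/search?q=x"), ("GET", "http://app.example/"),
]


def route_to_regex(route):
    """Compile '/users/<id>' into a regex that matches '/users/42'."""
    parts = [r"[^/]+" if seg.startswith("<") and seg.endswith(">")
             else re.escape(seg) for seg in route.split("/")]
    return re.compile("^" + "/".join(parts) + "$")


def correlate(dast, sast):
    """Direction 1 (dynamic -> static): for each DAST finding, list the SAST
    findings whose route, method, vulnerability class and, when the scanner
    names one, parameter agree. An empty list is itself useful: the bug is
    in code the analyzer did not see (third-party, generated, no source)."""
    hits = {}
    for d in dast:
        path = urlsplit(d["url"]).path
        hits[d["id"]] = [
            s["id"] for s in sast
            if s["route"] is not None
            and s["method"] == d["method"]
            and s["vuln"] == d["vuln"]
            and route_to_regex(s["route"]).match(path)
            and (d["param"] is None or d["param"] == s["param"])
        ]
    return hits


def prioritize(sast, hits):
    """Rank SAST findings: confirmed remotely first, then anything with an
    HTTP entry point, then code the analyzer could not reach from the web."""
    confirmed = {sid for ids in hits.values() for sid in ids}

    def rank(s):
        return 0 if s["id"] in confirmed else (1 if s["route"] else 2)

    return [s["id"] for s in sorted(sast, key=lambda s: (rank(s), s["id"]))]


def attack_surface(routes, base="http://app.example"):
    """Direction 2 (static -> dynamic): seed URLs for the crawler, with each
    path parameter left as a {name} placeholder for the scanner to fill."""
    return [(m, base + re.sub(r"<([^>]+)>", r"{\1}", r)) for m, r in routes]


def coverage(routes, visited):
    """Fraction of known routes the scanner actually exercised, plus the
    ones it never touched (the attack surface it would have missed)."""
    seen = set()
    for method, url in visited:
        path = urlsplit(url).path
        seen.update((m, r) for m, r in routes
                    if m == method and route_to_regex(r).match(path))
    return len(seen) / len(routes), [r for r in routes if r not in seen]


if __name__ == "__main__":
    hits = correlate(DAST_FINDINGS, SAST_FINDINGS)
    print("DAST -> SAST:", hits)
    print("priority:", prioritize(SAST_FINDINGS, hits))
    print("seeds:", attack_surface(ROUTES))
    print("coverage:", coverage(ROUTES, VISITED))
```

On the sample data, D1 and D2 land on a single file:line each, D3 has no static counterpart (the kind of finding item 1) says should be isolated as "source not available"), the POST-only admin route and the two routes the scanner never requested show up as uncovered surface, and the ranking puts the two remotely confirmed findings ahead of the reachable-but-unconfirmed one and the cron-only code path last. The join key here (route, method, parameter, vulnerability class) is the part real products disagree on; a static tool that cannot tie a sink to an HTTP entry point cannot participate in direction 1 at all.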