On Source Code Review
First of all, Jeremiah Grossman's periodic Web Application Professional's Survey is online - so go take it.
That being said, I've kept quite silent on the value of static source code analysis for a while now, because I'm pretty sure what the reaction will be, but one of the questions on the survey asked which application security measures should come first.
Static analysis has been dissed in several places as something that might not be necessary. Most notably, I think Fortify Software did their own software a disservice at the Iron Chef Blackhat edition at Black Hat last year. The competition was between some of their source code analyzers and some of their dynamic analyzers, and the application testers won hands down.
Before I begin, know that I believe there is no silver bullet for application security. Nor do I think static source code analysis is the "best" method of finding vulnerabilities. Here are some of the valid, or most important, reasons that static analysis should not stand alone:
- Static analysis is really best at finding semantic flaws - bad API use, failure to use certain APIs, etc.
- Static analysis doesn't give compelling pretty pictures and videos of your application giving up information. The results of a static analysis are only meaningful to developers, and then only to developers who understand the real risk of the types of findings.
- Static analysis almost always requires really expensive tools to do a really, really good job. There are grep-type analyzers, but they don't follow taint through an application.
- Static analysis may analyze components of your code that don't get used. There are still prioritization decisions to be made.
- Static analysis tools can't find logical flaws such as privilege escalation or XSRF.
- Static analysis has different requirements than black box testing:
  - Developers who understand the code and can fix it
  - The source code
  - For many tools, the code needs to at least build (it doesn't have to run)
- Static analysis can find vulnerabilities that dynamic analysis can't - corner cases. "This cross-site scripting flaw only exists on Tuesdays" - if your application was tested in a running state on Monday, you won't know that the flaw exists. Thread safety issues are very bad for an application, but a black box test might never cause one to come up, and if it does, it's nearly impossible to reproduce, and the results don't tell the oracle (whoever judges the test outcome) that it was that type of vulnerability. (For example, the application gave you access even though you used the wrong password.)
- The results of static analysis are meaningful to developers. They get back the lines of code where untrusted data enters the application, where it flows through the application, and where it exits the application. These are the exact lines that the developers need to fix, which a black box test alone can't give you.
- Since the results of a static analysis are geared toward the developers, it provides "instant training" for developers. "What does it take to make this shut up?" (While I prefer that developers understand why you want it to shut up, finding all the places is pretty good, too.)
- Static analysis can happen much earlier in the development process, long before the application is functional. This gives black box testers more time to test the really cool stuff that static analysis can't find.
- Static analysis can take place as part of a build process, automatically generating problem tickets and/or preventing the promotion of code with high-probability, high-risk findings. This can be done with automated black-box tools, but it requires a running environment - many more moving parts.
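To make the grep-versus-taint distinction and the "enters, flows through, exits" lines concrete, here is an added example (written for this post, not the author's or any vendor's code). The sample program, the `request.args` source and the `cursor.execute` sink are all constructed assumptions; a grep-style check flags every sink line, while the taint-following check reports only the flow that actually reaches a sink, with the line numbers a developer would fix.

```python
import ast

# Constructed sample program to analyze (not from the original post).
SAMPLE = '''
def handler(request, cursor):
    name = request.args["name"]      # untrusted data enters here
    greeting = "Hello " + name       # and flows through here
    safe = "SELECT 1"
    cursor.execute(greeting)         # and exits here, still tainted
    cursor.execute(safe)             # same sink, but trusted data
'''
SOURCES = {"request.args"}   # assumed source of untrusted input
SINKS = {"cursor.execute"}   # assumed dangerous sink

def grep_findings(src):
    """Grep-style analyzer: flags every line that mentions a sink."""
    return [i for i, line in enumerate(src.splitlines(), 1)
            if any(s in line for s in SINKS)]

def _taint_trail(expr, tainted):
    """Line numbers along which taint reached expr, or None if it is trusted."""
    for sub in ast.walk(expr):
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return tainted[sub.id]
        if isinstance(sub, ast.Subscript) and ast.unparse(sub.value) in SOURCES:
            return [sub.lineno]
    return None

def taint_findings(src):
    """Taint-following analyzer for straight-line code: source, flow and sink lines."""
    tainted, findings = {}, []   # tainted: variable -> lines its taint passed through
    for func in (n for n in ast.parse(src).body if isinstance(n, ast.FunctionDef)):
        for stmt in func.body:
            if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
                var, trail = stmt.targets[0].id, _taint_trail(stmt.value, tainted)
                if trail is None:
                    tainted.pop(var, None)            # reassigned with trusted data
                elif trail[-1] == stmt.lineno:
                    tainted[var] = trail              # taint originates on this line
                else:
                    tainted[var] = trail + [stmt.lineno]
            elif (isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call)
                    and ast.unparse(stmt.value.func) in SINKS):
                for arg in stmt.value.args:
                    trail = _taint_trail(arg, tainted)
                    if trail is not None:
                        findings.append({"source": trail[0], "flow": trail[1:],
                                         "sink": stmt.lineno})
    return findings
```

On the sample, the grep check returns lines 6 and 7 (one of them a false positive), while the taint check returns a single finding: source line 3, flow through line 4, sink at line 6.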