[WEB SECURITY] Re: [SC-L] Integrated Dynamic and Static Scanning

Jeremiah Grossman jeremiah at whitehatsec.com
Thu Aug 6 19:30:03 EDT 2009

Hey all,

I've been monitoring this thread [1] and some excellent points have  
been raised (cross-posting to websecurity as the subject matter  
applies). I'm personally very interested in the potential benefits of  
an integration between dynamic and static analysis scanning  
technology. The spork of software security testing. The desire of many  
is a single solution that unifies the benefits of both methodologies  
and simultaneously reduces their respective well-described  
limitations. For at least the last couple of years there have been  
vendors claiming success in this area, of which I remain skeptical.

A brief explanation of the bi-directional and somewhat simple sounding  
innovations that vendors are trying to develop:

1) Dynamic Scanner -> Static Analyzer
A dynamic analysis engine capable of providing HTTP vulnerability  
details (URL, cookie, form etc.) to a static analysis tool. Static  
analysis results narrowed down to a single line of insecure code or  
subroutine to speed vulnerability remediation. Prioritize issues that  
are located in a publicly available code flow vs. those that are not  
technically remotely-exploitable. Isolate security issues where source  
code was not available, such as third-party libraries.

2) Static Analyzer -> Dynamic Scanner
A static analyzer capable of providing a remotely available attack  
surface (URLs, Forms, etc.) to a dynamic analysis tool. Dynamic  
analysis may realize additional testing comprehensiveness, measurement  
of coverage depth, and hints for creating exploit proof-of-concepts.  
Not to mention able to provide more detailed application fix  

<vendor bias>
As it stands currently, the state-of-the-art is basically a reporting  
mash-up. Very little of the aforementioned advancements have been  
proven to function outside of the lab environment. If anyone has  
evidence to the contrary they can point to, please speak up. For those  
curious as to Tom Brennan's comment, these are the areas Fortify and  
WhiteHat are together working on.
</vendor bias>

This is an excellent time to be in the application and software  
security industry. Over the next few years there is going to be a lot  
of innovation and awareness in the "defense" side of the industry.  
Talent, skill, and experience are going to command a premium.

[1] http://www.mail-archive.com/sc-l@securecoding.org/msg02731.html


Jeremiah Grossman
Chief Technology Officer
WhiteHat Security, Inc.
blog: http://jeremiahgrossman.blogspot.com/
twitter: @jeremiahg
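The two data flows the post sketches (dynamic finding -> line of code, and static route table -> scanner attack surface) can be shown end to end with a small correlation script. This is an added illustration, not code from the original post, from WhiteHat or from Fortify; the route table, call graph, static findings and dynamic findings are all constructed inline and every name in them (handler names such as "search.query", files such as "db.py", the host app.example) is hypothetical.

```python
"""Correlate dynamic (HTTP) and static (source) findings in both directions.

Added illustration, not code from the original post or from any vendor.
All inputs are constructed inline and hypothetical: a Flask-style route
table, a flattened call graph, static sink findings and dynamic findings.
"""
import re
from dataclasses import dataclass

# Constructed route table: path template -> (method, handler name).
ROUTES = {
    "/login": ("POST", "auth.login"),
    "/user/<id>": ("GET", "users.show"),
    "/search": ("GET", "search.query"),
    "/admin/export": ("GET", "admin.export"),
}

# Constructed call graph: handler -> functions it reaches (already transitive).
CALL_GRAPH = {
    "auth.login": {"db.find_user"},
    "users.show": {"db.find_user", "render.profile"},
    "search.query": {"db.search"},
    "admin.export": {"fs.write_report"},
    "cron.cleanup": {"fs.delete_old"},  # no HTTP route reaches this handler
}


@dataclass(frozen=True)
class StaticFinding:
    vuln: str       # "sqli", "xss", "path_traversal", ...
    file: str
    line: int
    function: str   # function that contains the sink


@dataclass(frozen=True)
class DynamicFinding:
    vuln: str
    method: str
    url: str
    param: str


# Constructed static-analysis output (sink locations).
STATIC = [
    StaticFinding("sqli", "db.py", 42, "db.find_user"),
    StaticFinding("sqli", "db.py", 88, "db.search"),
    StaticFinding("xss", "render.py", 17, "render.profile"),
    StaticFinding("path_traversal", "fs.py", 9, "fs.delete_old"),
]

# Constructed dynamic-scanner output (HTTP-level findings).
DYNAMIC = [
    DynamicFinding("sqli", "GET", "http://app.example/search?q=1%27", "q"),
    DynamicFinding("xss", "GET", "http://app.example/user/7", "id"),
]


def _route_regex(template):
    # "/user/<id>" -> ^/user/[^/]+$
    return re.compile("^" + re.sub(r"<[^>]+>", "[^/]+", template) + "$")


def handler_for(url):
    """Map a concrete URL to the handler named in the route table."""
    path = re.sub(r"^https?://[^/]+", "", url).split("?", 1)[0]
    for template, (_method, handler) in ROUTES.items():
        if _route_regex(template).match(path):
            return handler
    return None


def reachable_functions(handler):
    return {handler} | CALL_GRAPH.get(handler, set())


def locate_sink(finding):
    """Dynamic -> static: narrow an HTTP finding to (file, line) of the sink.

    Returns [] when no static finding of that class lies on the handler's
    call path, e.g. when the sink is in a third-party library without source.
    """
    handler = handler_for(finding.url)
    if handler is None:
        return []
    funcs = reachable_functions(handler)
    return [(s.file, s.line) for s in STATIC
            if s.vuln == finding.vuln and s.function in funcs]


def prioritise_static():
    """Split static findings into remotely reachable vs. internal-only."""
    exposed = set()
    for _template, (_method, handler) in ROUTES.items():
        exposed |= reachable_functions(handler)
    public = [s for s in STATIC if s.function in exposed]
    internal = [s for s in STATIC if s.function not in exposed]
    return public, internal


def attack_surface():
    """Static -> dynamic: emit the route table as (method, path) scanner seeds."""
    return sorted((m, t) for t, (m, _h) in ROUTES.items())


def coverage(tested_urls):
    """Static -> dynamic: how many routed handlers the scanner actually hit."""
    hit = {handler_for(u) for u in tested_urls} - {None}
    total = {h for _t, (_m, h) in ROUTES.items()}
    return len(hit & total), len(total)


if __name__ == "__main__":
    for d in DYNAMIC:
        print(d.vuln, d.url, "->", locate_sink(d))
    public, internal = prioritise_static()
    print("remotely reachable:", [(s.file, s.line) for s in public])
    print("not remotely reachable:", [(s.file, s.line) for s in internal])
    print("seeds for scanner:", attack_surface())
    print("coverage:", coverage([d.url for d in DYNAMIC]))
```

The real work in a product lies in the two inputs this script takes for granted: resolving a URL to a handler for a framework's actual routing rules, and building a call graph precise enough that "reachable from a route" means something. Without those, the correlation degrades into the reporting mash-up the post describes.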
