[WEB SECURITY] Re: [SC-L] Integrated Dynamic and Static Scanning

James Landis jcl24 at cornell.edu
Thu Aug 6 20:04:33 EDT 2009

There's a big claim in area 2) that actually does exist: instrumentation of
static code to give you code coverage metrics for your dynamic scanning
efforts. Well, maybe it's not area 2), but it's definitely a static analyzer
vendor feeding dynamic analysis.


On Thu, Aug 6, 2009 at 4:30 PM, Jeremiah Grossman
<jeremiah at whitehatsec.com> wrote:

> Hey all,
> I've been monitoring this thread [1] and some excellent points have been
> raised (cross-posting to websecurity as the subject matter applies). I'm
> personally very interested in the potential benefits of an integration
> between dynamic and static analysis scanning technology. The spork of
> software security testing. The desire of many is a single solution that
> unifies the benefits of both methodologies and simultaneously reduces their
> respective well-described limitations. For at least the last couple of years
> there have been vendors claiming success in this area, of which I remain
> skeptical.
> A brief explanation of the bi-directional and somewhat simple sounding
> innovations that vendors are trying to develop:
> 1) Dynamic Scanner -> Static Analyzer
> A dynamic analysis engine capable of providing HTTP vulnerability details
> (URL, cookie, form etc.) to a static analysis tool. Static analysis results
> narrowed down to a single line of insecure code or subroutine to speed
> vulnerability remediation. Prioritize issues that are located in a publicly
> available code flow vs. those that are not technically remotely-exploitable.
> Isolate security issues where source code was not available, such as
> third-party libraries.
> 2) Static Analyzer -> Dynamic Scanner
> A static analyzer capable of providing a remotely available attack
> surface (URLs, Forms, etc.) to a dynamic analysis tool. Dynamic analysis may
> realize additional testing comprehensiveness, measurement of coverage depth,
> and hints for creating exploit proof-of-concepts. Not to mention able to
> provide more detailed application fix recommendations.
> <vendor bias>
> As it stands currently, the state-of-the-art is basically a reporting
> mash-up. Very little of the aforementioned advancements have been proven to
> function outside of the lab environment. If anyone has evidence to the
> contrary they can point to, please speak up. For those curious as to Tom
> Brennan's comment, these are the areas Fortify and WhiteHat are together
> working on.
> </vendor bias>
> This is an excellent time to be in the application and software security
> industry. Over the next few years there is going to be a lot of innovation
> and awareness in the "defense" side of the industry. Talent, skill, and
> experience are going to command a premium.
> [1] http://www.mail-archive.com/sc-l@securecoding.org/msg02731.html
> Regards,
> Jeremiah Grossman
> Chief Technology Officer
> WhiteHat Security, Inc.
> http://www.whitehatsec.com/
> blog: http://jeremiahgrossman.blogspot.com/
> twitter: @jeremiahg
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> Subscribe via RSS:http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
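The two integration directions Jeremiah describes, plus the coverage measurement James mentions, reduce to a correlation problem once both tools emit structured output: route a dynamic finding (method, URL, parameter) to the handler that serves it and the static finding inside that handler, and check the statically enumerated attack surface against what the dynamic scan actually requested. The following is an added example (not code from either poster, Fortify or WhiteHat); all routes, findings and request logs are constructed sample data for a hypothetical app, and the field names are assumptions about what such tools would export.

```python
"""Correlating dynamic-scanner and static-analyzer output (added example).

Models the two integration directions discussed in the thread:
  1) dynamic finding (URL, parameter) -> static finding (file:line), and
     prioritisation of static findings by remote reachability
  2) static attack surface (routes, params) -> coverage of the dynamic scan
All data below is constructed sample input, not real tool output.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Route:
    method: str
    path: str
    params: frozenset  # parameter names the handler accepts
    handler: str       # function name in source that serves the route


@dataclass(frozen=True)
class StaticFinding:
    rule: str
    file: str
    line: int
    handler: str          # function containing the flagged sink
    param: Optional[str]  # tainted input parameter, None if unknown


@dataclass(frozen=True)
class DynamicFinding:
    vuln: str
    method: str
    url: str
    param: str


# Constructed "attack surface" as a static analyzer might export it.
ROUTES = [
    Route("GET", "/search", frozenset({"q"}), "search_view"),
    Route("POST", "/login", frozenset({"user", "password"}), "login_view"),
    Route("GET", "/admin/export", frozenset({"fmt"}), "export_view"),
]

# Constructed static findings; the last one sits in a batch job with no route.
STATIC_FINDINGS = [
    StaticFinding("SQL_INJECTION", "app/views.py", 42, "search_view", "q"),
    StaticFinding("SQL_INJECTION", "app/views.py", 88, "login_view", "user"),
    StaticFinding("PATH_TRAVERSAL", "app/views.py", 130, "export_view", "fmt"),
    StaticFinding("SQL_INJECTION", "app/batch.py", 12, "nightly_job", None),
]

# Constructed dynamic scanner output and its request log (method, path, params).
DYNAMIC_FINDINGS = [
    DynamicFinding("sqli", "GET", "http://app.example/search?q=x", "q"),
]
DYNAMIC_REQUESTS = [
    ("GET", "/search", {"q"}),
    ("POST", "/login", {"user", "password"}),
]


def route_for(method, url, routes=ROUTES):
    """Map a requested URL back to the static route that serves it."""
    path = urlsplit(url).path
    return next((r for r in routes if r.method == method and r.path == path), None)


def dynamic_to_static(finding, static=STATIC_FINDINGS, routes=ROUTES):
    """Direction 1: narrow a dynamic finding to file:line candidates in the
    handler that serves its URL and consumes its parameter."""
    route = route_for(finding.method, finding.url, routes)
    if route is None:
        return []
    return [f"{s.file}:{s.line}" for s in static
            if s.handler == route.handler and s.param in (None, finding.param)]


def prioritize_static(static=STATIC_FINDINGS, routes=ROUTES):
    """Direction 1: split static findings into remotely reachable (handler is
    on a route) and internal-only (no route leads to the handler)."""
    reachable = {r.handler for r in routes}
    remote = [s for s in static if s.handler in reachable]
    internal = [s for s in static if s.handler not in reachable]
    return remote, internal


def attack_surface_coverage(routes=ROUTES, requests=DYNAMIC_REQUESTS):
    """Direction 2: fraction of the static attack surface the dynamic scan
    exercised (every declared parameter sent at least once), plus the misses."""
    untested = [f"{r.method} {r.path}" for r in routes
                if not any(m == r.method and p == r.path and r.params <= set(ps)
                           for m, p, ps in requests)]
    return (len(routes) - len(untested)) / len(routes), untested


if __name__ == "__main__":
    for d in DYNAMIC_FINDINGS:
        print(d.vuln, d.url, "->", dynamic_to_static(d))
    remote, internal = prioritize_static()
    print("remote:", [f"{s.file}:{s.line}" for s in remote])
    print("internal:", [f"{s.file}:{s.line}" for s in internal])
    print("coverage:", attack_surface_coverage())
```

The useful property for a defender is the third function: an untested route such as the admin export endpoint is exactly the gap a scan report alone would never reveal, and the internal-only bucket from `prioritize_static` is where static findings without a remote path can be scheduled behind the reachable ones.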