[WEB SECURITY] Re: [SC-L] Integrated Dynamic and Static Scanning

Glenn.Everhart at chase.com Glenn.Everhart at chase.com
Fri Aug 7 08:07:37 EDT 2009

One of the things I've noticed in static analysis is the constant need to figure out what is a trusted input or
output (and why). Source code alone mostly does not cover this, since a lot depends on surrounding
environmental controls. (For a simple example, not-too-large outputs that are sent to a human for decisions
about actions to take are relatively hard to use for attacks (with obvious caveats about the humans in question).)
The feed in from pen testing is obvious, so long as the connection between what is found in such tests to
source code inputs or outputs can be made. Again though, the layers between can make that tricky.
Glenn Everhart

-----Original Message-----
From: Qiang Liu [mailto:liuyuer at gmail.com]
Sent: Thursday, August 06, 2009 11:34 PM
To: Jeremiah Grossman
Cc: sc-l at securecoding.org; websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Re: [SC-L] Integrated Dynamic and Static Scanning

It's cool!
If I haven't do like this.I had to analyze codes in static for my customers when I finished my dynamic scan.
Then I would know how to tell my customers how to fix those bugs.
It will be better if there is a automatic tool.

2009/8/7 Jeremiah Grossman < jeremiah at whitehatsec.com>

Hey all,

I've been monitoring this thread [1] and some excellent points have been raised (cross-posting to websecurity as the subject matter applies). I'm personally very interested in the potential benefits of an integration between dynamic and static analysis scanning technology. The spork of software security testing. The desire of many is a single solution that unifies the benefits of both methodologies and simultaneously reduces their respective well-described limitations. For at least the last couple of years there have been vendors claiming success in this area, of which I remain skeptical.

A brief explanation of the bi-directional and somewhat simple sounding innovations that vendors are trying to develop:

1) Dynamic Scanner -> Static Analyzer
A dynamic analysis engine capable of providing HTTP vulnerability details (URL, cookie, form etc.) to a static analysis tool. Static analysis results narrowed down to a single line of insecure code or subroutine to speed vulnerability remediation. Prioritize issues that are located in a publicly available code flow vs. those that are not technically remotely-exploitable. Isolate security issues where source code was not available, such as third-party libraries.

Static Analyzer -> Dynamic Scanner
2) A static analyzer capable of providing a remotely available attack surface (URLs, Forms, etc.) to a dynamic analysis tool. Dynamic analysis may realize additional testing comprehensiveness, measurement of coverage depth, and hints for creating exploit proof-of-concepts. Not to mention able to provide more detailed application fix recommendations.

<vendor bias>
As it stands currently, the state-of-the-art is basically a reporting mash-up. Very little of the aforementioned advancements have been proven to funtion outside of the lab environment. If anyone has evidence to the contrary they can point to, please speak up. For those curious as to Tom Brennan's comment, these are the areas Fortify and WhiteHat are together working on.
</vendor bias>

This is an excellent time to be in the application and software security industry. Over the next few years there is going to be a lot of innovation and awareness in the "defense" side of the industry. Talent, skill, and experience is going to command a premium.

[1] http://www.mail-archive.com/sc-l@securecoding.org/msg02731.html


Jeremiah Grossman
Chief Technology Officer
WhiteHat Security, Inc.
blog: http://jeremiahgrossman.blogspot.com/
twitter: @jeremiahg

Join us on IRC: irc.freenode.net <http://irc.freenode.net/>  #webappsec

Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn

This transmission may contain information that is privileged,
confidential, legally privileged, and/or exempt from disclosure
under applicable law.  If you are not the intended recipient, you
are hereby notified that any disclosure, copying, distribution, or
use of the information contained herein (including any reliance
thereon) is STRICTLY PROHIBITED.  Although this transmission and
any attachments are believed to be free of any virus or other
defect that might affect any computer system into which it is
received and opened, it is the responsibility of the recipient to
ensure that it is virus free and no responsibility is accepted by
JPMorgan Chase & Co., its subsidiaries and affiliates, as
applicable, for any loss or damage arising in any way from its use.
 If you received this transmission in error, please immediately
contact the sender and destroy the material in its entirety,
whether in electronic or hard copy format. Thank you.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20090807/0ecfcc62/attachment.html>

More information about the websecurity mailing list