[WEB SECURITY] R: [WEB SECURITY] Static code analyzers

Dinis Cruz dinis at ddplus.net
Wed Jan 21 12:46:31 EST 2009


Since Victor brought up the topics of Ounce and Cat.Net, I would like to
call your attention to a research project I have been working on for the
past 12 months, which has recently been released under an Open Source
license.

As some of you know, I have been contracting for a while at Ounce Labs as a
security consultant to perform advanced security analysis/reviews of
real-world applications. Well, as it is also widely known in the web app
security industry, tools like Ounce, Fortify, Cat.Net (& others) don't
always provide the answers and visibility required by knowledgeable security
consultants.

Although the Ounce GUI has some of those limitations, its core engine is
REALLY powerful, so what I did was to build a number of tools that allow
power users to REALLY gain visibility into what is going on. Basically I
wrote these modules to answer the questions that I had during those
engagements. And while building those tools, I found a way to 'automate my
brain' :)

I called this toolkit O2 (for Ounce Open) and I really credit Ounce Labs
for: a) paying me to develop it, and b) releasing it under an Open Source
license. The main O2 website is at http://ounceopen.squarespace.com and the
source code is hosted at CodePlex (http://www.codeplex.com/o2).

Now, at the moment, these tools are still in a very 'early beta' state, and
they are really customized to the way I (Dinis) like to work. So that the
rest of the community can use it, I'm working hard at the moment to break
apart a lot of the O2 modules and to document how it works.

I have to admit that analyzing applications with O2 is VERY addictive and
empowering, since finally I am able to 'script my brain' and really gain
visibility into what is going on.

See this screenshot for a good example of 'O2 goodness':
http://ounceopen.squarespace.com/storage/images/blog-posts/o2-presentation-slide-efforts_are_worth_it.gif

This screenshot represents what I call a 'complete trace', i.e. a trace
that goes from the 'beginning of the attack surface' all the way to the 'exit
point' of the application (in this example, the trace starts on the web layer
(with an Asp.Net page load event), goes through the web services invocation
(note how I 'glued two traces together': the web layer invoke with the web
services [WebMethod]) and ends up on an SQL execute).

That screenshot is from the O2 presentation I posted here:
http://ounceopen.squarespace.com/technical-info/2009/1/20/o2-presentation-jan-09.html

To test O2, just open the following links to install (via .NET's Click-Once
technology) the main O2 modules:

   - *SAR (Search Assessment Run)* <http://ounceopen.squarespace.com/sar-search-assessment-run/> - Installer on http://76.12.247.164/O2_SearchAssessmentRun
   - *O2_CirAnalysis* - Installer on http://76.12.247.164/O2_CirAnalysis
   - *O2_CSharpScripts* - Installer on http://76.12.247.164/O2_CSharpScripts
   - *O2_WillItScan* - Installer on http://76.12.247.164/O2_WillItScan

Lack of documentation is a real problem today, and I'm working hard at the
moment to write down detailed how-to guides for O2. Here is a preview of
what I am doing: *SAR (Search Assessment Run)*
<http://ounceopen.squarespace.com/sar-search-assessment-run/>
(contains screenshots of the main features of that module).

For more background info on O2's history and what it can do, please read:

   - O2 presentation (Jan 09)
     <http://ounceopen.squarespace.com/technical-info/2009/1/20/o2-presentation-jan-09.html#entry2872763>
     (the O2 presentation also linked above)
   - OunceLabs releases my research tools under an Open Source license (it's
     called O2 and is hosted at CodePlex)
     <http://diniscruz.blogspot.com/2008/09/ouncelabs-releases-my-research-tools.html>
     (from my personal blog)
   - So what can I do with O2?
     <http://diniscruz.blogspot.com/2008/09/in-my-first-post-httpdiniscruz.html>
     (from my personal blog)
   - http://ounceopen.squarespace.com/technical-info/ - O2 main tech blog
   - http://ounceopen.squarespace.com/o2-challenges-can-you-solve/ - Blog
     with challenges for the O2 community

A note on O2 and Cat.Net. If you install and run the O2 Will It Scan
module <http://76.12.247.164/O2_WillItScan> you will notice that it
already contains support for triggering Cat.Net scans via that GUI (just
drag and drop a *.dll or VS solution file and click scan). Currently I'm
working on a little 'converter' that will transform/convert Cat.Net's XML
'saved assessment file' format into Ounce's XML 'saved assessment file'
format. This way Cat.Net users will be able to take advantage of O2's
amazing findings filtering, post-scan analysis and scripting capabilities.

I am also working with Paolo and Stephen from OWASP's Orizon project
<http://www.owasp.org/index.php/Category:OWASP_Orizon_Project> to be able
to use O2's modules on top of Orizon's results (there is also a 'secret'
project to find a way to convert Fortify's XML results into Ounce's XML
format).

So yes, in the short term, the plan is that you will be able to use O2 on
top of Ounce's, Cat.Net's, OWASP's Orizon's or even Fortify's scanning
engine :)

So please give O2 a test drive and give me feedback on what you would like
it to do.

If you are not a current Ounce customer, you can use the demo files I posted
on the O2 website
<http://ounceopen.squarespace.com/files-binaries-source-and-demo/> or, if you
want to take Ounce 6.x for a test-drive, please create an account on the O2
website <http://ounceopen.squarespace.com/register-create-account/> and make
a request here:
https://ounceopen.squarespace.com/request-ounce-6x-evaluation/ (the requests
from this form go directly to me, so that I can trigger the eval process for
you at Ounce).

Looking forward to your comments

Best regards

Dinis Cruz
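To make the 'complete trace' idea above concrete, here is an added example in Python (not O2's or Ounce's own code, and not part of the original message). It models the two partial traces the screenshot describes, a web-layer trace that ends in a web service proxy call and a web-service trace that starts at a [WebMethod] and ends at an SQL execute, and glues them into one source-to-sink trace. The step representation, the symbol names and the matching rule (a trace's final call is joined to another trace whose entry symbol is the same method) are all assumptions made for the illustration.

```python
"""Gluing partial static-analysis traces into one 'complete trace'.

Added illustration, not code from O2 or Ounce.  Assumptions: a trace is a
list of Step objects; a Step is 'source' (entry point), 'call' (invocation)
or 'sink' (exit point); two traces are glued when the callee of one trace's
final 'call' step equals the 'source' symbol that opens another trace.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    kind: str    # "source" (entry point), "call" (invocation) or "sink" (exit point)
    symbol: str  # method or API name, e.g. "SqlCommand.ExecuteReader"


# Constructed sample traces modelled on the screenshot's description:
# web layer (Page_Load) -> web service proxy call, and
# web service ([WebMethod] entry) -> SQL execute.
WEB_LAYER_TRACE = [
    Step("source", "Default.Page_Load"),
    Step("call", 'Request.QueryString["id"]'),
    Step("call", "UserService.GetUser"),    # proxy call across the boundary
]
WEB_SERVICE_TRACE = [
    Step("source", "UserService.GetUser"),  # [WebMethod] entry on the service side
    Step("call", "string.Format"),
    Step("sink", "SqlCommand.ExecuteReader"),
]


def glue_traces(traces):
    """Join traces whose final call names another trace's entry symbol.

    Returns a list of merged traces.  A trace that is the target of some
    other trace's final call is not emitted on its own unless it turns out
    to be unreachable (for example because of a call cycle).
    """
    by_entry = {t[0].symbol: t for t in traces if t and t[0].kind == "source"}
    targets = {t[-1].symbol for t in traces if t and t[-1].kind == "call"}
    used = set()
    merged = []
    for t in traces:
        if not t or t[0].symbol in targets:
            continue  # will be appended to a caller's chain instead
        chain = list(t)
        used.add(id(t))
        while chain[-1].kind == "call" and chain[-1].symbol in by_entry:
            nxt = by_entry[chain[-1].symbol]
            if id(nxt) in used:
                break  # recursion guard: do not follow a trace twice
            used.add(id(nxt))
            chain.extend(nxt[1:])  # drop the boundary step already present as the call
        merged.append(chain)
    # anything never reached through a chain is still reported, on its own
    merged.extend(t for t in traces if t and id(t) not in used)
    return merged


def is_complete(trace):
    """A complete trace runs from an entry point all the way to an exit point."""
    return bool(trace) and trace[0].kind == "source" and trace[-1].kind == "sink"


def describe(trace):
    """Render a trace as 'a -> b -> c' for display or reporting."""
    return " -> ".join(step.symbol for step in trace)


if __name__ == "__main__":
    for trace in glue_traces([WEB_SERVICE_TRACE, WEB_LAYER_TRACE]):
        status = "complete" if is_complete(trace) else "partial"
        print(f"[{status}] {describe(trace)}")
```

The interesting case for a reviewer is the negative one: a web-layer trace whose final call has no matching service-side trace stays partial, which is exactly the gap a reviewer has to fill by hand (or by scripting a better matching rule) before concluding that user input reaches the database.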



On Wed, Jan 21, 2009 at 9:23 AM, Vicari Marco Vincenzo (UGIS - UniCredit
Group) <MarcoVincenzo.Vicari at unicreditgroup.eu> wrote:

> In my company I'm using Ounce 6 (Ounce Labs). It is expensive, but less than
> other commercial products like Fortify; it is a good tool, very user
> friendly, and has interesting features. We have a lot of web applications and
> the scan step is configured to work in batch mode; after the triage step it
> shows the vulnerabilities to the analyst, who can verify each flaw with the
> source navigator included in Ounce. There is also a feature that permits
> publishing and sharing the assessment.
> For us it is a good tool.
>
> ---------------------------------------------
> Marco Vincenzo Vicari
> ICT Security
> Infrastructure and Customer Services
> Unicredit Global Information Services
> Via Ugo La Malfa 50
> 90100 Palermo, Italia
> Tel. +39 091 608 6332
> Cell. +39 335 7978086
> mailto:marco.vicari at unicreditgroup.eu
> http://www.unicreditgroup.eu
> ---------------------------------------------
> Please consider the environment before printing this e-mail
> ________________________________________
> From: Mostafa Siraj [mailto:mostafa.siraj at gmail.com]
> Sent: Thursday 15 January 2009 12:40
> To: John Johnson
> Cc: connectjunkie at gmail.com; websecurity at webappsec.org
> Subject: Re: [WEB SECURITY] Static code analyzers
>
> I'm using Ounce Labs and CAT.NET in my company. Ounce Labs is very
> expensive (your company has to be big in order to be able to buy it) while
> CAT.NET is free (at least until now). Ounce is a very powerful tool
> according to my experience and did a great job in improving the security
> of our products.
>
> Thanks
> On Thu, Jan 15, 2009 at 12:00 AM, John Johnson <john_johnson89 at hotmail.com>
> wrote:
> Another key factor involved in "best" might be what the tool will find.
> The vendors in this space have introduced support for languages at different
> times, and have put different levels of effort into the depth with which they
> research the threat landscape and to what degree they mark up the API in their
> security rules knowledgebase(s).  For example at one snapshot in time tool A
> may scan .Net code but find a limited number of real issues and a high
> number of FP's, while tool B may have gone deeper and done a better job.
> Then with a different language that may be reversed.
>
> The best way to really know is to do simple testing on sample code.
> ________________________________________
>
> Date: Wed, 14 Jan 2009 21:33:48 +0000
> From: connectjunkie at gmail.com
> To: websecurity at webappsec.org
> Subject: Re: [WEB SECURITY] Static code analyzers
>
>
> Define "better".  Are you looking at usage scenario (i.e. Integrates into
> more Visual Studio versions, integrates into Team Studio etc), more security
> bugs found (will depend on people's experiences and code), runs faster, uses
> less memory, is cheaper/better value etc etc etc
>
> Also, are you looking at commercial, or freely available solutions?
>
>
> On 14/01/2009 21:10, "Michael Williams" <mw7301 at hotmail.com> wrote:
>
> I was wondering do any of you have a feel for which static code analyzer
> does a better job with C# source code? From my research it looks to me like
> some of the products seem to do better with Java than C++ or vice versa for
> example so I was wondering which one seemed to do C# the best.
>
>
>
>
> --
> "Our deepest fear is not that we are inadequate. Our deepest fear is that
> we are powerful beyond measure. It is our light, not our darkness, that most
> frightens us. We ask ourselves, who am I to be brilliant, gorgeous,
> talented, and fabulous?Actually, who are you not to be? You are a child of
> God. Your playing small doesn't serve the world. There's nothing enlightened
> about shrinking so that other people won't feel insecure around you. We are
> all meant to shine, as children do. We are born to make manifest the glory
> of God that is within us. It's not just in some of us, it's in everyone. And
> as we let our own light shine, we unconsciously give other people permission
> to do the same. As we are liberated from our own fear, our presence
> automatically liberates others." --Nelson Mandela--
>
>
>
>