20070911

Some Things are Easier to Fix than Find

Okay, I've not gone off my rocker. It's almost true.

When performing an application test, you might not find every single instance of a particular vulnerability. Due to time, tool, or other resource constraints, some things simply slip through the cracks. A common response to this is to enumerate all of them that were found with a great big note to the developers that this is a pervasive issue, and that a global policy needs to be adopted to fix them all. And of course, there's always the pushback - "we'll fix exactly the instances you find."

This is where I think "old school" static analysis far outshines the new fangled static analysis engines. With a really good developer, grep, and a hammer, fixing semantic flaws really comes down to a few short steps:

  1. Identify the common idioms used that result in "bad things". These will differ from environment to environment, which is why you have the sharp developer. Some examples:
    1. <%= %> tags
    2. Connection.createStatement()
    3. .exec()
  2. Grep the entire source tree for those idioms.
  3. Replace. The examples above become:
    1. tags (in Java. And I realize there are other things you need to do to make that work)
    2. Connection.prepareStatement() and PreparedStatement.set...()
    3. Get rid of it
Again, that's a really, really broad strokes example. But although a lot of shops use bad API's, they use them in a way that's consistent. So the replacement is consistent. And it's quicker to grep for those cases than it is for an assessment team to perform a complete deep dive on every single form element and known values that go into the application. It's next to impossible to cover every edge case in a running application. Tthere are tools that can help you do that, but they're not free, and you still have to perform all the assessment work to determine that it was covered. Why not just understand the set of API's generally used, fix those, then do a good code review on the remainder, possible uncovering some additional API's that can be grep'ped.

date: 9/11/2007 11:45:00 PM

Labels: ,

1 comment:

  1. Andy Steingruebl02:26

    Its a good point. On top of that I hate paying a pen tester/app-security person to find and enumerate all cases of a vulnerability when once they've pointed out I have an issue I can do the enumeration myself.

    I'd rather have them spend their time finding complicated vulnerabilities than enumerating every single XSS vuln of a specific type. Those I'll tee to to fix either individually or via framework and retrofit.

    ReplyDelete