mailing list archives
Re: Finally - [Logical vs. Technical] was Curphey award 2004 to SPI Dynamics
From: Jeremiah Grossman <jeremiah () whitehatsec com>
Date: Tue, 29 Jun 2004 09:30:33 -0700
The points you touch on are very important to understand. The realization
that there are complex vulnerabilities in a system sheds light on the
current limitations of scanning in the industry. Perhaps also the
limits of the software security process as well. As you said, if a
human/developer has a difficult time identifying business-logic issues
in their code (because it's complex), how can an automated tool be
expected to find it? Also note, even two completely secure blocks of
code can be combined, creating an insecure scenario.
I've given presentations about this where I categorize webappsec
vulnerabilities into two groups, Technical and Logical. Technical
issues (example: SQL Injection, XSS) are often easy to identify by
automated means. You send something in (example: ';), you get something back
you can recognize (an ODBC error message). Simple, right? Ok, over
simplified, but you get what I mean.
On the other hand, when dealing with Logical vulnerabilities, the
results will require knowledge of context. Scanners are capable of
manipulating params all day long, but how does the tool know if the
data it gets back is what it was supposed to see or not? Did the page contain
my bank account data or someone else's? Determining what was supposed
and not supposed to happen in a generic fashion is amazingly difficult.
Humans can perform this task very well. Score 1 for the human brain!
But at this point, tools that hit or miss are the best we can hope for.
This is where many have said... "scanners suck because they don't find
everything". Though I think it's simply better to say technology is not
a complete solution. The reality of the situation is that Logical
problems are not something the industry has had to deal with before.
We're all new at this. This is especially true for network
vulnerability scanning, and the scale we are facing is massive.
In my opinion, technologies such as vulnerability scanning and secure
code libraries will help out with the Technical issues, but without new
solutions, we'll be dealing with the Logical issues for years to come.
Manipulate a hidden form field and you bought the laptop for a dollar.
There are simply too many web sites and too few humans to review it
all. And did I mention web sites have a habit of changing? :)
On Tuesday, June 29, 2004, at 07:59 AM, <PPowenski () oag com> wrote:
In addition to the points below.....
Even though security awareness should be provided to developers to
understand the implications of creating code, it should not be as heavy
a burden as it is turning into. The esoteric aspects that some of the
attacks take and the combination of events to gain access is a
different stream of thought that developers usually do not focus on.
At least the ones I have come across.
The core problem related to security with all the APIs, tools,
scripting engines, and compilers can be attributed to those who created
them for developers to create code.
If a developer has to engage in working out for himself the complex
issues of using the API and where it touches the system, its access
control mechanisms, and paths to the network, then the burden detracts
significantly from getting the job done. Understanding these aspects is
a large undertaking in itself. Most manufacturers do not want many
to know these details as well.
If the founders of our set of developer tools had enough insight to
consider this, it would probably be much better for all of us.