RE: Web apps code testing

["Yvan Boily" <yboily () seccuris com>]

Code Scanners are very useful tools that will provide some direction in how
to inspect the application for some types of implementation flaws, and web
site pen-testing tools can test for some types of attacks, however using
them to test application security is a flawed approach.  The recommendation
to use a code scanning tool to ensure that code is secure is extremely
dangerous; if you use a tool like that to check if your application is
"secure" then you are giving yourself a false sense of security.

Application design is more relevant to security than implementation;
implementation flaws are typically minor bugs which can be fixed quickly
when identified; security related design flaws typically require
redevelopment of affected areas of the application as well as introduction
of new user interface elements.

I don't disagree that using a code scanning tool, or pentesting the
application has some degree of value, but without an analysis of the
applications design, the environment it operates within (Especially
important for networked apps including websites), and the application source
code you have not given yourself anything more than a false sense of
security.  You need to identify the real risks associated with operating the
application, and from those risks determine which are acceptable and which
need to be corrected.  Code scanning tools cannot perform analysis of design
or environment, and can only detect predefined language constructs which are
deemed "risky".  A more comprehensive approach is required to test for
application level security.  Ensuring that security features of the
application address the OWASP top-ten issues would be a best first step.

Regards,
Yvan Boily
Information Security Analyst
Seccuris 

> -----Original Message-----
> From: Dean Saxe [mailto:Dean.Saxe () DigitalInsight com] 
> Sent: Thursday, March 18, 2004 11:30 AM
> To: 'Sistemas Aurensis-Sys Sec'; security-basics () securityfocus com
> Subject: RE: Web apps code testing
>
> That will only scan the server, not the code, for vulnerabilities.  I
> believe the OWASP had a Java code scanner project in the 
> works.  You may
> also want to test the application with a product like WebInspect by
> SPIDynamics (www.spidynamics.com).
>
> -dhs
>
> -----Original Message-----
> From: Sistemas Aurensis-Sys Sec [mailto:syssec () aurensis com]
> Sent: Thursday, March 18, 2004 2:29 AM
> To: security-basics () securityfocus com
> Subject: Web apps code testing
>
>
> You can try nikto.
> Nikto is a web server scanner which looks for over 2000 potentially
> dangerous files/CGIs and problems on over 200 servers
>
> http://www.cirt.net/code/nikto.shtml
>
> -----Mensaje original-----
> De: Marty [mailto:groupecci () yahoo ca]
> Enviado el: miércoles 17 de marzo de 2004 1:51
> Para: Sec Basic
> Asunto: Web apps code testing
>
>
> Hi,
>
> I have the complete code (Java) for a website our
> development team just completed.
>
> Is there a tool I can use to make sure the code
> is secure?
>
> Thanks!
>
> Marty
>
> __________________________________________________________
> Lèche-vitrine ou lèche-écran ?
> magasinage.yahoo.ca
>
> --------------------------------------------------------------
> -------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and 
> get $545 off 
> any course! All of our class sizes are guaranteed to be 10 
> students or less 
> to facilitate one-on-one interaction with one of our expert 
> instructors. 
> Attend a course taught by an expert instructor with years of 
> in-the-field 
> pen testing experience in our state of the art hacking lab. Master the
> skills 
> of an Ethical Hacker to better assess the security of your 
> organization. 
> Visit us at: 
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> --------------------------------------------------------------
> --------------
>
>
> --------------------------------------------------------------
> -------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and 
> get $545 off 
> any course! All of our class sizes are guaranteed to be 10 
> students or less 
> to facilitate one-on-one interaction with one of our expert 
> instructors. 
> Attend a course taught by an expert instructor with years of 
> in-the-field 
> pen testing experience in our state of the art hacking lab. Master the
> skills 
> of an Ethical Hacker to better assess the security of your 
> organization. 
> Visit us at: 
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> --------------------------------------------------------------
> --------------
>
> --------------------------------------------------------------
> -------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and 
> get $545 off 
> any course! All of our class sizes are guaranteed to be 10 
> students or less 
> to facilitate one-on-one interaction with one of our expert 
> instructors. 
> Attend a course taught by an expert instructor with years of 
> in-the-field 
> pen testing experience in our state of the art hacking lab. 
> Master the skills 
> of an Ethical Hacker to better assess the security of your 
> organization. 
> Visit us at: 
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> --------------------------------------------------------------
> --------------


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------