Message-ID: <151e385b0706271128k5751c513n7aac2fd81d914cf2@mail.gmail.com>
Date: Wed, 27 Jun 2007 13:28:36 -0500
From: "Dave Hull" <ireadit@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Static Code Analysis - Nuts and Bolts

I agree with Debasis.

I spent a year and a half in an Infosec Office doing code audits for
E-Commerce web apps. I tried various open source automated tools and found
that most of them missed the vast majority of exploitable vulnerabilities.
In my experience, nothing beats a line-by-line analysis of the code by
someone who knows what to look for. Yes, it's time consuming and completely
impractical for sufficiently large applications, but it's more effective
than the tools I tried out.

As for estimating time requirements for line-by-line analysis, I've always
been a fan of "under promising and over delivering," and found I could bid
successfully at about a minute per line of code; from there, calculate your
hourly rate accordingly.

I wish I could have tried out some commercial tools, but we were too cheap
for that.

When dealing with web apps, walk through the application, note all user
inputs, even those useless "hidden" fields that so many web app
developers are fond of using, trace through the code and verify that the
developer is validating and sanitizing those inputs correctly. If you want
to be really anal (we are talking security here, right?), then you should
also verify that database inputs are validated and sanitized, and likewise
the outputs sent back to the user. When you're dealing with E-Commerce apps,
it's hard to be too paranoid.

For web app testing, proxies like Web Scarab from OWASP are invaluable.
Haven't tried Paros but it sounds excellent.

Cheers.

On 6/27/07, Debasis Mohanty <debasis.mohanty.listmails@...il.com> wrote:
8< snip >8

> Though this is an important phase during code review, it is definitely
> not the ultimate phase to find security holes. The important phase is
> what comes next, i.e. Manual Data Flow (DF) and Control Flow (CF)
> analysis.
>
>
> d) Manual Data Flow (DF) and Control Flow (CF) analysis
>
> DF analysis - http://en.wikipedia.org/wiki/Data_flow_analysis
>
> CF analysis - http://en.wikipedia.org/wiki/Control_flow_graph
>
> Performing both DF and CF analysis manually takes a lot of time but is
> definitely the most important part of code review. It helps identify
> accurate threats from a security standpoint. This phase requires a
> master code security ninja's hand to ensure actual issues are
> captured.
>

-- 
ireadit@...il.com
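The input-tracing Dave describes (note every client input, hidden fields included, and follow it to where the code uses it) and the manual data-flow analysis in the quoted reply, shown as an added example that is not part of the original post: a deliberately simplified source-to-sink check over Python code that marks request parameters as untrusted, follows them through assignments, and reports database calls whose SQL text is built from such a value without passing through a recognised validator. The sample handler, the source and validator names and the `cursor.execute` sink are constructed assumptions.

```python
import ast
# Constructed sample handler under review (not from the post): 'item' and the
# "hidden" 'price' field both arrive from the client; cursor.execute is the sink.
SAMPLE = '''
def checkout(request, cursor):
    item = request.form["item"]              # visible form input
    price = request.form["price"]            # hidden field, still client-controlled
    qty = int(request.form.get("qty", "1"))  # validated by casting to int
    cursor.execute("SELECT cost FROM items WHERE name = '" + item + "'")
    cursor.execute("INSERT INTO orders VALUES (%s, %s)", (item, qty))
    cursor.execute("UPDATE cart SET total = " + price)
'''
SOURCES = {"form", "args", "cookies"}  # request.<attr>[...] or .get(...) are untrusted
VALIDATORS = {"int", "float"}          # calls whose result is treated as validated
SINK = "execute"                       # only the SQL text (first argument) is checked

def _is_source(node):
    """True for reads of a request parameter: request.form["x"] or request.args.get("x")."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute) and node.attr == "get":
        node = node.value
    if isinstance(node, ast.Subscript):
        node = node.value
    return isinstance(node, ast.Attribute) and node.attr in SOURCES

def _tainted(node, tainted_vars):
    """Untrusted if a source, a tainted variable, or built from one (concatenation, unvalidated call)."""
    if _is_source(node):
        return True
    if isinstance(node, ast.Name):
        return node.id in tainted_vars
    if isinstance(node, ast.BinOp):
        return _tainted(node.left, tainted_vars) or _tainted(node.right, tainted_vars)
    if isinstance(node, ast.Call):
        validated = isinstance(node.func, ast.Name) and node.func.id in VALIDATORS
        return not validated and any(_tainted(a, tainted_vars) for a in node.args)
    return False

def find_tainted_sinks(source_code):
    """Line numbers (within source_code) of sink calls whose SQL text is built from untrusted input."""
    tainted, findings = set(), []
    # ast.walk is breadth-first; sorting by line keeps assignments ahead of later sinks
    for node in sorted(ast.walk(ast.parse(source_code)), key=lambda n: getattr(n, "lineno", 0)):
        if isinstance(node, ast.Assign) and _tainted(node.value, tainted):
            tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
              and node.func.attr == SINK and node.args and _tainted(node.args[0], tainted)):
            findings.append(node.lineno)
    return findings
```

On SAMPLE this reports lines 6 and 8 (the concatenated `item` and hidden `price`) and passes the parameterised insert and the `int()`-validated quantity. It is flow-insensitive and knows only the sources, validators and sink it is told about, which is exactly the gap the manual trace has to fill.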


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
