
| Subject: | Re: [Full-disclosure] Static Code Analysis - Nuts and Bolts |
|---|---|
| Date: | Wed, 27 Jun 2007 13:28:36 -0500 |
I agree with Debasis.
I spent a year and a half in an Infosec Office doing code audits for E-Commerce web apps. I tried various open source automated tools and found that most of them missed the vast majority of exploitable vulnerabilities. In my experience, nothing beats a line-by-line analysis of the code by someone who knows what to look for. Yes, it's time consuming and completely impractical for sufficiently large applications, but it's more effective than the tools I tried out.
As for estimating time requirements for line-by-line analysis, I've always been a fan of "under promising and over delivering," and found I could bid successfully at about a minute per line of code; from there, calculate your hourly rate accordingly.
I wish I could have tried out some commercial tools, but we were too cheap for that.
When dealing with web apps, walk through the application, note all user inputs and even those useless "hidden" fields that so many web app developers are fond of using, trace through the code and verify that the developer is validating and sanitizing those inputs correctly. If you want to be really anal (we are talking security here, right?), then you should also verify that database inputs are also validated and sanitized, and outputs sent back to the user. When you're dealing with E-Commerce apps, it's hard to be too paranoid.
For web app testing, proxies like Web Scarab from OWASP are invaluable. Haven't tried Paros but it sounds excellent.
Cheers.
On 6/27/07, Debasis Mohanty <debasis.mohanty.listmails@gmail.com> wrote: 8< snip >8
not an ultimate phase to find security holes. The important phase is what comes next i.e. Manual Data Flow (DF) and Control Flow (CF) analysis.
d) Manual Data Flow (DF) and Control Flow (CF) analysis
DF analysis - http://en.wikipedia.org/wiki/Data_flow_analysis
CF analysis - http://en.wikipedia.org/wiki/Control_flow_graph
Performing both DF and CF analysis manually takes a lot of time but is definitely the most important part of code review. It helps identify accurate threats from a security standpoint. This phase requires a master code security ninja's hand to ensure actual issues are captured.
-- ireadit@gmail.com
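The manual data-flow tracing the reply and the quoted post both describe (user inputs, including hidden fields, followed through the code to where they are used, checking that each is validated or sanitized on the way, and the same for data read back from the database) can be shown mechanically on a toy program. This is an added example, not code from the post or from any tool it names; it assumes a constructed straight-line intermediate representation and a hypothetical source/sanitizer/sink vocabulary, and models data flow only, not control flow.

```python
from dataclasses import dataclass

# Hypothetical vocabulary for the toy IR (assumption, not from the post).
# Sources: where user-controlled data enters, hidden form fields included,
# plus rows read back from the database, which the post says to treat as input.
SOURCES = {"request.form", "request.args", "request.cookies", "db.fetch"}
# Sanitizers: each neutralises data for exactly one class of sink.
SANITIZERS = {"escape_sql": "sql", "int": "sql", "html_escape": "html"}
# Sinks: where unsanitized data does damage, keyed by sink class.
SINKS = {"db.execute": "sql", "response.write": "html"}


@dataclass
class Stmt:
    target: str         # variable assigned ("" for a bare sink call)
    func: str           # source, sanitizer, sink, or ordinary call
    args: tuple = ()    # variable names passed in


def _taint_of(taint, args):
    """Union of the sink classes every argument is still dangerous for."""
    return set().union(*(taint.get(a, set()) for a in args))


def analyze(program):
    """Return (sink, variable, line) for each flow reaching a sink unsanitized."""
    taint = {}      # var -> set of sink classes it is still dangerous for
    findings = []
    for lineno, st in enumerate(program, 1):
        if st.func in SOURCES:
            taint[st.target] = set(SINKS.values())      # dangerous everywhere
        elif st.func in SANITIZERS:
            # A sanitizer clears only its own class; SQL-safe is not HTML-safe.
            taint[st.target] = _taint_of(taint, st.args) - {SANITIZERS[st.func]}
        elif st.func in SINKS:
            cls = SINKS[st.func]
            findings.extend((st.func, a, lineno)
                            for a in st.args if cls in taint.get(a, set()))
        else:
            taint[st.target] = _taint_of(taint, st.args)  # plain propagation
    return findings


# Constructed sample program: an order handler with a hidden "id" field.
PROGRAM = [
    Stmt("item_id", "request.form", ("id",)),   # hidden field, user-controlled
    Stmt("qty", "request.form", ("qty",)),
    Stmt("qty_i", "int", ("qty",)),             # validated for SQL use
    Stmt("sql", "concat", ("item_id",)),        # string-built query
    Stmt("", "db.execute", ("sql", "qty_i")),   # item_id reaches SQL raw
    Stmt("name", "db.fetch", ()),               # value read back from the DB
    Stmt("", "response.write", ("name",)),      # DB output echoed unescaped
    Stmt("safe", "html_escape", ("name",)),
    Stmt("", "response.write", ("safe",)),      # escaped: no finding
]
```

Running `analyze(PROGRAM)` reports line 5 (SQL sink fed by the hidden field) and line 7 (HTML sink fed by unescaped database output); the `int`-validated quantity and the escaped name are not flagged.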
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/